
Perimeter-less networks: The death of the LAN

Evan Gilman
October 14, 2015


The transition to the cloud has not come without its fair share of challenges, network connectivity being one of the most notorious. With less control over the network than ever before, declaring an architecture is oftentimes more trouble than it’s worth, especially if you have more than one cloud provider.

Wresting control over your network architecture is a daunting task while operating in the cloud. Instead, we can leverage automation to provide software-defined network policies that can be enforced in a distributed way. Taking this approach, long gone are the days of VPN tunnels, perimeter firewalls, and private networks.

In this talk, we’ll go over why network topology doesn’t matter like it used to, and how software-defined policies and automation can come together to provide your systems with a self-configuring decentralized network.



Transcript

  1. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN
     Agenda
     What is a perimeter-less network?
     Evolution of the Perimeter Network
     Modern Perimeter Responsibilities
     Obsoleting the Perimeter
  2. What is a Perimeter-less Network?
     Just what it sounds like!
     All parts equal
     Zero Trust
  3. Why Do I Want One?
     More Scalable
     Less Complex
     It just makes sense…
  4. Security Concerns
     • Complete isolation if not for the ALGs
     • Security controls few and far between
     • Watch them like dogs!
     • DMZ is invented
  5. NAT
     • Provided general connectivity for private networks
     • Firewall is a natural place for NAT
     • Modern notion of ‘perimeter firewall’ is born
  6. Perimeter Device Challenges
     State Maintenance
     Throughput
     Redundancy
  7. Enter the Present: the CLOUD
     • Multi-tenancy
     • DCs running on untrusted hardware
     • Network is not really yours anymore…
  8. Enter the Present: the CLOUD
     • Emulate perimeter architecture
     • Familiar, proven, comfortable, ‘de facto’
     • Does it really still make sense though?
  9. Perimeter Responsibilities
     • Collection of network security devices
     • Network Translation/Mapping
     • Policy Definition
     • Policy Enforcement
     • Authentication, Authorization, and Access (AAA)
  10-13. Translation/Mapping (built up one bullet per slide)
     • Why waste public addresses on stuff that will never need it?
     • Airport arrival/departure displays
     • Cash registers, ATMs
     • Environmental control
  14-18. Translation/Mapping (built up one bullet per slide)
     • ‘Address Allocation for Private Internets’
     • No mention of NAT
     • IPv4 is already exhausted
     • Use what you have
     • IPv6 is the nail in the coffin
  19. Policy Definition and Enforcement
     • If it’s not centralized, it’s decentralized
     • Distributing enforcement means more touch points
     • Need automation to scale
     • Key objective: Policy Config Generation
  20. Policy Definition
     • Configuration Management (CM) has changed the landscape
     • End-state declaration
     • Often brings infra/topology metadata
     • Declare security policy state given CM metadata
  21-24. Policy Definition (built up one bullet per slide)
     • Policy as code!
     • Role/Type-based policies
     • Metadata store is up-to-date
     • No more Human intervention
     • Version Control!!!1
  25-26. Policy Enforcement (slide shown twice)
     • Almost all hosts have local enforcement facilities
     • Most network equipment does too (ACLs, etc)
     • Can calculate host-level policies
     • CM can load calculated policy into enforcement facilities
     • Instrumentation here provides rich insight
  27-28. AAA (built up one bullet per slide)
     • All hosts reachable, self-aware
     • Endpoint AAA - no more VPN
     • Self-aware hosts can do authorization and access
  29-31. AAA (built up one bullet per slide)
     • Authentication backend same as before (LDAP, RADIUS, etc)
     • Device vs User authentication
     • Device example: IPsec + IKE w/ PKI
     • User example: username/password login w/ TOTP
  32. Perimeter-free
     Strategies for policy generation and management
     Strategies for distributed policy enforcement
     Strategies for AAA
  33. Perimeter-free
     All hosts independently instrumented and configured
     Zero dependency on underlying network architecture
     No more VPN, all hosts communicate P2P-style
     Less complexity, higher availability, more secure
     ‘A collection of Internet hosts’
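As an added example (not code from the talk or its author), here is the policy-generation pipeline from slides 19 through 26 in miniature: a role-based policy plus CM inventory metadata is compiled into a per-host ingress allow list that CM could load into each host's local firewall, so adding a host to the inventory updates its peers' rules with no human intervention. Hostnames, roles, addresses and ports are constructed.

```python
"""Role-based policy as code, compiled into per-host ingress rules."""
from collections import defaultdict

# Constructed CM inventory metadata: what the metadata store knows about each host.
INVENTORY = {
    "web-1": {"role": "web", "ip": "203.0.113.11"},
    "web-2": {"role": "web", "ip": "203.0.113.12"},
    "app-1": {"role": "app", "ip": "198.51.100.21"},
    "db-1":  {"role": "db",  "ip": "192.0.2.31"},
}

# Role/type-based policy: (source role, destination role, protocol, port).
# Anything not listed is denied, so no trust is derived from network location.
POLICY = [
    ("web", "app", "tcp", 8080),
    ("app", "db",  "tcp", 5432),
]


def host_ingress_rules(host, inventory=INVENTORY, policy=POLICY):
    """Compute one host's ingress allow list from role metadata.

    Returns sorted (source_ip, proto, port) tuples; the caller's enforcement
    facility drops everything else.
    """
    dst_role = inventory[host]["role"]
    ips_by_role = defaultdict(list)
    for meta in inventory.values():
        ips_by_role[meta["role"]].append(meta["ip"])
    allowed = set()
    for src_role, to_role, proto, port in policy:
        if to_role != dst_role:
            continue
        for src_ip in ips_by_role.get(src_role, []):
            allowed.add((src_ip, proto, port))
    return sorted(allowed)


def render_iptables(host, inventory=INVENTORY, policy=POLICY):
    """Render the allow list as iptables INPUT rules with a default-drop policy."""
    lines = [
        "-P INPUT DROP",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src_ip, proto, port in host_ingress_rules(host, inventory, policy):
        lines.append(f"-A INPUT -s {src_ip}/32 -p {proto} --dport {port} -j ACCEPT")
    return lines
```

Because the rules are a pure function of inventory and policy, both inputs can live in version control and the rendered output is reproducible for every host.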