Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Perimeter-less networks: The death of the LAN

Evan Gilman
October 14, 2015
Technology
0
270

Perimeter-less networks: The death of the LAN

The transition to the cloud has not come without its fair share of challenges, network connectivity being one of the most notorious. With less control over the network than ever before, declaring an architecture is oftentimes more trouble than it’s worth, especially if you have more than one cloud provider.

Wrestling control over your network architecture is a daunting task while operating in the cloud. Instead, we can leverage automation to provide software-defined network policies that can be enforced in a distributed way. Taking this approach, long gone are the days of VPN tunnels, perimeter firewalls, and private networks.

In this talk, we’ll go over why network topology doesn’t matter like it used to, and how software-defined policies and automation can come together to provide your systems with a self-configuring decentralized network.

Evan Gilman

October 14, 2015
Tweet

More Decks by Evan Gilman

See All by Evan Gilman
Introducing SPIFFE: An Open Standard for Identity in Cloud Native Environments
evan2645
2
230
Zero Trust Networks: Building Trusted Systems in Untrusted Networks
evan2645
0
160
Zero Trust Networks: Building Systems in Untrusted Networks
evan2645
0
190
Infra as Code: The Organizational Bottleneck and the Shared Service Anti-Pattern
evan2645
0
310
Resilient Infrastructure Automation with Serf
evan2645
3
380
Bridging the Great Divide
evan2645
0
61
Bloated Chefs: A Tale of Gluttony and the Path to Enlightenment
evan2645
0
79
Inside the End-to-End Provider Testing Suite
evan2645
0
48

Other Decks in Technology

See All in Technology
【若手エンジニア応援LT会】AWS Security Hubの活用に苦労した話
kazushi_ohata
0
150
GitHub Universe: Evaluating RAG apps in GitHub Actions
pamelafox
0
170
アジャイルと契約 エッセンシャル版 / Agile Contracts Essential Edition
fkino
0
110
事業者間調整の行間を読む 調整の具体事例
sugiim
0
490
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
5
49k
WINTICKETアプリで実現した高可用性と高速リリースを支えるエコシステム / winticket-eco-system
cyberagentdevelopers
PRO
1
190
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.6k
チームを主語にしてみる / Making "Team" the Subject
ar_tama
4
300
Automated Promptingを目指すその前に / Before we can aim for Automated Prompting
rkaga
0
100
MAMを軸とした動画ハンドリングにおけるAI活用前提の整備と次世代ビジョン / abema-ai-mam
cyberagentdevelopers
PRO
1
110
【技術書典17】OpenFOAM(自宅で極める流体解析)2次元円柱まわりの流れ
kamakiri1225
0
200
フルカイテン株式会社 採用資料
fullkaiten
0
36k

Featured

See All Featured
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
664
120k
Teambox: Starting and Learning
jrom
132
8.7k
Scaling GitHub
holman
458
140k
Facilitating Awesome Meetings
lara
49
6k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
107
49k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2k
A designer walks into a library…
pauljervisheath
202
24k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k

Transcript

  1. 10/13/15 @evan2645 Perimeter-less Networks: Death of the LAN EVAN GILMAN

  2. 10/13/15 @evan2645 About Me PERIMETER-LESS NETWORKS: DEATH OF THE LAN

  3. 10/13/15 @evan2645 About This Talk RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF

  4. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN What is

    a perimeter-less network? Evolution of the Perimeter Network Modern Perimeter Responsibilities Obsoleting the Perimeter Agenda

  5. 10/13/15 @evan2645 What Is It? RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF

  6. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Just what

    it sounds like! All parts equal Zero Trust What is a Perimeter-less Network?

  7. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN More Scalable

    Less Complex It just makes sense… Why Do I Want One?

  8. 10/13/15 @evan2645 Perimeter Network Evolution RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF

  9. 10/13/15 @evan2645 Near The Beginning PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN

  10. 10/13/15 @evan2645 Near The Beginning PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN

  11. 10/13/15 @evan2645 Near The Beginning PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN

  12. 10/13/15 @evan2645 Near The Beginning PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN Internet

  13. 10/13/15 @evan2645 Near The Beginning PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN Internet

  14. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN RFC 1597

    Accelerated Growth

  15. 10/13/15 @evan2645 Accelerated Growth PERIMETER-LESS NETWORKS: DEATH OF THE LAN

    Internet

  16. 10/13/15 @evan2645 Accelerated Growth PERIMETER-LESS NETWORKS: DEATH OF THE LAN

    Corp. Internet

  17. 10/13/15 @evan2645 Accelerated Growth PERIMETER-LESS NETWORKS: DEATH OF THE LAN

    Corp. Internet

  18. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Complete

    isolation if not for the ALG’s • Security controls few and far between • Watch them like dogs! • DMZ is invented Security Concerns

  19. 10/13/15 @evan2645 Security Concerns PERIMETER-LESS NETWORKS: DEATH OF THE LAN

    Corp. DMZ Internet Stub Area

  20. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN NAT NAT

  21. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Provided

    general connectivity for private networks • Firewall is a natural place for NAT • Modern notion of ‘perimeter firewall’ is born NAT

  22. 10/13/15 @evan2645 Perimeter Network Design PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN Corp. DMZ Internet + NAT

  23. 10/13/15 @evan2645 Perimeter Network Design PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN Corp. DMZ Internet Perimeter Network + NAT

  24. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Perimeter Device

    Challenges

  25. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN State Maintenance

    Perimeter Device Challenges

  26. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN State Maintenance

    Throughput Perimeter Device Challenges

  27. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN State Maintenance

    Throughput Redundancy Perimeter Device Challenges

  28. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Multi-tenancy

    • DC’s running on untrusted hardware • Network is not really yours anymore… Enter the Present the CLOUD

  29. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Emulate

    perimeter architecture • Familiar, proven, comfortable, ‘de facto’ • Does it really still make sense though? Enter the Present the CLOUD

  30. 10/13/15 @evan2645 Perimeter Responsibilities RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF

  31. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Perimeter Responsibilities

  32. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Collection

    of network security devices • Network Translation/Mapping • Policy Definition • Policy Enforcement • Authentication, Authorization, and Access (AAA) Perimeter Responsibilities

  33. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Translation/Mapping

  34. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Why

    waste public addresses on stuff that will never need it? Translation/Mapping

  35. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Why

    waste public addresses on stuff that will never need it? • Airport arrival/departure displays Translation/Mapping

  36. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Why

    waste public addresses on stuff that will never need it? • Airport arrival/departure displays • Cash registers, ATMs Translation/Mapping

  37. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Why

    waste public addresses on stuff that will never need it? • Airport arrival/departure displays • Cash registers, ATMs • Environmental control Translation/Mapping

  38. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • 'Address

    Allocation for Private Internets’ Translation/Mapping

  39. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • 'Address

    Allocation for Private Internets’ • No mention of NAT Translation/Mapping

  40. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • 'Address

    Allocation for Private Internets’ • No mention of NAT • IPv4 is already exhausted Translation/Mapping

  41. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • 'Address

    Allocation for Private Internets’ • No mention of NAT • IPv4 is already exhausted • Use what you have Translation/Mapping

  42. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • 'Address

    Allocation for Private Internets’ • No mention of NAT • IPv4 is already exhausted • Use what you have • IPv6 is the nail in the coffin Translation/Mapping

  43. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN NAT: It’s

    for the birds Translation/Mapping

  44. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN NAT: It’s

    for the birds Translation/Mapping

  45. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN NAT: It’s

    for the birds Translation/Mapping

  46. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • If

    it’s not centralized, it’s decentralized • Distributing enforcement means more touch points • Need automation to scale • Key objective: Policy Config Generation Policy Definition and Enforcement

  47. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Configuration

    Management (CM) has changed the landscape • End-state declaration • Often brings infra/topology metadata • Declare security policy state given CM metadata Policy Definition

  48. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Policy Definition

  49. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Policy

    as code! Policy Definition

  50. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Policy

    as code! • Role/Type-based policies Policy Definition

  51. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Policy

    as code! • Role/Type-based policies • Metadata store is up-to-date Policy Definition

  52. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Policy

    as code! • Role/Type-based policies • Metadata store is up-to-date • No more Human intervention Policy Definition

  53. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Policy

    as code! • Role/Type-based policies • Metadata store is up-to-date • No more Human intervention • Version Control!!!1 Policy Definition

  54. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Almost

    all hosts have local enforcement facilities • Most network equipment does too (ACLs, etc) • Can calculate host-level policies • CM can load calculated policy into enforcement facilities • Instrumentation here provides rich insight Policy Enforcement

  55. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Almost

    all hosts have local enforcement facilities • Most network equipment does too (ACLs, etc) • Can calculate host-level policies • CM can load calculated policy into enforcement facilities • Instrumentation here provides rich insight Policy Enforcement

  56. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • All

    hosts reachable, self-aware AAA

  57. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • All

    hosts reachable, self-aware • Endpoint AAA - no more VPN AAA

  58. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • All

    hosts reachable, self-aware • Endpoint AAA - no more VPN • Self-aware hosts can do authorization and access AAA

  59. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Authentication

    backend same as before (LDAP, RADIUS, etc) AAA

  60. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Authentication

    backend same as before (LDAP, RADIUS, etc) • Device vs User authentication AAA

  61. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Authentication

    backend same as before (LDAP, RADIUS, etc) • Device vs User authentication • Device example: IPsec + IKE w/ PKI AAA

  62. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Authentication

    backend same as before (LDAP, RADIUS, etc) • Device vs User authentication • Device example: IPsec + IKE w/ PKI • User example: username/password login w/ TOTP AAA

  63. 10/13/15 @evan2645 Obsoleting The Perimeter RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF

  64. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Strategies for

    policy generation and management Strategies for distributed policy enforcement Strategies for AAA Perimeter-free

  65. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Mr. Gorbachev…

    Perimeter-free

  66. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN All hosts

    independently instrumented and configured Zero dependency on underlying network architecture No more VPN, all hosts communicate P2P-style Less complexity, higher availability, more secure ‘A collection of Internet hosts’ Perimeter-free

  67. 10/13/15 @evan2645 Thank you! Q&A RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF