Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Perimeter-less networks: The death of the LAN

Evan Gilman
October 14, 2015
Technology
0
270

Perimeter-less networks: The death of the LAN

The transition to the cloud has not come without its fair share of challenges, network connectivity being one of the most notorious. With less control over the network than ever before, declaring an architecture is oftentimes more trouble than it’s worth, especially if you have more than one cloud provider.

Wrestling control over your network architecture is a daunting task while operating in the cloud. Instead, we can leverage automation to provide software-defined network policies that can be enforced in a distributed way. Taking this approach, long gone are the days of VPN tunnels, perimeter firewalls, and private networks.

In this talk, we’ll go over why network topology doesn’t matter like it used to, and how software-defined policies and automation can come together to provide your systems with a self-configuring decentralized network.

Evan Gilman

October 14, 2015
Tweet

More Decks by Evan Gilman

See All by Evan Gilman
Introducing SPIFFE: An Open Standard for Identity in Cloud Native Environments
evan2645
2
230
Zero Trust Networks: Building Trusted Systems in Untrusted Networks
evan2645
0
160
Zero Trust Networks: Building Systems in Untrusted Networks
evan2645
0
190
Infra as Code: The Organizational Bottleneck and the Shared Service Anti-Pattern
evan2645
0
320
Resilient Infrastructure Automation with Serf
evan2645
3
380
Bridging the Great Divide
evan2645
0
61
Bloated Chefs: A Tale of Gluttony and the Path to Enlightenment
evan2645
0
79
Inside the End-to-End Provider Testing Suite
evan2645
0
48

Other Decks in Technology

See All in Technology
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
6
670
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
130
Engineer Career Talk
lycorp_recruit_jp
0
190
【Startup CTO of the Year 2024 / Audience Award】アセンド取締役CTO 丹羽健
niwatakeru
0
1.3k
FlutterアプリにおけるSLI/SLOを用いたユーザー体験の可視化と計測基盤構築
ostk0069
0
110
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
200
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
880
適材適所の技術選定 〜GraphQL・REST API・tRPC〜 / Optimal Technology Selection
kakehashi
1
700
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
180
The Rise of LLMOps
asei
9
1.7k
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
310
アジャイルでの品質の進化 Agile in Motion vol.1/20241118 Hiroyuki Sato
shift_evolve
0
180

Featured

See All Featured
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
How GitHub (no longer) Works
holman
310
140k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Documentation Writing (for coders)
carmenintech
65
4.4k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
The World Runs on Bad Software
bkeepers
PRO
65
11k
Designing for Performance
lara
604
68k

Transcript

  1. 10/13/15 @evan2645 Perimeter-less Networks: Death of the LAN EVAN GILMAN

  2. 10/13/15 @evan2645 About Me PERIMETER-LESS NETWORKS: DEATH OF THE LAN

  3. 10/13/15 @evan2645 About This Talk RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF

  4. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN What is

    a perimeter-less network? Evolution of the Perimeter Network Modern Perimeter Responsibilities Obsoleting the Perimeter Agenda

  5. 10/13/15 @evan2645 What Is It? RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF

  6. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Just what

    it sounds like! All parts equal Zero Trust What is a Perimeter-less Network?

  7. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN More Scalable

    Less Complex It just makes sense… Why Do I Want One?

  8. 10/13/15 @evan2645 Perimeter Network Evolution RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF

  9. 10/13/15 @evan2645 Near The Beginning PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN

  10. 10/13/15 @evan2645 Near The Beginning PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN

  11. 10/13/15 @evan2645 Near The Beginning PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN

  12. 10/13/15 @evan2645 Near The Beginning PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN Internet

  13. 10/13/15 @evan2645 Near The Beginning PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN Internet

  14. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN RFC 1597

    Accelerated Growth

  15. 10/13/15 @evan2645 Accelerated Growth PERIMETER-LESS NETWORKS: DEATH OF THE LAN

    Internet

  16. 10/13/15 @evan2645 Accelerated Growth PERIMETER-LESS NETWORKS: DEATH OF THE LAN

    Corp. Internet

  17. 10/13/15 @evan2645 Accelerated Growth PERIMETER-LESS NETWORKS: DEATH OF THE LAN

    Corp. Internet

  18. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Complete

    isolation if not for the ALG’s • Security controls few and far between • Watch them like dogs! • DMZ is invented Security Concerns

  19. 10/13/15 @evan2645 Security Concerns PERIMETER-LESS NETWORKS: DEATH OF THE LAN

    Corp. DMZ Internet Stub Area

  20. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN NAT NAT

  21. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Provided

    general connectivity for private networks • Firewall is a natural place for NAT • Modern notion of ‘perimeter firewall’ is born NAT

  22. 10/13/15 @evan2645 Perimeter Network Design PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN Corp. DMZ Internet + NAT

  23. 10/13/15 @evan2645 Perimeter Network Design PERIMETER-LESS NETWORKS: DEATH OF THE

    LAN Corp. DMZ Internet Perimeter Network + NAT

  24. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Perimeter Device

    Challenges

  25. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN State Maintenance

    Perimeter Device Challenges

  26. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN State Maintenance

    Throughput Perimeter Device Challenges

  27. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN State Maintenance

    Throughput Redundancy Perimeter Device Challenges

  28. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Multi-tenancy

    • DC’s running on untrusted hardware • Network is not really yours anymore… Enter the Present the CLOUD

  29. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Emulate

    perimeter architecture • Familiar, proven, comfortable, ‘de facto’ • Does it really still make sense though? Enter the Present the CLOUD

  30. 10/13/15 @evan2645 Perimeter Responsibilities RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF

  31. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Perimeter Responsibilities

  32. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Collection

    of network security devices • Network Translation/Mapping • Policy Definition • Policy Enforcement • Authentication, Authorization, and Access (AAA) Perimeter Responsibilities

  33. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Translation/Mapping

  34. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Why

    waste public addresses on stuff that will never need it? Translation/Mapping

  35. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Why

    waste public addresses on stuff that will never need it? • Airport arrival/departure displays Translation/Mapping

  36. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Why

    waste public addresses on stuff that will never need it? • Airport arrival/departure displays • Cash registers, ATMs Translation/Mapping

  37. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Why

    waste public addresses on stuff that will never need it? • Airport arrival/departure displays • Cash registers, ATMs • Environmental control Translation/Mapping

  38. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • 'Address

    Allocation for Private Internets’ Translation/Mapping

  39. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • 'Address

    Allocation for Private Internets’ • No mention of NAT Translation/Mapping

  40. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • 'Address

    Allocation for Private Internets’ • No mention of NAT • IPv4 is already exhausted Translation/Mapping

  41. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • 'Address

    Allocation for Private Internets’ • No mention of NAT • IPv4 is already exhausted • Use what you have Translation/Mapping

  42. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • 'Address

    Allocation for Private Internets’ • No mention of NAT • IPv4 is already exhausted • Use what you have • IPv6 is the nail in the coffin Translation/Mapping

  43. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN NAT: It’s

    for the birds Translation/Mapping

  44. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN NAT: It’s

    for the birds Translation/Mapping

  45. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN NAT: It’s

    for the birds Translation/Mapping

  46. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • If

    it’s not centralized, it’s decentralized • Distributing enforcement means more touch points • Need automation to scale • Key objective: Policy Config Generation Policy Definition and Enforcement

  47. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Configuration

    Management (CM) has changed the landscape • End-state declaration • Often brings infra/topology metadata • Declare security policy state given CM metadata Policy Definition

  48. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Policy Definition

  49. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Policy

    as code! Policy Definition

  50. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Policy

    as code! • Role/Type-based policies Policy Definition

  51. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Policy

    as code! • Role/Type-based policies • Metadata store is up-to-date Policy Definition

  52. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Policy

    as code! • Role/Type-based policies • Metadata store is up-to-date • No more Human intervention Policy Definition

  53. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Policy

    as code! • Role/Type-based policies • Metadata store is up-to-date • No more Human intervention • Version Control!!!1 Policy Definition

  54. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Almost

    all hosts have local enforcement facilities • Most network equipment does too (ACLs, etc) • Can calculate host-level policies • CM can load calculated policy into enforcement facilities • Instrumentation here provides rich insight Policy Enforcement

  55. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Almost

    all hosts have local enforcement facilities • Most network equipment does too (ACLs, etc) • Can calculate host-level policies • CM can load calculated policy into enforcement facilities • Instrumentation here provides rich insight Policy Enforcement

  56. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • All

    hosts reachable, self-aware AAA

  57. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • All

    hosts reachable, self-aware • Endpoint AAA - no more VPN AAA

  58. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • All

    hosts reachable, self-aware • Endpoint AAA - no more VPN • Self-aware hosts can do authorization and access AAA

  59. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Authentication

    backend same as before (LDAP, RADIUS, etc) AAA

  60. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Authentication

    backend same as before (LDAP, RADIUS, etc) • Device vs User authentication AAA

  61. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Authentication

    backend same as before (LDAP, RADIUS, etc) • Device vs User authentication • Device example: IPsec + IKE w/ PKI AAA

  62. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN • Authentication

    backend same as before (LDAP, RADIUS, etc) • Device vs User authentication • Device example: IPsec + IKE w/ PKI • User example: username/password login w/ TOTP AAA

  63. 10/13/15 @evan2645 Obsoleting The Perimeter RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF

  64. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Strategies for

    policy generation and management Strategies for distributed policy enforcement Strategies for AAA Perimeter-free

  65. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN Mr. Gorbachev…

    Perimeter-free

  66. 10/13/15 @evan2645 PERIMETER-LESS NETWORKS: DEATH OF THE LAN All hosts

    independently instrumented and configured Zero dependency on underlying network architecture No more VPN, all hosts communicate P2P-style Less complexity, higher availability, more secure ‘A collection of Internet hosts’ Perimeter-free

  67. 10/13/15 @evan2645 Thank you! Q&A RESILIENT INFRASTRUCTURE ORCHESTRATION WITH SERF