Avaya – Stealth Networks Overview
Stealth Networks: Private and Secure Networking for Critical Assets & Infrastructure
July 2014
Ed Koehler - Avaya
Why should you listen?
Because folks want to attack you!!!
– Critical Business information
– Personal and Credit data
– Just for the heck of it!
These folks are serious and they are well equipped
with sophisticated tools
– It’s no longer kids looking for kicks or prestige
Avaya’s Fabric Connect provides for services that, when properly
implemented, CANNOT be attacked!
This creates a ‘Stealth Shield’ over the network that
makes it invisible!
© 2012 Avaya Inc. All rights reserved.
2
Privacy in a Virtualized World
Network and Service Virtualization have transformed
the IT industry
– Cloud Services
– Software Defined Networking
– BYOD and Mobility
Security and privacy concerns are being expressed by
many risk and security analysts
Regulatory compliance in a virtualized environment
can be a difficult bar to reach
Examples are PCI compliance, HIPAA, process flow and control (SCADA)
environments (NERC/CIP), and video surveillance
What makes this so difficult?
Traditional networking approaches utilize IP as a utility
protocol to establish service paths
These paths are prone to IP scanning techniques that
are used to:
– Discover network topology
– Identify key attack vectors
Using traditional approaches for privacy and separation
is costly and complex
– Inadvertent Routed Black Holes
– Poor resiliency
– High Cap/Ex and Op/Ex
Using IP as the utility for establishing paths means that the paths
have to be visible. This creates a ‘catch-22’, which in turn
creates complexity and cost
Avaya’s Fabric Connect is truly Stealth!
Fabric Connect is not dependent upon IP to establish
the service path
Service paths are established by the use of SPB (Shortest Path Bridging)
Ethernet Switched Paths (ESPs) within Fabric Connect
As a result, path behaviors are established on a
completely different plane
ESPs are ‘invisible to IP’
The definition of a “Stealth” Network
Any network that is enclosed and self-contained, with no reachability
into and/or out of it. It must also be mutable in both its service and
coverage characteristics
Avaya’s Fabric Connect, based on IEEE 802.1aq, provides fast
and nimble private networking circuit-based capabilities that are
unparalleled in the industry
Based on I-SIDs - NOT like MPLS IP VPN or VRF Lite!
– Simple, not complex
“Stealth” Networks are private ‘dark’ networks that are provided as
services within the Fabric Connect cloud
– L2 Stealth: a non-IP-addressed L2 VSN environment
– L3 Stealth: an L3 VSN IP VPN environment
Data Protection: Segmentation comes first!
Dark Reading™ recommendations…
Security includes all people, processes and technology
Validation on ‘where’ Private Data exists
– Trace processes and systems
– Develop flow diagrams of interacting systems & Private Data
Develop documented penetration testing specific to the Private
environment
– ‘Hack Attack’ methodologies
– Ongoing evaluation of threats/vulnerabilities/risk
The more technologies involved in the private environment, the more
engineering & penetration testing is required!
Fabric Connect used end to end eliminates most, if not all, other network technologies!
– Fabric Connect (IEEE 802.1aq)
– Can significantly reduce ACL requirements and enhance data flow validation!
– Firewalls/IDS – are collapsed into a virtualized security demarcation perimeter
– Servers/Storage – reside in encrypted virtualized storage hidden by stealth services
– Authentication/Authorization – Identity Engines!
– Management applications! An important consideration is to ‘lock down’ the management
environment. If it manages a system in the private environment, it is part of it!
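A small scoping check, added here as an example (it is not part of the Avaya deck), that applies this slide’s rule to a constructed inventory: private data flows pull downstream systems into scope, and anything that manages an in-scope system joins the scope too. System names are hypothetical.

```python
"""Compute the 'private environment' from a flow/management inventory.

Rule from the slide: systems holding private data are in scope, anything
they send private data to is in scope, and anything that manages an
in-scope system is part of it. Added example; inventory is constructed.
"""
from collections import deque

# Constructed sample inventory (hypothetical names). For each system:
# "data_to" = systems it sends private data to, "manages" = systems it manages.
INVENTORY = {
    "pos-terminal":  {"data_to": ["card-gateway"], "manages": []},
    "card-gateway":  {"data_to": ["card-db"],      "manages": []},
    "card-db":       {"data_to": [],               "manages": []},
    "backup-server": {"data_to": [],               "manages": ["card-db"]},
    "nms":           {"data_to": [],               "manages": ["core-switch", "backup-server"]},
    "core-switch":   {"data_to": [],               "manages": []},
    "hr-portal":     {"data_to": ["hr-db"],        "manages": []},
    "hr-db":         {"data_to": [],               "manages": []},
    "guest-wifi":    {"data_to": [],               "manages": []},
}


def private_scope(inventory, seeds):
    """Return {system: reason} for every system in the private environment.

    seeds: systems known to hold private data (the starting point of the trace).
    """
    # Reverse index so we can find who manages a given system.
    managers = {}
    for name, entry in inventory.items():
        for target in entry["manages"]:
            managers.setdefault(target, []).append(name)

    scope = {s: "holds private data" for s in seeds}
    queue = deque(seeds)
    while queue:
        current = queue.popleft()
        # Private data carried downstream puts the receiver in scope.
        for target in inventory[current]["data_to"]:
            if target not in scope:
                scope[target] = f"receives private data from {current}"
                queue.append(target)
        # Slide rule: a manager of an in-scope system is part of the environment.
        for mgr in managers.get(current, []):
            if mgr not in scope:
                scope[mgr] = f"manages {current}"
                queue.append(mgr)
    return scope


def out_of_scope(inventory, seeds):
    """Systems that the trace did not pull in (candidates to keep segmented)."""
    return sorted(set(inventory) - set(private_scope(inventory, seeds)))
```

Running `private_scope(INVENTORY, ["pos-terminal"])` pulls in the card-data path plus the backup server and the NMS that manages it, while the HR systems and guest Wi-Fi stay outside; note that `core-switch` is not in scope merely because it shares a manager with an in-scope system.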
Modularity and sampling concept: ‘End to end Stealth’
[Diagram: Data Center Systems (Storage Systems, Compute Systems, Firewall/IDS Security Demarcation, Network Distribution Systems) and Remote site systems (App/OS, Switch/Network, Secure Single Port) joined across the Fabric Connect Cloud (Core Distribution, I-SID). A Private Application Data Center (Server) on VRF/VLAN/FW/IDS/Subnet A connects over Secure L2 “Stealth” Networks; a Private Application (Client) on VRF/VLAN/Subnet B connects over a Secure L3 “Stealth” Network (IP VPN).]
In Conclusion…
While IP Virtual Private Networks are nothing new, Avaya
takes the concept to a new level with Fabric Connect
Flexible and nimble service extensions lend themselves to an
incredibly mobile secure networking paradigm
– “Stealth” Networking – fast, nimble and invisible
“Stealth” Networks can be used to address traditional privacy
concerns such as PCI and HIPAA compliance
They also address next-generation private network requirements such as
mobility for emergency response, military and/or field-based
operations
Avaya’s Fabric Connect can deliver all modes of secure
private connectivity
– Layer 2 Stealth requirements
– Layer 3 Stealth requirements
– Mobile Stealth requirements