Identity-Defined Networking, Andrei Gurtov, IDA, Linköping University - PowerPoint PPT Presentation



SLIDE 1

Identity-Defined Networking

Andrei Gurtov, IDA, Linköping University
Erik Giesa, Marc Kaplan, TemperedNetworks

TDDD17, LiU

SLIDE 2

Contents

  • Traditional Networking: Challenging and Complex
  • Identity-Defined Networking (IDN): A New Approach for Unified Secure Networking and Mobility
  • Host Identity Protocol (HIP)
  • Centralized Orchestration
  • Secure Networking Made Simple
  • Value From New Identity Networking Paradigm

SLIDE 3

Traditional Networking is Complex, Costly and Fragile

[Diagram: IT intranet, corporate network and cellular network linking users, a remote worker, Site 1, Site 3, Remote Site 4, a remote vendor, two data centers and a network & security management function]

SLIDE 4

And is Simply Not Sustainable

  • VPN access controls for each network
  • Fragile DNS and routing updates for failover
  • Policies tied to IP addresses
  • Complex firewall and networking rule sets
  • VLANs and access control lists (ACLs) overhead

… per device

SLIDE 5

[Diagram: WAN / LAN joining a remote unmanaged network, a remote site managed network and the corporate network & resources; Devices 10-12 at 192.168.10.10-12, Devices 20-21 at 192.168.20.20-21, Devices 30-32 at 192.168.30.30-32, gateways 192.168.10.1, 192.168.20.1 and 192.168.30.1]

Problem: The Singular Root Defect that affects all IP security and networking

IP Addresses are used as Network and Device Identity

  • Hacker reconnaissance & fingerprinting via TCP/IP stack
  • Listening TCP/UDP service ports
  • All networking and security products use IP addresses for policy

Large Attack Surface

  • IP, TCP/UDP Attacks: every connected thing is an entry point
  • East / West lateral movement
  • ACLs and VLANs ≠ segmentation

Lack of Mobility and Instant Failover

  • Policies tied to IP - creates inflexible mobility
  • IP conflicts
  • DNS TTL and Routing Convergence Delays

Networking and Security Costs

  • Many distributed, complex VLAN, ACL, VPN, firewall policies
  • Controlling network routing
  • IPsec VPN cert management, connection limitations, failover issues
  • Expense of “next-gen” firewalls deployed on interior
  • Field Technicians
  • Remote Employees

SLIDE 6

The Ideal Solution

  • Integrates networking and identity from the start
  • Provisions networks and resources rapidly
  • Allows instant segment, revoke, or quarantine
  • Can be easily managed from a centralized location

SLIDE 7

Identity-Defined Networking (IDN) – Unified Networking & Security

Securely connect any resource, anytime, anywhere.

Cryptographic Identities, Automated Orchestration, Software-Defined Segmentation, Host Identity Namespace, Encrypted Fabric, Device-Based Trust

  • Connect & protect resources globally
  • Unparalleled TCO
  • Dramatically reduced business risk
  • Controlled & verifiable access
  • Simple & provable compliance auditing

SLIDE 8

Host Identity Protocol (HIP)

  • Under development at Internet Engineering Task Force (IETF) from 2004
  • Verizon, Ericsson, Boeing, …
  • HIPv2 is approved as IETF standard RFC7401 in 2015
  • My role:
    • Co-chairing Host Identity Protocol Research Group at IRTF (2006-2010)
    • Co-authoring HIP Experiment Report (RFC6538)
  • White paper 2016: http://www.temperednetworks.com/resources/host-identity-protocol-dr-andrei-gurtov/
  • Wiley book, 332p, 2008
  • Open-source code in HIPL, OpenHIP
  • Dozens of papers on various aspects of HIP architecture

SLIDE 9

Identity-Defined Networking (IDN) at a Glance

SLIDE 10

Globally Unique and Locally Unique Identifiers

  • Host Identity Tag (HIT)
    • Compatible with IPv6 address
    • Statistically unique
    • Probability of collisions is negligible
  • Local Scope Identity (LSI)
    • Compatible with IPv4 address
    • Probability of collisions is significant
    • Restricted to local scope


[Diagram: Host Identity (private key / public key) → one-way hash → 128-bit Host Identity Tag → last digits → 32-bit Local Scope Identifier]
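The derivation sketched in the diagram, carried through as an added example (not code from the slides or from Tempered Networks): the HIT follows the ORCHIDv2 construction that RFC 7401 uses (prefix 2001:20::/28, a 4-bit HIT Suite ID, then 96 bits of SHA-256 over a fixed context ID and the Host Identity), the LSI is taken from the low-order 32 bits of the HIT as the diagram's "last digits" shows, and a birthday-bound function makes the "negligible" versus "significant" collision probabilities concrete. The sample public-key bytes are constructed, not a real key.

```python
import hashlib
import ipaddress
import math

# RFC 7401 section 3.2: fixed context ID that binds an ORCHID to the HIP namespace.
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")
# RFC 7343 (ORCHIDv2): 28-bit prefix 2001:20::/28, a 4-bit OGA ID, then 96 hash bits.
ORCHID_PREFIX_28 = 0x2001_0020 >> 4
# RFC 7401 HIT Suite ID 1 = RSA/DSA with SHA-256, in its 4-bit (OGA ID) form.
HIT_SUITE_RSA_DSA_SHA256 = 1
HIT_NETWORK = ipaddress.ip_network("2001:20::/28")


def host_identity_tag(host_identity: bytes,
                      oga_id: int = HIT_SUITE_RSA_DSA_SHA256) -> ipaddress.IPv6Address:
    """Derive the 128-bit, IPv6-compatible HIT from a Host Identity (public key)."""
    digest = hashlib.sha256(HIP_CONTEXT_ID + host_identity).digest()
    # Encode_96(): the middle 96 bits of the 256-bit digest, i.e. bytes 10..21.
    middle_96 = int.from_bytes(digest[10:22], "big")
    return ipaddress.IPv6Address((ORCHID_PREFIX_28 << 100) | (oga_id << 96) | middle_96)


def local_scope_identifier(hit: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """Slide diagram: the 32-bit, IPv4-compatible LSI is the low-order 'last digits' of the HIT."""
    return ipaddress.IPv4Address(int(hit) & 0xFFFF_FFFF)


def hosts_for_half_collision_chance(id_bits: int) -> float:
    """Birthday bound: about how many random id_bits-bit identifiers give a 50% chance of a collision."""
    return math.sqrt(2 * math.log(2) * 2 ** id_bits)


# Constructed stand-in for the DER-encoded public key carried in a HOST_ID parameter;
# a real HI is much longer, but the derivation is identical.
SAMPLE_HOST_IDENTITY = bytes.fromhex("30819f300d06092a864886f70d010101050003818d00308189028181")

if __name__ == "__main__":
    hit = host_identity_tag(SAMPLE_HOST_IDENTITY)
    print("HIT:", hit, "inside", HIT_NETWORK, "->", hit in HIT_NETWORK)
    print("LSI:", local_scope_identifier(hit))
    # Only the 96 hashed bits of a HIT carry entropy; an LSI has 32 bits in total.
    for bits in (96, 32):
        print(f"{bits}-bit ids: ~{hosts_for_half_collision_chance(bits):.3g} hosts "
              "before a 50% collision chance")
```

The 32-bit figure (tens of thousands of hosts) is why the slide restricts LSIs to local scope while treating HIT collisions as negligible.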

SLIDE 11

HIP in the Communication Stack

[Diagram: protocol stack with the HIP layer (Host Identity, HI) placed between the transport layer (TCP / UDP) and the network layer (IP); labels: HIP control, IPsec-protected payload, IP]

SLIDE 12

How IDN Fabric Overlays Existing Infrastructure

[Diagram: Device A and Device B on a public / shared network (untrusted), joined through the IDN fabric (trusted) by a HIPswitch and a HIPserver in front of an application server, with a Conductor orchestrating them]

Conductor: serves as device identity authority where trust-based policies are distributed to all HIP (Host Identity Protocol) Services

SLIDE 13

Secure Networking Made Simple

  • Host Identity Namespace - Global IP Mobility
  • Dynamic Device-Based Traffic Management
  • Instant Failover
  • Automated (API-driven) or Manual Control
  • Prevent IP Address Spoofing and MiTM attacks
  • Assign IDN Endpoints and Networks an Identity
  • Encrypted Fabric Extends all the Way to IDN Endpoints

[Diagram labels: Global Orchestration and Network Provisioning; Trust-Based Unique Cryptographic Identities (CID)]

SLIDE 14

The Cure to IT Complexity

  • Unified single-pane-of-glass management
  • Rapid point and click trust-based segmentation
  • Centralized governance, compliance, and policy enforcement
  • Build secure segmented networks instantly
  • Eliminate errors caused by complexity
  • Faster and more cost-effective failover
  • Simplified auditing and access control

Visual Orchestration Simplifies, Reduces Complexity & Errors. Reduces OpEx as much as 90%

SLIDE 15

A New Identity Networking Paradigm Made Simple

[Diagram: remote site networks & resources (Devices 10-12, 20-21 and 30-32 on 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24, gateways 192.168.10.1, 192.168.20.1, 192.168.30.1) and corporate network & resources, joined across the WAN / LAN through HIPswitches at 192.168.10.100 and 192.168.30.100, HIPclients for field technicians and remote employees, and a Conductor at 10.0.9.2; segments labelled "cloaked, segmented & mobile" and "protected, segmented, encrypted & mobile"]

Lower Costs, Simpler Environment

  • CapEx and OpEx decrease
  • Eliminate or reduce interior “next-gen” firewalls, VPNs, complex policies, ACLs, VLAN complexity, cert management

Unique Host Identity Approach

  • Host Identity Protocol (HIP): IETF ratified April 2015
  • True SDN overlay – little to no changes to network, security, or applications
  • Unshackles IP from serving as identity - frees IT from complexity
  • In production since 2006

Rapid Provisioning, Revocation, IP Mobility and Failover

  • Effortless segmentation & cloaking
  • One-click orchestration to connect, disconnect, move or failover any “thing”
  • Less than 1 second failover between any IDN endpoint
  • Build ID overlays (IDOs) on-demand based on situation

Significantly Reduced Attack Surface

  • No trust? No connectivity. No communication. No data.
  • VLAN “segmentation” traversal is now impossible.
  • Based on explicit device trust – all systems are invisible
  • 2048 bit Identity-Based connectivity, AES 256 encryption by default

SLIDE 16

The New Identity Networking Paradigm Creates Tremendous Value

  • Increase in network and security team productivity: 25%
  • Reduce networking and resource provisioning time up to: 97%
  • Decrease IT CapEx and OpEx costs up to: 25%
  • Make 100% of your connected IP resources invisible: 100%

SLIDE 17

The New Identity Networking Paradigm Creates Tremendous Value

  • Improve time to mitigation, revocation, and quarantine up to: 25%
  • Reduce attack surface up to: 90%
  • Decrease failover and disaster recovery times to as little as: 25%

SLIDE 18

Reduce Deployment Time

BEFORE TEMPERED (Week 1 through Week 7)

  • Ticket submitted to Network IT for new resources addition to corporate network.
  • Design for Routing, Firewall, VPN, and Switching Policies
  • Design Submitted to InfoSec for review and approval
  • Approval of Design by InfoSec
  • Implementation of Design by Network Ops
  • Implementation Review and Sign-Off by InfoSec
  • Go Live!

AFTER TEMPERED (Day 1)

  • Ticket submitted to Network IT for new resource.
  • Resource added with explicit trust relationships, segmentation and encryption. Verified by InfoSec.

Deployment time reduced by 97%

SLIDE 19

Increase Productivity

Increase in network and security team productivity: 25%

  • Focus on new network designs and policies that improve quality of service, monitoring and uptime.
  • Spend time on what really matters instead of crawling through access logs, ACLs, and checking FW rules.
  • Nearly instantly provision and revoke new services, and verify/test disaster recovery and failover.

SLIDE 20

Decrease IT Expenditures

Decreased IT CapEx and OpEx costs: 25%

[Diagram: before Tempered, a server behind a firewall, switch and VPN; after Tempered, a server behind a HIPswitch]

SLIDE 21

[Diagram, before Tempered: IT intranet, corporate network and cellular network linking users, a remote worker, Site 1, Site 3, Remote Site 4, a remote vendor, a data center and network & security management]

Make 100% of Connected IP Resources Invisible

  • Tempered Networks is the only technology based on the new identity networking paradigm enabled by the Host Identity Protocol (HIP).
  • No other solution on the market can cloak as effectively.
  • No other vendor can be deployed as easily across physical, virtual, and cloud networks.

SLIDE 22

Reduce Attack Surface

Up to: 90%

[Diagram: attack surface before Tempered and after Tempered]

SLIDE 23

Improve Time to Mitigation, Revocation, and Quarantine

Time to mitigation, revocation, and quarantine is improved by: 50%

  • Revocation of any resource within the IDN fabric is one click, or an automated API call, and happens instantly
  • The alternative is to check all VPNs, Firewalls rules, ACLs, and other policies to ensure that system is in fact quarantined or revoked

SLIDE 24

Decrease Failover and Disaster Recovery Time

Failover and Disaster Recovery times reduced to as little as one millisecond.

To as little as: 1ms

  • Every IDN endpoint or HIP Service is based on unique host identities, therefore failover can be applied from an entire datacenter (represented as a unique host identity), or to a server (represented as a unique host identity).
  • If one goes down in the IDN fabric, a simple automated (API) or manual update to the mesh tells all things that are communicating with it to fail over instantly to its backup in another pre-defined IDO

SLIDE 25

USE CASES SECTION

SLIDE 26

Use Cases

  • “SEGMENTED (QUARANTINED) VENDOR NET”
  • “INSTANT DISASTER RECOVERY, REVOCATION & QUARANTINE”
  • “EFFORTLESS SEGMENTATION, ENCRYPTION, AND IP MOBILITY”
  • “NETWORK AND IP RESOURCE CLOAKING”
  • “NETWORK VIRTUALIZATION & ORCHESTRATION - RAPID PROVISIONING”
  • “SECURE MACHINE TO MACHINE COMMUNICATION”
  • “CLOAK AND PROTECT LEGACY SYSTEMS”