Private, Secure Networking for the Public Sector
Ed Koehler
Director – Distinguished Engineer
Ohio Digital Summit 2015

Privacy in a Virtualized World
• Network and Service Virtualization have transformed the IT industry
– Cloud Services
– Software Defined Networking

• Security and privacy concerns are being expressed by many risk and security analysts
• Regulatory compliance in a virtualized environment can be a difficult bar to reach
• Examples are PCI compliance, HIPAA, process flow and control (SCADA) environments, video surveillance, etc.

© 2014 Avaya Inc. All rights reserved.


Security Impact – What Makes this So Difficult?
• Traditional networking approaches utilize IP as a utility protocol to establish service paths
• These paths are prone to IP scanning techniques that are used to:
– Discover network topology
– Identify key attack vectors

• Using traditional approaches for privacy and separation is costly and complex
– Inadvertent routed black holes
– Poor resiliency
– High Capital Expenditure (CAPEX) and Operational Expenditure (OPEX)

• Using IP as the utility for establishing paths means that the paths have to be visible. This creates a ‘Catch-22’ which in turn creates complexity and cost


IP Address Explosion!
BGP tables are being overrun.
IPv6 is exacerbating the issue!
• Sensors and actuators require addresses
– IPv6 is a huge address space

• We cannot afford to waste IP space on transit routes!!!
– Non-IP path establishment technologies
– IEEE 802.1aq / IETF RFC 6329 Shortest Path Bridging
– Avaya Fabric Connect – IETF Draft enhancements for L3 and multicast

• There are also implicit security concerns in using IP as a path protocol
– IP scanning
– Infrastructure attack
– Confidential data breach

• If we can remove some of the dependency on IP to establish service paths EVERYTHING becomes much EASIER!


SPB is TRULY Stealthy!

• Fabric Connect is not dependent upon IP to establish the service path
– IP networks become ‘points of service’ within the Fabric

• Service paths are established by the use of SPB Ethernet Switched Paths (ESPs) within Fabric Connect
• As a result, path behaviors are established on a completely different plane
• ESPs are ‘invisible to IP’
• Helps to clear up IP address congestion and convoluted topologies
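As an added example (not from the deck and not Avaya code), a Python parser for an IEEE 802.1ah MAC-in-MAC frame, the encapsulation SPBM uses for its Ethernet Switched Paths: a device that reads only the backbone header sees backbone MACs, a B-VID and the 24-bit I-SID, while the customer IPv4 addresses stay opaque payload until the backbone header is stripped at the edge. The sample frame, its MAC and IP addresses and the B-VID are constructed; I-SID 700 mirrors the deck's later `vlan i-sid 7 700` mapping.

```python
import struct

ETH_BTAG = 0x88A8    # 802.1ah backbone B-TAG (802.1ad S-tag ethertype)
ETH_ITAG = 0x88E7    # 802.1ah I-TAG carrying the 24-bit I-SID
ETH_8021Q = 0x8100   # customer VLAN tag
ETH_IPV4 = 0x0800

def parse_pbb_frame(frame):
    """Split a MAC-in-MAC frame into its backbone header and the customer frame it carries."""
    def mac(b):
        return ":".join(f"{x:02x}" for x in b)
    off, b_vid = 12, None
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == ETH_BTAG:                      # B-TAG is optional
        b_vid = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != ETH_ITAG:
        raise ValueError("not an 802.1ah frame: I-TAG missing")
    isid = struct.unpack_from("!I", frame, off + 2)[0] & 0x00FFFFFF
    return {"b_da": mac(frame[0:6]), "b_sa": mac(frame[6:12]), "b_vid": b_vid,
            "isid": isid, "inner": frame[off + 6:]}

def backbone_view(frame):
    """All a backbone-only observer reads: B-MACs, B-VID and I-SID. No IP address."""
    p = parse_pbb_frame(frame)
    return {k: p[k] for k in ("b_da", "b_sa", "b_vid", "isid")}

def inner_ipv4(frame):
    """Only after the backbone header is stripped at the edge does IPv4 become readable."""
    inner, off = parse_pbb_frame(frame)["inner"], 12
    et = struct.unpack_from("!H", inner, off)[0]
    if et == ETH_8021Q:                            # customer VLAN tag present
        off += 4
        et = struct.unpack_from("!H", inner, off)[0]
    if et != ETH_IPV4:
        return None
    ip = inner[off + 2:]
    return ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))

def build_sample_frame(isid=700, src="10.1.1.10", dst="10.1.1.20"):
    """Constructed sample: B-VID 4051, I-SID 700 (cf. the deck's 'vlan i-sid 7 700'),
    customer VLAN 7, minimal IPv4 header, no payload. MACs and IPs are made up."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    inner = (bytes.fromhex("00000c000001") + bytes.fromhex("00000c000002")
             + struct.pack("!HH", ETH_8021Q, 7) + struct.pack("!H", ETH_IPV4) + ip_hdr)
    return (bytes.fromhex("00000cbb0001") + bytes.fromhex("00000cbb0002")
            + struct.pack("!HH", ETH_BTAG, 4051) + struct.pack("!HI", ETH_ITAG, isid) + inner)
```

The backbone view is what a transit node, or a scanner attached to the backbone, can inspect; the customer addresses appear only from `inner_ipv4`, which models the edge bridge's decapsulation.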

Data Protection: Segmentation comes first!
Dark Reading™ recommendations…
• Security includes all people, processes and technology
• Validation of ‘where’ private data exists
– Trace processes and systems
– Develop flow diagrams of interacting systems & private data

• Develop documented penetration testing specific to the private environment
– ‘Hack Attack’ methodologies
– Ongoing evaluation of threats/vulnerabilities/risk

• The more technologies involved in the private environment, the more engineering & penetration testing required!

• Fabric Connect used end to end eliminates most if not all other network technologies!
– Fabric Connect (IEEE 802.1aq)
– Can significantly reduce ACL requirements and enhance data flow validation!

– Firewalls/IDS – are collapsed into a virtualized security demarcation perimeter
– Servers/Storage – reside in encrypted virtualized storage hidden by stealth services
– Authentication/Authorization – Identity Engines
– Management applications! Important consideration: ‘lock down’ the management environment. If it manages a system in the private environment, it is part of it!

A Fabric Enabled Enterprise
Driving a LOWER TCO through SIMPLIFICATION
[Diagram: consistent architecture from Data Center to Campus / Metro to Branch, based on an E-LINE provider service]

Rationale for Evolution – Public Sector Network Evolution
[Diagram: ONE Enterprise Fabric PROTOCOL spanning a tiered Data Center and converged infrastructure; the three panels and their bullets are listed below]
Reduced TCO & Utility pricing
• Multi-tenants, multi-services (16M+)
• Reduced time to service: minutes vs weeks
• Automated provisioning, edge-only provisioning
• Green IT – cooling – power, smart buildings
• Simplified architecture
Enhanced Security & Cloud scale
• 16M+ secure zones, IP hacking prevention
• PCI compliant, private stealth networks, secure BYOD & VDI
• Unmatched multicast scalability & reliability (IPTV, CCTV, digital signage, CC supervisor, CC desktop display, IP wallboards, etc.)
• Embedded monitoring tools; all cloud deployment models supported & PODs support
Business Continuity & DR Capabilities
• 6x9’s when it matters; extend @ cloud speed
• Application/context awareness; in-production service enablement; emergency services
• Native fabric extension; high performance DC fabric; VM mobility, lowest latency, highest performance east-west flows (near 20TB); in-service maintenance and operations

A Profound Impact on how networks will be built!
[Diagram: Legacy Model vs Avaya’s Fabric Connect]
Legacy Model – Data Center ONLY with legacy protocols: many control planes (PIM, OTV, 802.1), protocols run independently, complex nodal provisioning; result: instability & complexity
Avaya’s Fabric Connect – ONE PROTOCOL E2E (L2, L3, Unicast, Multicast) on 802.1 with OAM: one control plane, simple provisioning for end-to-end services; result: stability, scalability & simplicity
Native Secure Multi-Tenant Architecture
Enables “Security Zones” Enterprise-Wide
[Diagram: UC Zone, Corporate Zone, Guest Zone and Contractor Zone carried over one fabric]

Instability derived from complexity
SDN can’t solve this, we need a change

[Diagram: today’s protocol stacks are like a house of cards. The Protocol Stack (a stack of protocols) built from 802.3 (“Link comes up…”), RSTP/MSTP/PVST+, VLANs, OSPF, PIM, BGP and MPLS up to the business, with each layer converging only some time after the one beneath it (“0.8 seconds later…”, “0.5 seconds later…”, “1.2 seconds later…”, “20 seconds later…”)]

“Protocols are killing us… Protocols are like the never-ending bottle of pills, each one prescribed to remedy the problems introduced by the previous medication.”
http://packetpushers.net/does-trill-stand-a-chance-at-wide-adoption/#disqus_thread

What This Means In The Real World?
Configuring a single Layer 2 VPN (VLAN Extension)

Conventional L2 VPN (Cisco)
set routing-instances RI-IPN-L2L01 instance-type l2vpn
set routing-instances RI-IPN-L2L01 interface ge-0/0/8.700
set routing-instances RI-IPN-L2L01 interface xe-0/2/0.700
set routing-instances RI-IPN-L2L01 route-distinguisher 13.13.13.1:1013
(Now this might take a while…)
set routing-instances RI-IPN-L2L01 vrf-target target:64999:1013
(Actually, we need to speed things up…)
set routing-instances RI-IPN-L2L01 protocols l2vpn encapsulation-type ethernet-vlan
set routing-instances RI-IPN-L2L01 protocols l2vpn site H15-H15-IPN-L2L01 site-identifier 1
set routing-instances RI-IPN-L2L01 protocols l2vpn site H15-H15-IPN-L2L01 interface xe-0/2/0.700 remote-site-id 11
set routing-instances RI-IPN-L2L01 protocols l2vpn site RH15-H15-IPN-L2L01 site-identifier 11
set routing-instances RI-IPN-L2L01 protocols l2vpn site RH15-H15-IPN-L2L01 interface ge-0/0/8.700 remote-site-id 1
set interfaces ge-0/0/8 unit 700 description L2-IPN-L2L01
set interfaces ge-0/0/8 unit 700 encapsulation vlan-ccc
set interfaces ge-0/0/8 unit 700 vlan-id 613

First device done… now, onto the next…

Avaya Fabric Connect
vlan i-sid 7 700

DONE – end-to-end!

Modularity and sampling concept: ‘End to end Stealth’
[Diagram: Data Center Systems (storage systems, network distribution systems, firewall/IDS security demarcation, compute systems) and remote site systems (app/OS, switch/network) joined across a Fabric Connect Cloud. A private application data center (server) on a secure single port sits in Subnet A behind a VRF and VLAN with FW/IDS, is mapped to an I-SID across the core distribution, and reaches the private application (client) in Subnet B through its own VRF and VLAN. Secure L2 “Stealth” networks and a secure L3 “Stealth” network (IP VPN).]

In Conclusion…
• While IP Virtual Private Networks are nothing new, IEEE 802.1aq takes the concept to a new level with Fabric Connect
• Flexible and nimble service extensions lend themselves to an incredibly mobile secure networking paradigm
– “Stealth” Networking – Fast, nimble and invisible

• “Stealth” Networks can be used to address traditional privacy concerns such as PCI and HIPAA compliance
• They also fit next generation private network requirements such as mobility for emergency response, military and/or field-based operations
• Fabric Connect can deliver all modes of secure private connectivity
– Layer 2 Stealth requirements
– Layer 3 Stealth requirements
– Mobile Stealth requirements
