Trends in Enterprise Networking
-
Upload
rockwell-automation -
Category
Technology
-
view
384 -
download
2
description
Transcript of Trends in Enterprise Networking
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
PUBLIC INFORMATION
Trends in Enterprise Networking Dave Cronberger (Cisco Systems), Xuechen Yang (Cisco Systems)
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. 2
Agenda
Cisco TrustSec – Enable Identity-aware Network
SDN – Software Defined Networking
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Control and Data Plane resides within Physical Device
The Network Paradigm as We Know it…
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Software defined networking (SDN) is an approach to building computer networks that separates and abstracts elements of these
systems
What is SDN? (per Wikipedia definition)
Defining SDN
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
In other words…
In the SDN paradigm, not all processing happens inside
the same device
The SDN Paradigm
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
What did this “SDN” thing come from?
6
Stanford University – Clean Slate Project
http://cleanslate.stanford.edu/
“…explore what kind of Internet we would design if we were to start with a clean slate
and 20-30 years of hindsight.”
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
… Clean Slate led to the development of …
7
OpenFlow
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
OpenFlow is a Layer 2 communications protocol that gives access to the forwarding plane of a network switch or router over the
network
What is Openflow? (per Wikipedia definition)
Define Openflow
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Four parts to Openflow
Let’s take a closer look at Openflow …
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Central Administration and Operations
point for Network Elements
Openflow Controller
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Northbound API Integral part of
Controller
“Network enabled” application can make use
of Northbound API to request services from the
network…
Controller Northbound API
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Agent runs on the network device
Agent receives
instructions from Controller
Agent programs
device tables
Openflow Device Agent
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Openflow Protocol is…
“A mechanism for the Openflow Controller to communicate with Openflow Agents…”
Openflow Protocol
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Google has been using Openflow to drive their Wide Area Network since January 2011
http://www.eetimes.com/electronics-news/4371179/Google-describes-its-OpenFlow-network
Google’s SDN Network
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Open Network Foundation
15
Non Profit Consortium Dedicated to “the transformation of networks through SDN”
Mission to “commercialize and promote SDN…as a
disruptive approach to networking…”
Open Network Foundation
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Software Defined
Networking
Openflow is one flavor of SDN
Openflow Does Not Equal SDN
Software Defined
Networking
Openflow
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Virtual Overlays
17
Multiple “overlay” networks can co-exist at
the same time
Overlays provides logical network constructs for different
tenants (customers)
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Cisco’s ACI (Application Centric Infrastructure)
18
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. 19
Agenda
Cisco TrustSec – Enable Identity-aware Network
SDN – Software Defined Networking
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Challenges with Enterprise Security and Access Control Policy
20
Protected assets are defined by their network connection
• Policies are statically and manually configured
• Rules are based on network topology (subnets, addresses)
• IP Address does not provide user context or meaning
Method does not facilitate key Business / IT requirements like:
• Frequent organizational changes
• Mobile workforces
• Device choice
• Virtualization
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Introduce Cisco TrustSec
21
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
access-list 102 permit udp 126.183.90.85 0.0.0.255 eq 3256 114.53.254.245 255.255.255.255 lt 1780 access-list 102 deny icmp 203.36.110.37 255.255.255.255 lt 999 229.216.9.232 0.0.0.127 gt 3611 access-list 102 permit tcp 131.249.33.123 0.0.0.127 lt 4765 71.219.207.89 0.255.255.255 eq 606 access-list 102 deny tcp 112.174.162.193 0.255.255.255 gt 368 4.151.192.136 0.0.0.255 gt 4005 access-list 102 permit ip 189.71.213.162 0.0.0.127 gt 2282 74.67.181.47 0.0.0.127 eq 199 access-list 102 deny udp 130.237.66.56 255.255.255.255 lt 3943 141.68.48.108 0.0.0.255 gt 3782 access-list 102 deny ip 193.250.210.122 0.0.1.255 lt 2297 130.113.139.130 0.255.255.255 gt 526 access-list 102 permit ip 178.97.113.59 255.255.255.255 gt 178 111.184.163.103 255.255.255.255 gt 959 access-list 102 deny ip 164.149.136.73 0.0.0.127 gt 1624 163.41.181.145 0.0.0.255 eq 810 access-list 102 permit icmp 207.221.157.104 0.0.0.255 eq 1979 99.78.135.112 0.255.255.255 gt 3231 access-list 102 permit tcp 100.126.4.49 0.255.255.255 lt 1449 28.237.88.171 0.0.0.127 lt 3679 access-list 102 deny icmp 157.219.157.249 255.255.255.255 gt 1354 60.126.167.112 0.0.31.255 gt 1025 access-list 102 deny icmp 76.176.66.41 0.255.255.255 lt 278 169.48.105.37 0.0.1.255 gt 968 access-list 102 permit ip 8.88.141.113 0.0.0.127 lt 2437 105.145.196.67 0.0.1.255 lt 4167 access-list 102 permit udp 60.242.95.62 0.0.31.255 eq 3181 33.191.71.166 255.255.255.255 lt 2422 access-list 102 permit icmp 186.246.40.245 0.255.255.255 eq 3508 191.139.67.54 0.0.1.255 eq 1479 access-list 102 permit ip 209.111.254.187 0.0.1.255 gt 4640 93.99.173.34 255.255.255.255 gt 28 access-list 102 permit ip 184.232.88.41 0.0.31.255 lt 2247 186.33.104.31 255.255.255.255 lt 4481 access-list 102 deny ip 106.79.247.50 0.0.31.255 gt 1441 96.62.207.209 0.0.0.255 gt 631 access-list 102 permit ip 39.136.60.170 0.0.1.255 eq 4647 96.129.185.116 255.255.255.255 lt 3663 access-list 102 permit tcp 30.175.189.93 0.0.31.255 gt 228 48.33.30.91 0.0.0.255 gt 1388 access-list 102 permit ip 167.100.52.185 0.0.1.255 lt 4379 254.202.200.26 255.255.255.255 gt 4652 access-list 102 permit udp 172.16.184.148 0.255.255.255 gt 4163 124.38.159.247 0.0.0.127 lt 3851 access-list 102 deny icmp 206.107.73.252 0.255.255.255 lt 2465 171.213.183.230 0.0.31.255 gt 1392 access-list 102 permit ip 96.174.38.79 0.255.255.255 eq 1917 1.156.181.180 0.0.31.255 eq 1861 access-list 102 deny icmp 236.123.67.53 0.0.31.255 gt 1181 31.115.75.19 0.0.1.255 gt 2794 access-list 102 deny udp 14.45.208.20 0.0.0.255 lt 419 161.24.159.166 0.0.0.255 lt 2748 access-list 102 permit udp 252.40.175.155 0.0.31.255 lt 4548 87.112.10.20 0.0.1.255 gt 356 access-list 102 deny tcp 124.102.192.59 0.0.0.255 eq 2169 153.233.253.100 0.255.255.255 gt 327 access-list 102 permit icmp 68.14.62.179 255.255.255.255 lt 2985 235.228.242.243 255.255.255.255 lt 2286 access-list 102 deny tcp 91.198.213.34 0.0.0.255 eq 1274 206.136.32.135 0.255.255.255 eq 4191 access-list 102 deny udp 76.150.135.234 255.255.255.255 lt 3573 15.233.106.211 255.255.255.255 eq 3721 access-list 102 permit tcp 126.97.113.32 0.0.1.255 eq 4644 2.216.105.40 0.0.31.255 eq 3716 access-list 102 permit icmp 147.31.93.130 0.0.0.255 gt 968 154.44.194.206 255.255.255.255 eq 4533 access-list 102 deny tcp 154.57.128.91 0.0.0.255 lt 1290 106.233.205.111 0.0.31.255 gt 539 access-list 102 deny ip 9.148.176.48 0.0.1.255 eq 1310 64.61.88.73 0.0.1.255 lt 4570 access-list 102 deny ip 124.236.172.134 255.255.255.255 gt 859 56.81.14.184 255.55.255.255 gt 2754 access-list 102 deny icmp 227.161.68.159 0.0.31.255 lt 3228 78.113.205.236 255.55.255.255 lt 486 access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165 access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428 access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511 access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945 access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116 access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959 access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993 access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848 access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878 access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216 access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111 access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175 access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462 access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384 access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878 access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467 access-list 102 permit udp 126.183.90.85 0.0.0.255 eq 3256 114.53.254.245 255.255.255.255 lt 1780 access-list 102 deny icmp 203.36.110.37 255.255.255.255 lt 999 229.216.9.232 0.0.0.127 gt 3611 access-list 102 permit tcp 131.249.33.123 0.0.0.127 lt 4765 71.219.207.89 0.255.255.255 eq 606 access-list 102 deny tcp 112.174.162.193 0.255.255.255 gt 368 4.151.192.136 0.0.0.255 gt 4005 access-list 102 permit ip 189.71.213.162 0.0.0.127 gt 2282 74.67.181.47 0.0.0.127 eq 199 access-list 102 deny udp 130.237.66.56 255.255.255.255 lt 3943 141.68.48.108 0.0.0.255 gt 3782 access-list 102 deny ip 193.250.210.122 0.0.1.255 lt 2297 130.113.139.130 0.255.255.255 gt 526 access-list 102 permit ip 178.97.113.59 255.255.255.255 gt 178 111.184.163.103 255.255.255.255 gt 959 access-list 102 deny ip 164.149.136.73 0.0.0.127 gt 1624 163.41.181.145 0.0.0.255 eq 810 access-list 102 permit icmp 207.221.157.104 0.0.0.255 eq 1979 99.78.135.112 0.255.255.255 gt 3231 access-list 102 permit tcp 100.126.4.49 0.255.255.255 lt 1449 28.237.88.171 0.0.0.127 lt 3679 access-list 102 deny icmp 157.219.157.249 255.255.255.255 gt 1354 60.126.167.112 0.0.31.255 gt 1025 access-list 102 deny icmp 76.176.66.41 0.255.255.255 lt 278 169.48.105.37 0.0.1.255 gt 968 access-list 102 permit ip 8.88.141.113 0.0.0.127 lt 2437 105.145.196.67 0.0.1.255 lt 4167 access-list 102 permit udp 60.242.95.62 0.0.31.255 eq 3181 33.191.71.166 255.255.255.255 lt 2422 access-list 102 permit icmp 186.246.40.245 0.255.255.255 eq 3508 191.139.67.54 0.0.1.255 eq 1479 access-list 102 permit ip 209.111.254.187 0.0.1.255 gt 4640 93.99.173.34 255.255.255.255 gt 28 access-list 102 permit ip 184.232.88.41 0.0.31.255 lt 2247 186.33.104.31 255.255.255.255 lt 4481 access-list 102 deny ip 106.79.247.50 0.0.31.255 gt 1441 96.62.207.209 0.0.0.255 gt 631 access-list 102 permit ip 39.136.60.170 0.0.1.255 eq 4647 96.129.185.116 255.255.255.255 lt 3663 access-list 102 permit tcp 30.175.189.93 0.0.31.255 gt 228 48.33.30.91 0.0.0.255 gt 1388 access-list 102 permit ip 167.100.52.185 0.0.1.255 lt 4379 254.202.200.26 255.255.255.255 gt 4652 access-list 102 permit udp 172.16.184.148 0.255.255.255 gt 4163 124.38.159.247 0.0.0.127 lt 3851 access-list 102 deny icmp 206.107.73.252 0.255.255.255 lt 2465 171.213.183.230 0.0.31.255 gt 1392 access-list 102 permit ip 96.174.38.79 0.255.255.255 eq 1917 1.156.181.180 0.0.31.255 eq 1861 access-list 102 deny icmp 236.123.67.53 0.0.31.255 gt 1181 31.115.75.19 0.0.1.255 gt 2794 access-list 102 deny udp 14.45.208.20 0.0.0.255 lt 419 161.24.159.166 0.0.0.255 lt 2748 access-list 102 permit udp 252.40.175.155 0.0.31.255 lt 4548 87.112.10.20 0.0.1.255 gt 356 access-list 102 deny tcp 124.102.192.59 0.0.0.255 eq 2169 153.233.253.100 0.255.255.255 gt 327 access-list 102 permit icmp 68.14.62.179 255.255.255.255 lt 2985 235.228.242.243 255.255.255.255 lt 2286 access-list 102 deny tcp 91.198.213.34 0.0.0.255 eq 1274 206.136.32.135 0.255.255.255 eq 4191 access-list 102 deny udp 76.150.135.234 255.255.255.255 lt 3573 15.233.106.211 255.255.255.255 eq 3721 access-list 102 permit tcp 126.97.113.32 0.0.1.255 eq 4644 2.216.105.40 0.0.31.255 eq 3716 access-list 102 permit icmp 147.31.93.130 0.0.0.255 gt 968 154.44.194.206 255.255.255.255 eq 4533 access-list 102 deny tcp 154.57.128.91 0.0.0.255 lt 1290 106.233.205.111 0.0.31.255 gt 539 access-list 102 deny ip 9.148.176.48 0.0.1.255 eq 1310 64.61.88.73 0.0.1.255 lt 4570 access-list 102 deny ip 124.236.172.134 255.255.255.255 gt 859 56.81.14.184 255.55.255.255 gt 2754 access-list 102 deny icmp 227.161.68.159 0.0.31.255 lt 3228 78.113.205.236 255.55.255.255 lt 486 access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165 access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428 access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511 access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945 access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116 access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959 access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993 access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848 access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878 access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216 access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111 access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175 access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462 access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384 access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878 access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
22
Simplified Access Management
Accelerated Security Operations
Consistent Policy Anywhere
• Manages policies using plain language
• Control access to critical assets by business role
• Maintain policy compliance
• Segments networks using central policy management
• Enforces policy on wired, wireless & VPN
• Scales to remote, branch, campus & data center
• Quickly onboard servers
• Speed-up adds, moves and changes, eliminate many
• Automate FW & ACL administration
Traditional Security Policy
Taking Complexity out of Network Security
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Traditional Security Administration
23
Adding destination Object
Adding source Object
ACL for 3 source objects & 3 destination objects
permit NY to SRV1 for HTTPS deny NY to SAP2 for SQL deny NY to SCM2 for SSH permit SF to SRV1 for HTTPS deny SF to SAP1 for SQL deny SF to SCM2 for SSH permit LA to SRV1 for HTTPS deny LA to SAP1 for SQL deny LA to SAP for SSH
Permit SJC to SRV1 for HTTPS deny SJC to SAP1 for SQL deny SJC to SCM2 for SSH permit NY to VDI for RDP deny SF to VDI for RDP deny LA to VDI for RDP deny SJC to VDI for RDP
A Global Bank dedicated 24 global resources
to manage Firewall rules currently
Complex Task and High OPEX continues
Traditional ACL/FW Rule
Source Destination
NY
SF
LA
DC-MTV (SRV1)
DC-MTV (SAP1)
DC-RTP (SCM2)
NY
10.2.34.0/24
10.2.35.0/24
10.2.36.0/24
10.3.102.0/24
10.3.152.0/24
10.4.111.0/24
…. SJC DC-RTP (VDI)
Production
Servers
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Security Administration with TrustSec
24
Permit Employee to Production_Servers eq HTTPS Deny Employee to Production_Servers eq SQL Deny Employee to Production_Servers eq SSH Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers Deny BYOD to VDI eq RDP
Policy Stays with Users / Servers regardless of location/topology
Simple to define, Audit, and Manage
Less operational effort and faster to deploy new services
Security Group
Filtering
NY
SF
LA
DC-MTV (SRV1)
DC-MTV (SAP1)
DC-RTP (SCM2) SJC DC-RTP (VDI)
Production
Servers
VDI Servers
BYOD
Employee
Source SGT:
Employee (10)
BYOD (200)
Destination SGT:
Production_Servers (50)
VDI (201)
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Flexible Classification for SGT
25
VLAN-SGT
IP-SGT
Port
Profile
Port-SGT
IPv4 Prefix
Learning
IPv6 Prefix
Learning IPv6 Prefix-
SGT
IPv4 Subnet-SGT
802.1X
MAB
Web
Auth
Profiling
SGT
SGT
Addr.Pool-SGT
VLAN-SGT
Data Center/
Virtualization
User/Device/Location
Cisco access layer
ISE
NX-OS/
CIAC/
Hypervisors
IOS/Routing
Campus
& VPN Access
non-Cisco
& legacy env
Business Partners & Supplier access controls
SGT
• TrustSec decouples network topology and security policy to simplify access control and segmentation
• Classification process groups network resources into Security Groups
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
SGT Propagation
26
Wired
Access
Wireless
Access
DC Firewall
Enterprise
Backbone
DC
Virtual
Access Campus Core DC Core
DC
Distribution
Physical
Server
Physical
Server
VM
Server
VM
Server
DC
Physical
Access
SGT 20
SGT 30
IP Address SGT SRC
10.1.100.98 50 Local
SXP IP-SGT Binding Table
SXP
SGT = 50
ASI
C
ASI
C
Optionally Encrypted
Inline SGT Tagging
SGT=50
ASI
C
L2 Ethernet Frame
SRC: 10.1.100.98
IP Address SGT
10.1.100.98 50 SXP
Non-SGT
capable
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Typical TrustSec Deployments
27
Enhanced network role-based access control
Controlled access to compliance-critical assets
Context-based classification facilitating BYOD access control
Improved scale compared to IP-based ACLs
Flexible network segmentation
Segmentation to support compliance needs
Allow shared services with user segmentation
User-to-user malware propagation control
Lines of Business / Extranet access control
Zero Touch Firewall rule provisioning
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Securing Your BYOD with TrustSec
28
Segmentation using Security
Group, independent from
topology
Offload filtering to ASA for rich
and scalable policy rule
automation
Simplified network design,
lowering operational cost
WLC
CAPWAP Tunnel
Internet VLAN
BYOD Tag
POS Tag
Audit Tag
SGACL/FW
Device
ISE
BYOD Device Audit
DC-PCI-DB
DC-PCI-Web
Local PCI
Server
Payment System
Source Destination Action
IP Sec Group IP Sec Group Service Action
Campus WLAN BYOD Device Any Internet HTTP Allow
Any Payment
System
Any DC-PCI-Web,
Local PCI Server
HTTPS Allow
Any Audit Any DC-PCI-DB TCP Allow
Any Any Any Any Any Deny
Single VLAN
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Campus User Segmentation
29
Voice Employee Guest Quarantine
Employee Tag
Supplier Tag
Guest Tag
Quarantine Tag
Data Center
Firewall
Voice
Building 3
Data VLAN
Campus Core
Data Center
Main Building
Data VLAN
Employee Quarantine
Enforcement is based
on Security Group,
even for
communication in
same VLAN
Employee
Supplier
Guest
Employee SRC
DST Supplier Remed. Internet
✗
✗
✗
✔ ✗
Quarantine ✗ ✗ ✗ ✗ ✔
✔
✔ ✗
✔ ✗
✔
Access Layer
Employee
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Cisco TrustSec Summary
30
Efficient
Simplifies implementation of security policy
Highly scalable & Inline rate
Simplifies Data Center network design
Secure
Embed security within the infra
Enforcement based on rich context
Solution simplicity enables end-to-end approach
Demonstrable ROI
Reduces ACL and VLAN complexity & maintenance
Automates FW policy
Improve both performance & availability
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
IPV6 is Happening
Ever So Slowly
31
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
So What’s Your Address?
Sta
tus
Why everyone is quiet on IPv6 ?
Going forward
What is it Where will it start
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Why everyone is quiet on IPv6?
Enterprises find no panic condition to adopt IPv6
Migration to IPv6 is not into the priority list of decision makers
End consumer lacks readiness of IPv6
Governments lagging in their deployment targets
Lots of doubts and fear regarding adoption of IPv6
Conversation around IPv6 is low..
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Why everyone is quiet on IPv6? Short government initiatives, and no urgent need
Source: Current Analysis (August, 2013), ITU, Tech Target, IT Business Edge, Caribbean Network Operators Group
• Even after the exhaustion of IPv4 address, service providers and enterprises are in no hurry for IPv6 Enterprises are not finding in any reason to migrate on IPv6 network, as till date IPv4 works
well both inside and outside the enterprise network With various technologies such as NAT, enterprises holds the power of sticking to IPv4 until
there is a compelling reason to migrate
• Availability of IPv4 transfer policies between inter and intra RIR’s (Regional Internet Registry) has further delayed the necessity for adoption of IPv6
• IPv4 to IPv6 migration is still pretty low on the priority list of network administrators – Current Analysis, August- 2013
• Outside of telco’s and technology companies, moving to IPv6 is rarely high on corporate IT agendas – Deloitte, April-2013
• Decision makers are finding themselves resistant to change as: Migration seems to be more of technology requirement not business requirement Lack of skilled manpower Not ready to share pie from shrinking IT Budgets
• Realization of actual need of IPv6 with newer technologies such as IoT, SDN, Cloud, etc. is still not felt
• Federal agencies are lagging far behind the supposed deadlines to upgrade their websites for IPv6
• Government agencies, facing budget constraints, have missed deadlines for migration – Deliotte, April-2013
• IPv6 deployment targets are missing because No regulatory and economic incentives to encourage IPv6 adoption No efforts to support and promote awareness and educational activities
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Why everyone is quiet on IPv6?
Lack of readiness and doubtful state is difficult to overcome
Source: Heavy Reading (March, 2013), Network Computing, GCN,
Deloitte,
• Much of the consumer electronics industry lacks the readiness of IPv6. Unfortunately, most consumers are not aware of these incompatibility issues Many older equipment's such as cable modems, digital set-top boxes,
home routers, smart TVs, DVD players, Blu-ray players, gaming consoles, and other devices that uses IPv4 protocol lacks IPv6 capability
• Consumer electronics industry should follow the lead and show greater support for IPv6 by churning out more IPv6-ready devices
• Currently, there is no rush from end consumers to migrate on IPv6 network, so no motivation for service providers for migration
• The principal challenge for operators is that IPv6 does not have direct backward compatible with IPv4 – Heavy Reading, March-2013.
• Fear of handling different types of network at same time, as SP/ISPs will have to maintain IPv4 operations with legacy equipment's, while adding IPv6 to the mix.
• Other than legacy IPv4 supported equipment's, IPv6 providers also need to revamp their software element
• Security complications in maintaining firewalls which are both IPv6 and IPv4 compatible
• Increase in security threat with auto-configuration feature of IPv6
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Going Where?
Pro
ject
sco
pe
Why everyone is quiet on IPv6 ?
Going forward
What is it Where will it start
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Going forward Implementation of IPv6 has been a marathon not a sprint race
Source: Heavy Reading (March, 2013) Current Analysis (August, 2013), IT
Business edge, GCN End-consumers need to get upgraded or replace their huge legacy electronics equipment, which is supporting IPv4 protocol but not IPv6 Status– End consumers are least motivated for migration to IPv6 supported equipment's
CDN and web hosting companies are required to increase IPv6-enabled content. Status– Number of people in the industry planning to implement IPv6 has increased, so IPv6 supported content for these users need to be ready
More professional services from service providers and IPv6 skilled workforce by enterprises is desired Status– Decision makers finding themselves resistant to adopt to IPv6 because of scarce skills
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
What is it Where will it start?
Pro
ject
sco
pe
Why everyone is quiet on IPv6 ?
Going forward
What is it Where will it start
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
What is it?
Service IPv4 IPv6
Addressing Range 32-bit, NAT 128-bit, Multiple Scopes
IP Provisioning DHCP SLAAC, Renumbering,
DHCP
Security IPSec IPSec
Mobility Mobile IP Mobile IP with Direct
Routing
Quality-of-Service Differentiated Service,
Integrated Service Differentiated Service,
Integrated Service
Multicast IGMP/PIM/MBGP MLD/PIM/MBGP, Scope
Identifier
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
340,282,366,920,938,463,374,607,432,768,211,456 (IPv6 Address Space - 340 Trillion Trillion Trillion)
vs
4,294,967,296 (IPv4 Address Space - 4 Billion)
.
Antares 15th Brightest star in the sky
Our Sun
You said it was how many?
Let’s assume our Sun represents 4 Billion Addresses
The IPv6 Address space would approach the size Antares
In fact, a proper comparison would be to compare Antares
with a Telephone Box
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
What does it look like?
16-bit hexadecimal numbers
Numbers are separated by (:)
Hex numbers are not case sensitive
Abbreviations are possible
• Contiguous blocks of zeros could be represented by (::)
Example: 2001:0db8:0000:130F:0000:0000:087C:140B
2001:0db8:0:130F::87C:140B
Double colon can only appear once in the address
• Leading zeros in a block can be omitted
Example: 2001:0db8:00e2:0300::087C:140B
2001:db8:e2:300::87C:140B
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
More then this will take a day…
Addresses are assigned to interfaces
Interface “expected” to have multiple addresses
Addresses have scope
Link Local
Unique Local
Global
Source Address Selection Algorithm selects source IP with scope ≥ than
scope of destination address
Addresses have lifetime (advertised via RA or DHCP)
Valid and preferred lifetime
Link Local Unique Local Global
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Bring Your Own…..?
This is really more about Wireless
Cooperate with IT or prepare to face failure
Device Management - MDM
Device Security – Integrated
This is why IPV6 will happen!
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
BYOD Use Cases
44
Differentiated Services, On-Boarding Securely
Personal and Corporate Devices
Deny Some Devices
Focus on Basic Services,
Guest Access
Broader Device Types
Internet Only
Posture from Mobile Device Management
Any Device, Any Ownership
MDM Compliance
LIMITED ADVANCED ENHANCED BASIC/GUEST
Environments with Tight Controls
Only Corporate Devices
IT Whitelist
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
AP AP AP AP
Services & Policies
Mgmt & Policy Architecture Outcomes: Scale and performance for ubiquitous wireless (20X)
Local traffic switching to avoid hair-pinning
Unified Policy for Wired and Wireless
Architected for HA
Brings new feature set to Wireless
CAPWAP (Data, Ctl)
Mobility, Mgmt
5508 / WiSM2
Software upgrade
Improving Mobile Experience Converged Wired/Wireless
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Integrated security & MDM Integration - Scope
Enrollment: (IS)-orchestrated to simplify user experience
o Non registered clients redirected to MDM registration page
o Non compliant clients will be given restricted access
Daily Access: network+device
o Update data from endpoint which can be tied into access policy
De-enrollment: Ability to Initiate Device Action from
ISE
o Device stolen -> need to wipe data on client Cisco MCMS
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Improving Mobile Experience WLAN Rate Limiting & QoS Prioritization
In combination with QoS
Helpful to prevent Guest WLAN traffic (or other less critical traffic) from
overrunning the WAN
Significant customer issue for customers due to BYOD and Mobile
Device explosion!
Wired Clients w/LAN traffic
Wireless Clients w/LAN traffic
Downstream
Upstream
Rate Limited
Both Upstream and Downstream traffic is rate limited by the AP
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
Integration with Virtualization Clients
Virtualized App Environment
Application Virtualization Client
Application Portability:
Delivering legacy/non-native apps to broad device set
Example: iPad does not support an application natively
Data Loss Prevention:
Securing Enterprise applications and data
Example: avoid storing data locally, use of virtualization for application subset – confidential, intellectual property, financial
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
BYOD will Force IPV6
Why
Literally 100’s of Thousands of devices
Cisco as an example:
65,500 employees
1 IP Phone
1 Smart Phone
1 Tablet
1 Laptop
That’s 65,500 x 4 = 262,000 addresses
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
But wait!
Now add:
Door locks
Thermostats
Security Cameras
Servers
PAC/PLCs
I/O
And…
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
We care what you think!
On the mobile app:
1. Locate session using
Schedule or Agenda Builder
2. Click on the thumbs up icon on
the lower right corner of the
session detail
3. Complete survey
4. Click the Submit Form button
51
Please take a couple minutes to complete a quick session survey to tell us how we’re doing.
2
3
4
1
Thank you!!
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
www.rsteched.com
Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.
PUBLIC INFORMATION
Questions?