Secure Networking Simplified
Cal Jeffrey

Jun 26, 2020

Transcript
Page 1: Secure Networking Simplified - Data Connectors...Secure Networking With A Zero Trust Protocol Open standard delivers native network security and IP mobility Application (L5-L7) Transport

Secure Networking Simplified

Cal Jeffrey

Page 2: Traditional Networking and Security

Complex, costly, fragile, and porous

[Diagram: Device A reaches Device B across the Internet / WAN over Wireless, MPLS, Shared Campus and Cellular links; at each site the path runs through a Core Switch/Router, Edge Firewall/VPN, Internal Firewall, Edge Router and Managed Switch/Router]

Products: VPNs, Firewalls, Routers, Switches, NAC, Cell Modems etc.

Configurations: ACLs, Certificates, Firewall Rules, IPSec Tunnels, Port Management etc.

Page 3: Traditional Networking and Security At Scale

Complex, costly, fragile, and porous

[Diagram: the same Device A to Device B path is repeated per site (Core Switch/Router, Edge Firewall/VPN, Internal Firewall, Edge Router, Managed Switch/Router on each side of the Internet / WAN), and every hop is annotated with the state an operator must keep correct: SSH keys, certificates, ACLs, firewall rules, NAT, VPNs and VLANs. Each annotation carries a configuration fragment like the two below, repeated for every site.]

VPN and Firewall Rules (Cisco ASA-style fragment shown on the slide):

  interface gigabitethernet 0/3
   nameif dmz
   security-level 50
   ip address 192.168.2.1 255.255.255.0
   no shutdown
  same-security-traffic permit inter-interface
  route outside 0 0 209.165.201.1 1
  nat (dept1) 1 10.1.1.0 255.255.255.0
  nat (dept2) 1 10.1.2.0 255.255.255.0
  router rip
   network 10.0.0.0
   default-information originate
   version 2
  ssh 209.165.200.225 255.255.255.255 outside
  logging trap 5

VLAN Rules (Cisco IOS-style session shown on the slide; the prompts after "hostname CORP" are corrected to the new hostname):

  Router>enable
  Router#configure terminal
  Router(config)#hostname CORP
  CORP(config)#interface serial 0/0/0
  CORP(config-if)#description link to ISP
  CORP(config-if)#ip address 192.31.7.6 255.255.255.252
  CORP(config-if)#no shutdown
  CORP(config)#interface fastethernet 0/1
  CORP(config-if)#description link to 3560 Switch
  CORP(config-if)#ip address 172.31.1.5 255.255.255.252
  CORP(config-if)#no shutdown

Page 4: Secure Networking With A Zero Trust Protocol

Open standard delivers native network security and IP mobility

TCP/IP BASED NETWORKS - networks based on non-verifiable IP (UNTRUSTED)
  Application (L5-L7):   IP ADDRESS:Port
  Transport (L4):        IP ADDRESS:Port
  Network (L3):          IP Address
  Link & Data (L1-L2):   MAC Address

HIP BASED NETWORKS - networks based on verifiable device identity (TRUSTED)
  Application (L5-L7):   HOST IDENTITY TAG:Port
  Transport (L4):        HOST IDENTITY TAG:Port
  HOST IDENTITY (L3.5):  HOST IDENTITY PROTOCOL
  Network (L3):          IP Address
  Link & Data (L1-L2):   MAC Address

The Host Identity Protocol (HIP, RFC 7401) inserts a layer between IP and transport. Transports and applications bind to a Host Identity Tag, a 128-bit hash of the host's public key that stays fixed for the lifetime of the key, while the IP address becomes a locator that can change. Because the Tag is derived from a key, a peer is authenticated before any transport connection is accepted, and an established session survives a change of IP address (IP mobility).

Page 5: Identity Defined Networking (IDN) Platform

Secure and Segmented Peer-to-Peer Connectivity for Any Device, in Any Location

[Diagram: Device A and Device B each sit behind a HIPswitch 150; the two HIPswitches form an IDN Overlay Networking Fabric with Native Peer-to-Peer Encryption that rides over Your Existing Network (Core Switch/Router, Edge Firewall/VPN, Internal Firewall, Edge Router, Managed Switch/Router) and the Internet / WAN]

Page 6: The IDN Platform

IDN Orchestration - The Conductor: simple network management with automated policy configuration for all trusted IDN endpoints

IDN Enforcement Points - HIP Services: run on or adjacent to any host and act as the IDN enforcement point for network and security policy. Form factors: HIPswitch hardware, Virtual HIPswitch, Cloud HIPswitch, HIPserver, HIPclient

IDN Routing - HIPrelay: identity-based router delivering peer-to-peer connectivity between private or previously non-routable endpoints

Page 7: HIP Services: IDN Enforcement Points

Platform and Transport Ubiquity - A Single Platform Available for All Environments

Clients, Servers, Clouds, Hypervisors, and Appliances (HIPswitch 75, HIPswitch 150, HIPswitch 250, HIPswitch 500)

Page 8: Identity Defined Networking (IDN) Platform

Control Plane: Conductor (Identity Orchestration)
Data Plane: HIPrelay (Identity Routing)

[Diagram: Device A and Device B, each behind a HIPswitch 150, exchange traffic across the Internet / WAN through the HIPrelay in the data plane while the Conductor in the control plane pushes policy to both; the existing Core Switch/Router, Edge Firewall/VPN, Internal Firewall, Edge Router and Managed Switch/Router stay in place underneath]

Page 9: What Our Customers Experience

Objectives

▪ Reduce Costs

▪ Connect and Collect Data Faster

▪ Reduce Risk and Attack Surface

▪ Improve Network Availability and Performance

Business Challenges

▪ High communications costs

▪ Expensive forklift upgrades for legacy systems

▪ Costly and time-consuming audits

▪ Avoid public relations nightmare

▪ Decrease insurance liability

▪ Complicated deployment hinders time-to-value

▪ Getting better business intelligence

▪ Limited supply of experienced net/sec experts

▪ Downtime impacts customers and operations

▪ Meeting Service Level Agreements (SLAs)

▪ Avoiding service provider lock-in

Page 10: Penn State University Before Zero Trust Segmentation
Building Automation Systems (BAS) Network

[Diagram: Campus Data Center (HVAC servers, building access, camera NVR, lighting, research servers, IT servers), a DR Data Center and Cloud, a BioMed Research Building and Student Housing (cameras, HVAC systems, lighting, building access) all hang off the Internet / WAN through the usual chain of Data Jacks, Managed Switch, Edge Router, Edge Firewall, VPN, Cellular Modem and Internal Firewall; employees, students, faculty, guests and 3rd party technicians share the same network, and a "?" marks the unknown paths into the BAS]

Environment

• 640+ buildings distributed statewide

• Shared Layer 2 network controlled by IT

• Thousands of open data jacks per building

• Small OT network staff

• Hundreds of 3rd party contractors / vendors

• Immovable deadline (fall semester)

Technical Challenges

• No isolation / segmentation

• BAS unprotected (discoverable / accessible)

• Exposed to thousands of attack vectors

• Outages caused by frequent IT changes

• Broadcast storms caused by vendors

• Expensive, fragile, and still vulnerable

Page 11: Penn State University After Zero Trust Segmentation
Overlay Network Segments for Building Automation Systems (BAS)

[Diagram: a HIPswitch 150 fronts the HVAC, lighting, building access and camera/NVR systems in each building (BioMed Research Building, Student Housing); HIPservers protect the Campus Data Center, a HIPswitch for Cloud covers Cloud DR, and employees and remote technicians run HIPclients; the Conductor (Identity Orchestration) and HIPrelay (Identity Routing) sit on the Internet / WAN side]

Benefits

• Segmented and private overlay network

• BAS systems undiscoverable / inaccessible by unauthorized systems

• Reduced attack vectors by 90%+

• Eliminated downtime and broadcast storms

• Reduced alarms by 50%

• Eliminated / simplified edge firewall rules

• Accelerated deployment by 10x for 1/4 of the cost

• Replaced IP complexity chain products

Page 12: Penn State University After Zero Trust Segmentation

Network, Segment, and Protect Building Automation Systems for 640+ Buildings

Traditional IT = Products: VPNs, Firewalls, Switches, NAC, Cell Modems etc. Configurations: ACLs, Certificates, Firewall Rules, IPSec Tunnels, Port Management etc.

Page 13: Vendor-Net (Manufacturing Example)

[Diagram: Rockwell, Siemens and GE admins reach their own vendor VLANs (Rockwell VLAN, Siemens VLAN, GE VLAN) through a Vendor DMZ; the SCADA NET spans Remote Area 1, Remote Area 2 through Remote Area N and Wifi; the Corporate side ("Everything": Users, Applications, Services, Database) shares the same fabric; a Conductor is present]

Page 14: Vendor Net (Trust Detail)

Page 15: Vendor-Net (HIP Enabled Clients)

[Diagram: the same manufacturing layout as Page 13, but the per-vendor VLANs are gone; Rockwell, Siemens and GE admins run HIPclients, reach the SCADA NET (Remote Area 1, Remote Area 2 through Remote Area N, Wifi) through a HIPrelay, and the Conductor holds the policy; the Vendor DMZ and Corporate "Everything" (Users, Applications, Services, Database) remain]

Page 16: Flow Description

[Diagram: a Remote Branch (WAN / MPLS, Wi-Fi, Dual Cell), a Data Center (WAN / MPLS, Services, Storage), Cloud Services (Services, Storage) and Public / Roaming users (Vendors, Developers, Admins, Users) all reach one another through HIP Relays; the Conductor provides Orchestration]

Flow Description

When HIP Services need to communicate, the policy defined on the Conductor is validated by both the HIPrelay and the associated HIP Services, ensuring that the peers are allowed to route through the specified HIPrelay cluster.

After policy is validated, the HIPrelays transparently connect HIP tunnels between the peer HIP Services, so the end-to-end encryption is unaltered: the relay forwards the encrypted traffic without terminating or re-encrypting it.

- The HIP Services connect to peers based on their Crypto-ID. The relay simply provides a connection bridge to the remote HIP Service, removing the requirement for inbound-initiated connections and public IPs at the edge.

- The HIPrelay(s) add an extra layer of validation by tracking both SPIs and SAs. Where a peer is not allowed to connect, the relay drops all requests from the unauthorized HIP Service, so HIP peers never receive the invalid requests.

- Both hybrid and traditional network deployment architectures are supported with relay deployments.

- None of the HIP Services, including the relay(s), have listening TCP/UDP ports. They only respond to valid Crypto-IDs, and the handshake (the HIP base exchange) happens below the Transport Layer, so an unauthenticated packet is discarded before any transport socket is involved.

- The assets/services are not visible or routable outside of the encrypted overlays. Nothing can see or connect to these assets without a valid HIP Service Crypto-ID.
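The Host Identity Tag of Page 4 and the relay behaviour described in the flow above can be made concrete with a short Python model. This is an added example, not Tempered Networks code and not the IDN platform's implementation. It derives a HIT the way RFC 7343 (ORCHIDv2) and RFC 7401 prescribe (28-bit prefix 2001:20::/28, 4-bit OGA ID naming the HIT Suite, then the middle 96 bits of the suite's hash over the HIP context ID and the encoded Host Identity), and then models a relay that admits a base exchange only when the Conductor policy (here a constructed set of allowed HIT pairs) permits the peer pair, records the SPI of each admitted security association, and drops data packets whose SPI it has never validated. The Host Identity byte strings, the HIPRelay class, the policy and the SPI values are all constructed for the demo; a real HOST_ID encoding of the public key is assumed rather than built.

```python
"""Added example: HIP Host Identity Tag derivation (RFC 7343 / RFC 7401)
plus a toy relay that enforces pair policy and tracks SPIs.
Not vendor code; Host Identities, policy and SPIs below are constructed."""
import hashlib
import ipaddress

# ORCHIDv2 layout: 28-bit prefix 2001:20::/28 | 4-bit OGA ID | 96-bit hash
ORCHID_PREFIX_28 = 0x2001002
ORCHID_NET = ipaddress.IPv6Network("2001:20::/28")
# Context ID that RFC 7401 assigns to HIP for the ORCHID hash input
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")
# HIT Suite -> (OGA ID nibble, hash function), RFC 7401 section 5.2.10
HIT_SUITES = {
    "RSA/DSA-SHA256": (0x1, hashlib.sha256),
    "ECDSA-SHA384": (0x2, hashlib.sha384),
    "ECDSA_LOW-SHA1": (0x3, hashlib.sha1),
}


def encode_96(digest: bytes) -> bytes:
    """Encode_96(): the middle 96 bits (12 bytes) of the hash output."""
    drop = (len(digest) - 12) // 2
    return digest[drop:drop + 12]


def host_identity_tag(host_identity: bytes,
                      suite: str = "RSA/DSA-SHA256") -> ipaddress.IPv6Address:
    """Derive the HIT for an encoded Host Identity (public key).
    ASSUMPTION: host_identity is already in the HOST_ID parameter encoding of
    RFC 7401; the demo feeds constructed bytes instead of a real key."""
    oga_id, hash_fn = HIT_SUITES[suite]
    digest = hash_fn(HIP_CONTEXT_ID + host_identity).digest()
    head = ((ORCHID_PREFIX_28 << 4) | oga_id).to_bytes(4, "big")  # 2001:2x
    return ipaddress.IPv6Address(head + encode_96(digest))


def is_hit(addr: ipaddress.IPv6Address) -> bool:
    """A HIT must fall inside the ORCHID prefix; anything else is not an identity."""
    return addr in ORCHID_NET


class HIPRelay:
    """Toy HIPrelay (constructed for this example): forwards a base exchange only
    for peer pairs the Conductor policy allows, remembers each admitted SPI, and
    drops ESP data for SPIs it never validated. It never sees plaintext."""

    def __init__(self, allowed_pairs):
        # policy pushed from the Conductor: unordered pairs of HITs
        self.policy = {frozenset(p) for p in allowed_pairs}
        self.sa_by_spi = {}  # SPI -> (initiator HIT, responder HIT)

    def handle_base_exchange(self, src_hit, dst_hit, spi: int) -> str:
        """HIP control packets carry both HITs, so the pair can be policy-checked."""
        if not (is_hit(src_hit) and is_hit(dst_hit)):
            return "DROP: not an ORCHID identity"
        if frozenset((src_hit, dst_hit)) not in self.policy:
            return "DROP: pair not in Conductor policy"  # peer never hears of it
        self.sa_by_spi[spi] = (src_hit, dst_hit)
        return "FORWARD"

    def handle_data(self, spi: int) -> str:
        """ESP data carries only an SPI; forward only if a validated SA owns it."""
        return "FORWARD" if spi in self.sa_by_spi else "DROP: unknown SPI"


def demo():
    """Run the flow from the slide on constructed identities; returns results."""
    hit_a = host_identity_tag(b"constructed HI of Device A")
    hit_b = host_identity_tag(b"constructed HI of Device B")
    hit_x = host_identity_tag(b"constructed HI of an unenrolled laptop")
    relay = HIPRelay(allowed_pairs=[(hit_a, hit_b)])
    results = {
        "a_to_b": relay.handle_base_exchange(hit_a, hit_b, spi=0x1001),
        "x_to_b": relay.handle_base_exchange(hit_x, hit_b, spi=0x2002),
        "bad_addr": relay.handle_base_exchange(
            ipaddress.IPv6Address("2001:db8::1"), hit_b, spi=0x3003),
        "data_good": relay.handle_data(0x1001),
        "data_stray": relay.handle_data(0x2002),
    }
    return hit_a, results


if __name__ == "__main__":
    hit, res = demo()
    print("HIT of Device A:", hit)
    for name, verdict in res.items():
        print(f"{name:>10}: {verdict}")
```

Two things the slide text only states become visible here: the unenrolled laptop's base exchange never reaches Device B (the relay answers DROP and creates no SA), and a data packet with a stray SPI is dropped even though the relay cannot read its payload. The policy check is a pair check on HITs, so the derivation matters: change one byte of the Host Identity and the HIT, and with it the policy match, changes.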

Page 17: Layer 2 - Layer 3 Secure Segmentation

[Diagram: Data Center 1 and Data Center 2 (SIEM, Services, Database) connect to Remote Locations 1, 2 and 3 and a NOC over a Routed WAN and MPLS; segments shown are VLAN 10 (10.10.10.0/24), VLAN 20 (10.10.20.0/24) and VLAN 30 (10.10.30.0/24), plus Wifi and the Corporate Network (Users, Applications, Services, Database); the Conductor manages the policy and Roaming Laptops reach the segments over On Demand HIP Tunnels]

Page 18: Peace Health Before Zero Trust Segmentation
Hospital and Clinic Network

[Diagram: the Health IT Data Center (VDI Farm, Infusion Pump Master Servers, MRI/PACS Servers, Payment Servers, EMR Servers, PACS Systems), Hospital 1 (Entry Level, 1st, 2nd and 3rd Floor: Gate Controls, Cafeteria Payments, HVAC Systems, Patient Intake, Patient Monitors, Building Controls, Nurses Station, Physicians, Epic Printers, MRIs, Ticketing Systems, Gift Shop Systems, EKG, Smart Beds), Clinic 2 (Infusion Pumps, Epic Printers, Physicians) and Remote Clinicians / Remote Physicians all reach the Internet / WAN through the same Managed Switch, Edge Router, Edge Firewall, VPN, Wi-Fi Client AP and Internal Firewall chain]

Environment

• 10 hospitals and 75 clinics

• Mixed Layer 2/3 network

• Juniper firewalls used for "segmentation"

• ~50,000 wired and wi-fi medical devices

• Acquiring clinics; rural with legacy systems

• High staff / medical device mobility

Impact

• No isolation / segmentation

• Medical devices (discoverable / accessible)

• Recognition that patient safety is at risk

• Exposed to thousands of attack vectors

• Complexity chain provisioning slow / porous

• Expensive, fragile, and still vulnerable

Page 19: Peace Health After Zero Trust Segmentation
Overlay Network Segments for Hospital and Clinic Network

[Diagram: the Conductor (Identity Orchestration) and HIPrelay (Identity Routing) sit on the Internet / WAN side; HIPswitch 500 units front the Health IT Data Center (Infusion Pump Master Servers, MRI/PACS Servers, Payment Servers) and the Hospital 1 floors (Epic Printers, MRIs, Physicians, Cafeteria Payments, Patient Monitors, Nurses Station, Ticketing Systems, Gift Shop Systems, EKG), a HIPswitch 150 fronts Clinic 2 (Epic Printers, Infusion Pumps), and Remote Clinicians / Remote Physicians use HIPclients against HIPservers]

Benefits

• Segmented and private overlay networks

• Med devices undiscoverable / inaccessible by unauthorized systems

• Reduced attack vectors by 90%+

• Telecom savings projected to be significant

• Eliminated Juniper firewalls

• Accelerated deployment by 10x for 1/4 of the cost

Page 20: Cruise Ship Before Zero Trust Segmentation
Shipboard Network

[Diagram: the Corporate Data Center (Crew, Vendor Technicians; Fire, Camera NVR, Navigation, Water, Propulsion and Payment Systems servers) reaches Ship 1 over the Internet / WAN through the usual Managed Switch, Edge Router, Edge Firewall, VPN, Wi-Fi Client AP and Internal Firewall chain; aboard, Servers, Restaurant Systems, Guest Access, Bridge Controls, Crew Access, Cameras, Gift Shop Systems, Duty Stations, Navigation and its HMI and Sensors, Fire Sensors and Fire Controller, Water Systems, Waste Water, Ballast Controller, Bar Payments, HVAC Sensors, Propulsion Systems and Lighting share one network]

Environment

• Floating city

• Shared Layer 2/3 network

• Cisco firewalls/networking for "segmentation"

• Thousands of IIoT endpoints

• Dry dock equals lost revenue

• Thousands of guests and crew

Impact

• No isolation / segmentation

• Critical systems exposed (nav, ballast, props)

• Complex and costly to maintain

• Exposed to thousands of attack vectors

• Complexity chain provisioning slow / porous

• Expensive, fragile, and still vulnerable

Page 21: Cruise Line After Zero Trust Segmentation
Overlay Network Segments for Shipboard Network

[Diagram: the Corporate Data Center (Crew, Vendor Technicians; Fire, Navigation, Water, Propulsion and Payment Systems servers) reaches Ship 1 over the Internet / WAN through the Conductor (Identity Orchestration) and HIPrelay (Identity Routing); aboard, HIPswitch 150 units front the Bridge Controls, Navigation and Navigation Sensors, Propulsion Systems, Fire Sensors and Fire Controller, Water Systems, Waste Water, Ballast Controller, HVAC Sensors, Lighting, Duty Stations, Bar Payments and Gift Shop Systems, with HIPclients and HIPservers for crew and vendor access]

Benefits

• Isolation / segmentation of all ship controls

• Eliminate east / west / north / south attack vectors

• Shipboard controls cloaked / invisible

• No dry dock, no lost revenue

• Eliminated IP conflicts

• Segmented vendor access

• Deploy 10x faster at a 30th of the cost

Page 22: Thank You!

Page 23: Appendix

Page 25: Build a Zero Trust IoT/Hybrid Cloud Network in 2 minutes

Install HIP services, add devices to your overlay, create policy