Stealth Networks- Private and Secure Networking for Critical Assets & Infrastructure July 2014 Ed Koehler - Avaya


Page 1: Stealth Networks- Private and Secure Networking for Critical Assets & Infrastructure

Stealth Networks - Private and Secure Networking for Critical Assets & Infrastructure

July 2014

Ed Koehler - Avaya

Page 2

© 2012 Avaya Inc. All rights reserved.

Why should you listen?

Because folks want to attack you!!!

– Critical Business information

– Personal and Credit data

– Just for the heck of it!

These folks are serious and they are well equipped with sophisticated tools

– It’s no longer kids looking for kicks or prestige

Avaya’s Fabric Connect provides services that, when properly implemented, CANNOT be attacked!

This creates a ‘Stealth Shield’ over the network that makes it invisible!

Page 3


Privacy in a Virtualized World

Network and Service Virtualization have transformed the IT industry

– Cloud Services

– Software Defined Networking

– BYOD and Mobility

Security and privacy concerns are being expressed by many risk and security analysts

Regulatory compliance in a virtualized environment can be a difficult bar to reach

Examples are PCI compliance, HIPAA, process flow and control (SCADA) environments (NERC/CIP), and video surveillance

Page 4


What makes this so difficult?

Traditional networking approaches utilize IP as a utility protocol to establish service paths

These paths are prone to IP scanning techniques that are used to:

– Discover network topology

– Identify key attack vectors

Using traditional approaches for privacy and separation is costly and complex

– Inadvertent routed black holes

– Poor resiliency

– High Cap/Ex and Op/Ex

Using IP as the utility for establishing paths means that those paths have to be visible. This creates a ‘catch 22’, which in turn creates complexity and cost

Page 5


Avaya’s Fabric Connect is truly Stealth!

Fabric Connect is not dependent upon IP to establish the service path

Service paths are established by the use of SPB Ethernet Switched Paths (ESPs) within Fabric Connect

As a result, path behaviors are established on a completely different plane

ESPs are ‘invisible to IP’

Page 6


The definition of a “Stealth” Network: any network that is enclosed and self-contained with no reachability into and/or out of it. It also must be mutable in both services and coverage characteristics

Avaya’s Fabric Connect, based on IEEE 802.1aq, provides fast and nimble private networking circuit-based capabilities that are unparalleled in the industry

Based on I-SIDs - NOT like MPLS IP VPN or VRF Lite!

– Simple, not complex

“Stealth” Networks are private ‘dark’ networks that are provided as services within the Fabric Connect cloud

– L2 Stealth

– A non-IP addressed L2 VSN environment

– L3 Stealth

– A L3 VSN IP VPN environment

Page 7


Data Protection: Segmentation comes first! Dark Reading™ recommendations…

Security includes all people, processes and technology

Validation on ‘where’ Private Data exists

– Trace processes and systems

– Develop flow diagrams of interacting systems & Private Data

Develop documented penetration testing specific to the Private environment

– ‘Hack Attack’ methodologies

– Ongoing evaluation of threats/vulnerabilities/risk

The more technologies involved in the private environment the more engineering & penetration testing required!

Fabric Connect used end to end eliminates most if not all other network technologies!

– Fabric Connect (IEEE 802.1aq)

– Can significantly reduce ACL requirements and enhance data flow validation!

– Firewalls/IDS – are collapsed into a virtualized security demarcation perimeter

– Servers/Storage – resides in encrypted virtualized storage hidden by stealth services

– Authentication/Authorization - Identity Engines!

– Management applications!

** Important consideration: ‘lock down’ the management environment. If it manages a system in the private environment, it is part of it!
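The "if it manages a system in the private environment, it is part of it" rule on this slide, together with the flow-diagram step above it, can be checked mechanically against a system inventory. The Python below is an added example for this page, not Avaya code and not part of the deck: it seeds the private scope with every system that handles Private Data or sits on the stealth VSN, then closes that scope over the "manages" relationship (transitively, so a jump host that administers a monitoring server which polls the card database is pulled in too) and reports anything required in scope that is not yet attached to the private network. The inventory, host names and relationships are constructed for the example.

```python
"""Scope-closure check for a private ("stealth") environment.

Constructed inventory (hypothetical names, not from the presentation):
  - SYSTEMS: each system and whether it is attached to the private VSN
  - MANAGES: (manager, target) edges such as jump hosts, monitoring, config push
  - PRIVATE_DATA_FLOWS: (src, dst) edges along which Private Data travels
Rule being checked: anything that handles Private Data is in scope, and any
system that manages an in-scope system is in scope as well (transitively).
"""
from collections import deque

SYSTEMS = {
    "pos-terminal-01": {"in_private_vsn": True},
    "app-server":      {"in_private_vsn": True},
    "card-db":         {"in_private_vsn": True},
    "monitoring":      {"in_private_vsn": False},  # polls card-db via SNMP
    "config-mgmt":     {"in_private_vsn": False},  # pushes config to app-server
    "jump-host":       {"in_private_vsn": False},  # admins SSH from here
    "hr-system":       {"in_private_vsn": False},  # receives an export from card-db
    "corp-wiki":       {"in_private_vsn": False},  # unrelated to the private data
}

MANAGES = [
    ("monitoring", "card-db"),
    ("config-mgmt", "app-server"),
    ("jump-host", "monitoring"),   # two hops away from card-db
    ("jump-host", "config-mgmt"),
]

PRIVATE_DATA_FLOWS = [
    ("pos-terminal-01", "app-server"),
    ("app-server", "card-db"),
    ("card-db", "hr-system"),      # the flow diagram step is what surfaces this
]


def required_scope(systems, manages, data_flows):
    """Return {system: reason} for every system that must be in the private
    environment. The reason records the first edge that pulled it in."""
    scope = {}
    for src, dst in data_flows:
        scope.setdefault(src, f"sends Private Data to {dst}")
        scope.setdefault(dst, f"receives Private Data from {src}")
    for name, attrs in systems.items():
        if attrs["in_private_vsn"]:
            scope.setdefault(name, "attached to the private VSN")

    # Reverse index: target -> set of systems that manage it.
    managers_of = {}
    for mgr, target in manages:
        managers_of.setdefault(target, set()).add(mgr)

    # Breadth-first closure over the "manages" relationship.
    queue = deque(scope)
    while queue:
        node = queue.popleft()
        for mgr in sorted(managers_of.get(node, ())):
            if mgr not in scope:
                scope[mgr] = f"manages {node}"
                queue.append(mgr)
    return scope


def scope_findings(systems, manages, data_flows):
    """Systems required in scope but not attached to the private VSN,
    as a sorted list of (system, reason) pairs."""
    scope = required_scope(systems, manages, data_flows)
    return sorted(
        (name, why) for name, why in scope.items()
        if not systems[name]["in_private_vsn"]
    )


if __name__ == "__main__":
    for name, why in scope_findings(SYSTEMS, MANAGES, PRIVATE_DATA_FLOWS):
        print(f"OUT OF SCOPE BUT REQUIRED: {name:16s} ({why})")
```

Run against the constructed inventory it flags the two management servers, the jump host behind them, and the HR system that receives an export; the wiki stays out because nothing connects it. Feeding it a real inventory exported from a CMDB or monitoring tool is the point: the findings are exactly the systems that either need to move onto the stealth VSN or have their management path cut.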

Page 8


[Diagram: Secure L3 “Stealth” Network (IP VPN) - Subnet A and Subnet B attached via VRFs across the Fabric Connect Cloud; Secure L2 “Stealth” Networks - VLAN mapped to I-SID end to end, Private Application (Client) in Core/Distribution to Private Application (Server) in the Data Center, with a Secure Single Port]

Modularity and sampling concept: ‘End to end Stealth’

[Diagram: Remote site systems (App/OS, Switch/Network) - Network Distribution - Firewall/IDS Security Demarcation - Data Center Systems (Compute Systems, Storage Systems, FW/IDS, IDE)]

Page 9


In Conclusion…

While IP Virtual Private Networks are nothing new, Avaya takes the concept to a new level with Fabric Connect

Flexible and nimble service extensions lend themselves to an incredibly mobile secure networking paradigm

– “Stealth” Networking – Fast, nimble and invisible

“Stealth” Networks can be used to facilitate traditional privacy concerns such as PCI and HIPAA compliance

Next generation private network requirements, such as mobility for emergency response, military and/or field-based operations

Avaya’s Fabric Connect can deliver all modes of secure private connectivity

– Layer 2 Stealth requirements

– Layer 3 Stealth requirements

– Mobile Stealth requirements
