
Private, Secure Networking for the Public Sector
Ed Koehler
Director Distinguished Engineer
Ohio Digital Summit 2015

Privacy in a Virtualized World

Network and Service Virtualization have transformed the IT industry
  Cloud Services
  Software Defined Networking

Security and privacy concerns are being expressed by many risk and security analysts
  Regulatory compliance in a virtualized environment can be a difficult bar to reach
  Examples are PCI Compliance, HIPAA, Process flow and control (SCADA) environments, Video Surveillance, etc.

2014 Avaya Inc. All rights reserved.

Security Impact: What Makes this So Difficult?

Traditional networking approaches utilize IP as a utility protocol to establish service paths
  These paths are prone to IP scanning techniques that are used to:
    Discover network topology
    Identify key attack vectors

Using traditional approaches for privacy and separation is costly and complex
  Inadvertent Routed Black Holes
  Poor resiliency
  High Capital Expenditure (CAPEX) and Operational Expenditure (OPEX)

Using IP as the utility for establishing paths means that the paths have to be visible. This creates a Catch-22, which in turn creates complexity and cost.


IP Address Explosion!

BGP Tables are being overrun.
IPv6 is exacerbating the issue!
  Sensors and actuators require addresses
  IPv6 is a huge address space

We cannot afford to waste IP space on transit routes!!!

Non-IP path establishment technologies
  IEEE 802.1aq / IETF RFC 6329 Shortest Path Bridging
  Avaya Fabric Connect: IETF Draft enhancements for L3 and multicast

There are also implicit security concerns in using IP as a path protocol
  IP Scanning
  Infrastructure Attack
  Confidential Data Breach

If we can remove some of the dependency on IP to establish service paths, EVERYTHING becomes much EASIER!


SPB is TRULY Stealthy!

Fabric Connect is not dependent upon IP to establish the service path
  IP Networks become points of service within the Fabric

Service Paths are established by the use of SPB Ethernet Switched Paths (ESPs) within Fabric Connect
  As a result, path behaviors are established on a completely different plane
  ESPs are invisible to IP
  Helps to clear up IP address congestion and convoluted topologies
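The two slides above ("Non-IP path establishment" and "ESPs are invisible to IP") rest on how SPB-M carries traffic: IEEE 802.1aq reuses the IEEE 802.1ah "MAC-in-MAC" encapsulation, so the backbone forwards on backbone MAC addresses, a backbone VLAN and a 24-bit service identifier (the I-SID), and the customer's IP header rides inside as payload. The following Python decoder is an added example written for this page, not code from the deck or from Avaya; the B-MACs, B-VID 4051, I-SID 700, customer MACs and the minimal IPv4 header are all constructed values. It shows what a core bridge consults to forward a frame versus what an edge bridge (or anyone with a tap on the backbone) can still recover: the encapsulation removes the inner IP from the forwarding plane, it does not encrypt it.

```python
"""Decode IEEE 802.1ah (Provider Backbone Bridging, "MAC-in-MAC") frames.

Added example, not code from the Avaya deck. SPB-M (IEEE 802.1aq) carries
customer frames inside an 802.1ah header; the backbone forwards on B-MAC,
B-VID and the 24-bit I-SID and never reads the customer's IP header.
All MACs, VIDs and the sample frame below are constructed for the demo.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETHERTYPE_BTAG = 0x88A8   # 802.1ad S-TAG TPID, reused as the 802.1ah B-TAG
ETHERTYPE_ITAG = 0x88E7   # 802.1ah I-TAG TPID
ETHERTYPE_IPV4 = 0x0800
ISID_MASK = 0x00FFFFFF    # the I-SID is the low 24 bits of the I-TAG control field


@dataclass
class PbbFrame:
    b_da: str             # backbone destination MAC: what the fabric forwards on
    b_sa: str             # backbone source MAC (the ingress edge bridge)
    b_vid: Optional[int]  # backbone VLAN id, None when no B-TAG is present
    i_sid: int            # service instance id: the "service" in Fabric Connect
    c_da: str             # customer destination MAC
    c_sa: str             # customer source MAC
    c_ethertype: int      # customer EtherType, e.g. 0x0800 for IPv4
    payload: bytes        # customer payload, opaque to the backbone


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_pbb(frame: bytes) -> PbbFrame:
    """Split an 802.1ah frame into backbone and customer headers.

    Raises ValueError when the frame carries no I-TAG, so a caller can tell
    encapsulated fabric traffic from plain or 802.1Q Ethernet.
    """
    if len(frame) < 22:  # B-DA, B-SA, B-TAG and the 6-byte I-TAG at minimum
        raise ValueError("frame too short for an 802.1ah header")
    b_da, b_sa = frame[0:6], frame[6:12]
    off = 12
    tpid, tci = struct.unpack_from("!HH", frame, off)
    b_vid = None
    if tpid == ETHERTYPE_BTAG:            # the B-TAG is optional in 802.1ah
        b_vid = tci & 0x0FFF
        off += 4
        tpid = struct.unpack_from("!H", frame, off)[0]
    if tpid != ETHERTYPE_ITAG:
        raise ValueError(f"expected I-TAG 0x88e7 at offset {off}, got 0x{tpid:04x}")
    if len(frame) < off + 6 + 12 + 2:     # I-TAG, C-DA, C-SA, customer EtherType
        raise ValueError("truncated I-TAG or customer header")
    i_tci = struct.unpack_from("!I", frame, off + 2)[0]
    i_sid = i_tci & ISID_MASK             # I-PCP/I-DEI/UCA bits are not needed here
    off += 6
    c_da, c_sa = frame[off:off + 6], frame[off + 6:off + 12]
    off += 12
    c_ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    return PbbFrame(_mac(b_da), _mac(b_sa), b_vid, i_sid,
                    _mac(c_da), _mac(c_sa), c_ethertype, frame[off:])


def build_pbb(b_da: bytes, b_sa: bytes, b_vid: int, i_sid: int, customer_frame: bytes) -> bytes:
    """Encapsulate a complete customer Ethernet frame as an SPB edge bridge (BEB) does."""
    b_tag = struct.pack("!HH", ETHERTYPE_BTAG, b_vid & 0x0FFF)
    i_tag = struct.pack("!HI", ETHERTYPE_ITAG, i_sid & ISID_MASK)
    return b_da + b_sa + b_tag + i_tag + customer_frame


def is_pbb(frame: bytes) -> bool:
    """True if the frame parses as 802.1ah, False for untagged or 802.1Q Ethernet."""
    try:
        parse_pbb(frame)
        return True
    except ValueError:
        return False


def backbone_forwarding_key(frame: bytes) -> Tuple[str, Optional[int], int]:
    """Everything a backbone core bridge (BCB) consults to forward: B-DA, B-VID, I-SID."""
    p = parse_pbb(frame)
    return p.b_da, p.b_vid, p.i_sid


def customer_ipv4_endpoints(frame: bytes) -> Optional[Tuple[str, str]]:
    """Inner IPv4 src/dst: only the egress edge, or a tap on the backbone, looks this deep."""
    p = parse_pbb(frame)
    if p.c_ethertype != ETHERTYPE_IPV4 or len(p.payload) < 20:
        return None
    src = ".".join(str(b) for b in p.payload[12:16])
    dst = ".".join(str(b) for b in p.payload[16:20])
    return src, dst


# Constructed customer frame: C-DA, C-SA, IPv4 EtherType, then a minimal
# 20-byte IPv4 header for 10.0.7.10 -> 10.0.7.20 (checksum left as zero).
SAMPLE_CUSTOMER_FRAME = (
    bytes.fromhex("020000000b0b") + bytes.fromhex("020000000a0a")
    + struct.pack("!H", ETHERTYPE_IPV4)
    + bytes.fromhex("4500001400010000401100000a00070a0a000714")
)

# Constructed backbone values: B-MACs of two edge bridges, B-VID 4051 and
# I-SID 700 (the number echoes the deck's "vlan i-sid 7 700" example).
SAMPLE_PBB_FRAME = build_pbb(bytes.fromhex("00bbcc000002"), bytes.fromhex("00bbcc000001"),
                             4051, 700, SAMPLE_CUSTOMER_FRAME)
```

Run on the constructed frame, `backbone_forwarding_key` returns only the B-DA, B-VID and I-SID, while `customer_ipv4_endpoints` still reads 10.0.7.10 and 10.0.7.20 out of the inner frame; the deck's "stealth" claim is therefore about the backbone not needing, and not exposing, IP reachability across transit links, not about confidentiality of the payload on the wire.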

Data Protection: Segmentation comes first!

Dark Reading recommendations
  Security includes all people, processes and technology
  Validation on where Private Data exists
    Trace processes and systems
    Develop flow diagrams of interacting systems & Private Data
  Develop documented penetration testing specific to the Private environment
    Hack Attack methodologies
    Ongoing evaluation of threats/vulnerabilities/risk

The more technologies involved in the private environment, the more engineering & penetration testing required!

Fabric Connect used end to end eliminates most if not all other network technologies!
  Fabric Connect (IEEE 802.1aq)
  Can significantly reduce ACL requirements and enhance data flow validation!
  Firewalls/IDS are collapsed into a virtualized security demarcation perimeter
  Servers/Storage reside in encrypted virtualized storage hidden by stealth services
  Authentication/Authorization: Identity Engines
  Management applications! Important consideration: lock down the management environment. If it manages a system in the private environment, it is part of it!

A Fabric Enabled Enterprise

Driving a LOWER TCO through SIMPLIFICATION

Based on E-LINE Provider Service

Consistent Architecture From Data Center to Campus / Metro to Branch

Rationale for Evolution

Reduced TCO & Utility pricing
Enhanced Security & Cloud scale
Business Continuity / DR Capabilities

ONE Enterprise Fabric PROTOCOL
  TIER Data Center
  Converged Infrastructure
  Multi-Tenants
  Multi-Services (16M+)

LOWER TCO
  Reduced Time to Service: Minutes vs weeks
  Automated Provisioning
  Edge-only provisioning
  Green IT: Cooling, Power
  Smart Buildings
  Simplified Architecture

Security: 16M+ Secure Zones
  IP hacking prevention
  PCI compliant
  Private Stealth networks
  Secure BYOD & VDI

Cloud Scale & Agility
  Unmatched Multicast scalability & reliability
    IPTV, CCTV, Digital Signage, CC supervisor, CC Desktop Display, IP Wallboards, etc.
  Embedded Monitoring Tools
  All cloud deployment models supported & PODs support
  6x9s when it matters
  Extend @ Cloud speed
  Application/Context Awareness
  In production service enablement
  Emergency Services

Business Continuity: DR Capabilities
  Native Fabric Extension
  High Performance DC Fabric
  VM Mobility, Lowest Latency, Highest performance East-West flows (near 20TB)
  In service maintenance and operations

Public Sector Network Evolution

A Profound Impact on how networks will be built!

Legacy Model
  Data Center ONLY with legacy protocols
  Number of control planes: PIM, OTV, ... stacked on 802.1 (Stability)
  Protocols run independently: Instability & Complexity
  Complex Nodal provisioning

Avaya's Fabric Connect
  ONE PROTOCOL E2E (L2, L3, Unicast, Multicast)
  Number of control planes: ONE protocol (802.1) plus OAM
  Stability, Scalability & Simplicity
  Simple provisioning for end-to-end Services

Native Secure Multi-Tenant Architecture

Enables Security Zones Enterprise-Wide
  UC Zone
  Corporate Zone
  Guest Zone
  Contractor Zone

2015 Avaya Inc. Confidential & Proprietary. All rights reserved. Do not duplicate, publish or distribute further without the express written permission of Avaya.

Instability derived from complexity

SDN can't solve this, we need a change

Today's protocol stacks are like a house of cards
The Protocol Stack (a Stack of Protocols): MPLS, PIM, BGP, OSPF, MSTP, RSTP ... with the Business balanced on top

What happens after a link comes up:
  Link comes up: 802.3
  0.8 seconds later: RSTP/MSTP/PVST+
  0.5 seconds later: VLANs / Network
  1.2 seconds later: OSPF
  20 seconds later: PIM
  ... and only then the Business

Protocols are killing us
"Protocols are like the never-ending bottle of pills, each one prescribed to remedy the problems introduced by the previous medication."
http://packetpushers.net/does-trill-stand-a-chance-at-wide-adoption/#disqus_thread

What This Means In The Real World?

Configuring a single Layer 2 VPN (VLAN Extension)

Conventional L2 VPN (Cisco)
set routing-instances RI-IPN-L2L01 instance-type l2vpn
set routing-instances RI-IPN-L2L01 interface ge-0/0/8.700
set routing-instances RI-IPN-L2L01 interface xe-0/2/0.700
set routing-instances RI-IPN-L2L01 route-distinguisher 13.13.13.1:1013
(Now this might take a while)
set routing-instances RI-IPN-L2L01 vrf-target target:64999:1013
(Actually, we need to speed things up)
set routing-instances RI-IPN-L2L01 protocols l2vpn encapsulation-type ethernet-vlan
set routing-instances RI-IPN-L2L01 protocols l2vpn site H15-H15-IPN-L2L01 site-identifier 1
set routing-instances RI-IPN-L2L01 protocols l2vpn site H15-H15-IPN-L2L01 interface xe-0/2/0.700 remote-site-id 11
set routing-instances RI-IPN-L2L01 protocols l2vpn site RH15-H15-IPN-L2L01 site-identifier 11
set routing-instances RI-IPN-L2L01 protocols l2vpn site RH15-H15-IPN-L2L01 interface ge-0/0/8.700 remote-site-id 1
set interfaces ge-0/0/8 unit 700 description L2-IPN-L2L01
set interfaces ge-0/0/8 unit 700 encapsulation vlan-ccc
set interfaces ge-0/0/8 unit 700 vlan-id 613
First device done... now, onto the next...

Avaya Fabric Connect
vlan i-sid 7 700
DONE end-to-end!
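When the whole service definition collapses to one `vlan i-sid <vlan> <i-sid>` line, the I-SID becomes the segmentation boundary that the earlier "Data Protection" slide asks you to validate (where does private data exist, which systems interact), and the "Native Secure Multi-Tenant" slide's zones are just sets of I-SIDs. The following Python audit is an added example written for this page, not an Avaya tool or the deck's own code: it reads constructed `vlan i-sid` lines from three hypothetical edge switches (edge-1 to edge-3) against a hypothetical zone registry using the deck's zone names, and reports the mistakes that silently merge or orphan a zone: a VLAN bound to two I-SIDs on one switch, an I-SID outside the 24-bit range, an I-SID in a config that no zone owns, and an I-SID claimed by two zones. It also produces the per-zone attachment list that a flow diagram starts from. The only syntax assumed is the `vlan i-sid` form shown on the slide.

```python
"""Audit Fabric Connect I-SID bindings against a security-zone registry.

Added example, not Avaya code. Input is the `vlan i-sid <vlan> <i-sid>` line
form shown in the deck; switch names, zone registry and configs are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

ISID_MAX = (1 << 24) - 1          # 24-bit I-SID space: the deck's "16M+" services
VLAN_ISID_RE = re.compile(r"^\s*vlan i-sid (\d+) (\d+)\s*$")

# Constructed zone registry: zone name -> I-SIDs that belong to it
# (zone names taken from the deck's multi-tenant slide, I-SIDs invented).
ZONES: Dict[str, Set[int]] = {
    "UC Zone": {700},
    "Corporate Zone": {1000, 1001},
    "Guest Zone": {2000},
    "Contractor Zone": {3000},
}

# Constructed config excerpts from three hypothetical edge switches.
# edge-2 rebinds VLAN 30; edge-3 uses an unregistered and an out-of-range I-SID.
SWITCH_CONFIGS: Dict[str, str] = {
    "edge-1": "vlan i-sid 7 700\nvlan i-sid 10 1000\nvlan i-sid 20 2000\n",
    "edge-2": "vlan i-sid 7 700\nvlan i-sid 30 3000\nvlan i-sid 30 2000\n",
    "edge-3": "vlan i-sid 11 1001\nvlan i-sid 99 4500\nvlan i-sid 5 16777216\n",
}


def parse_isid_bindings(config_text: str) -> List[Tuple[int, int]]:
    """Return (vlan, isid) pairs from `vlan i-sid` lines; other lines are ignored."""
    bindings = []
    for line in config_text.splitlines():
        m = VLAN_ISID_RE.match(line)
        if m:
            bindings.append((int(m.group(1)), int(m.group(2))))
    return bindings


def isid_owner_map(zones: Dict[str, Set[int]]) -> Tuple[Dict[int, str], List[str]]:
    """Invert the registry to isid -> zone, reporting any I-SID claimed twice."""
    owner: Dict[int, str] = {}
    findings = []
    for zone, isids in zones.items():
        for isid in sorted(isids):
            if isid in owner:
                findings.append(f"registry: I-SID {isid} claimed by both '{owner[isid]}' and '{zone}'")
            else:
                owner[isid] = zone
    return owner, findings


def audit(switch_configs: Dict[str, str], zones: Dict[str, Set[int]]) -> List[str]:
    """Return human-readable findings; an empty list means every binding is consistent."""
    owner, findings = isid_owner_map(zones)
    for switch, text in switch_configs.items():
        vlan_to_isid: Dict[int, int] = {}
        for vlan, isid in parse_isid_bindings(text):
            if not 1 <= isid <= ISID_MAX:
                findings.append(f"{switch}: I-SID {isid} outside the 24-bit range")
                continue
            # Two I-SIDs on one VLAN would merge two services at this edge.
            if vlan in vlan_to_isid and vlan_to_isid[vlan] != isid:
                findings.append(f"{switch}: VLAN {vlan} bound to both I-SID {vlan_to_isid[vlan]} and {isid}")
            vlan_to_isid.setdefault(vlan, isid)
            # A service nobody registered is a segment nobody is reviewing.
            if isid not in owner:
                findings.append(f"{switch}: I-SID {isid} not registered to any security zone")
    return findings


def zone_members(switch_configs: Dict[str, str], zones: Dict[str, Set[int]]) -> Dict[str, Set[Tuple[str, int]]]:
    """Map each zone to its (switch, vlan) attachment points: the input to a data-flow diagram."""
    owner, _ = isid_owner_map(zones)
    members: Dict[str, Set[Tuple[str, int]]] = {zone: set() for zone in zones}
    for switch, text in switch_configs.items():
        for vlan, isid in parse_isid_bindings(text):
            if isid in owner:
                members[owner[isid]].add((switch, vlan))
    return members


if __name__ == "__main__":
    for finding in audit(SWITCH_CONFIGS, ZONES):
        print("FINDING:", finding)
    for zone, points in zone_members(SWITCH_CONFIGS, ZONES).items():
        print(zone, "->", sorted(points))
```

The audit deliberately stays at the binding level: it tells you which I-SIDs exist, who owns them and where they touch the edge, which is exactly the inventory the Dark Reading recommendations on the earlier slide call for before any penetration test is scoped. Whether an I-SID should be allowed to reach another one is a policy question that still needs the FW/IDS demarcation the deck draws between zones.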



Modularity and sampling concept: End to end

Stealth Data Center Systems
  Storage Systems
  Network Distribution Systems
  Firewall/IDS Security Demarcation
  Compute Systems

Remote site systems
  App/OS
  Switch/Network
  Secure Single Port

Diagram labels, server side: Private Application Data Center (Server), VRF, VLAN, FW/IDS, Subnet A, Secure L2 Stealth Networks
Diagram labels, fabric: Fabric Connect Cloud, I-SID, IDE, Core Distribution
Diagram labels, client side: Private Application (Client), VRF, Secure L3 Stealth Network (IP VPN), VLAN, Subnet B

In Conclusion

While IP Virtual Private Networks are nothing new, IEEE 802.1aq takes the concept to a new level with Fabric Connect
  Flexible and nimble service extensions lend themselves to an incredibly mobile secure networking paradigm
  Stealth Networking: Fast, nimble and invisible

Stealth Networks can be used to facilitate traditional privacy concerns such as PCI and HIPAA compliance
  Next generation private network requirements such as mobility for emergency response, military and/or field based operations

Fabric Connect can deliver all modes of secure private connectivity
  Layer 2 Stealth requirements
  Layer 3 Stealth requirements
  Mobile Stealth requirements
