Tempered Networks’ New Identity Networking Paradigm
The Cure for IT Risk, Cost, and Complexity – unified secure networking made simple
Tempered Networks’ Identity-Defined Network (IDN): it’s never been possible… until now
▪ Move any IP resource globally
▪ One-click segmentation: micro, macro, cross-realm
▪ Cloak and encrypt
▪ Instantly connect, disconnect, revoke
▪ Instant micro and macro failover
▪ New host identity namespace
▪ Unify networking and security based on identity
▪ Simplify to reduce capex and opex
▪ Segment to reduce business risk
▪ Orchestrate for speed, consistency, and simplicity
▪ Instantly network and secure any thing, anywhere, anytime
Traditional Networking is Complex, Costly and Fragile
[Diagram: users, a remote worker, a remote vendor, Site 1, the IT intranet, the corporate network, a data center gateway and switch block, and two data centers.]
“We didn’t focus on how you could wreck this (IP) system intentionally…
getting this thing to work at all was non-trivial.”
- Vint Cerf, Washington Post, November 2016
Lack of Identity: The Root Cause of Complexity, Cost, and Vulnerability
▪ Complex firewall and networking rule sets
▪ Routing policies, VLANs and ACLs overhead
▪ VPN access controls for each network
▪ DNS and routing updates for failover
… per networked “thing”
100% of network and security policies USE IP ADDRESSES as IDENTITY
(clients x resources) x (net & sec policy) x updates = complexity*
(c x r) x p = y*n, in continuous change
*Inspired by “An Attack Surface Metric,” Dr. Pratyusa Manadhata, Member, IEEE, and Dr. Jeannette Wing, Fellow, IEEE, IEEE Transactions on Software Engineering, 2010
The new Identity Networking paradigm is required

Internet 2.0 – “Network everything”
  Link (L1):            MAC address
  Network (L2-L3):      IP address
  Transport (L4):       IP address:port
  Application (L5-L7):  IP address:port

Internet 3.0 – “Network ONLY CRYPTO-IDENTIFIED things”
  Link:                          MAC address
  Network:                       IP address
  Host Identity Protocol (HIP):  Host Identity
  Transport:                     Host Identity Tag:port
  Application:                   Host Identity Tag:port

To a secure, mobile and private Internet: authenticate and authorize a “device” BEFORE transport is established.
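The Internet 3.0 stack above replaces the IP address with a Host Identity Tag (HIT), a 128-bit hash of the host’s public key that occupies the slot an IPv6 address would. The following is an added example, not Tempered Networks’ code, showing how HIP derives a HIT from a Host Identity under the ORCHIDv2 construction (RFC 7343 / RFC 7401) as this example’s author reads those RFCs; SAMPLE_HI is a constructed placeholder for an encoded public key.

```python
"""Host Identity Tag (HIT) derivation as HIP defines it (RFC 7401, using the
ORCHIDv2 construction of RFC 7343).  Added illustration, not Tempered
Networks' code; the RFC constants are quoted as this author reads the RFCs
and SAMPLE_HI is a constructed stand-in for a real encoded public key."""
import hashlib
import ipaddress

ORCHID_PREFIX = ipaddress.IPv6Network("2001:20::/28")  # ORCHIDv2 prefix (RFC 7343)
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")  # RFC 7401 s3.2
# HIT Suite -> (OGA ID nibble carried in the HIT, hash function), RFC 7401
HIT_SUITES = {
    "RSA/DSA-SHA256": (1, hashlib.sha256),
    "ECDSA-SHA384": (2, hashlib.sha384),
    "ECDSA_LOW-SHA1": (3, hashlib.sha1),
}
# Constructed placeholder for the Host Identity field of a HOST_ID parameter
# (a real HI is the DNSKEY-style encoded public key of the host).
SAMPLE_HI = b"\x01\x03" + bytes(range(32))


def encode_96(digest: bytes) -> int:
    """ORCHIDv2 Encode_96: keep the middle 96 bits of the hash output."""
    value = int.from_bytes(digest, "big")
    drop = (len(digest) * 8 - 96) // 2  # bits discarded on each side
    return (value >> drop) & ((1 << 96) - 1)


def hit_from_hi(hi: bytes, suite: str = "RSA/DSA-SHA256") -> ipaddress.IPv6Address:
    """HIT = Prefix (28 bits) | OGA ID (4 bits) | Encode_96(hash(Context ID | HI))."""
    oga_id, hash_fn = HIT_SUITES[suite]
    digest = hash_fn(HIP_CONTEXT_ID + hi).digest()
    hit = (0x2001002 << 100) | (oga_id << 96) | encode_96(digest)
    return ipaddress.IPv6Address(hit)


def is_hit(addr: str) -> bool:
    """True when an IPv6-looking address is actually a HIT (inside the ORCHID prefix)."""
    return ipaddress.IPv6Address(addr) in ORCHID_PREFIX


def hit_oga_id(addr: str) -> int:
    """Recover the OGA ID nibble, i.e. which hash suite produced this HIT."""
    return (int(ipaddress.IPv6Address(addr)) >> 96) & 0xF


if __name__ == "__main__":
    hit = hit_from_hi(SAMPLE_HI)
    print("HIT:", hit, "is_hit:", is_hit(str(hit)), "OGA ID:", hit_oga_id(str(hit)))
    # The identity changes with the key, not with where the host is attached.
    print("different key:", hit_from_hi(SAMPLE_HI + b"\x00"))
```

Because the HIT is bound to the key rather than to a location, the same identity survives a move between subnets, which is what lets policy follow the device instead of its address.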
Tempered Networks’ IDN Conductor
Control based on unique crypto-identity for every networked thing via an overlay fabric.
Seamless deployment, simple policy orchestration and enforcement based on identity.
Securely connect, cloak, segment, revoke, move, and failover instantly within the IDN’s encrypted fabric.
[Diagram: IDN Conductor with HIPservers, HIPswitch, HIPclients and HIPchip endpoints; connected things include IP cameras, PoS / ATMs, applications, databases, cloud workloads and containers.]
Public / Corporate Network: no identity, untrusted, unmanageable.
IDN Fabric: trusted, cloaked, segmented, encrypted.
Identity-Defined Networking (IDN) – the way forward
Securely network and orchestrate any thing, anywhere, anytime - instantly.
Reduce and accelerate the time to provision

BEFORE TEMPERED (Week 1 through Week 7):
▪ Ticket submitted to Network IT for new resource addition to corporate network.
▪ Design for routing, firewall, VPN, and switching policies.
▪ Design submitted to InfoSec for review and approval.
▪ Approval of design by InfoSec.
▪ Implementation of design by Network Ops.
▪ Implementation review and sign-off by InfoSec.
▪ GO LIVE!

AFTER TEMPERED (Day 1):
▪ Ticket submitted to Network team for new resource. InfoSec approved.
▪ GO LIVE!
Any resource can be added to the IDN fabric through explicit device-based authentication and authorization. Automatic inheritance of:
• Hardened segmentation
• Cloaking
• Military-grade encryption
between all IDN Endpoints.
Simple and consistent deployment by NetOps. Easily verified by InfoSec.
Secure networking time reduced by 97%.
Use case – oil and gas (ICS/SCADA)

Challenge:
➢ Failed audit
➢ Flat L2 network
➢ Duplicate IP addresses
➢ Provisioning time and politics
➢ Congestion on radio network
➢ No adequate redundancy

Benefit:
➢ Secure micro-segmentation
➢ TNI routes but leaves L2 network alone
➢ IP addresses are abstracted from the network, no need to re-IP
➢ OT controls their own network and destiny, IT no longer cares
➢ Allowed use of OSPF, radios became much more efficient
➢ Now has cell back-up
IDN Lab/Demo
[Diagram: Layer2 – Layer3 secure segmentation. Sites: Data Center 1, Data Center 2 (SIEM, services, database; VLAN 10 – 10.10.10.0/24 and VLAN 20 – 10.10.20.0/24), NOC, Remote Station, Sub 1, Sub 2 and Sub 3, connected over a routed WAN / MPLS. VLAN 10 – 10.10.10.0/24 appears at three of the sites.]
[Diagram: Conductor and HIP Relay providing on-demand HIP tunnels between the corporate network (WiFi users, applications, services, database), Data Center 1, Data Center 2, a distribution center, a remote location, a research facility, a supply chain, mobile field techs, and a 3rd party untrusted public network.]
Thank you