Upload
vuongtu
View
218
Download
0
Embed Size (px)
Citation preview
CTO PoV: Enterprise Networks (Part 2)Security for IoT & Cloud
Khalid RazaCTO & Co-Founder
Viptela
Danny JohnsonDirector, Product Marketing
Verizon
Viptela Confidential2
SD-WAN Architecture
MPLS Internet LTE
Hospital Branch Office
Data Center
End-userWireless Laptop
Printer
Smart Phones
Private Cloud
vSmart ControllerSecure OverlayControl plane
Data Plane
Analytics Engine
Medical Device
Management Plane
vEdge vEdge
Orchestration
GUI
vOrchestrator
§ Monitoring§ Provisioning§ Troubleshooting
Viptela Confidential3
Secure Control Plane ScaleSecurity at Routing Scale
§ De-centralized control plane§ IKE and Diffie-Hellman for key
exchange and security association establishment
§ O(N^2) complexity
§ Centralized control plane§ Extensible overlay management
protocol for security parameters exchange
§ O(N) complexity
Viptela Traditional
Viptela Confidential4
Any
Use
r/D
evic
e
Any
Del
iver
y
4GINTERNET MPLS
DC
IaaS
SaaS
3rdParty
DATACENTER CAMPUS BRANCH HOME OFFICE
CONTROL
MANAGEMENT ORCHESTRATION
Viptela - Enabling the Next Generation Enterprise Architecture
SD WAN I-IOT ANALYTICS CLOUD 3rd party connectivity
USERSAPPs
vFab
ric
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Case Study: 1200-site Bank
Customer challenges:• Deploy new high bandwidth video
application, new revenue ($$) • Security requirements across lines of
business• Avoid application outages during
network failures
How Verizon & Viptela helped:• Managed SD-WAN solution with
MPLS + Broadband + LTE at every location
• Cloud-managed overlay fabric with end-to-end security
• Isolated segments for each line of business
• Application policies with intelligent real-time steering
Public internet
Rapid deployment
Security / Isolation of Assets
1200+ branches
Verizon Private IP
Regional Offices
Verizon Secure CloudInterconnect
Consumer Mobile devices
Wifi, Geofencing
Digital signage
ATM’s and kiosks
Video conferencing
Data centers
Headquarters
Retailbranch
Time to Revenue
App Outages
Viptela Confidential6
DTLS/TLS Control Tunnel
Zero-Trust Security Principles
Control Elements
X.509 Certificate
Viptela Confidential7
Dramatic Scale Key management
Site 1 Site 2
IPSec
vEdgevEdge
vSmartController(s)Data traffic
Control Plane
IPSecSite 100Site 101
4GINTERNET MPLS
Viptela Confidential8
Infrastructure DDoS MitigationvEdge Routers
IPSec
vEdge Router
vSmartvBondvManage
RemotevEdge Routers
CPU
PacketForwarding
Else
§ Default Deny: All§ Default Allow: ICMP, DNS,
DHCP§ Manual Allow: SSH, NTP
§ Default Deny: All§ Allow: Specific IP/Port
(provided by vBond)
§ Default Deny: All§ Allow: Specific peers
(provided by vSmart)
Viptela Confidential9
Application FirewallDeep Packet Inspection
TransportsTransports
Transports
ServerUser
vSmartControllers
SitevEdge
Data CentervEdge
Data traffic
Control Plane
Update Update
ACL ACL
IPSec Tunnel
Match: ApplicationAction: Drop/Allow
Match: ApplicationAction: Drop/Allow
§ 3,000 individual applications and protocols
§ Application families App FingerprintingApp Fingerprinting
Viptela Confidential10
Stateful Network ServicesNetwork Service Insertion and Chaining
TransportsTransports
Transports
ServerUser
vSmartControllers
SitevEdge
Data CentervEdge
Data traffic
Control Plane
Update Update
IPSec Tunnel
Regional DC/ColovEdge
Network Service Nodes
Update
§ Strong security posture- Regionalized stateful network
service
§ Multiple network services - Service chaining