Introducing ConnectGuard™ Cloud

ConnectGuard™ Cloud is the industry's first virtualized encryption technology. It safeguards data in multi- and hybrid-cloud environments and enables service providers to move away from IPSec-focused appliance-based solutions that are costly and inflexible. Based on ADVA's award-winning Ensemble Connector with its zero touch provisioning capabilities, ConnectGuard™ Cloud supports the roll out of secure cloud connectivity to thousands of endpoints within minutes.


  1. Introducing ConnectGuard™ Cloud. May 2018. Secure cloud connectivity for multi-cloud environments
  2. Overview of ConnectGuard Cloud
     • ConnectGuard Cloud technology is part of the ConnectGuard family
     • First in the industry to deliver virtualized end-to-end encryption in multi-cloud environments
     • Breakthrough for service providers and enterprises that want to move away from IPSec and appliance-based solutions that are costly and inflexible
     • Military-grade encryption can be deployed on any COTS server or in a public cloud infrastructure
     • Encryption at Layer 2, 3 or 4 as needed – match the encryption to the application
     • Automated key management for operational simplicity – no need for an externally managed IKE or PKI system
     • Based on the award-winning Ensemble Connector – with zero touch provisioning capabilities, customers can roll out secure cloud connectivity to thousands of endpoints within minutes
     © 2018 ADVA Optical Networking. All rights reserved.
  3. Agenda
     • Drivers for new encryption solutions
     • ConnectGuard™ Cloud in the ADVA portfolio
     • Benefits of ConnectGuard™ Cloud
     • Summary and additional resources
  4. Drivers for new encryption solutions
  5. When your destination is the cloud … you'll need a secure path to get there
  6. Industry observations on security
     Security threats to enterprises are real and growing
     • Threats include loss of data, compromised secrets, civil suits
     • Statutory and regulatory requirements (e.g., GDPR) are raising the importance of compliance and the cost of non-compliance
     Appliance-based security solutions are costly, inflexible, logistically difficult and not cloud-friendly
     • Any security solution must address hybrid cloud and multi-cloud applications
     New virtualized solutions provide a ground-breaking approach to address today's threats and limitations
     • They also open the door for complementary applications
  7. Encryption challenges
     • Latency: The application should determine at which layer to encrypt
     • Transparency: Support encryption over any kind of access or transport network
     • Applicability: Apply encryption at customer premises, data center or public cloud
     • Cost: Cost per encrypted bit and initial cost are important
     • Compatibility: Support services at the layer where they perform best
     • Efficiency: Encryption has an impact on resource and network utilization
  8. Virtual encryption delivers high-performance, flexible secure cloud connectivity
     Secure cloud connectivity use case
     Drivers for software endpoints
     • Cloud-native implementation for multiple public cloud environments where the endpoints must reside on cloud infrastructure rather than dedicated hardware appliances
     • SaaS applications in the cloud, where latency can create performance impacts
     • Regulatory requirements such as GDPR
     • Business or government networks where high-quality encryption is required
     Dynamic encrypted networking
     • Flexible encrypted mesh for policy-based secure VPNs
     • Application-aware encryption at L2/L3/L4
     • Supports point-to-point and hub-and-spoke topologies
     • Eliminates dependence on application-level encryption
     Security with uCPE upgrades
     • Upgrade with other security applications or enterprise apps
     Effective cost points
     • TCO analysis demonstrates software trumps appliances
     • Turnkey option for enterprise deployments
  9. Secure cloud connectivity: any-to-any
     [Diagram. Endpoints: public cloud #1, public cloud #2, private cloud, HQ, on-net branch, hybrid branch, off-net branch. Networks: public internet, IP-VPN (MPLS), CE L2VPN, SD-WAN hybrid WAN. Color key: encryption only / encryption + L2 tunnel.]
  10. ConnectGuard™ Cloud in the ADVA portfolio
  11. Secure connectivity across all networks
     • Secure cloud connectivity – endpoints: >1K to 100K
     • Secure VPN connectivity – endpoints: 100 to 1000
     • Secure data center connectivity – endpoints: 10 to 100
     [Figure labels: Cloud, Ethernet, Optical; physical connectivity, virtual connectivity, cloud connectivity; certified solution (shown twice).]
  12. ADVA ConnectGuard™ security suite (technology; product(s); application)
     • ConnectGuard™ Management; FSP NM Crypto Manager; encryption domain management
     • ConnectGuard™ Optical; FSP 3000; secure data center connectivity
     • ConnectGuard™ Ethernet; FSP 150; secure VPN connectivity
     • ConnectGuard™ Cloud; Connector Encryption, Ensemble Director; secure cloud connectivity
  13. ConnectGuard™ Cloud benefits
     Implemented in Ensemble Connector Encryption and Director
     Cloud-native software encryption can be hosted on uCPE or in cloud
     • End-to-end encryption in multi-cloud environments – prevents man-in-the-middle attack vectors
     • Flexible, policy-based and application-aware secure networking – point-to-point or mesh
     • Encryption at Layer 2, 3 or 4 as needed – match the encryption to the application
     • Based on FIPS-compliant technology from Senetas
     Compute and bandwidth efficiency
     • Greatly improved throughput, overhead and latency versus IPSec – 8-24 bytes O/H versus 76
     • Minimizes cost of hosting server – no need for hardware appliances
     Encrypted connections can be shared by multiple applications
     • No need to rely on SD-WAN or firewall encryption
     • Encryption functionality is separated from VNFs for layered security
     • Eliminates need for piecemeal application security
     Automated key management for operational simplicity
     • No need for an externally managed IKE or PKI system
  14. Why use Ensemble Connector?
     Connector provides cloud-native computing (Linux/KVM/OpenStack), plus:
     1. Accelerated vSwitch
     2. Carrier Ethernet 2.0
     3. Networking incl. LTE
     4. Zero touch commissioning (ZTC)
     5. Embedded cloud (OpenStack)
     6. Integrated OS with open interfaces
     7. Device scalability
     8. Telco management
     9. High availability
     10. Platform security
     11. Encryption engine
     12. Local router
     [Diagram: the Ensemble Connector stack (server with Intel Xeon® and Intel Atom®, Linux CentOS, KVM/QEMU hypervisor, Connector virtual switch, VNFs/VMs), annotated with the numbered items above, beside a standard cloud environment stack (same server, Linux and hypervisor, with an OVS and DPDK virtual switch and VNFs/VMs).]
  15. Benefits of ConnectGuard™ Cloud. Provided by Ensemble Connector Encryption
  16. Integrated key derivation function (KDF)
     • Integrated KDF for managing key lifecycle
     • Secure centralized key management that delivers keys from a FIPS-certified appliance
     • Automatic key updates managed with timestamps
     • Manages keys at Layer 2, 3 and 4
     • FIPS-compliant technology for multi-layer encryption
     • Random number generator with equivalent entropy to hardware platforms
     • Scales to thousands of endpoints
     • No master/slave requirement
     • Zero touch provisioning
  17. Flexible encryption options
     • AES-256 CTR/GCM mode
     • Confidentiality only OR confidentiality + authentication
     • Multi-layer simultaneous encryption policies
     • Layer 2: Ethernet (MAC or VLAN)
     • Layer 3: IPv4/v6 subnets
     • Layer 4: IP + port
     • NAT passthrough
     • Netflow/Jflow support
     • Policy-based routing
     Low overhead per packet. Best case is one third of the overhead per packet compared to military grade IPSec.
     Overhead:
     • 8 bytes for encryption header (sender ID, key bank, frame counter)
     • 4 bytes additional header for TCP (layer 4 encryption only)
     • 16 bytes additional authentication data (optional)
  18. Centralized key distribution with KDF
     Optional alternative to integrated KDF
     • Single centralized platform for managing key lifecycle
     • FIPS-certified server* distributes keys to all endpoints
     • Key server is tiered and redundant for resiliency
     • Uses industry standard key management protocol (KMIP)
     • Control plane isolation
     • Scales to hundreds of thousands of endpoints
     • Policy driven by:
       • Single key management system for all data
       • Key management required on specific site
       • FIPS requirements
     *SafeNet KeySecure or Senetas hardware encryptor as server
  19. Why not use IPSec?
     IPSec significantly impacts transmission performance
     Actual measurements from live test of 1Gbit/s traffic over internet
     [Chart. Configurations compared: IPSec over internet, Connector Encryption, plain internet. Values in slide order: throughput 56% – 86%*, latency 37 – 79* ms; throughput 16% – 20%*, latency 37 – 79* ms; throughput 56% – 95%*, latency 37 – 79* ms.]
     *Depending on frame size 64-1M bytes
  20. Summary and additional resources
  21. Summary
     Enterprises are moving workloads into the cloud, including consumption of IaaS, PaaS, and SaaS services, in both multi-cloud and hybrid cloud models
     Achieving multi-cloud benefits requires efficient, secure and transparent connectivity
     Need a software solution that is compatible with uCPE and cloud deployments
     • Encrypt all the way into the cloud
     • Using low-cost uCPE servers at the customer site
     • Efficient and low-overhead encryption
     Benefits:
     • Transport of Layer 2 traffic over Layer 2 or Layer 3 access
     • Software solution that is compatible with existing encryption deployments
     • Ability to encrypt at Layers 2, 3 or 4 depending on requirements of the application
     • Efficient encryption minimizes required processing and network overhead
     • Modular, cloud native architecture – supports uCPE and public cloud, provides choice
     • Sophisticated key management
     • Turnkey solutions available
  22. Additional resources
     • Securing zero touch for uCPE deployments
     • Using the Cloud to Secure the Cloud
     • Security is a many-layered thing*
     • Meet Anna and the future of virtualized encryption in the cloud
  23. Thank you
     IMPORTANT NOTICE: The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited. The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation. Copyright © for the entire content of this presentation: ADVA Optical Networking.