The document discusses identifying networks in a complex company. It describes challenges with the company's asset database, including many outdated or duplicate entries for operating systems and support groups. It also notes the network maps and asset database do not have a clear correspondence to the physical network. The document advocates identifying currently used versus legacy systems, their functions, vulnerabilities, and how they are arranged on the network. It contrasts firewall-based versus routing-based network planning and some pros and cons of the firewall approach.

1. Confidentiality level C1 | 8 August 20111
Architecting Security
across global networks
Presented by Marco Ermini
8 August 2011

2. Confidentiality level C1 | 8 August 20112
A huge topic: where to start?
“Divide et impera”

3. Confidentiality level C1 | 8 August 20113
A huge topic: where to start?
• This will not be about how to architect a network, or about network
security in general - it is about network visibility.
“Divide et impera”

4. Confidentiality level C1 | 8 August 20114
A huge topic: where to start?
• This will not be about how to architect a network, or about network
security in general - it is about network visibility.
• You land in this complex company (or you acquire it) and you divide
your tasks:
“Divide et impera”

5. Confidentiality level C1 | 8 August 20115
A huge topic: where to start?
• This will not be about how to architect a network, or about network
security in general - it is about network visibility.
• You land in this complex company (or you acquire it) and you divide
your tasks:
1. Identify the networks
“Divide et impera”

6. Confidentiality level C1 | 8 August 20116
A huge topic: where to start?
• This will not be about how to architect a network, or about network
security in general - it is about network visibility.
• You land in this complex company (or you acquire it) and you divide
your tasks:
1. Identify the networks
2. Identify the challenges
“Divide et impera”

7. Confidentiality level C1 | 8 August 20117
A huge topic: where to start?
• This will not be about how to architect a network, or about network
security in general - it is about network visibility.
• You land in this complex company (or you acquire it) and you divide
your tasks:
1. Identify the networks
2. Identify the challenges
3. Identify the alternatives
“Divide et impera”

8. Confidentiality level C1 | 8 August 20118
Architecti
ng
Security
across
global
networks
Identify the networks
Identify the challenges
Identify the alternatives

9. Confidentiality level C1 | 8 August 20119
Identify the networks
• Network maps anyone?

10. Confidentiality level C1 | 8 August 201110
Identify the networks
• Network maps anyone?

11. Confidentiality level C1 | 8 August 201111
Identify the networks
• Network maps anyone?

12. Confidentiality level C1 | 8 August 201112
Identify the networks
• Network maps anyone?

13. Confidentiality level C1 | 8 August 201113
Identify the networks

14. Confidentiality level C1 | 8 August 201114
Identify the networks
• Asset DB anyone?

15. Confidentiality level C1 | 8 August 201115
Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:

16. Confidentiality level C1 | 8 August 201116
Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:
– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free
text fields

17. Confidentiality level C1 | 8 August 201117
Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:
– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free
text fields
– “OS”: circa 240 counted, without including the version number!

18. Confidentiality level C1 | 8 August 201118
Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:
– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free
text fields
– “OS”: circa 240 counted, without including the version number!
cs_os_name cs_os_versionnumber
SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10 10 9/10 | 10 9/10
SOLARIS 10 177
SOLARIS 10 1/06 820
SOLARIS 10 10/08 1413
SOLARIS 10 10/08 | SOLARIS 10 10/08 1
SOLARIS 10 10/09 1554
SOLARIS 10 11/06 2164
SOLARIS 10 3/05 35
SOLARIS 10 5/08 259
SOLARIS 10 5/08 | SOLARIS 10 5/08 3
SOLARIS 10 5/09 725
SOLARIS 10 6/06 278
SOLARIS 10 8/07 397
SOLARIS 10 8/11 3
SOLARIS 10 9/10 3442
SOLARIS 10 IDM-AP3-P | SOLARIS 10 9/10 1
SOLARIS 10 X64 10
SUN SOLARIS 10 4

19. Confidentiality level C1 | 8 August 201119
Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:
– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free
text fields
– “OS”: circa 240 counted, without including the version number!

20. Confidentiality level C1 | 8 August 201120
Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:
– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free
text fields
– “OS”: circa 240 counted, without including the version number!
– “DB” and “Computers” counted as different entities

21. Confidentiality level C1 | 8 August 201121
Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:
– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free
text fields
– “OS”: circa 240 counted, without including the version number!
– “DB” and “Computers” counted as different entities
– 80+ support groups (!!!) many of which clearly legacy or duplicated

22. Confidentiality level C1 | 8 August 201122
Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:
– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free
text fields
– “OS”: circa 240 counted, without including the version number!
– “DB” and “Computers” counted as different entities
– 80+ support groups (!!!) many of which clearly legacy or duplicated
– No unique correspondence between Asset DB entry and physical reality

23. Confidentiality level C1 | 8 August 201123
Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:
– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free
text fields
– “OS”: circa 240 counted, without including the version number!
– “DB” and “Computers” counted as different entities
– 80+ support groups (!!!) many of which clearly legacy or duplicated
– No unique correspondence between Asset DB entry and physical reality
– IP address field has space for only one entry (!!!)

24. Confidentiality level C1 | 8 August 201124
Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:
– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free
text fields
– “OS”: circa 240 counted, without including the version number!
– “DB” and “Computers” counted as different entities
– 80+ support groups (!!!) many of which clearly legacy or duplicated
– No unique correspondence between Asset DB entry and physical reality
– IP address field has space for only one entry (!!!)
– No way to do an automatic import, therefore many departments don’t use it

25. Confidentiality level C1 | 8 August 201125
Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:
– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free
text fields
– “OS”: circa 240 counted, without including the version number!
– “DB” and “Computers” counted as different entities
– 80+ support groups (!!!) many of which clearly legacy or duplicated
– No unique correspondence between Asset DB entry and physical reality
– IP address field has space for only one entry (!!!)
– No way to do an automatic import, therefore many departments don’t use it
– It relies on a special tool to fetch the data, but the tool is not ubiquitous

26. Confidentiality level C1 | 8 August 201126
Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:
– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free
text fields
– “OS”: circa 240 counted, without including the version number!
– “DB” and “Computers” counted as different entities
– 80+ support groups (!!!) many of which clearly legacy or duplicated
– No unique correspondence between Asset DB entry and physical reality
– IP address field has space for only one entry (!!!)
– No way to do an automatic import, therefore many departments don’t use it
– It relies on a special tool to fetch the data, but the tool is not ubiquitous
– Almost 35000 entries, but no one knows if the data is qualitatively relevant

27. Confidentiality level C1 | 8 August 201127
Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:
– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free
text fields
– “OS”: circa 240 counted, without including the version number!
– “DB” and “Computers” counted as different entities
– 80+ support groups (!!!) many of which clearly legacy or duplicated
– No unique correspondence between Asset DB entry and physical reality
– IP address field has space for only one entry (!!!)
– No way to do an automatic import, therefore many departments don’t use it
– It relies on a special tool to fetch the data, but the tool is not ubiquitous
– Almost 35000 entries, but no one knows if the data is qualitatively relevant
– No one is accountable for the data, only for the Asset DB tool in itself

28. Confidentiality level C1 | 8 August 201128
Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:
– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free
text fields
– “OS”: circa 240 counted, without including the version number!
– “DB” and “Computers” counted as different entities
– 80+ support groups (!!!) many of which clearly legacy or duplicated
– No unique correspondence between Asset DB entry and physical reality
– IP address field has space for only one entry (!!!)
– No way to do an automatic import, therefore many departments don’t use it
– It relies on a special tool to fetch the data, but the tool is not ubiquitous
– Almost 35000 entries, but no one knows if the data is qualitatively relevant
– No one is accountable for the data, only for the Asset DB tool in itself
• There is a disconnection between who created and maintains the system,
and the business objectives of it

29. Confidentiality level C1 | 8 August 201129
Identify the networks
• Asset DB anyone?
• Examples of our Asset DB:
– “OS”, “OS version number”, “support group”, “IP address” and “DB version” are free
text fields
– “OS”: circa 240 counted, without including the version number!
– “DB” and “Computers” counted as different entities
– 80+ support groups (!!!) many of which clearly legacy or duplicated
– No unique correspondence between Asset DB entry and physical reality
– IP address field has space for only one entry (!!!)
– No way to do an automatic import, therefore many departments don’t use it
– It relies on a special tool to fetch the data, but the tool is not ubiquitous
– Almost 35000 entries, but no one knows if the data is qualitatively relevant
– No one is accountable for the data, only for the Asset DB tool in itself
• There is a disconnection between who created and maintains the system,
and the business objectives of it

30. Confidentiality level C1 | 8 August 201130
Identify the networks

31. Confidentiality level C1 | 8 August 201131
Identify the networks
• Which hosts are still used, which ones are legacy?

32. Confidentiality level C1 | 8 August 201132
Identify the networks
• Which hosts are still used, which ones are legacy?
• What is the usage of the hosts?
– Which one needs to stay on the same subnets/logical networks?
– Which one needs to be kept separated?

33. Confidentiality level C1 | 8 August 201133
Identify the networks
• Which hosts are still used, which ones are legacy?
• What is the usage of the hosts?
– Which one needs to stay on the same subnets/logical networks?
– Which one needs to be kept separated?
• Which vulnerabilities have the hosts?
– Can you detect them?
– Can you patch them?

34. Confidentiality level C1 | 8 August 201134
How is the network planned?

35. Confidentiality level C1 | 8 August 201135
How is the network planned?
• Legacy not just in the hosts, also in the networks

36. Confidentiality level C1 | 8 August 201136
How is the network planned?
• Legacy not just in the hosts, also in the networks
• Was there a policy when the network was planned?
– Was the policy actually usable?
– Did they use it?

37. Confidentiality level C1 | 8 August 201137
How is the network planned?
• Legacy not just in the hosts, also in the networks
• Was there a policy when the network was planned?
– Was the policy actually usable?
– Did they use it?
• Firewall based versus routing based

38. Confidentiality level C1 | 8 August 201138
How is the network planned?
• Legacy not just in the hosts, also in the networks
• Was there a policy when the network was planned?
– Was the policy actually usable?
– Did they use it?
• Firewall based versus routing based

39. Confidentiality level C1 | 8 August 201139
How is the network planned?
• Legacy not just in the hosts, also in the networks
• Was there a policy when the network was planned?
– Was the policy actually usable?
– Did they use it?
• Firewall based versus routing based

40. Confidentiality level C1 | 8 August 201140
How is the network planned?
• Legacy not just in the hosts, also in the networks
• Was there a policy when the network was planned?
– Was the policy actually usable?
– Did they use it?
• Firewall based versus routing based

41. Confidentiality level C1 | 8 August 201141
Firewall-based network

42. Confidentiality level C1 | 8 August 201142
Firewall-based network
• Pros (supposed…):

43. Confidentiality level C1 | 8 August 201143
Firewall-based network
• Pros (supposed…):
– Each application/network is “separate”

44. Confidentiality level C1 | 8 August 201144
Firewall-based network
• Pros (supposed…):
– Each application/network is “separate”
– Only allowed IP/port pairs can establish a session

45. Confidentiality level C1 | 8 August 201145
Firewall-based network
• Pros (supposed…):
– Each application/network is “separate”
– Only allowed IP/port pairs can establish a session
– Possible to implement a precise change management for firewall requests

46. Confidentiality level C1 | 8 August 201146
Firewall-based network
• Pros (supposed…):
– Each application/network is “separate”
– Only allowed IP/port pairs can establish a session
– Possible to implement a precise change management for firewall requests
– Possible to implement monitoring of connections

47. Confidentiality level C1 | 8 August 201147
Firewall-based network
• Pros (supposed…):
– Each application/network is “separate”
– Only allowed IP/port pairs can establish a session
– Possible to implement a precise change management for firewall requests
– Possible to implement monitoring of connections
• Cons (certain!):

48. Confidentiality level C1 | 8 August 201148
Firewall-based network
• Pros (supposed…):
– Each application/network is “separate”
– Only allowed IP/port pairs can establish a session
– Possible to implement a precise change management for firewall requests
– Possible to implement monitoring of connections
• Cons (certain!):
– Lots of firewalls are needed!

49. Confidentiality level C1 | 8 August 201149
Firewall-based network
• Pros (supposed…):
– Each application/network is “separate”
– Only allowed IP/port pairs can establish a session
– Possible to implement a precise change management for firewall requests
– Possible to implement monitoring of connections
• Cons (certain!):
– Lots of firewalls are needed!
– Rules just accumulate, possibly duplicate and overlap and shadow each other

50. Confidentiality level C1 | 8 August 201150
Firewall-based network
• Pros (supposed…):
– Each application/network is “separate”
– Only allowed IP/port pairs can establish a session
– Possible to implement a precise change management for firewall requests
– Possible to implement monitoring of connections
• Cons (certain!):
– Lots of firewalls are needed!
– Rules just accumulate, possibly duplicate and overlap and shadow each other
– Lots of personnel/operational efforts
– Difficult to implement security/monitoring/compliance tools

51. Confidentiality level C1 | 8 August 201151
Firewall-based network
• Pros (supposed…):
– Each application/network is “separate”
– Only allowed IP/port pairs can establish a session
– Possible to implement a precise change management for firewall requests
– Possible to implement monitoring of connections
• Cons (certain!):
– Lots of firewalls are needed!
– Rules just accumulate, possibly duplicate and overlap and shadow each other
– Lots of personnel/operational efforts
– Difficult to implement security/monitoring/compliance tools
– Waste of IP addresses

52. Confidentiality level C1 | 8 August 201152
Firewall-based network
• Pros (supposed…):
– Each application/network is “separate”
– Only allowed IP/port pairs can establish a session
– Possible to implement a precise change management for firewall requests
– Possible to implement monitoring of connections
• Cons (certain!):
– Lots of firewalls are needed!
– Rules just accumulate, possibly duplicate and overlap and shadow each other
– Lots of personnel/operational efforts
– Difficult to implement security/monitoring/compliance tools
– Waste of IP addresses
– Projects get bored and just ask for “allow all”

53. Confidentiality level C1 | 8 August 201153
Firewall-based network
• Pros (supposed…):
– Each application/network is “separate”
– Only allowed IP/port pairs can establish a session
– Possible to implement a precise change management for firewall requests
– Possible to implement monitoring of connections
• Cons (certain!):
– Lots of firewalls are needed!
– Rules just accumulate, possibly duplicate and overlap and shadow each other
– Lots of personnel/operational efforts
– Difficult to implement security/monitoring/compliance tools
– Waste of IP addresses
– Projects get bored and just ask for “allow all”
– No real visibility!

54. Confidentiality level C1 | 8 August 201154
Firewall-based network
• Pros (supposed…):
– Each application/network is “separate”
– Only allowed IP/port pairs can establish a session
– Possible to implement a precise change management for firewall requests
– Possible to implement monitoring of connections
• Cons (certain!):
– Lots of firewalls are needed!
– Rules just accumulate, possibly duplicate and overlap and shadow each other
– Lots of personnel/operational efforts
– Difficult to implement security/monitoring/compliance tools
– Waste of IP addresses
– Projects get bored and just ask for “allow all”
– No real visibility!
– No real security!

55. Confidentiality level C1 | 8 August 201155
Architecti
ng
Security
across
global
networks
Identify the networks
Identify the challenges
Identify the alternatives

56. Confidentiality level C1 | 8 August 201156
No real visibility

57. Confidentiality level C1 | 8 August 201157
No real visibility
• You cannot really enforce protocols on the firewalls

58. Confidentiality level C1 | 8 August 201158
No real visibility
• You cannot really enforce protocols on the firewalls
• You cannot possibly TAP all of these interfaces

59. Confidentiality level C1 | 8 August 201159
No real visibility
• You cannot really enforce protocols on the firewalls
• You cannot possibly TAP all of these interfaces
• Even if you TAP them, they will bypass you

60. Confidentiality level C1 | 8 August 201160
No real visibility
• You cannot really enforce protocols on the firewalls
• You cannot possibly TAP all of these interfaces
• Even if you TAP them, they will bypass you
• Projects tend to skip the processes if they are too complex

61. Confidentiality level C1 | 8 August 201161
No real visibility
• You cannot really enforce protocols on the firewalls
• You cannot possibly TAP all of these interfaces
• Even if you TAP them, they will bypass you
• Projects tend to skip the processes if they are too complex
• When NAT/NATP is used, it becomes complex to understand real sources
and destinations

62. Confidentiality level C1 | 8 August 201162
No real security

63. Confidentiality level C1 | 8 August 201163
No real security
• You will have to choose what to protect and what not

64. Confidentiality level C1 | 8 August 201164
No real security
• You will have to choose what to protect and what not
• Often reduced to only “perimeter defence”

65. Confidentiality level C1 | 8 August 201165
No real security
• You will have to choose what to protect and what not
• Often reduced to only “perimeter defence”
• Projects will tend to bypass monitored points seeking for simplicity in
deployment

66. Confidentiality level C1 | 8 August 201166
No real security
• You will have to choose what to protect and what not
• Often reduced to only “perimeter defence”
• Projects will tend to bypass monitored points seeking for simplicity in
deployment
• If you enable logging on big pipes, you will get huge amount of data

67. Confidentiality level C1 | 8 August 201167
No real security
• You will have to choose what to protect and what not
• Often reduced to only “perimeter defence”
• Projects will tend to bypass monitored points seeking for simplicity in
deployment
• If you enable logging on big pipes, you will get huge amount of data
• Firewalls tends to become congestion points

68. Confidentiality level C1 | 8 August 201168
No real security
• You will have to choose what to protect and what not
• Often reduced to only “perimeter defence”
• Projects will tend to bypass monitored points seeking for simplicity in
deployment
• If you enable logging on big pipes, you will get huge amount of data
• Firewalls tends to become congestion points
• Subject to DoS attacks

69. Confidentiality level C1 | 8 August 201169
No real security
• You will have to choose what to protect and what not
• Often reduced to only “perimeter defence”
• Projects will tend to bypass monitored points seeking for simplicity in
deployment
• If you enable logging on big pipes, you will get huge amount of data
• Firewalls tends to become congestion points
• Subject to DoS attacks
• Often traffic spoofing is disabled – firewall used as routers

70. Confidentiality level C1 | 8 August 201170
No real security
• You will have to choose what to protect and what not
• Often reduced to only “perimeter defence”
• Projects will tend to bypass monitored points seeking for simplicity in
deployment
• If you enable logging on big pipes, you will get huge amount of data
• Firewalls tends to become congestion points
• Subject to DoS attacks
• Often traffic spoofing is disabled – firewall used as routers
• Does not understand OSI Layer 4 and above

71. Confidentiality level C1 | 8 August 201171
No real security
• You will have to choose what to protect and what not
• Often reduced to only “perimeter defence”
• Projects will tend to bypass monitored points seeking for simplicity in
deployment
• If you enable logging on big pipes, you will get huge amount of data
• Firewalls tends to become congestion points
• Subject to DoS attacks
• Often traffic spoofing is disabled – firewall used as routers
• Does not understand OSI Layer 4 and above
• End to end encryption takes out the usefulness of the firewall

72. Confidentiality level C1 | 8 August 201172
No real security
• You will have to choose what to protect and what not
• Often reduced to only “perimeter defence”
• Projects will tend to bypass monitored points seeking for simplicity in
deployment
• If you enable logging on big pipes, you will get huge amount of data
• Firewalls tends to become congestion points
• Subject to DoS attacks
• Often traffic spoofing is disabled – firewall used as routers
• Does not understand OSI Layer 4 and above
• End to end encryption takes out the usefulness of the firewall
• Network borders are blurred

73. Confidentiality level C1 | 8 August 201173
No real security
• You will have to choose what to protect and what not
• Often reduced to only “perimeter defence”
• Projects will tend to bypass monitored points seeking for simplicity in
deployment
• If you enable logging on big pipes, you will get huge amount of data
• Firewalls tends to become congestion points
• Subject to DoS attacks
• Often traffic spoofing is disabled – firewall used as routers
• Does not understand OSI Layer 4 and above
• End to end encryption takes out the usefulness of the firewall
• Network borders are blurred
• Lacking proper access control mechanisms

74. Confidentiality level C1 | 8 August 201174
Architecti
ng
Security
across
global
networks
Identify the networks
Identify the challenges
Identify the alternatives

75. Confidentiality level C1 | 8 August 201175
Different security policy

76. Confidentiality level C1 | 8 August 201176
Different security policy
• Divide the network into sensitivity zones

77. Confidentiality level C1 | 8 August 201177
Different security policy
• Divide the network into sensitivity zones
– Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc.

78. Confidentiality level C1 | 8 August 201178
Different security policy
• Divide the network into sensitivity zones
– Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc.
• Simplify the requirements

79. Confidentiality level C1 | 8 August 201179
Different security policy
• Divide the network into sensitivity zones
– Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc.
• Simplify the requirements
– Identify what is really important and what can be “drawn together”

80. Confidentiality level C1 | 8 August 201180
Different security policy
• Divide the network into sensitivity zones
– Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc.
• Simplify the requirements
– Identify what is really important and what can be “drawn together”
• Take the responsibility and accountability for simplification

81. Confidentiality level C1 | 8 August 201181
Different security policy
• Divide the network into sensitivity zones
– Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc.
• Simplify the requirements
– Identify what is really important and what can be “drawn together”
• Take the responsibility and accountability for simplification
• Secure the end point too!

82. Confidentiality level C1 | 8 August 201182
Different security policy
• Divide the network into sensitivity zones
– Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc.
• Simplify the requirements
– Identify what is really important and what can be “drawn together”
• Take the responsibility and accountability for simplification
• Secure the end point too!
• Employ better tools for network monitoring

83. Confidentiality level C1 | 8 August 201183
Different security policy
• Divide the network into sensitivity zones
– Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc.
• Simplify the requirements
– Identify what is really important and what can be “drawn together”
• Take the responsibility and accountability for simplification
• Secure the end point too!
• Employ better tools for network monitoring
– Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc.

84. Confidentiality level C1 | 8 August 201184
Different security policy
• Divide the network into sensitivity zones
– Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc.
• Simplify the requirements
– Identify what is really important and what can be “drawn together”
• Take the responsibility and accountability for simplification
• Secure the end point too!
• Employ better tools for network monitoring
– Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc.
– Application-aware tools – Next Generation Firewalls

85. Confidentiality level C1 | 8 August 201185
Different security policy
• Divide the network into sensitivity zones
– Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc.
• Simplify the requirements
– Identify what is really important and what can be “drawn together”
• Take the responsibility and accountability for simplification
• Secure the end point too!
• Employ better tools for network monitoring
– Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc.
– Application-aware tools – Next Generation Firewalls
– Select and slice the data that you want to analyse – in real time!

86. Confidentiality level C1 | 8 August 201186
Different security policy
• Divide the network into sensitivity zones
– Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc.
• Simplify the requirements
– Identify what is really important and what can be “drawn together”
• Take the responsibility and accountability for simplification
• Secure the end point too!
• Employ better tools for network monitoring
– Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc.
– Application-aware tools – Next Generation Firewalls
– Select and slice the data that you want to analyse – in real time!
– Identify to which user a traffic belongs to

87. Confidentiality level C1 | 8 August 201187
Different security policy
• Divide the network into sensitivity zones
– Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc.
• Simplify the requirements
– Identify what is really important and what can be “drawn together”
• Take the responsibility and accountability for simplification
• Secure the end point too!
• Employ better tools for network monitoring
– Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc.
– Application-aware tools – Next Generation Firewalls
– Select and slice the data that you want to analyse – in real time!
– Identify to which user a traffic belongs to
– Deal with encryption

88. Confidentiality level C1 | 8 August 201188
Different security policy
• Divide the network into sensitivity zones
– Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc.
• Simplify the requirements
– Identify what is really important and what can be “drawn together”
• Take the responsibility and accountability for simplification
• Secure the end point too!
• Employ better tools for network monitoring
– Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc.
– Application-aware tools – Next Generation Firewalls
– Select and slice the data that you want to analyse – in real time!
– Identify to which user a traffic belongs to
– Deal with encryption
– Keep a forensic registration of the traffic – you may need it!

89. Confidentiality level C1 | 8 August 201189
Different security policy
• Divide the network into sensitivity zones
– Front ends, back ends, “crown jewels” area, office LAN access, Guest access, etc.
• Simplify the requirements
– Identify what is really important and what can be “drawn together”
• Take the responsibility and accountability for simplification
• Secure the end point too!
• Employ better tools for network monitoring
– Database Activity Monitoring, Web Application Firewall, Network Forensics tools, etc.
– Application-aware tools – Next Generation Firewalls
– Select and slice the data that you want to analyse – in real time!
– Identify to which user a traffic belongs to
– Deal with encryption
– Keep a forensic registration of the traffic – you may need it!
– Produce NetFlow/PCAPs for SIEM tools

90. Confidentiality level C1 | 8 August 201190
Example of simplified network segregation

91. Confidentiality level C1 | 8 August 201191
Example of simplified network segregation
• Traffic flows for delivered
applications

92. Confidentiality level C1 | 8 August 201192
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning

93. Confidentiality level C1 | 8 August 201193
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning

94. Confidentiality level C1 | 8 August 201194
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning

95. Confidentiality level C1 | 8 August 201195
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning

96. Confidentiality level C1 | 8 August 201196
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning

97. Confidentiality level C1 | 8 August 201197
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning

98. Confidentiality level C1 | 8 August 201198
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning

99. Confidentiality level C1 | 8 August 201199
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning

100. Confidentiality level C1 | 8 August 2011100
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party

101. Confidentiality level C1 | 8 August 2011101
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party

102. Confidentiality level C1 | 8 August 2011102
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party

103. Confidentiality level C1 | 8 August 2011103
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party

104. Confidentiality level C1 | 8 August 2011104
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party

105. Confidentiality level C1 | 8 August 2011105
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party

106. Confidentiality level C1 | 8 August 2011106
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party

107. Confidentiality level C1 | 8 August 2011107
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party

108. Confidentiality level C1 | 8 August 2011108
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform

109. Confidentiality level C1 | 8 August 2011109
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform

110. Confidentiality level C1 | 8 August 2011110
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform

111. Confidentiality level C1 | 8 August 2011111
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform

112. Confidentiality level C1 | 8 August 2011112
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform

113. Confidentiality level C1 | 8 August 2011113
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform

114. Confidentiality level C1 | 8 August 2011114
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform

115. Confidentiality level C1 | 8 August 2011115
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls

116. Confidentiality level C1 | 8 August 2011116
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes

117. Confidentiality level C1 | 8 August 2011117
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes

118. Confidentiality level C1 | 8 August 2011118
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes

119. Confidentiality level C1 | 8 August 2011119
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection

120. Confidentiality level C1 | 8 August 2011120
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection

121. Confidentiality level C1 | 8 August 2011121
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection

122. Confidentiality level C1 | 8 August 2011122
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration

123. Confidentiality level C1 | 8 August 2011123
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration

124. Confidentiality level C1 | 8 August 2011124
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC

125. Confidentiality level C1 | 8 August 2011125
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC

126. Confidentiality level C1 | 8 August 2011126
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring

127. Confidentiality level C1 | 8 August 2011127
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring

128. Confidentiality level C1 | 8 August 2011128
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners

129. Confidentiality level C1 | 8 August 2011129
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners

130. Confidentiality level C1 | 8 August 2011130
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners
– Two factors authentication

131. Confidentiality level C1 | 8 August 2011131
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners
– Two factors authentication

132. Confidentiality level C1 | 8 August 2011132
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners
– Two factors authentication
– Captive portal

133. Confidentiality level C1 | 8 August 2011133
Example of simplified network segregation
• Traffic flows for delivered
applications
– Internet application to allow
customers’ self service provisioning
– Outsourced management of the
office LAN to a third party
– Mobile customer with a dedicated
APN, accessing a mobile
management platform
• Security point of controls
– Next Generation Firewalls/IPSes
– Web Application Firewalls/DoS
protection
– Session Registration
– NAC
– Database Activity Monitoring
– Vulnerability Scanners
– Two factors authentication
– Captive portal

134. Confidentiality level C1 | 8 August 2011134
Multiple applications deployment – old approach

135. Confidentiality level C1 | 8 August 2011135
Multiple applications deployment – old approach

136. Confidentiality level C1 | 8 August 2011136
Multiple applications deployment – old approach

137. Confidentiality level C1 | 8 August 2011137
Multiple applications deployment – new policy

138. Confidentiality level C1 | 8 August 2011138
Multiple applications deployment – new policy

139. Confidentiality level C1 | 8 August 2011139
Multiple applications deployment – new policy

140. Confidentiality level C1 | 8 August 2011140
Security Monitoring with the new policy

141. Confidentiality level C1 | 8 August 2011141
Security Monitoring with the new policy

142. Confidentiality level C1 | 8 August 2011142
Security Monitoring with the new policy

143. Confidentiality level C1 | 8 August 2011143
Security Monitoring with the new policy

144. Confidentiality level C1 | 8 August 2011144
Next evolution?

145. Confidentiality level C1 | 8 August 2011145
Next evolution?
• Fabric path interception
• Packets are routed and
switched only on the main
switching/routing instance
• There is no switching or routing
happening on the access switch

146. Confidentiality level C1 | 8 August 2011146
Next evolution?
• Fabric path interception
• Packets are routed and
switched only on the main
switching/routing instance
• There is no switching or routing
happening on the access switch

147. Confidentiality level C1 | 8 August 2011147
Next evolution?
• Fabric path interception
• Packets are routed and
switched only on the main
switching/routing instance
• There is no switching or routing
happening on the access switch

148. Confidentiality level C1 | 8 August 2011148
Next evolution?
• Fabric path interception
• Packets are routed and
switched only on the main
switching/routing instance
• There is no switching or routing
happening on the access switch

149. Confidentiality level C1 | 8 August 2011149
Next evolution?
• Fabric path interception
• Packets are routed and
switched only on the main
switching/routing instance
• There is no switching or routing
happening on the access switch
• Capacity can scale to 768 x 10
Gb/sec ports
• However, real throughput
depends on the fabric
connectors (generally 40
Gb/sec)

150. Confidentiality level C1 | 8 August 2011150
Next evolution?
• Fabric path interception
• Packets are routed and
switched only on the main
switching/routing instance
• There is no switching or routing
happening on the access switch
• Capacity can scale to 768 x 10
Gb/sec ports
• However, real throughput
depends on the fabric
connectors (generally 40
Gb/sec)

151. Confidentiality level C1 | 8 August 2011151
Next evolution?
• Fabric path interception
• Packets are routed and
switched only on the main
switching/routing instance
• There is no switching or routing
happening on the access switch
• Capacity can scale to 768 x 10
Gb/sec ports
• However, real throughput
depends on the fabric
connectors (generally 40
Gb/sec)
• Could we do that?

152. Confidentiality level C1 | 8 August 2011152
Next evolution?

153. Confidentiality level C1 | 8 August 2011153
Next evolution?
• Interchangeable 1+10 Gb/sec ports

154. Confidentiality level C1 | 8 August 2011154
Next evolution?
• Interchangeable 1+10 Gb/sec ports
• 10 Gb/sec iBypass HD

155. Confidentiality level C1 | 8 August 2011155
Next evolution?
• Interchangeable 1+10 Gb/sec ports
• 10 Gb/sec iBypass HD
• Chassis-based bypass/load balancer

156. Confidentiality level C1 | 8 August 2011156
Next evolution?
• Interchangeable 1+10 Gb/sec ports
• 10 Gb/sec iBypass HD
• Chassis-based bypass/load balancer
• Programmable bypass or TAP

157. Confidentiality level C1 | 8 August 2011157
Next evolution?
• Interchangeable 1+10 Gb/sec ports
• 10 Gb/sec iBypass HD
• Chassis-based bypass/load balancer
• Programmable bypass or TAP
• Higher ports density xBalancer

158. Confidentiality level C1 | 8 August 2011158
Next evolution?
• Interchangeable 1+10 Gb/sec ports
• 10 Gb/sec iBypass HD
• Chassis-based bypass/load balancer
• Programmable bypass or TAP
• Higher ports density xBalancer
• Real application detection on the xBalancer/Director Pro

159. Confidentiality level C1 | 8 August 2011159
Next evolution?
• Interchangeable 1+10 Gb/sec ports
• 10 Gb/sec iBypass HD
• Chassis-based bypass/load balancer
• Programmable bypass or TAP
• Higher ports density xBalancer
• Real application detection on the xBalancer/Director Pro
• “Passive checks” for tool failures

160. Confidentiality level C1 | 8 August 2011160
Next evolution?
• Interchangeable 1+10 Gb/sec ports
• 10 Gb/sec iBypass HD
• Chassis-based bypass/load balancer
• Programmable bypass or TAP
• Higher ports density xBalancer
• Real application detection on the xBalancer/Director Pro
• “Passive checks” for tool failures
• Correlation of sources/destinations/NAC tokens with real users (AD
accounts)

161. Confidentiality level C1 | 8 August 2011161
Next evolution?
• Interchangeable 1+10 Gb/sec ports
• 10 Gb/sec iBypass HD
• Chassis-based bypass/load balancer
• Programmable bypass or TAP
• Higher ports density xBalancer
• Real application detection on the xBalancer/Director Pro
• “Passive checks” for tool failures
• Correlation of sources/destinations/NAC tokens with real users (AD
accounts)
• Real distributed management common for bypasses, TAPs, etc.

162. Confidentiality level C1 | 8 August 2011162
Next evolution?
• Interchangeable 1+10 Gb/sec ports
• 10 Gb/sec iBypass HD
• Chassis-based bypass/load balancer
• Programmable bypass or TAP
• Higher ports density xBalancer
• Real application detection on the xBalancer/Director Pro
• “Passive checks” for tool failures
• Correlation of sources/destinations/NAC tokens with real users (AD
accounts)
• Real distributed management common for bypasses, TAPs, etc.
• APIs and connections with SIEM tools

163. Confidentiality level C1 | 8 August 2011163

164. Confidentiality level C1 | 8 August 2011164
Thank you