Introducing ConnectGuard™ Cloud
© 2018 ADVA Optical Networking. All rights reserved.
Overview of ConnectGuard Cloud
• ConnectGuard Cloud technology is part of the ConnectGuard family
• First in the industry to deliver virtualized end-to-end encryption in multi-cloud environments
• Breakthrough for service providers and enterprises that want to move away from IPSec and appliance-based solutions that are costly and inflexible
• Military-grade encryption can be deployed on any COTS server or in a public cloud infrastructure
• Encryption at Layer 2, 3 or 4 as needed – match the encryption to the application
• Automated key management for operational simplicity – no need for an externally managed IKE or PKI system
• Based on the award-winning Ensemble Connector – with zero touch provisioning capabilities, customers can roll out secure cloud connectivity to thousands of endpoints within minutes
Agenda
• Drivers for new encryption solutions
• ConnectGuard™ Cloud in the ADVA portfolio
• Benefits of ConnectGuard™ Cloud
• Summary and additional resources
Drivers for new encryption solutions
When your destination is the cloud …
You’ll need a secure path to get there
Industry observations on security
Security threats to enterprises are real and growing
• Threats include loss of data, compromised secrets and civil suits
• Statutory and regulatory requirements (e.g., GDPR) are raising the importance of compliance and the cost of non-compliance
Appliance-based security solutions are costly, inflexible, logistically difficult and not cloud-friendly
• Any security solution must address hybrid cloud and multi-cloud applications
New virtualized solutions provide a ground-breaking approach to address today's threats and limitations
• They also open the door for complementary applications
Encryption challenges
• Latency: the application should determine at which layer to encrypt
• Transparency: support encryption over any kind of access or transport network
• Applicability: apply encryption at customer premises, data center or public cloud
• Cost: cost per encrypted bit and initial cost are important
• Compatibility: support services at the layer where they perform best
• Efficiency: encryption has an impact on resource and network utilization
Virtual encryption delivers high-performance, flexible secure cloud connectivity
Secure cloud connectivity use case
Drivers for software endpoints
• Cloud-native implementation for multiple public cloud environments where the endpoints must reside on cloud infrastructure rather than dedicated hardware appliances
• SaaS applications in the cloud, where latency can create performance impacts
• Regulatory requirements such as GDPR
• Business or government networks where high-quality encryption is required
Dynamic encrypted networking
• Flexible encrypted mesh for policy-based secure VPNs
• Application-aware encryption at L2/L3/L4
• Supports point-to-point and hub-and-spoke topologies
• Eliminates dependence on application-level encryption
Security with uCPE upgrades
• Upgrade with other security applications or enterprise apps
Effective cost points
• TCO analysis demonstrates software trumps appliances
• Turnkey option for enterprise deployments
Secure cloud connectivity: any-to-any
[Diagram: any-to-any secure connectivity between Public cloud #1, Public cloud #2, Private cloud, HQ, On-net branch, Hybrid branch and Off-net branch, carried over the public internet, IP-VPN (MPLS), CE L2VPN and SD-WAN hybrid WAN. Color key: encryption only / encryption + L2 tunnel.]
ConnectGuard™ Cloud in the ADVA portfolio
Secure connectivity across all networks
• Secure cloud connectivity
  • Endpoints: >1K to 100K
• Secure VPN connectivity
  • Endpoints: 100 to 1000
• Secure data center connectivity
  • Endpoints: 10 to 100
[Diagram: Optical, Ethernet and Cloud technology layers mapped to physical, virtual and cloud connectivity; two of the layers are marked "Certified solution".]
ADVA ConnectGuard™ security suite
Technologies | Product(s) | Application
ConnectGuard™ Management | FSP NM Crypto Manager | Encryption domain management
ConnectGuard™ Optical | FSP 3000 | Secure data center connectivity
ConnectGuard™ Ethernet | FSP 150 | Secure VPN connectivity
ConnectGuard™ Cloud | Connector Encryption, Ensemble Director | Secure cloud connectivity
ConnectGuard™ Cloud benefits
Implemented in Ensemble Connector Encryption and Director
Cloud-native software encryption can be hosted on uCPE or in cloud
• End-to-end encryption in multi-cloud environments – prevents man-in-the-middle attack vectors
• Flexible, policy-based and application-aware secure networking – point-to-point or mesh
• Encryption at Layer 2, 3 or 4 as needed – match the encryption to the application
• Based on FIPS-compliant technology from Senetas
Compute and bandwidth efficiency
• Greatly improved throughput, overhead and latency versus IPSec – 8–24 bytes overhead versus 76 bytes
• Minimizes cost of hosting server – no need for hardware appliances
Encrypted connections can be shared by multiple applications
• No need to rely on SD-WAN or firewall encryption
• Encryption functionality is separated from VNFs for layered security
• Eliminates need for piecemeal application security
Automated key management for operational simplicity
• No need for an externally managed IKE or PKI system
Why use Ensemble Connector?
Connector provides cloud-native computing (Linux/KVM/OpenStack), plus:
1. Accelerated vSwitch
2. Carrier Ethernet 2.0
3. Networking incl. LTE
4. Zero touch commissioning (ZTC)
5. Embedded cloud (OpenStack)
6. Integrated OS with open interfaces
7. Device scalability
8. Telco management
9. High availability
10. Platform security
11. Encryption engine
12. Local router
[Diagram: the Ensemble Connector stack – server (Intel Xeon® and Intel Atom®), Linux (CentOS), hypervisor (KVM/QEMU), virtual switch (Connector) and VNFs/VMs, with items 1–12 above mapped onto it – shown beside a standard cloud environment with the same server, Linux and hypervisor layers, a virtual switch based on OVS and DPDK, and VNFs/VMs.]
Benefits of ConnectGuard™ Cloud
Provided by Ensemble Connector Encryption
Integrated key derivation function (KDF)
• Integrated KDF for managing key lifecycle
• Secure centralized key management that delivers keys from a FIPS-certified appliance
• Automatic key updates managed with timestamps
• Manages keys at Layer 2, 3 and 4
• FIPS-compliant technology for multi-layer encryption
• Random number generator with equivalent entropy to hardware platforms
• Scales to thousands of endpoints
• No master/slave requirement
• Zero touch provisioning
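The "integrated KDF" bullets above describe endpoints that derive their own keys, roll them over on a timestamp basis and keep separate keys per layer. The following is an added, constructed example of how such a schedule can be built with HKDF-SHA256 (RFC 5869) on the Python standard library; it is not ADVA or Senetas code, and the key-bank-per-epoch scheme, the one-hour rekey interval and the info-string layout are assumptions made here to illustrate the idea.

```python
"""Constructed example of an integrated key-derivation schedule (not ADVA or
Senetas code). It models the slide's points: every endpoint derives its own
traffic keys locally from a shared master secret, keys are selected by a
time-based key bank, and separate keys exist per layer. The bank/epoch
scheme, the info-string layout and the 1-hour rekey interval are assumptions.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size          # 32 bytes for SHA-256
EPOCH_SECONDS = 3600                   # assumed timestamp-driven rekey interval
KEY_LEN = 32                           # AES-256 key size in bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM); empty salt -> HashLen zeros."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def key_bank(timestamp: int) -> int:
    """Bank index carried in the frame header: the epoch the timestamp falls in."""
    return timestamp // EPOCH_SECONDS


def traffic_key(master_secret: bytes, layer: int, bank: int) -> bytes:
    """Per-layer, per-bank traffic key. Both endpoints compute this independently,
    so a key update is just a change of bank index, with no IKE/PKI exchange."""
    if layer not in (2, 3, 4):
        raise ValueError("layer must be 2, 3 or 4")
    info = b"cg-example/traffic" + bytes([layer]) + bank.to_bytes(8, "big")
    return hkdf(b"", master_secret, info, KEY_LEN)


def keys_agree(master_secret: bytes, layer: int, sender_ts: int, receiver_bank: int) -> bool:
    """The receiver takes the bank index from the header instead of its own clock,
    so both sides land on the same key even if their clocks drift within an epoch."""
    return traffic_key(master_secret, layer, key_bank(sender_ts)) == \
        traffic_key(master_secret, layer, receiver_bank)


if __name__ == "__main__":
    secret = bytes(range(32))  # constructed master secret for the demo
    ts = 1_700_000_000
    print("bank", key_bank(ts), "L3 key", traffic_key(secret, 3, key_bank(ts)).hex()[:16], "...")
```

The master secret itself still has to reach every endpoint by some trusted path (the slide's zero touch provisioning, or the centralized KMIP server described on the next slide); the KDF only removes the per-session negotiation.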
Flexible encryption options
• AES-256 CTR/GCM mode
  • Confidentiality only OR
  • Confidentiality + authentication
• Multi-layer simultaneous encryption policies
  • Layer 2: Ethernet (MAC or VLAN)
  • Layer 3: IPv4/v6 subnets
  • Layer 4: IP + port
• NAT passthrough
• Netflow/Jflow support
• Policy-based routing
Low overhead per packet. Best case is one third of the overhead per packet compared to military grade IPSec.
Overhead:
• 8 bytes for encryption header (sender ID, key bank, frame counter)
• 4 bytes additional header for TCP (layer 4 encryption only)
• 16 bytes additional authentication data (optional)
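To make the overhead figures and the CTR-versus-GCM choice concrete, here is an added, constructed model of the frame format (not ADVA or Senetas code). It assumes the 8-byte header splits into a 2-byte sender ID, a 2-byte key bank and a 4-byte frame counter, and, because AES is not in the Python standard library, it uses SHA-256 in counter mode as a stand-in for AES-CTR and a truncated HMAC-SHA256 as a stand-in for the 16-byte GCM tag; the point is the structure, not the cipher.

```python
"""Constructed model of the per-frame overhead and the 'confidentiality only'
versus 'confidentiality + authentication' choice (not ADVA or Senetas code).

Assumptions: the 8-byte header is sender ID (2 bytes), key bank (2 bytes) and
frame counter (4 bytes). AES is not in the Python standard library, so the
keystream comes from SHA-256 in counter mode and the 16-byte tag from a
truncated HMAC-SHA256; they stand in for AES-256-CTR and the GCM tag only to
show the structure, not the real algorithms.
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct(">HHI")   # sender ID, key bank, frame counter (8 bytes)
TAG_LEN = 16                      # optional authentication data


def overhead_bytes(layer: int, authenticated: bool, tcp: bool = False) -> int:
    """Per-packet overhead as itemised on the slide."""
    total = HEADER.size                       # 8-byte encryption header
    if layer == 4 and tcp:
        total += 4                            # extra header for TCP at layer 4
    if authenticated:
        total += TAG_LEN                      # authentication data
    return total


def _keystream(key: bytes, header: bytes, length: int) -> bytes:
    """Counter-mode keystream; the header doubles as the nonce, so a frame
    counter must never repeat under the same key bank."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + header + struct.pack(">I", block)).digest()
        block += 1
    return out[:length]


def _tag(key: bytes, header: bytes, ciphertext: bytes) -> bytes:
    """Tag binds header and ciphertext; truncated to the 16 bytes the slide quotes."""
    return hmac.new(key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]


def encrypt_frame(key, sender_id, bank, counter, payload, authenticated) -> bytes:
    header = HEADER.pack(sender_id, bank, counter)
    ks = _keystream(key, header, len(payload))
    ciphertext = bytes(p ^ k for p, k in zip(payload, ks))
    frame = header + ciphertext
    if authenticated:
        frame += _tag(key, header, ciphertext)
    return frame


def decrypt_frame(key, frame, authenticated):
    """Return the payload, or None when the authentication tag fails to verify."""
    header, body = frame[:HEADER.size], frame[HEADER.size:]
    if authenticated:
        body, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(key, header, body)):
            return None
    ks = _keystream(key, header, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


class ReplayCheck:
    """Receiver-side use of the frame counter: reject anything not newer than
    the last counter seen from that sender in that key bank."""
    def __init__(self):
        self.highest = {}

    def accept(self, frame: bytes) -> bool:
        sender_id, bank, counter = HEADER.unpack_from(frame)
        if counter <= self.highest.get((sender_id, bank), -1):
            return False
        self.highest[(sender_id, bank)] = counter
        return True


def tamper_demo(key: bytes, payload: bytes) -> dict:
    """Flip one ciphertext bit in transit. Confidentiality-only mode hands the
    receiver a silently corrupted payload; the authenticated mode rejects it."""
    results = {}
    for authenticated in (False, True):
        frame = bytearray(encrypt_frame(key, 1, 0, 7, payload, authenticated))
        frame[HEADER.size] ^= 0x01
        results[authenticated] = decrypt_frame(key, bytes(frame), authenticated)
    return results


if __name__ == "__main__":
    k = b"k" * 32                                   # constructed key for the demo
    print({layer: overhead_bytes(layer, True) for layer in (2, 3, 4)})
    print(tamper_demo(k, b"GET / HTTP/1.1"))
```

Two operational points fall out of the model: the "confidentiality only" option saves the 16 tag bytes but leaves a receiver unable to tell a corrupted or modified frame from a genuine one, and the frame counter is only useful against replay if the receiver actually tracks it per sender and key bank.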
Centralized key distribution with KDF
Optional alternative to integrated KDF
• Single centralized platform for managing key lifecycle
• FIPS-certified server* distributes keys to all endpoints
• Key server is tiered and redundant for resiliency
• Uses industry standard key management protocol (KMIP)
• Control plane isolation
• Scales to hundreds of thousands of endpoints
• Policy driven by:
  • Single key management system for all data
  • Key management required on specific site
  • FIPS requirements
*SafeNet KeySecure or Senetas hardware encryptor as server
Why not use IPSec?
IPSec significantly impacts transmission performance
Actual measurements from live test of 1Gbit/s traffic over internet
• Plain internet: throughput 56% – 95%*, latency 37 – 79* ms
• Connector Encryption: throughput 56% – 86%*, latency 37 – 79* ms
• IPSec over internet: throughput 16% – 20%*, latency 37 – 79* ms
*Depending on frame size 64 bytes – 1M bytes
Summary and additional resources
Summary
Enterprises are moving workloads into the cloud, including consumption of IaaS, PaaS, and SaaS services, in both multi-cloud and hybrid cloud models
Achieving multi-cloud benefits requires efficient, secure and transparent connectivity
Need a software solution that is compatible with uCPE and cloud deployments
• Encrypt all the way into the cloud
• Using low-cost uCPE servers at the customer site
• Efficient and low-overhead encryption
Benefits:
• Transport of Layer 2 traffic over Layer 2 or Layer 3 access
• Software solution that is compatible with existing encryption deployments
• Ability to encrypt at Layers 2, 3 or 4 depending on requirements of the application
• Efficient encryption minimizes required processing and network overhead
• Modular, cloud native architecture – supports uCPE and public cloud, provides choice
• Sophisticated key management
• Turnkey solutions available
Additional resources
• Securing zero touch for uCPE deployments
• Using the Cloud to Secure the Cloud
• Security is a many-layered thing*
• Meet Anna and the future of virtualized encryption in the cloud
Thank you
IMPORTANT NOTICE
The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.
The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.
Copyright © for the entire content of this presentation: ADVA Optical Networking.