7. #RSAC
The Threat
Infiltration: Large Number of Attackers Using a Large Number of Attacks. Very Hard to Detect or Defend.
Discovery: Smaller Amount of Attackers Using a Standard Approach. Easier to Detect and Defend.
Extraction: Smaller Amount of Attackers Using Normal Access Methods. Hard to Defend or Detect.
Exfiltration: It Doesn’t Matter! You’re Too Late!
11. #RSAC
Security Architecture Made Simple (SAMS)
• Infrastructure: Device, Network, Application & Services
• Access: Identity, Position, Role, Authorization
• Data: Elements, Classification
16. #RSAC
Using Core Router and Core Firewall
(Diagram: Service A through Service F, all connected through the core router and core firewall)
17. #RSAC
Traditional Approach
Pros
• Known Technology
• Somewhat Flexible
• Minimal Training
Cons
• Difficult to Scale the Solution
• Hub Model Requires all Traffic Traverse the Core
• Difficult to Insert Additional Security Services
18. #RSAC
The Software Defined Approach
(Diagram: Host1, Host2 and Host3, each running Service A through Service F, joined by Overlay Networks)
19. #RSAC
SDN/S Approach
Pros
• Easily Scaled
• Very Flexible
• Optimized Routing
• Allows Insertion of Security Services
• Automation/Orchestration
Cons
• Emerging Technology
• Standards are Not Well Defined
• Vendor Ecosystems are Developing
• Monitoring Solutions are Not Well Developed
21. #RSAC
Security Architecture Made Simple
SAMS Data
• Products: Reports, XML package, File, Message. Examples: Reports, Webservices, File Transfers
• Information Objects: Function, Macro, Routine. Examples: Flight Loads, Revenues, Metrics
• Data Elements: Fields, Elements. Examples: Guest details, Charge Amount, Departure Time
24. #RSAC
Security Architecture Made Simple
SAMS Access
• Company Position: the position the employee was hired into. Examples: CEO; Manager, Sales; Analyst III, IT
• Company Role: function within a company. Examples: Safety Office, Financial Office, Maint. Lead, ERP Admin
• App/Service Role: function within an application or service. Examples: Administrator, Super User, Standard User, Auditor
25. #RSAC
Security Architecture Made Simple
SAMS Access
• Application or Service Role: Enterprise Directory Service or Local Directory Service
• Company Role: Identity Management System
• Company Position: Human Resource System
26. #RSAC
Security Architecture Made Simple (SAMS)
• Infrastructure: Device, Network, Application
• Access: Identity, Position, Role, Authorization
• Data: Elements, Classification
Relationships between the layers shown on the slide: Access to Info.; Access to Infrastructure; Storage & Transmission of Data; Roles and Responsibilities
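As an added example (my own code, not from the deck or from any vendor product it names), the model on the SAMS Data and SAMS Access slides can be written down as a small Python program: data elements carry a classification that rolls up to the information objects and products built from them, and an identity carries a position (from the Human Resource System), company roles (from the Identity Management System) and per-application roles (from the directory service). The classification labels, the roll-up rule, the role-to-clearance table, the application name and the choice to make the access decision on the application/service role alone are assumptions of this example, not statements from the slides.

```python
# Added example, not part of the RSAC deck: a toy model of the SAMS Access and
# Data layers. Classification labels, the roll-up rule, the application name and
# the role-to-clearance table are assumptions made for illustration.
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    """Ordered labels; a higher value is more sensitive (constructed labels)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class DataElement:            # SAMS "Data Elements" (fields)
    name: str
    classification: Classification


@dataclass(frozen=True)
class InformationObject:      # SAMS "Information Objects" (function, macro, routine)
    name: str
    elements: tuple           # tuple of DataElement

    @property
    def classification(self) -> Classification:
        # Assumption: an object is as sensitive as its most sensitive element.
        return max(e.classification for e in self.elements)


@dataclass(frozen=True)
class Product:                # SAMS "Products" (report, XML package, file, message)
    name: str
    objects: tuple            # tuple of InformationObject

    @property
    def classification(self) -> Classification:
        # Same roll-up rule one level up: a product inherits its most sensitive object.
        return max(o.classification for o in self.objects)


@dataclass
class Identity:
    """Each attribute is owned by the system of record named on the SAMS Access slide."""
    user: str
    position: str                                     # Human Resource System
    company_roles: set = field(default_factory=set)   # Identity Management System
    app_roles: dict = field(default_factory=dict)     # app name -> role, from the directory service


# Assumed policy: the highest classification each application role may read, per application.
# "revenue-reporting" is a hypothetical application name.
APP_ROLE_CLEARANCE = {
    "revenue-reporting": {
        "Administrator": Classification.RESTRICTED,
        "Auditor": Classification.RESTRICTED,
        "Super User": Classification.CONFIDENTIAL,
        "Standard User": Classification.INTERNAL,
    },
}


def authorize(identity: Identity, app: str, product: Product) -> bool:
    """True if the identity's role in this application clears the product's classification.

    Assumption of this example: position and company role are provisioning inputs
    that decide which application roles a person is granted; the decision taken at
    the application itself looks only at the application/service role.
    """
    role = identity.app_roles.get(app)
    if role is None:
        return False                                   # no role in this app at all
    clearance = APP_ROLE_CLEARANCE.get(app, {}).get(role)
    if clearance is None:
        return False                                   # unknown app or unmapped role
    return clearance >= product.classification


# Constructed sample data, reusing the examples printed on the slides.
guest_details = DataElement("Guest details", Classification.CONFIDENTIAL)
charge_amount = DataElement("Charge Amount", Classification.RESTRICTED)
departure_time = DataElement("Departure Time", Classification.INTERNAL)

revenues = InformationObject("Revenues", (guest_details, charge_amount))
flight_loads = InformationObject("Flight Loads", (departure_time,))

revenue_report = Product("Revenue Report", (revenues,))          # rolls up to RESTRICTED
load_report = Product("Flight Load Report", (flight_loads,))     # rolls up to INTERNAL

auditor = Identity("a.smith", "Analyst III, IT", {"Financial Office"},
                   {"revenue-reporting": "Auditor"})
standard = Identity("b.jones", "Manager, Sales", {"Safety Office"},
                    {"revenue-reporting": "Standard User"})
ceo = Identity("c.brown", "CEO")   # position only: no application role was provisioned

if __name__ == "__main__":
    for who in (auditor, standard, ceo):
        for prod in (revenue_report, load_report):
            print(f"{who.user:8} {prod.name:18} -> {authorize(who, 'revenue-reporting', prod)}")
```

Running the block shows the two points the slides make separately: a product is only as shareable as its most sensitive element (the revenue report becomes Restricted because one field is), and a high company position on its own grants nothing at the application until an application/service role exists in the directory.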
27. #RSAC
Products to look for
• VMware NSX
• Palo Alto, Check Point
• McAfee NSM
• Tivoli Identity Management
• Arkin Net Analytics Platform (www.arkin.net)
28. #RSAC
Apply Slide
• Consider network challenges
• Decide on a security strategy that will work for your organization
• Familiarize yourself with Software Defined Network & Security
• Accept that Bring Your Own Device is really your friend
• Figure out a plan to migrate your network
• Start making changes (evolution not revolution)
29. #RSAC
Summary
“If you can't explain it to a six-year-old, you don't understand it yourself.”
Albert Einstein
30. #RSAC
Thanks and Recognition
VMware
• Vern Bolinius
• Ray Budavari
• Bruno Germain
• Darren Humphries
Bosses
• Cheryl Smith (Former CIO)
• Dan Neal (My Boss)
My Family
• Patrick, Brittney, Taz
VTeam
• Dominador DeLeon - Sr. TSA, Infrastructure Ops
• Justin Domshy - Manager of Environments
• Mike Gromek - Technical Architect III
• Darrell Lizotte - Technical Architect III
• Randy Seabrook - Manager, Architecture
• Derek Sharman - Sr. Analyst, Config Management
• Walter Wenzl - Sr. Analyst, Config Management
• Michael Slavens - Security Support Analyst III
• Peter Graw - Technical Architect III, IT - Infrastructure
• Quentin Hall - Technical Architect III
• Tao Yu - Sr. TSA, Telecomm
Inspiration
• Dump your DMZ by Joern Wettern
• BYOD and the Death of the DMZ by Lori MacVittie
• Zero Trust Model by John Kindervag
39. #RSAC
Dealing with an evolving technology
Software Defined Datacenter
(Diagram: roadmap in stages from Dev/Test Tenants, to Staging Tenants, to Production Tenants, to a Second Datacenter, to a Full SDN Network; each stage is shown against the Target Architecture and the Industry Direction)