This document discusses Zero Trust security and how to implement a Zero Trust network architecture. It begins with an overview of Zero Trust and why it is important given limitations of traditional perimeter-based networks. It then covers the basic components of a Zero Trust network, including an identity provider, device directory, policy evaluation service, and access proxy. The document provides guidance on designing a Zero Trust architecture by starting with questions about users, applications, conditions for access, and corresponding controls. Specific conditions discussed include user/device attributes as well as device health and identity. Benefits of the Zero Trust model include conditional access, preventing lateral movement, and increased productivity.
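The four components named above fit together as a single request path: the identity provider asserts who the user is, the device directory says whether the device is known and healthy, the policy evaluation service checks every condition on every request, and the access proxy forwards traffic only on an allow decision. The following Python sketch is an added example of that flow; it is not code from the deck, and the users, devices, applications and health signals it uses are constructed sample data.

```python
"""Minimal Zero Trust policy evaluation service (added example).

Models the four components from the overview: an identity provider
(User), a device directory (Device), a policy evaluation service
(evaluate) and an access proxy (AccessProxy) that consults the policy
service before forwarding. All users, devices and apps are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class User:              # what the identity provider asserts
    name: str
    groups: List[str]
    mfa: bool            # did this session complete MFA?


@dataclass
class Device:            # what the device directory knows
    device_id: str
    managed: bool        # enrolled in the device directory
    os_patched: bool     # device health signals
    disk_encrypted: bool
    edr_running: bool


@dataclass
class AppPolicy:         # per-application access requirements
    app: str
    allowed_groups: List[str]
    require_mfa: bool = True
    require_managed: bool = True
    require_healthy: bool = True


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def device_healthy(d: Device) -> bool:
    return d.os_patched and d.disk_encrypted and d.edr_running


def evaluate(user: User, device: Device, policy: AppPolicy) -> Decision:
    """Policy evaluation service: every condition is checked on every
    request; the network the request arrives from is never consulted."""
    reasons = []
    if not set(user.groups) & set(policy.allowed_groups):
        reasons.append(f"user {user.name} not in {policy.allowed_groups}")
    if policy.require_mfa and not user.mfa:
        reasons.append("MFA not completed")
    if policy.require_managed and not device.managed:
        reasons.append(f"device {device.device_id} not in device directory")
    if policy.require_healthy and not device_healthy(device):
        reasons.append(f"device {device.device_id} fails health check")
    return Decision(allow=not reasons, reasons=reasons)


class AccessProxy:
    """Access proxy: the only path to the application. It forwards a
    request only when the policy service allows it; unknown apps are
    denied by default."""

    def __init__(self, policies: List[AppPolicy]):
        self.policies = {p.app: p for p in policies}

    def handle(self, user: User, device: Device, app: str) -> Tuple[int, str]:
        policy = self.policies.get(app)
        if policy is None:
            return 403, f"no policy for {app}: denied"
        decision = evaluate(user, device, policy)
        if decision.allow:
            return 200, f"forwarded {user.name} to {app}"
        return 403, "; ".join(decision.reasons)


# Constructed sample data: a sensitive app and a low-risk one.
PAYROLL = AppPolicy("payroll", allowed_groups=["finance"])
WIKI = AppPolicy("wiki", allowed_groups=["staff", "finance"],
                 require_managed=False, require_healthy=False)
PROXY = AccessProxy([PAYROLL, WIKI])

ALICE = User("alice", groups=["finance", "staff"], mfa=True)
BOB = User("bob", groups=["staff"], mfa=True)
LAPTOP_OK = Device("lt-001", managed=True, os_patched=True,
                   disk_encrypted=True, edr_running=True)
LAPTOP_STALE = Device("lt-002", managed=True, os_patched=False,
                      disk_encrypted=True, edr_running=True)
PHONE_BYOD = Device("ph-009", managed=False, os_patched=True,
                    disk_encrypted=True, edr_running=False)

if __name__ == "__main__":
    for user, device, app in [(ALICE, LAPTOP_OK, "payroll"),
                              (ALICE, LAPTOP_STALE, "payroll"),
                              (BOB, PHONE_BYOD, "wiki"),
                              (BOB, LAPTOP_OK, "payroll")]:
        print(user.name, device.device_id, app, PROXY.handle(user, device, app))
```

The point to notice is that the same user on a stale laptop is refused where the healthy laptop is allowed: device health is an access condition, not a one-time enrolment check, and the decision carries its reasons so the proxy can log them.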
Micro segmentation and zero trust for security and compliance - Guardicore an... (YouAttest)
Micro Segmentation for Zero trust security and compliance
1) What is Zero Trust?
2) How does zero trust relate to compliance?
3) Guardicore and Micro Segmentation
4) YouAttest and Compliance
5) Short Demo and Q&A session
Zero Trust, Zero Trust Network and Zero Trust Architecture refer to a security concept and threat model that no longer assumes that actors, systems or services operating from within the security perimeter should be automatically trusted; instead, anything and everything trying to connect to the organization's systems must be verified before access is granted.
The document provides an agenda for an AWS Security User Group meeting in Riyadh on May 1, 2019. The agenda includes discussions on cloud security, security terminology, cloud security threats, best practices for cloud security, AWS security services, identity and access management, and security of infrastructure. It also provides overviews and descriptions of AWS products and services related to security such as IAM, Inspector, Key Management Service, Macie, Organizations, Shield, Secrets Manager, SSO, WAF, and more.
Cloud Native Bern 05.2023 — Zero Trust Visibility (Raphaël PINSON)
As the adoption of Kubernetes continues to grow, so does the need for securing containerized applications and their data. One effective security model that has gained popularity is Zero Trust Networking, which assumes that all resources, devices and users are untrusted, and access to resources is granted only after proper authentication and authorization. However, implementing Zero Trust Networking in Kubernetes can be challenging, given the dynamic nature of containerized workloads and the complexity of network policies.
In this presentation, we will explore how to implement Zero Trust Networking in Kubernetes using Cilium, Hubble & Grafana. We will start by setting up Cilium on a Kubernetes cluster, which provides network security by enforcing identity-based access control policies using eBPF. Next, we will export Network Policy Verdict metrics using Hubble, which allows us to visualize network policies and track security events in real-time. Finally, we will use a Grafana dashboard to visualize these metrics and demonstrate how to secure a Kubernetes namespace without affecting existing traffic in the namespace.
By the end of this presentation, attendees will have a good understanding of the importance of Zero Trust Networking in Kubernetes and how to implement it using Cilium, Hubble & Grafana. They will also learn how to secure a Kubernetes namespace and monitor network policies using a Grafana dashboard.
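The talk's workflow is: label-based (identity-based) policy, a verdict per flow, and verdict counts exported as metrics so you can see what a policy would drop before it bites. The following Python model is an added example of those semantics; it is not code from the talk, from Cilium or from Hubble, and the pods, labels and flows are constructed. It follows the Kubernetes/Cilium rules that a pod with no policy selecting it accepts all ingress, and that once any policy selects a pod only the listed peers and ports get through.

```python
"""Identity-based network policy verdicts and per-pod verdict counts
(added example; not Cilium or Hubble code). Endpoints, labels and flows
below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Labels = Dict[str, str]


@dataclass(frozen=True)
class Endpoint:
    name: str
    namespace: str
    labels: Tuple[Tuple[str, str], ...]   # the label set is the identity

    def matches(self, selector: Labels) -> bool:
        mine = dict(self.labels)
        return all(mine.get(k) == v for k, v in selector.items())


@dataclass
class IngressRule:
    from_labels: Labels          # identity of allowed peers
    ports: Optional[List[int]]   # None = any port


@dataclass
class NetworkPolicy:
    name: str
    namespace: str
    endpoint_selector: Labels    # which pods this policy applies to
    ingress: List[IngressRule] = field(default_factory=list)


@dataclass(frozen=True)
class Flow:
    src: Endpoint
    dst: Endpoint
    dport: int


def verdict(flow: Flow, policies: List[NetworkPolicy]) -> str:
    """Return FORWARDED or DROPPED for one flow."""
    applicable = [p for p in policies
                  if p.namespace == flow.dst.namespace
                  and flow.dst.matches(p.endpoint_selector)]
    if not applicable:
        return "FORWARDED"        # nothing selects the destination: default allow
    for policy in applicable:
        for rule in policy.ingress:
            # Peers are matched within the policy's own namespace, as
            # Cilium does by default; cross-namespace peers would need an
            # explicit namespace label in the rule (omitted here).
            if (flow.src.namespace == policy.namespace
                    and flow.src.matches(rule.from_labels)
                    and (rule.ports is None or flow.dport in rule.ports)):
                return "FORWARDED"
    return "DROPPED"


def policy_verdict_metrics(flows: List[Flow],
                           policies: List[NetworkPolicy]) -> Counter:
    """Count verdicts per (destination pod, verdict), the shape a
    verdict-metrics dashboard panel needs."""
    counts = Counter()
    for f in flows:
        counts[(f.dst.name, verdict(f, policies))] += 1
    return counts


# ---- constructed sample cluster ----
def ep(name: str, ns: str, **labels: str) -> Endpoint:
    return Endpoint(name, ns, tuple(sorted(labels.items())))

FRONTEND = ep("frontend-1", "shop", app="frontend")
API = ep("api-1", "shop", app="api")
DB = ep("db-1", "shop", app="db")
SCANNER = ep("scanner-1", "default", app="scanner")

FLOWS = [
    Flow(FRONTEND, API, 8080),
    Flow(API, DB, 5432),
    Flow(SCANNER, DB, 5432),   # probe from another namespace
    Flow(FRONTEND, DB, 5432),  # frontend bypassing the API tier
    Flow(API, DB, 22),         # right peer, wrong port
]

# Only the API tier may reach the database, and only on 5432.
DB_POLICY = NetworkPolicy(
    name="db-allow-api", namespace="shop",
    endpoint_selector={"app": "db"},
    ingress=[IngressRule({"app": "api"}, ports=[5432])],
)

if __name__ == "__main__":
    print("before policy:", policy_verdict_metrics(FLOWS, []))
    print("with policy:  ", policy_verdict_metrics(FLOWS, [DB_POLICY]))
```

Running the observed flows through the candidate policy before enforcing it is the "secure a namespace without affecting existing traffic" step: the three flows that flip to DROPPED are exactly the ones to review (two are unwanted, the SSH one may be a legitimate admin path that needs its own rule) before the policy goes live.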
The document provides an overview of the Splunk data platform. It discusses how Splunk helps organizations overcome challenges in turning real-time data into action. Splunk provides a single platform to investigate, monitor, and take action on any type of machine data from any source. It enables multiple use cases across IT, security, and business domains. The document highlights some of Splunk's products, capabilities, and customer benefits.
Threat Hunting - Moving from the ad hoc to the formal (Priyanka Aash)
In order to effectively defend your organization, you must think about the offensive strategy as well. But before we get ahead of ourselves, let's talk briefly about the building blocks of a good offense. The first is an architecture built around a security policy that is aligned with the business risk. That risk must be understood, and a cookie-cutter approach must be avoided, because every organization is different and so are its risks.
SOC and SIEM systems can help organizations detect and respond to security incidents and threats in a timely manner. A SOC acts as a security operations center to monitor, analyze, and respond to cybersecurity incidents. SIEM provides real-time analysis of security alerts and events to help identify potential threats. Implementing SOC and SIEM solutions can improve an organization's security posture through early threat detection, compliance with regulations, and reduced breach impact.
Many organizations and managed security providers are starting to move from SIEM (Security Information and Event Management) to EDR (Endpoint Detection and Response). The problem is that this may not be the best decision for your organization: the two technologies overlap but are fundamentally different. This presentation also shares innovative ways to use your SIEM to catch the bad guys, as well as some simple tricks for easing the burden of SIEM management.
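The difference the two summaries above turn on is correlation: an EDR agent sees one host, while a SIEM sees every source and can join them. The following Python is an added example of that kind of cross-source rule; it is not from either presentation and uses no vendor's rule syntax. The VPN and Windows log formats, the IP addresses and the two rule thresholds are constructed for the example.

```python
"""SIEM-style correlation over normalised events from two log sources
(added example; constructed log formats and sample lines).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    source: str      # log source: "vpn" or "windows"
    user: str
    src_ip: str
    success: bool


# Two constructed raw formats, one per source.
VPN_RE = re.compile(r"^(\S+) vpn-gw: auth (ok|fail) user=(\S+) ip=(\S+)$")
WIN_RE = re.compile(r"^(\S+) dc01 EventID=(4624|4625) TargetUser=(\S+) Source=(\S+)$")


def normalise(line: str) -> Event:
    """Map each raw line onto the common schema the rules reason about."""
    if m := VPN_RE.match(line):
        ts, result, user, ip = m.groups()
        return Event(datetime.fromisoformat(ts), "vpn", user, ip, result == "ok")
    if m := WIN_RE.match(line):
        ts, eid, user, ip = m.groups()
        return Event(datetime.fromisoformat(ts), "windows", user, ip, eid == "4624")
    raise ValueError(f"unparsed line: {line}")


def brute_force_then_success(events: List[Event], threshold: int = 5,
                             window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Alert when one src_ip fails >= threshold times against a user and
    then succeeds for that user within the window, across all sources."""
    alerts = []
    failures = defaultdict(list)           # (src_ip, user) -> failed events
    for e in sorted(events, key=lambda e: e.ts):
        key = (e.src_ip, e.user)
        if e.success:
            recent = [f for f in failures[key] if e.ts - f.ts <= window]
            if len(recent) >= threshold:
                alerts.append(f"brute-force success: {e.src_ip} -> {e.user} "
                              f"after {len(recent)} failures ({e.source})")
        else:
            failures[key].append(e)
    return alerts


def password_spray(events: List[Event], distinct_users: int = 3,
                   window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Alert when one src_ip fails against >= distinct_users accounts in
    the window. Each account sees one or two failures, too few for a
    per-account lockout, which is why single-host views miss it."""
    alerts = []
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.success:
            continue
        by_ip[e.src_ip] = [f for f in by_ip[e.src_ip] if e.ts - f.ts <= window]
        by_ip[e.src_ip].append(e)
        users = {f.user for f in by_ip[e.src_ip]}
        if len(users) == distinct_users:   # fire once, when the threshold is crossed
            alerts.append(f"password spray: {e.src_ip} tried {sorted(users)}")
    return alerts


# Constructed sample lines from the two sources.
SAMPLE_LOGS = [
    "2024-06-01T09:00:00 vpn-gw: auth fail user=alice ip=203.0.113.7",
    "2024-06-01T09:00:05 vpn-gw: auth fail user=alice ip=203.0.113.7",
    "2024-06-01T09:00:10 vpn-gw: auth fail user=alice ip=203.0.113.7",
    "2024-06-01T09:00:15 dc01 EventID=4625 TargetUser=alice Source=203.0.113.7",
    "2024-06-01T09:00:20 dc01 EventID=4625 TargetUser=alice Source=203.0.113.7",
    "2024-06-01T09:01:00 dc01 EventID=4624 TargetUser=alice Source=203.0.113.7",
    "2024-06-01T09:30:00 vpn-gw: auth fail user=bob ip=198.51.100.4",
    "2024-06-01T09:30:30 vpn-gw: auth fail user=carol ip=198.51.100.4",
    "2024-06-01T09:31:00 dc01 EventID=4625 TargetUser=dave Source=198.51.100.4",
    "2024-06-01T10:00:00 vpn-gw: auth fail user=erin ip=192.0.2.10",
    "2024-06-01T10:00:30 vpn-gw: auth ok user=erin ip=192.0.2.10",
]


def run(lines: List[str]) -> List[str]:
    events = [normalise(line) for line in lines]
    return brute_force_then_success(events) + password_spray(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

Neither rule fires on either source alone: alice's five failures are split three on the VPN and two on the domain controller, and the spray touches both sources too. The single failed-then-successful login for erin stays below threshold and is correctly ignored.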
The document discusses security best practices for AWS, including implementing a segregated account environment, strong identity and access management, enabling traceability through logging and monitoring, and applying security controls at multiple layers. It provides examples of setting up identity and access management with AWS IAM, implementing detective controls with AWS CloudTrail and GuardDuty, and using network and host-level security features like VPCs, security groups, and AWS WAF.
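A concrete way to check the "strong identity and access management" item is to lint IAM policy documents for the grants that defeat least privilege before they are attached. The following Python is an added example of such a check; it is not from the deck and not an AWS tool. The policy documents, bucket names and account number are constructed, and the list of escalation-capable actions is a short illustrative subset, not a complete one.

```python
"""Least-privilege lint for AWS IAM policy documents (added example;
constructed sample policies, not an AWS tool).

Flags: wildcard actions ("*" or "service:*"), Resource "*" without a
Condition, Allow statements using NotAction, and escalation-capable
actions granted without a Condition.
"""
import json
from typing import Dict, List

# Illustrative subset of actions that let a principal widen its own
# access; treat these as high-risk unless a Condition scopes them.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "sts:AssumeRole",
}


def _as_list(value) -> List[str]:
    """IAM accepts either a string or a list in Action/Resource fields."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _action_is_wild(action: str) -> bool:
    # "*" grants every API call; "s3:*" grants every call in one service
    return action == "*" or action.endswith(":*")


def lint_policy(policy: Dict) -> List[str]:
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{i}]")
        if stmt.get("Effect") != "Allow":
            continue                       # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants everything "
                            "except the listed actions; enumerate actions instead")
        for a in actions:
            if _action_is_wild(a):
                findings.append(f"{sid}: wildcard action {a!r}")
            elif a in ESCALATION_ACTIONS and not has_condition:
                findings.append(f"{sid}: escalation-capable action {a!r} "
                                "without a Condition")
        if "*" in resources and not has_condition:
            findings.append(f"{sid}: Resource '*' without a Condition")
    return findings


# Constructed sample policies: the weak one beside the scoped one.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminEverything", "Effect": "Allow",
     "Action": "*", "Resource": "*"},
    {"Sid": "PassAnyRole", "Effect": "Allow",
     "Action": ["iam:PassRole", "s3:GetObject"],
     "Resource": "*"}
  ]
}""")

SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOneBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-logs",
                  "arn:aws:s3:::example-logs/*"]},
    {"Sid": "PassOnlyLambdaRole", "Effect": "Allow",
     "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/example-lambda-role",
     "Condition": {"StringEquals":
                   {"iam:PassedToService": "lambda.amazonaws.com"}}}
  ]
}""")

if __name__ == "__main__":
    for name, pol in [("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, lint_policy(pol) or ["no findings"])
```

The scoped policy shows the shape the linter is steering toward: one bucket named by ARN, and iam:PassRole limited to one role and, via the iam:PassedToService condition key, to one service. The same check belongs in a pipeline gate for infrastructure code, where a wildcard is cheapest to remove.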
This document discusses multi-cloud security architecture. It outlines some of the key challenges of securing applications and data across multiple cloud platforms, including secrets management, identity and access management, application security, and data security. It also presents some common cloud security frameworks like FedRAMP and tools like CASB, CWPP, and CSPM that can help address these challenges. Finally, it notes that with organizations increasingly using both private and public clouds, multi-cloud environments are inevitable, and security needs to span all cloud domains including governance, risk, compliance and more.
SOC presentation - Building a Security Operations Center (Michael Nickle)
Presentation I used to give on the topic of using a SIM/SIEM to unify the information stream flowing into the SOC. This piece of collateral was used to help close the largest SIEM deal (Product and services) that my employer achieved with this product line.
The document discusses cloud security and compliance. It defines cloud computing and outlines the essential characteristics and service models. It then discusses key considerations for cloud security including identity and access management, security threats and countermeasures, application security, operations and maintenance, and compliance. Chief information officer concerns around security, availability, performance and cost are also addressed.
CyberArk is an information security company focused on privileged account security. They help companies protect their most sensitive information and infrastructure by securing privileged accounts. The document outlines best practices for securing privileged accounts at different maturity levels - from baseline to highly effective. It recommends identifying and reducing privileged accounts, enforcing least privilege, and automating password management. For highly effective security, it suggests multi-factor authentication, privileged session recording, and anomaly detection to prevent cyber threats targeting privileged credentials.
The document provides an overview of Red Hat OpenShift Container Platform, including:
- OpenShift provides a fully automated Kubernetes container platform for any infrastructure.
- It offers integrated services like monitoring, logging, routing, and a container registry out of the box.
- The architecture runs everything in pods on worker nodes, with masters managing the control plane using Kubernetes APIs and OpenShift services.
- Key concepts include pods, services, routes, projects, configs and secrets that enable application deployment and management.
This document discusses concepts related to observability including Prometheus, ELK stack, OpenTracing, and Victoria Metrics. It provides examples of setting up Prometheus and Grafana to monitor metrics from applications instrumented with exporters. It also demonstrates setting up Filebeat, Logstash and Elasticsearch (ELK stack) to monitor logs and send them to Elasticsearch. Additionally, it shows how to implement OpenTracing in a Java application and visualize traces using Jaeger. Finally, it outlines an exercise to build a microservices ecommerce application incorporating logging, metrics and tracing using the discussed tools.
This presentation walks through the Security and Compliance functionality to customers leveraging Azure as a compute environment. It includes deep-dive references to detailed information on each topic presented.
What is SASE and How Can Partners Talk About it? (QOS Networks)
Security + SD-WAN is the next step in the network story. Customers today are keen to identify how to keep their ecosystems secure and business continuity intact. Join us as we discuss the SASE approach and how to have that conversation with your customers.
01-Chapter 01-Introduction to CASB and Netskope.pptx (ssuser4c54af)
The document introduces Netskope's cloud access security broker (CASB) platform and its capabilities. It notes that the modern workforce is cloud-powered, mobile, and collaborative, bringing new security challenges. Netskope provides visibility, data security, compliance, and threat protection for cloud services. It is recognized as a leader in the Gartner Magic Quadrant for CASBs and offers the most comprehensive coverage of cloud applications and access methods.
Protect your data across any Cloud and Web service in a unified way (Cristian Garcia G.)
The document discusses the need for cloud security solutions as cloud usage increases. It summarizes that the way people work has changed with access from any device at any time. More sensitive data is now stored in the cloud exposing it to new risks. It then provides an overview of the Netskope cloud security platform, highlighting its capabilities including visibility, data security, compliance, threat protection and ability to govern sanctioned and unsanctioned cloud applications and web usage from a single interface. Sample customers and use cases that Netskope addresses are also summarized.
The rapid growth and many flavors of cloud capabilities can provide great business value. If not well planned, they may also give security professionals fits. With perspective and a deliberate approach, CISOs can not only manage cloud security effectively, but leverage the cloud to power security capabilities.
This session will introduce challenges and trends relating to the cloud for information security practitioners. Much of the session will focus on the speaker's own successes, failures, pitfalls and pratfalls as CISO for a cloud-based startup that built an AWS-based SAAS predictive analytics platform. We will also touch on private cloud concerns, architecture planning and real-world solutions.
Take It to the Cloud: The Evolution of Security Architecture (Priyanka Aash)
As companies evolve their IT stack, traditional security approaches/architectures need to be reconsidered. This session will review some of the new risks introduced by SaaS/IaaS adoption and show how to mitigate these risks using new approaches to security architecture. Presenters will also review the transition of security architecture itself to the cloud.
(Source: RSA USA 2016-San Francisco)
Implementing Security on a Large Multi-Tenant Cluster the Right Way (DataWorks Summit)
Raise your hands if you are deploying Kerberos and other Hadoop security components after deploying Hadoop to the enterprise. We will present the best practices and challenges of implementing security on a large multi-tenant Hadoop cluster spanning multiple data centers. Additionally, we will outline our authentication & authorization security architecture, how we reduced complexity through planning, and how we worked with multiple teams and organizations to implement security the right way the first time. We will share lessons learned and takeaways for implementing security at your company.
We will walk through the implementation and its impacts to the user, development, support and security communities and will highlight the pitfalls that we navigated to achieve success. Protecting your customers and information assets is critical to success. If you are planning to introduce Hadoop security to your ecosystem, don’t miss this in depth discussion on a very important and necessary component to enterprise big data.
During a recent webinar, Jonathan Knudsen presented: "That's Not How This Works: All Development Should Be Secure."
Development teams are pressured to push new software out quickly. But with speed comes risk. Anyone can write software, but if you want to create software that is safe, secure, and robust, you need the right process. Webinar attendees will learn:
• Why traditional approaches to software development usually end in tears and heartburn
• How a structured approach to secure software development lowers risk for you and your customers
• Why automation and security testing tools are key components in the implementation of a secure development life cycle
For more information, please visit our website at www.synopsys.com/software-integrity.html
Decision criteria and analysis for hardware-based encryption (Thales e-Security)
Organizations trying to balance the risk of data breaches against the cost of pervasive encryption often balk at the trade-off. The use of hardware security modules (HSMs) in conjunction with applications that perform encryption improves the protection afforded to encryption keys and the encryption processes themselves, but cost considerations typically limit the scope of their deployment.
This slidedeck provides an explanation of criteria to help organizations decide which applications or data would benefit most from hardware-based encryption and key protection. The criteria are designed to make those decisions repeatable, consistent, and specific for any application, based on the organization’s sensitivity to cost, risk tolerance, and performance requirements. Real-world examples are also included!
Or why not listen to the webcast: https://www.thales-esecurity.com/knowledge-base/webcasts/sans-webcast
Advanced threat security - Cyber Security For The Real World (Cisco Canada)
Cisco delivers intelligent cybersecurity for the real world, providing one of the industry's most comprehensive advanced threat protection portfolio of solutions and services that are integrated, pervasive, continuous and open.
Cisco's threat-centric approach to security reduces complexity, while providing unmatched visibility, continuous control and advanced threat protection across the entire attack continuum, allowing customers to act smarter and more quickly -- before, during, and after an attack.
More information on security here: http://bit.ly/1paUnZV
Cybersecurity challenges in a digitally transformed ecosystem (Cristian Garcia G.)
To work in a digitally transformed ecosystem, CIOs and other business leaders have to navigate a constantly changing security threat landscape. Next Gen Security (NGS) solutions are security solutions optimized to work with the massive scale and expansive reach of the Third Platform. Although 7 out of 10 companies say they are in the process of implementing one more next-generation security solution, 3 of those 7 will not succeed for lack of in-house expertise, which makes security more critical every day. Akamai offers performance at scale with the world's largest and most reliable cloud delivery solution. Its resources scale so that its customers do not have to. Akamai has unmatched visibility into the most attacked properties on the web and continuously gathers threat intelligence from advanced inspection of both good and bad traffic.
How to Overcome Network Access Control Limitations for Better Network Security (Cryptzone)
The document summarizes the limitations of Network Access Control (NAC) solutions for securing networks and controlling access in modern IT environments where resources are distributed. It argues that a Software-Defined Perimeter (SDP) model provides better security by establishing encrypted, individual connections between each user and only the specific applications and resources they are authorized to access, rather than relying on trust-based access inside the network perimeter. Key benefits of SDP include zero-trust authentication, dynamic identity-based policies, encryption of all traffic, simplicity, and consistency across cloud and hybrid environments.
Security Delivery Platform: Best practices (Mihajlo Prerad)
The traditional security model operated under simple assumptions. Those assumptions led to deployment models which, in today's world of cyber security, have proven to be quite vulnerable and inadequate against the growing number and diversity of threats.
A Security Delivery Platform addresses these considerations and provides a powerful solution for deploying a diverse set of security solutions, as well as for scaling each security solution beyond traditional deployments. Such a platform delivers visibility into the lateral movement of malware, accelerates the detection of exfiltration activity, and can significantly reduce the overhead, complexity and costs associated with such security deployments.
In today’s world of industrialized and well-organized cyber threats, it is no longer sufficient to focus on the security applications exclusively. Focusing on how those solutions get deployed together and how they get consistent access to relevant data is a critical piece of the solution. A Security Delivery Platform in this sense is a foundational building block of any cyber security strategy.
This document provides an overview of Sangfor Technologies Inc., a network security company. It discusses Sangfor's history and growth over 23 years, with R&D centers in China, the US, and elsewhere. Sangfor has developed security solutions like next-generation firewalls, endpoint security, and a business intelligence platform. The document highlights Sangfor's focus on innovation through a 20% R&D budget and over 1,500 patents. It also outlines Sangfor's global expansion, with offices and support centers around the world.
Application security meetup k8_s security with zero trust_29072021 (lior mazor)
The "K8S security with Zero Trust" Meetup is about K8s posture Management and runtime protection, ways to secure your software supply chain, Managing Attack Surface reduction, and How to secure K8s with Zero-Trust.
The document discusses cloud security risks and challenges faced by enterprises adopting cloud services. It highlights recent security breaches at Dropbox, RSA, and Twitter. It notes the tension between business users who want more cloud services for agility and cost savings, and security/compliance teams who have concerns about lack of control and visibility in public clouds. The document introduces CipherCloud's encryption gateway solution that allows enterprises to securely adopt public cloud services by encrypting sensitive data before it leaves their network. It provides a demo of the product and discusses how it addresses customer pain points around data privacy, compliance and security.
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe... (Amazon Web Services)
While security is a top concern in every organization these days, it often gets a bad rap. In many minds, security has the reputation of the bothersome villain who attempts to hinder performance or restrain agility. In this session we will outline three strategies to protect your valuable workloads, without falling into traditional security traps. We will walk through three stories of EC2 security superheroes who saved the day by overcoming compliance and design challenges, using a (not so) secret arsenal of AWS and Trend Micro security tools.
Key takeaways from this session include how to:
- Design a workload-centric security architecture
- Improve visibility of AWS-only or hybrid environments
- Stop patching live instances but still prevent exploits
Speaker: Sasha Pavlovic, Director, Cloud & Datacentre Security, Asia Pacific, Trend Micro
This document summarizes a presentation given by Chris Harwood of Healthdirect Australia about their migration to AWS and use of Trend Micro Deep Security. The key points are:
1) Healthdirect Australia provides various health services and needed to migrate to the cloud to improve scalability, security, and agility.
2) Migrating to AWS helped Healthdirect address issues like limited capacity, high costs, and inability to respond quickly with their traditional on-premises environment.
3) Security was a major concern for Healthdirect due to the sensitive healthcare data they handle. Trend Micro Deep Security provided host-based security that fit their needs on AWS.
4) Deep Security's agent-
Hardening the cloud: Assuring agile security in high-growth environments (Priyanka Aash)
Modern businesses recognize one of the greatest challenges they face on a day-to-day basis is meeting the demand for security at speed without jeopardizing protection; this is especially true in high-growth environments. This session will deliver IT and security professionals actionable, real-world insights aimed to improve AWS security strategies at minimal cost while delivering high value.
(Source : RSA Conference USA 2017)
Scalar Security Roadshow - Vancouver Presentation (Scalar Decisions)
Gartner recently released a report on IT security priorities for the remainder of 2014. Amongst respondents, network security, application security, endpoint security, and security services all ranked highly. In this quick-fire, half-day roadshow, Scalar brings you solutions to these problems from three of our most strategic security vendors, as well as a full presentation on our managed security services portfolio.
Building Cloud-Native App Series - Part 11 of 11
Microservices Architecture Series
Service Mesh - Observability
- Zipkin
- Prometheus
- Grafana
- Kiali
Building Cloud-Native App Series - Part 7 of 11
Microservices Architecture Series
Containers Docker Kind Kubernetes Istio
- Pods
- ReplicaSet
- Deployment (Canary, Blue-Green)
- Ingress
- Service
Building Cloud-Native App Series - Part 5 of 11
Microservices Architecture Series
Microservices Architecture,
Monolith Migration Patterns
- Strangler Fig
- Change Data Capture
- Split Table
Infrastructure Design Patterns
- API Gateway
- Service Discovery
- Load Balancer
This document discusses Redis, MongoDB, and Amazon DynamoDB. It begins with an overview of NoSQL databases and the differences between SQL and NoSQL databases. It then covers Redis data types like strings, hashes, lists, sets, sorted sets, and streams. Example use cases for Redis are also provided, such as leaderboards, geospatial queries, and message queues. The document also discusses MongoDB design patterns like embedding data, embracing duplication, and relationships. Finally, it provides a high-level overview of DynamoDB concepts like tables, items, attributes, and primary keys.
Building Cloud-Native App Series - Part 3 of 11
Microservices Architecture Series
AWS Kinesis Data Streams
AWS Kinesis Firehose
AWS Kinesis Data Analytics
Apache Flink - Analytics
Building Cloud-Native App Series - Part 2 of 11
Microservices Architecture Series
Event Sourcing & CQRS,
Kafka, Rabbit MQ
Case Studies (E-Commerce App, Movie Streaming, Ticket Booking, Restaurant, Hospital Management)
Building Cloud-Native App Series - Part 1 of 11
Microservices Architecture Series
Design Thinking, Lean Startup, Agile (Kanban, Scrum),
User Stories, Domain-Driven Design
This document provides an overview of microservices architecture, including concepts, characteristics, infrastructure patterns, and software design patterns relevant to microservices. It discusses when microservices should be used versus monolithic architectures, considerations for sizing microservices, and examples of pioneers in microservices implementation like Netflix and Spotify. The document also covers domain-driven design concepts like bounded context that are useful for decomposing monolithic applications into microservices.
This document discusses domain-driven design (DDD) concepts for transforming a monolithic application to microservices, including:
1. Classifying applications into areas like lift and shift, containerize, refactor, and expose APIs to prioritize high business value, low complexity projects.
2. Focusing on shorter duration projects from specifications to operations.
3. Designing around business capabilities, processes, and forming teams aligned to capabilities rather than technology.
4. Key DDD concepts like ubiquitous language, bounded contexts, and context maps to decompose the domain model into independently deployable microservices.
This document provides an overview of Docker concepts including containers, images, Dockerfiles, and the Docker architecture. It defines key Docker terms like images, containers, and registries. It explains how Docker utilizes Linux kernel features like namespaces and control groups to isolate containers. It demonstrates how to run a simple Docker container and view logs. It also describes the anatomy of a Dockerfile and common Dockerfile instructions like FROM, RUN, COPY, ENV etc. Finally, it illustrates how Docker works by interacting with the Docker daemon, client and Docker Hub registry to build, run and distribute container images.
The document discusses Hyperledger Fabric, a blockchain framework. It provides an overview of why blockchain is needed to solve reconciliation issues in multi-party environments. It then summarizes key aspects of Hyperledger Fabric such as its architecture, components, and how transactions flow through the network.
The DealBook is our annual overview of the Ukrainian tech investment industry. This edition comprehensively covers the full year 2023 and the first deals of 2024.
Best Programming Language for Civil Engineers (Awais Yaseen)
The integration of programming into civil engineering is transforming the industry. We can design complex infrastructure projects and analyse large datasets. Imagine revolutionizing the way we build our cities and infrastructure, all by the power of coding. Programming skills are no longer just a bonus—they’re a game changer in this era.
Technology is revolutionizing civil engineering by integrating advanced tools and techniques. Programming allows for the automation of repetitive tasks, enhancing the accuracy of designs, simulations, and analyses. With the advent of artificial intelligence and machine learning, engineers can now predict structural behaviors under various conditions, optimize material usage, and improve project planning.
Scaling Connections in PostgreSQL - Postgres Bangalore (PGBLR) Meetup-2 (Mydbops)
This presentation, delivered at the Postgres Bangalore (PGBLR) Meetup-2 on June 29th, 2024, dives deep into connection pooling for PostgreSQL databases. Aakash M, a PostgreSQL Tech Lead at Mydbops, explores the challenges of managing numerous connections and explains how connection pooling optimizes performance and resource utilization.
Key Takeaways:
* Understand why connection pooling is essential for high-traffic applications
* Explore various connection poolers available for PostgreSQL, including pgbouncer
* Learn the configuration options and functionalities of pgbouncer
* Discover best practices for monitoring and troubleshooting connection pooling setups
* Gain insights into real-world use cases and considerations for production environments
This presentation is ideal for:
* Database administrators (DBAs)
* Developers working with PostgreSQL
* DevOps engineers
* Anyone interested in optimizing PostgreSQL performance
Contact info@mydbops.com for PostgreSQL Managed, Consulting and Remote DBA Services
How Social Media Hackers Help You to See Your Wife's Message.pdf (HackersList)
In the modern digital era, social media platforms have become integral to our daily lives. These platforms, including Facebook, Instagram, WhatsApp, and Snapchat, offer countless ways to connect, share, and communicate.
Choose our Linux Web Hosting for a seamless and successful online presence (rajancomputerfbd)
Our Linux Web Hosting plans offer unbeatable performance, security, and scalability, ensuring your website runs smoothly and efficiently.
Visit- https://onliveserver.com/linux-web-hosting/
INDIAN AIR FORCE FIGHTER PLANES LIST.pdf (jackson110191)
These fighter aircraft have uses outside of traditional combat situations. They are essential in defending India's territorial integrity, averting dangers, and delivering aid to those in need during natural calamities. Additionally, the IAF improves its interoperability and fortifies international military alliances by working together and conducting joint exercises with other air forces.
Transcript: Details of description part II: Describing images in practice - T... (BookNet Canada)
This presentation explores the practical application of image description techniques. Familiar guidelines will be demonstrated in practice, and descriptions will be developed “live”! If you have learned a lot about the theory of image description techniques but want to feel more confident putting them into practice, this is the presentation for you. There will be useful, actionable information for everyone, whether you are working with authors, colleagues, alone, or leveraging AI as a collaborator.
Link to presentation recording and slides: https://bnctechforum.ca/sessions/details-of-description-part-ii-describing-images-in-practice/
Presented by BookNet Canada on June 25, 2024, with support from the Department of Canadian Heritage.
Kief Morris rethinks the infrastructure code delivery lifecycle, advocating for a shift towards composable infrastructure systems. We should shift to designing around deployable components rather than code modules, use more useful levels of abstraction, and drive design and deployment from applications rather than bottom-up, monolithic architecture and delivery.
Advanced Techniques for Cyber Security Analysis and Anomaly Detection (Bert Blevins)
Cybersecurity is a major concern in today's connected digital world. Threats to organizations are constantly evolving and have the potential to compromise sensitive information, disrupt operations, and lead to significant financial losses. Traditional cybersecurity techniques often fall short against modern attackers. Therefore, advanced techniques for cyber security analysis and anomaly detection are essential for protecting digital assets. This blog explores these cutting-edge methods, providing a comprehensive overview of their application and importance.
Slides (in English) presented at the 100% AI event held in the Paris offices of Iguane Solutions on Tuesday 2 July 2024:
- Presentation of our plug-and-play AI platform: its advanced features, such as its intuitive user interface, its powerful copilot and its high-performance monitoring tools.
- Customer feedback: Cyril Janssens, CTO of easybourse, shares his experience of using our plug-and-play AI platform.
Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Em...Erasmo Purificato
Slide of the tutorial entitled "Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Emerging Trends" held at UMAP'24: 32nd ACM Conference on User Modeling, Adaptation and Personalization (July 1, 2024 | Cagliari, Italy)
Comparison Table of DiskWarrior Alternatives.pdfAndrey Yasko
To help you choose the best DiskWarrior alternative, we've compiled a comparison table summarizing the features, pros, cons, and pricing of six alternatives.
How RPA Help in the Transportation and Logistics Industry.pptxSynapseIndia
Revolutionize your transportation processes with our cutting-edge RPA software. Automate repetitive tasks, reduce costs, and enhance efficiency in the logistics sector with our advanced solutions.
UiPath Community Day Kraków: Devs4Devs ConferenceUiPathCommunity
We are honored to launch and host this event for our UiPath Polish Community, with the help of our partners - Proservartner!
We certainly hope we have managed to spike your interest in the subjects to be presented and the incredible networking opportunities at hand, too!
Check out our proposed agenda below 👇👇
08:30 ☕ Welcome coffee (30')
09:00 Opening note/ Intro to UiPath Community (10')
Cristina Vidu, Global Manager, Marketing Community @UiPath
Dawid Kot, Digital Transformation Lead @Proservartner
09:10 Cloud migration - Proservartner & DOVISTA case study (30')
Marcin Drozdowski, Automation CoE Manager @DOVISTA
Pawel Kamiński, RPA developer @DOVISTA
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
09:40 From bottlenecks to breakthroughs: Citizen Development in action (25')
Pawel Poplawski, Director, Improvement and Automation @McCormick & Company
Michał Cieślak, Senior Manager, Automation Programs @McCormick & Company
10:05 Next-level bots: API integration in UiPath Studio (30')
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
10:35 ☕ Coffee Break (15')
10:50 Document Understanding with my RPA Companion (45')
Ewa Gruszka, Enterprise Sales Specialist, AI & ML @UiPath
11:35 Power up your Robots: GenAI and GPT in REFramework (45')
Krzysztof Karaszewski, Global RPA Product Manager
12:20 🍕 Lunch Break (1hr)
13:20 From Concept to Quality: UiPath Test Suite for AI-powered Knowledge Bots (30')
Kamil Miśko, UiPath MVP, Senior RPA Developer @Zurich Insurance
13:50 Communications Mining - focus on AI capabilities (30')
Thomasz Wierzbicki, Business Analyst @Office Samurai
14:20 Polish MVP panel: Insights on MVP award achievements and career profiling
Coordinate Systems in FME 101 - Webinar SlidesSafe Software
If you’ve ever had to analyze a map or GPS data, chances are you’ve encountered and even worked with coordinate systems. As historical data continually updates through GPS, understanding coordinate systems is increasingly crucial. However, not everyone knows why they exist or how to effectively use them for data-driven insights.
During this webinar, you’ll learn exactly what coordinate systems are and how you can use FME to maintain and transform your data’s coordinate systems in an easy-to-digest way, accurately representing the geographical space that it exists within. During this webinar, you will have the chance to:
- Enhance Your Understanding: Gain a clear overview of what coordinate systems are and their value
- Learn Practical Applications: Why we need datams and projections, plus units between coordinate systems
- Maximize with FME: Understand how FME handles coordinate systems, including a brief summary of the 3 main reprojectors
- Custom Coordinate Systems: Learn how to work with FME and coordinate systems beyond what is natively supported
- Look Ahead: Gain insights into where FME is headed with coordinate systems in the future
Don’t miss the opportunity to improve the value you receive from your coordinate system data, ultimately allowing you to streamline your data analysis and maximize your time. See you there!
1. @arafkarsh arafkarsh
ARAF KARSH HAMID, Co-Founder / CTO, MetaMagic Global Inc., NJ, USA (@arafkarsh)
Experience: 8 Years Network & Security; 6+ Years Cloud Native Apps; 8 Years Cloud Computing; 8 Years Distributed Computing; Architecting & Building Apps
Microservice Architecture Series: Building Cloud Native Apps
Part 12 of 12: Zero Trust / SASE, Network / Security, Cisco SD-WAN / SD-Access, Cisco Secure Cloud Insights / Jupiter One, GRC / DevSecOps
Slide 2: Slides are color coded based on the topic colors.
1 Zero Trust: Perimeter Security; Zero Trust / NIST 800-207; Beyond Corp / SDP; ZTX / CARTA / SASE
2 Network / Security: VXLAN / GRE / DMVPN / LISP / MPLS; SDN / SD-WAN; Service Mesh
3 Cisco Solutions: SD-WAN / SWG; DNA / ISE / SD-Access; Secure Cloud Insights; JupiterOne
4 Operations: DevOps; DevSecOps; Playbook
Slide 3: 0 Setting up the Context
o Developer Journey
o US DoD: Maturation of SDLC Best Practices
o SANS: Cloud Security Architecture
DoD = Department of Defense
This is the final Part (12) of the Cloud Native App Architecture Series focused on Software Developers. The objective of this Chapter is to give a good overview of the Networking and Security Landscape to the developers and how they can contribute (Code / Service Mesh) towards the Security Measures handled by the Security Team. This Section sets up the context to Networking / Security and Operations (DevSecOps).
Slide 4: Developer Journey
Monolithic (Waterfall, then Agile / Scrum 4-6 Weeks; Development, QA / QC and Ops as separate stages): Domain Driven Design, Event Sourcing and CQRS (Optional Design Patterns); Continuous Integration (CI); 6/12 Months; Enterprise Service Bus; Relational Database [SQL] / NoSQL
Microservices (Scrum / Kanban 1-5 Days): Domain Driven Design, Event Sourcing and CQRS (Mandatory Design Patterns); Infrastructure Design Patterns; CI / CD / DevOps; Event Streaming / Replicated Logs; SQL / NoSQL; Container Orchestrator; Service Mesh
Slide 6: SecOps / DevOps
Source: SCI – Your Eyes in the Sky By Al Huger, Nov 15, 2021
While SecOps starts on the left with security posture and attack surface management as its entry point, DevOps starts at the far right with the continuous integration and continuous delivery (CI/CD) pipeline and application/API security as its main concern.
As SecOps moves right and begins to influence the other stakeholders within a mature organization, DevOps shifts left to include pre-deploy checks by using runtime security inputs.
Slide 7: SANS Cloud Security Architecture Principles
Source: RSA Conference 2019 – A Cloud Security Architecture workshop. Dave Shackleford Sr. Instructor SANS Institute
Think Components; Design for Failure; Always Think of Feedback Loops; Use Different Storage Options; Built-In Security at every Layer; Focus on Centralization, Standards & Automation; Design for Elasticity
Slide 8: 1 Zero Trust
o Perimeter Security Vs. Zero Trust
o Google Beyond Corp
o NIST 800-207
o Forrester Zero Trust Extended
o Software Defined Perimeter
o Secure Access Service Edge
Objectives
o Understand the Origin of Zero Trust
o Issues with Perimeter Security
o Zero Trust Concept based on NIST Standards
o Implementing Zero Trust using Software Defined Perimeter
o Understanding SASE
Slide 9: History: Evolution of Security & Threat
Time: Technology / Threats
1 Early 1990s: Anti Viruses / Viruses
2 Mid 1990s: Wardialing. Testing an organization's list of phone numbers for the presence of modems. After the Telecommunications Consumer Protection Act of 2003 made it illegal to "dial for tone", war dialling died off.
3 Late 1990s: Firewalls, Deep Packet Inspection
4 Early 2000s: PKI. A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.
5 Mid 2000s: Deperimeterization, Jericho Forum
6 Late 2000s: Next Gen Firewalls
7 Early 2010s: Defense in Depth & APTs. An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.
8 Mid 2010s: AI & Big Data
9 Late 2010s: Zero Trust
Source: RSA Conference. Mar 17, 2019: Fallacy of Zero Trust Network By Paul Simmonds
Slide 10: What Zero Trust is
Source: RSA Conference. Mar 17, 2019: Fallacy of Zero Trust Network By Paul Simmonds
• NOT A Next Generation Firewall / Security Device
• NOT A Next Generation Perimeter
• NOT A Next Gen VPN Solution
• NOT a Security Product
• NOT an IT Project
• NOT Eliminating your Intranet
• AND NOT About “Trusting No One”
Slide 11: How ZERO TRUST should Help Organizations
• Business Focused (Enables Business)
• A (Architectural) State of Mind
• Same Security Principles for Internet & Intranet
• A Combination of Process and Technologies
• Reduced Complexity
• Better User Experience for SecOps and Partners
Source: RSA Conference. Mar 17, 2019: Fallacy of Zero Trust Network By Paul Simmonds
Slide 12: Perimeter Security Vs. Zero Trust
Classic Security Model (Perimeter Security): Restrict everything to a secure Network
• Location Based (External / Internal)
• Anyone inside the network is always trusted.
• Based on Layered Security
Zero Trust: Protect Assets anywhere with Central Policy
1. Never Trust, Always Verify
2. Implement Least Privilege
3. (Always) Assume Breach
Forrester's John Kindervag 2010: No More Chewy Centers: Introducing The Zero Trust Model Of Information Security. Inspired from Jericho Forum Commandments v1.2 May 2007.
Source: Microsoft: Jericho & Modern Security
Slide 13: Zero Trust: Access Management
• Least Privilege
  • Every Access is limited to a specific user, device, and app or resource only
• Centralized
  • Policies are centralized across common IT Systems
  • Policies are defined by the Business Team (Support from IT)
• Dynamic
  • Access Decisions are made in real-time
  • Context of the Access influences the Decision
• Adaptive
  • Open to Support new Auth Protocols
  • Constantly Evolving System (Machine Learning, AI)
Source: RSA Conference. Mar 17, 2019: Fallacy of Zero Trust Network By Paul Simmonds
Slide 14: Zero Trust: Data
• Adopt the Principle of Least Privilege
  • Access to the Data MUST be limited to a Specific user, device and App or Resource Only
  • Identify the User Persona and limit the access based on that
• Contextual Access Control
  • Data Access Policies must be defined by the Business with the support of IT
  • Access decisions must be made in real-time – as and when it's required.
• Operate Outside your Control
  • Business needs to interact with the outside world
Source: RSA Conference. Mar 17, 2019: Fallacy of Zero Trust Network By Paul Simmonds
Slide 15: Zero Trust: Network
• It’s Application and User Centric and not Infra or Technology Centric
• No DMZ or VPN anymore: No Security Perimeter
• All Network Sessions MUST have Authentication and Authorization
• Only Secure (Encrypted) Protocols allowed on Network
• More than One way to Implement Zero Trust Network
  • Network Micro Segmentation (Lots of Tiny Firewalls)
  • Software Defined Perimeter (Lots of Tiny VPNs)
  • Identity Aware Proxy (Next Gen Web Access Management)
  • All of the Above
Source: RSA Conference. Mar 17, 2019: Fallacy of Zero Trust Network By Paul Simmonds
Slide 16: Jericho: Zero Trust Fundamentals
JFC #4: Devices and applications must communicate using open, secure protocols.
JFC #5: All devices must be capable of maintaining their security policy on an un-trusted network. Designed for Internet.
JFC #6: All people, processes, and technology must have declared and transparent levels of trust for any transaction to take place. Multiple trust attributes (user, device, location, app etc).
JFC #11: By default, Data must be appropriately secured when stored, in transit, and in use.
Source: Jericho Forum Commandments v1.2 May 2007: https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf
Slide 18: Google Beyond Corp: A New Approach to Enterprise Security
Source: 2014: Google BeyondCorp: A New Approach to Enterprise Security https://research.google/pubs/pub43231/
Slide 19: Google Beyond Corp: Design to Deploy
Source: 2016: Google BeyondCorp 2: Design to Deployment at Google https://research.google/pubs/pub44860/
Diagram (columns 1 to 4): Data Sources (Management Agents, Certificate Authorities, Asset Inventories, Exceptions, Others) feed Access Intelligence (Trust Inferer, Device Inventory Service, Access Control Engine, Access Policy), which is consulted by the Gateways (Interactive Login, Network Switch, Web Proxy) that front the Resources (Code Repository, Network VLAN, Bug Tracker).
Slide 20: Google Beyond Corp: Design to Deploy
Source: 2016: Google BeyondCorp 2: Design to Deployment at Google https://research.google/pubs/pub44860/
Access requirements are organized into Trust Tiers representing levels of increasing sensitivity.
• Resources are an enumeration of all the applications, services, and infrastructure that are subject to access control. Resources might include anything from online knowledge bases, to financial databases, to link-layer connectivity, to lab networks. Each resource is associated with a minimum trust tier required for access.
• The Trust Inferer is a system that continuously analyses and annotates device state. The system sets the maximum trust tier accessible by the device and assigns the VLAN to be used by the device on the corporate network. These data are recorded in the Device Inventory Service. Re-evaluations are triggered either by state changes or by a failure to receive updates from a device.
• The Access Policy is a programmatic representation of the Resources, Trust Tiers, and other predicates that must be satisfied for successful authorization.
• The Access Control Engine is a centralized policy enforcement service referenced by each gateway that provides a binary authorization decision based on the access policy, output of the Trust Inferer, the resources requested, and real-time credentials.
At the heart of this system, the Device Inventory Service continuously collects, processes, and publishes changes about the state of known devices.
Resources are accessed via Gateways, such as SSH servers, Web proxies, or 802.1x-enabled networks. Gateways perform authorization actions, such as enforcing a minimum trust tier or assigning a VLAN.
Slide 21: NIST 800-207: Zero Trust Architecture
Source: NIST SP 800-207: Zero Trust Architecture https://csrc.nist.gov/publications/detail/sp/800-207/final
Subject: A User, An Application, or a Device – Operating on (or with) a Computer System which has access to an Enterprise Resource.
Resource: An Application, Document, Data, Database or Workload that’s under the Enterprise Control, protected by the Zero Trust System.
Diagram: Control Plane: Policy Decision Point = Policy Engine + Policy Administrator, fed by CDM System, GRC System, Threat Intelligence, Activity Logs, Data Access Policy, PKI, IAM and SIEM. Data Plane: Subject (User, App, Device; UnTrusted side) reaches the Resource (Trusted side) only through the Policy Enforcement Point.
Slide 22: NIST 800-207: Zero Trust Architecture
Source: NIST 800-207 https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture
Policy Decision Point = PE (Policy Engine) + PA (Policy Administrator); PEP = Policy Enforcement Point.
PE is responsible for granting access to a resource for a given subject. The PE uses enterprise policy as well as input from external sources (e.g., CDM systems, threat intelligence, etc.) as input to a trust algorithm to grant, deny, or revoke access to the resource.
PA is responsible for establishing and/or shutting down the communication. It would generate any session-specific authentication and authorization token or credential used by a client to access an enterprise resource. The PA configures the PEP to allow the session to start. If the session is denied, the PA signals the PEP to shut down the connection.
PEP is responsible for enabling, monitoring, and eventually terminating connections between a subject and an enterprise resource. The PEP communicates with the PA to forward requests and/or receive policy updates from the PA.
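The PE / PA / PEP split above, together with the BeyondCorp Trust Inferer and Access Control Engine described on slide 20, as an added worked example (it is not code from the slides, from NIST SP 800-207 or from Google): the Policy Engine's trust algorithm is a BeyondCorp-style tier inference over device state, the Policy Administrator issues a session-specific credential and revokes it when a re-evaluation fails, and the PEP forwards a request only while the PA still holds a live session for that exact resource. The tier numbers, the device fields, the 30-day patch threshold and the resource names are assumptions.

```python
# Added example (not from the slides, NIST SP 800-207 or Google's BeyondCorp
# papers): a toy control plane in which the Policy Engine's "trust algorithm"
# is BeyondCorp-style trust-tier inference, the Policy Administrator issues
# session credentials and revokes them on re-evaluation, and a PEP consults the
# PA for every forwarded request. Tier numbers, device fields and resource
# names are assumptions made for illustration.
import secrets
from dataclasses import dataclass, field

# Assumed trust tiers, ordered by increasing sensitivity of what they unlock.
UNTRUSTED, BASIC, MANAGED, FULLY_TRUSTED = 0, 1, 2, 3


@dataclass
class DeviceState:
    """Snapshot of a device as reported to the Device Inventory Service (CDM input)."""
    device_id: str
    managed: bool
    disk_encrypted: bool
    patch_lag_days: int
    cert_valid: bool


def infer_trust_tier(dev: DeviceState, threat_intel: set) -> int:
    """Trust Inferer: the maximum tier this device may reach, from its current state."""
    if dev.device_id in threat_intel or not dev.cert_valid:
        return UNTRUSTED
    if not dev.managed:
        return BASIC
    if not dev.disk_encrypted or dev.patch_lag_days > 30:  # assumed 30-day threshold
        return MANAGED
    return FULLY_TRUSTED


@dataclass
class PolicyEngine:
    """PE: binary decision from policy (resource minimum tiers) plus external inputs."""
    resource_min_tier: dict
    threat_intel: set = field(default_factory=set)

    def decide(self, dev: DeviceState, resource: str) -> bool:
        # Unknown resources default to the strictest tier (deny by default).
        required = self.resource_min_tier.get(resource, FULLY_TRUSTED)
        return infer_trust_tier(dev, self.threat_intel) >= required


@dataclass
class PolicyAdministrator:
    """PA: opens sessions the PE approves, hands the PEP a credential, revokes on change."""
    pe: PolicyEngine
    sessions: dict = field(default_factory=dict)  # token -> (device_id, resource)

    def open_session(self, dev: DeviceState, resource: str):
        if not self.pe.decide(dev, resource):
            return None
        token = secrets.token_urlsafe(16)  # session-specific credential, bound to one resource
        self.sessions[token] = (dev.device_id, resource)
        return token

    def reevaluate(self, dev: DeviceState) -> list:
        """Re-run the PE after a device state change; shut down sessions no longer permitted."""
        revoked = []
        for token, (dev_id, resource) in list(self.sessions.items()):
            if dev_id == dev.device_id and not self.pe.decide(dev, resource):
                del self.sessions[token]
                revoked.append(token)
        return revoked


class PolicyEnforcementPoint:
    """PEP: data-plane check; forwards only while the PA still holds a live session."""

    def __init__(self, pa: PolicyAdministrator):
        self.pa = pa

    def forward(self, token: str, resource: str) -> bool:
        session = self.pa.sessions.get(token)
        return session is not None and session[1] == resource


def run_demo() -> dict:
    """Walk one laptop through grant, use and revocation; returns the observed outcomes."""
    pe = PolicyEngine({"wiki": BASIC, "finance-db": FULLY_TRUSTED})
    pa = PolicyAdministrator(pe)
    pep = PolicyEnforcementPoint(pa)
    laptop = DeviceState("lap-1", managed=True, disk_encrypted=True, patch_lag_days=5, cert_valid=True)
    token = pa.open_session(laptop, "finance-db")
    granted = pep.forward(token, "finance-db")
    cross_use = pep.forward(token, "wiki")  # credential is not valid for another resource
    stale = DeviceState("lap-1", True, True, patch_lag_days=45, cert_valid=True)  # fell behind on patches
    revoked = pa.reevaluate(stale)
    after = pep.forward(token, "finance-db")
    return {"granted": granted, "cross_use": cross_use, "revoked": revoked == [token], "after": after}


if __name__ == "__main__":
    print(run_demo())
```

The re-evaluation path is the part worth watching in a real deployment: the PEP never decides on its own, so a device whose posture drops (here, patch lag crossing the assumed threshold) loses its finance-db session without any configuration change at the PEP itself.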
Slide 23: Google Beyond Corp: with NIST 800-207
Source: 2016: Google BeyondCorp 2: Design to Deployment at Google https://research.google/pubs/pub44860/
Diagram: the BeyondCorp components mapped onto NIST 800-207 roles. 1 Data Sources (Management Agents, Certificate Authorities, Asset Inventories, Exceptions, Others); 2 Access Intelligence (Trust Inferer, Device Inventory Service, Access Policy); 3 Policy Decision Point = Access Control Engine; 4 Gateways (Interactive Login, Network Switch, Web Proxy) acting as Network PEP (Access Proxy) and Application PEP in front of the Resources (Code Repository, Network VLAN, Bug Tracker).
Slide 24: 3 Types of PEP: Policy Enforcement Points (NIST 800-207 Zero Trust Architecture)
User Agent PEP: runs on the user device (laptops, smart devices, desktops etc.) and provides secure connections to the resource; it introspects the device to provide input into Policies like device configuration, security posture, geo location etc. The PEP can also interact with the User if it requires additional authentication.
Application PEP: there are 2 types of Application PEPs, External and Internal. The Internal one runs along with the workload based on the sidecar pattern and focuses on Application access based on User/Service Authentication and Authorization. External PEPs are linked to systems like PAM or DLP.
Network PEP: the simplest among the three categories of Policy Enforcement Points. Network PEPs are already in place in any classic setup to some extent, for example devices like enterprise firewalls (Next Gen Firewalls). These PEPs operate at the network layer enforcing traffic policies. They can also inspect the data or metadata to enforce the policy.
Slide 25: NIST 800-207: Deployment Models
Source: NIST SP 800-207: Zero Trust Architecture https://csrc.nist.gov/publications/detail/sp/800-207/final
1. Resource Based Deployment Model
2. Enclave Based Deployment Model
3. Cloud Routed Deployment Model
4. Micro Segmented Deployment Model
Slide 26: NIST 800-207: Resource Based Deployment Model (Zero Trust Deployment Models)
Source: NIST SP 800-207: Zero Trust Architecture https://csrc.nist.gov/publications/detail/sp/800-207/final
Diagram: Control Plane: Policy Decision Point (Policy Engine, Policy Administrator) exchanges Control Messages with the PEPs. Data Plane: Subject (User, App, Device with a Device Agent PEP) sends Data to the Resource through a Policy Enforcement Point Gateway; the Implicit Trust Zone lies behind that gateway. Resource = Data, Documents, Apps, Services, Files etc.
Pros
• End to End Control of App and Network Traffic
• Trust Zone behind Gateway
Cons
• A PEP needs to be deployed for both Device and Resource
• Push back from App / Resource Owners
• Requires 1:1 Relationship with Subject and Resource
• Needs to be deployable for Legacy Apps
Slide 27: NIST 800-207: Enclave Based Deployment Model (Zero Trust Deployment Models)
Source: NIST SP 800-207: Zero Trust Architecture https://csrc.nist.gov/publications/detail/sp/800-207/final
Diagram: Control Plane: Policy Decision Point (Policy Engine, Policy Administrator) exchanges Control Messages with the PEPs. Data Plane: Subject (User, App, Device with a Device Agent PEP) sends Data through a Policy Enforcement Point Gateway to a Resource Enclave; the Implicit Trust Zone is the enclave behind the gateway. Resource = Data, Documents, Apps, Services, Files etc.
Pros
• Easy to Deploy for Resources
• Fewer PEPs deployed
• PEPs can run at the Edge of the network
Cons
• Large and Opaque Resource Zones
• PEPs represent a new type of Ingress point into the enterprise Network
Slide 28: NIST 800-207: Cloud Routed Deployment Model (Zero Trust Deployment Models)
Source: NIST SP 800-207: Zero Trust Architecture https://csrc.nist.gov/publications/detail/sp/800-207/final
Diagram: Control Plane: Policy Decision Point exchanges Control Messages with the PEPs. Data Plane: Subject (User, App, Device with a Device Agent PEP) sends Data through an intermediate PEP to the Policy Enforcement Point Gateway in front of the Resource Enclave (Implicit Trust Zone). Resource = Data, Documents, Apps, Services, Files etc.
Pros
• Easy to setup for Enterprises
• Reduces the Operational overhead
• Secure Web Gateway enables Multi-Cloud or Hybrid Cloud Environments
Cons
• Adds Latency to user Traffic
• Limited Network Protocols support
• Large and Opaque Trust Zones.
Slide 29: NIST 800-207: Micro Segmentation Deployment Model (Zero Trust Deployment Models)
Source: NIST SP 800-207: Zero Trust Architecture https://csrc.nist.gov/publications/detail/sp/800-207/final
Diagram: Control Plane: Policy Decision Point exchanges Control Messages with every PEP. Data Plane: the Subject (User, App, Device with a Device Agent PEP) reaches each Resource through that resource's own PEP, so every Subject / Resource pair has its own small Implicit Trust Zone. Resource = Data, Documents, Apps, Services, Files etc.
Pros
• Small Implicit Trust Zone
• Bi-Directional, Good for Microservices Implementation
Cons
• Large PEP deployment
• Potential Conflicts
• Direct access to PEPs by Subjects
• Potential for push back from App Owners
Slide 30: NIST 800-162: Attribute Based Access Control
Source: Page 17 NIST 800-162: https://csrc.nist.gov/publications/detail/sp/800-162/final
An access control method where
• subject requests to perform operations on objects are granted or denied
• based on assigned attributes of the subject,
• assigned attributes of the object,
• environment conditions,
• and a set of policies that are specified in terms of those attributes and conditions.
Slide 31: NIST 800-162: Attribute Based Access Control
Source: Page 18 NIST 800-162: https://csrc.nist.gov/publications/detail/sp/800-162/final
1. Subject requests access to object
2. Access Control Mechanism evaluates a) Rules, b) Subject Attributes, c) Object Attributes, d) Environment Conditions to compute a decision
3. Subject is given access to object if authorized
Slide 32: NIST 800-162: Attribute Based Access Control
Source: Page 17 NIST 800-162: https://csrc.nist.gov/publications/detail/sp/800-162/final
A subject is a human user or NPE (non-person entity), such as a device, that issues access requests to perform operations on objects. Subjects are assigned one or more attributes.
An object is a system resource for which access is managed by the ABAC system, such as devices, files, records, tables, processes, programs, networks, or domains containing or receiving information. It can be the resource or requested entity, as well as anything upon which an operation may be performed by a subject, including data, applications, services, devices, and networks.
Slide 33: NIST 800-162: Attribute Based Access Control
Source: Page 17 NIST 800-162: https://csrc.nist.gov/publications/detail/sp/800-162/final
• An operation is the execution of a function at the request of a subject upon an object. Operations include read, write, edit, delete, copy, execute, and modify.
• Policy is the representation of rules or relationships that makes it possible to determine if a requested access should be allowed, given the values of the attributes of the subject, object, and possibly environment conditions.
• Environment conditions: the operational or situational context in which access requests occur. Environment conditions are detectable environmental characteristics. Environment characteristics are independent of subject or object, and may include the current time, day of the week, location of a user, or the current threat level.
Slide 34: NIST 800-162: ABAC in Action
Source: Page 19 NIST 800-162: https://csrc.nist.gov/publications/detail/sp/800-162/final
• Each object within the system must be assigned specific object attributes that characterize the object.
• Some attributes pertain to the entire instance of an object, such as the owner.
• Other attributes may only apply to parts of the object. For example, a document object could be
  • owned by organization A,
  • have a section with intellectual property from organization B,
  • and be part of a program run by organization C.
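The subject / object / operation / environment vocabulary of slides 30 to 34, as an added worked example (not code from the slides or from NIST SP 800-162): a small Access Control Mechanism that evaluates a set of rules over subject attributes, object attributes and environment conditions with deny-overrides combining, using the document-owned-by-A, IP-section-from-B, program-run-by-C object from slide 34 as constructed sample data. The rule names, the attribute names, the working-hours window and the threat-level condition are assumptions.

```python
# Added example (not from the slides or NIST SP 800-162): a small ABAC Access
# Control Mechanism. Each Rule is a predicate over the request's subject
# attributes, object attributes and environment conditions; attribute names,
# values and the rules themselves are constructed for illustration.
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Request:
    subject: dict      # subject attributes (clearance, org, programs ...)
    operation: str     # read, write, delete ...
    obj: dict          # object attributes (owner, classification, ip_owner ...)
    env: dict          # environment conditions (hour, location, threat_level)


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                          # "permit" or "deny"
    applies: Callable[[Request], bool]   # predicate over attributes and conditions


RULES = [
    # Environment condition: offsite access only during assumed working hours (09:00-18:00).
    Rule("offsite-outside-hours", "deny",
         lambda r: r.env["location"] == "offsite" and not 9 <= r.env["hour"] < 18),
    # Environment condition: at high threat level only the owning organisation gets in.
    Rule("high-threat-owner-only", "deny",
         lambda r: r.env["threat_level"] == "high" and r.subject["org"] != r.obj["owner"]),
    # Object attribute that applies to a part of the object: a section holding another
    # organisation's intellectual property is limited to the owner and that organisation.
    Rule("ip-section-restricted", "deny",
         lambda r: "ip_owner" in r.obj and r.subject["org"] not in (r.obj["owner"], r.obj["ip_owner"])),
    # Subject vs object attributes: the owning org with sufficient clearance may do anything.
    Rule("owner-org", "permit",
         lambda r: r.subject["org"] == r.obj["owner"] and r.subject["clearance"] >= r.obj["classification"]),
    # Members of the program the object belongs to may read it.
    Rule("program-member-read", "permit",
         lambda r: r.operation == "read" and r.obj.get("program") in r.subject.get("programs", ())
         and r.subject["clearance"] >= r.obj["classification"]),
]


def evaluate(req: Request, rules=RULES):
    """Access Control Mechanism with deny-overrides combining: any applicable deny
    wins, otherwise at least one applicable permit is required, else deny by default.
    Returns (decision, names of the rules that applied)."""
    applicable = [r for r in rules if r.applies(req)]
    names = [r.name for r in applicable]
    if any(r.effect == "deny" for r in applicable):
        return "deny", names
    if any(r.effect == "permit" for r in applicable):
        return "permit", names
    return "deny", names


# Constructed sample data: a document owned by org A, with a section holding
# org B's intellectual property, as part of a program run by org C.
DOCUMENT = {"owner": "A", "classification": 2, "program": "P1"}
IP_SECTION = {**DOCUMENT, "ip_owner": "B"}
ALICE = {"org": "A", "clearance": 2, "programs": {"P1"}}  # owning organisation
BOB = {"org": "C", "clearance": 2, "programs": {"P1"}}    # program member, not owner
ONSITE_DAY = {"hour": 10, "location": "onsite", "threat_level": "low"}


if __name__ == "__main__":
    for who, subj in (("alice", ALICE), ("bob", BOB)):
        for op, target in (("read", DOCUMENT), ("write", DOCUMENT), ("read", IP_SECTION)):
            print(who, op, "ip-section" if "ip_owner" in target else "document",
                  evaluate(Request(subj, op, target, ONSITE_DAY)))
```

Returning the names of the rules that applied, not just the decision, is what makes such a mechanism auditable: a denied request can be traced to the environment condition or object attribute that blocked it.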
Slide 38: Forrester: Zero Trust eXtended (ZTX)
Source: Forrester Zero Trust extended Ecosystem: Aug 11, 2020
Zero Trust Strategy: the goal is to evolve towards a Zero Trust Architecture or Encrypt all Sensitive Data
Zero Trust Capability: For Ex. Data Security: Security teams need the ability to inventory, classify, obfuscate, archive, or delete data according to policy
Zero Trust Technology / Zero Trust Feature: Ask “What capabilities does this technology support and where does it specifically plug into my team’s Zero Trust strategy?”
Slide 39: Gartner: CARTA: 7 Core Areas
Continuous Adaptive Risk and Trust Assessment approach
Source: Gartner 2018
1. Replace one-time security gates with Context Aware, Adaptive & Programmable Security Platforms
2. Continuously Discover, Monitor, Assess and Prioritize Risk – Proactively and Reactively
3. Perform Risk and Trust Assessment Early in Digital Business Initiatives
4. Instrument Infrastructure for Comprehensive, full stack Risk Visibility, Including Sensitive Data Handling
5. Use Analytics, AI, Automation and Orchestration to speed the time to detect and respond to scale
6. Architect Security as an Integrated, Adaptable Programmable System, and not Silos
7. Put Continuous Data Driven Risk Decision making and Risk Ownership into BU’s and product owners
Slide 40: Software Defined Perimeter – Context
Cloud Security Alliance: May 27, 2020: SDP and Zero Trust
o Classic Network Design creates a fixed Perimeter to divide the External Network from the Internal Network, using Routers, Firewalls, and other access control devices.
o The concept of the Classic Network is based on visibility and accessibility.
1. Today’s network is fluid with Hybrid clouds, IaaS, PaaS, SaaS, IoT, etc., all with multiple entry points.
2. This is further complicated by Contractors, Remote/Mobile Users, BYOD etc.
These conditions give rise to the Software Defined Perimeter instead of a traditional Fixed Perimeter.
Slide 41: Software Defined Perimeter
Cloud Security Alliance: May 27, 2020: SDP and Zero Trust
• SDP abstracts and hides internet connected infrastructure (Routers, Servers etc.) irrespective of whether the infra is On-Premise or Cloud.
• SDP Secures the user, the application and the connectivity.
• Instead of a traditional hardware-based perimeter setup, SDP is completely software driven.
• A VPN connects the users to the Network using a simple authentication, while SDP allows the users to connect to the required resource using real-time contextual risk assessment to determine user access.
According to Gartner more than 60% of Enterprises moved away from VPN by 2021
Slide 42: Software Defined Perimeter – Principles
Source: IEEE Software-Defined Perimeters: An Architectural View of SDP
1. Separation of Control Plane and Data Plane. User, Device etc. access is controlled using the Control Plane. The SDP Controller handles the control plane.
2. Separation of logical and physical Components. The Connections between hosts are virtualized using overlay tunnels.
3. Authenticating the Hosts. Only authorized systems/services are allowed to communicate.
4. Validating the Hosts against a set of policies. Checking for absence of Malware, allowed applications, business policies such as time of the day, checking an external Threat Intelligence Database.
SDP is not a replacement for existing solutions; it augments existing solutions such as SDN.
Slide 43: Software Defined Perimeter: Architecture
Cloud Security Alliance: May 27, 2020: SDP and Zero Trust
Source: https://cloudsecurityalliance.org/artifacts/sdp-architecture-guide-v2/
Diagram: Control Plane: the SDP Controller acts as the Policy Decision Point and exchanges Control Messages with the SDP Client and the SDP Gateway. Data Plane: Subject (User, App, Device running the SDP Client; IH: Initiating Host) sends Data to the SDP Gateway (Policy Enforcement Point; AH: Accepting Host) in front of the Resource.
SDP requires 2 Security modules: 1. mTLS, 2. SPA
The model depicted here is similar to the Enclave Resource model from the NIST 800-207 Architecture. The NIST team defined that based on the Cloud Security Alliance SDP Architecture.
Slide 44: SDP – Secure Communications
mTLS – Mutual Transport Layer Security
• Both Client and Server need to validate the certificate
• Expect Mutual Root Certificates for Client & Server
• Avoids Man in the Middle Attack
SPA – Single Packet Authorization: Authenticate before Connect
• Default Policy in SDP Gateway is Drop All Packets
• Based on RFC 4226: HOTP (HOTP: An HMAC-Based One-Time Password Algorithm)
• SPA happens before TLS Connection
• For Valid Connections a Firewall rule is created for the mTLS connection
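The SPA step above, as an added worked example (not code from the slides, from RFC 4226 or from the Cloud Security Alliance SDP specification): RFC 4226 HOTP (HMAC-SHA-1 over the counter, dynamic truncation; checked against the RFC's reference secret) and a toy Accepting Host that drops everything by default, opens a per-source rule for the mTLS connection only after a valid SPA packet, and refuses a replayed counter. The `client_id:code` packet format, the client ids and the look-ahead window are assumptions; the CSA SPA packet format carries additional fields, and this example keeps only the one-time code.

```python
# Added example (not from the slides, RFC 4226 or the CSA SDP specification):
# RFC 4226 HOTP plus a toy SDP gateway that applies a default-drop policy and
# opens a per-source "firewall rule" for the mTLS connection only after a valid
# single-packet authorization. Packet format, client ids, secrets and the
# look-ahead window are assumptions made for illustration.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


class SpaGateway:
    """Accepting Host side of SDP: drop everything until a valid SPA packet arrives."""

    def __init__(self, clients: dict, look_ahead: int = 3):
        self.clients = clients                        # client_id -> shared HOTP secret
        self.next_counter = {c: 0 for c in clients}   # next expected counter per client
        self.look_ahead = look_ahead                  # tolerate a few lost packets
        self.open_rules = set()                       # (src_ip, client_id) allowed to start mTLS

    def on_packet(self, src_ip: str, payload: bytes) -> bool:
        """Return True only when the packet is a valid SPA; everything else is dropped."""
        try:
            client_id, code = payload.decode("ascii").split(":", 1)
        except (UnicodeDecodeError, ValueError):
            return False
        secret = self.clients.get(client_id)
        if secret is None:
            return False
        start = self.next_counter[client_id]
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(secret, counter), code):
                # Counters only move forward, so a captured packet cannot be replayed.
                self.next_counter[client_id] = counter + 1
                self.open_rules.add((src_ip, client_id))
                return True
        return False

    def accepts_tls(self, src_ip: str, client_id: str) -> bool:
        """What the data-plane firewall consults before letting the mTLS handshake through."""
        return (src_ip, client_id) in self.open_rules


# Constructed sample: the RFC 4226 reference secret, assigned to client "ih-1" (Initiating Host).
SAMPLE_SECRET = b"12345678901234567890"


def run_demo() -> dict:
    """One valid knock, one replay of the same packet from another source."""
    gateway = SpaGateway({"ih-1": SAMPLE_SECRET})
    knock = b"ih-1:" + hotp(SAMPLE_SECRET, 0).encode()
    first = gateway.on_packet("10.0.0.5", knock)
    replay = gateway.on_packet("10.0.0.6", knock)
    return {"first": first, "replay": replay, "tls_open": gateway.accepts_tls("10.0.0.5", "ih-1")}


if __name__ == "__main__":
    print(run_demo())
```

The look-ahead window is the usual trade-off in counter-based schemes: it lets a client recover after a few dropped packets, but every accepted code advances the expected counter past it, so the same packet can never open the gateway twice.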
Slide 45: Deployment modes of Software Defined Perimeter (as defined by Cloud Security Alliance)
• Client-Gateway – SDP uses a proxy that arbitrates connections between clients and a set of protected servers. A client connects to a gateway which in turn provides access to hosts that provide services.
• Client-Server – there is no gateway proxy sitting between the client and server. The clients directly connect to the hosts.
• Server to Server – used for servers offering services (via REST APIs) to applications.
• Client to Server to Client – peer to peer connections between clients.
Source: IEEE Software-Defined Perimeters: An Architectural View of SDP
Slide 47: SASE: Secure Access Service Edge
Created by Gartner: Six Core Technologies of SASE
Network: SD-WAN
Security: ZTNA (Zero Trust Network Access); SWG (Secure Web Gateway); CASB (Cloud Access Security Broker); FWaaS (Firewall as a Service); DNS Security
Slide 48: SASE: Overview
Source: Gartner 2021 Strategic Roadmap for SASE Convergence, March 25, 2021 By Neil MacDonald, Nat Smith, Lawrence Orans, Joe Skorupa
Diagram: Entities Anywhere (Users, Devices, Locations) connect through the SASE Cloud Infrastructure, which combines WAN Edge Infrastructure / Services and Security Services Edge with Threat Awareness and Sensitive Data Awareness, to Resources Everywhere (Public Cloud, Data Center, Edge). Identity Context drives a Consistent Network & Security Policy, giving Zero Trust Access and a Consistent User Experience.
Slide 49: SASE: Detailed View
Source: Gartner 2021 Strategic Roadmap for SASE Convergence, March 25, 2021 By Neil MacDonald, Nat Smith, Lawrence Orans, Joe Skorupa
Diagram: Entities Anywhere (Employees, Contractors, Partners, Devices, Distributed Apps; Remote, Mobile, Offices, Edge) connect, under User / Device Identity Context and a Consistent Network & Security Policy, through the SASE Cloud Infrastructure to Resources Everywhere (Applications, APIs, Data, Devices; SaaS, IaaS, Data Center, Branch, Edge), with Zero Trust Access and a Consistent User Experience.
WAN Edge Services: SD-WAN; WAN Optimization; QoS; Routing; SaaS Acceleration; Content Delivery / Caching; …
Security Services Edge: Secure Web GW; CASB; ZTNA / VPN; FWaaS; Remote Browser Isolation; Encryption / Decryption; …
Both service groups are backed by Threat Awareness and Sensitive Data Awareness.
Slide 52: SASE: Reference Architecture
SASE Reference Architecture based on the Network as a Service Model
Source: Cisco: SASE with Savvy The Keys to an Effective Secure Access Service Edge Solution
As the workloads are becoming Cloud Native in a Hybrid, Multi Cloud Environment, Cisco Umbrella and Cisco SD-WAN are an implementation of the SASE Framework.
Slide 53: SASE Framework: Summary
Source: July 21, 2021: Steve Murphy SASE and Secure Web Gateway
Secure Access Framework to Manage
• Cloud Environment (Hybrid, Multi Cloud)
• Distributed Workforce (Remote, WFH)
Focuses on Delivering Adaptive Access & Security to Users
• Direct Access to Cloud (SD-WAN)
• Eliminate backhaul to Security Stack
Users can access Apps/Data from Any Device from Any Location
• Security is Applied based on Context
Slide 54: 2 Network / Security
o VXLAN / GRE / DMVPN / MPLS / LISP
o SDN / SD-WAN
o Zero Trust / VPN
o Service Mesh
Objectives
o Understanding of Overlay Networking
o Understanding of GRE / DM VPN / LISP / MPLS
o Understanding of Software Defined Networking
o Understanding of SD-WAN
o Understanding of Service Mesh
55. Networking
o Overlay Network: VXLAN
o GRE / mGRE / DMVPN / IPsec
o LISP: Locator/ID Separation Protocol
o MPLS: Multi Protocol Label Switching
o SDN: Software Defined Networking
o SD-WAN: Software Defined WAN
o SD-WAN: Zero Touch Provisioning
o SD-WAN: Public / Private WAN
57. Networking Glossary
Netfilter – Packet Filtering in Linux
The kernel framework that does packet filtering, NAT and other packet mangling through hooks in the network stack.
iptables
The user-space tool that lets an admin configure Netfilter rules for managing IP traffic (nftables is its successor).
Conntrack
Connection tracking, built on top of Netfilter. It is what lets a rule such as "accept ESTABLISHED,RELATED" admit return traffic without opening the ports for everyone.
IPVS – IP Virtual Server
Implements transport-layer (L4) load balancing inside the Linux kernel. Like iptables it is built on Netfilter hooks, but it uses a hash table for lookups, so it scales better than long iptables chains.
Border Gateway Protocol
BGP is the standardized exterior gateway protocol used to exchange routing and reachability information among autonomous systems (AS) on the Internet. It is usually classified as a path-vector protocol, sometimes as a distance-vector protocol. Its well-known mandatory attributes are AS_PATH, NEXT_HOP and ORIGIN.
L2 Bridge (Software Switch)
Switches (bridges) connect several network links to each other, forming a LAN. The major components of a switch are a set of network ports, a control plane, a forwarding plane and a MAC learning database. The ports forward traffic between other switches and end hosts on the network. The control plane typically runs the Spanning Tree Protocol, which calculates a minimum spanning tree for the LAN so that physical loops do not bring the network down. The forwarding plane processes the frames arriving on the ports and decides which port or ports each frame is forwarded to.
58. Networking Glossary
Layer 2 Networking
Layer 2 is the Data Link layer of the OSI model, providing node-to-node transfer of frames between two adjacent nodes on a network. Ethernet is the usual example, with MAC as a sub-layer. Flannel's VXLAN backend carries L2 frames across an L3 underlay.
Layer 3 Networking
Layer 3 routes packets between hosts on top of the Layer 2 links. IPv4, IPv6 and ICMP are Layer 3 protocols. Calico uses plain L3 routing between nodes.
Layer 4 Networking
The Transport layer (TCP, UDP) provides end-to-end delivery between processes: ports, and for TCP reliability and flow control.
Layer 7 Networking
Application-layer networking (HTTP, FTP, etc.); this is the layer closest to the end user. A Kubernetes Ingress controller is an L7 load balancer.
VXLAN Networking
Virtual Extensible LAN helps large cloud deployments by encapsulating L2 frames inside UDP datagrams. VXLAN is similar to VLAN, whose 12-bit tag limits it to about 4K network IDs; VXLAN's 24-bit VNI allows 16 million. VXLAN is an encapsulation and overlay protocol that runs on top of an existing underlay network. Note that VXLAN carries no authentication of its own: tenant separation holds only as long as the underlay keeps untrusted hosts from sending UDP/4789 to the VTEPs.
Overlay Networking
An overlay network is a virtual, logical network built on top of an existing network. Overlays provide useful abstractions on top of existing networks and separate different logical networks from one another.
Source Network Address Translation
SNAT is a NAT procedure that rewrites the source address of an IP packet (e.g. masquerading pods or VMs behind a node's address).
Destination Network Address Translation
DNAT is a NAT procedure that rewrites the destination address of an IP packet (e.g. a published port or a Kubernetes Service VIP mapped to a backend).
62. VXLAN Encapsulation: Customer 1, Node 1 to Node 2
[Figure: two nodes, each running a vSwitch with a VTEP and hosting Customer 1 and Customer 2 workloads that use the same overlay addresses]
Node / Server 1: eth0 10.130.1.102 (underlay); Customer 1 workload 172.17.4.1 (B1 MAC); Customer 2 workload 172.17.4.1 (Y1 MAC)
Node / Server 2: eth0 10.130.2.187 (underlay); Customer 1 workload 172.17.5.1 (B2 MAC); Customer 2 workload 172.17.5.1 (Y2 MAC)
Inner frame (overlay, Customer 1): Src 172.17.4.1 / B1 MAC, Dst 172.17.5.1 / B2 MAC
Outer headers added by the VTEP on Node 1: Src IP 10.130.1.102, Dst IP 10.130.2.187, Src UDP port dynamic, Dst UDP port 4789, VNI 100
The VTEP on Node 2 strips the outer headers and delivers the unchanged inner frame to the B2 MAC on VNI 100.
VSWITCH: Virtual Switch | VTEP: VXLAN Tunnel End Point | VNI: VXLAN Network Identifier
63. VXLAN Encapsulation: Customer 1, Node 2 to Node 1 (return traffic)
Inner frame (overlay, Customer 1): Src 172.17.5.1 / B2 MAC, Dst 172.17.4.1 / B1 MAC
Outer headers added by the VTEP on Node 2: Src IP 10.130.2.187, Dst IP 10.130.1.102, Src UDP port dynamic, Dst UDP port 4789, VNI 100
The VTEP on Node 1 strips the outer headers and delivers the inner frame to the B1 MAC on VNI 100.
VSWITCH: Virtual Switch | VTEP: VXLAN Tunnel End Point | VNI: VXLAN Network Identifier
64. VXLAN Encapsulation: Customer 2, Node 1 to Node 2
Inner frame (overlay, Customer 2): Src 172.17.4.1 / Y1 MAC, Dst 172.17.5.1 / Y2 MAC (the same overlay addresses Customer 1 uses)
Outer headers added by the VTEP on Node 1: Src IP 10.130.1.102, Dst IP 10.130.2.187, Src UDP port dynamic, Dst UDP port 4789, VNI 200
The VTEP on Node 2 uses the VNI (200) to deliver the frame to Customer 2's Y2 MAC, not to Customer 1's workload that has the identical IP address.
VSWITCH: Virtual Switch | VTEP: VXLAN Tunnel End Point | VNI: VXLAN Network Identifier
65. VXLAN Encapsulation: Two Tenants on One Underlay
[Figure: the same two nodes; Customer 1 traffic travels on VNI 100 and Customer 2 traffic on VNI 200 between the same pair of VTEPs (10.130.1.102 and 10.130.2.187)]
The underlay sees only UDP/4789 traffic between the two node addresses; the VNI in the VXLAN header is what keeps the two customers' identical 172.17.x.x address spaces separate.
VSWITCH: Virtual Switch | VTEP: VXLAN Tunnel End Point | VNI: VXLAN Network Identifier
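The encapsulation shown on slides 62 to 65, as an added example in Python (not code from the slides or from any VXLAN implementation): it packs the outer IP, UDP and VXLAN headers around an inner Ethernet frame, parses them back, and shows a receiving VTEP selecting the tenant port by (VNI, destination MAC), so Customer 1 and Customer 2 keep separate segments even though they use identical overlay addresses. The node and overlay addresses and the VNIs are the ones in the figures; the MAC addresses and the payload are constructed stand-ins, and the peer-VTEP allowlist is this example's own check, since VXLAN itself authenticates nothing.

```python
"""Added example (not from the slides): VXLAN encapsulation (RFC 7348) and
VNI-based tenant isolation at a VTEP. Underlay addresses, overlay addresses
and VNIs follow slides 62-65; the MAC addresses stand in for the figure's
B1/B2/Y1/Y2 labels and are constructed."""
import socket
import struct

VXLAN_PORT = 4789          # IANA-assigned UDP port for VXLAN
FLAG_VNI_VALID = 0x08      # the "I" bit: the VNI field is valid

NODE1, NODE2 = "10.130.1.102", "10.130.2.187"                        # VTEP (underlay) addresses
B1, B2 = b"\x02\xb1\x00\x00\x00\x01", b"\x02\xb2\x00\x00\x00\x02"    # Customer 1 MACs (constructed)
Y1, Y2 = b"\x02\x11\x00\x00\x00\x01", b"\x02\x12\x00\x00\x00\x02"    # Customer 2 MACs (constructed)

def ipv4_header(src, dst, payload_len, proto=17):
    """20-byte IPv4 header; checksum left as 0 (a real stack fills it in)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def overlay_frame(src_mac, dst_mac, src_ip, dst_ip, payload):
    """The original (inner) Ethernet frame a workload puts on its vSwitch port."""
    return dst_mac + src_mac + b"\x08\x00" + ipv4_header(src_ip, dst_ip, len(payload)) + payload

def encapsulate(vtep_src, vtep_dst, vni, frame, sport=49152):
    """Outer IPv4 + UDP (dst 4789) + 8-byte VXLAN header + inner frame."""
    vxlan = struct.pack("!B3s3sB", FLAG_VNI_VALID, b"\0\0\0", vni.to_bytes(3, "big"), 0)
    udp = struct.pack("!HHHH", sport, VXLAN_PORT, 8 + len(vxlan) + len(frame), 0)
    return ipv4_header(vtep_src, vtep_dst, len(udp) + len(vxlan) + len(frame)) + udp + vxlan + frame

def decapsulate(packet):
    """Parse the outer headers; return (outer source IP, VNI, inner frame)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("outer protocol is not UDP")
    outer_src = socket.inet_ntoa(packet[12:16])
    _, dport, _, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_PORT:
        raise ValueError("not a VXLAN packet")
    vxlan = packet[ihl + 8:ihl + 16]
    if not vxlan[0] & FLAG_VNI_VALID:
        raise ValueError("VNI flag not set")
    return outer_src, int.from_bytes(vxlan[4:7], "big"), packet[ihl + 16:]

class VTEP:
    """Receiving side: (VNI, destination MAC) selects the local tenant port.
    Frames with an unknown VNI/MAC pair are dropped (None)."""
    def __init__(self, peers):
        self.peers = set(peers)   # underlay addresses of the VTEPs we accept tunnels from
        self.ports = {}           # (vni, mac) -> tenant name

    def attach(self, vni, mac, tenant):
        self.ports[(vni, mac)] = tenant

    def receive(self, packet):
        outer_src, vni, frame = decapsulate(packet)
        if outer_src not in self.peers:
            return None           # VXLAN has no authentication: the underlay must filter senders
        return self.ports.get((vni, frame[0:6]))

def build_node2():
    node2 = VTEP(peers=[NODE1])
    node2.attach(100, B2, "Customer 1")
    node2.attach(200, Y2, "Customer 2")
    return node2

def deliver(node2, vni, src_mac, dst_mac, vtep_src=NODE1):
    """Both customers use 172.17.4.1 -> 172.17.5.1; only VNI + MAC tell them apart."""
    frame = overlay_frame(src_mac, dst_mac, "172.17.4.1", "172.17.5.1", b"constructed payload")
    return node2.receive(encapsulate(vtep_src, NODE2, vni, frame))

if __name__ == "__main__":
    n2 = build_node2()
    print(deliver(n2, 100, B1, B2))                 # Customer 1
    print(deliver(n2, 200, Y1, Y2))                 # Customer 2
    print(deliver(n2, 200, B1, B2))                 # None: Customer 1's MAC is unknown on VNI 200
    print(deliver(n2, 100, B1, B2, "10.130.9.9"))   # None: not from a known VTEP
```

The last call is the case the slides do not draw: a host on the underlay that is not a VTEP but can reach UDP/4789 on Node 2 could inject a frame into either tenant's segment by guessing VNI and MAC, which is why the example filters on the outer source and why, in practice, VTEP traffic is confined to a dedicated underlay VLAN or wrapped in IPsec.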
66. GRE: Generic Routing Encapsulation
Originally a Cisco protocol; standardized in RFC 2784 and extended with the Key and Sequence Number fields by RFC 2890.
GRE creates a tunnel between two networks over a public network. It can carry any OSI Layer 3 protocol over IP (IP protocol number 47). GRE creates a point-to-point connection, like a VPN, by encapsulating the original packet as payload.
GRE tunnels are not secure: the payload is neither encrypted nor authenticated, and the optional key is sent in cleartext. For a secure tunnel, run GRE over IPsec.
[Figure: Branch 1 (public IP 202.1.2.1) and Branch 2 (public IP 204.1.2.1) connected across the Internet by a GRE tunnel; the virtual tunnel interfaces (VTI) use 192.168.1.1/24 and 192.168.1.2/24 on the overlay]
Branch 1 tunnel configuration (Cisco IOS):
interface tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 202.1.2.1
 tunnel destination 204.1.2.1
Branch 2 tunnel configuration (Cisco IOS):
interface tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 204.1.2.1
 tunnel destination 202.1.2.1
Packet layout on the underlay: New IP Header (20 bytes) | GRE Header (4–16 bytes) | Original IP Header | Data (payload). Total overhead 24–36 bytes, which is why the tunnel MTU is set to 1476 (1500 minus the 24-byte base overhead) and the TCP MSS to 1436 (1476 minus 40 bytes of inner IP and TCP headers).
Source: Red Hat – Introduction to Linux IP Tunnels
67. GRE: Packet Headers & Data Transfer
[Figure: Branch 1 Router (public IP 202.1.2.1, LAN 172.17.4.0/24 with hosts 172.17.4.1 and 172.17.4.2) and Branch 2 Router (public IP 204.1.2.1, LAN 172.17.5.0/24 with hosts 172.17.5.1 and 172.17.5.2), tunnel interfaces 192.168.1.1/24 and 192.168.1.2/24 across the Internet underlay]
Packet on the underlay: New IP Header (Src 202.1.2.1, Dst 204.1.2.1) | GRE Header | Original IP Header (Src 172.17.4.1, Dst 172.17.5.2) | Data
1. The packet from 172.17.4.1 to 172.17.5.2 reaches the Branch 1 router.
2. A new IP header and a GRE header are added; the packet is sent to 204.1.2.1.
3. The packet reaches the Branch 2 router.
4. The new IP header and GRE header are removed; the original packet is delivered on the Branch 2 LAN.
Routes
Branch 1: all traffic to 172.17.5.0/24 is forwarded out Tunnel0 (next hop 192.168.1.2, the far end of the tunnel).
Branch 2: all traffic to 172.17.4.0/24 is forwarded out Tunnel0 (next hop 192.168.1.1).
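The header layout and the MTU/MSS values on slides 66 and 67, as an added example in Python (not from the slides or from any router's code): it packs and parses the GRE header with the optional Key field, derives the 1476/1436 pair from the 24-byte overhead, and decapsulates a constructed packet to show that the tunnel key and the inner addresses are readable by anyone on the path. Addresses are the slides'; the key value 11 is the one used in the DMVPN slides that follow, and the payload is constructed.

```python
"""Added example (not from the slides): GRE header packing/parsing (RFC 2784,
Key field from RFC 2890) and the tunnel MTU / TCP MSS arithmetic behind the
slide's 'ip mtu 1476' and 'ip tcp adjust-mss 1436'."""
import socket
import struct

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800
FLAG_CSUM, FLAG_KEY, FLAG_SEQ = 0x8000, 0x2000, 0x1000   # bits in the first 16-bit word

def ipv4_header(src, dst, payload_len, proto):
    """20-byte IPv4 header, checksum left as 0 (a real stack fills it in)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def gre_header(key=None, seq=None, checksum=False, proto=ETHERTYPE_IPV4):
    """4-byte base header plus 4 bytes for each optional field that is present."""
    flags = ((FLAG_CSUM if checksum else 0) | (FLAG_KEY if key is not None else 0)
             | (FLAG_SEQ if seq is not None else 0))
    hdr = struct.pack("!HH", flags, proto)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)      # checksum + reserved1, left 0 here
    if key is not None:
        hdr += struct.pack("!I", key)         # the tunnel key: a cleartext identifier
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr

def parse_gre(data):
    flags, proto = struct.unpack("!HH", data[:4])
    off, key, seq = 4, None, None
    if flags & FLAG_CSUM:
        off += 4
    if flags & FLAG_KEY:
        key = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if flags & FLAG_SEQ:
        seq = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    return {"proto": proto, "key": key, "seq": seq, "header_len": off, "payload": data[off:]}

def tunnel_mtu(link_mtu=1500, key=None, seq=None, checksum=False):
    """(tunnel MTU, TCP MSS): MTU is the link MTU minus outer IP + GRE overhead;
    the MSS additionally leaves 40 bytes for the inner IP and TCP headers."""
    overhead = 20 + len(gre_header(key=key, seq=seq, checksum=checksum))
    mtu = link_mtu - overhead
    return mtu, mtu - 40

def encapsulate(inner_packet, key=None, src="202.1.2.1", dst="204.1.2.1"):
    """Branch 1 router: new IP header + GRE header in front of the original packet."""
    gre = gre_header(key=key)
    return ipv4_header(src, dst, len(gre) + len(inner_packet), IPPROTO_GRE) + gre + inner_packet

def decapsulate(packet):
    """Branch 2 router, or anyone on the path: everything is readable, key included."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    gre = parse_gre(packet[ihl:])
    inner = gre["payload"]
    return {"outer": (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])),
            "key": gre["key"], "overhead": ihl + gre["header_len"],
            "inner": (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])),
            "data": inner[(inner[0] & 0x0F) * 4:]}

def sample_packet(key=11):
    """A constructed packet from 172.17.4.1 to 172.17.5.2 as it crosses the Internet."""
    data = b"constructed payload"
    inner = ipv4_header("172.17.4.1", "172.17.5.2", len(data), 17) + data
    return encapsulate(inner, key=key)

if __name__ == "__main__":
    print(tunnel_mtu())          # (1476, 1436): the slide's values
    print(tunnel_mtu(key=11))    # (1472, 1432): 4 more bytes once a tunnel key is present
    print(decapsulate(sample_packet()))
```

Running it makes two practical points: once a tunnel key is configured the exact values are 1472/1432 rather than the slide's 1476/1436, and a capture on the Internet path yields the key, both inner addresses and the payload, so the key is a tunnel selector, not a secret.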
68. DMVPN: Dynamic Multipoint VPN
o GRE is a point-to-point tunnel.
o DMVPN builds VPN tunnels to many sites from a single tunnel interface.
o It is a hub-and-spoke design, yet spokes can also talk to each other directly.
o Encryption is supported by running the tunnels over IPsec.
o It is a common alternative to a carrier MPLS VPN.
4 critical elements of DMVPN
1. Multipoint GRE (mGRE)
2. NHRP (Next Hop Resolution Protocol)
3. A routing protocol (RIP, EIGRP, OSPF, BGP, etc.)
4. IPsec (optional, but required for any confidentiality or authentication)
[Figure: an organization with 1 HQ and 4 branches (B1 to B4); on the left a mesh of point-to-point GRE tunnels, on the right a DMVPN hub (HQ) with spokes over the Internet]
Point-to-point GRE tunnels are complex and do not scale well.
Requirements
1. All branches linked to HQ
2. Branch B1 and B3 linked
3. Branch B2 and B4 linked
Source: Cisco DMVPN
69. NHRP: Next Hop Resolution Protocol
o A protocol to discover the best path (next hop) across a wide-area network with many subnets.
o A WAN typically does not forward broadcasts; such a network is called a Non-Broadcast Multiple Access (NBMA) network.
o NHRP is similar to ARP: it resolves a logical (tunnel) address to the physical (NBMA) address that can reach it.
o NHRP uses Next Hop Servers (NHSs) that hold registrations and answer Next Hop Clients (NHCs). The NHS is the hub and the NHCs are the spokes.
o Each NHC registers its physical (NBMA) IP and its logical tunnel IP with the NHS.
o When an NHC wants to reach another NHC it sends a resolution request to the NHS, which returns the target NHC's NBMA address.
o NHRP's "authentication" string is carried in cleartext and only prevents accidental mis-registration; protection against a rogue spoke comes from IPsec on the tunnel, not from NHRP.
NHRP was developed by the Internet Engineering Task Force: RFC 2332
70. Multipoint GRE
Requirements
1. All branches linked to HQ
2. Branch B1 and B3 linked
3. Branch B2 and B4 linked
[Figure, left: B1 to B4 and HQ with a separate point-to-point GRE tunnel for each link]
Point-to-point GRE is not an ideal solution: each router needs multiple tunnel interfaces, which is messy and not scalable.
[Figure, right: hub-and-spoke topology; HQ is the NHS, B1 to B4 are NHCs on the 192.168.1.0/24 tunnel network, with dynamic on-demand spoke-to-spoke tunnels]
With multipoint GRE there is ONLY one tunnel interface on each router, and the hub's interface has no tunnel destination.
1. Each NHC registers with the NHS.
2. B1 and B2 send NHRP resolution requests to the NHS to get the route (NBMA address) of the spoke they want to reach.
3. Based on the reply, dynamic on-demand tunnels are built directly between the spokes.
71. DMVPN: Phases
Phase 1
All spokes register with the hub and all traffic goes through the hub. Each spoke uses a regular point-to-point GRE tunnel; only the hub uses mGRE.
Phase 2
Allows spoke-to-spoke communication over mGRE tunnels on every router. Spoke-to-spoke tunnels are built on demand when traffic flows, so data no longer has to pass through the hub. Every spoke needs a specific route, with the remote spoke as next hop, for every other spoke's prefix, so the hub cannot summarize.
Phase 3
Improves Phase 2 with NHRP redirect (on the hub) and NHRP shortcut (on the spokes): the hub can advertise a summary route, and when a spoke sends traffic through the hub the hub's redirect triggers an NHRP resolution and a shortcut route straight to the other spoke. This scales better than Phase 2, where the per-spoke routes had to be pre-defined.
Source: TechTarget: DMVPN
Phase 1: key feature, spokes dynamically register with the hub; tunnel type, hub mGRE and spokes GRE
Phase 2: key feature, spokes communicate directly with other spokes; tunnel type, all use mGRE
Phase 3: key feature, allows route summarization; tunnel type, all use mGRE
72. DMVPN: Multipoint GRE – Phase 1
[Figure: HQ (NHS, tunnel address 192.168.1.99, NBMA 9.9.9.9, LAN 172.99.1.1) and spokes B1 (NBMA 1.1.1.1, LAN 172.1.1.1), B2 (2.2.2.2, LAN 172.2.1.1), B3 (3.3.3.3, LAN 172.3.1.1), B4 (4.4.4.4, LAN 172.4.1.1) on the tunnel network 192.168.1.0/24, with dynamic on-demand tunnels]
Specs
1. All branches are connected to HQ
2. Branch B1 & B3 are connected
3. Branch B2 & B4 are connected
Hub configuration (point-to-multipoint), Cisco IOS:
interface Tunnel0
 ip address 192.168.1.99 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 9.9.9.9
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 1
 tunnel mode gre multipoint
 tunnel key 11
B1 spoke configuration (point-to-point), Cisco IOS:
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 1.1.1.1
 tunnel destination 9.9.9.9
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 1
 tunnel key 11
 ip nhrp nhs 192.168.1.99
 ip nhrp map 192.168.1.99 9.9.9.9
Notes on the configuration
o ip mtu / ip tcp adjust-mss: adjusted for the 24-byte outer IP + GRE overhead; the MSS also leaves room for the 40-byte inner IP + TCP headers. With a tunnel key the GRE header grows by 4 bytes, and DMVPN deployments over IPsec commonly use ip mtu 1400 and ip tcp adjust-mss 1360 to leave room for the IPsec headers as well.
o tunnel source: the public (NBMA) IP address.
o ip nhrp network-id: the NHRP domain; the hub is the Next Hop Server.
o The hub has no tunnel destination (mGRE).
o tunnel key: optional. If set, it is carried in the GRE header and must match for the tunnel to form. It is a cleartext identifier, not cryptographic authentication.
o In Phase 1 the spoke works in point-to-point GRE mode, so the hub's NBMA IP is given as the tunnel destination.
o ip nhrp nhs: the Next Hop Server is the hub router; this is statically configured.
o ip nhrp map: maps the hub's tunnel address to the hub's NBMA IP address, 9.9.9.9 (not the spoke's own 1.1.1.1).
o On newer IOS versions the nhs and map lines can be combined: ip nhrp nhs 192.168.1.99 nbma 9.9.9.9 multicast
Repeat the B1 spoke configuration for the other branches.
Traffic flows in Phase 1 (Src → Dst, all via the hub): 172.99.1.1 → 172.4.1.1; 172.99.1.1 → 172.2.1.1; 172.3.1.1 → 172.99.1.1; 172.1.1.1 → 172.3.1.1; 172.2.1.1 → 172.4.1.1
73. DMVPN: Multipoint GRE – Phase 2 and Phase 3
[Figure: same topology as the previous slide; HQ 192.168.1.99 / 9.9.9.9, spokes B1 to B4 at 1.1.1.1 to 4.4.4.4 with LANs 172.1.1.1 to 172.4.1.1, dynamic on-demand spoke-to-spoke tunnels]
Specs
1. All branches are connected to HQ
2. Branch B1 & B3 are connected
3. Branch B2 & B4 are connected
Hub configuration (point-to-multipoint): use the hub configuration from Phase 1.
B1 spoke configuration, DMVPN Phase 2 (point-to-multipoint), Cisco IOS:
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 1.1.1.1
 tunnel mode gre multipoint
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 1
 tunnel key 11
 ip nhrp nhs 192.168.1.99
 ip nhrp map 192.168.1.99 9.9.9.9
 ip nhrp map multicast 9.9.9.9
DMVPN Phase 3 additions
Spoke (B1), accept redirects and install shortcut routes:
interface Tunnel0
 ip nhrp shortcut
Hub, tell spokes about a better (direct) path:
interface Tunnel0
 ip nhrp redirect
Notes on the configuration
o ip mtu / ip tcp adjust-mss: as in Phase 1, adjusted for the outer IP + GRE overhead.
o tunnel source: the public (NBMA) IP address.
o ip nhrp network-id: the NHRP domain; the hub is the Next Hop Server.
o The statically configured tunnel destination on the spoke is gone; mGRE is used on the spoke too.
o tunnel key: optional, cleartext, must match on both ends for the tunnel to form.
o With no static destination, multicast (routing-protocol hellos) must be mapped manually to the NHS's NBMA address, 9.9.9.9; the nhs and map lines are still needed so the spoke can register with the hub.
o ip nhrp redirect (hub): the hub informs the spoke that a better route exists for the destination.
o ip nhrp shortcut (spoke): lets the spoke accept the redirect, resolve the other spoke through NHRP and install a shortcut route.
Traffic flows (Src → Dst): 172.99.1.1 → 172.4.1.1 and 172.99.1.1 → 172.2.1.1 (hub to spoke); 172.3.1.1 → 172.99.1.1 (spoke to hub); 172.1.1.1 → 172.3.1.1 and 172.2.1.1 → 172.4.1.1 (spoke to spoke, over on-demand tunnels)
74. DMVPN: Multipoint GRE – Summary
[Figure: HQ (NHS, 192.168.1.99 / 9.9.9.9, LAN 172.99.1.1) with spokes B1 to B4 (NBMA 1.1.1.1 to 4.4.4.4, LANs 172.1.1.1 to 172.4.1.1) on 192.168.1.0/24 and dynamic on-demand tunnels]
Specs
1. All branches are connected to HQ
2. Branch B1 & B3 are connected
3. Branch B2 & B4 are connected
Hub configuration (point-to-multipoint), all phases:
interface Tunnel0
 ip address 192.168.1.99 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 9.9.9.9
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 1
 tunnel mode gre multipoint
 tunnel key 11
B1 spoke configuration, Phase 1 (point-to-point):
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 1.1.1.1
 tunnel destination 9.9.9.9
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 1
 tunnel key 11
 ip nhrp nhs 192.168.1.99
 ip nhrp map 192.168.1.99 9.9.9.9
B1 spoke configuration, Phase 2 (point-to-multipoint):
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 1.1.1.1
 tunnel mode gre multipoint
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 1
 tunnel key 11
 ip nhrp nhs 192.168.1.99
 ip nhrp map 192.168.1.99 9.9.9.9
 ip nhrp map multicast 9.9.9.9
Phase 3 additions: ip nhrp shortcut on each spoke's Tunnel0 and ip nhrp redirect on the hub's Tunnel0.
Traffic flows (Src → Dst): 172.99.1.1 → 172.4.1.1; 172.99.1.1 → 172.2.1.1; 172.3.1.1 → 172.99.1.1; 172.1.1.1 → 172.3.1.1; 172.2.1.1 → 172.4.1.1
75. IPsec
RFC 6071 (the IPsec and IKE document roadmap)
o Creates an encrypted tunnel over an IP network.
o ESP provides confidentiality, integrity and data-origin authentication, which prevents eavesdropping and undetected modification.
o GRE can be combined with IPsec to carry multiple protocols (and the multicast that routing protocols need) over an IP network under IPsec's protection.
Packet layout, ESP tunnel mode: New IP Header | ESP Header | Original IP Header | Data | ESP Trailer | ESP Auth Trailer (ICV). Overhead: roughly 50–57 bytes, depending on the cipher's block size and padding.
76. VRF: Virtual Routing & Forwarding
[Figure: an ISP router with Customer A (172.17.4.1) and Customer B (172.17.5.1) attached. Before VRF both customers share one routing table; after VRF each customer has its own instance, VRF-A and VRF-B, on the same router]
o VRF allows multiple independent routing-table instances on one router (virtual routers).
o VRF increases security because the traffic and routes of different customers are separated: a destination that is not in a VRF's table cannot be reached from that VRF.
o The network path is segmented without using multiple pieces of hardware.
o Each VRF instance has its own routing table and its own forwarding table for next-hop lookups, so overlapping address ranges can coexist on one router.
o Traditional VRF is used by ISPs in MPLS VPNs; VRF Lite is VRF without MPLS VPN.
o VRF uses the same virtualization idea as VLANs and is its Layer 3 equivalent: a VLAN makes a single switch appear as multiple switches, while a VRF makes a single router appear as multiple routers.
77. MPLS: Multi Protocol Label Switching
Jointly developed by Cisco, Ipsilon & IBM in 1996. The first working group formed in 1997 and the first deployment was in 1999.
• MPLS supports transport over IP, Ethernet, asynchronous transfer mode (ATM) and frame relay.
• MPLS forwards most packets by a label lookup that sits between Layer 2 (Data Link) and Layer 3 (Network) of the OSI model, hence "Layer 2.5", instead of by IP routing.
• MPLS is an alternative to traditional routing on the destination IP address, which requires each router to inspect the packet's destination address at every hop and consult its own routing table. This is a time-consuming process, especially for voice and video calls.
• The first router in the MPLS network determines the entire path (the Label Switched Path) upfront; the path's identity is conveyed to the subsequent routers as a label in the packet header.
An MPLS label stack entry is 32 bits with 4 parts:
1. Label value: 20 bits
2. Experimental (EXP), renamed Traffic Class by RFC 5462: 3 bits
3. Bottom of stack: 1 bit
4. Time to live: 8 bits
Source: TechTarget – Multi Protocol Label Switching
Label Edge Router
1. Each packet gets labelled on entry by the ISP's Label Edge Router (LER).
2. The LER decides the Label Switched Path (LSP), the path the packet will take until it reaches the destination.
3. All subsequent Label Switch Routers (LSRs) forward the packet based on the label alone; the last hop removes the label.
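The 32-bit label stack entry and the LER/LSR walk on this slide, as an added example in Python (not from the slides or from any vendor's forwarding code): it packs and parses the label, TC, bottom-of-stack and TTL fields, then traces a packet along a small Label Switched Path in which the ingress LER pushes a label for the destination prefix, an LSR swaps it, and the penultimate hop pops it. The prefix is the slides' 172.17.5.0/24; the router names, label values and LFIB contents are constructed.

```python
"""Added example (not from the slides): the MPLS label stack entry (RFC 3032;
EXP renamed Traffic Class by RFC 5462) and a walk along a constructed LSP.
Router names, label values and the forwarding tables are made up for the example."""
import ipaddress
import struct

def pack_label(label, tc=0, bottom=False, ttl=64):
    """label(20) | TC(3) | S(1) | TTL(8), big-endian, as carried on the wire."""
    if not (0 <= label < 1 << 20) or not (0 <= tc < 8) or not (0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)

def parse_label(entry):
    v = struct.unpack("!I", entry[:4])[0]
    return {"label": v >> 12, "tc": (v >> 9) & 0x7, "bottom": bool(v & 0x100), "ttl": v & 0xFF}

# Ingress LER: forwarding equivalence class (destination prefix) -> (label to push, next hop)
INGRESS_FEC = {ipaddress.ip_network("172.17.5.0/24"): (1001, "LSR-A")}
# Label Forwarding Information Base of each LSR: incoming label -> (action, outgoing label, next hop)
LFIB = {
    "LSR-A": {1001: ("swap", 2002, "LSR-B")},
    "LSR-B": {2002: ("pop", None, "LER-egress")},   # penultimate hop popping
}

def trace(dst_ip, ttl=64):
    """Return the (router, action, label) hops a packet takes, or None if no LSP matches."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [fec for fec in INGRESS_FEC if dst in fec]
    if not matches:
        return None                                   # plain IP routing instead
    label, router = INGRESS_FEC[max(matches, key=lambda n: n.prefixlen)]
    stack = pack_label(label, bottom=True, ttl=ttl)   # push; the IP TTL is copied into the label
    hops = [("LER-ingress", "push", label)]
    while router in LFIB:
        entry = parse_label(stack)
        if entry["ttl"] <= 1:
            return hops + [(router, "drop", entry["label"])]   # TTL expired inside the LSP
        if entry["label"] not in LFIB[router]:
            return hops + [(router, "drop", entry["label"])]   # unknown label: no IP lookup is done
        action, out_label, next_hop = LFIB[router][entry["label"]]
        if action == "swap":
            stack = pack_label(out_label, entry["tc"], entry["bottom"], entry["ttl"] - 1)
            hops.append((router, "swap", out_label))
        else:
            stack = b""                                        # label removed, the IP packet continues
            hops.append((router, "pop", None))
        router = next_hop
    return hops + [(router, "deliver", None)]

if __name__ == "__main__":
    print(parse_label(pack_label(1001, tc=5, bottom=True)))
    for hop in trace("172.17.5.2"):
        print(hop)
```

Nothing in the label authenticates the packet: the core forwards on the 20-bit value alone, so separation between customers in an MPLS VPN rests entirely on the provider edge configuration that assigns labels, which is why customers who need confidentiality run IPsec on top of the MPLS circuit.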
78. LISP: Locator/ID Separation Protocol
LISP uses two addresses for each network node:
1. One for its identity: the Endpoint Identifier (EID), assigned to hosts such as computers, laptops, printers, etc.
2. One for its routing location: the Routing Locator (RLOC), assigned to routers; RLOCs are used to reach EIDs.
LISP is a tunnelling protocol that uses a DNS-like mapping system to find out which router packets for an EID should be sent to.
Created by Cisco and transferred to the IETF: RFC 6830: https://datatracker.ietf.org/doc/html/rfc6830 (since superseded by RFC 9300 and RFC 9301)
Source: Cisco LISP – IP Routing Guide
WHY
Internet routing tables have grown exponentially, to close to 900K prefixes, putting a huge burden on BGP routers.
• Multihoming: customers connect to two different ISPs and advertise their Provider Independent (PI) address space to both.
• Traffic engineering: advertising more specific routes increases the size of the Internet routing table.
3 environments in a LISP network
1. LISP site: the EID namespace
2. Non-LISP site: the RLOC namespace, where the RLOCs are found
3. LISP mapping service: the EID-to-RLOC mapping service
79. LISP: Control / Data Plane
[Figure: a host 172.17.4.2 asks a DNS server "google.com?" and gets 142.250.77.110; the LISP router R1 asks the mapping system "EID 172.17.5.2?" (Map-Request) and gets "EID 172.17.5.0/24, RLOC 204.1.2.1" (Map-Reply)]
• DNS resolves a hostname to an IP address.
• LISP resolves an EID to an RLOC.
The Map-Request / Map-Reply exchange is the LISP control plane; the encapsulated packets travelling between RLOCs are the LISP data plane.
Source: https://networklessons.com/cisco/ccnp-encor-350-401/cisco-locator-id-separation-protocol-lisp
80. LISP: Locator/ID Separation Protocol
LISP is a map-and-encapsulate protocol.
[Figure: LISP Site 1 (Host 1, 172.17.4.2) behind router R1 (RLOC 202.1.2.1, ITR) and LISP Site 2 (Host 2, 172.17.5.2) behind router R2 (RLOC 204.1.2.1, ETR), connected across the RLOC space; a map server at 202.3.2.1 holds the Map Database. R1's map cache: EID 172.17.5.0/24 → RLOC 204.1.2.1. R2's map cache: EID 172.17.4.0/24 → RLOC 202.1.2.1. Map Database: EID 172.17.5.0/24 → RLOC 204.1.2.1]
Original packet: Src 172.17.4.2, Dst 172.17.5.2, Data
Packet on the RLOC space: New IP Header (Src 202.1.2.1, Dst 204.1.2.1) | LISP Header | Original IP Header (Src 172.17.4.2, Dst 172.17.5.2) | Data
Router R1 = Ingress Tunnel Router (ITR)
Router R2 = Egress Tunnel Router (ETR)
The LISP map server stores all the EID-to-RLOC mappings.
1. Host 1 sends data to Host 2 through R1.
2. R1 sends a Map-Request for the destination EID to the LISP map server ("Where is EID 172.17.5.2?").
3. The map server responds with the RLOC (EID 172.17.5.0/24 is at RLOC 204.1.2.1); R1 caches the answer.
4. R1 encapsulates the packet with its own RLOC as source and R2's RLOC as destination.
5. R2 receives the LISP-encapsulated packet and decapsulates it.
6. R2 sends the original packet to Host 2.
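Steps 1 to 6 above, as an added example in Python (not from the slides or from Cisco's implementation): a mapping system holding EID-prefix-to-RLOC registrations, an ITR with a map cache that sends a Map-Request only on a cache miss, RLOC encapsulation over UDP 4341, and an ETR that checks the packet is addressed to it and that the inner destination is one of its own EIDs before decapsulating. The same resolve-then-encapsulate pattern is what NHRP does for DMVPN spokes on slides 69 to 74, with tunnel and NBMA addresses in place of EIDs and RLOCs. Addresses are the slides'; the LISP header is left with zero flags and nonce, the map server is an in-memory dictionary, and the payload is constructed.

```python
"""Added example (not from the slides): LISP map-and-encapsulate with a map
cache at the ITR and sanity checks at the ETR. Addresses follow slide 80; the
mapping system is modelled as a dictionary rather than a real map server."""
import ipaddress
import socket
import struct

LISP_DATA_PORT = 4341     # LISP data plane (the control plane uses UDP 4342)

def ipv4_header(src, dst, payload_len, proto=17):
    """20-byte IPv4 header, checksum left as 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

class MappingSystem:
    """Map server: EID-prefix -> RLOC registrations from the ETRs (answers step 2)."""
    def __init__(self):
        self.db = {}

    def register(self, eid_prefix, rloc):
        self.db[ipaddress.ip_network(eid_prefix)] = rloc

    def map_request(self, eid):
        eid = ipaddress.ip_address(eid)
        matches = [p for p in self.db if eid in p]
        if not matches:
            return None                                 # negative Map-Reply: not a LISP site
        best = max(matches, key=lambda p: p.prefixlen)
        return best, self.db[best]

class ITR:
    """Ingress tunnel router (R1): resolves EID -> RLOC and encapsulates (steps 2 to 4)."""
    def __init__(self, rloc, mapping_system):
        self.rloc, self.ms, self.cache, self.map_requests = rloc, mapping_system, {}, 0

    def resolve(self, dst_eid):
        eid = ipaddress.ip_address(dst_eid)
        for prefix, rloc in self.cache.items():         # cache hit: no control-plane traffic
            if eid in prefix:
                return rloc
        self.map_requests += 1
        reply = self.ms.map_request(dst_eid)
        if reply is None:
            return None
        prefix, rloc = reply
        self.cache[prefix] = rloc
        return rloc

    def encapsulate(self, inner):
        rloc = self.resolve(socket.inet_ntoa(inner[16:20]))
        if rloc is None:
            return None                                  # would be forwarded natively instead
        lisp = struct.pack("!B3sI", 0x00, b"\0\0\0", 0)  # flags, nonce/map-version, instance-ID/LSB
        udp = struct.pack("!HHHH", 49152, LISP_DATA_PORT, 8 + len(lisp) + len(inner), 0)
        return ipv4_header(self.rloc, rloc, len(udp) + len(lisp) + len(inner)) + udp + lisp + inner

class ETR:
    """Egress tunnel router (R2): strips the RLOC headers and delivers (steps 5 and 6)."""
    def __init__(self, rloc, eid_prefix):
        self.rloc, self.eid_prefix = rloc, ipaddress.ip_network(eid_prefix)

    def decapsulate(self, packet):
        ihl = (packet[0] & 0x0F) * 4
        if socket.inet_ntoa(packet[16:20]) != self.rloc or packet[9] != 17:
            raise ValueError("outer header is not UDP addressed to this ETR")
        if struct.unpack("!H", packet[ihl + 2:ihl + 4])[0] != LISP_DATA_PORT:
            raise ValueError("not LISP data")
        inner = packet[ihl + 8 + 8:]
        if ipaddress.ip_address(socket.inet_ntoa(inner[16:20])) not in self.eid_prefix:
            raise ValueError("inner destination is not one of my EIDs")  # cheap anti-injection check
        return inner

def accepts(etr, packet):
    try:
        etr.decapsulate(packet)
        return True
    except ValueError:
        return False

def build_sites():
    ms = MappingSystem()
    ms.register("172.17.4.0/24", "202.1.2.1")     # Site 1 behind R1
    ms.register("172.17.5.0/24", "204.1.2.1")     # Site 2 behind R2
    return ITR("202.1.2.1", ms), ETR("204.1.2.1", "172.17.5.0/24")

def send(itr, etr, src_eid, dst_eid, payload=b"constructed payload"):
    """Host 1 -> R1 -> RLOC space -> R2 -> Host 2; returns the packet Host 2 receives."""
    inner = ipv4_header(src_eid, dst_eid, len(payload)) + payload
    packet = itr.encapsulate(inner)
    return None if packet is None else etr.decapsulate(packet)

if __name__ == "__main__":
    r1, r2 = build_sites()
    print(send(r1, r2, "172.17.4.2", "172.17.5.2")[-19:], r1.map_requests)   # 1 Map-Request
    print(send(r1, r2, "172.17.4.2", "172.17.5.3")[-19:], r1.map_requests)   # still 1: cache hit
```

The ETR's last check is worth keeping in a real deployment: the LISP data-plane header carries no authentication, so an ETR that decapsulates anything arriving on UDP 4341 and forwards it into the site would let an outside sender inject packets with arbitrary inner addresses.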
81. Software Defined Network
Challenges
1. Explosion of devices
2. Cost of human error
3. Lack of visibility
4. Security challenges
2 fundamental tenets of SDN
1. Central intelligence
2. Intent-based networking
[Figure: a traditional router contains both a control plane and a data plane; in SDN the control plane is moved out to a central controller that pushes forwarding rules, and the router contains only the data plane]
Data plane: responsible for packet forwarding.
Control plane: responsible for device-to-device network communication and for deciding how to forward packets.
SDN architecture: Application Plane (Security, QoS, MPLS, Routing, …) → Northbound APIs → Control Plane (Network OS) → Southbound APIs → Data Plane
82. SDN Architecture
Software Defined Network
Application Layer: business applications (Security, QoS, MPLS, Routing, …) talking to the controller over Northbound APIs (RESTful or Java APIs)
Control Layer: the SDN controller(s); East–West APIs link multiple controllers to avoid a single point of failure
Infrastructure Layer: network elements (vRouter, vSwitch, vFirewall, SDN appliances such as a vEdge) driven over Southbound APIs
• OpenFlow
• SNMP
• NetConf
A management plane (vManage in Cisco SD-WAN, next to the vController) sits beside the control plane. Because the controller and its northbound and southbound APIs now hold the whole network's forwarding policy, they are the highest-value target in the design and need the same authentication, authorization and audit logging as any other privileged service.
83. Benefits of the SDN Controller
1. Virtualization
 1. Virtualizes the network
 2. Separates the network function from the hardware: NFV, Network Function Virtualization
 3. VNF = Virtual Network Functions: vRouter, vSwitch, vFirewall (e.g. the Cisco SD-WAN vEdge 1000 router)
2. Automation
 1. ZTP = Zero Touch Provisioning
 2. Templates automatically deploy the hardware into your network
3. Visibility
 1. A single controller sees the entire network
 2. Configure and monitor from a single pane of glass
84. SDN – Use Cases
• SD-DC: Software Defined Data Center
• SD-WAN: Software Defined WAN
• SD-LAN: Software Defined LAN
• SDx: Software Defined "x"
85. Software Defined – WAN
Uses a combination of technologies to create the next-generation WAN
• Encrypted tunnels: IPsec (GRE on its own carries no encryption)
• Routing protocols: OSPF and BGP, with MPLS circuits as one of the transports
• Supports various network topologies
Features
1. Transport independent
2. Cloud friendly
3. Simple and secure
86. Software Defined – WAN: Architecture
[Figure: SD-WAN edge appliances in New York and San Jose, each with a 1 Gb DIA (Internet) circuit and a 100 M MPLS circuit; overlay tunnels over both underlays form the SD-WAN fabric; an SD-WAN controller, cloud hosted or on-premise, manages the edges]
Circuits / underlay: IP (Internet), MPLS, 4G/5G, …
Overlay: tunnels between the edge appliances
Benefits of SD-WAN
1. Active-active design; some vendors support up to 8 active connections
2. Intelligent traffic routing
3. Better user experience
87. Software Defined – WAN: Zero Touch Provisioning
[Figure: a New York SD-WAN edge appliance with a 1 Gb DIA and a 100 M MPLS circuit joining the SD-WAN fabric under a cloud-hosted or on-premise SD-WAN controller]
1. Unbox the appliance and connect it to the network.
2. The SD-WAN appliance calls home to talk to the controller.
3. The SD-WAN controller pushes the configuration to the SD-WAN appliance.
4. The SD-WAN appliance joins the SD-WAN fabric.
The call-home step is where both sides must prove who they are, typically with a device identity certificate on the appliance and a trusted controller certificate; an unauthenticated ZTP flow lets a rogue device join the fabric or a rogue controller push configuration to a real one.
88. Software Defined – WAN: Security
[Figure: New York SD-WAN edge appliance, the SD-WAN fabric and the cloud-hosted or on-premise SD-WAN controller]
1. Localized security policy to handle a specific branch's requirements.
2. Centralized security deployed through service chaining, by redirecting Internet traffic to a cloud firewall or secure web gateway.
3. Consistent security policy regardless of whether it is enforced locally or centrally.
89. Software Defined – WAN: Private / Public
[Figure: New York and San Jose SD-WAN edge appliances joined by private WAN circuits (left) and public WAN circuits (right)]
Private WAN
Layer 1 – Dark fiber circuit
Layer 2 – Virtual Private LAN Service (VPLS) circuit
Layer 3 – Multi Protocol Label Switching (MPLS) circuit
Public WAN
Layer 3 – Dedicated Internet Access (DIA) circuit
Layer 3 – Broadband (DSL / cable / 4G / 5G) circuit, shared
Source: Juniper: Understand the VPLS
Source: Juniper: Understanding MPLS VPN Circuits
90. Software Defined – WAN: Cloud Friendly
[Figure, top: traditional / legacy WAN architecture. Branches reach the data center over MPLS; all Internet, SaaS and multi-cloud traffic is backhauled through the data center's Internet connection, which becomes a choke point]
[Figure, bottom: modern WAN architecture with SD-WAN. Branches use MPLS to the data center and DIA / broadband directly to the Internet, SaaS and multi-cloud, with no choke point]
91. Software Defined – WAN: Benefits
1. Builds a secure network on open transports (Internet, broadband) rather than only on closed private circuits.
2. Utilizes all your bandwidth across multiple providers and transports (active/active) instead of active/standby.
3. Supports a smooth transition to cloud native apps (cloud workloads).
4. Simplified management from a single pane of glass.
5. Consolidates edge appliances, rather than dedicated appliances from different vendors.
92. Software Defined – WAN: Summary
A cloud delivered, centralized, single solution for managing the configuration of WAN, cloud and security, at low cost.
[Figure: Cisco SD-WAN dashboard, a single pane of glass (SPoG)]
95. SANS Cloud Security Architecture Principles
Source: RSA Conference 2019 – A Cloud Security Architecture Workshop. Dave Shackleford, Sr. Instructor, SANS Institute
o Think components
o Design for failure
o Always think of feedback loops
o Use different storage options
o Built-in security at every layer
o Focus on centralization, standards & automation
o Design for elasticity
96. Built-In Security At Every Layer
• A cloud architecture is composed of multiple layers. From a cloud native app perspective each microservice is a specific layer in the application stack.
• Each layer must be self-defending.
• Each layer must have its own security controls as part of defense in depth.
• Depending on the security guidelines and policies, some of the measures will be internal to the layer and some external to it.
Source: RSA Conference 2019 – A Cloud Security Architecture Workshop. Dave Shackleford, Sr. Instructor, SANS Institute
97. Built-In Security At Every Layer
Stack layer and its controls:
1. Data: backup, data leak prevention, encryption in transit and at rest
2. Application logic + presentation: web application firewall, secure web gateway, identity & access management, scans / pen tests, service mesh policies
3. Network: access controls, firewalls, service mesh, routing, DDoS defense
4. Operating systems: backups, configuration, vulnerability scanning, user / privilege management
5. Hypervisor: configuration, access controls, user / privilege management
Source: RSA Conference 2019 – A Cloud Security Architecture Workshop. Dave Shackleford, Sr. Instructor, SANS Institute
98. Built-In Security At Every Layer
Source: RSA Conference 2019 – A Cloud Security Architecture Workshop. Dave Shackleford, Sr. Instructor, SANS Institute
o The cloud brings very frequent changes to the environment (infrastructure and software).
o Security measures must be embedded so they keep up with these rapid changes:
 1. Defining security in code (functional code, security policies)
 2. Including security configuration parameters for containers and virtual machines
 3. Automating security processes and activities
 4. Building continuously monitored environments
o Many of these are realized through sound DevSecOps practices.
99. Think "Components"
Source: RSA Conference 2019 – A Cloud Security Architecture Workshop. Dave Shackleford, Sr. Instructor, SANS Institute
o Moving from systems-based to component-based thinking is a major shift for security professionals.
o The cloud is oriented towards a component-based model, with components linked together according to business requirements.
o The key property of a component is reusability:
 o Network policies
 o Security policies
These can be applied across multiple clouds, e.g. with Terraform, Kubernetes and a service mesh.
100. Design for Failure
Source: RSA Conference 2019 – A Cloud Security Architecture Workshop. Dave Shackleford, Sr. Instructor, SANS Institute
o In the cloud, failure is common:
 o Elasticity issues
 o Configuration issues
 o Cloud provider issues
o Chaos engineering plays a big role in preparing for this:
 o Production network testing
 o Production security testing
 o Production performance testing
The chaos engineering principle: minimize the blast radius.
101. Design for Elasticity
Source: RSA Conference 2019 – A Cloud Security Architecture Workshop. Dave Shackleford, Sr. Instructor, SANS Institute
o Microservices, containers and Kubernetes brought automated dynamic scaling of systems (containers) up and down.
o From a security perspective this is a new environment compared with the old static one, where changes were periodic and planned.
o Designing for elasticity from a security perspective:
 o Vertical or horizontal scaling
 o What thresholds are appropriate for scaling up and down
 o How inventory management adjusts to changes in system volume
 o Which images new systems are spawned from (and whether they are patched and signed)
 o Where new systems are located in the network
 o Host-based security agents and their licensing
102. Make Use of Different Storage Options
Source: RSA Conference 2019 – A Cloud Security Architecture Workshop. Dave Shackleford, Sr. Instructor, SANS Institute
o There are many types of storage available in the cloud, and each has its own security features.
o Design data security around the storage option in use.
o Things to consider and evaluate:
 o Does the storage have an appropriate SLA?
 o Storage options for dev and ops
 o Does the storage have adequate redundancy and archival?
 o Does the storage have native encryption capabilities?
 o Does the storage have adequate logging and event generation?
103. Always Think of Feedback Loops
Source: RSA Conference 2019 – A Cloud Security Architecture Workshop. Dave Shackleford, Sr. Instructor, SANS Institute
o One of the most critical principles is feedback loops.
o One of the critical aspects of feedback loops is logging:
 o Enable logging everywhere you can
 o Across the entire cloud environment (CloudTrail and CloudWatch on AWS, Azure Monitor / Activity Log on Azure, Cloud Logging, formerly Stackdriver, on Google Cloud)
 o OS types, network platforms
 o For all identity & access management
 o For all interconnected services and their activity
o Feedback loops = logging
o Secure log access: logs are evidence, so writes should be append-only and reads restricted and themselves logged.
104. Focus on Centralization, Standards, Automation
Source: RSA Conference 2019 – A Cloud Security Architecture Workshop. Dave Shackleford, Sr. Instructor, SANS Institute
o Centralization: a single pane of glass to see everything happening in the cloud.
 o Use the same vendor products across all environments (cloud, on-premise), if possible.
o Standardization: go with well-known standards.
 o SAML and OpenID Connect for IAM
 o YAML for configuration / infrastructure as code
 o AES-256 or stronger for encryption
o Automation is the key for DevOps and DevSecOps. Manual effort is doomed to fail because of the rate of change.
105. Blast Radius
Source: RSA Conference 2019 – A Cloud Security Architecture Workshop. Dave Shackleford, Sr. Instructor, SANS Institute
o One of the core security concepts in the world of DevOps and cloud computing is the blast radius.
o It is the amount of damage that could be caused if something goes wrong:
 o An account or server gets compromised
 o A component fails
o Design the security model so that the damage is limited to that area or service (separate accounts, least-privilege roles, network segmentation).
o In a microservices architecture, link this concept with the circuit breaker and bulkhead design patterns.
106. @arafkarsh arafkarsh
Security
o 802.1x EAP Security
o Port Knocking & SPA – Single Packet Authorization
o Micro Segmentation / Software Defined Firewall
o Zero Trust and VPNs
o Service Mesh
107. @arafkarsh arafkarsh
IEEE 802.1x Wired / Wireless
Source: What is 802.1X? How Does it Work? https://www.securew2.com/solutions/802-1x
https://standards.ieee.org/ieee/802.1X/7345/
• 802.1X is an authentication protocol that controls access to networks with the use of a RADIUS server.
• 802.1X and RADIUS-based security is considered the gold standard for securing wireless and wired networks.
An 802.1X network differs from a home network in one major way:
1. it has an authentication server called a RADIUS server;
2. it checks a user's credentials to see if they are an active member of the organization; and
3. depending on the network policies, it grants users varying levels of access to the network.
This allows unique credentials or certificates to be used per user, eliminating the reliance on a single network password that can be easily stolen.
108. @arafkarsh arafkarsh
802.1x EAP Security
• The standard authentication protocol used on encrypted networks is the Extensible Authentication Protocol (EAP).
• 802.1X is the standard used for passing EAP over wired and wireless Local Area Networks (LANs).
• It provides an encrypted EAP tunnel that prevents outside users from intercepting information.
EAP can be configured for
1. credential-based (EAP-TTLS/PAP and PEAP-MSCHAPv2) and
2. digital-certificate-based (EAP-TLS) authentication, which is a highly secure method for protecting the authentication process.
Source: What is 802.1X? How Does it Work? https://www.securew2.com/solutions/802-1x
802.1X only includes 4 major components:
1. Client
2. Access-point/switch
3. RADIUS Server
4. Identity provider
109. @arafkarsh arafkarsh
Port Knocking
• Port knocking is a simple method to grant remote access without leaving a port constantly open.
• In the following knockd config, port 8888 is opened for 10 seconds after the correct sequence of connection attempts on ports 7000, 8000, 9000.
Source: Ubuntu Port Knocking Manual: https://help.ubuntu.com/community/PortKnocking
Security by Obscurity
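The sequence and timeout logic behind such a rule, as an added Python example (not the slide's knockd config and not knockd's code): the knock ports and the 10-second open window come from the slide, the 5-second sequence timeout is assumed, and the attribute names mirror knockd's sequence, seq_timeout and cmd_timeout keys.

```python
from dataclasses import dataclass, field

# Added example (not from the slide or from knockd): a minimal re-implementation
# of the rule the slide describes, so the mechanism can be traced step by step.
# Attribute names mirror the knockd config keys (sequence, seq_timeout,
# cmd_timeout); the port values are the slide's, the sequence timeout is assumed.
SEQUENCE = (7000, 8000, 9000)   # knock ports, in order (from the slide)
SEQ_TIMEOUT = 5.0               # seconds allowed to finish the sequence (assumed)
CMD_TIMEOUT = 10.0              # seconds the protected port stays open (from the slide)
PROTECTED_PORT = 8888           # port opened for the knocking host (from the slide)


@dataclass
class KnockDaemon:
    sequence: tuple = SEQUENCE
    seq_timeout: float = SEQ_TIMEOUT
    cmd_timeout: float = CMD_TIMEOUT
    protected_port: int = PROTECTED_PORT
    # src_ip -> (index of the next expected knock, time of the first knock)
    _progress: dict = field(default_factory=dict)
    # src_ip -> time at which the opened port closes again
    _open_until: dict = field(default_factory=dict)

    def observe(self, src_ip: str, dst_port: int, now: float) -> bool:
        """Feed one inbound SYN (src_ip, dst_port) seen at time `now`.
        Returns True only when this knock completed the sequence and the
        protected port was just opened for src_ip."""
        idx, started = self._progress.get(src_ip, (0, now))
        # A half-finished sequence is forgotten after seq_timeout.
        if idx and now - started > self.seq_timeout:
            idx, started = 0, now
        if dst_port != self.sequence[idx]:
            # Wrong port: the sequence for this source is reset. A knock on the
            # first port counts as a fresh start, anything else just resets.
            if dst_port == self.sequence[0]:
                self._progress[src_ip] = (1, now)
            else:
                self._progress.pop(src_ip, None)
            return False
        idx += 1
        if idx < len(self.sequence):
            self._progress[src_ip] = (idx, started)
            return False
        # Full sequence seen: this is where knockd's start_command would add the
        # firewall rule; it is removed again after cmd_timeout (stop_command).
        self._progress.pop(src_ip, None)
        self._open_until[src_ip] = now + self.cmd_timeout
        return True

    def is_open(self, src_ip: str, dst_port: int, now: float) -> bool:
        """Would the firewall accept a new connection from src_ip to dst_port now?
        Everything other than the protected port stays closed regardless."""
        if dst_port != self.protected_port:
            return False
        return now < self._open_until.get(src_ip, float("-inf"))


if __name__ == "__main__":
    d = KnockDaemon()
    for t, port in ((0.0, 7000), (0.5, 8000), (1.0, 9000)):
        print(port, "->", "opened" if d.observe("203.0.113.5", port, t) else "waiting")
    print("8888 reachable at t=5:", d.is_open("203.0.113.5", 8888, 5.0))
    print("8888 reachable at t=12:", d.is_open("203.0.113.5", 8888, 12.0))
```

Note that a knock only needs to be observable on the wire; anyone who can capture the three SYNs can repeat them, which is the limitation the next slide's SPA design removes.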
110. @arafkarsh arafkarsh
Single Packet Authorization
SPA packet layout (256 bits in total): UID (32 bit) | CTR (64 bit) | OTP (32 bit) | GMAC (128 bit)
SPA = UID, CTR, OTP, GMAC
UID: Universal ID of the SDP client
CTR: Counter, hashed with the seed to create the OTP; it is incremented to mitigate playback (replay) attacks
OTP: One-Time Password (HOTP)
GMAC: Signature of UID, CTR, OTP
Seed: Shared secret for the OTP
Encryption Key: Shared key for the GMAC (AES-256)
OTP = HMAC [Seed + CTR]
GMAC = E-Key [UID + OTP + CTR]
SPA addresses all the limitations of port knocking.
By default, the SPA gateway drops all packets.
1. The client sends an SPA packet.
2. The gateway receives the packet and decrypts it.
3. It validates the credentials based on protocol / port.
4. If valid, it adds a firewall rule to open an mTLS connection.
5. Once the connection is established, the gateway removes the firewall rule, making the service go dark again.
o The established mTLS session is not affected by removing the firewall rule.
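The packet format and gateway checks above, as an added Python example (not from the slide or any SDP product): a client builds the 32-byte SPA packet and the gateway verifies the tag, the HOTP value and the counter, rejecting replays. Assumptions: HMAC-SHA256 truncated to 128 bits stands in for the AES-256 GMAC (the standard library has no AES-GCM), the packet's encryption is not modelled, and client IDs, seeds and keys are constructed.

```python
import hashlib
import hmac
import struct

# Added example, not from the slide or any SDP product: the 256-bit SPA packet
# the slide lays out (UID 32 | CTR 64 | OTP 32 | MAC 128), built by a client and
# checked by a gateway that drops everything else. Assumption: HMAC-SHA256
# truncated to 128 bits stands in for the AES-256 GMAC, since the standard
# library has no AES-GCM; the field layout and checks are otherwise the slide's.
PACKET_FMT = ">IQI"                          # UID uint32 | CTR uint64 | OTP uint32
HEADER_LEN = struct.calcsize(PACKET_FMT)     # 16 bytes
TAG_LEN = 16                                 # 128-bit authentication tag
PACKET_LEN = HEADER_LEN + TAG_LEN            # 32 bytes = 256 bits, as on the slide


def hotp(seed: bytes, counter: int) -> int:
    """RFC 4226 HOTP = HMAC-SHA1(seed, CTR) with dynamic truncation. The 31-bit
    binary code is kept as-is (not reduced mod 10^digits) to fill the OTP field."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def mac_tag(mac_key: bytes, uid: int, otp: int, counter: int) -> bytes:
    """Stand-in for GMAC = E-Key[UID + OTP + CTR]: one tag over all three fields."""
    msg = struct.pack(">IIQ", uid, otp, counter)
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_spa_packet(uid: int, counter: int, seed: bytes, mac_key: bytes) -> bytes:
    """Client side: SPA = UID, CTR, OTP, MAC in a single 32-byte datagram."""
    otp = hotp(seed, counter)
    return struct.pack(PACKET_FMT, uid, counter, otp) + mac_tag(mac_key, uid, otp, counter)


class SpaGateway:
    """Gateway side. Default posture is drop-all; only a valid SPA packet leads
    to a (simulated) firewall rule for the sender's address."""

    def __init__(self, clients: dict):
        self._clients = clients                        # uid -> {"seed", "mac_key"} (enrolment data)
        self._last_ctr = {uid: -1 for uid in clients}  # highest CTR accepted per client
        self.allowed = []                              # (src_ip, uid) rules "added"

    def receive(self, packet: bytes, src_ip: str) -> tuple:
        """Returns (accepted, reason). On the wire every rejection is a silent
        drop; the reason exists only for logging and attack detection."""
        if len(packet) != PACKET_LEN:
            return False, "bad-length"       # first packet was not SPA: treat as an attack
        uid, counter, otp = struct.unpack(PACKET_FMT, packet[:HEADER_LEN])
        client = self._clients.get(uid)
        if client is None:
            return False, "unknown-uid"
        # Authenticate the whole packet first, in constant time, before using any field.
        expected = mac_tag(client["mac_key"], uid, otp, counter)
        if not hmac.compare_digest(expected, packet[HEADER_LEN:]):
            return False, "bad-mac"
        if otp != hotp(client["seed"], counter):
            return False, "bad-otp"
        if counter <= self._last_ctr[uid]:
            return False, "replay"           # CTR must strictly increase (playback mitigation)
        self._last_ctr[uid] = counter
        self.allowed.append((src_ip, uid))   # where the gateway would add the firewall rule
        return True, "accepted"


if __name__ == "__main__":
    seed, key = b"constructed-seed-0001", b"constructed-mac-key-0001"   # constructed secrets
    gw = SpaGateway({42: {"seed": seed, "mac_key": key}})
    pkt = build_spa_packet(42, 1, seed, key)
    print("first packet:", gw.receive(pkt, "203.0.113.7"))       # accepted
    print("same packet again:", gw.receive(pkt, "203.0.113.7"))  # replay
```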
111. @arafkarsh arafkarsh
Single Packet Authorization: Benefits
SPA blackens the gateway, and all the services behind the gateway are invisible to the world.
SPA also mitigates DDoS attacks on TLS: the SDP gateway discards a TLS DoS attack before it gets into the handshake.
The first packet to the gateway must be an SPA packet. Any other packet is viewed as an attack; this helps in attack detection.
Source: https://network-insight.net/2019/06/zero-trust-single-packet-authorization-passive-authorization/
112. @arafkarsh arafkarsh
Zero Trust: Micro Segmentation
Source: Cisco: What is Micro Segmentation?
How does it work?
• Secures apps by allowing specific application traffic and denying all other traffic
• Micro segmentation is the foundation of the Zero Trust security model
Challenges in implementing micro segmentation
• Implement granular firewall policy using a host workload firewall
• Policy life-cycle management
• Begin at the macro level and refine using policy automation
Why can’t classic firewalls do the job?
• Granular east-west policy controls provide a workload perimeter
• Implemented at the workload level
• Scalable across workloads
• Enhances visibility and control from the workload perspective
113. @arafkarsh arafkarsh
Zero Trust: Micro Segmentation: Benefits
Source: Cisco: What is Micro Segmentation?
Reduce Attack Surface
Uses an allow-list model to significantly reduce this attack surface across different
workload types and environments.
Protect Critical Applications
Gain better threat visibility and enforcement for critical workloads and applications
across different platforms and environments, limiting lateral movement of a
security incident from one compromised VM, service, or container to another.
Achieve Regulatory Compliance
Granular visibility and control over sensitive workloads demonstrate proper
security and data separation to simplify audits and document compliance.
114. @arafkarsh arafkarsh
Software Defined Firewall: Network / Micro Segmentation
Network Segmentation using Software Defined Firewall
Micro Segmentation using Software Defined Firewall
Source: https://www.vmware.com/topics/glossary/content/network-segmentation.html
115. @arafkarsh arafkarsh
Traditional VPN Vs. Zero Trust
Resource = Data, Documents, Apps, Services, Files etc.
Enterprise VPN
[Diagram: User System (VPN Client, User App) → WAN → VPN Server and IAM in the Enterprise; split tunnel optional]
o Relies on a shared secret and/or a shared root of trust.
o If split tunneling is enabled, only traffic to the enterprise will be tunneled.
Zero Trust
[Diagram: User System (Agent, PEP, User App) → encrypted tunnel over the WAN or normal traffic on the LAN → a PEP in front of each Resource; IAM and PDP on the control plane]
• Dynamically adjust the context
• Multiple entry points
• Support remote and on-premise
116. @arafkarsh arafkarsh
Zero Trust – Security: Resource Based
Source: Page 183: Zero Trust Security: An Enterprise Guide by Jason Garbis, Jerry W Chapman
Zero Trust Deployment Models: Resource Based Deployment Model
[Diagram: Device (Agent, PEP, User App, Host IDS/IPS) → encrypted tunnel on the data plane → PEP Gateway in front of the Resource (Host IDS/IPS) inside an implicit trust zone; Policy Decision Point and ZT-aware Network IDS/IPS on the control plane]
Resource = Data, Documents, Apps, Services, Files etc.
Zero Trust will bring changes to network segmentation and network traffic encryption patterns.
117. @arafkarsh arafkarsh
Zero Trust – Security: Enclave Based
Source: Page 183: Zero Trust Security: An Enterprise Guide by Jason Garbis, Jerry W Chapman
Zero Trust Deployment Models: Enclave Based Deployment Model
[Diagram: Device (Agent, PEP, User App, Host IDS/IPS) → encrypted tunnel on the data plane → PEP Gateway in front of a Resource Enclave (several resources, each with Host IDS/IPS, plus a NIDPS) inside an implicit trust zone; Policy Decision Point and ZT-aware Network IDS/IPS on the control plane]
Resource = Data, Documents, Apps, Services, Files etc.
Zero Trust will bring changes to network segmentation and network traffic encryption patterns.
118. @arafkarsh arafkarsh
Zero Trust – Security: Cloud Routed
Source: Page 183: Zero Trust Security: An Enterprise Guide by Jason Garbis, Jerry W Chapman
Zero Trust Deployment Models: Cloud Routed Deployment Model
[Diagram: Subject device (Agent, PEP, User App, Host IDS/IPS) → encrypted tunnel → cloud-hosted PEP → PEP Gateway in front of the Resource Enclave (resources with Host IDS/IPS, plus a NIDPS) inside an implicit trust zone; Policy Decision Point on the control plane, ZT-aware Network IDS/IPS on the data plane]
Resource = Data, Documents, Apps, Services, Files etc.
119. @arafkarsh arafkarsh
Zero Trust – Security: Micro Segmentation
Zero Trust Deployment Models: Micro Segmentation Deployment Model
Source: Page 183: Zero Trust Security: An Enterprise Guide by Jason Garbis, Jerry W Chapman
[Diagram: each Subject and each Resource host carries its own PEP and Host IDS/IPS; a ZT-aware Network IDS/IPS watches the traffic between them]
Resource = Data, Documents, Apps, Services, Files etc.
120. @arafkarsh arafkarsh
Secure Web Gateway
Content Filtering: Filter content by specific URL or category to ensure internet access is based on corporate policies.
Scan Docs: Scan all uploaded and downloaded files for malware and other threats.
File Types: Block files based on file type, for example .exe files.
App Controls: User access to web apps is controlled; for example, uploading files to Dropbox, Google Drive etc., attaching files to Gmail and posting to social media sites.
Metrics: Detailed reporting on user, device, URLs accessed, network identity and allow or block actions.
121. @arafkarsh arafkarsh
Cloud Access Security Broker (CASB)
o CASB is the bridge between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are consumed.
o They combine multiple types of security policy enforcement systems like authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, malware detection / prevention etc.
[Diagram: the four CASB pillars – Visibility, Compliance, Threat Prevention, Data Security]
Source: Gartner CASB Definition
122. @arafkarsh arafkarsh
Service Mesh: Istio Security
Source: https://istio.io/docs/concepts/security/
Istio provides strong identity, powerful policy, transparent TLS encryption, and authentication, authorization and audit (AAA) tools to protect your services and data. The goals of Istio security are:
• Security by default: no changes needed for application code and infrastructure
• Defense in depth: integrate with existing security systems to provide multiple layers of defense
• Zero-trust network: build security solutions on untrusted networks
124. @arafkarsh arafkarsh
Service Mesh: Micro Segmentation
Source: Istio: Micro-Segmentation with Istio Authorization https://istio.io/latest/blog/2018/istio-authorization/
• Authorization at different levels of granularity, including
namespace level, service level, and method level.
• Service-to-service and end-user-to-service authorization.
• High performance, as it is enforced natively on Envoy.
• Role-based semantics, which makes it easy to use.
• High flexibility as it allows users to define conditions
using combinations of attributes.
125. @arafkarsh arafkarsh
3. Cisco SASE / Zero Trust
o Cisco Software Defined – WAN
o Cisco Software Defined – Access
o Cisco Secure Cloud Insights
Objectives
o Understand Cisco Umbrella
o Understand Cisco DNA
o Understand Cisco SD-WAN
o Understand Cisco SD-Access
o Understand JupiterOne
127. @arafkarsh arafkarsh
Cisco Viptela SD-WAN
o Architecture
o Controllers
o Overlay Management Protocol
o Zero Touch Provisioning
o Transport Tunnels & Topologies
o Traffic Routing
o Bootup Sequence
The Cisco SD-WAN solution represents an evolution of networking from an older, hardware-based model to a secure, software-based, virtual IP fabric. The Cisco SD-WAN fabric, also called an overlay network, forms a software overlay that runs over standard network transport services, including the public Internet, MPLS, and broadband.
Source: Cisco SD-WAN Getting started Guide. Page 5
128. @arafkarsh arafkarsh
Cisco SD-WAN (Viptela) Architecture
Source: Cisco SD-WAN Getting Started Guide
[Diagram: SD-WAN fabric (overlay network) connecting Branch, Remote Data Center and Cloud Branch sites over MPLS, DIA, DSL and 4G/5G transports; vEdge / vEdge Cloud routers, vBond and the controllers deployed in the cloud or on-premise]
Data Plane – SD-WAN edge appliances / routers (vEdge): Zero Touch Provisioning; On-Premise or Cloud; Physical or Virtual
Control Plane – vSmart Controllers: Routing and Security Policies; Horizontal Scaling
Management Plane – vManage: Single Pane of Glass; RBAC and APIs; Monitoring / Troubleshooting
Analytics Plane – vAnalytics: Carrier Performance; Bandwidth Forecasting; Machine Learning
130. @arafkarsh arafkarsh
OMP – Overlay Management Protocol
o OMP provides centralized control:
1. Orchestration of
1. Routing & secure connectivity between sites
2. Service chaining like firewalls, routers
3. VPN topologies
2. Distribution of
1. Traffic routing rules
2. Security policies
3. Security
1. Establishes secure connections between vSmart and vSmart, and between vSmart and vEdge
2. Uses DTLS (UDP), AES 256 key encryption
o Three types of OMP routes
1. OMP Routes (vRoutes)
2. TLOC: Transport Location (ties to a physical location)
3. Service Routes (firewalls, IDS, etc.)
[Diagram: vSmart controllers peering with each other and with vEdge routers]
Patent: Overlay Management Protocol for Secure Routing based on an Overlay Network
Source: SD-WAN OMP
131. @arafkarsh arafkarsh
Cisco SD-WAN Controllers
Source: Cisco SD-WAN Getting Started Page 13
[Diagram: vSmart and vBond talk to vManage]
vManage: Cisco vManage is a centralized network management system that lets you configure and manage the entire overlay network from a simple graphical dashboard.
vSmart: The Cisco vSmart Controller is the centralized brain of the Cisco SD-WAN solution, controlling the flow of data traffic throughout the network. The vSmart works with the vBond Orchestrator to authenticate vEdge devices as they join the network and to orchestrate connectivity among the edge routers.
vBond: The Cisco vBond Orchestrator automatically orchestrates connectivity between edge routers and vSmart Controllers. If any edge router or Cisco vSmart Controller is behind a NAT, the Cisco vBond Orchestrator also serves as an initial NAT-traversal orchestrator.
Read this article to set up Cisco SD-WAN: Basic Configuration Lab by Jedadiah Casey
132. @arafkarsh arafkarsh
Cisco SD-WAN Components
Source: Cisco SD-WAN Getting Started Page 13, 18
vAnalytics: The Cisco vAnalytics platform is a SaaS service hosted by Cisco SD-WAN as part of the solution. The vAnalytics platform provides graphical representations of the performance of your entire overlay network over time and lets you drill down to the characteristics of a single carrier, tunnel, or application at a particular time.
vEdge Routers: The edge routers sit at the perimeter of a site (such as remote offices, branches, campuses, data centres) and provide connectivity among the sites. They are either hardware devices or software (Cloud router) that runs as a virtual machine. The edge routers handle the transmission of data traffic.
Read this article to set up Cisco SD-WAN: Basic Configuration Lab by Jedadiah Casey
133. @arafkarsh arafkarsh
Cisco SD-WAN Controllers Deployment Models
Source: Cisco SD-WAN Getting Started
[Diagram: vSmart, vManage and vBond controllers deployed On-Premise, in a Private Cloud, or in the Cisco Cloud]
Preferred deployment model: Cloud Delivered
134. @arafkarsh arafkarsh
Cisco SD-WAN Zero Touch Provisioning
Source: Cisco SD-WAN Getting Started Page 28
[Diagram: the new vEdge authenticates over DTLS to vBond, then to vManage (DTLS / TLS) and to vSmart, and finally brings up BFD to the other vEdges]
1. vManage sends the new router (vEdge) details to vBond. The vEdge authenticates to vBond over DTLS; vBond checks the digital certificate and serial number and rejects the router if they don’t match. vBond then sends the IP addresses of vManage and vSmart to the vEdge.
2. The vEdge authenticates to vManage over DTLS / TLS, and vManage sends the full configuration file for the vEdge.
3. The vEdge authenticates to vSmart; an OMP session is established between vEdge and vSmart to exchange routes.
4. A BFD (Bidirectional Forwarding Detection) session is established between vEdges. It helps to quickly switch over when a path fails.
135. @arafkarsh arafkarsh
SD-WAN Transport Tunnels & Topologies
Source: Intro to Cisco SD-WAN | Viptela
[Diagram: topologies – Full Mesh, Partial Mesh, Hub & Spoke, Point to Point; Site 1 and Site 2 vEdges connected over MPLS, DIA, DSL and 4G/5G transports, with vSmart distributing the OMP route tables]
Overlay VPNs
o No reliance on the underlay transport
o Each VPN can have a separate topology
o vEdge routers maintain per-VPN routing info.
Single tunnel per transport
136. @arafkarsh arafkarsh
Edge Router: Traffic Routing
Source: Intro to Cisco SD-WAN | Viptela
[Diagram: one vEdge with MPLS and DIA transports under each routing mode]
o Active / Active – Load sharing per session (default)
o Active / Active – Weighted per session
o Active / Standby – Application pinning (e.g. a voice app)
o Active / Standby – Application-aware routing (policy enforced, based on SLA)
137. @arafkarsh arafkarsh
SD-WAN: Key Attributes
Source: Cisco SD-WAN Getting Started Page 24 - 25
[Diagram: vSmart (Domain ID 1, Site ID 1, System IP 10.0.0.1) connected over IPSec to vEdge-1 (Domain ID 1, Site ID 100, System IP 1.0.0.100) and vEdge-2 (Domain ID 1, Site ID 200, System IP 2.0.0.200), plus Router 1]
Domain ID
• Logical grouping of edge routers and vSmart Controllers
• Each domain is identified by a unique integer
• Currently only 1 domain is allowed in an overlay network
• The vBond Orchestrator is not part of a domain
Site ID
• Physical location of an edge router within an overlay network
• Each Site ID is a unique integer
• If a site contains 2 edge routers (for backup), the 2nd one has the same Site ID
System IP Address
• Each edge router and vSmart is assigned an IP address which identifies the physical system independent of interfaces.
• Similar to the Router ID on a regular router
• Permanent network overlay address
TLOC
• Identifies the physical interface where an edge router connects to the WAN transport network or to a NAT gateway
138. @arafkarsh arafkarsh
Cisco SD-WAN: Boot Sequence
Source: Cisco SD-WAN Getting Started Page 95
[Diagram: vManage, vBond, vSmart and vEdge are each powered on (OFF → ON) and started in turn; at each step the newly started component authenticates with the ones already running, and vManage sends it its configuration]
139. @arafkarsh arafkarsh
Cisco SD-WAN Summary
o Utilization of multiple underlay transport protocols at the
same time.
o Single Window into the Entire Network Fabric for
Management and Monitoring.
o Low-Cost solution with Bandwidth forecasting and Carrier
Performance
o Zero Touch Provisioning
o Separation of Data Plane and Control Plane and virtualizing
the routing instead of dedicated hardware.
143. @arafkarsh arafkarsh
Cisco DNA Center Platform
Source: Cisco SDA Enabling Intent based Networking, 2nd Edition – Page 112
Automation:
o Transforms the network admin’s business intent into device-specific network configs.
o Consists of a Network Info Database, Policy Engines & a Network Programmer.
o The controller has the ability to discover the network infrastructure and periodically scan the network to create a single source of truth.
o The Policy Engine provisions various policies across the enterprise network.
o It also provides topology info that maps network devices to the physical topology and detailed device data.
Analytics & Assurance:
o Built-in Data Collector Framework. Network infrastructure data is obtained via streaming telemetry mechanisms. It also collects data from contextual systems like Cisco ISE, IPAM, ITSM etc.
o Data is processed in real time using time-series analysis, Complex Event Processing and Machine Learning algorithms.
o Output is stored and visualized using the DNA Center UI.
Policy:
o Define and deploy network-wide policies end-to-end.
o Policies like QoS, security policies, policies on metrics etc.
144. @arafkarsh arafkarsh
Cisco DNA Center Overview
Digital Network Architecture
Design
• Using intuitive workflows
• Import existing designs
• User access
Policy
• User & device profiles
• Virtual networks
• ISE, AAA, RADIUS
• Group policies
Provision
• Zero Touch Provisioning
• Policy-based automation
• Provisions network elements to send NetFlow data
Assurance
• Network health
• Fabric health
• 360° view
• Path trace, sensor
Source: Cisco DNA 2.2.3.0 Cisco DNA – Plan, Design & Implement Services
148. @arafkarsh arafkarsh
Cisco ISE: How ISE enforces Zero Trust
Connecting trusted users and endpoints with trusted resources
1. Endpoint requests access
• Endpoint is identified and trust is established
• Posture of endpoint verified to meet compliance
2. Endpoint classified and profiled into groups
• Endpoints are tagged with SGTs
• Policy applied to profiled groups based on least privilege
3. Endpoint authorized access based on least privilege
• Access granted
• Network segmentation achieved
4. Trust continually verified
• Continually monitors and verifies endpoint trust level
• Vulnerability assessments to identify indicators of compromise
• Automatically updates access policy
Source: Cisco – Implement Zero Trust and regain Control with Cisco Identity Services Engine
151. @arafkarsh arafkarsh
Cisco: Software Defined Access
Why Cisco SD-Access for Zero-Trust Workplace?
• Identify and verify all endpoints and users, including IoT
endpoints, that connect to your network
• Establish policy and segmentation to help ensure least
privilege access based on endpoint and user type
• Continually monitor endpoint behaviour, including
encrypted traffic, to help ensure compliance
• Stop threat propagation, including ransomware, by
quarantining any endpoint that exhibits malicious or out-of-
compliance behaviour
Source: Cisco Software-Defined Access for Zero-Trust Workplace At-a-Glance
152. @arafkarsh arafkarsh
Cisco SD-Access
Source: Cisco SDA Enabling Intent based Networking, 2nd Edition – Page 20
o Software-Defined Access is the industry’s first intent-based networking.
o An intent-based network treats the network as a single system that provides the translation and validation of the business intent (or goals) into the network and returns actionable insights.
154. @arafkarsh arafkarsh
Cisco SD-Access Layers
[Diagram: layers – Infrastructure; SDA Fabric (physical and logical network forwarding infrastructure); DNA Center (automation, policy, assurance and integration); Digital Network Architecture]
o Cisco’s SD-Access solution is a programmable network architecture that provides software-based policy and segmentation from the edge of the network to the applications.
o SD-Access is implemented via Cisco Digital Network Architecture Center (Cisco DNA Center), which provides design settings, policy definition and automated provisioning of the network elements, as well as assurance analytics for an intelligent wired and wireless network.
Source: Cisco SDA Enabling Intent based Networking, 2nd Edition – Page 32
155. @arafkarsh arafkarsh
Cisco SD-Access Fabric
An SD-Access network underlay comprises the physical network devices, such as routers, switches, and wireless LAN controllers (WLCs), plus a traditional Layer 3 routing protocol.
The SD-Access fabric overlay has 3 components:
Fabric Data Plane
The logical overlay is created by using VXLAN.
Fabric Control Plane
Logical mapping & resolving of users and devices (associated with VXLAN) is performed by the Locator/ID Separation Protocol (LISP).
Fabric Policy Plane
Where the business intent is translated into a network policy using address-agnostic Scalable Group Tags (SGT) and group-based policies.
Source: Cisco SDA Enabling Intent based Networking, 2nd Edition – Page 36
156. @arafkarsh arafkarsh
Cisco SD-Access Architecture Overview
Source: Cisco SDA Enabling Intent based Networking, 2nd Edition – Page 36, 50
DNA – Digital Network Architecture
• Automation: intent-based automation for wired and wireless fabric devices / users
• Assurance: collectors analyze endpoint-to-application flows and monitor fabric device status.
• Policy: based on Cisco ISE for dynamic endpoint-to-group mapping & policy definition
• Control Plane: central DB to track all users & devices attached to the fabric.
• Border: connects the traditional L2, L3 networks to the SD-Access fabric
• Fabric Edge: responsible for connecting endpoints to the fabric; operates at the perimeter as the 1st point of attachment of users and the point of implementation of policy.
• WLC: connects the APs and wireless endpoints to the SD-Access fabric
168. @arafkarsh arafkarsh
Cisco: Secure Cloud Insights
o Apps / Policies / Alerts / Compliance
o Graph Viewer / Insights / Query Library
o JupiterOne Query Language
o JupiterOne Platform
169. @arafkarsh arafkarsh
Cisco Secure Cloud Insights – Eye in the Sky
Source: SCI – Your Eyes in the Sky By Al Huger, Nov 15, 2021
While SecOps starts on the left with security posture and attack surface management as its entry point, DevOps starts at the far right with the continuous integration and continuous delivery (CI/CD) pipeline and application/API security as its main concern.
As SecOps moves right and begins to influence the other stakeholders within a mature organization, DevOps shifts left to include pre-deploy checks by using runtime security inputs.
170. @arafkarsh arafkarsh
Cisco SecureX & Secure Cloud Insights
Source: SCI – Your Eyes in the Sky By Al Huger, Nov 15, 2021
o Cisco integrated Secure Cloud Insights with its security platform SecureX and intends to have it play a bigger role as a context wrapper for numerous other Cisco security services.
o While Secure Cloud Insights connects the dots, Secure Cloud Analytics baselines behaviour by analysing traffic flowing between those dots.
171. @arafkarsh arafkarsh
Cisco Secure Cloud Insights
Source: Cisco Secure Cloud Insights
Benefits
o Gain complete visibility and understanding of your cloud security posture across multiple clouds
o Continuously monitor cloud environments to detect policy violations or misconfigurations
o Understand your entire attack surface by mapping relationships between assets
o Quickly investigate and remediate impacted assets by pinpointing your blast radius
172. @arafkarsh arafkarsh
Secure Cloud Insights: Apps
Assets
o Gives the complete inventory of your assets.
o You can analyze and visualize your assets.
o It also gives you the type and class of the assets and their relationships.
Source: Cisco Secure Cloud Insights Getting Started Guide Page 5
173. @arafkarsh arafkarsh
Secure Cloud Insights: Policies
Source: Cisco Secure Cloud Insights Getting Started Guide Page 6
Policies
o Helps you to articulate your organization’s policies and associate them with your compliance requirements.
o Each policy and procedure is written down in its own Markup file, and the policies can be linked together.
o Policy templates are open source; 120+ policy and procedure templates are available.
174. @arafkarsh arafkarsh
Secure Cloud Insights: Alerts
Source: Cisco Secure Cloud Insights Getting Started Guide Page 6
Alerts
o Alerts can be created using any query for continuous auditing and threat monitoring.
o You must have at least one active rule to create an alert.
o You can import rules from a Rule Pack.
o You can create custom rules.
175. @arafkarsh arafkarsh
Secure Cloud Insights: Compliance
Source: Cisco Secure Cloud Insights Getting Started Guide Page 6
Manage any compliance standards or frameworks as a set of controls or requirements:
o Import a compliance standard or security questionnaire
o Map policy procedures to each control or requirement
o Map data-driven compliance evidence by query questions
o Perform automated gap analysis based on query results
o Export compliance artifacts (summary or full evidence package)
176. @arafkarsh arafkarsh
Secure Cloud Insights: Graph Viewer
Source: Cisco Secure Cloud Insights Getting Started Guide Page 6
Graph Viewer
It’s a data-driven graph platform.
o JupiterOne Query Language (J1QL) is used to traverse the graph data: entities and edges (relationships).
o You can view and interact with the query result.
177. @arafkarsh arafkarsh
Secure Cloud Insights: Insights
Source: Cisco Secure Cloud Insights Getting Started Guide Page 7
Insights
o Helps you build reporting dashboards using J1QL queries.
o You can create a Team Board shared across accounts and individual dashboards.
o Layouts are saved for each user.
o Admins can create default layouts.
o You can create your own custom dashboards.
178. @arafkarsh arafkarsh
Secure Cloud Insights: Query Library
Source: Cisco Secure Cloud Insights Getting Started Guide Page 7
Query Library
o Has 100s of built-in and categorized queries for accessing the current state of your assets.
o You can clone existing queries.
o You can create custom queries.
Ask Anything Search Bar
o You can type any query in the search bar.
o Autocomplete is available.
179. @arafkarsh arafkarsh
Getting Started with Search
1. Ask questions by typing in any keywords to search across all packaged/saved questions
2. Full text search across all entities based on their property values
3. JupiterOne Query Language (J1QL) for precise querying of entities and
Source: Cisco Secure Cloud Insights Getting Started Guide Page 10
Results can be toggled in four different display modes: Table, Graph, Raw JSON, or Pretty JSON. Results are limited to return 250 items.
Ask Questions
Just start typing any keyword (or combination of keywords) such as these (without quotes):
o compliance
o access
o traffic
o ssh
o data encrypted
o production
Or ask a question like:
o Who are my vendors?
o What lambda functions do I have in AWS?
o What is connected to the Internet?
o Who has access to ...?
181. @arafkarsh arafkarsh
Jupiter 1 Query Language
FIND {class or type of Entity1} AS {alias1}
WITH
{property}={value} AND|OR
{property}={value}
THAT
{relationship_verb}
{class or type of Entity2} AS {alias2}
WHERE
{alias1}.{property} = {alias2}.{property}
o Seamlessly blend full-text search and graph queries
o Language keywords are case-insensitive
o Inspired by SQL and Cypher and aspires to be as close to natural language as possible
o Support for variable placeholders
o Return entities, relationships, and/or traversal tree
o Support for sorting via ORDER BY clause (currently only applies to the starting entities of traversal)
o Support for pagination via SKIP and LIMIT clauses (currently only applies to the starting entities of traversal)
o Multi-step graph traversals through relationships via THAT clause
o Aliasing of selectors via AS keyword
o Pre-traversal filtering using property values via WITH clause
o Post-traversal filtering using property values or union comparison via WHERE clause
o Support aggregates including COUNT, MIN, MAX, AVG and SUM.
Source: Jupiter One Documentation – Page 81
182. @arafkarsh arafkarsh
Jupiter 1 Query Language
Source: Cisco Secure Cloud Insights Getting Started Guide Page 11
FIND {class or type of an Entity}
Start with an Entity
WITH {property}={value} AND|OR {property}={value}
Optionally add some property filters
THAT {relationship_verb}|RELATES TO {class/type of another Entity}
Get its relationships
WHERE {alias1.property}={value} AND|OR {alias2.property}={value}
Optionally add some property filters
Examples
FIND * WITH tag.Production='true'
FIND User THAT IS Person
FIND User THAT RELATES TO Person
FIND Firewall AS fw
THAT ALLOWS AS rule (Network|Host) AS n
WHERE
rule.ingress=true AND rule.fromPort=22
RETURN
fw._type, fw.displayName, fw.tag.AccountName,
n._type, n.displayName, n.tag.AccountName
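As an added example (not JupiterOne's or Cisco's code) serving both the J1QL clause structure on slide 181 and the examples on slide 182, the following Python builds a small constructed asset graph and evaluates FIND / WITH / THAT / WHERE over it, ending with the slide's "firewalls that allow SSH" query. Entity classes, relationship verbs and property names follow the slide's examples; the sample data is constructed, and only AND conditions are implemented.

```python
from dataclasses import dataclass, field

# Added example, not JupiterOne's or Cisco's code: an in-memory asset graph and
# an evaluator whose keyword arguments mirror the J1QL clauses on the slide
# (FIND ... AS, WITH, THAT <verb> AS ... AS, WHERE). Sample data is constructed;
# only AND conditions are implemented (no OR, RETURN, ORDER BY, SKIP, LIMIT).

@dataclass
class Entity:
    id: str
    classes: tuple                  # J1QL class labels, e.g. ("Firewall",)
    _type: str                      # J1QL _type, e.g. "aws_security_group"
    props: dict = field(default_factory=dict)

@dataclass
class Relationship:
    src: str                        # id of the FROM entity
    verb: str                       # relationship verb: ALLOWS, IS, HAS, ...
    dst: str                        # id of the TO entity
    props: dict = field(default_factory=dict)

def _lookup(obj, dotted):
    """Resolve a dotted property path such as 'tag.Production' (None if absent)."""
    cur = obj.props
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def _matches(entity, selector):
    """Selector is '*', a class, a _type, or alternatives like '(Network|Host)'."""
    if selector == "*":
        return True
    return any(s in entity.classes or s == entity._type
               for s in selector.strip("()").split("|"))

class Graph:
    def __init__(self, entities, relationships):
        self.entities = {e.id: e for e in entities}
        self.rels = list(relationships)

    def find(self, selector, alias="e", with_=None, that=None, where=None):
        """FIND selector AS alias [WITH with_] [THAT that] [WHERE where]
        with_ : {property: value}           pre-traversal filter on the start entity
        that  : (verb or "RELATES TO", rel_alias, target_selector, target_alias)
        where : {"alias.property": value}   post-traversal filter across aliases
        Returns rows; each row maps alias -> Entity / Relationship."""
        rows = [{alias: e} for e in self.entities.values()
                if _matches(e, selector)
                and all(_lookup(e, k) == v for k, v in (with_ or {}).items())]
        if that:
            verb, r_alias, target, t_alias = that
            traversed = []
            for row in rows:
                for rel in self.rels:
                    if rel.src != row[alias].id or (verb != "RELATES TO" and rel.verb != verb):
                        continue
                    tgt = self.entities[rel.dst]
                    if _matches(tgt, target):
                        traversed.append({**row, r_alias: rel, t_alias: tgt})
            rows = traversed
        if where:
            rows = [r for r in rows
                    if all(_lookup(r[k.split(".", 1)[0]], k.split(".", 1)[1]) == v
                           for k, v in where.items())]
        return rows

# Constructed sample graph: two security groups (one allows SSH from the
# Internet), a subnet, and a User linked to a Person.
SAMPLE = Graph(
    [
        Entity("sg-1", ("Firewall",), "aws_security_group", {"displayName": "web-sg", "tag": {"AccountName": "prod"}}),
        Entity("sg-2", ("Firewall",), "aws_security_group", {"displayName": "db-sg", "tag": {"AccountName": "prod"}}),
        Entity("net-1", ("Network",), "aws_subnet", {"displayName": "10.0.1.0/24"}),
        Entity("inet", ("Network", "Internet"), "internet", {"displayName": "0.0.0.0/0"}),
        Entity("u-1", ("User",), "aws_iam_user", {"displayName": "alice", "tag": {"Production": "true"}}),
        Entity("p-1", ("Person",), "employee", {"displayName": "Alice"}),
    ],
    [
        Relationship("sg-1", "ALLOWS", "inet", {"ingress": True, "fromPort": 22}),
        Relationship("sg-1", "ALLOWS", "inet", {"ingress": True, "fromPort": 443}),
        Relationship("sg-2", "ALLOWS", "net-1", {"ingress": True, "fromPort": 22}),
        Relationship("u-1", "IS", "p-1"),
    ],
)

def ssh_exposed_firewalls(graph=SAMPLE):
    """The slide's query: FIND Firewall AS fw THAT ALLOWS AS rule (Network|Host) AS n
    WHERE rule.ingress=true AND rule.fromPort=22, projected to display names."""
    rows = graph.find("Firewall", alias="fw", that=("ALLOWS", "rule", "(Network|Host)", "n"),
                      where={"rule.ingress": True, "rule.fromPort": 22})
    return [(r["fw"].props["displayName"], r["n"].props["displayName"]) for r in rows]
```

Running ssh_exposed_firewalls() on the sample graph returns web-sg paired with 0.0.0.0/0 and db-sg paired with 10.0.1.0/24; the first pair is the one an alert rule would flag.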
Editor's Notes
Built-In Security at Every Layer
Think ”Components”
Design for Failure
Design for Elasticity
Make use of different Storage options
Always think of Feedback Loops
Focus on CSA: Centralization, Standardization, Automation
Unique IP Address of the Pod: https://kubernetes.io/docs/tutorials/kubernetes-basics/expose/expose-intro/
MPLS supports transport over IP, Ethernet, asynchronous transfer mode (ATM) and frame relay.
MPLS allows most data packets to be forw­arded at Layer 2, the switching (Data Link) layer of OSI, instead of Layer 3, the routing (Network) layer.
MPLS is an alternative to traditional routing based on the destination IP address of the packet, which requires each router to inspect the packet's destination IP address at every hop before consulting its own routing table. This is a time-consuming process, especially for voice and video calls.
The first router in the MPLS network determines the entire route upfront; the identity of that route is quickly conveyed to subsequent routers using a label in the packet header.
https://www.youtube.com/watch?v=wuM5AyJZK2M
Fabric intermediate nodes are the simplest devices in the SD-Access fabric architecture. Intermediate nodes act as pure Layer 3 forwarders that connect the fabric edge, border, and control plane nodes and provide the Layer 3 underlay for fabric overlay traffic.