It is now common knowledge that micro-segmentation can strongly complement a good security plan. But with typical IP-routed networks this is not an easy thing to do. Route policies and access control lists can quickly become unmanageable. It is then that security holes can creep into the network, either through misconfiguration or simple forgetfulness. Such a hole could exist for quite some time before it is discovered, either by a security analyst or, worse yet, by a cyber-criminal. Additionally, these methods are complex and very intensive from an operational perspective, so many enterprises simply don’t do it, or do it only in a very limited form.
Extreme Networks’ Fabric Connect is changing the rules on what micro-segmentation and subscriber or user separation is all about. Why can we make that claim? There are several reasons, but these are the biggest ones:
- Fabric Connect is built on a data plane that is based on IEEE 802.1ah Provider Backbone Bridging/Transport
  - It introduces a MAC addressing hierarchy and tunneling method (MAC-in-MAC)
  - This provides for solid separation of the user/subscriber plane from the network service plane
- All topological aspects of Fabric Connect are supported and maintained at the Ethernet forwarding plane
  - IP as a protocol plays no role in establishing routed path behaviors within the fabric
- There is no flooding or promiscuous forwarding within Fabric Connect. Instead it uses ‘tandem replication’ at the Ethernet data plane
  - This is used for all broadcast, unknown (MAC learning) and multicast traffic
  - As a result, these functions are localized and divided at the service edge
- IS-IS is used as the control plane for the 802.1ah data plane
  - It ‘programs’ the IS-IS Link State Database resident in each Fabric Connect node
  - Due to this it provides for an inherent distributed control plane
  - IS-IS does NOT forward user data in the traditional routing-protocol sense
- Circuit-based entities known as I-SIDs, or Individual Service Identifiers, provide for Ethernet Switched Path directional graphs to support the data forwarding plane behaviors across Fabric Connect
  - These circuits provide for separation and control of the user/subscriber base
  - Layer 2 services: L2 VSN, E-Tree, Transparent and Switched UNI
  - Layer 3 services: L3 VSN (VRF IP-VPN)
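The MAC-in-MAC and I-SID bullets above describe the IEEE 802.1ah encapsulation. As an added illustration (example code, not Extreme Networks’ Fabric Connect implementation), the Python below builds and decodes a constructed Provider Backbone Bridging frame, showing that the customer MAC addresses travel inside the backbone header and that the I-SID carried in the I-TAG is the only service selector visible to the core. The TPID values 0x88A8 and 0x88E7 are the standard 802.1ad/802.1ah EtherTypes; the MAC addresses, B-VID and I-SID are constructed sample values.

```python
# Added example (not Fabric Connect code): build and decode a constructed
# IEEE 802.1ah MAC-in-MAC frame to show the backbone/customer header split.
import struct

TPID_BTAG = 0x88A8  # 802.1ad S-TAG EtherType, used for the backbone VLAN tag (B-TAG)
TPID_ITAG = 0x88E7  # 802.1ah service instance tag (I-TAG); low 24 bits of I-TCI = I-SID


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_pbb_frame(b_da: bytes, b_sa: bytes, b_vid: int, i_sid: int, inner: bytes) -> bytes:
    """Encapsulate a customer frame (starting at C-DA) behind a B-TAG and I-TAG."""
    btag = struct.pack("!HH", TPID_BTAG, b_vid & 0x0FFF)      # PCP/DEI left at 0
    itag = struct.pack("!HI", TPID_ITAG, i_sid & 0x00FFFFFF)  # I-PCP/I-DEI/UCA left at 0
    return b_da + b_sa + btag + itag + inner


def parse_pbb_frame(frame: bytes) -> dict:
    """Decode B-DA/B-SA, optional B-TAG, I-TAG and the encapsulated C-DA/C-SA."""
    b_da, b_sa, off, b_vid = frame[0:6], frame[6:12], 12, None
    tpid = struct.unpack_from("!H", frame, off)[0]
    if tpid == TPID_BTAG:                       # B-TAG is optional in 802.1ah
        b_vid = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        tpid = struct.unpack_from("!H", frame, off)[0]
    if tpid != TPID_ITAG:
        raise ValueError(f"not an 802.1ah I-tagged frame (TPID 0x{tpid:04x})")
    i_sid = struct.unpack_from("!I", frame, off + 2)[0] & 0x00FFFFFF
    off += 6
    return {
        "b_da": _mac(b_da), "b_sa": _mac(b_sa), "b_vid": b_vid, "i_sid": i_sid,
        "c_da": _mac(frame[off:off + 6]), "c_sa": _mac(frame[off + 6:off + 12]),
        "payload": frame[off + 12:],            # customer EtherType onward
    }


# Constructed sample: a customer IPv4 frame carried in I-SID 16000001 on B-VID 4051.
CUSTOMER_FRAME = bytes.fromhex("00112233445566778899aabb0800") + bytes(20)
SAMPLE = build_pbb_frame(bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb"),
                         4051, 16000001, CUSTOMER_FRAME)

if __name__ == "__main__":
    for key, value in parse_pbb_frame(SAMPLE).items():
        print(f"{key:8} {value}")
```

A core node forwarding on B-DA, B-VID and I-SID never has to look at the C-DA/C-SA or anything after them, which is the separation the bullets above refer to.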
The combination of these technology traits yields a networking protocol architecture that, under the right design circumstances, can yield totally dark and isolated networks. We refer to this as Stealth Networking. Because IP plays no role in establishing the network, and because user access is very strictly separated from the network service plane, Fabric Connect can yield what we term hyper-segmentation.
Unlike normal micro-segmentation, or even virtualization overlays, which assume the use of an IP-routed core, Extreme Networks’ Fabric Connect is based purely on Ethernet, with no IP underlay. IP as a protocol becomes a ‘service phenomenon’ at the fabric edge. The same is true of VLANs. The end result is a very strong segmentation environment that is difficult not only to penetrate but even simply to enumerate. This removes two very important rungs in the ladder for a would-be attacker: the ability to ‘see’ and the ability to ‘move’.
Don’t believe us? Come to the Extreme Networks Worldwide User Conference, ExtremeConnect 2018, and give it a try for yourself!
We are holding a Fabric Connect Hack-A-thon to prove the claims that we have made above. We are so confident in the technology that we will be offering a $10,000 prize to anyone who successfully reaches the targets that are provided.
Do you think you have what it takes to win the prize? Well, a little word of warning… many have tried, but no one has succeeded yet. Maybe you will win; even if you don’t, more importantly, you will get to know one of the most secure networking technologies on the planet.