Upcoming Events

16 Mar 2018

The Computer Measurement Group (CMG) and the Enterprise Data Center Operators (EDCO) are co-sponsoring a live seminar. You do not have to be a member of CMG to attend this seminar.

Agenda:

  • TLS1.3 and enterprise network management
    We will discuss the potential problems with TLS1.3 for enterprises and some possible solutions.
    Speaker: Steve Fenter: U.S. Bank

  • Encrypted DNS (DPRIVE)
    Encrypted DNS is likely to pose challenges for enterprises, in particular, for mobile users.
    Speaker: Jim Reid: RTFM LLC

  • QUIC and enterprises
    The QUIC protocol is likely to become a well-adopted transport layer protocol similar to TCP and UDP. It will pose many challenges for enterprises.
    Speaker: Dr. Simone Ferlin

  • IPv6 and enterprises
    IPv6 implementation at many enterprise networks has lagged. We will discuss the business incentives for implementation.
    Speaker: Lee Howard: Retevia (co-chair v6Ops - IETF)

  • IPv6 enterprise use cases
    A number of enterprises will speak on IPv6 implementation efforts at their organization.
    Speakers: Mike Ackermann: Blue Cross Blue Shield of Michigan, Friso Feenstra: Rabobank

----------------------------------------------------------------------------------------------------

TLS 1.3

TLS1.3 disallows the use of RSA key exchange. This means that large data centers will need a different (new) way to decrypt out-of-band traffic. We need ways to manage our networks when traffic is encrypted. When traffic cannot be inspected, malware, data leaks, fraud and many other security and diagnostic problems can go undetected.

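As an added illustration (not part of the announcement or of any IETF draft), the toy Python model below shows why removing RSA key exchange breaks out-of-band decryption: a device holding only the server's long-term private key can recover the session key from a recorded RSA key transport, but not from a recorded ephemeral Diffie-Hellman exchange. The RSA and DH parameters are constructed toy values, not real TLS sizes, and the key derivation is a stand-in for the TLS KDF.

```python
"""Toy model of passive (out-of-band) decryption with and without RSA key exchange."""
import hashlib
import secrets

# Constructed toy parameters so the arithmetic is visible (NOT real TLS sizes).
RSA_P, RSA_Q, RSA_E = 61, 53, 17             # server's long-term RSA key pair
RSA_N = RSA_P * RSA_Q                         # public modulus, 3233
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # private exponent
DH_P, DH_G = 23, 5                            # toy finite-field Diffie-Hellman group


def session_key(shared_secret: int) -> bytes:
    """Derive the session key from the exchanged secret (stand-in for the TLS KDF)."""
    return hashlib.sha256(str(shared_secret).encode()).digest()


def rsa_key_exchange():
    """TLS 1.2-style RSA key transport: the client encrypts a premaster secret to the
    server's public key. Returns what a passive tap records and the derived session key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    recorded = {"encrypted_premaster": pow(premaster, RSA_E, RSA_N)}
    return recorded, session_key(premaster)


def dhe_key_exchange():
    """TLS 1.3-style ephemeral DH: only the public values g^a and g^b cross the wire."""
    a = secrets.randbelow(DH_P - 2) + 1       # client's ephemeral secret, never sent
    b = secrets.randbelow(DH_P - 2) + 1       # server's ephemeral secret, never sent
    recorded = {"client_pub": pow(DH_G, a, DH_P), "server_pub": pow(DH_G, b, DH_P)}
    return recorded, session_key(pow(DH_G, a * b, DH_P))


def out_of_band_decrypt(recorded: dict, server_private_d: int):
    """What an inspection device holding the server's private key can recover from a
    recording alone: the session key for RSA key transport, None for ephemeral DH."""
    if "encrypted_premaster" in recorded:
        premaster = pow(recorded["encrypted_premaster"], server_private_d, RSA_N)
        return session_key(premaster)
    # The ephemeral exponents were never transmitted, so the long-term key does not help;
    # recovering g^(ab) from g^a and g^b is the discrete-log / DH problem.
    return None


if __name__ == "__main__":
    rec, key = rsa_key_exchange()
    print("RSA key transport, passive recovery works:", out_of_band_decrypt(rec, RSA_D) == key)
    rec, key = dhe_key_exchange()
    print("Ephemeral DH, passive recovery works:", out_of_band_decrypt(rec, RSA_D) == key)
```
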
QUIC

The QUIC protocol is essentially HTTPS over UDP. It was developed by Google and is already deployed. QUIC encrypts the headers as well as the payload. From the base Internet Draft for QUIC: “Using UDP as the substrate, QUIC seeks to be compatible with legacy clients and middleboxes. QUIC authenticates all of its headers and encrypts most of the data it exchanges, including its signaling. This allows the protocol to evolve without incurring a dependency on upgrades to middleboxes.” Though its aims are laudable, the problems are that firewalls do not examine UDP as thoroughly as they examine TCP; if middleboxes cannot examine headers, load balancers may have a problem; and if the payload cannot be decrypted, there are issues with fraud detection, data leakage, malware, and network diagnostics.

DPRIVE

The concern of the DPRIVE group is the amount of information revealed via DNS, most importantly the web site being accessed. DPRIVE aims to provide confidentiality for DNS transactions. Though the goal is laudable, in the real world DNS information is used to detect malware, leakage of information and fraud. Additionally, DNS is a critically important component of networks. Most of us have forgotten the days when a DNS issue made an entire region of the network inaccessible. Imagine what may happen if a certificate for DNS over TLS (over TCP) expires or the connection is blocked by a firewall.

IPv6

IPv6 implementation at "brick and mortar" enterprise networks has lagged that of other sectors. Such enterprises are the 99% of commercial and business entities who are not the mega data centers for the 10 or 15 companies whose names are known to most teenagers of the world. We will discuss the nature of the topology, applications, regulatory and business requirements of such companies which may be hindering adoption. We will also discuss the pros and cons of IPv6 implementation in particular as data center topology evolves.

Enterprise Use of TLS1.3 Discussions

Mondays

9:00 AM PDT

Join other enterprises in a monthly web conference call to discuss the impact of TLS1.3 on large data centers.

This webinar meets 8 times.

  1. Mon, Feb 26, 2018 8:00 AM - 9:00 AM PST

  2. Mon, Mar 26, 2018 8:00 AM - 9:00 AM PDT

  3. Mon, Apr 23, 2018 8:00 AM - 9:00 AM PDT

  4. Mon, May 28, 2018 8:00 AM - 9:00 AM PDT

  5. Mon, Jun 25, 2018 8:00 AM - 9:00 AM PDT

  6. Mon, Jul 30, 2018 8:00 AM - 9:00 AM PDT

  7. Mon, Aug 27, 2018 8:00 AM - 9:00 AM PDT

  8. Mon, Sep 24, 2018 8:00 AM - 9:00 AM PDT

Impact of TLS1.3 on Enterprises

TLS1.3 Impact on Network Based Security: Internet Draft

Some people at Cisco recently published an Internet Draft called "TLS1.3 Impact on Network Based Security". We are collaborating with them at the IETF. The Cisco draft cites the work our group has been doing.

Abstract (TLS1.3 Impact on Network Based Security)
-----------------------------------------------------------------------
Network-based security solutions are used by enterprises, public sector, and cloud service providers today in order to both complement and augment host-based security solutions. TLS 1.3 introduces several changes to TLS 1.2 with a goal to improve the overall security and privacy provided by TLS. However, some of these changes have a negative impact on network-based security solutions. While this may be viewed as a feature, there are several real-life use case scenarios that are not easily solved without such network-based security solutions. In this document, we identify the TLS 1.3 changes that may impact network-based security solutions and provide a set of use case scenarios that are not easily solved without such solutions.

Monthly Meetings

For Questions: Contact us at info@e-dco.com