Welcome to Movie Line Monday. My name is Krishna. And today's topic is inspired by the movie, Treasure of the Sierra Madre. I don't have to show any stinking badges.

We are going to talk about policy evolution today.
So let's go back to when networking started. Policies were pretty much enforced on a packet-level basis. A packet had IP addresses and port numbers, and you could define ACLs, access control lists, that told you what policies to enforce. So you could block a particular IP address or a particular combination of IP address and port.

Now as applications evolved, you needed a much more stateful way of enforcing policies. So that gave way to the connection concept. In the connection, a bunch of packets is identified by what we call a 5-tuple, which consists of the source IP, dest IP, source port, dest port and protocol. And all packets that had the same 5-tuple belong to a given connection. And the way you enforce policy is using stateful firewall rules, where you specified rules as to what applications to block or what applications to allow. And the firewall kept state of all packets that belong to a given connection and applied the policy once at the beginning of the connection.
Now let's fast forward to the 2010 decade. So what we're seeing right now is applications are much richer. They don't go to one particular server. A given application transaction consists of many TCP connections. And so this gives rise to the concept of an application session.

So you may ask, how do you identify this application session? So an application session, at the highest level, is identified by a user, an application, the device they are accessing the application from, and the location from where they are coming. This tuple, in this particular case a 4-tuple, would identify a particular application session for policy enforcement.

So when you are applying policies in this context, you need to look at this tuple to identify all the TCP connections that belong to that tuple and then apply the policy holistically. Only then will you be able to apply policy in a way in which it matters. Otherwise, some connections are going to go through and some may not. And the desired intent of the policy enforcement would not happen.

So the new session is the app session. And the new tuple is user, app, device and location.
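The contrast described above, as an added example that is not part of the original talk: a per-connection (5-tuple) deny rule catches only the one server it knows about, while grouping the same connections by the (user, app, device, location) 4-tuple gives every connection of the session the same verdict. All connection values, host names and the policy intent are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: one CRM transaction by "alice" from an unmanaged phone
# fans out into three TCP connections to different back-end hosts; "bob" uses
# the CRM from a managed laptop at the office. All values are made up.
CONNECTIONS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "sport": 51000, "dport": 443, "proto": "tcp",
     "user": "alice", "app": "crm", "device": "unmanaged-phone", "location": "cafe"},
    {"src": "10.0.0.5", "dst": "203.0.113.20", "sport": 51001, "dport": 443, "proto": "tcp",
     "user": "alice", "app": "crm", "device": "unmanaged-phone", "location": "cafe"},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "sport": 51002, "dport": 443, "proto": "tcp",
     "user": "alice", "app": "crm", "device": "unmanaged-phone", "location": "cafe"},
    {"src": "10.0.1.9", "dst": "203.0.113.20", "sport": 52000, "dport": 443, "proto": "tcp",
     "user": "bob", "app": "crm", "device": "managed-laptop", "location": "office"},
]

# Hypothetical 5-tuple style deny rule: it only knows the CRM's main server
# (dst, dport, proto), not the other hosts the same transaction talks to.
DENY_DST = {("203.0.113.10", 443, "tcp")}

def five_tuple(c):
    return (c["src"], c["dst"], c["sport"], c["dport"], c["proto"])

def session_tuple(c):
    """The 4-tuple from the talk: user, app, device, location."""
    return (c["user"], c["app"], c["device"], c["location"])

def per_connection_verdicts(conns):
    """Old model: each connection is judged alone by its own 5-tuple."""
    return {five_tuple(c): "block" if (c["dst"], c["dport"], c["proto"]) in DENY_DST
            else "allow" for c in conns}

def session_policy(user, app, device, location):
    """Hypothetical intent: the CRM may only be used from a managed laptop at the office."""
    if app == "crm" and (device != "managed-laptop" or location != "office"):
        return "block"
    return "allow"

def per_session_verdicts(conns):
    """New model: group by the 4-tuple, decide once, apply to every member connection."""
    sessions = defaultdict(list)
    for c in conns:
        sessions[session_tuple(c)].append(c)
    verdicts = {}
    for key, members in sessions.items():
        decision = session_policy(*key)
        for c in members:
            verdicts[five_tuple(c)] = decision
    return verdicts
```

With the sample data, the per-connection rule blocks only one of alice's three connections (partial enforcement), whereas the session policy blocks all three and still allows bob's.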