© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
A new paradigm: Networking in Healthcare
Christian Korff
Cisco Deutschland
September 2017
For 30 years, we’ve focused on helping to change the way the world works, lives, plays, and learns.
Our Vision
Digitalization as the essence
(diagram: unit costs / copyability; costs approaching 0; reuse of innovation / rapid prototyping; Moore's Law / miniaturization; exponential spread; unit costs; modularization; rapid prototyping; miniaturization)
"Living and working inside the computer?"
© Prof. Dr. Ing. Andreas Schrader
Digital Business Agility
Hyperawareness: a company's ability to detect and monitor changes in its business environment
Informed Decision-Making: a company's ability to make the best decision in a given situation
Fast Execution: a company's ability to carry out its plans quickly and effectively
So What?
Start with the Core
(diagram labels on the following build-up slides: Core Layer, Distribution Layer, VSS, Access Layer, Campus Services, WLCs, Firewalls)
Add in the Distribution Layer …
Traditional Multi-Layer Distribution …
VSS-based Distribution …
Add in the Access Layer …
Multi-Layer Access … L3 terminated at Dist.
Routed Access … L3 terminated at Access
Converged Access … Wired / Wireless
Instant Access …
Add in Wired clients ...
Add in Access Points …
… and some Wireless clients …
Add in a Campus Services Layer …
… with some Wireless LAN Controllers (WLCs)
… and some Firewalls
Form the WLCs into a Mobility Group …
Create the CUWN CAPWAP overlay …
Add in Converged Access to the mix …
… and add in the Data Center for the site
Internet access, dual-homed, with RA VPN
Guest wireless access, terminated in DMZ
Now, let's move out to the WAN …
First, we may have MAN connectivity …
We may also have a traditional WAN (T1, etc.)
We may have an SP-provided MPLS service
We may be using DMVPN over Internet
We may be using GET VPN over WAN/MPLS …
… or we may be using DMVPN over 3G/4G/Sat
Branches may be single-attached to the WAN …
Or branches may be dual-WAN-attached
Add in remote teleworkers …
We may have a second, backup Data Center …
… using a variety of DCI options for connectivity
Finally, all of this may be virtualized "N" times …
Networks Today…
Non-Prescriptive Topology (too many variations)
Complex Addressing (IP address tied to topology)
Disruptive Device Growth (IoT and mobility)
Static Resource Allocation
Manual Processes
Complex Provisioning
Rigid Policies (policy based on IP address)
Software Defined Networking
(diagram: Controller; Orchestration and Policy; Services: Security, Collaboration, Mobility; Infrastructure; Endpoints; Branch; Intent / Policy → Configuration)
THE NETWORK. INTUITIVE. Powered by Intent. Informed by Context.
Intent-based Network Infrastructure
Command and Control Center: Analytics, Policy, Automation
Intent, Context, Security, Learning
Programmable, Integrated, Secure
Software Defined Access powered by DNA Center
Assurance powered by Network Data Platform
Security Policy powered by Identity Services Engine
C97-739103-00 © 2017 Cisco and/or its affiliates. All rights reserved. Public
Encrypted Traffic is increasing
75% of web traffic will be encrypted by 2019**
SSL/TLS encrypted traffic grew 90% year over year from July 2015 to July 2016.*
15% of all Malware utilizes TLS and rising*
(chart, share of encrypted web traffic: 2015 21%, 2016 40%, 2019 75%)
* Source: NSS Labs
** Cisco ThreatGrid Analysis 2015
How to identify Malware hidden under TLS?
(diagram: Endpoint … Internet)
Behavioral Patterns w.r.t. Packet Lengths/Times
(diagram: packet length and timing sequences of two flows)
Bestafera: Self-Signed Certificate, Data Exfiltration, C2 Message
Google Search: Initial Page Load, Page Refresh, Autocomplete
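As an added example (not Cisco's ETA code), the following Python extracts the sequence-of-packet-lengths-and-times features that this slide contrasts: the first packets of a flow as signed lengths and inter-arrival gaps, a Markov transition matrix over length bins, and a periodicity score over the client's inter-arrival times. Both flows, the bin width, and the assumption that the first three outbound packets are the handshake are constructed for illustration; the beacon-shaped flow is not a Bestafera capture.

```python
"""Sequence of packet lengths and times (SPLT) for an encrypted flow.

Added example, not Cisco's Encrypted Traffic Analytics code. Both flows
below are constructed by hand to be illustrative; they are not captures
of Bestafera or of a real Google search.
"""
from collections import Counter
from statistics import mean, pstdev

BIN_WIDTH = 150                 # bytes per length bin (assumption)
N_BINS = 1500 // BIN_WIDTH      # 10 bins; anything >= 1350 bytes lands in the last one

# (time_ms, direction, length): '>' client -> server, '<' server -> client
# Constructed: a browsing flow with large inbound bursts at irregular times.
BROWSING = [
    (0, '>', 517), (30, '<', 1500), (31, '<', 1500), (32, '<', 800),
    (35, '>', 126), (36, '>', 51), (60, '<', 51), (62, '>', 430),
    (120, '<', 1500), (121, '<', 1500), (122, '<', 1500), (123, '<', 1200),
    (180, '>', 380), (240, '<', 1500), (241, '<', 700), (900, '>', 410),
    (950, '<', 1500), (951, '<', 1500), (952, '<', 1500), (953, '<', 600),
]
# Constructed: a short handshake (small, self-signed certificate) followed
# by fixed-size check-ins every 5 s, the shape of a beaconing C2 channel.
BEACON = [
    (0, '>', 517), (40, '<', 900), (45, '>', 126), (46, '>', 51), (80, '<', 51),
    (100, '>', 210), (140, '<', 160), (5100, '>', 210), (5140, '<', 160),
    (10100, '>', 210), (10140, '<', 160), (15100, '>', 210), (15140, '<', 160),
    (20100, '>', 210), (20140, '<', 160),
]


def splt(packets, n=20):
    """First n packets as (signed length, inter-arrival ms); negative = inbound."""
    out, prev = [], packets[0][0]
    for t, d, length in packets[:n]:
        out.append((length if d == '>' else -length, t - prev))
        prev = t
    return out


def length_bin(length):
    return min(abs(length) // BIN_WIDTH, N_BINS - 1)


def transition_matrix(packets):
    """Markov transition probabilities between consecutive length bins."""
    bins = [length_bin(length) for _, _, length in packets]
    pairs = Counter(zip(bins, bins[1:]))
    rows = Counter(bins[:-1])
    m = [[0.0] * N_BINS for _ in range(N_BINS)]
    for (a, b), c in pairs.items():
        m[a][b] = c / rows[a]
    return m


def periodicity(packets, skip=3):
    """Coefficient of variation of client-side inter-arrival times after the
    first `skip` outbound packets (assumed to be the handshake). Near 0 means
    the client talks on a fixed schedule, as a beacon does; a human-driven
    session is bursty and scores well above 0. Returns None if too short."""
    times = [t for t, d, _ in packets if d == '>'][skip:]
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


if __name__ == "__main__":
    for name, flow in (("browsing", BROWSING), ("beacon", BEACON)):
        print(name, splt(flow, 6), "periodicity=%.2f" % periodicity(flow))
```

The transition matrix and the SPLT vector are what a classifier consumes; the periodicity score is the single-feature shortcut for the C2 case, and its `skip` value is a crude stand-in for actually locating the end of the handshake.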
TLS Client Fingerprinting (Bestafera)
(diagram: TLS ClientHello → Possible Clients → True Client (v: 1.0.1r))
Why This Approach is Successful
(diagram: (v: 1.0.1r) + … = …; (v: 52.0) + … = …)
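The ClientHello fingerprinting on the last two slides, as an added example that is not Cisco's implementation: it parses the cipher suites and extensions a client offers, strips GREASE values, reduces them to a JA3-style string and hash, and looks the hash up in a table of possible clients. The two ClientHellos and the client labels in the table are constructed here; a real table is built from labelled traffic, and the "true client" step on the slide still needs context beyond the hash.

```python
"""Fingerprint a TLS client from its ClientHello.

Added example, not Cisco's ETA code. The ClientHello records and the
lookup table are constructed for this example; the client labels are
hypothetical.
"""
import hashlib
import struct


def _u16(v):
    return struct.pack("!H", v)


def build_client_hello(ciphers, extensions, version=0x0303):
    """Build a TLS 1.2 ClientHello record (constructed test input)."""
    ext_body = b"".join(_u16(t) + _u16(len(d)) + d for t, d in extensions)
    body = (_u16(version) + bytes(32) + b"\x00"            # version, random, empty session id
            + _u16(2 * len(ciphers)) + b"".join(_u16(c) for c in ciphers)
            + b"\x01\x00"                                   # one compression method: null
            + _u16(len(ext_body)) + ext_body)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16" + _u16(0x0301) + _u16(len(hs)) + hs      # record type 22 = handshake


def is_grease(v):
    """GREASE values (RFC 8701) are 0x?a?a with equal bytes and change per
    connection, so a stable fingerprint must drop them."""
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)


def parse_client_hello(rec):
    """Extract version, cipher suites, extension types, groups, point formats, SNI."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    hs_len = int.from_bytes(rec[6:9], "big")
    p = rec[9:9 + hs_len]
    if len(p) != hs_len:
        raise ValueError("truncated handshake")
    version = struct.unpack("!H", p[:2])[0]
    off = 2 + 32                                  # skip client_random
    off += 1 + p[off]                             # session_id
    cs_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    ciphers = [struct.unpack("!H", p[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + p[off]                             # compression methods
    info = {"version": version, "ciphers": ciphers, "extensions": [],
            "groups": [], "point_formats": [], "sni": None}
    if off >= len(p):
        return info                               # no extensions at all
    end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        et, el = struct.unpack("!HH", p[off:off + 4])
        data = p[off + 4:off + 4 + el]
        off += 4 + el
        info["extensions"].append(et)
        if et == 0x0000 and len(data) >= 5:                       # server_name
            n = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + n].decode("ascii", "replace")
        elif et == 0x000a and len(data) >= 2:                     # supported_groups
            n = struct.unpack("!H", data[:2])[0]
            info["groups"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif et == 0x000b and len(data) >= 1:                     # ec_point_formats
            info["point_formats"] = list(data[1:1 + data[0]])
    return info


def ja3_string(info):
    """JA3-style summary: version,ciphers,extensions,groups,point_formats (GREASE removed)."""
    join = lambda vals: "-".join(str(v) for v in vals if not is_grease(v))
    return ",".join([str(info["version"]), join(info["ciphers"]), join(info["extensions"]),
                     join(info["groups"]), "-".join(str(v) for v in info["point_formats"])])


def ja3_hash(info):
    return hashlib.md5(ja3_string(info).encode()).hexdigest()


# Constructed: a modern-browser-shaped hello (GREASE, long suite list, SNI) ...
BROWSER_LIKE = build_client_hello(
    ciphers=[0x1a1a, 0xc02b, 0xc02f, 0xc02c, 0xc030, 0xcca9, 0xcca8, 0x009c, 0x009d, 0x002f, 0x0035],
    extensions=[(0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),
                (0x000a, b"\x00\x06\x00\x1d\x00\x17\x00\x18"),
                (0x000b, b"\x01\x00"),
                (0x000d, b"\x00\x04\x04\x03\x08\x04")])
# ... and an old-library-shaped hello (four legacy suites, no SNI, no groups).
LIBRARY_LIKE = build_client_hello(
    ciphers=[0x002f, 0x0035, 0x000a, 0x0005],
    extensions=[(0x000d, b"\x00\x02\x04\x01")])

# Hypothetical table of "possible clients" per fingerprint hash; a real one
# is built from labelled traffic, and several clients can share a hash.
KNOWN_CLIENTS = {
    ja3_hash(parse_client_hello(BROWSER_LIKE)): ["browser build A (hypothetical)"],
    ja3_hash(parse_client_hello(LIBRARY_LIKE)): ["statically linked TLS library (hypothetical)"],
}


def possible_clients(rec, table=KNOWN_CLIENTS):
    return table.get(ja3_hash(parse_client_hello(rec)), ["unknown"])
```

Note that the version field here is the legacy ClientHello version; a TLS 1.3 client advertises 1.3 in the supported_versions extension, which this parser records only as extension type 43 in the list.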
SD-Access - Two Level Hierarchy
1. Virtual Network (VN) = VRF: first-level segmentation that ensures zero communication between the Building Management VN and the Campus Users VN.
2. Scalable Group = SGT/SGACL: second-level segmentation that ensures role-based access control between two groups within a Virtual Network (Group Policy).
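An added example (not DNA Center or ISE code) that models the two levels in Python: VN isolation is evaluated first, then the SGT/SGACL matrix. VN names, tag numbers, contracts and endpoints are hypothetical.

```python
"""Two-level segmentation as in SD-Access: VN (VRF) first, then SGT/SGACL.

Added example modelling the policy logic, not DNA Center or ISE code.
The VN names, SGT numbers, contracts and endpoints are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    vn: str    # virtual network (VRF) the endpoint was onboarded into
    sgt: int   # scalable group tag assigned from identity, not from address


# Level 2: SGACL matrix keyed on (source SGT, destination SGT) within a VN.
# Each contract lists the (protocol, destination port) pairs it permits;
# anything not listed is denied, so the matrix is default-deny.
SGACL = {
    (10, 20): {("tcp", 443)},        # Campus Users -> Clinical Apps: HTTPS only
    (30, 40): {("udp", 47808)},      # BMS Controllers -> HVAC: BACnet/IP only
}


def policy_decision(src, dst, proto, port, sgacl=SGACL):
    """Evaluate both levels; a flow must pass VN isolation before the group
    policy is even consulted."""
    # Level 1: distinct VNs are distinct VRFs. With no route leaking or
    # firewall between them there is no forwarding path at all.
    if src.vn != dst.vn:
        return "deny: VN isolation"
    # Level 2: role-based policy inside the VN, keyed on groups, not IPs.
    if (proto, port) in sgacl.get((src.sgt, dst.sgt), set()):
        return "permit: SGACL"
    return "deny: SGACL default"


# Constructed endpoints: two VNs with two groups each.
nurse_laptop = Endpoint("10.1.20.15", "Campus_Users", 10)
ehr_server = Endpoint("10.1.50.8", "Campus_Users", 20)
bms_controller = Endpoint("10.9.1.4", "Building_Mgmt", 30)
hvac_unit = Endpoint("10.9.3.77", "Building_Mgmt", 40)


def decisions():
    """Verdicts worth checking, including that the policy survives a change
    of IP address when the laptop roams to another subnet."""
    roamed = Endpoint("10.1.31.200", nurse_laptop.vn, nurse_laptop.sgt)
    return {
        "nurse->ehr https": policy_decision(nurse_laptop, ehr_server, "tcp", 443),
        "nurse->ehr ssh": policy_decision(nurse_laptop, ehr_server, "tcp", 22),
        "nurse->hvac bacnet": policy_decision(nurse_laptop, hvac_unit, "udp", 47808),
        "bms->hvac bacnet": policy_decision(bms_controller, hvac_unit, "udp", 47808),
        "ehr->nurse https": policy_decision(ehr_server, nurse_laptop, "tcp", 443),
        "roamed nurse->ehr": policy_decision(roamed, ehr_server, "tcp", 443),
    }


if __name__ == "__main__":
    for k, v in decisions().items():
        print(f"{k:20s} {v}")
```

The matrix is directional and stateless, which is why the server-to-laptop cell denies in this model: real SGACLs do not track connection state either, so the reverse cell needs its own contract for return traffic, a detail that is easy to miss when a group policy is first written.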
Collaboration / Security / Networking
Network Utilization Growth
Expanded data usage increases need for efficient, reliable networks
Business-critical apps require priority and real-time access
Increased number of mobile devices requires even better analytics
Optimizing Wi-Fi Connectivity
iOS and Cisco devices recognize each other
Enabled with a "handshake" unique to Apple and Cisco
Fast roaming and load balancing automatically enabled
Resources For Your Reference
• ETA Solution Overview in BRKCRS-1560 - https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=95570&backBtn=true
• Research behind ETA BRKSEC-2809 - https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=94399&backBtn=true
• Cognitive Analytics overview BRKSEC-3106 - https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=95774&backBtn=true
• Hidden Figures - Securing what you cannot see INSSEC-103 - https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=95318&backBtn=true
• Overview of ETA - https://www.youtube.com/watch?v=JpbL6DC-JlM
• Demo of ETA - https://www.youtube.com/watch?v=6f5INflDRto