Secure Data Center Solution with FP 9300 - BDM

Bill McGee, Sr. ManagerData Center Security [email protected]

Cisco Secure Data Center Solutions

2© 2015 Cisco and/or its affiliates. All rights reserved.

Time- consuming provisioning

Complexdata flows

Unpredictable data volume

In Data Center Security, Agility, Threat Defense, and Control are Challenges

UniqueThreats


Data centers require specialized security

Standard edge security Data center security

Sees symmetric traffic only

Scales statically for predictable data volume, limited by edge data connection

Monitors ingress and egress traffic

Deployed typically as a physical appliance

Deploys in days or weeks

Requires asymmetric traffic management

Must scale dynamically to secure high volume data bursts

Needs to secure intra-data-center traffic

Requires both a physical and virtual solution

Must deploy in hours or minutes


It’s tempting to sacrifice security to achieve agility

Incomplete security coverage

Inconsistent levels of security

Compromised configuration

Proliferating user access


Deploy security where you need it most

East-west traffic

76%

North-south traffic

17%

Inter-data center traffic

7%


Without specialized security, your data center is more exposed to sophisticated threats

of data is stolen in hours; detection can take weeks or months

60%

of data center breaches can be tied to misconfigured security solutions

95%

of companies connect to domains that host malicious files or services

100%

Well-funded. They are part of massive operations

Inventive. They rapidly change their tactics and tools, finding new vulnerabilities to exploit

Insidious. They blend in with the targeted organization, sometimes taking weeks or months to establish multiple footholds in infrastructure and user databases

Today’s hackers are more advanced than ever

Sources: Verizon 2014 Data Breach Investigations Report (DBIR); Gartner; Cisco Annual Security Report 2015


Only Cisco offers the agility, protection, and control you need to truly protect the DC

Unmatched agility Integrated protection Dynamic control


Unmatched agilityAchieve the flexibility and performance required without compromising security

Unmatched agility

Deploy and operate consistentlyacross data center designs, geographies and physical, virtual and cloud environments

Increase resource flexibilitywith security policies that adjust as workloads shift

Scale dynamicallyto apply the right security at the right time, aligned to each workload’s varying demands


Through link scalability

Multiple Uplink Routers

Multiple Physical Links

OSPF/BGP routing for rapid failure detection

Equal Cost Multipath (ECMP)

Full Flow Asymmetry Support

Port Aggregation (EtherChannel)LACP for dynamic bundling and failure detection


Cluster

Single Logical FirewallClustering with full state backup

vPC/VSS Single Virtual SwitchVirtual PortChannel (vPC) on Nexus

Virtual Switch System (VSS) on Catalyst

Device scalability

Complete Fault ToleranceSpanned Etherchannel with LACP for portsNon-Stop Forwarding (NSF) for OSPF/BGP

Redundant Switches

Redundant Firewalls


And site scalability

Local Traffic Processing

Endpoint Mobility

VLAN Segment ExtensionOverlay Transport Virtualization (OTV)

Clustering retains connection state

Clustering with full state backupSite-specific switch connections

Inter-site Clustering

Site A Site B

Virtual


Unified Platform

Or through ACI service chaining

Data Packet

1001000101111000101

110

1001000101111000101

110

1001000101111000101

110

1001000101111000101

110

1001000101111000101

110

1001000101111000101

110

1001000101111000101

110SSL

Metadata tagging

Service 1 Service 2 FW IPSSpecialized

Security Service

Policy Scripting | Management | Reporting | Logging Analytics ꞁ


All with elastic scale and performance

On demand security scales up and down as

traffic increases and decreases

16-way load distribution with state synchronization**

Pool across physical security appliances


Integrated protectionBenefit from robust, purpose-built security that won’t slow you down

Integrated protection

Secure east-west data center traffic flows without crippling data center operations

Prioritize high-risk events automaticallyso you can focus on the potential threats that are most likely to be problems

Defend critical resources in real-timeincluding custom applications, mission-critical infrastructure and sensitive data

Remediate and adapt intelligentlyby efficiently understanding and cleaning up breaches


BEFOREDiscoverEnforce Harden

AFTERScope

ContainRemediate

Attack Continuum

Network Endpoint Mobile Virtual Cloud

Detect Block Defend

DURING

Through a threat-centric security model

Point in Time Continuous


Stay protected against the latest threats with regular updates pushed automatically

Identify advanced threats quickly with industry-leading threat data and research

Get industry-specific threat intelligence tailored to your business

Catch advanced threats endpoints miss with Cisco’s threat engineers and analysts

With the smartest threat defense available

00I00 I00I0I II0I0I 0II0I I0I00I0I0 0II0I0II 0I00I0I I0 00 II0III0I 0II0II0I II00I0I0 0I00I0I00 I0I0 I0I0 I00I0I00

III00II 0II00II I0I0II0II0 I0 I0 I00 00I0 I000 0II0 00

III00II I000I0I I000I0I I000I0I II 0I00 I0I000 0II0 00 00I I0I0I0 I0I0III000 I0I00I0I 0II0I0 I00I0I0I0I 000

II0II0I0I0I I0I0I0I 0I0I0I0I 0I0I00I0 I0I0I0I 0II0I0I0I

0II00 I00I0I0 0I00I0I I00I0I0 I0I0I0I 0I0I0I 0I0I0I000I0I0 0I0I0I0 I0I0I00I 0I0I 0I0I 0I0I I0I0I 0I00I0I

III00II 0II00II I0I000 0II0 00I0I00 I0 I000I0I 0II 0I0I0I

III00II 0II00II 0I0I0I0I 0I I0 I00 000II0 I0I0 0II0 00

Email Endpoints Web Networks NGIPS Devices

WWW

24 7 365 OperationsJan

600+ Researchers

Research Response

Threat Intelligence

• Monitors 35% of the world’s email traffic

• Receives 1.1 million incoming malware samples daily

• Performs 4.9 billion AV and web filtering blocks per month

• Processes 100 terabytes of security intelligence daily

Talos


Market-leading ASA NGFW

Deploy consistent policy between virtual and physical devicesSupport Traditional and Next-Gen Data Centers (SDN, NFV, ACI)

Fully integrated into ACI – APIC-based provisioning, orchestration, and management

Cisco ASA Virtual Firewall• Full ASA Feature Set• Hypervisor Agnostic• vSwitch Independent• Dynamic Scalability

Cisco ASA 5585-X Series• Now with FirePOWER NGIPS services• Up to 640 Gbps throughput• 16-node, multi-site clustering• Clusters managed as a single device


FirePOWER Next Generation IPS

Easily add Application Control, URL Filtering, and Advanced Malware Protection (AMP) with optional subscription licenses

Industry-Best NG Intrusion Prevention

Real-Time Contextual Awareness

Full Stack Visibility

Unparalleled Performance and Scalability

Physical and Virtual Form Factors

Detects and Inspects Custom Applications


And Cisco Advanced Malware ProtectionAll detection is less than 100% effective

Reputation Filtering and File Sandboxing

Dynamic Analysis

Machine Learning

Fuzzy Finger-printing

Advanced Analytics

One-to-OneSignature


With continuous attack analysis

0001110 1001 1101 1110011 0110011 101000 0110 00 0111000 111010011 101 1100001 110

1000111010011101 1100001110001110 1001 1101 1110011 0110011 101000 0110 00

0100001100001 1100 0111010011101 1100001110001110 1001 1101 1110011 0110011 101000 0110 00

Web

WWW

Endpoints NetworkEmail Devices

IPS

File Fingerprint and Metadata

Process Information

Continuous feed

Continuous analysis

File and Network I/O

Breadth and Control points:

Telemetry Stream

Talos + Threat Grid Intelligence

TrajectoryBehavioralIndications

of Compromise

Threat Hunting

Retrospective Detection


Introducing Firepower 9300

Multi-service security

Benefits• Integration of best-of-breed security• Dynamic service stitching

Features*• Firepower Threat Defense containers

- NGIPS, AMP, URL, Application, Visibility & Control (AVC)

• ASA container- Stateful FW, Virtual Private Network

(VPN), CGNAT• 3rd Party containers

- Radware DDoS- Other ecosystem partners

Carrier-class

Benefits• Industry Leading Performance/RU

- 600+% Higher Performance- 30% higher port density

Features• Compact, 3RU form factor• 10G/40G I/O; 100G ready• Terabit backplane• Low latency, Intelligent fastpath• NEBS in process

Modular

Benefits• Standards and interoperability• Flexible Architecture

Features• Template driven security• Secure containerization for customer apps• Restful/JSON API• 3rd party orchestration/management

* Contact Cisco for services availability


Enables a revolution in data center securitySuperior Threat Defense

Security Policy Follows Workloads

Flexible & Cost Effective

Validated superior by independent labs and industry analysts.

The only platform with Gartner-defined NGIPS* with automated threat impact analysis.

Partner ecosystem enables additional, tightly integrated, security services (e.g., DDoS mitigation)

Highest performance and port density per RU in the industry.

Single appliances up to: 240Gbps throughput — 30Gbps+ per flow, sub-5 microsecond latency, 100Gbps interface-ready.

Need more? Cluster up to five units for 1.2 Tbps of power

Maintain consistent security policy across physical, virtualized, and cloud topologies.

Firepower 9300 interoperates with virtualized Cisco ASAv and NGIPSv.

Moving to SDN/ACI? Let’s talk about orchestration andmicrosegmentation.

Investment protection with a balanced mix of hardware acceleration and x86 complex optimization to address evolving threats and protocols.

Modular architecture for both security modules and interfaces.

Lower power consumption.

Low Latency,High Speed

* Contact Cisco for services availability


With the most powerful solution in the industry

NGFW

Block and monitor unauthorized access and activity at L2-7

NGIPS

Detect, prevent, and respond to real-time threats to your network

URL Filtering

Restrict access to specific sites and sub-sites, as well as categories of sites

VPN

Protect both remote users and site-to-site connections with granular control

W W W

Integrated Intelligent Services FrameworkIntelligent processing for more effective detection, higher performance, and simplified management

AMP

Identify and target breaches and malware for analysis and response

Third Party

Open API enables a range of additional tools for customized protection


10010001011110001011

10

10010001011110001011

10

10010001011110001011

10

10010001011110001011

10

10010001011110001011

10

Legacy Security: siloed, inefficient, expensive

Data Packet

10010001011110001011

10

/

10010001011110001011

10

DDoS Platform

SSL Platform FW Platform

WAF Platform

IPS Platform

Sandbox Platform

SSL

DDoS WAF

FW IPS

Sandbox

Reduced Effectiveness Increased Latency Slows Network Static & Manual


Cisco transforms Security Service IntegrationData Packet

10010001011110001011

10

DDoS Platform

SSL Platform FW Platform

WAF Platform

IPS Platform

Sandbox

SSL

DDoS WAF

FW IPS

Sandbox

Limited effectiveness Increased latency Slows network Static & ManualUnified Platform

Data Packet

100100010111100010

1110DDoS FW WAF NGIPSSSL AMP

Inte

grat

ed

Maximum protection Highly efficient Scalable processing Dynamic

Silo

ed

Key:Cisco Service

3rd Party Service


Unified Platform

Looking forward: intelligent service stitching

Metadata tag

Data Packet

100100010111100010

1110DDoS SSL WAF NGIPS AMPFW

Smart tags eliminate needless re-inspection

Automates security service intelligence

Optimize security via dynamic service stitching

xxx

Key:

Cisco Service

3rd Party Service


Operational Efficiency

Integrated Security

Enhanced Agility

High speed, scalable security

Dynamic service stitching

Dynamic provisioning across physical, virtual, and cloud

Automated and consistent security policies

Lower integration costs and complexity

RESTful APIs and 3rd party tool integration

Best of Breed security = Cisco + 3rd party

Security services in a consolidated platform

Visibility and correlation

Firepower 9300 threat-centric security benefits


Malware

Client applications

Operating systems

Mobile Devices

VOIP phones

Routers & switches

Printers

C & C Servers

Network Servers

Users

File transfers

Web applications

Applicationprotocols

Threats

No other solution offers this level of visibilityThe more infrastructure you see, the better protection you get

Typical IPS

Typical NGFW

Cisco Firepower 9300 Multi-Service Appliance


Dynamic controlSave time with intelligent and consistent management

Dynamic control

Provision security seamlessly along with other data center resources

Increase security effectiveness by simplifying policy creation and enforcement

Manage everything centrallyfrom one controller*, enabling consistent policies across users and applications

*ACI functionality only


Through Trustsec secure provisioning

Master

Slaves

Cisco ASA 5585-XFirewall Cluster

Cisco SecurityManager

Cisco UCS Director

PhysicalAccess

Compute

Storage

Converged Network Stack

vSphere

AppOS

AppOS

AppOS

AppOS

Tier 1

CiscoNexus1000V

vSphere

AppOS

AppOS

AppOS

AppOS

Tier 2

CiscoNexus1000V

AppOS

AppOS

AppOS

AppOS

Tier N

CiscoNexus1000V

Vblocks/FlexPods

CiscoNexus

IT managed devices

Personal devices

Wired user

Wireless user

Remote VPN user

Identity Services Engine

Useridentity

Role-based policies

Datacenter

SG tags

Policies

SG tags

SG tags

ASA firewall learns when a new workload is provisioned and

automatically applies security policy

Administrator assigns workload to proper group. Switches send

update to devices for policy maps


Or through ACI’s unified operations

Global data center locations

Traditional datacenter

Next Gen

APIC*

Private

VirtualPhysical VirtualPhysicalPhysical

Datacenter administration

Public

Datacenter

Consistent security

Data Architect

Storage Admin

Business App DevOps



And APIC’s simplified provisioning

Manual, complex and time-consuming Automated, simplified and efficient

FirewallFirewallFirewallFirewall

APIC*

Security Policies

Before AfterSecurity Policies

FirewallFirewallFirewallFirewall



Cisco is the clear leader here…IT decision-makers have selected Cisco as the top data center security solution supplier, across all 10 separate categories, three years in a row.

Infonetics Research Report Experts: Data Center Security Strategies and Vendor Leadership: North American Enterprise Surveys - 2013, 2014, 2015

“ ”

Trust the market leader


With a proven Validated Design portfolio

Cyber Threat Defense for Data Center

Threat Managementwith NextGen IPS

ASA Clustering with FirePOWER Services

Secure Enclave Architecture

Cisco Secure Data Center for the Enterprise Solution Portfolio

Converged Infrastructure• Compute• Storage• Hypervisor (Flexpod,

Vblock, VSPEX)VirtualizationInfrastructure MgmtAccess LayerSecure Enclaves

Firewall ClusteringIntrusion PreventionReal Time UpdatesManagementTrustSec• SXP• Secure Group Tags• Policy Enforcement• SGACLs• FWACLS

NextGen IPS in ASA ClusterDefense CenterFireSIGHTUser ContextApplication ControlURL FilteringNetwork-Based AMPEnd Point AMP (Client and Server)

Lancope Stealthwatch• FlowCollector• FlowSensorNetFlowNSEL (Network Security Event Logging)

ASA Clustering with FirePOWER Services

Threat Managementwith NextGen IPS

Cyber Threat Defense for Data Center

CiscoVerifiedDesign

CiscoVerifiedDesign

CiscoVerifiedDesign

CiscoVerifiedDesign


With Cisco you get…

Superior agility, protection and control

Service from the #1 ranked data center security vendor

Proven design and implementation guidance


End-to-End Network Visibility from SP Core to

Customer Premise

UnmatchedVisibility

Consistent Control

Consistent Policies Across Network, Data Center, and

Workloads

Complexity Reduction

Reduce IT Silos, Respond Faster to New Opportunities & Business Models

Detect & Mitigate Advanced Threats

across CPE, Cloud, and Network

Advanced Threat Protection

Cisco’s Differentiated Value


Learn more

Visit the Secure Data Center Solutions site

Visit the Design Zone site

Obtain a Capabilities Gap Assessment from Cisco Services to help maximize your Cisco investment

http://www.cisco.com/go/securedc

http://www.cisco.com/go/designzone


Thank You

Documents

Secure Data Center Solution with FP 9300 - BDM