Cisco Secure Data Center Solutions
Bill McGee, Sr. Manager, Data Center Security, [email protected]
© 2015 Cisco and/or its affiliates. All rights reserved.
In Data Center Security, Agility, Threat Defense, and Control are Challenges
• Time-consuming provisioning
• Complex data flows
• Unpredictable data volume
• Unique threats
Data centers require specialized security

Standard edge security                                   Data center security
Sees symmetric traffic only                              Requires asymmetric traffic management
Scales statically for predictable data volume,           Must scale dynamically to secure high-volume data bursts
  limited by the edge data connection
Monitors ingress and egress traffic                      Needs to secure intra-data-center traffic
Deployed typically as a physical appliance               Requires both a physical and a virtual solution
Deploys in days or weeks                                 Must deploy in hours or minutes
It’s tempting to sacrifice security to achieve agility
• Incomplete security coverage
• Inconsistent levels of security
• Compromised configuration
• Proliferating user access
Deploy security where you need it most
• East-west traffic: 76%
• North-south traffic: 17%
• Inter-data center traffic: 7%
Without specialized security, your data center is more exposed to sophisticated threats
• 60% of data is stolen in hours; detection can take weeks or months
• 95% of data center breaches can be tied to misconfigured security solutions
• 100% of companies connect to domains that host malicious files or services

Today’s hackers are more advanced than ever
• Well-funded. They are part of massive operations.
• Inventive. They rapidly change their tactics and tools, finding new vulnerabilities to exploit.
• Insidious. They blend in with the targeted organization, sometimes taking weeks or months to establish multiple footholds in infrastructure and user databases.

Sources: Verizon 2014 Data Breach Investigations Report (DBIR); Gartner; Cisco Annual Security Report 2015
Only Cisco offers the agility, protection, and control you need to truly protect the data center
• Unmatched agility
• Integrated protection
• Dynamic control
Unmatched agility: Achieve the flexibility and performance required without compromising security
• Deploy and operate consistently across data center designs, geographies, and physical, virtual, and cloud environments
• Increase resource flexibility with security policies that adjust as workloads shift
• Scale dynamically to apply the right security at the right time, aligned to each workload’s varying demands
Through link scalability
• Multiple uplink routers
• Multiple physical links
• OSPF/BGP routing for rapid failure detection
• Equal Cost Multipath (ECMP)
• Full flow asymmetry support
• Port aggregation (EtherChannel): LACP for dynamic bundling and failure detection
Device scalability
• Redundant firewalls: clustered as a single logical firewall, with clustering providing full state backup
• Redundant switches: vPC/VSS as a single virtual switch, using Virtual PortChannel (vPC) on Nexus and Virtual Switch System (VSS) on Catalyst
• Complete fault tolerance: spanned EtherChannel with LACP for ports, Non-Stop Forwarding (NSF) for OSPF/BGP
And site scalability
• Local traffic processing
• Endpoint mobility
• VLAN segment extension with Overlay Transport Virtualization (OTV)
• Inter-site clustering (Site A to Site B): clustering retains connection state, with full state backup and site-specific switch connections
Or through ACI service chaining
[Diagram: a data packet enters a unified platform, where an SSL stage and metadata tagging feed Service 1, Service 2, FW, IPS, and a specialized security service]
Policy Scripting | Management | Reporting | Logging | Analytics
All with elastic scale and performance
• On-demand security scales up and down as traffic increases and decreases
• 16-way load distribution with state synchronization**
• Pool across physical security appliances
Integrated protection: Benefit from robust, purpose-built security that won’t slow you down
• Secure east-west data center traffic flows without crippling data center operations
• Prioritize high-risk events automatically so you can focus on the potential threats that are most likely to be problems
• Defend critical resources in real time, including custom applications, mission-critical infrastructure, and sensitive data
• Remediate and adapt intelligently by efficiently understanding and cleaning up breaches
Through a threat-centric security model
Attack Continuum (across Network, Endpoint, Mobile, Virtual, Cloud):
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Point in Time / Continuous
With the smartest threat defense available
• Stay protected against the latest threats with regular updates pushed automatically
• Identify advanced threats quickly with industry-leading threat data and research
• Get industry-specific threat intelligence tailored to your business
• Catch advanced threats endpoints miss with Cisco’s threat engineers and analysts

Talos (Threat Intelligence, Research, Response)
[Diagram: telemetry from Email, Endpoints, Web, Networks, NGIPS, and Devices feeding Talos]
• 24x7x365 operations
• 600+ researchers
• Monitors 35% of the world’s email traffic
• Receives 1.1 million incoming malware samples daily
• Performs 4.9 billion AV and web filtering blocks per month
• Processes 100 terabytes of security intelligence daily
Market-leading ASA NGFW
• Deploy consistent policy between virtual and physical devices
• Support traditional and next-gen data centers (SDN, NFV, ACI)
• Fully integrated into ACI: APIC-based provisioning, orchestration, and management

Cisco ASA Virtual Firewall
• Full ASA feature set
• Hypervisor agnostic
• vSwitch independent
• Dynamic scalability

Cisco ASA 5585-X Series
• Now with FirePOWER NGIPS services
• Up to 640 Gbps throughput
• 16-node, multi-site clustering
• Clusters managed as a single device
FirePOWER Next Generation IPS
• Industry-best NG intrusion prevention
• Real-time contextual awareness
• Full stack visibility
• Unparalleled performance and scalability
• Physical and virtual form factors
• Detects and inspects custom applications
• Easily add Application Control, URL Filtering, and Advanced Malware Protection (AMP) with optional subscription licenses
And Cisco Advanced Malware Protection
All detection is less than 100% effective
• Reputation filtering and file sandboxing
• Dynamic analysis
• Machine learning
• Fuzzy fingerprinting
• Advanced analytics
• One-to-one signature
With continuous attack analysis
[Diagram: breadth and control points (Web, Endpoints, Network, Email, Devices, IPS) send a telemetry stream of file fingerprint and metadata, process information, and file and network I/O into a continuous feed and continuous analysis backed by Talos + Threat Grid intelligence, producing Trajectory, Behavioral Indications of Compromise, Threat Hunting, and Retrospective Detection]
Introducing Firepower 9300

Multi-service security
Benefits
• Integration of best-of-breed security
• Dynamic service stitching
Features*
• Firepower Threat Defense containers: NGIPS, AMP, URL, Application Visibility & Control (AVC)
• ASA container: stateful FW, Virtual Private Network (VPN), CGNAT
• 3rd-party containers: Radware DDoS, other ecosystem partners

Carrier-class
Benefits
• Industry-leading performance per RU: 600+% higher performance, 30% higher port density
Features
• Compact, 3RU form factor
• 10G/40G I/O; 100G ready
• Terabit backplane
• Low latency, intelligent fastpath
• NEBS in process

Modular
Benefits
• Standards and interoperability
• Flexible architecture
Features
• Template-driven security
• Secure containerization for customer apps
• RESTful/JSON API
• 3rd-party orchestration/management

* Contact Cisco for services availability
Enables a revolution in data center security

Superior Threat Defense
• Validated superior by independent labs and industry analysts.
• The only platform with Gartner-defined NGIPS* with automated threat impact analysis.
• Partner ecosystem enables additional, tightly integrated security services (e.g., DDoS mitigation).

Low Latency, High Speed
• Highest performance and port density per RU in the industry.
• Single appliances up to 240 Gbps throughput, 30 Gbps+ per flow, sub-5-microsecond latency, 100 Gbps interface-ready.
• Need more? Cluster up to five units for 1.2 Tbps of power.

Security Policy Follows Workloads
• Maintain consistent security policy across physical, virtualized, and cloud topologies.
• Firepower 9300 interoperates with virtualized Cisco ASAv and NGIPSv.
• Moving to SDN/ACI? Let’s talk about orchestration and microsegmentation.

Flexible & Cost Effective
• Investment protection with a balanced mix of hardware acceleration and x86 complex optimization to address evolving threats and protocols.
• Modular architecture for both security modules and interfaces.
• Lower power consumption.

* Contact Cisco for services availability
With the most powerful solution in the industry
Integrated Intelligent Services Framework: intelligent processing for more effective detection, higher performance, and simplified management
• NGFW: Block and monitor unauthorized access and activity at L2-7
• NGIPS: Detect, prevent, and respond to real-time threats to your network
• URL Filtering: Restrict access to specific sites and sub-sites, as well as categories of sites
• VPN: Protect both remote users and site-to-site connections with granular control
• AMP: Identify and target breaches and malware for analysis and response
• Third Party: Open API enables a range of additional tools for customized protection
Legacy Security: siloed, inefficient, expensive
[Diagram: each data packet passes in turn through separate DDoS, SSL, FW, WAF, IPS, and Sandbox platforms]
Reduced effectiveness | Increased latency | Slows network | Static & manual
Cisco transforms Security Service Integration
[Diagram: siloed platforms (DDoS, SSL, FW, WAF, IPS, Sandbox) give limited effectiveness, increased latency, a slowed network, and static, manual operation; a unified platform integrating DDoS, FW, WAF, NGIPS, SSL, and AMP gives maximum protection, high efficiency, scalable processing, and dynamic operation]
Key: Cisco service / 3rd-party service
Looking forward: intelligent service stitching
[Diagram: a data packet carrying a metadata tag traverses DDoS, SSL, WAF, NGIPS, AMP, and FW on a unified platform; key: Cisco service / 3rd-party service]
• Smart tags eliminate needless re-inspection
• Automates security service intelligence
• Optimize security via dynamic service stitching
Firepower 9300 threat-centric security benefits
Operational Efficiency | Integrated Security | Enhanced Agility
• High speed, scalable security
• Dynamic service stitching
• Dynamic provisioning across physical, virtual, and cloud
• Automated and consistent security policies
• Lower integration costs and complexity
• RESTful APIs and 3rd-party tool integration
• Best-of-breed security = Cisco + 3rd party
• Security services in a consolidated platform
• Visibility and correlation
No other solution offers this level of visibility
The more infrastructure you see, the better protection you get
[Chart comparing the visibility of a Typical IPS, a Typical NGFW, and the Cisco Firepower 9300 Multi-Service Appliance across: Malware, Client applications, Operating systems, Mobile devices, VoIP phones, Routers & switches, Printers, C&C servers, Network servers, Users, File transfers, Web applications, Application protocols, Threats]
Dynamic control: Save time with intelligent and consistent management
• Provision security seamlessly along with other data center resources
• Increase security effectiveness by simplifying policy creation and enforcement
• Manage everything centrally from one controller*, enabling consistent policies across users and applications
*ACI functionality only
Through TrustSec secure provisioning
[Diagram: a Cisco ASA 5585-X firewall cluster (master and slave units), managed by Cisco Security Manager and Cisco UCS Director, sits in front of a converged network stack (physical access, compute, storage on Vblocks/FlexPods) running vSphere application tiers (Tier 1 to Tier N, each with AppOS workloads behind a Cisco Nexus 1000V) and Cisco Nexus switches; IT-managed devices, personal devices, and wired, wireless, and remote VPN users are classified by the Identity Services Engine into user identity and role-based policies, which reach the data center as Security Group (SG) tags and policies]
• ASA firewall learns when a new workload is provisioned and automatically applies security policy
• Administrator assigns workload to proper group; switches send update to devices for policy maps
Or through ACI’s unified operations
[Diagram: APIC* provides consistent security and data center administration across global data center locations, spanning traditional and next-gen data centers, private and public, physical and virtual; roles shown: Data Architect, Storage Admin, Business App DevOps]
*ACI functionality only
And APIC’s simplified provisioning
• Before: manual, complex, and time-consuming [Diagram: security policies configured on each of four firewalls individually]
• After: automated, simplified, and efficient [Diagram: APIC* distributes security policies to the four firewalls]
*ACI functionality only
Trust the market leader
“Cisco is the clear leader here… IT decision-makers have selected Cisco as the top data center security solution supplier, across all 10 separate categories, three years in a row.”
Infonetics Research Report Experts: Data Center Security Strategies and Vendor Leadership: North American Enterprise Surveys, 2013, 2014, 2015
With a proven Validated Design portfolio
Cisco Secure Data Center for the Enterprise Solution Portfolio (Cisco Validated Designs):

Secure Enclave Architecture
• Converged infrastructure: compute, storage, hypervisor (FlexPod, Vblock, VSPEX)
• Virtualization
• Infrastructure management
• Access layer
• Secure enclaves

ASA Clustering with FirePOWER Services
• Firewall clustering
• Intrusion prevention
• Real-time updates
• Management
• TrustSec: SXP, Secure Group Tags, policy enforcement, SGACLs, FWACLs

Threat Management with NextGen IPS
• NextGen IPS in ASA cluster
• Defense Center / FireSIGHT
• User context
• Application control
• URL filtering
• Network-based AMP
• End point AMP (client and server)

Cyber Threat Defense for Data Center
• Lancope StealthWatch: FlowCollector, FlowSensor
• NetFlow
• NSEL (Network Security Event Logging)
With Cisco you get…
Superior agility, protection and control
Service from the #1 ranked data center security vendor
Proven design and implementation guidance
Cisco’s Differentiated Value
• Unmatched Visibility: End-to-end network visibility from SP core to customer premise
• Consistent Control: Consistent policies across network, data center, and workloads
• Complexity Reduction: Reduce IT silos, respond faster to new opportunities and business models
• Advanced Threat Protection: Detect and mitigate advanced threats across CPE, cloud, and network
Learn more
• Visit the Secure Data Center Solutions site
• Visit the Design Zone site
• Obtain a Capabilities Gap Assessment from Cisco Services to help maximize your Cisco investment

Thank You