Threat-Centric Security for Service Providers
Enabling Open & Programmable Networks
September 1, 2015
Sam Rastogi, Service Provider Security Product Marketing, Security Business Group
Bill Mabon, Network Security Product Marketing, Security Business Group
2 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Trends: New Opportunities …
• The world has gone mobile
• Traffic growth, driven by video
• Rise of cloud computing
• Machine-to-Machine
• Changing Customer Expectations: Ubiquitous Access to Apps & Services
• 10X Mobile Traffic Growth From 2013-2019
• Changing Enterprise Business Models: Efficiency & Capacity
• Soon to Change SP Architectures / Service Delivery
• Emergence of the Internet of Everything: People, Process, Data, Things
Chart: Petabytes per Month, 2013-2018 (0 to 120,000). Internet Video (57%, 75%) and Other (43%, 25%); 23% Global CAGR 2013-2018.
New Threats
Dynamic Threat Landscape
Increasing Threat Sophistication
Risks to Service Providers and Their Customers
Security for Open & Programmable Networks
Cisco Service Provider Architecture (diagram): Applications & Services; Evolved Services Platform (Service Broker, Orchestration Engine, Catalog of Virtual Functions, Service Profile, Smart Service Capabilities); Evolved Programmable Network (Storage, Network, Compute); Cisco Services; Security. Open APIs connect each layer.
Benefits: • New Revenue Streams • Increased Business Agility • Lower Operating Costs
Legacy Security: Costly & Complex
Siloed
Inefficient
Manual
Limited integration, security gaps
Hard-coded processes
Over-provisioned, static, and slow
Hinders realization of open and programmable networks
Legacy Security: Siloed, Inefficient & Expensive
Diagram: each data packet passes serially through separate platforms: DDoS Platform, SSL Platform, FW Platform, WAF Platform, IPS Platform, Sandbox Platform.
Reduced Effectiveness Increased Latency Slows Network Static & Manual
Cisco’s Threat-Centric Security Model
Network | Endpoint | Mobile | Virtual | Cloud
Point in Time and Continuous
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Covers the Entire Attack Continuum
Advanced Malware Protection VPN Firewall NGIPS DDoS
Policy Management Application Control
Secure Access + Identity Services
Malware Sandboxing Web Security
Email Security Network Behavior Analysis
Security Services
Threat-Centric Security for Service Providers
Operational Efficiency | Integrated Security | Enhanced Agility
• High speed, scalable security
• Dynamic service stitching
• Dynamic provisioning across physical, virtual, and cloud
• Automated and consistent security policies
• Lower integration costs and complexity
• RESTful APIs and 3rd party tool integration
• Best of Breed security = Cisco + 3rd party
• Security services in a consolidated platform
• Visibility and correlation
Firepower 9300 Platform: High-Speed, Scalable Security

Carrier-Class
Benefits • Industry Leading Performance / RU • 600% Higher Performance • 30% higher port density
Features • Compact, 3RU form factor • 10G/40G I/O; 100G ready • Terabit backplane • Low latency, Intelligent fastpath • NEBS ready

Modular Multi-Service Security
Benefits • Integration of best-of-breed security • Dynamic service stitching
Features* • ASA container • Firepower Threat Defense containers (NGIPS, AMP, URL, AVC) • 3rd Party containers (Radware DDoS, Other ecosystem partners)

Benefits • Standards and interoperability • Flexible Architecture
Features • Template driven security • Secure containerization for customer apps • RESTful/JSON API • 3rd party orchestration/management
* Contact Cisco for services availability
Cisco Transforms Security Service Integration
Siloed: a data packet passes through separate DDoS, SSL, FW, WAF, IPS and Sandbox platforms. Limited effectiveness, Increased latency, Slows network, Static & Manual.
Unified Platform (Integrated): a data packet passes through DDoS, FW, WAF, NGIPS, SSL and AMP on one platform. Maximum protection, Highly efficient, Scalable processing, Dynamic.
Key: Cisco Service / 3rd Party Service
Roadmap & Vision Consistent Security Across Physical, Virtual & Cloud
Virtual Cloud Physical
Securing Mobile and Carrier Networks
Technology trends are driving use cases
EPC interfaces: S1, Gi/SGi, S8, SWu, SP Wi-Fi
Trends: 3G-to-LTE; IPv4-to-IPv6; Hotspots; Stateful devices; Virtual; Applications & smart phones
Securing network edges is critical
Gi/SGi Interface (Internet)
• Increase in connected devices and app complexity
• Growing number of IP addresses
• Migration from IPv4 to IPv6 protocol
S8 Interface (Roaming)
• Subscribers increasingly access customer EPCs via other operators and untrusted networks
S1 Interface
• Proliferation of microcells, cell stations, Evolved Node Bs (eNodeBs), or hotspots
SWu Interface (OTT)
• Voice over Wi-Fi as a business imperative
SP Wi-Fi
• Subscribers using Mobile SPs' networks for their own personal Wi-Fi hotspots
Diagram: all of these interfaces terminate on the EPC.
Security for Carrier and Mobile Edge Use Case
Diagram: Mobile Packet Core with a Mobile Access Edge, a Partner Edge, and an Internet Edge facing the Internet.
HW Requirements • Ultra High Performance FW • High Port Density, 100Gbps • NEBS • Power Efficiency
SW Requirements
• Mobile Access: Strong authentication and authorization (IKEv1/v2 & PKI protocols); Data confidentiality with IPsec ESP; LTE S1 FW (GTP, S1-SP FW)
• Partner Edge: GTP, NAT
• Internet Edge: FW, NAT, IPS, Content Filtering
Securing the Data Center
In Data Center Security, Threat Defense, Agility, and Control are Challenges
• Time-consuming provisioning
• Complex data flows
• Unpredictable data volume
• Unique Threats
Data Centers Require Specialized Security
Standard edge security vs. Data center security
Standard edge security: Sees symmetric traffic only
Data center security: Requires asymmetric traffic management
Standard edge security: Scales statically for predictable data volume, limited by edge data connection
Data center security: Must scale dynamically to secure high-volume data bursts
Standard edge security: Monitors ingress and egress traffic
Data center security: Needs to secure intra-data-center traffic
Standard edge security: Is deployed typically as a physical appliance
Data center security: Requires both a physical and virtual solution
Standard edge security: Deploys in days or weeks
Data center security: Must deploy in hours or minutes
Deployed Where You Need It Most
East-west traffic: 76%
North-south traffic: 17%
Inter-data-center traffic: 7%
Threat Centric Security to Protect Your Data Center from Sophisticated Attacks
Sources: Verizon 2014 Data Breach Investigations Report (DBIR); Gartner; Cisco Annual Security Report 2015
Today's adversaries are more advanced than ever
Well-funded. Both organized crime and nation-state adversaries.
Inventive. Agile methodology, and now finding East-West vulnerabilities to exploit.
Insidious. They blend in with the targeted organization, sometimes taking weeks or months to establish multiple footholds in infrastructure and user databases.
60% of data is stolen in hours; detection can take weeks or months
95% of data center breaches can be tied to misconfigured security solutions
100% of companies connect to domains that host malicious files or services
Security for Data Center Requirements
• Scalability: High Throughput • Multi-Tenancy: Multi-Context • Segmentation: Internal/External • North-South, East-West traffic • Multi-Site Security & Mobility • Multi-Vendor Orchestration
Benefits • High Scale: access rule, TrustSec • Network Integration: Routing, switching, inter-site DC extensions • High Density: 40G/100G • Clustering: Intra-chassis, Inter-chassis, Inter-site • Flow offload • Consistent Policy Mgmt
Global Orchestration
Trust The Market Leader
“Cisco is the clear leader here…” IT decision-makers consider Cisco the top data center security solution supplier across 10 separate categories.
Infonetics Research Report Experts: Data Center Security Strategies and Vendor Leadership: North American Enterprise Survey, March 2014 and April 2015
Cisco Difference for Service Providers
Unmatched Visibility: End-to-End Network Visibility from SP Core to Customer Premise
Consistent Control: Consistent Policies Across Network, Data Center, and Workloads
Complexity Reduction: Reduce IT Silos, Respond Faster to New Opportunities & Business Models
Advanced Threat Protection: Detect & Mitigate Advanced Threats across CPE, Cloud, and Network