Page 1

Private Cloud on Cisco Integrated Infrastructures with Cisco UCS Director

Chris O'Brien, Technical Marketing Manager

Creating a more flexible, functional, and secure application environment

Page 2

© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

Today's Security: multiple products, policies, unmanaged devices and cloud access

[Figure: topology spanning the commercial/SMB branch, campus, cellular and Internet edges, the enterprise DC (UCS, global orchestration), the SP core/edge (ASR), the SP cloud (CSR, web security gateway), SaaS and the public WWW, with any-to-any connectivity across all of them]

Resulting problems:
• Multiple management paradigms
• Multiple identity stores
• Isolated threat intelligence
• Inconsistent enforcement

Page 3

DC | Cloud transition: Physical → Virtual → Cloud

• Unifying the network services
• Securing multi-tenancy designs
• Extending security posture

Drivers at each stage: agility, flexibility, automation, efficiency, visibility, consistency, consolidation, cost reduction, elasticity.

Page 4

"Bolted on" security inhibits data center acceleration

• Erodes efficiency gains and delays new services implementation by months
• Cannot scale to today's data center network performance requirements
• Cannot proactively defend against emerging threats

Page 5

The New Security Model (Cisco): the Attack Continuum

• Before: Control, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate

Applied across network, endpoint, mobile, virtual and cloud, moving from point-in-time to continuous protection.

Page 6

The Secure Enclave Architecture (SEA)

Page 7

Secure Enclave Architecture: Security Services on Cisco Integrated Systems

[Figure: tenants A, B and C, each an enclave spanning virtualized and bare-metal compute and hypervisor (VM, VM, bare metal) plus network and services, with the attack-continuum legend: Before (Control, Enforce, Harden), During (Detect, Block, Defend), After (Scope, Contain, Remediate); point in time to continuous]

• Cisco and our technology partners (NetApp, EMC, Lancope, etc.) working together
• Consistent design and documentation
• Builds on top of the existing FlexPod Data Center
• Strong focus on applications

Page 8

Secure Enclave Framework: Design Principles

• Least common mechanism: consolidate the common/shared modules (enforcement) into one global implementation rather than duplicating them per tenant or per tier. Fewer copies of a mechanism means fewer places where it can be compromised, and it brings performance and maintenance benefits as well.
• Minimized sharing: sharing should be limited to reduce potential encroachment; only explicitly requested and granted access is allowed.
• Efficient mediated access: the functions of access control should be allocated to the lowest possible level (closer to hardware) while still meeting flexibility requirements.

Page 9

Cisco UCS Director Integration

[Figure: UCS Director as the single pane of glass over the domain managers for OS and virtual machines, storage, network and compute, delivering tenants A, B and C as enclaves across virtualized and bare-metal compute, hypervisor, network and services]

Integrated system components:
• Cisco UCS B-Series Blade Servers, C-Series and UCS Manager (compute)
• Cisco Nexus family switches (network)
• NetApp FAS series storage systems (storage)

What UCS Director provides:
• On-demand automated delivery
• Policy-driven provisioning
• Single pane of glass across VMs, compute, network and storage
• End-to-end automation and lifecycle management

Page 10

Enclave Model: Logical Structure

[Figure: an enclave with a web tier (W1..WX), application tier (App1..AppX) and database tier (DB1..DBx); public access control between the external network and the web tier, private access control between tiers, Cisco TrustSec, optional load balancing, Cisco Cyber Security and Threat Defense, and a separate management network]

• Access control point into the secure region (public)
• Access control within and between application tiers (private)
• Cyber Threat Defense (CTD) operations to expose and identify malicious traffic
• Cisco TrustSec (CTS) using Security Group Access control to identify server roles and to enforce security policy
• Out-of-band management for centralized administration of the enclave and its resources
• Optional load balancing capabilities

Page 11

Secure Enclave Architecture: Security Services on a Cisco Integrated System

[Figure: the same tenant A/B/C enclave diagram, now with UCS Director orchestrating the integrated system]

• Latest and greatest Cisco security capabilities all working together
• Consistent design and documentation
• Builds on top of Cisco Integrated Systems
• Strong focus on enterprise applications
• Initial solution target: 2Q CY2014

Page 12

Enclave Framework: Transparent Firewalling

[Figure: Enclave-1 (web, application and database VMs) on VMware ESXi hosts in a VMware HA cluster, attached through Cisco UCS Fabric Interconnects and Cisco Nexus switching to a Cisco ASA transparent virtual context. Cisco ISE Policy Manager pushes a PAC to the ASA and SXP carries SGT bindings from the Nexus 1000V. VLAN 2001 is the Enclave-1 outside VLAN, VLAN 3001 the Enclave-1 inside VLAN, VLAN 3253 the common VTEP VLAN and VXLAN 30011 the Nexus 1000V segment. Cisco VSG and load balancing sit inside the enclave; each host carries storage vmkernel interfaces (labelled vmk3/vmk4 in the figure)]

• ISE provides centralized authentication and the security group table information via the Protected Access Credential (PAC) file
• The Security Group Tag (SGT) is applied at the VM port profile
• SXP (SGT Exchange Protocol) propagates SGT information across the fabric from the Nexus 1000V
• An ASA virtual context in transparent mode provides access control
• A single VLAN into the enclave
• One or more VXLANs for VM-to-VM traffic
• Virtual Security Gateway (VSG) provides access control across the enclave
• vmk4 supports NFS for the enclave
• vmk5 supports iSCSI for the enclave
• Load balancing services (optional)

Page 13

Enclave Traffic Patterns

[Figure: two copies of the enclave model (web, application and database tiers behind public and private access control, Cisco TrustSec, load balancing, Cyber Security and Threat Defense, with external and management networks) placed side by side]

• North-south: traffic between the external network and the enclave, crossing the public access control point
• East-west: traffic between tiers inside an enclave and between enclaves, crossing private access control

Page 14

Summary

• Builds on top of existing Cisco Integrated Systems (standardize the physical and logical platforms)
• Latest and greatest Cisco security capabilities all continuously working together (Before, During, After)
• Strong focus on applications
• Expedite, and remove risk, through automation

[Figure: tenant A/B/C enclaves on virtualized and bare-metal compute, hypervisor, network and services, orchestrated by UCS Director]

Page 15

Thank you.

Page 16

Reference Material

• Cisco Secure Enclaves Architecture Design Guide: http://www.cisco.com/c/en/us/products/collateral/servers-unified-computing/ucs-manager/whitepaper-c07-731204.html
• Secure Data Center for Enterprise Solution Design Guide: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/sdc-dg.pdf
• Cisco Secure Data Center for Enterprise Implementation Guide: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/sdc-ig.pdf
• Cisco Cyber Threat Defense for the Data Center Solution, First Look Guide: http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/ctd-first-look-design-guide.pdf