Posted: 14-Jul-2015 | Category: Technology | Uploaded by: cisco-public-sector
Creating Highly Secure Data Centers
Jamie Sanbower, CCIE #13637 R&S/Security/Wireless
Technical Solutions Architect
February 2015
Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Agenda
§ Data Center Security Primer
§ Cisco’s DC Security Architecture
§ Threat Focused Visibility
§ Q&A
Data Center Security Primer
Data Center Evolution
Distributed:
§ Manual provisioning
§ Limited scaling
§ Rackwide VM mobility
Fabric-Based:
§ Policy-based provisioning
§ Scale physical and virtual/cloud
§ DC-wide/Cross-DC VM mobility
Application-Directed:
§ Service-centric provisioning
§ Flexible – Anywhere, anytime
§ Cross-cloud VM mobility
[Diagram: compute, storage, services and L2/L3 layers evolving into a programmable, provisionable cloud fabric with monitoring, provisioning, networking and end-user apps on top; stage captions “Integrated Fabric and Cloud” and “World of Many Clouds”.]
Data Center Security Requirements
Scalability: Need for policy enforcement for high speed networks
Segmentation: Policy between specific groups, users, or applications
Resiliency: High availability is imperative for applications
Expanded Deployment Options: Policy enforcement on inter-DC traffic
Threat Centric: Threat correlation with contextual analysis
Virtualization: Security for east-west traffic in multi-hypervisor environments
Edge Security NOT Designed for the DC
Internet Edge Security:
• Only sees symmetric traffic
• Mostly sees Internet apps and micro-apps
• Static scalability for predictable data volume, limited by edge data connection
• Monitors ingress and egress traffic
• Only requires a physical appliance; virtual devices (if any) limited to one hypervisor
• Standard deployment takes days or weeks
• Vendor support focused on traditional network deployments
Data Center Security:
• Must manage asymmetric traffic
• Sees customized and home-grown applications
• Requires dynamic scalability to secure high-volume data bursts
• Security needs to be integrated in-line (East/West)
• Requires both a physical and a virtual solution; 42% of DCs have multiple hypervisors
• Must be deployed in hours or minutes
• The DC requires specialized support for planning, design, and implementation
1. Security Must Be Designed for the DC
Network Integration:
• Must be deployed dynamically and quickly
• Ties data center and security policy together
• Gives the right tool to the right team
Optimum Performance:
• Optimized for DC data bursts
• Highly available and resilient
• Matches security performance to network performance
• Supports asymmetric traffic
Threat-Based Security:
• North-south and East-west protection
• Signature and signatureless protection
• Reputation-based protection
• Custom application inspection
2. Security Must Address The DC Architecture
[Chart: share of data center traffic by direction]
• East – West Traffic: 76%
• North – South Traffic: 17%
• Inter-DC Traffic: 7%
3. Security Must Adapt As The DC Evolves
Changing business models and competitive environments are driving IT organizations down a DC evolutionary path: Virtualization, SDN, NFV, ACI, Cloud… But what about security?
4. Security Must Be Threat Oriented
Attack Continuum (across Network, Endpoint, Mobile, Virtual and Cloud):
• Before: Control, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate
Protection model: Point in Time to Continuous
5. Data Centers Don’t Exist In A Vacuum
Data – and threats – flow horizontally across a network
Cisco’s DC Security Architecture
Cisco Confidential 13 C97-731808-00 © 2014 Cisco and/or its affiliates. All rights reserved.
Combined Overview of CVD Architecture
[Diagram: SEA FlexPod with Active Directory, Identity Services Engine, Cisco Security Manager, Enterprise Core, NetFlow Generation Appliances, Cisco Nexus® 1000v Virtual Supervisor Module, data and CCL links, and SAN storage. The three validated designs overlaid on it are Cyber Threat Defense, Single Site ASA Clustering, and Threat Management with NextGen IPS.]
Secure Data Center for the Enterprise Portfolio
Modular approach for Customer Investment Protection
PLUS, a NEW CVD is now available for Secure DC Cloud! That’s FIVE solutions jointly validated to create a complete portfolio.
Simplifying Security Across the Enterprise
End-to-End Cisco TrustSec® Security
[Diagram: in the data center, a Cisco® ASA 5585-X firewall cluster (master and slaves) enforces Allow / Limited Access / Deny policies; Cisco® Security Manager supplies the policies and Cisco UCS® Director the SG tags. Roles-based policies cover authorized users, guest access and devices. User identity for campus and mobile workers: remote VPN users, IT-managed devices, wireless users, personal devices, wired users. Physical access layer: compute, storage and a converged network stack (vSphere hosts running App/OS workloads in Tier 1, Tier 2 … Tier N, each on a Cisco Nexus 1000V), Vblocks/FlexPods, Cisco Nexus® 7000, Identity Services Engine, WiFi.]
The ASA firewall learns when a new workload is provisioned and automatically applies security policy.
The administrator assigns the workload to the proper group; switches send updates to devices for policy maps.
System Isolation via Microsegmentation
Fabric or Traditional DC Network
Policy Per App Tier, Per VM, Per vNIC
• Control ingress/egress & inter-VM traffic: NGFW/NGIPS, FW, SGACL, PVLANs
• Traffic and Threat Visibility
• Advanced Malware Protection
• Administrative Segregation: Server • Network • Security
[Diagram: Tenant A and Tenant B VDCs, each with Web, App and DB tiers on Nexus 1000V, fronted by ASAv/NGFW and protected by VSG.]
ACI policy model ENABLES Micro-Segmentation across physical and virtual workloads
DATA CENTER MICRO-SEGMENTATION IN ACI USING EPG AND CONTRACTS
[Diagram: virtual and physical workloads grouped into EPGs]
§ ACI micro-segmentation provides security for east/west traffic
§ Supports physical and virtual workloads
§ Automated on white-list application centric policy model
§ L4-7 Security Device Integration and Policy Automation
§ Enables visibility and troubleshooting
ACI WHITELIST policy SUPPORTS “ZERO TRUST” MODEL
TRUST BASED ON LOCATION (Traditional DC Switch):
[Diagram: servers 1, 2, 3 and 4 attached to one switch]
Servers 2 and 3 can communicate unless blacklisted
ZERO TRUST ARCHITECTURE (Nexus 9000 with ACI):
[Diagram: servers 1 to 4 assigned to EPG 1 “WEB” and EPG 2 “APP”]
No communication allowed between Servers 2 and 3 unless there is a whitelist policy
Whitelist policy = Explicitly configured ACI contract between EPG 1 and EPG 2 allowing traffic between their members. ACI architecture allows flexible EPG membership, enabling a wide range of security policies.
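The difference between the two slide panels is easiest to see when the same packet is evaluated under both models. The Python below is an added example written for this page, not ACI configuration or Cisco code: a location-based switch that permits anything not blacklisted, beside an EPG/contract fabric that permits nothing without an explicit, directional contract. Endpoint names, the EPG membership (servers 1 and 2 in WEB, 3 and 4 in APP), the single TCP/8080 contract, the blacklist entry and the intra-EPG default are all constructed assumptions. The same group-then-policy lookup is what the TrustSec slide's SG-tag Allow / Limited Access / Deny matrix does with tags in place of EPGs.

```python
"""Zero-trust (whitelist) policy between endpoint groups versus location-based trust.

Added example for this page; it is not ACI configuration or Cisco code. Endpoint
names, EPG membership, the contract filter and the blacklist are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Filter:
    """One permitted service: protocol and destination port (None matches any port)."""
    proto: str
    dst_port: Optional[int] = None

    def matches(self, proto: str, dst_port: int) -> bool:
        return self.proto in ("any", proto) and self.dst_port in (None, dst_port)


@dataclass(frozen=True)
class Contract:
    """The consumer EPG may initiate connections to the provider EPG for these filters."""
    consumer: str
    provider: str
    filters: FrozenSet[Filter]


@dataclass
class WhitelistFabric:
    """EPG/contract model: no contract, no traffic (default deny)."""
    epg_of: Dict[str, str]                     # endpoint name -> EPG name
    contracts: List[Contract] = field(default_factory=list)
    intra_epg_allowed: bool = True             # assumed default; False isolates endpoints within an EPG

    def decide(self, src: str, dst: str, proto: str, dst_port: int) -> str:
        s_epg, d_epg = self.epg_of.get(src), self.epg_of.get(dst)
        if s_epg is None or d_epg is None:
            return "deny (unclassified endpoint)"  # no EPG, so no contract can ever match
        if s_epg == d_epg:
            return "allow (intra-EPG)" if self.intra_epg_allowed else "deny (intra-EPG isolation)"
        for c in self.contracts:
            # contracts are directional: only consumer -> provider connections match
            if c.consumer == s_epg and c.provider == d_epg and any(
                f.matches(proto, dst_port) for f in c.filters
            ):
                return f"allow (contract {s_epg}->{d_epg})"
        return "deny (no contract)"


@dataclass
class LocationTrustSwitch:
    """Traditional model: anything attached to the switch talks unless blacklisted."""
    blacklist: Set[Tuple[str, str]] = field(default_factory=set)

    def decide(self, src: str, dst: str, proto: str, dst_port: int) -> str:
        return "deny (blacklisted)" if (src, dst) in self.blacklist else "allow (default)"


def build_sample() -> Tuple[WhitelistFabric, LocationTrustSwitch]:
    """Constructed sample: servers 1-2 in EPG WEB, 3-4 in EPG APP, one WEB->APP contract."""
    fabric = WhitelistFabric(
        epg_of={"server1": "WEB", "server2": "WEB", "server3": "APP", "server4": "APP"},
        contracts=[Contract("WEB", "APP", frozenset({Filter("tcp", 8080)}))],
    )
    switch = LocationTrustSwitch(blacklist={("server4", "server1")})
    return fabric, switch


def compare(src: str, dst: str, proto: str, dst_port: int) -> Dict[str, str]:
    """Same packet, both trust models."""
    fabric, switch = build_sample()
    return {
        "zero_trust": fabric.decide(src, dst, proto, dst_port),
        "location_trust": switch.decide(src, dst, proto, dst_port),
    }


if __name__ == "__main__":
    for pkt in [
        ("server2", "server3", "tcp", 8080),  # web tier calling the app tier on its contract port
        ("server2", "server3", "tcp", 22),    # same pair, a port no contract permits
        ("server3", "server2", "tcp", 8080),  # app tier opening a connection back to web
        ("server1", "server2", "tcp", 443),   # inside one EPG
        ("server4", "server1", "tcp", 443),   # the only pair the blacklist model stops
    ]:
        print(pkt, compare(*pkt))
```

Two points the output makes that the slide only states: the contract is directional, so the APP tier opening a connection back to WEB is dropped even though WEB to APP on the same port is allowed; and an endpoint that is not a member of any EPG can never match a contract, so an unclassified workload is isolated rather than trusted.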
ASA Cluster Scalability
[Diagram: Layer-2 deployment data plane. Nexus 7K #1 and Nexus 7K #2 are vPC peers carrying port-channel PC-1 to an ASA 5585-X cluster of one master and up to 15 slaves (units 1 to 16).]
A 16 node ASA 5585-X cluster* can deliver up to:
§ 256 Gbps of real-world mixed traffic throughput (640 Gbps max)
§ 50M concurrent connections
§ Consistent scaling factor regardless of units in cluster
§ Handles the expected asymmetric traffic flows found in modern data centers
§ Integrates with FirePOWER Appliances and Services Modules for AVC and NextGen IPS
*Cisco ASA Software release 9.2+
Cisco ASA Clustering Corrects Asymmetric Flows
[Diagram: two ASA / FirePOWER appliance sets, each an ASA 5585-X (ASA-1, ASA-2) with a north context and a south context (inside/outside interfaces, firewall policy) and an NGIPS (NGIPS-1, NGIPS-2) performing flow inspection. Traffic between source and destination arrives at whichever ASA the LACP hash chooses; a unit that does not own the flow performs a cluster lookup of the flow owner (request/reply over the CCL) and the data is handed to the owner.]
ASA Clustering eliminates the need for a stateful load-balancer in the data center to scale security services performance.
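To show why the owner lookup matters, the following Python simulates the clustering slides: the upstream switch hashes each packet to a unit, a reply can land on a different unit than its request, and the receiving unit hands the packet to the owner over the CCL instead of dropping it. This is an added example for this page, not Cisco's ASA implementation: real clustering splits the lookup into owner, director and forwarder roles, whereas the single shared owner table here is a simplification; the hash function is a constructed stand-in for the switch's EtherChannel hash, and addresses and ports are constructed sample values.

```python
"""Flow ownership in a clustered firewall that receives asymmetric traffic.

Added example for this page, not Cisco's ASA implementation. The switch's LACP
hash may deliver a connection's forward and return packets to different
cluster units; a unit that gets a packet for a flow it does not own looks up
the owner and hands the packet over the cluster control link (CCL). Real ASA
clustering splits this into owner, director and forwarder roles; the single
shared owner table here is a simplification. Addresses and ports are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Tuple

# 5-tuple as seen on the wire: (src_ip, src_port, dst_ip, dst_port, proto)
FlowKey = Tuple[str, int, str, int, str]


def canonical(key: FlowKey) -> Tuple:
    """Direction-independent key so forward and return packets map to one flow."""
    src, sp, dst, dp, proto = key
    a, b = (src, sp), (dst, dp)
    return (a, b, proto) if a <= b else (b, a, proto)


def lacp_unit(key: FlowKey, n_units: int) -> int:
    """Stand-in for the switch's EtherChannel hash (constructed, not the real algorithm).

    Deterministic per 5-tuple but not symmetric, so a reply can land on a
    different unit than its request: the asymmetry the cluster must correct.
    """
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_units


@dataclass
class Cluster:
    n_units: int
    owner: Dict[Tuple, int] = field(default_factory=dict)  # canonical flow -> owning unit
    ccl_forwards: int = 0                                   # packets redirected over the CCL

    def handle(self, key: FlowKey, syn: bool) -> Dict[str, object]:
        unit = lacp_unit(key, self.n_units)       # which unit the switch delivered to
        ckey = canonical(key)
        owner = self.owner.get(ckey)
        if owner is None:
            if not syn:
                # mid-connection packet with no state on any unit: nothing can inspect it
                return {"received_by": unit, "owner": None, "action": "drop"}
            self.owner[ckey] = unit               # first packet: the receiving unit becomes owner
            return {"received_by": unit, "owner": unit, "action": "inspect"}
        if owner == unit:
            return {"received_by": unit, "owner": owner, "action": "inspect"}
        self.ccl_forwards += 1                    # asymmetric path: hand the packet to the owner
        return {"received_by": unit, "owner": owner, "action": "forward_to_owner"}

    def close(self, key: FlowKey) -> None:
        """Connection finished: the owner releases its state."""
        self.owner.pop(canonical(key), None)


def run_demo(n_units: int = 4, flows: int = 200) -> Dict[str, int]:
    """Open `flows` connections, send one reply each, and summarise what happened."""
    cluster = Cluster(n_units)
    symmetric = asymmetric = 0
    for i in range(flows):
        fwd: FlowKey = (f"10.1.{i // 256}.{i % 256}", 40000 + i, "192.0.2.10", 443, "tcp")
        rev: FlowKey = (fwd[2], fwd[3], fwd[0], fwd[1], fwd[4])
        first = cluster.handle(fwd, syn=True)
        reply = cluster.handle(rev, syn=False)
        assert reply["owner"] == first["owner"]   # the reply is always inspected by the same owner
        if reply["action"] == "inspect":
            symmetric += 1
        else:
            asymmetric += 1
    return {
        "flows": flows,
        "symmetric_replies": symmetric,
        "asymmetric_replies": asymmetric,
        "ccl_forwards": cluster.ccl_forwards,
        "units_owning_flows": len(set(cluster.owner.values())),
    }


if __name__ == "__main__":
    print(run_demo())
```

The summary shows the trade-off the slide is making: every reply still reaches the unit holding the connection state, so no external stateful load balancer is needed, but the fraction of replies that hash to a non-owner is exactly the CCL forwarding load, which is why the CCL is sized and protected as a data-plane link rather than a management link.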
Integrated Design – Connect an Enclave
[Diagram: an ASA / FirePOWER set whose main system applies the firewall policy and VPN decryption between the outside and inside interfaces, with policy-based diverted traffic sent to an NGIPS FirePOWER Service Module blade for flow inspection; source and destination traverse the ASA cluster’s Enclave 1 contexts.]
Appliance Design – Connect an Enclave
[Diagram: an ASA / FirePOWER appliance set: an ASA (5585-X) with a north context and a south context (inside firewall policy, outside) and an NGIPS (FP-8250) attached through the Enclave 1 virtual switches over PC-Links carrying the data. VLANs 2001, 3001, 2101 and 3101 connect the contexts and the NGIPS virtual switches (VLAN 3101 labelled External, VLAN 2101 Internal); source and destination traverse the ASA cluster’s Enclave 1 contexts.]
Device Scalability
• Redundant Switches become a Single Virtual Switch: Virtual PortChannel (vPC) on Nexus, Virtual Switch System (VSS) on Catalyst
• Redundant Firewalls become a Single Logical Firewall: Clustering with full state backup
• Complete Fault Tolerance: Spanned Etherchannel with LACP for ports, Non-Stop Forwarding (NSF) for OSPF/BGP
[Diagram: vPC/VSS switch pair connected to the ASA cluster]
Site Scalability
[Diagram: Site A and Site B]
• Endpoint Mobility: VLAN segment extension with Overlay Transport Virtualization (OTV); clustering retains connection state
• Local Traffic Processing: site-specific switch connections
• Inter-site Clustering: clustering with full state backup
Scalable Data Center Security Solution
[Diagram: network (vPC/VSS) to ASA cluster to FirePOWER]
Seamless Network Insertion:
• Etherchannel/LACP
• Equal Cost Multipath (ECMP)
• Non-Stop Forwarding (NSF)
• Virtual Port Channel (vPC)
• Virtual Switch System (VSS)
• Overlay Transport Virtualization (OTV)
Segmentation and Symmetry:
• Stateful flow security
• Same and Inter-site Clustering
• Selective redirection to FirePOWER
Complete Threat Visibility:
• Industry leading AVC, NGIPS, AMP
• Fully symmetrical flows
• Trusted flow offload to ASA
Physical vs Virtual ASA Network Integration
[Diagram: enterprise network to data center core, aggregation, access and compute layers, showing where the physical ASA 5585-X and the virtual ASAv and vSensor are inserted.]
Transparent vs Routed ASA Network Integration
[Diagram: enterprise network to data center core, aggregation, access and compute layers, with Layer 3 links above and Layer 2 trunks below; ASA L3FW as the routed tenant edge, ASA L2FW and ASAv L2FW as transparent firewalls (PCI).]
Threat Focused Visibility
Superior Integrated & Multilayered Protection
[Diagram: Cisco ASA stack: Identity-Policy Control & VPN, URL Filtering (subscription), FireSIGHT Analytics & Automation, Advanced Malware Protection (subscription), Application Visibility & Control, Network Firewall, Routing | Switching, Clustering & High Availability, Built-in Network Profiling, Intrusion Prevention (subscription); Cisco Collective Security Intelligence enabled.]
• World’s most widely deployed, enterprise-class ASA stateful firewall
• Granular Cisco® Application Visibility and Control (AVC)
• Industry-leading FirePOWER next-generation IPS (NGIPS)
• Reputation- and category-based URL filtering
• Advanced malware protection
Application Security and Visibility
• Enhanced Visibility
  o 1,800+ applications + stats
  o File types, transfer direction/protocol
  o Mobile device type, OS, version
  o Geolocation (country, postcode, time zone, lat/long., ISP, etc.)
  o IPv6 address support throughout
• Improved UI/Admin
  o Visual Device Management
  o Security and Network Admin Roles
  o Admin Role Editor
• Dashboards/Reporting
  o Customizable Widgets
  o Graphical Reports – Report Creator
Granular Controls and Advanced Malware Protection
• Expanded Controls
  o Application Control on NGIPS
  o URL Filtering
  o File Blocking
  o Security Intelligence / IP Blacklisting
  o Geolocation Blocking
• Security Automation
  o Impact Assessment
  o Recommended Rules
• Advanced Malware Protection
  o Network File Trajectory
  o Network Malware Blocking
Application Security & Visibility • Defense Center with FireSight
[Screenshot]
Application Security & Visibility • Geo Location Information
[Screenshot]
Retrospective Security • Network File and Device Trajectory
[Screenshot]
Q&A
Thank you.