BRKSEC-2346
Inside The ScanSafe Architecture: Session Overview
Follow us on Twitter for real time updates of the event:
@ciscoliveeurope, #CLEUR
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2346 2
Housekeeping
We value your feedback - don't forget to complete your online session evaluations after each session and the Overall Conference Evaluation, which will be available online from Thursday
Visit the World of Solutions and Meet the Engineer
Visit the Cisco Store to purchase your recommended readings
Please switch off your mobile phones
After the event don’t forget to visit Cisco Live Virtual: www.ciscolivevirtual.com
Abstract
This intermediate level technical summary covers what it takes to build and deploy a managed SaaS security service on a global scale. As an introduction we will understand what the ScanSafe Web Security Service is, how it works and the benefits a global cloud service gives any organisation. We will then look at where ScanSafe started and the history behind some of the early technology deployed along the way, with some of the lessons learnt early on which allowed us to shape our architecture into what it is today. We will then explore major aspects of our service, which include how we build our networks, our data warehouses and our software, and how we utilise these platforms and technologies to deliver the service. We will also look at how we monitor, deploy and manage the service day to day using specialised tools and utilities which help us maintain our high uptime SLAs and availability. The final part of the summary will review where the future of the ScanSafe service fits in with other Cisco security products like AnyConnect and ISR routers to create an easily deployable architecture controlled by one policy engine, ensuring a consistent user experience anywhere in the world, plus a look at where the ScanSafe platform is heading from an architecture perspective over the next 12-36 months. The target audience should be solution architects or engineers familiar with operating systems, networks, databases, software delivery, monitoring and anything else cloud based.
Solution Overview
Introducing ScanSafe
Product
- Pioneer in SaaS Web Security
- Billions of Web requests scanned every day
- Zero-hour threat protection
Infrastructure
- Proven reliability, global footprint
- 100% uptime in 8 years
- Multi-tenant infrastructure
- On-demand capacity
Overview Customers
Awards
Partners
Secure Web Gateway: What’s in it?
Subscription-based Security Services
Web Proxy
Authentication / Identity
Caching
Logging
Management & Reporting
Data Loss Prevention
Application Visibility & Control
URL Filtering
Anti-Malware
Policy Engine
VM / Software Cloud Appliance
ScanSafe’s Architecture
Cloud Infrastructure
Roaming User
Home Office
Corporate Office
Branch Office
Internet
Typical Deployment
Identification & Authentication
AD Light-weight agent or existing proxy
Via user’s login script or browser-based
Note: ISR G2 deployment will be covered separately
Cloud-based Secure Web gateway
Web User Firewall
Internet
More details in the session: BRKSEC-2101 Deploying Web Security
Infrastructure Overview
Two main components of the datacenter architecture
Scanning towers
- Scan and process the internet traffic
- Scanning towers geographically distributed
- Scanning towers = low latency
Core
- Data warehouse hub for logging
- Core datacenter in London
- Core = high performance
DataCenter Architecture: Hub-and-Spoke
Core
Scanning towers
DataCenter Footprint
ScanSafe Technology
Vital Statistics
21 locations
2600+ servers
569+ switches
227+ firewalls
122 gigabits/sec peak traffic
3.5 billion requests per day
Support team of 8 (4 x SysAdmin, 2 x NetOps, 2 x DBAs)
People + Technology + Process
The ScanSafe Infrastructure
ScanSafe Infrastructure
ScanSafe Infrastructure
[Diagram: a tower split into two halves, A and B, fronted by proxy123.scansafe.net, proxy124.scansafe.net, proxy125.scansafe.net and proxy126.scansafe.net, with scanning hosts numbered 01 to 32 behind them]
ScanSafe Tower Concept
ScanSafe Tower
Dell Blades
Console
ScanSafe Tower
Dell Blades
Redundant Power Distribution
3560G – Core Switch
ASA 55xx – Access Firewall
ACE 4710 – Load Balancer
2960G – Access Switch
Moore’s Law
Moore’s Law
vs
Web 2.0
Scanlets
Outbreak Intelligence Algorithm
Database of traffic which is ~2% of all business traffic: statistically significant
- All AV engines are publicly available
- Bad guys can reverse engineer signatures to work around them
- Cisco data mines the traffic to identify the holes in the AV
- We use active learning to highlight false negatives
Pragmatically tune our scanlets to catch the false negatives
- Phase scanlets in/out based on malware trends
Statistical Model
- Parse files and identify features that indicate malware traffic
- Percentage of PDFs with no word count + JavaScript tag
- Once you identify this traffic, train the algorithm with good and bad examples
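The statistical-model bullets above describe a pipeline (parse file, derive features such as "no word count plus a JavaScript tag", train on labelled good/bad examples) without showing one. The following is an added illustration of that pipeline, not ScanSafe code: the feature tests are crude byte-level stand-ins for real parsing, the extra `has_openaction` feature is my own assumption about what a scanlet might look at, the classifier is a small Bernoulli naive Bayes, and every PDF sample is a constructed byte string rather than real malware.

```python
"""Toy version of the 'statistical model' step: parse a file, derive a few
binary features, train on labelled good/bad examples, classify new files.
Added illustration, not ScanSafe code; PDF samples are constructed bytes."""
import math
import re
from collections import Counter


def _literal_strings(pdf_bytes: bytes) -> bytes:
    # PDF text often sits in literal strings written as (...). Joining them is a
    # crude stand-in for the real text extraction a scanlet would perform.
    return b" ".join(re.findall(rb"\(([^)]*)\)", pdf_bytes))


def word_count(pdf_bytes: bytes) -> int:
    # Words = runs of three or more letters inside the literal strings.
    return len(re.findall(rb"[A-Za-z]{3,}", _literal_strings(pdf_bytes)))


# 'has_javascript' and 'no_words' are the features the slide names;
# 'has_openaction' (auto-run action on open) is an assumed extra feature.
FEATURES = {
    "has_javascript": lambda b: b"/JavaScript" in b or b"/JS" in b,
    "no_words": lambda b: word_count(b) == 0,
    "has_openaction": lambda b: b"/OpenAction" in b,
}


def extract_features(pdf_bytes: bytes) -> dict:
    return {name: bool(test(pdf_bytes)) for name, test in FEATURES.items()}


class BernoulliNB:
    """Naive Bayes over binary features with Laplace smoothing."""

    def __init__(self):
        self.class_count = Counter()
        self.feature_count = {"good": Counter(), "bad": Counter()}

    def train(self, samples):
        # samples: iterable of (pdf_bytes, "good" | "bad")
        for data, label in samples:
            self.class_count[label] += 1
            for name, present in extract_features(data).items():
                if present:
                    self.feature_count[label][name] += 1

    def _p(self, label, name):
        # P(feature present | label), smoothed so unseen combinations are not zero.
        return (self.feature_count[label][name] + 1) / (self.class_count[label] + 2)

    def log_odds(self, data: bytes) -> float:
        # log P(bad | x) - log P(good | x); positive means 'bad' is more likely.
        lo = math.log((self.class_count["bad"] + 1) / (self.class_count["good"] + 1))
        for name, present in extract_features(data).items():
            p_bad, p_good = self._p("bad", name), self._p("good", name)
            if present:
                lo += math.log(p_bad) - math.log(p_good)
            else:
                lo += math.log(1 - p_bad) - math.log(1 - p_good)
        return lo

    def classify(self, data: bytes) -> str:
        return "bad" if self.log_odds(data) > 0 else "good"


# Constructed training corpus: benign files carry readable text and no script;
# the bad ones carry a JavaScript action and no text (JS body as a hex string).
GOOD = [
    b"%PDF-1.4 1 0 obj << /Type /Catalog >> endobj BT (Quarterly sales report for the region) Tj ET",
    b"%PDF-1.4 1 0 obj << /Type /Catalog >> endobj BT (Meeting minutes and action items) Tj ET",
    b"%PDF-1.4 1 0 obj << /Type /Catalog >> endobj BT (Invoice number and payment terms) Tj ET",
]
BAD = [
    b"%PDF-1.4 1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj 2 0 obj << /S /JavaScript /JS <6576616c> >> endobj",
    b"%PDF-1.4 1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj 2 0 obj << /S /JavaScript /JS <6576616c> >> endobj",
    b"%PDF-1.4 1 0 obj << /Type /Catalog >> endobj 2 0 obj << /S /JavaScript /JS <6576616c> >> endobj",
]


def train_demo() -> BernoulliNB:
    model = BernoulliNB()
    model.train([(b, "good") for b in GOOD] + [(b, "bad") for b in BAD])
    return model


def classify_heldout(model: BernoulliNB) -> dict:
    # Two constructed samples the model has not seen, one of each kind.
    heldout = {
        "benign": b"%PDF-1.4 BT (Annual budget summary with totals) Tj ET",
        "suspect": b"%PDF-1.4 << /OpenAction 2 0 R >> << /S /JavaScript /JS <6576616c> >>",
    }
    return {name: model.classify(data) for name, data in heldout.items()}


if __name__ == "__main__":
    trained = train_demo()
    for name, verdict in classify_heldout(trained).items():
        print(f"{name}: {verdict} (log-odds {trained.log_odds(b''):+.2f} prior)")
```

The active-learning step the slide mentions maps onto `train`: a false negative found by mining the traffic is simply appended to the `BAD` list and the model retrained, which is how a new scanlet would be "phased in".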
Performance Optimisation (Latency)
• Geographical proximity
• Peering with T1 providers
• Optimisation for parallel scanning
• Highly tuned network stack
• Simplified architecture
Telemetry
Datawarehouse
People + Technology + Process
Rotational Staffing Model
Problems: Root cause investigation and resolution
Deployments (x2 weeks): Scheduled rollout of new/upgraded applications or hosts
P3+4 Service Requests: Standard work requests, individually prioritised
Pages & P1+2 Incidents: Incidents/SRs which require urgent attention
Engineer 1, Engineer 2, Engineer 3 and Engineer 4 rotate through the four streams above
Projects: Continual technology improvement & personal development (Engineer)
Continual change
Beta flag control
DevOps iteration
Agile Software Deployments
Tightly controlled continual change
Agile Software Deployments
Tightly controlled continual change
Security Architecture
ScanSafe Security Architecture
Physical Security
Utilization of high security facilities with biometric access control, stringent change control and authorized access approval.
Only a small number of trusted, dedicated hands are allowed access to and control of hardware/inventory globally
Application Security
Customer administration is provided via a secure web portal
Each administrative account is accessed via a unique username/password and the entire session is encrypted using SSL.
ScanSafe Security Architecture
Data Security
A dedicated Data Team manages and supports the associated data - access to data is only through this team
Data replicated locally and off-site in separate datacenters for DR/replication purposes
Logical Security
Dedicated Operations Team sandboxed from corporate networks for administration of the service
Use of best practice procedures and tools following ITIL workflows ensuring secure access to systems
Centralized auditing and monitoring solutions to ensure protection and delivery of service
Security
Security Incident Response
[Flowchart: Event → CSIRT Monitoring → CSIRT Investigations (with ScanSafe). Outcome branches: False Positive, Suspected Breach, Policy Violation. Steps shown: Analyze, Investigate (plus forensics for a suspected breach), Mitigate, Remediate, Resolve, Provide Feedback, After-Action Review]
Distributed Denial of Service – Real Experience
Detected as a slowdown of a single tower's throughput
Huge spike in TCP connections to the proxy's outbound IP address
Caused a CPU spike and increased session count on the ASA
Changed the outbound proxy IP and routed the attack traffic to Null0
Total incident duration of less than 20 minutes
CPU was consumed by syslogging; implemented rate limiting
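Two lessons sit in that incident: the flood was first visible as an anomalous connection count towards one tower's outbound address, and the firewall's CPU was burned not by the flood itself but by logging it. The block below is an added illustration of both, not ScanSafe tooling: a median/MAD spike detector over a constructed per-minute series of TCP connection counts (as if polled from the firewall), and a token-bucket limiter of the kind you would put in front of a syslog stream. All numbers are constructed.

```python
"""Added illustration: spot a connection-count spike against a robust baseline,
and rate-limit syslog so that logging a flood cannot exhaust the CPU.
Not ScanSafe code; all series and parameters here are constructed."""
import statistics
from collections import deque

# Constructed per-minute counts of new TCP connections to one proxy's outbound
# address: ten quiet minutes, a three-minute flood, then back to normal.
CONN_COUNTS = [410, 398, 425, 402, 417, 395, 408, 412, 400, 405,
               9800, 12500, 11900, 404, 398]


def spike_alerts(counts, window=10, factor=4.0, min_baseline=3):
    """Return the indices of samples that are spikes against the recent baseline.

    Baseline = median and median absolute deviation (MAD) of the previous
    `window` normal samples. Flood samples are not fed back into the baseline,
    so a sustained attack cannot raise its own threshold the way a mean would.
    """
    alerts = []
    history = deque(maxlen=window)
    for i, c in enumerate(counts):
        if len(history) >= min_baseline:
            med = statistics.median(history)
            mad = statistics.median(abs(h - med) for h in history) or 1.0
            if c > med + factor * mad:
                alerts.append(i)
                continue
        history.append(c)
    return alerts


class SyslogRateLimiter:
    """Token bucket: at most `rate` messages per second, with `burst` headroom.

    Messages refused here are counted rather than processed, which is the point:
    during a flood the expensive part is emitting one log line per connection.
    """

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None
        self.accepted = 0
        self.dropped = 0

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.accepted += 1
            return True
        self.dropped += 1
        return False


def simulate_flood(events=1000, rate=100.0, burst=50) -> dict:
    """Push `events` log events through the limiter within one second."""
    limiter = SyslogRateLimiter(rate, burst)
    for i in range(events):
        limiter.allow(i / events)          # constructed timestamps, 0 s to <1 s
    return {"accepted": limiter.accepted, "dropped": limiter.dropped}


if __name__ == "__main__":
    print("spike minutes:", spike_alerts(CONN_COUNTS))   # expected [10, 11, 12]
    print("syslog under flood:", simulate_flood())
```

With the constructed series the detector fires on minutes 10 to 12 only, and the limiter lets roughly the burst plus one second of refill through out of a thousand events, which is the behaviour the slide's "implemented rate limiting" fix was after.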
Operational Tools
ZenOSS
Puppet, Cacti
Autodeployer
Infrastructure Future Plans
DataCenter IPv6 migration
[Diagram, two phases: Phase I - IPv6 Host → ScanSafe (IPv4 internally) → Internet Connector; Phase II - IPv6 Host → ScanSafe (Internal IPv6) → Internet Connector]
IPv6 Addressing
IPv6 Issues
Network-level IPv6 is generally healthy
Routing table capacity & disagreement on subnetting
AAAA records – lots of broken DNS servers
Routing optimisation – rebuilding the internet
Difficult to find subject matter experts
Future Developments
IPv6
Cisco-on-Cisco (UCS)
Virtualisation
Local core: Partitioned data storage and portal by region – Americas, EMEAR and APAC
Simplification
Capacity & Future Plans
Capacity Management
Bandwidth capacity in the datacenters is actively managed – transparent to end users
Scale through hardware
Monitor trends and events to forecast usage spikes
Royal Wedding in the UK
Frankfurt +70% over typical
Andy Murray at Wimbledon
London +80% over typical
Cisco Integration
ScanSafe Deployment Vision
Cisco-on-Cisco
[Diagram: sites - Home Office, Coffee Shop, Mobile User, Branch Office, Corporate Office / HQ; connectors - AnyConnect, ASA or ISR G2, WSA]
Easy to deploy, customer choice, centralized management and reporting
ISR G2 with ScanSafe
ISR G2 with ScanSafe: Functionality
The connector will be available in IOS (universal) images with security feature set (SEC) licenses.
Supported on the 880, 890, 19XX, 29XX and 39XX/E ISR G2 platforms.
Supports redirection of HTTP/HTTPS traffic.
No need for client or agent software (Anywhere+ or AnyConnect) to be installed on each laptop or desktop.
No HTTP proxy settings changes for the web browsers running at the end-points.
Supports single sign-on based identity with LDAP and AD sync.
User provisioning is configured using the ScanCenter web portal. Reporting (accesses allowed or denied per user or group, etc…)
The ISR connector will work independently, with or without IOS security services (IOS FW, IPS, VPN).
Summary
Insight into building and maintaining a robust, scalable and multitenant architecture
Success depends on more than technology – people and processes
Exciting plans for leveraging Cisco technology to grow ScanSafe’s cloud
Questions?
Recommended Reading
Please visit the Cisco Store for suitable reading.
Please complete your Session Survey
Don't forget to complete your online session evaluations after each session.
Complete 4 session evaluations & the Overall Conference Evaluation
(available from Thursday) to receive your Cisco Live T-shirt
Surveys can be found on the Attendee Website at www.ciscolivelondon.com/onsite
which can also be accessed through the screens at the Communication Stations
Or use the Cisco Live Mobile App to complete the
surveys from your phone, download the app at
www.ciscolivelondon.com/connect/mobile/app.html
We value your feedback
http://m.cisco.com/mat/cleu12/
1. Scan the QR code
(Go to http://tinyurl.com/qrmelist for QR code reader
software, alternatively type in the access URL above)
2. Download the app or access the mobile site
3. Log in to complete and submit the evaluations
Thank you.