Post on 09-Mar-2018
임강빈 (kanlim@cisco.com)
© 2008 Cisco Systems, Inc. All rights reserved. 1
Cisco Systems Korea
Driver for Service Delivery Data Center

Application Layer
DC Infrastructure
VoD / HDTV, Gaming, Comm, Web Services, Mobile Apps, IP Contact Center
Service Exchange: Service Delivery Data Centers

Service Control Layer
Open Framework for Enabling Triple Play On The Move (Data, Voice, Video, Mobility)

Secure Network Layer
Intelligent Edge, Customer Element, Multiservice Core, Access / Aggregation, Transport

Intelligent Networking
SP & Core Network, Managed Service DC, VAS and Production IT, Back-End Applications (network diagram)
Components shown: Intrusion Detection, Server Load Balancing, Content Caching, Stateful Firewalls, Front-End Application Servers, Back-End Application Servers, High Density Multilayer LAN Switch, SAN Directors, Storage Arrays, Internet, Aggregation Node, Carrier Ethernet Aggregation, Residential BNG, Access Edge, Ethernet Business / Corporate, Distribution Node, Access Node, STP ETTX Access Rings, Core Server Load Balancing, Aggregation Network (MPLS/IP), Distribution Aggregation Nodes, Core Network (IP / MPLS), DSL Access Node, Business MSE Node, Internal IT DC, Enterprise #1 DC, Enterprise #N DC
Shared Services (comparison table)
SP IT DC / VAS DC / DC (SP): IPTV, Mobile / Broadband (B2C), Shared
Scale: SP, < 1K+, 1M
Top priority: Time-to-market, Security, HA / Security
Security: F/W (L2/Virtual), DDoS, Video
SP Security
Infrastructure Security
• IDC (Out of Path)
• Control-Plane Security
• Data-Plane Security
Service Layer Security
• DDoS (Out of Path)
• Anti-Spoofing
• App. Security
Data Center Security Technology
• NETFLOW
• L3 ACL/VACL
• Virtualization
• Enhanced ACL (FPM)
Access-Layer Security
• L3 ACL/VACL
• DAI
• IPSG
• Enhanced ACL (FPM)
• Service Control
• Visibility in DC (NETFLOW, SCE)
SP Security Point (diagram)
DDoS
SP B/B (ISP backbone) Core: CoPP, MLS rate-limiting
Aggregation: SCE, Netflow v9
Access: Virtualization (Multicast), DAI/IPSG/ACL
Decoder / Video Source (NVoD, IP-Mux) #1–#4
SP - 6500 MLS Rate-Limiters
Policing of punt traffic (ICMP/ARP/Routing Protocol):
mls rate-limit multicast ipv4 fib-miss 10000 10
mls rate-limit unicast cef glean 1000 10
mls rate-limit unicast ip icmp unreachable acl-drop 500 10
mls rate-limit all ttl-failure 500 10

MLS Policing (Attack)
DoS Attack – TTL=1 Unicast Traffic (chart)
CPU utilization (%) versus traffic rate (pps), comparing No Rate Limiter against a 100pps TTL=1 rate limiter; ICMP Redirect / Unreachable
Traffic rates shown: 1000pps, 5000pps, 10000pps, 844590pps
SP - Control-Plane Protection
How CoPP works (diagram): Control Packet → HW Control Policing on PFC3 / DFC3 (Traffic Rate, Traffic to CPU) → Software Control Plane Policing (CoPP, configured with MQC) → Open TCP/UDP Port → CPU
SP - Netflow
Monitoring (N x 10G)
IPTV Monitoring
Solution: v9 Export; Network Planning; Security / Accounting / Billing
SP – Multicast Security
SP DDoS (diagram)
DDoS Detector (2G), DDoS Detector with Netflow, DDoS Guard, DDoS Guard Farm, ACE Redirection
SP – Virtualization (SP DC)
As-Is vs. To-Be (diagram)
Components: Catalyst 6500, TCP L7 Filter, CSM, FWSM, ACE; VLANs per tier (WEB, APP, DB)
SP – Nexus 7000 Virtualization
Virtual Device Context (VDC): Network Virtualization, Device Consolidation
• Hardware resources and software configuration can be allocated flexibly
• Secure per-context management
• Isolation against software faults
Use cases:
1. Consolidating multiple services into one configuration (e.g. Infosec / Network Ops consolidation)
2. Easy addition of new services (e.g. Production network / Lab network VDCs)
3. Allocating resources appropriate to the character of each service (Core / Aggregation system resource scaling)
SP – FPM (Flexible Packet Matching)
ACL: IP/Port; FPM: Header Pattern Enhanced ACL
SP – FPM
CCO Application Signature TCDF (Traffic Classification Definition Files): www.cisco.com/cgi-Bin/tablebuild.pl/fpm
Data Center
Load the signature and apply the policy:
Sup32-PISA(config)#load classification bootdisk:bittorrent.tcdf
Sup32-PISA(config)#int vlan 611
Sup32-PISA(config-if)#service-policy type access-control input fpm_policy_template
Remove the policy:
Sup32-PISA(config)#int vlan 611
Sup32-PISA(config-if)#no service-policy type access-control input fpm_policy_template
SP – Service Control Engine
10G SCE (multiple units): IPTV, P2P
Dynamic Signature L7 Filter, Zero-Day L7 Filter
Service Control: IPTV, Business Application Bandwidth Guarantee
IDC L4~L7 Visibility
SP – SCE Overview
SCE: 2 x 1G; 2 x 10G, 15G (S/W)
Aggregation Layer
15Gbps deep packet engine
Cisco 7600 (2009 Q1): L2/L3 IP Forwarding I/F card(s), one or more SCP blades, one or more Application Blades
SUMMARY
Process Model Built for Revenue (operations process model, diagram)
Trust/Identity: Identity Management, identify state of trust
Visibility: observe IP packet layers 2–7 and stateful subscriber behavior
Correlation: relational analysis, system-wide events, operational view
Device Management: device hardening
Isolation (virtual): segment and partition throughout the system
Policy Enforcement: enforce
Strong control over the SP network, with visibility secured
SUMMARY
IP NGN Security

Application Layer
DC Infrastructure
VoD / HDTV, Gaming, Comm, Web Services, Mobile Apps, IP Contact Center
Service Exchange: Service Delivery Data Centers

Service Control Layer
Open Framework for Enabling Triple Play On The Move (Data, Voice, Video, Mobility)

Secure Network Layer
Intelligent Edge, Customer Element, Multiservice Core, Access / Aggregation, Transport

SECURITY: technology + solutions + processes
Intelligent Networking