Security and Virtualization in the Data Center

Post on 08-Jan-2017


Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 1

Security and Virtualization in the Data Center

Ronnie Scott - CCIE 4099

T-DC-13-I

May 19th 2016

In collaboration with


Housekeeping notes

Thank you for attending Cisco Connect Toronto 2016. Here are a few housekeeping notes to ensure we all enjoy the session today.

• Please ensure your cellphones / laptops are set on silent to ensure no one is disturbed during the session

Agenda

• The New Security Landscape

• Defense By Design

• Bringing The Big Guns

• Conclusion

Data Center Security Challenges: Provisioning, Scalability, Protection

• Simplify and unify security solutions

• Evolve while maintaining security and compliance

• Stay ahead of evolving threats

95% of firewall breaches caused by misconfiguration*

12% YoY growth of devices 2014-2019

Over 100K new threats per day

* Greg Young, Gartner Inc

Attacker Profiles

• Organized Crime: out to make money; needs organization to stay profitable; typically smash-and-grab style or drive-by

• Graffiti and Activism: attack you for fame or to make a point; can be a nuisance; can also draw unwanted attention

• State Sponsored Cyber Warfare: extremely advanced; companies are generally at a disadvantage; hard to defend; atypical

• Espionage: somewhere between Organized Crime and Military; could be state sponsored; replicating intellectual property; gaining human intelligence

The Big 5 - 2016 (Kim Zetter – Wired Magazine, Jan 1, 2016)

• Extortion

• Data Manipulation

• Card Not Present

• IOT Zombies

• Backdoors

The Server Is Virtualized

• One Server - Multiple Guests

• Hypervisor abstraction hides the hardware

• Partitioned system resources

• Application & OS encapsulation

[Figure: one virtualized server hosting Financials, CRM, Exchange, ERP, Oracle and SAP workloads]

Common Virtualization Concerns

• Physical Tools in a Virtual World

• Operations and Management Obfuscation

• Changes in Roles and Responsibilities

• Machine and Application Segmentation

[Figure: guests on one hypervisor, showing an initial infection on one guest and a secondary infection on another]

Back to the basics … Ships in the night


Cisco SAFE


The VMDC Architecture


But what our customers want…

…is the vision on the box.

(Not the one on the carpet)

SAFE Simplifies the Security Conversation One Step at a Time

Capability Phase, Architecture Phase, Design Phase

Break the Network into Domains: Security Domains per PIN

• WAN

• Branch

• Campus

• Data Center

• Edge

Mapping The Problem

[Figure: domains and their components: WAN / Campus Core; DC Core; Campus; Branch (Site 1, Site 2); Edge; Shared Services (DNS, DHCP, SQL, SLB); App 1 (Web, App, DB); App 2 (Web, App)]

Business Requirements Per Domain (when done, try to rank by importance)

Data Center:

• Protect Customer Data

• Must be easy to operationalize

• Support Role-based Network Segmentation

• Measurable Security Increase

Example: PCI Domain at Branch Office

Identify the Threats, Risks, and Policy (also identify the mitigating capabilities that should be considered)

Data Center Domain:

• Policy: Role-based Network Segmentation

• Risk: Lateral Spread of Breach

• Threat: Exploitation of Trust

Example: PCI Domain at Branch Office

Security Capabilities Design

Security Capabilities Design Example

1. No Products

2. Vendor-agnostic

[Figure: vendor-agnostic capability map. Zones: Shared Services Zone, App Server Zone, PCI Compliance Zone, Database Zone, with links To Campus, To Edge and WAN. Capabilities placed: L2/L3 Network, Access Control + TrustSec, Next-Gen Intrusion Prevention System, Flow Analytics, Host-based Security, Load Balancer, Firewall, Anti-Malware, Threat Intelligence, Next-Generation Firewall, Router, Switch, VPN, Web Application Firewall, Virtualized Capabilities. Centralized Management: Policy/Configuration, Visibility/Context, Analysis/Correlation, Analytics, Logging/Reporting, Threat Intelligence, Vulnerability Management, Monitoring]

3. Identify existing capabilities

4. What are common missing capabilities?

(Same capability map as the previous Security Capabilities Design Example slide.)

Interconnected Enclaves

[Figure: three-tier enclaves, each made of a Web Group (Web Servers), an App Group (App Servers) and a DB Group (DB servers). Each group sits behind an Intra-Zone Firewall; enclaves are separated by an Inter-Zone Firewall. Rules: Permit TCP/80 (HTTP), Permit TCP/22 (SSH), Permit Web to App, Permit App to DB, Deny All. The enclaves attach to the Data Center Core, which connects to Campus, DMZ and BBI through ACLs/Firewall, with AMP or IDS in the path.]

Shared Services

[Figure: the same three-tier enclaves (Web, App and DB groups with Intra-Zone Firewalls, Inter-Zone Firewall, Permit TCP/80 (HTTP), Permit TCP/22 (SSH), Permit Web to App, Permit App to DB, Deny All) behind the Data Center Core, plus a shared Backup Server reached through the Inter-Zone Firewall with Permit TCP/5000-5010.]
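The enclave rules on the Interconnected Enclaves and Shared Services slides above, written out as an added example (this is not code from the deck or from Cisco). It models the zone policy with first-match semantics and the implicit Deny All, and adds a review check that flags any permit jumping more than one tier, which is the kind of rule that undoes the tiering. Zone names, the "outside" and "mgmt" zones, the "app" source of the backup rule and the sample flows are constructed; the slides give no ports for Web to App and App to DB, so those rules are any-port here.

```python
"""Zone policy for the three-tier enclave (added example, not from the deck).

Models the rules drawn on the enclave slides: Permit TCP/80 (HTTP) and
TCP/22 (SSH) into the Web group, Permit Web to App, Permit App to DB,
Deny All, and the shared-services rule Permit TCP/5000-5010 to the
Backup server. Zone names and sample flows are constructed; the source
zones of the SSH and backup rules are assumptions, the slides omit them.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str                          # source zone or ANY
    dst: str                          # destination zone or ANY
    proto: str                        # "tcp", "udp", "icmp" or ANY
    ports: Optional[Tuple[int, int]]  # inclusive destination port range, None = all
    action: str                       # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _matches(rule: Rule, flow: Flow) -> bool:
    if rule.src not in (ANY, flow.src):
        return False
    if rule.dst not in (ANY, flow.dst):
        return False
    if rule.proto not in (ANY, flow.proto):
        return False
    if rule.ports is not None:
        lo, hi = rule.ports
        if not lo <= flow.dport <= hi:
            return False
    return True


def evaluate(flow: Flow, policy: List[Rule]) -> str:
    """First matching rule wins; no match falls through to the implicit Deny All."""
    for rule in policy:
        if _matches(rule, flow):
            return rule.action
    return "deny"


# Tiers of the enclave, outermost first. "outside" is a constructed zone for
# traffic arriving from the Data Center Core.
TIERS = ["outside", "web", "app", "db"]


def tier_skipping_permits(policy: List[Rule]) -> List[Rule]:
    """Review check: permits that jump more than one tier in either direction
    (outside->app, web->db, db->web, any->app or any->db). Such rules bypass
    the ships-in-the-night tiering the enclave design relies on."""
    flagged = []
    for r in policy:
        if r.action != "permit" or r.dst not in TIERS:
            continue
        dst_i = TIERS.index(r.dst)
        if r.src == ANY:
            if dst_i > 1:
                flagged.append(r)
        elif r.src in TIERS and abs(dst_i - TIERS.index(r.src)) > 1:
            flagged.append(r)
    return flagged


ENCLAVE_POLICY = [
    Rule(ANY, "web", "tcp", (80, 80), "permit"),           # Permit TCP/80 (HTTP)
    Rule("mgmt", "web", "tcp", (22, 22), "permit"),        # Permit TCP/22 (SSH); "mgmt" source assumed
    Rule("web", "app", ANY, None, "permit"),               # Permit Web to App (no port on the slide)
    Rule("app", "db", ANY, None, "permit"),                # Permit App to DB (no port on the slide)
    Rule("app", "backup", "tcp", (5000, 5010), "permit"),  # Permit TCP/5000-5010 to Backup server; "app" source assumed
    Rule(ANY, ANY, ANY, None, "deny"),                     # Deny All
]

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("outside", "web", "tcp", 80),
    Flow("outside", "web", "tcp", 22),
    Flow("web", "app", "tcp", 8080),
    Flow("web", "db", "tcp", 3306),
    Flow("app", "db", "tcp", 3306),
    Flow("app", "backup", "tcp", 5005),
    Flow("app", "backup", "tcp", 5011),
]


def evaluate_samples(policy: List[Rule] = ENCLAVE_POLICY) -> List[Tuple[Flow, str]]:
    return [(f, evaluate(f, policy)) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, verdict in evaluate_samples():
        print(f"{flow.src:>8} -> {flow.dst:<7} {flow.proto}/{flow.dport:<5} {verdict}")
    print("tier-skipping permits:", tier_skipping_permits(ENCLAVE_POLICY))
```

The evaluator is deliberately strict about where SSH may come from: the slide draws Permit TCP/22 with no source, and leaving it as any-source would expose every web server's management port to the Data Center Core. The review check is what you would run over a proposed change before it reaches the inter-zone firewall.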


Inside The Enclave

[Figure: one enclave in detail. A User reaches the enclave through a Perimeter Firewall with AMP or IPS; SLB and WAAS sit in front of the Web Group. Inside: Web Group (Web Servers), App Group (App Servers), DB Group (DB servers), each behind an Intra-Zone Firewall, with an Inter-Zone Firewall at the enclave edge. Rules: Permit TCP/80 (HTTP), Permit TCP/22 (SSH), Permit Web to App, Permit App to DB, Deny All.]

Architecture Phase: assign capabilities to devices

Building the Solution: lower-level designs with the details

Physical vs. Virtualized

[Figure: the same three-tier enclave (Web, App and DB groups, each behind an Intra-Zone Firewall; Permit TCP/80 (HTTP), Permit TCP/22 (SSH), Permit Web to App, Permit App to DB, Deny All), drawn for the physical and for the virtualized case.]

Virtualized vs. Virtualization

[Figure: the same three-tier enclave diagram (Web, App and DB groups with Intra-Zone Firewalls; Permit TCP/80 (HTTP), Permit TCP/22 (SSH), Permit Web to App, Permit App to DB, Deny All).]

Cloud Provisioning Stack: Automation and Orchestration

[Figure: the three-tier enclaves (Inter-Zone and Intra-Zone Firewalls, Permit TCP/80 (HTTP), Permit TCP/22 (SSH), Permit Web to App, Permit App to DB, Deny All) provisioned through a stack of Self-Service, Orchestration and Automation layers.]

Security Solutions Strategic Imperatives

• Visibility-Driven: Network-Integrated, Broad Sensor Base, Context and Automation

• Threat-Focused: Continuous Advanced Threat Protection, Cloud-Based Security Intelligence

• Platform-Based: Agile and Open Platforms, Built for Scale, Consistent Control, Management

Across Network, Endpoint, Mobile, Virtual and Cloud

PVLANs for Physical and Virtual Isolation

Layer 2 Segmentation

• Isolate VMs in shared Layer 2 subnet

• Limit communication to Layer 3 gateway

• ACLs block unwanted communication

[Figure: Nexus 7000 (VRF, VLAN 20) connected over a .1Q Trunk to UCS hosts running the Nexus 1000V under the hypervisor. Primary VLAN 20 with secondary VLANs: VLAN 100 Isolated, VLAN 200 Isolated, VLAN 300 Community. Zones shown: Web-zone, Fileserver-zone, Application-zone.]
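The PVLAN behaviour the three bullets above describe, as an added example (not code from the deck or from Cisco): ports in one primary VLAN are promiscuous, isolated or community, and the forwarding rule alone decides which VMs can see each other at Layer 2 before any ACL at the gateway is consulted. The VM names, and the assignment of Web-zone and Fileserver-zone to the isolated VLANs 100 and 200 and Application-zone to community VLAN 300, are assumptions made for this example.

```python
"""PVLAN reachability inside one primary VLAN (added example, not from the deck).

Ports are promiscuous (the Layer 3 gateway side), isolated or community,
as on the slide: Primary VLAN 20, VLAN 100 and 200 isolated, VLAN 300
community. Which zone lives in which secondary VLAN, and the VM names,
are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

PRIMARY_VLAN = 20


@dataclass(frozen=True)
class Port:
    name: str
    kind: str   # "promiscuous", "isolated" or "community"
    vlan: int   # secondary VLAN for isolated/community, primary for promiscuous


def l2_forward_allowed(src: Port, dst: Port) -> bool:
    """PVLAN forwarding rule for two ports that share the primary VLAN."""
    if src.name == dst.name:
        return True
    if src.kind == "promiscuous" or dst.kind == "promiscuous":
        return True                # the promiscuous (gateway) port talks to every port
    if src.kind == "isolated" or dst.kind == "isolated":
        return False               # isolated hosts reach nothing but the promiscuous port
    return src.vlan == dst.vlan    # community hosts talk only within their community VLAN


def reachable_peers(port: Port, ports: Iterable[Port]) -> List[str]:
    """Names of the other ports this port can reach directly at Layer 2."""
    return sorted(p.name for p in ports if p.name != port.name and l2_forward_allowed(port, p))


def reachability_matrix(ports: Iterable[Port]) -> Dict[str, List[str]]:
    ports = list(ports)
    return {p.name: reachable_peers(p, ports) for p in ports}


# Constructed topology: gateway on the Nexus 7000 side, VMs behind the Nexus 1000V.
GATEWAY = Port("gw-vlan20", "promiscuous", PRIMARY_VLAN)
WEB1 = Port("web-vm-1", "isolated", 100)    # Web-zone assumed in isolated VLAN 100
WEB2 = Port("web-vm-2", "isolated", 100)
FILE1 = Port("file-vm-1", "isolated", 200)  # Fileserver-zone assumed in isolated VLAN 200
APP1 = Port("app-vm-1", "community", 300)   # Application-zone assumed in community VLAN 300
APP2 = Port("app-vm-2", "community", 300)
TOPOLOGY = [GATEWAY, WEB1, WEB2, FILE1, APP1, APP2]

if __name__ == "__main__":
    for name, peers in reachability_matrix(TOPOLOGY).items():
        print(f"{name:<12} -> {', '.join(peers) or '(nothing)'}")
```

The point of the matrix is the second bullet on the slide: a compromised web VM in the isolated VLAN cannot reach its neighbour even though they share a subnet, so the only traffic it can originate goes to the gateway, where the ACLs of the third bullet decide what passes.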


ACI Security: Automated Security With Built In Multi-Tenancy

Embedded Security

• White-list Firewall Policy Model

• RBAC rules

• Hardened CentOS 7.2

• Authenticated Northbound API (X.509)

• Encrypted Intra-VLAN (TLS 1.2)

• Secure Key-store for Image Verification

• Distributed Stateless Firewall

• Line Rate Security Enforcement

• Open: Integrate Any Security Device

• PCI, FIPS, CC, UC-APL, USG-v6

Security Automation

• Dynamic Service Insertion and Chaining

• Closed Loop Feedback for Remediation

• Centralized Security Provisioning & Visibility

• Security Policy Follows Workloads

• ACI Services Graph

Micro-Segmentation

• Hypervisor Agnostic (ESX, Hyper-V, KVM*)

• Physical, Virtual Machine, Container

• Attribute Based Isolation/Quarantine

• Point and Click Micro-segmentation

• TrustSec-ACI Integration

Encryption

• Link MACSEC: MKA, SAP; GCM-AES-256/128-XPN

• INS-SEC Overlay Encryption: GCM-AES-256/128

Segmentation begins with visibility

You can’t protect what you can’t see. Who is on the network? And what are they up to?

Make Fully Informed Decisions with Rich Contextual Awareness

Context: Poor Context Awareness vs. Extensive Context Awareness

• Who: IP address 192.168.1.51 vs. Bob

• What: Unknown vs. Tablet, iOS, v. 9.1x

• Where: Unknown vs. Building 200, first floor

• When: Unknown vs. 11:00 a.m. EST on April 10

• How: Unknown vs. Wireless

• Result: Any user, any device, anywhere gets on the network vs. The right user, on the right device, from the right place is granted the right access

Visibility with Cisco Identity Services Engine (ISE): Discover Known and Unknown in Your Network

• Network / User Context: Who, What, Where, When, How

• Partner Context Data via pxGrid

• Access Policy: consistent secure access policy across wired, wireless and VPN

Flexible and Scalable Policy Enforcement

Enforcement points: Switch, Router, DC FW, DC Switch

• Security Control Automation

• Simplified Access Management

• Improved Security Efficacy

Traditional Security Policy (IP-based access list):

    access-list 102 deny icmp 76.176.66.41 0.255.255.255 lt 278 169.48.105.37 0.0.1.255 gt 968
    access-list 102 permit ip 8.88.141.113 0.0.0.127 lt 2437 105.145.196.67 0.0.1.255 lt 4167
    access-list 102 permit udp 60.242.95.62 0.0.31.255 eq 3181 33.191.71.166 255.255.255.255 lt 2422
    access-list 102 permit icmp 186.246.40.245 0.255.255.255 eq 3508 191.139.67.54 0.0.1.255 eq 1479
    access-list 102 permit ip 209.111.254.187 0.0.1.255 gt 4640 93.99.173.34 255.255.255.255 gt 28
    access-list 102 permit ip 184.232.88.41 0.0.31.255 lt 2247 186.33.104.31 255.255.255.255 lt 4481
    access-list 102 deny ip 106.79.247.50 0.0.31.255 gt 1441 96.62.207.209 0.0.0.255 gt 631
    access-list 102 permit ip 39.136.60.170 0.0.1.255 eq 4647 96.129.185.116 255.255.255.255 lt 3663
    access-list 102 permit tcp 30.175.189.93 0.0.31.255 gt 228 48.33.30.91 0.0.0.255 gt 1388
    access-list 102 permit ip 167.100.52.185 0.0.1.255 lt 4379 254.202.200.26 255.255.255.255 gt 4652
    access-list 102 permit udp 172.16.184.148 0.255.255.255 gt 4163 124.38.159.247 0.0.0.127 lt 3851
    access-list 102 deny icmp 206.107.73.252 0.255.255.255 lt 2465 171.213.183.230 0.0.31.255 gt 1392

Software Defined Segmentation: Business Policy, Building a Policy Matrix

TrustSec Components

• Classification: ISE, Directory, User / Endpoint

• Propagation: Access Switch, Router, DC FW, DC Switch

• Enforcement: HR Servers, Fin Servers

TrustSec Security Groups Provisioned in ACI

ISE dynamically provisions TrustSec Security Groups in APIC-DC as External (Outside Fabric) EPGs.

ACI Application Servers are Automatically Propagated to the TrustSec Domain

ISE dynamically learns EPGs and VM bindings (VM1 to VM1000) from the ACI fabric; Internal (Inside Fabric) EPGs become Security Groups from APIC-DC in the TrustSec Domain.

Assigning Security Groups

Dynamic Classification (common classification for mobile devices): 802.1X Authentication, MAC Auth Bypass or Web Authentication assigns the SGT

Static Classification (classification for servers, topology-based assignments):

• IP Address

• VLANs

• Subnets

• L2 Interface

• L3 Interface

• Virtual Port Profile

• Layer 2 Port Lookup
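An added example (not code from the deck, from ISE or from any Cisco product) that ties the Flexible and Scalable Policy Enforcement slide to the classification slide above: endpoints are classified into security groups, dynamically from an authentication result or statically from their subnet, and policy is a small group-to-group matrix instead of the per-host access list shown earlier. The matrix is then expanded into host-level permit lines to show how the equivalent IP-based policy grows with the number of hosts. Group names other than HR Servers and Fin Servers, the subnets, directory groups, endpoints and the ACL output format are constructed for this example.

```python
"""Security-group classification and a policy matrix (added example, not from the deck).

Endpoints are classified into security groups: dynamically when 802.1X or
Web Authentication identified the user, statically from the subnet for
servers. Enforcement is a group-to-group matrix. Subnets, directory
groups, endpoints and the ACL line format below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Static classification (servers): subnet -> security group.
STATIC_SUBNETS = {
    ipaddress.ip_network("10.10.1.0/24"): "HR_Servers",
    ipaddress.ip_network("10.10.2.0/24"): "Fin_Servers",
}
# Dynamic classification (users): directory group learned at authentication -> security group.
DIRECTORY_GROUP_TO_SGT = {"hr-staff": "HR_Users", "finance-staff": "Fin_Users"}
UNKNOWN = "Unknown"


@dataclass(frozen=True)
class Endpoint:
    ip: str
    auth_method: Optional[str] = None       # "802.1X", "WebAuth", "MAB" or None
    directory_group: Optional[str] = None   # set when authentication identified the user


def classify(ep: Endpoint) -> str:
    """Dynamic classification wins when authentication identified the user;
    otherwise fall back to the static subnet binding; otherwise Unknown."""
    if ep.auth_method in ("802.1X", "WebAuth") and ep.directory_group in DIRECTORY_GROUP_TO_SGT:
        return DIRECTORY_GROUP_TO_SGT[ep.directory_group]
    addr = ipaddress.ip_address(ep.ip)
    for net, sgt in STATIC_SUBNETS.items():
        if addr in net:
            return sgt
    return UNKNOWN


# Policy matrix: (source group, destination group) -> permitted TCP ports.
# A missing cell, or an empty set, is a deny; Unknown never appears, so it is always denied.
MATRIX: Dict[Tuple[str, str], FrozenSet[int]] = {
    ("HR_Users", "HR_Servers"): frozenset({443}),
    ("Fin_Users", "Fin_Servers"): frozenset({443, 1433}),
    ("Fin_Users", "HR_Servers"): frozenset(),   # explicit deny cell
}


def enforce(src_sgt: str, dst_sgt: str, dport: int) -> str:
    return "permit" if dport in MATRIX.get((src_sgt, dst_sgt), frozenset()) else "deny"


def decide(src: Endpoint, dst: Endpoint, dport: int) -> str:
    return enforce(classify(src), classify(dst), dport)


def expand_to_ip_acl(matrix: Dict[Tuple[str, str], FrozenSet[int]],
                     members: Dict[str, List[str]]) -> List[str]:
    """The same matrix as host-level ACL lines: one line per
    (source host, destination host, port). The line format is constructed,
    not a vendor syntax; the point is the count."""
    lines = []
    for (s, d), ports in matrix.items():
        for sip in members.get(s, []):
            for dip in members.get(d, []):
                for port in sorted(ports):
                    lines.append(f"permit tcp host {sip} host {dip} eq {port}")
    return lines


# Constructed endpoints and group memberships.
HR_USER = Endpoint("192.168.5.7", "802.1X", "hr-staff")
FIN_USER = Endpoint("192.168.5.8", "WebAuth", "finance-staff")
MAB_PRINTER = Endpoint("192.168.5.9", "MAB")
HR_SERVER = Endpoint("10.10.1.15")
FIN_SERVER = Endpoint("10.10.2.20")

MEMBERS = {
    "HR_Users": ["192.168.5.7", "192.168.5.10"],
    "HR_Servers": ["10.10.1.15", "10.10.1.16", "10.10.1.17"],
    "Fin_Users": ["192.168.5.8"],
    "Fin_Servers": ["10.10.2.20"],
}

if __name__ == "__main__":
    for src, dst, port in [(HR_USER, HR_SERVER, 443), (HR_USER, FIN_SERVER, 443),
                           (FIN_USER, FIN_SERVER, 1433), (MAB_PRINTER, HR_SERVER, 443)]:
        print(f"{classify(src):<10} -> {classify(dst):<11} tcp/{port:<5} {decide(src, dst, port)}")
    print(f"{len(MATRIX)} matrix cells expand to {len(expand_to_ip_acl(MATRIX, MEMBERS))} host ACL lines")
```

Adding a server to HR_Servers changes only the static binding, not the matrix; the IP-ACL rendering gains a line per user host per port. That is the scaling argument behind "Building a Policy Matrix" on the slide, and it is also why the MAB printer ends up in Unknown and is denied everywhere rather than inheriting a group it was never authenticated into.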


Nexus 1000V: SGT Assignment in Port Profile

• Port Profile

– Container of network properties

– Applied to different interfaces

• Server Admin assigns Port Profiles

• VMs inherit SGT from port-profile

• SGT bound to the VM

Firewall Policy based on SGT

• Security Group definitions from ISE

• Trigger FirePOWER services by SGT policies

• Can still use Network Object (Host, Range, Network (subnet), or FQDN) and/or the SGT

Evolution of Firepower and ASA

• October 2013: Firepower AND ASA

• September 2014: ASA with Firepower Services ON the ASA-5500-X and ASA-5585-X

• March 2016: Firepower Threat Defense FOR the ASA-5500-X, FP-4100, and FP-9300

Introducing FirePOWER 9300

FirePOWER 9300 Security Appliance:

• Ultra High Performance

• High Port Density

• Multi-Services

• Flexible Programmability

• Power Efficiency

• Best in Class Price & Performance Per RU

Security Modules

• Two configurations

– SM-36 “Extreme”: 72 x86 CPU cores (up to 80Gbps)

– SM-24 “Enterprise”: 48 x86 CPU cores (up to 60Gbps)

• Dual 800GB SSD in RAID1 by default

• Built-in hardware Smart NIC and Crypto Accelerator

– Hardware VPN acceleration

Introducing Virtual Security Gateway

• L2 transparent FW

• Inspection between L2 adjacent hosts

• Uses VMware attributes for policy

• L2 separation for East-West traffic

• One or more VSGs per tenant

• Based on Nexus 1000V vPath

[Figure: a VSG in front of several groups of Virtual Hosts]

Cisco ASAv Platforms

• Cisco® ASAv5: 100 Mbps

• Cisco ASAv10: 1 Gbps

• Cisco ASAv30: 2 Gbps

• ASA Code Base

• Hypervisor Agnostic

• Lab Edition license

Comparing Cisco Virtual Firewalls

Cisco ASAv vs. Cisco VSG:

• Layer 2 and 3 modes vs. Layer 2 mode

• Dynamic and static routing vs. No routing

• DHCP server and client support vs. No DHCP support

• Site-to-site and RA-VPN vs. No IPsec support

• CLI and Cisco® ASDM, Cisco Security Manager, and APIC vs. Cisco Prime NSC

• ASA CLI, SSH, and REST API vs. Limited CLI and SSH configuration

Firepower Threat Defense (FTD)

Converged ASA+FirePOWER Image: FirePOWER capabilities + select ASA features

Firepower Management Center 6.0

Same subscriptions as FirePOWER Services (delivered via Smart Licensing only):

• Threat (IPS + SI)

• Malware (AMP + ThreatGrid)

• URL Filtering

Firepower Threat Defense 6.0 ASA features:

• Unified ASA / Firepower Rules and Objects

• ASA Dynamic and Static NAT

• OSPFv2, BGP4, RIP, Static

• Syn Cookies, Anti-Spoofing

• ASA ALGs (fixed configuration)

• VMware and AWS Support

• Smart Licensing Support

Cisco StealthWatch System*: Network Reconnaissance Using Dynamic NetFlow Analysis

• Monitor: understand your network normal; gain real-time situational awareness of all traffic

• Detect: leverage Network Behavior Anomaly detection & analytics; detect behaviors linked to APTs, insider threats, DDoS, and malware

• Analyze: collect & analyze holistic network audit trails; achieve faster root cause analysis to conduct thorough forensic investigations

• Respond: accelerate network troubleshooting & threat mitigation; respond quickly to threats by taking action to quarantine through Cisco ISE

*Cisco acquired Lancope Dec ‘15

Network as a Sensor: Host Lock Violation and Suspect Data Loss

[Figure: retail topology. Stores: POS Terminals and Wireless POS behind a Wireless AP, C3850 Unified Access switch and ISR G2 Routers. Private WAN (trusted) to the Data Center: ISR G2 Routers, ASA Firewall, Card Processor / Hacked Server, StealthWatch FlowCollector, StealthWatch Management Console, Cisco ISE. Internet: the Credit Card Processor is reached over Credit Card Processing HTTPS through an ASA Firewall; Updates from POS Server over HTTPS; a Compromised Server on the Public Internet marked Command and Collect.]
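The two detections named in the slide title, host lock violation and suspect data loss, as an added example run over constructed flow records (this is not Lancope or StealthWatch code). A host lock lists the peers and ports a POS server is expected to initiate connections to, here the card processor over HTTPS and the POS update server; any other flow it originates is a violation, and violation bytes sent beyond the private WAN are summed as suspect data loss. The addresses are from the documentation ranges, the private-WAN prefixes and the byte counts are constructed, and the threshold is arbitrary.

```python
"""Host-lock and suspect-data-loss checks over flow records (added example,
not StealthWatch code). The flows are constructed to mirror the slide: a POS
server that should only talk to the card processor over HTTPS and to the
POS update server, and a compromised server on the public Internet. Addresses
are documentation ranges; prefixes, byte counts and threshold are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple
import ipaddress


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int  # bytes sent from src to dst in this record


@dataclass(frozen=True)
class HostLock:
    host: str
    allowed: FrozenSet[Tuple[str, int]]  # (peer, dport) pairs the host may initiate


# Address space of the stores and the data center behind the private WAN (constructed).
PRIVATE_WAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def outside_private_wan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_WAN)


def host_lock_violations(flows: Iterable[FlowRecord], locks: Dict[str, HostLock]) -> List[FlowRecord]:
    """Flows a locked host initiated to a peer/port outside its lock."""
    return [f for f in flows if f.src in locks and (f.dst, f.dport) not in locks[f.src].allowed]


def suspect_data_loss(flows: Iterable[FlowRecord], locks: Dict[str, HostLock],
                      threshold_bytes: int) -> Dict[str, int]:
    """Violation bytes each locked host sent beyond the private WAN; hosts at or
    above the threshold are returned with their totals."""
    totals: Dict[str, int] = {}
    for f in host_lock_violations(flows, locks):
        if outside_private_wan(f.dst):
            totals[f.src] = totals.get(f.src, 0) + f.bytes_out
    return {host: total for host, total in totals.items() if total >= threshold_bytes}


# Constructed hosts (documentation address ranges, not real systems).
POS_SERVER = "10.20.5.10"
POS_UPDATE_SERVER = "10.100.1.20"
CARD_PROCESSOR = "203.0.113.10"
COMPROMISED_SERVER = "198.51.100.77"

LOCKS = {
    POS_SERVER: HostLock(POS_SERVER, frozenset({(CARD_PROCESSOR, 443), (POS_UPDATE_SERVER, 443)})),
}

# Constructed flow records as a collector would export them.
FLOWS = [
    FlowRecord(POS_SERVER, CARD_PROCESSOR, "tcp", 443, 48_000),          # card processing HTTPS, allowed
    FlowRecord(POS_SERVER, POS_UPDATE_SERVER, "tcp", 443, 12_000),       # updates, allowed
    FlowRecord(POS_UPDATE_SERVER, POS_SERVER, "tcp", 443, 900_000),      # not a locked source, ignored
    FlowRecord(POS_SERVER, COMPROMISED_SERVER, "tcp", 443, 2_500_000),   # violation, public, large
    FlowRecord(POS_SERVER, COMPROMISED_SERVER, "tcp", 443, 1_800_000),   # violation, public, large
    FlowRecord(POS_SERVER, "10.20.5.50", "tcp", 445, 9_000),             # violation inside the store
    FlowRecord("10.20.5.50", POS_UPDATE_SERVER, "tcp", 443, 500),        # not a locked source, ignored
]

if __name__ == "__main__":
    for f in host_lock_violations(FLOWS, LOCKS):
        print(f"host lock violation: {f.src} -> {f.dst}:{f.dport} ({f.bytes_out} bytes)")
    print("suspect data loss:", suspect_data_loss(FLOWS, LOCKS, threshold_bytes=1_000_000))
```

The internal flow to 10.20.5.50 is a violation but not data loss, which is why the two checks are kept separate: the first is the lateral-movement signal, the second is the exfiltration signal, and on the slide they lead to different responses (investigate the store host versus quarantine through ISE).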


AMP Everywhere Deployment: AMP (Advanced Malware Protection) Deployment Options

Email and Web

• Method: License with ESA, WSA, CWS, or ASA customers

• Ideal for: New or existing Cisco CWS, Email/Web Security, ASA customers

• Details: ESA/WSA: prime visibility into email/web; CWS: web and advanced malware protection in a cloud-delivered service; AMP capabilities on ASA with FirePOWER Services

AMP for Networks (AMP on FirePOWER)

• Method: ASA w/ FP, FP Appliances

• Ideal for: IPS/NGFW customers

• Details: wide visibility inside network; broad selection of features, before, during, and after an attack; comprehensive threat protection and response

AMP for Endpoints

• Method: Install lightweight connector on endpoints

• Ideal for: Windows, Mac, Android, and Linux

• Details: granular visibility and control; widest selection of AMP features; AnyConnect delivery

AMP Private Cloud Virtual Appliance

• Method: On-premises Virtual Appliance

• Ideal for: High-Privacy Environments

• Details: Private Cloud option for those with high-privacy requirements; for endpoints and networks

Platforms: PC/MAC, Mobile, Virtual; Meraki (soon)

OpenDNS Adds to Cisco’s Threat Prevention Portfolio

Products & Technologies:

• Umbrella (Enforcement): DNS based security service protects any device, anywhere

• Investigate (Intelligence): Discover and predict attacks before they happen

Advantages of a DNS-based Solution

• Any operating system: Win, Mac, iOS, Android, Linux, ChromeOS, and even network devices and custom operating systems

• Fast and scalable: extremely efficient query/response method

• Simple to deploy: the network’s DHCP tells every connected device where to point DNS

Talos is the industry-leading threat intelligence organization. We detect and correlate threats in real time using the largest threat detection network in the world to protect against known and emerging cyber security threats to better protect your organization.


Talos Research


Cisco Talos Security Intelligence & Research

Delivered: IPS Rules, Malware Protection, Reputation Feeds, Vulnerability Database Updates

Sources and methods:

• AEGIS™ Program

• Private and Public Threat Feeds

• Sandnets

• FireAMP™ Community: 300,000 detections added per day

• Honeypots

• Advanced Microsoft and Industry Disclosures

• Crete Program: 100,000 True Positive Events/Day

• Snort and ClamAV Open Source Communities

• File Samples: 1,100,000 daily

• Sandboxing, Machine Learning, Big Data Infrastructure

• Threat Grid Community

www.cisco.com/go/vmdc

www.cisco.com/go/safe

Thank you.
