Upload: cisco-public-sector

Post on 14-Jul-2015

TRANSCRIPT

Page 1: Creating Highly Secure Data Centers

Creating Highly Secure Data Centers

Jamie Sanbower, CCIE #13637 R&S/Security/Wireless

Technical Solutions Architect

February 2015

Page 2: Creating Highly Secure Data Centers

Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Agenda

§  Data Center Security Primer
§  Cisco’s DC Security Architecture
§  Threat Focused Visibility
§  Q&A

Page 3: Creating Highly Secure Data Centers


Data Center Security Primer

Page 4: Creating Highly Secure Data Centers

Data Center Evolution

Distributed:
§  Manual provisioning
§  Limited scaling
§  Rackwide VM mobility

Fabric-Based (Integrated Fabric and Cloud):
§  Policy-based provisioning
§  Scale physical and virtual/cloud
§  DC-wide/Cross-DC VM mobility

Application-Directed (World of Many Clouds):
§  Service-centric provisioning
§  Flexible – Anywhere, anytime
§  Cross-cloud VM mobility

(Figure: each stage is drawn as Compute, Storage, Services and L2/L3 layers; the fabric stage is labelled Programmable and Provisionable, and the cloud stage adds Monitoring Apps, Provisioning Apps, Networking Apps and End-User Apps on top of the fabric.)

Page 5: Creating Highly Secure Data Centers


Data Center Security Requirements

Scalability: Need for policy enforcement for high speed networks

Segmentation: Policy between specific groups, users, or applications

Resiliency: High availability is imperative for applications

Expanded Deployment Options: Policy enforcement on inter-DC traffic

Threat Centric: Threat correlation with contextual analysis

Virtualization: Security for east-west traffic in multi-hypervisor environments

Page 6: Creating Highly Secure Data Centers

Edge Security NOT Designed for the DC

Internet Edge Security:
•  Only sees symmetric traffic
•  Mostly sees Internet apps and micro-apps
•  Static scalability for predictable data volume, limited by edge data connection
•  Monitors ingress and egress traffic
•  Only requires a physical appliance; virtual devices (if any) limited to one hypervisor
•  Standard deployment takes days or weeks
•  Vendor support focused on traditional network deployments

Data Center Security:
•  Must manage asymmetric traffic
•  Sees customized and home-grown applications
•  Requires dynamic scalability to secure high-volume data bursts
•  Security needs to be integrated in-line (East/West)
•  Requires both a physical and a virtual solution; 42% of DCs have multiple hypervisors
•  Must be deployed in hours or minutes
•  The DC requires specialized support for planning, design, and implementation

Page 7: Creating Highly Secure Data Centers

1. Security Must Be Designed for the DC

Network Integration:
•  Must be deployed dynamically and quickly
•  Ties data center and security policy together
•  Gives the right tool to the right team

Optimum Performance:
•  Optimized for DC data bursts
•  Highly available and resilient
•  Matches security performance to network performance
•  Supports asymmetric traffic

Threat-Based Security:
•  North-south and East-west protection
•  Signature and signatureless protection
•  Reputation-based protection
•  Custom application inspection

Page 8: Creating Highly Secure Data Centers

2. Security Must Address The DC Architecture

Share of data center traffic by direction:
•  East – West Traffic: 76%
•  North – South Traffic: 17%
•  Inter-DC Traffic: 7%
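The point of this slide and the preceding one is that an ingress/egress sensor at the Internet edge never inspects the east-west majority of data center traffic. The following Python is an added example, not part of the deck and not Cisco code: it labels flow records as east-west, north-south or inter-DC from the site prefixes each endpoint belongs to, and reports the byte share an edge-only sensor would see. The site prefixes and the flow records are constructed (the byte counts are chosen so the mix mirrors the slide's 76/17/7 split); nothing here is real telemetry.

```python
"""Classify flow records as east-west, north-south or inter-DC traffic."""
import ipaddress
from collections import Counter

# Constructed site prefixes (assumption): two data-center sites.
SITES = {
    "dc-a": [ipaddress.ip_network("10.10.0.0/16")],
    "dc-b": [ipaddress.ip_network("10.20.0.0/16")],
}


def site_of(addr: str):
    """Return the site that owns an address, or None for anything outside the DCs."""
    ip = ipaddress.ip_address(addr)
    for site, nets in SITES.items():
        if any(ip in net for net in nets):
            return site
    return None


def classify(flow: dict) -> str:
    """Label one flow by where its two endpoints live."""
    src_site, dst_site = site_of(flow["src"]), site_of(flow["dst"])
    if src_site and dst_site:
        return "east-west" if src_site == dst_site else "inter-dc"
    if src_site or dst_site:
        return "north-south"
    return "external"  # neither end is in a data center: not DC traffic at all


# Constructed NetFlow-style records (src, dst, bytes); not real telemetry.
SAMPLE_FLOWS = [
    {"src": "10.10.1.5", "dst": "10.10.2.9", "bytes": 4000},     # web -> app, same site
    {"src": "10.10.3.7", "dst": "10.10.1.5", "bytes": 3600},     # db replication, same site
    {"src": "203.0.113.8", "dst": "10.10.1.5", "bytes": 1000},   # Internet client -> web
    {"src": "10.10.2.9", "dst": "198.51.100.20", "bytes": 700},  # app -> external API
    {"src": "10.10.1.5", "dst": "10.20.1.5", "bytes": 700},      # dc-a -> dc-b
]


def traffic_mix(flows) -> dict:
    """Percentage of bytes per class, over the flows that touch a data center."""
    totals = Counter()
    for flow in flows:
        label = classify(flow)
        if label != "external":
            totals[label] += flow["bytes"]
    grand = sum(totals.values())
    if not grand:
        return {}
    return {label: round(100.0 * n / grand, 1) for label, n in totals.items()}


def edge_visible_share(flows) -> float:
    """Share of DC bytes that crosses the Internet edge: all an edge-only sensor inspects."""
    return traffic_mix(flows).get("north-south", 0.0)


if __name__ == "__main__":
    print(traffic_mix(SAMPLE_FLOWS))
    print(f"edge sensor sees {edge_visible_share(SAMPLE_FLOWS)}% of DC bytes")
```

Feeding real flow exports (NetFlow/IPFIX) into `classify` with the organisation's own prefixes gives the same breakdown for a live data center, which is the quickest way to quantify how much traffic bypasses a perimeter-only design.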

Page 9: Creating Highly Secure Data Centers

3. Security Must Adapt As The DC Evolves

Changing business models and competitive environments are driving IT organizations down a DC evolutionary path: Virtualization, SDN, NFV, ACI, Cloud… But what about security?

Page 10: Creating Highly Secure Data Centers

4. Security Must Be Threat Oriented

Attack Continuum (across Network, Endpoint, Mobile, Virtual, Cloud):
•  Before: Control, Enforce, Harden
•  During: Detect, Block, Defend
•  After: Scope, Contain, Remediate

Point in Time → Continuous

Page 11: Creating Highly Secure Data Centers

5. Data Centers Don’t Exist In A Vacuum

Data – and threats – flow horizontally across a network.

Page 12: Creating Highly Secure Data Centers


Cisco’s DC Security Architecture

Page 13: Creating Highly Secure Data Centers

Combined Overview of CVD Architecture

(Figure: SEA on FlexPod, showing Active Directory, Identity Services Engine, Cisco Security Manager, the Enterprise Core, NetFlow Generation Appliances, the Cisco Nexus® 1000v Virtual Supervisor Module, data and cluster control link (CCL) paths, SAN storage, Cyber Threat Defense, Single Site ASA Clustering, and Threat Management with NextGen IPS.)

Page 14: Creating Highly Secure Data Centers

Secure Data Center for the Enterprise Portfolio

Modular approach for Customer Investment Protection

PLUS, a NEW CVD is now available for Secure DC Cloud! That’s FIVE solutions jointly validated to create a complete portfolio

Page 15: Creating Highly Secure Data Centers

Simplifying Security Across the Enterprise: End-to-End Cisco TrustSec® Security

(Figure: Campus and mobile workers – remote VPN users, wireless users and wired users on IT-managed and personal devices – are classified by user identity and device through the Identity Services Engine, which assigns Security Group Tags (SG Tags) and role-based policies for authorized users and guest access. In the data center, a Cisco® ASA 5585-X firewall cluster (master and slaves) enforces policies pushed from Cisco® Security Manager as Allow / Limited Access / Deny decisions per security group. Cisco UCS® Director provisions workloads on Vblocks/FlexPods (compute, storage, converged network stack) behind Cisco Nexus® 7000 switches, with vSphere hosts in Tier 1, Tier 2 … Tier N each running App/OS virtual machines on a Cisco Nexus 1000V.)

The ASA firewall learns when a new workload is provisioned and automatically applies security policy.

The administrator assigns the workload to the proper group; switches send an update to devices for policy maps.

Page 16: Creating Highly Secure Data Centers

System Isolation via Microsegmentation: Fabric or Traditional DC Network

Policy per App Tier, per VM, per vNIC:
•  Control ingress/egress & inter-VM traffic
•  NGFW/NGIPS, FW, SGACL, PVLANs
•  Traffic and Threat Visibility
•  Advanced Malware Protection
•  Administrative Segregation: Server • Network • Security

(Figure: Tenant A and Tenant B each in their own VDC, with a Web Tier and an App Tier (Web, App and DB workloads) on a Nexus 1000V, protected by an ASAv/NGFW and a VSG per tenant.)

Page 17: Creating Highly Secure Data Centers

ACI policy model ENABLES Micro-Segmentation across physical and virtual workloads

DATA CENTER MICRO-SEGMENTATION IN ACI USING EPG AND CONTRACTS (virtual and physical workloads)

§  ACI micro-segmentation provides security for east/west traffic
§  Supports physical and virtual workloads
§  Automated on white-list application-centric policy model
§  L4-7 Security Device Integration and Policy Automation
§  Enables visibility and troubleshooting

Page 18: Creating Highly Secure Data Centers

ACI WHITELIST policy SUPPORTS “ZERO TRUST” MODEL

TRUST BASED ON LOCATION (Traditional DC Switch): Servers 1–4 attached to the same switch; Servers 2 and 3 can communicate unless blacklisted.

ZERO TRUST ARCHITECTURE (Nexus 9000 with ACI): Servers 1–4 placed into EPG 1 “WEB” and EPG 2 “APP”; no communication allowed between Servers 2 and 3 unless there is a whitelist policy.

Whitelist policy = Explicitly configured ACI contract between EPG 1 and EPG 2 allowing traffic between their members. ACI architecture allows flexible EPG membership, enabling a wide range of security policies.
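The two trust models on this slide, and the group-based Allow / Limited Access / Deny lookup on the earlier TrustSec slide, come down to the same question: given the groups of the two endpoints, is this protocol and port permitted? The Python below is an added example, not Cisco code and not the ACI or TrustSec implementation; it is a small simulation of both models. The four server names, the EPG membership (WEB = srv1, srv2; APP = srv3, srv4), the single contract and the rule that intra-EPG traffic passes by default are all assumptions of this model; a "limited access" policy corresponds to a contract carrying only a narrow filter set.

```python
"""Location-based trust versus an EPG/contract whitelist (constructed model)."""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Filter:
    """One protocol/port entry allowed by a contract."""
    proto: str
    port: int


class LocationTrustSwitch:
    """Traditional switch: anything attached may talk to anything else unless blacklisted."""

    def __init__(self, blacklist=()):
        self.blacklist = set(blacklist)  # (src, dst) pairs explicitly denied

    def permits(self, src, dst, proto, port) -> bool:
        return (src, dst) not in self.blacklist


class ZeroTrustFabric:
    """Whitelist model: endpoints belong to EPGs; nothing crosses EPGs without a contract."""

    def __init__(self):
        self.epg_of = {}     # endpoint name -> EPG name
        self.contracts = []  # (consumer EPG, provider EPG, frozenset of Filter)

    def add_endpoint(self, name, epg):
        self.epg_of[name] = epg

    def add_contract(self, consumer, provider, filters):
        self.contracts.append((consumer, provider, frozenset(filters)))

    def permits(self, src, dst, proto, port) -> bool:
        src_epg, dst_epg = self.epg_of.get(src), self.epg_of.get(dst)
        if src_epg is None or dst_epg is None:
            return False  # unknown endpoint: it is in no EPG, so no policy can match it
        if src_epg == dst_epg:
            return True   # assumption of this model: intra-EPG traffic passes by default
        wanted = Filter(proto, port)
        # Contracts are directional: the consumer EPG initiates towards the provider EPG.
        return any(c == src_epg and p == dst_epg and wanted in f
                   for c, p, f in self.contracts)


def allowed_pairs(model, endpoints, proto, port):
    """Every ordered (src, dst) pair the model lets through for one protocol/port."""
    return {(s, d) for s, d in permutations(endpoints, 2) if model.permits(s, d, proto, port)}


def build_demo() -> ZeroTrustFabric:
    """Four servers as on the slide: WEB = {srv1, srv2}, APP = {srv3, srv4}; one contract."""
    fabric = ZeroTrustFabric()
    for name in ("srv1", "srv2"):
        fabric.add_endpoint(name, "WEB")
    for name in ("srv3", "srv4"):
        fabric.add_endpoint(name, "APP")
    fabric.add_contract("WEB", "APP", [Filter("tcp", 8080)])  # constructed contract
    return fabric


if __name__ == "__main__":
    servers = ["srv1", "srv2", "srv3", "srv4"]
    legacy, fabric = LocationTrustSwitch(), build_demo()
    for proto, port in (("tcp", 8080), ("tcp", 22)):
        print(proto, port,
              "location-trust pairs:", len(allowed_pairs(legacy, servers, proto, port)),
              "zero-trust pairs:", len(allowed_pairs(fabric, servers, proto, port)))
```

Counting the allowed (src, dst) pairs is the useful check: with four servers the location-trust model exposes all 12 ordered pairs on every port, while the whitelist exposes 8 pairs on the contracted port and only the 4 intra-EPG pairs on anything else, and an endpoint that was never placed in an EPG can reach nothing.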

Page 19: Creating Highly Secure Data Centers

ASA Cluster Scalability

(Figure: Layer-2 deployment data plane. Nexus 7K #1 and Nexus 7K #2 are vPC peers; an ASA 5585-X cluster of up to 16 units (one master, the rest slaves, numbered 1 to 16) attaches to them over port-channel PC-1.)

A 16 node ASA 5585-X cluster* can deliver up to:
§  256Gbps of real-world mixed traffic throughput (640Gbps Max)
§  50M concurrent connections
§  Consistent scaling factor regardless of units in cluster
§  Handles the expected asymmetric traffic flows found in modern data centers
§  Integrates with FirePOWER Appliances and Services Modules for AVC and NextGen IPS

*Cisco ASA Software release 9.2 +

Page 20: Creating Highly Secure Data Centers

Cisco ASA Clustering: Correct Asymmetric Flows

(Figure: Two ASA / FirePOWER appliance sets. Each set is an ASA 5585-X (ASA-1, ASA-2) with a North context and a South context, each with inside/outside interfaces and a firewall policy, paired with an NGIPS (NGIPS-1, NGIPS-2) for flow inspection. A flow's request from source to destination arrives at one set and its reply at the other; the receiving ASA performs a cluster lookup of the flow owner and hands the packet over the cluster control link (CCL) so the owner applies the firewall policy and flow inspection. LACP on the upstream switch chooses which ASA a packet is sent to.)

ASA Clustering eliminates the need for a stateful load-balancer in the data center to scale security services performance.
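The "cluster lookup of flow owner" exchange on this slide is what lets the cluster absorb asymmetric paths without a load balancer in front of it. The Python below is an added example, not Cisco code and a deliberate simplification of ASA clustering: the unit that sees a connection's first packet becomes its owner, a director unit chosen by hashing the flow key records who the owner is, and any other unit that receives a packet for that flow asks the director over the CCL and forwards the packet to the owner, so policy and inspection state live in one place. The unit count, the addresses, the firewall policy and the SHA-256 stand-in for the switch's LACP hash are all assumptions.

```python
"""Owner / director / forwarder handling of an asymmetric flow (constructed model)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True only for the first packet of a connection


def flow_key(pkt: Packet) -> tuple:
    """Direction-independent key, so request and reply map to the same flow."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, ends[0], ends[1])


def _bucket(text: str, n: int) -> int:
    return int.from_bytes(hashlib.sha256(text.encode()).digest()[:4], "big") % n


def lacp_unit(pkt: Packet, n_units: int) -> int:
    """Stand-in for the switch's LACP hash: fixed per header, but a reply (swapped
    addresses and ports) may land on a different unit than its request."""
    return _bucket(f"{pkt.src}:{pkt.sport}>{pkt.dst}:{pkt.dport}", n_units)


class Cluster:
    def __init__(self, n_units: int, policy):
        self.n = n_units
        self.policy = policy                                # callable(Packet) -> bool
        self.owned = [dict() for _ in range(n_units)]       # per unit: flow key -> packets seen
        self.directory = [dict() for _ in range(n_units)]   # per director: flow key -> owner
        self.ccl = []                                       # (from_unit, to_unit, message, key)

    def director_for(self, key) -> int:
        return _bucket(repr(key), self.n)

    def receive(self, unit: int, pkt: Packet):
        """Packet arrives at `unit`; returns (verdict, unit that inspected it)."""
        key = flow_key(pkt)
        if key in self.owned[unit]:                 # this unit owns the flow: inspect locally
            return self._inspect(unit, key)
        director = self.director_for(key)
        if pkt.syn:                                 # new connection: apply policy, become owner
            if not self.policy(pkt):
                return ("drop", unit)
            self.owned[unit][key] = 0
            self.directory[director][key] = unit
            self.ccl.append((unit, director, "register-owner", key))
            return self._inspect(unit, key)
        self.ccl.append((unit, director, "owner-lookup", key))
        owner = self.directory[director].get(key)
        if owner is None:                           # mid-flow packet with no state anywhere
            return ("drop", unit)
        self.ccl.append((unit, owner, "forward", key))  # hand the packet to the owner over CCL
        return self._inspect(owner, key)

    def _inspect(self, unit: int, key):
        self.owned[unit][key] += 1
        return ("permit", unit)


def asymmetric_pair(n_units: int):
    """Find a request/reply pair whose LACP buckets differ, i.e. an asymmetric path."""
    for sport in range(40000, 65536):
        req = Packet("192.0.2.10", sport, "10.1.1.10", 443, syn=True)  # constructed addresses
        rep = Packet("10.1.1.10", 443, "192.0.2.10", sport)
        if lacp_unit(req, n_units) != lacp_unit(rep, n_units):
            return req, rep
    raise RuntimeError("no asymmetric pair found")


def demo(n_units: int = 2) -> dict:
    """Run one asymmetric connection through the cluster and report what happened."""
    cluster = Cluster(n_units, policy=lambda p: p.dst == "10.1.1.10" and p.dport == 443)
    req, rep = asymmetric_pair(n_units)
    req_unit, rep_unit = lacp_unit(req, n_units), lacp_unit(rep, n_units)
    req_verdict, req_by = cluster.receive(req_unit, req)
    rep_verdict, rep_by = cluster.receive(rep_unit, rep)
    stray = Packet("10.1.1.10", 443, "198.51.100.7", 51000)  # reply for a flow nobody set up
    stray_verdict, _ = cluster.receive(lacp_unit(stray, n_units), stray)
    return {"request_unit": req_unit, "reply_unit": rep_unit,
            "request_verdict": req_verdict, "reply_verdict": rep_verdict,
            "inspected_by": (req_by, rep_by), "stray_verdict": stray_verdict,
            "ccl_messages": [m for _, _, m, _ in cluster.ccl]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two properties worth checking are that both halves of the connection are inspected by the same unit even though they entered on different units, and that a packet for a connection no unit set up is dropped rather than admitted just because it looks like a reply.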

Page 21: Creating Highly Secure Data Centers

Integrated Design – Connect an Enclave

(Figure: ASA / FirePOWER set with the NGIPS as a FirePOWER Service Module blade in the main system. Traffic from source to destination enters the outside interface (VPN decryption), is matched against the firewall policy in the ASA Cluster – Enclave 1 contexts, and policy-based diverted traffic goes to the blade for flow inspection before leaving the inside interface.)

Page 22: Creating Highly Secure Data Centers

Appliance Design – Connect an Enclave

(Figure: ASA / FirePOWER appliance set: an ASA (5585-X) with North and South contexts (inside/outside interfaces, firewall policy) and an NGIPS (FP-8250) for flow inspection. The ASA Cluster – Enclave 1 contexts hand traffic to the NGIPS – Enclave 1 virtual switches over external/internal VLAN pairs (VLAN 2101/3101 and VLAN 2001/3001) across PC-Links carrying DATA.)

Page 23: Creating Highly Secure Data Centers

Device Scalability

•  Redundant Switches → Single Virtual Switch: Virtual PortChannel (vPC) on Nexus, Virtual Switch System (VSS) on Catalyst
•  Redundant Firewalls → Single Logical Firewall: Clustering with full state backup
•  Complete Fault Tolerance: Spanned Etherchannel with LACP for ports, Non-Stop Forwarding (NSF) for OSPF/BGP

(Figure: Cluster attached to a vPC/VSS switch pair.)

Page 24: Creating Highly Secure Data Centers

Site Scalability

•  Endpoint Mobility / Local Traffic Processing: Inter-site Clustering; clustering with full state backup; site-specific switch connections
•  VLAN Segment Extension: Overlay Transport Virtualization (OTV); clustering retains connection state

(Figure: Site A and Site B joined by the stretched cluster.)

Page 25: Creating Highly Secure Data Centers

Scalable Data Center Security Solution

(Figure: Network, ASA and FirePOWER layers; Cluster attached to vPC/VSS.)

Seamless Network Insertion:
•  Etherchannel/LACP
•  Equal Cost Multipath (ECMP)
•  Non-Stop Forwarding (NSF)
•  Virtual Port Channel (vPC)
•  Virtual Switch System (VSS)
•  Overlay Transport Virtualization (OTV)

Segmentation and Symmetry:
•  Stateful flow security
•  Same and Inter-site Clustering
•  Selective redirection to FirePOWER

Complete Threat Visibility:
•  Industry leading AVC, NGIPS, AMP
•  Fully symmetrical flows
•  Trusted flow offload to ASA

Page 26: Creating Highly Secure Data Centers

Physical vs Virtual ASA Network Integration

(Figure: Enterprise Network and Data Center layers – Core, Aggregation, Access, Compute – showing where a physical ASA 5585-X and a virtual ASAv / vSensor are inserted.)

Page 27: Creating Highly Secure Data Centers

Transparent vs Routed ASA Network Integration

(Figure: Enterprise Network and Data Center layers – Core, Aggregation, Access, Compute – with Layer 3 links and Layer 2 trunks. Routed ASA L3FW instances sit at the Tenant Edge; transparent ASA L2FW instances and an ASAv L2FW (PCI) sit in Layer 2 segments.)

Page 28: Creating Highly Secure Data Centers


Threat Focused Visibility

Page 29: Creating Highly Secure Data Centers

Superior Integrated & Multilayered Protection

(Figure: Cisco ASA with Identity-Policy Control & VPN, Network Firewall, Routing | Switching, and Clustering & High Availability; FireSIGHT Analytics & Automation with Built-in Network Profiling; Application Visibility & Control; Intrusion Prevention (Subscription); URL Filtering (Subscription); Advanced Malware Protection (Subscription); Cisco Collective Security Intelligence Enabled.)

•  World’s most widely deployed, enterprise-class ASA stateful firewall
•  Granular Cisco® Application Visibility and Control (AVC)
•  Industry-leading FirePOWER next-generation IPS (NGIPS)
•  Reputation- and category-based URL filtering
•  Advanced malware protection

Page 30: Creating Highly Secure Data Centers

Application Security and Visibility

•  Enhanced Visibility
   o  1,800+ Applications + stats
   o  File types, transfer direction/protocol
   o  Mobile Device type, OS, version
   o  Geolocation (country, postcode, time zone, lat/long., ISP, etc.)
   o  IPv6 address support throughout
•  Improved UI/Admin
   o  Visual Device Management
   o  Security and Network Admin Roles
   o  Admin Role Editor
•  Dashboards/Reporting
   o  Customizable Widgets
   o  Graphical Reports – Report Creator

Page 31: Creating Highly Secure Data Centers

Granular Controls and Advanced Malware Protection

•  Expanded Controls
   o  Application Control on NGIPS
   o  URL Filtering
   o  File Blocking
   o  Security Intelligence / IP Blacklisting
   o  Geolocation Blocking
•  Security Automation
   o  Impact Assessment
   o  Recommended Rules
•  Advanced Malware Protection
   o  Network File Trajectory
   o  Network Malware Blocking

Page 32: Creating Highly Secure Data Centers

Application Security & Visibility
•  Defense Center with FireSight

Page 33: Creating Highly Secure Data Centers

Application Security & Visibility
•  Geo Location Information

Page 34: Creating Highly Secure Data Centers

Retrospective Security
•  Network File and Device Trajectory

Page 35: Creating Highly Secure Data Centers


Q&A

Page 36: Creating Highly Secure Data Centers

Thank you.