data center optimization and security design
TRANSCRIPT
© 2007 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
Data Center Optimization and Security Design
April 2009
Teerapol Tuanpusa
Cisco Systems Thailand
Email: [email protected]
Agenda
Optimize and Secure Data Center
Drivers and Requirements
Design Guidance
Common Points of Interest
ACE vs FWSM vs Appliances
Key Takeaways
Optimize and Secure Data Center
Business Continuity:
Effective crisis management
Protected data redundancy
Improved global access to core critical services and data
Compliance Issues:
SOX
PCI
HIPAA
Gramm-Leach-Bliley Act (GLBA)
Service Resilience:
Load sharing and acceleration
Application protection
SSL Offload and load balancing
Data Protection:
Perimeter Protection
Encryption Services
Virtualized data inspection services
XML/APP Security
Data Centers are Evolving
(chart: IT Relevance and Control versus Application Architecture Evolution)
Data Center 1.0: Mainframe (CENTRALIZED)
Data Center 2.0: Client-Server and Distributed Computing (DECENTRALIZED)
Data Center 3.0: Service Oriented and Web 2.0 Based (VIRTUALIZED)
Data Center Strategy and Evolution
Consolidation:
• Scale
• Performance
• Density
• Availability
• Operational Manageability
• Investment Protection
Virtualization:
• Power Savings
• Service Velocity
• Opex Alignment
• Capital Utilization Improvement
• Flexibility
Automation:
• Net-Centric Server Evolution
• Virtual Machine Network Coupling
• Inline Data Protection
• Separation of Policy and Forwarding
DC Optimization and Acceleration Technologies
(diagram: branch with ISR and WAE; WAN; data center with HQ router, Catalyst 6500, ACE, applications, storage and content)
Branch/WAN:
Wide Area Application Engine (WAE) running WAAS
Integrated Services Router (ISR): IOS with NetFlow, NBAR, QoS, IP SLAs, ...
Data Center:
Application Velocity System (AVS), now integrated into ACE
Application Control Engine (ACE)
Catalyst 6500 switches
Cisco Application Control Engine (ACE) Solution
(diagram: WAAS, Catalyst 6500 with ACE, ACE XML Gateway and ACE GSS in front of web and application servers, MDS 9500 with fabric services and enterprise-class storage)
Virtualized application services:
Application Switching and Server Offload (SSL Offload)
Application Acceleration (AVS integrated)
Application and Server Farm Security
Network Services for SOA and Web 2.0 Applications: ACE XML Gateway (web services)
Multi-DC Application Traffic Management: ACE GSS
Solution Benefits:
Faster application deployment/scale
Maximum availability and performance
Comprehensive security
Ready for SOA evolution
Application Fluent Networking for the Data Center
Supporting Multiple Applications: The Old Way
One Physical Application Switch (inefficient isolation):
No isolation
Applications compete for resources
Changes to one app can impact others
Overly complex device config files
OR
Many Physical Application Switches (one device per application):
Device sprawl
Underutilized device resources
Complex to upgrade
Supporting Multiple Applications: The Cisco ACE Way
ACE Virtualized Architecture: Virtual Devices and RBAC
One physical application switch, multiple virtual devices (ideal isolation)
Isolate and secure applications, customers, and/or departments based on virtual devices
Customized, guaranteed resources per application on a single ACE
Cisco Wide Area Application Services (WAAS): Bridging the gap between centralized IT and distributed users
Solutions:
Application acceleration
Branch IT consolidation
WAN bandwidth optimization
Improved data compliance
Technologies:
Compression & acceleration
Router integration
Security integration
Application SLA integration
Deployment:
Software: Wide Area Application Services
Hardware: Wide Area Application Engine
Branch and data center deployment
Mobile VPN acceleration deployment
(diagram: WAAS at the branch office, regional office and data center across the WAN; domestic and international mobile users running WAAS Mobile software over VPN across the Internet to a WAAS Mobile server)
Wide Area Application Services (WAAS) Acceleration Technologies
Data Redundancy Elimination (DRE) and compression:
Strong data reduction (5-10x typical, 100x peak)
Excellent support for HTTP, FTP, CIFS, MAPI, Notes, and most known protocols
TCP Flow Optimizations (TFO), fill the pipe: window scaling, congestion management
Support transactional traffic through network latency reduction
Up to 450 Mbps optimized traffic
Support for File Server Consolidation: safe caching of data and metadata
Predictive read-ahead, write-behind, 93% latency reduction
Pre-positioning, disconnected operation
Print services
10x OFFLOAD factor
(figure: DRE database lookup turning the original message into an encoded message; only non-redundant data and new signatures are sent, 552 bytes transferred in the example)
(figure: cwnd over time (RTT) for standard TCP slow start and congestion avoidance versus TFO; Cisco TFO provides significant throughput improvements over standard TCP implementations)
Branch User Acceleration Technologies
Advanced Compression/Cache:
Data Redundancy Elimination (up to 100:1 compression)
Persistent LZ Compression (additional 10:1 compression)
Application Specific Acceleration:
Application protocol aware
Windows file services (CIFS)
Windows print services
Server offload technology
TCP Flow Optimization (TFO):
LAN-like TCP behavior
Loss mitigation
Slow-start mitigation
(figure: throughput over time before and after optimization is enabled; end-user throughput goes up 5x while WAN consumption drops 67%)
LAN-like throughput, bandwidth savings, fewer roundtrips
ACNS/WAAS Bandwidth Savings
Similar to ACNS, but now for *all* TCP protocols
Bandwidth savings
Improved response time as a result of chattiness reduction
Enabler for additional consolidation and virtualization
(figure: WAN volume of HTTP* and non-HTTP traffic before and after ACNS, and before and after WAAS)
* Note: ACNS also reduces video streaming and CIFS for laptop re-imaging
ANS Acceleration Findings
Observation
Varies greatly by protocol, application & network capacity / delay
Data Points (based on a subset of technologies)
Remote users: typically 1.5 to 20x faster for unencrypted apps
HTTP: 2.5 to 10x faster
Outlook/Exchange: 1.5 to 2x faster (small RPC/MAPI buffer size)
CIFS over the WAN: 1.5 to 20x faster
HTTPS: no data (limited acceleration today using AVS, more with WAAS+ Distributed Reverse Proxy in future)
Nearby users: 1.0 to 2.5x faster
Productivity Impact
Assume 20 HTTP pages / user / day at 30 seconds each = 10 mins
Key Messages
Absolute “wait time” can be excessive (30-90 seconds for 1 HTTP page not a seldom exception)
The worse the performance caused by WAN, the better the acceleration
Application Vendor Validated
Product validation: Cisco WAAS + VPN Routers (IOS 12.3) certified by SAP:
• WAN Optimization, Enterprise SOA compliant
• SAP NetWeaver Application Server 7.0
• SAP ERP ECC 6.0
Company validation: "Working together with Cisco on their application delivery and application-oriented networking solutions, we aim to raise the application awareness of the network layers of the IT architecture, resulting in a stronger, more effective business process framework for our customers."
- Gordon Simpson, Vice President of Applied Platform Technology, SAP
Customer validation: "Cisco WAAS has accelerated our SAP response time by up to 75% across the WAN, and given us the best compatibility and lowest TCO."
- Jim Ward, CIO, Pacer International
Three Tiers of Data Center Security
Features of a typical data center design:
Maximum protection at the application and data layers
Higher level of protection from DDoS and malicious traffic
(figure: tiers 1, 2 and 3)
Security Services in the Data Center
Firewalls
SLB+SSL
IDS (IPS)
VPN
DDoS detection and mitigation
Application Firewalls
Typical Concerns from Customers
Segmentation and Insertion
Logging/Reporting/Operations
Performance bottlenecks
Server-to-Server, Client-to-Server
Services Layer Security
The services plane for a Service Provider's Data Center typically supports the "Managed Services" delivered to end customers, such as managed firewall and network-based VPN services.
Insertion of "virtualized" services adds new challenges:
Resource Management
Service Chaining
Service path selection
Network service scale: VLANs, VRFs, Interfaces, Bandwidth
(diagram: customers 1 through N, each mapped onto its own virtual network service)
Virtualization building blocks:
VRF, VPN, VSS
ACE Context, RBAC
FWSM Context, RBAC
Virtual Sensor (IPS)
VLAN, PVLAN
Server-to-Server Traffic: 3-Tier Server Design
Minimize VLAN consumption: shared VLAN for client traffic
Dynamic path selection for servers behind services (RHI)
Service Insertion: Consolidate in DC Aggregation or Core
Consolidate FW, SSL and SLB services in the Aggregation or Core layers
Cost drives consolidation to the Core when bandwidth is not an issue
Server-to-server traffic requirements may drive services to the Aggregation layer
Segment traffic: Layer 2 VLAN/PVLANs, Layer 3 VRF/VPNs
(diagram: DC Core, L3 Edge, Aggregation and Access layers)
Service Insertion: Services Chassis
(diagram: DC Core, L3 Edge, Aggregation and Access layers, with a separate services switching chassis attached to the Aggregation layer)
Services Switching Chassis frees slots in the Aggregation and Core layers for 10GE ports
10 GigEtherchannel interconnectivity
Segment traffic: Layer 2 VLAN/PVLANs, Layer 3 VRF/VPNs
Dual chassis for HA resilience
Services chained in the Web, Application and Database tiers
FWSM and Private VLAN: Secure Server-to-Server Traffic on 1 VLAN
Secure Server-to-Server Traffic:
PVLAN at the Access layer, server access ports isolated
Trunk the primary VLAN (dot1q trunk) to the FWSM
Set permit intra-interface on the FWSM
Cons:
Each server requires a static route (via the FWSM) to reach servers on the same VLAN, since isolated ports cannot talk to each other directly
Saves VLAN consumption, but now consumes bandwidth between Aggregation and Access for every server-to-server flow
Server-to-server and server-to-client traffic are both counted at the FWSM, which can be problematic for billing
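As an added example, not part of the original deck, here is how the design on this slide is configured end to end: isolated private-VLAN host ports on a Catalyst access switch, the primary VLAN trunked to a Catalyst 6500 that hosts an FWSM 3.x in slot 3, the FWSM context allowed to hairpin traffic, and the per-server host routes the slide lists as a con. VLAN numbers, interface names, the 10.1.100.0/24 addressing and the server names are placeholders.

```cisco
! ---- Access switch (Catalyst, IOS 12.2) ----
! Primary VLAN 100 carries the subnet; isolated VLAN 101 holds the servers.
! Hosts on isolated ports can reach only promiscuous ports, never each other.
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
!
interface range GigabitEthernet1/1 - 2
 description web-01 / web-02 (assumed names), isolated host ports
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! One dot1q trunk to the aggregation chassis; both the primary and the
! isolated VLAN must be allowed on it.
interface TenGigabitEthernet1/49
 description uplink to aggregation / FWSM
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,101
!
! ---- Aggregation chassis (Catalyst 6500 supervisor) ----
! Same private VLAN definition. Only the primary VLAN is handed to the FWSM;
! the FWSM needs no knowledge of the isolated VLAN and behaves as the
! promiscuous device for VLAN 100 (assumed here; verify on your release).
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
firewall vlan-group 10 100
firewall module 3 vlan-group 10
!
! ---- FWSM 3.x, inside the context that owns VLAN 100 ----
! By default the FWSM drops a packet that would leave on the interface it
! arrived on. Permitting intra-interface traffic lets server-to-server flows
! hairpin through the firewall, where the ACL below inspects them.
same-security-traffic permit intra-interface
interface Vlan100
 nameif servers
 security-level 50
 ip address 10.1.100.1 255.255.255.0
!
access-list SERVERS-IN extended permit tcp host 10.1.100.11 host 10.1.100.12 eq 8080
access-list SERVERS-IN extended permit tcp host 10.1.100.12 host 10.1.100.11 eq 8080
access-list SERVERS-IN extended deny ip 10.1.100.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list SERVERS-IN extended permit ip 10.1.100.0 255.255.255.0 any
access-group SERVERS-IN in interface servers
!
! ---- The slide's first "con": a host route per peer on every server ----
! web-01 (10.1.100.11) and web-02 (10.1.100.12) share a subnet, so each OS would
! ARP for the other directly, and the isolated VLAN never delivers that ARP.
! A /32 route via the FWSM address pushes the packet up to the firewall instead:
!   Linux:    ip route add 10.1.100.12/32 via 10.1.100.1
!   Windows:  route -p add 10.1.100.12 mask 255.255.255.255 10.1.100.1
```

With this in place a flow from web-01 to web-02 on port 8080 leaves the isolated port, crosses the access uplink to the FWSM, is matched by SERVERS-IN and comes back down the same trunk, which is exactly the extra Aggregation-to-Access bandwidth and the double-counting the slide warns about; `show conn` on the FWSM context will show both directions of the hairpinned flow.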
Service Module Virtualization: Resource Management
There are NO templates or cookie-cutter designs
First goal should be to protect against resource exhaustion: cap "connections" and "inspections"
FWSM logging requires control; most log on "deny connections"
ACE logging is done in the fast path; if not logging in the fast path, control-plane based syslog resource management is required
Differences in CLI can be challenging:
ACE: resources defined as a percentage; a resource is set as "maximum equal to minimum" or unlimited; bandwidth is treated as a resource
FWSM: resources defined as a percentage or an absolute number; a resource is set as a maximum; bandwidth is not an option
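An added example, not from the deck, showing the two CLIs the comparison above contrasts, assuming an FWSM 3.x and an ACE module both in multi-context mode; class names, percentages, VLAN numbers and context names are placeholders chosen to exercise each syntax.

```cisco
! ---- FWSM 3.x, system execution space ----
! A limit is a hard maximum per context in the class and may be given as a
! percentage of the module OR as an absolute count; "rate" limits are per
! second. There is no bandwidth resource on the FWSM.
class gold
 limit-resource conns 10%
 limit-resource rate conns 8000
 limit-resource rate inspects 2000
 limit-resource rate syslogs 500
 limit-resource hosts 5000
 limit-resource xlates 20000
!
class silver
 limit-resource conns 5%
 limit-resource rate conns 2000
 limit-resource rate inspects 500
 limit-resource rate syslogs 100
!
context cust-1
 description assumed customer 1
 member gold
 allocate-interface vlan110
 allocate-interface vlan210
 config-url disk:/cust-1.cfg
!
context cust-2
 description assumed customer 2
 member silver
 allocate-interface vlan120
 allocate-interface vlan220
 config-url disk:/cust-2.cfg
!
! ---- ACE module, Admin context ----
! Limits are percentages only. "maximum equal-to-min" reserves exactly the
! minimum and never lets the context burst; "maximum unlimited" lets it grow
! into whatever is unallocated. Bandwidth and syslog rate are resources here.
resource-class GOLD
  limit-resource all minimum 10.00 maximum equal-to-min
  limit-resource rate bandwidth minimum 10.00 maximum unlimited
  limit-resource rate syslog minimum 5.00 maximum equal-to-min
  limit-resource conc-connections minimum 10.00 maximum equal-to-min
!
resource-class SILVER
  limit-resource all minimum 5.00 maximum equal-to-min
  limit-resource rate syslog minimum 2.00 maximum equal-to-min
!
context cust-1
  description assumed customer 1
  allocate-interface vlan 310
  member GOLD
!
! Verify that the caps bite before the module does (both platforms):
!   FWSM:  show resource usage context cust-1
!   ACE:   show resource usage context cust-1
```

The syslog rate caps are the point the slide makes about logging: without them a single context that logs every denied connection can starve the control plane of the whole module, and on the ACE the syslog limit is what keeps a non-fast-path logging policy from doing the same.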
Service Layer Design: Fault-Tolerant Service Design
Active-Active Service Design
Application Control Engine: active-standby distribution per context
Firewall Services Module (3.x): two active-standby failover groups permit distribution of contexts across two FWSMs (per group, not per context)
Permits uplink load balancing while having services applied
Increases overall service performance
Complex troubleshooting
(diagram: core above two aggregation switches, with VLANs 5 and 6 active on opposite sides)
Service Layer Design: Fault-Tolerant Service Design
Active/Standby alignment
Align server access to the primary components in the aggregation layer:
–primary HSRP instance
–active/standby service context
–path preference
Provides a more predictable design
Simplifies troubleshooting
More efficient traffic flow; decreases the chance of flow ping-pong across the inter-switch link
(diagram: core above two aggregation switches carrying VLANs 5 and 6)
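An added example, not from the deck, of the alignment these two slides describe: HSRP, the FWSM failover group and the ACE fault-tolerant group for one server VLAN are all weighted so that aggregation switch dc-agg-1 is the active path and dc-agg-2 only takes over on failure. Hostnames, VLAN numbers and addresses are assumptions; the FWSM part assumes 3.x active/active with two failover groups as on the previous slide.

```cisco
! ---- dc-agg-1 MSFC: primary HSRP for the server VLAN ----
interface Vlan5
 description web tier gateway (assumed)
 ip address 10.1.5.2 255.255.255.0
 standby 1 ip 10.1.5.1
 standby 1 priority 110
 standby 1 preempt delay minimum 180
 standby 1 authentication md5 key-string assumed-key
! (dc-agg-2 carries the same block with priority 90, so it only wins on failure)
!
! ---- FWSM 3.x (system context), active/active with two failover groups ----
! Contexts fail over by group, not individually: group 1 is normally active on
! the primary unit (dc-agg-1), group 2 on the secondary. The web tier context
! joins group 1 so its active firewall sits beside the active HSRP gateway.
failover lan unit primary
failover lan interface fover Vlan 900
failover link state Vlan 901
failover interface ip fover 10.255.90.1 255.255.255.0 standby 10.255.90.2
failover interface ip state 10.255.91.1 255.255.255.0 standby 10.255.91.2
failover group 1
 primary
 preempt 120
failover group 2
 secondary
 preempt 120
context web-tier
 allocate-interface vlan5
 allocate-interface vlan6
 join-failover-group 1
 config-url disk:/web-tier.cfg
failover
!
! ---- ACE (Admin context): FT is per context, each context picks its own winner ----
ft interface vlan 950
  ip address 10.255.95.1 255.255.255.0
  peer ip address 10.255.95.2 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 950
ft group 1
  peer 1
  priority 200
  peer priority 100
  preempt
  associate-context web-tier
  inservice
!
! Check that all three agree on the same chassis:
!   show standby brief       (MSFC: Active for group 1 on dc-agg-1)
!   show failover            (FWSM: Group 1 Active on This host)
!   show ft group detail     (ACE: My State FSM_FT_STATE_ACTIVE)
```

The preempt delays matter: HSRP, the FWSM group and the ACE group all return to dc-agg-1 after it reboots, and if they do so at different moments the flows ping-pong across the inter-switch link during the transition, which is the symptom the slide is trying to avoid.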
Services Layer: Security and Optimization Appliances
IPS Appliances:
Inline-on-a-stick: VLAN pairs mapped on the sensor (server-side VLANs and service-side VLANs); VLAN pairs mapped to a virtual sensor
ACE XG / AVS:
Full proxy insertion
Future integration with ACE SLB
WAAS:
MSFC WCCPv2 redirection
ACE SLB redirection
MAC-sticky
(diagram: server-side VLANs 10, 11 and 12 paired with service-side VLANs 100, 110 and 120)
IPS Insertion: External Appliances or Catalyst 4x IDSM-2 Bundle
Inline Interface Pair Mode (aka "on a stick")
VLANs from servers terminate on the IPS sensor via a dot1q trunk
VLAN pairs are mapped on the sensor: server-side VLANs paired with service-side VLANs
Service-side VLANs are switched to the appropriate service module (virtual firewall, virtual SLB/SSL)
(diagram: IPS on a dot1q trunk bridging server-side VLANs to service-side VLANs 110 and 120)
Inline VLAN Group Mode
Cisco IPS appliance put inline between CORE and AGGREGATION
Sensors put inline to monitor traffic carried on dot1q VLAN trunks
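An added example, not from the deck, of the inline interface pair ("on a stick") insertion described above, with both halves of the configuration: the Catalyst 6500 trunk to the sensor and the Cisco IPS 6.x sensor CLI that pairs the VLANs and assigns the pair to a virtual sensor. VLAN 10 (server side), VLAN 110 (service side), the port numbers and the module slot are assumptions.

```cisco
! ---- Catalyst 6500 switch side ----
! Server-side VLAN 10 and service-side VLAN 110 are both trunked to the sensor.
! Nothing else bridges or routes between them, so every server packet has to
! cross the sensor to reach the FWSM/ACE, which live on VLAN 110 only.
vlan 10
 name web-server-side
vlan 110
 name web-service-side
!
interface GigabitEthernet2/1
 description IPS sensing port (assumed)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,110
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 ! The sensor bridges 10 <-> 110 transparently, so the switch would see its own
 ! BPDUs return on the other VLAN; filtering is assumed safe because no other
 ! Layer 2 path exists between the two VLANs.
 spanning-tree bpdufilter enable
!
! Service side: the firewall context is given VLAN 110, never VLAN 10
firewall vlan-group 10 110
firewall module 3 vlan-group 10
!
! ---- Cisco IPS 6.x sensor CLI (lines starting with ! are annotations) ----
! Pair the two VLANs on the sensing port: frames arriving tagged 10 leave
! tagged 110 and vice versa, after inspection.
service interface
physical-interfaces GigabitEthernet0/1
admin-state enabled
subinterface-type inline-vlan-pair
subinterface 1
description web tier: server VLAN 10 <-> service VLAN 110
vlan1 10
vlan2 110
exit
exit
exit
exit
!
! Give the pair its own virtual sensor so this tier (or this customer) can run
! a different signature policy from pairs assigned to other virtual sensors.
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1 subinterface-number 1
exit
exit
! (answer "yes" at the Apply Changes? prompt after returning to the top level)
```

Adding a second tier means a second pair (for example VLAN 11 to 120) on the same sensing port, which is the "second VLAN for mapping" the next slide lists as a con; the pros/cons slide also notes that failover in this mode needs an EtherChannel to two sensors, since a single sensing port is now the only path between the two VLANs.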
IPS Insertion Pros and Cons of each Mode
VLAN Group Mode
Pros
No Vlan changes required at the CORE or AGGREGATION Layers
Existing Failover design maintained (Flex-Links)
Monitor Inter-Vlan traffic
Cons
All traffic is monitored, no ability to select by VLAN
Re-cabling required for Sensors
NO Per VLAN IPS-Policy
Inline Interface Pair Mode
Pros
Select traffic by Vlan to be monitored by sensor
No inline cabling between CORE and Aggregation
Monitor Inter-Vlan traffic
Cons
IPS monitored Vlans require second Vlan for mapping
Failover requires Etherchannel to 2 IPS Sensors
NO Per VLAN IPS-Policy
DDoS Services
Goal: move mitigation above the Core
Detection: NetFlow at the Internet Edge
Detectors synching with Guards drives interest
SPs have an MPLS/IP backbone for interconnect
DDoS services not in the Data Center; services moved to the Peering/Transit Edge
Service modules solve bandwidth scaling, but add new requirements to the hosting chassis:
Diversion and injection
CEF load balancing
Multiple blade support
Management
Storm Control required at Access Layer switches: when a server goes offline, broadcast traffic can bring the switch to its knees
(diagram: DC Core, L3 Edge, Aggregation and Access layers)
Infrastructure Security: Management-Plane Best Practices
Secure and segment in-band and out-of-band management communications with IPsec, SSH, SSL
Encrypt stored password and key information
Employ remote-access filters allowing only trusted hosts and protocols and restricting all other traffic
Employ AAA services: TACACS+ for internal operations
Log changes made to the actual device and the device's configuration
File-system integrity checks and backup and recovery services
The 6500 does provide challenges: no dedicated Management-Plane Protection (yet)
(diagram: AAA via a TACACS+ server or the local database; encryption via SSH, SCP, IPsec; filters via VTY ACLs)
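An added configuration example, not from the deck, of the management-plane practices listed above on a Catalyst 6500 running IOS 12.2SX. The 10.255.0.0/24 out-of-band management block, the TACACS+ and syslog server addresses, the hostname and the encrypted key strings are placeholders. Since the 6500 has no Management-Plane Protection feature, the VTY access-class and the CoPP policy (covered under control-plane practices) are what stand in for it.

```cisco
! Catalyst 6500, IOS 12.2SX. Management block 10.255.0.0/24, TACACS+ at
! 10.255.0.10, syslog at 10.255.0.20, Loopback0 as source (all assumed).
hostname dc-agg-1
ip domain-name dc.example.com
!
! Encrypt stored passwords and keys; no type-0 secrets in the config
service password-encryption
enable secret 5 $1$assumed$hash
username netops privilege 15 secret 5 $1$assumed$hash
!
! AAA: TACACS+ for login, exec and command authorization and accounting,
! local fallback only when every TACACS+ server is unreachable
aaa new-model
tacacs-server host 10.255.0.10 key 7 assumed-encrypted-key
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Remote-access filter: only the OOB management block reaches the VTYs,
! and only over SSH (Telnet is disabled by omission from transport input)
ip access-list standard MGMT-HOSTS
 permit 10.255.0.0 0.0.0.255
 deny   any log
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip scp server enable
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
 logging synchronous
!
! Configuration change logging: who typed what, sent to syslog, keys hidden
archive
 log config
  logging enable
  logging size 500
  notify syslog
  hidekeys
!
logging host 10.255.0.20
logging trap informational
logging source-interface Loopback0
service timestamps log datetime msec localtime show-timezone
!
! SNMP: read-only, from the management block only, no default community names
access-list 10 permit 10.255.0.0 0.0.0.255
snmp-server community assumed-ro-string RO 10
!
! One-time exec steps (not stored in the config):
!   crypto key generate rsa general-keys modulus 2048     (SSH host key)
!   verify /md5 sup-bootdisk:<image-file>                 (image integrity check)
!   copy running-config scp://netops@10.255.0.20/dc-agg-1.cfg   (backup over SCP)
```

The `deny any log` at the end of MGMT-HOSTS is deliberate: every rejected VTY connection becomes a syslog line with the source address, which is the first signal of someone probing the management plane from a host that should not be able to reach it.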
Infrastructure Security: Control-Plane Best Practices
6500 and 7600 IOS
Catalyst 6500 nodes: MLS rate-limiters; rate-limit traffic punted to the CPU
Catalyst 6500 and 7600 IOS nodes: Control-Plane Policing; classify and police traffic classes destined to the CPU
12k IOS-XR
IP/MPLS Edge, IOS-XR nodes: Dynamic Control-Plane Policing and Local Packet Transport Services (LPTS); selectively filter packets with IP options set
CORE to MPLS/IP Edge
Neighbor authentication: OSPF, IS-IS and BGP neighbor authentication; securely authenticate topology peers before exchanging control-plane traffic
OSPF, IS-IS and BGP route-maps and prefix-lists; control the information transmitted and received between neighboring peers
ACCESS Layer Edge
Layer 2 data-plane filters: BPDU filtering, spanning-tree security, storm control, port control; secure the Layer 2 edge to protect the control planes of upstream devices and control unknown broadcast and multicast traffic.
6500/7600 Hardware Based Control-Plane Protection
(diagram: traffic destined to the MSFC CPU passes through hardware control-plane policing on each DFC3/PFC3 line card, then through software control-plane policing on the CPU)
Each line card processes the CoPP policy and rate-limits independently.
The aggregate traffic that makes it through all LCs is then processed again by centralized SW CoPP. The aggregate traffic hitting SW CoPP can be N times larger than the configured rate limit, where N is the number of DFCs/PFCs.
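An added example, not from the deck, of the 6500/7600 control-plane protections covered by the two slides above: MQC-based CoPP applied to the control-plane interface, hardware MLS rate limiters for the punts CoPP cannot classify, and neighbor authentication plus prefix filtering on the routing peers. Peer addresses, prefixes, rates and key strings are assumptions. Because each DFC/PFC enforces the policy independently, the software CoPP on the MSFC may still receive up to N times the configured rate, so the rates below are sized for that worst case rather than for a single line card.

```cisco
! Catalyst 6500 / 7600, IOS 12.2SX
!
! 1. Classify what may legitimately reach the route processor
ip access-list extended COPP-ROUTING
 remark BGP and OSPF, from the configured peer only
 permit tcp host 10.0.0.2 host 10.0.0.1 eq bgp
 permit tcp host 10.0.0.2 eq bgp host 10.0.0.1
 permit ospf 10.0.0.0 0.0.0.255 any
ip access-list extended COPP-MANAGEMENT
 remark SSH, SNMP, NTP and TACACS+ replies, management block only
 permit tcp 10.255.0.0 0.0.0.255 any eq 22
 permit udp 10.255.0.0 0.0.0.255 any eq snmp
 permit udp host 10.255.0.30 eq ntp any eq ntp
 permit tcp host 10.255.0.10 eq tacacs any
ip access-list extended COPP-UNDESIRABLE
 remark punts the CPU should never have to see, classified so they can be dropped
 permit udp any any eq 1434
 permit tcp any any eq 445
 permit ip any any fragments
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MANAGEMENT
 match access-group name COPP-MANAGEMENT
class-map match-all COPP-UNDESIRABLE
 match access-group name COPP-UNDESIRABLE
!
! 2. Police each class toward the CPU. Routing is "transmit/transmit" so it is
!    measured but never dropped; everything unclassified shares a small budget.
policy-map COPP
 class COPP-ROUTING
  police 2000000 conform-action transmit exceed-action transmit
 class COPP-MANAGEMENT
  police 1000000 conform-action transmit exceed-action drop
 class COPP-UNDESIRABLE
  police 32000 conform-action drop exceed-action drop
 class class-default
  police 500000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! 3. Hardware rate limiters (packets per second, burst) for punt types that
!    CoPP cannot classify because they are punted for a forwarding reason
mls rate-limit unicast ip options 100 10
mls rate-limit all ttl-failure 200 20
mls rate-limit unicast cef glean 100 10
mls rate-limit unicast ip icmp unreachable no-route 100 10
!
! 4. Authenticate neighbours and filter prefixes before trusting their updates
router ospf 1
 area 0 authentication message-digest
 passive-interface default
 no passive-interface TenGigabitEthernet1/1
interface TenGigabitEthernet1/1
 ip ospf message-digest-key 1 md5 7 assumed-encrypted-key
!
router bgp 65001
 neighbor 10.0.0.2 remote-as 65002
 neighbor 10.0.0.2 password 7 assumed-encrypted-key
 neighbor 10.0.0.2 prefix-list FROM-CORE in
 neighbor 10.0.0.2 prefix-list TO-CORE out
ip prefix-list FROM-CORE seq 5 permit 0.0.0.0/0
ip prefix-list TO-CORE seq 5 permit 203.0.113.0/24
!
! Verify:  show policy-map control-plane     (software CoPP counters per class)
!          show mls rate-limit               (hardware limiter hits)
```

Watch the class-default counters in `show policy-map control-plane` for a few days before tightening: anything you forgot to classify (for example a monitoring protocol from an address outside the management block) lands there, and with the N-times effect on a chassis full of DFCs the software policer can drop traffic that every line card individually let through.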
Infrastructure Security: Data-Plane Best Practices
Data-plane ACLs: filter illegitimate traffic
IP/MPLS Edge: Layer 3 ACLs; Infrastructure ACLs (iACLs)
Layer 2: VLAN ACLs (VACLs) and Storm Control
Data-plane QoS treatment: classify and apply traffic policies to each class
IP/MPLS Edge: color and police IP traffic destined to Data Center resources
Access Layer: color traffic based on Layer 2 CoS or Layer 3 ToS
Aggregation and Core Layer: police and implement congestion avoidance mechanisms: LLQ, WRR, WRED, scavenger queues
Traffic monitoring: SNMP interface and traffic counters, NetFlow v9 analysis and data export, device CPU and memory thresholds; monitor network usage and detect anomalies
Edge Packet Filtering
Internet Edge
Block known BAD packets: RFC 1918 and bogon blocks
Service Edge (Aggregation Layer)
IP and TCP checks for malformed packets (FWSM and ACE)
Server Edge (Access Layer)
VLAN ACLs
Private VLANs: filter at the gateway address (SVI ACL or FWSM VLAN)
ARP ACLs
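An added example, not from the deck, of filtering at two of the three edges listed: an ingress ACL on the Internet edge router that drops RFC 1918 and other never-routable sources, blocks spoofed copies of the data center's own prefix and keeps outsiders off infrastructure addresses, and a VLAN ACL on the web-tier VLAN at the server edge. The public prefixes are RFC 5737 documentation ranges standing in for real ones; 10.1.100.0/24 (web tier), 10.1.200.0/24 (app tier), 10.255.0.0/24 (management) and the interface names are assumptions. Only the statically never-routable blocks are listed; a full bogon list changes over time and is fed from a routing source rather than typed into an ACL.

```cisco
! ---- Internet edge router (IOS) ----
ip access-list extended INTERNET-IN
 remark --- RFC 1918 and other sources that are never valid on the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 remark --- anti-spoofing: our own public block (203.0.113.0/24, assumed) never arrives from outside
 deny   ip 203.0.113.0 0.0.0.255 any
 remark --- infrastructure ACL: only the upstream peer may talk to link/loopback addresses
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 deny   ip any 198.51.100.0 0.0.0.3
 deny   ip any 203.0.113.240 0.0.0.15
 remark --- transit to the data center; malformed packets are left to FWSM/ACE normalisation
 permit ip any 203.0.113.0 0.0.0.255
 deny   ip any any
!
interface GigabitEthernet0/0
 description upstream ISP, 198.51.100.0/30 link (assumed)
 ip address 198.51.100.2 255.255.255.252
 ip access-group INTERNET-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! ---- Server edge (Catalyst 6500 aggregation): VLAN ACL on the web tier ----
! A VACL sees bridged traffic inside VLAN 100 that a router ACL on the SVI or
! on the FWSM never does. Non-IP frames (ARP) match no sequence and are forwarded.
ip access-list extended WEB-TIER-ALLOWED
 permit tcp any 10.1.100.0 0.0.0.255 eq 80
 permit tcp any 10.1.100.0 0.0.0.255 eq 443
 permit tcp 10.1.100.0 0.0.0.255 eq 80 any established
 permit tcp 10.1.100.0 0.0.0.255 eq 443 any established
 permit tcp 10.1.100.0 0.0.0.255 10.1.200.0 0.0.0.255 eq 8080
 permit tcp 10.1.200.0 0.0.0.255 eq 8080 10.1.100.0 0.0.0.255 established
 permit tcp 10.255.0.0 0.0.0.255 10.1.100.0 0.0.0.255 eq 22
 permit tcp 10.1.100.0 0.0.0.255 eq 22 10.255.0.0 0.0.0.255 established
 permit udp 10.1.100.0 0.0.0.255 host 10.255.0.30 eq ntp
 permit udp host 10.255.0.30 eq ntp 10.1.100.0 0.0.0.255
ip access-list extended ANY-IP
 permit ip any any
!
vlan access-map WEB-TIER 10
 match ip address WEB-TIER-ALLOWED
 action forward
vlan access-map WEB-TIER 20
 match ip address ANY-IP
 action drop
vlan filter WEB-TIER vlan-list 100
```

The VACL is stateless, which is why every permitted service needs both directions spelled out (the `established` lines); it is a coarse backstop for traffic that stays inside the VLAN, not a replacement for the stateful FWSM in front of it.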
Layer 2 Port Security
What is available at the Access Layer
Low End switches have limited security
2950/2960 – Port-Security, Storm Control, ACLs, 802.1X, NAC
Layer 3 switches have required features, but increase cost per GE
3750 – L3 ACLs, Private VLAN, DAI, IP Source Guard
4948 – VACLs, Netflow
Blade switches have required features
CBS – L3 ACLs, Private VLAN, DAI, IP Source Guard
AND VLAN Aware Port Security – Shut down VLAN not entire port
Access Layer Security: ARP Poisoning and Anti-Spoofing
In a Data Center, DHCP is not likely
Static bindings for IP Source Guard (a lot of typing for a large-scale DC)
DAI: prevent MITM attacks
Static ARP ACLs
IP Source Guard: prevent IP and MAC spoofing
Aggregation
DAI and IP Source Guard at the Aggregation layer
Features enabled at the Aggregation Layer
No DAI at the Access layer leaves ARP traffic local to the access switch (ARP broadcasts) uninspected
ARP ACLs can be used to deny server-to-server traffic between Access layer switches
Block MITM and spoofing between switches
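An added example, not from the deck, of the access-layer features on the two preceding slides configured together on a Catalyst 3750; VLAN 100, the 10.1.100.0/24 addresses, the MAC addresses and the port numbers are placeholders. With no DHCP, both Dynamic ARP Inspection and IP Source Guard are driven entirely by static entries, which is the "lot of typing" the slide warns about: one ARP ACL line and one source binding per server.

```cisco
! Catalyst 3750 access switch, IOS 12.2
!
! 1. Static IP-to-MAC truth for the web tier (one line per server)
arp access-list WEB-TIER-ARP
 permit ip host 10.1.100.11 mac host 0011.2233.4401
 permit ip host 10.1.100.12 mac host 0011.2233.4402
!
! 2. Dynamic ARP Inspection on the server VLAN, fed only by the static list.
!    "static" means: drop anything not in the ACL instead of falling back to
!    the DHCP snooping table. A spoofed reply claiming to be the gateway never
!    leaves the port it came in on.
ip arp inspection vlan 100
ip arp inspection filter WEB-TIER-ARP vlan 100 static
ip arp inspection validate src-mac dst-mac ip
ip arp inspection log-buffer entries 256
!
! 3. IP Source Guard reads the snooping binding table; with no DHCP server the
!    table is populated purely by these static entries.
ip dhcp snooping
ip dhcp snooping vlan 100
ip source binding 0011.2233.4401 vlan 100 10.1.100.11 interface GigabitEthernet1/0/1
ip source binding 0011.2233.4402 vlan 100 10.1.100.12 interface GigabitEthernet1/0/2
!
! 4. Server-facing ports: one MAC each, IP+MAC verified, no BPDUs, storms capped
interface GigabitEthernet1/0/1
 description web-01 (assumed)
 switchport access vlan 100
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4401
 switchport port-security violation restrict
 ip verify source port-security
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description web-02 (assumed)
 switchport access vlan 100
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4402
 switchport port-security violation restrict
 ip verify source port-security
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! 5. Uplink to aggregation: the only port trusted for ARP and DHCP inspection
interface GigabitEthernet1/0/49
 description uplink to dc-agg-1 (assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100
 ip arp inspection trust
 ip dhcp snooping trust
!
! Verify:  show ip arp inspection vlan 100
!          show ip verify source
!          show port-security interface GigabitEthernet1/0/1
```

On the aggregation Catalyst 6500 the same `arp access-list` and `ip arp inspection vlan 100` commands apply with the access-facing trunks left untrusted, which is how the slide's "ARP ACLs at the Aggregation layer" deny server-to-server ARP between two access switches while the ARP that stays local to one switch is covered by the access-layer DAI shown here.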
Visibility in the Data Center
2 Applications for NetFlow
Billing – v8 aggregate Mode
DDoS – v5 or v9 sampled Mode
MQC MIBs being used to monitor traffic usage in Bytes
Service Modules add Layers of Visibility
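An added example, not from the deck, of the two NetFlow uses listed above configured on an IOS router at the Internet edge, where the DDoS slide placed detection: a sampled v9 export of everything arriving from the Internet for the DDoS detector, and a v8 destination-prefix aggregation cache of the same traffic for billing. Collector addresses, the sampling rate and the interface names are assumptions; a Catalyst 6500 exports hardware (PFC) flows with its own `mls` commands rather than the software cache shown here.

```cisco
! IOS router, Internet edge. Collectors at 10.255.0.40 (DDoS) and 10.255.0.41
! (billing), Loopback0 as export source (all assumed).
!
! Main cache: v9 export, one-minute active timeout so a flood is visible
! to the detector within a minute of starting rather than at flow end
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 10.255.0.40 2055
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
!
! 1-in-100 random sampling keeps the router CPU honest at high rates while
! still exposing the volumetric shape of an attack (many flows, few packets each)
flow-sampler-map DDOS-SAMPLER
 mode random one-out-of 100
!
interface GigabitEthernet0/0
 description upstream ISP (assumed)
 flow-sampler DDOS-SAMPLER
!
! Aggregation cache: pre-summarised per destination prefix (what a hosting
! customer owns), exported as v8 to the billing collector
ip flow-aggregation cache destination-prefix
 cache timeout active 5
 export destination 10.255.0.41 9996
 export version 8
 enabled
!
! On-box sanity checks while the collector is being built:
!   show ip cache verbose flow | include 445     (who is hitting port 445)
!   show ip flow export                          (datagrams sent per collector)
!   show ip cache flow aggregation destination-prefix
```

The split matters for the DDoS case: the billing cache deliberately loses ports and source addresses, so it cannot show the port 445 spike of the CS-MARS example on the next slide, while the sampled full-flow export can.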
Anomaly Detection with CS-MARS
(figure: CS-MARS dashboard "top destination ports" report from Sunday AM through Monday PM; pre-virus activity, then the actual virus hit as a spike on port 445)
Front-End IP Access Layer
"Content Routing": Global Site Selection
Application and Database Layer
"Content Switching": Load Balancing
"Server Clustering": High Availability
"Application Acceleration": Optimized Performance
"Security": Application
Backend SAN Extension
"Storage" & "Optical": Data Mirroring and Replication
Cisco Secure Data Center Architecture
Detect and mitigate threats that pose a risk to availability, confidentiality and integrity
Secure both physical and logical boundaries of the Data Center network
Consolidate and compartmentalize services (advanced virtualization)
Proactively adapt to new threats (application layer attacks targeted at Web 2.0 applications and tools are increasing)
Scale to meet challenging service levels of the network and application(s)
Meet regulatory and business continuance requirements
(diagram: DC Access with blade chassis and integrated switches, server virtualization (Xen, VMware), HPC, ToR and EoR, server NIC teaming; DC Aggregation; DC Core; DC IP/MPLS Edge; DC Interconnect over regional metro SONET/SDH, CWDM/DWDM and long-haul; SANs)
http://www.cisco.com/go/safe (SAFE Architecture)
http://www.cisco.com/go/srnd (Solution Reference Network Design)
Common Points of Interest
Firewall Security Services
ACE vs FWSM
Service Modules vs Appliances
IOS Security vs Module/Appliance security
Common Points of Interest: Technology Comparisons
ACE 1.4:
Syslog performance: connections logged in the fast path; log forwarding to the Supervisor
Fault-tolerant probes; FT per context (active or standby)
Bandwidth resource control per context
Route Health Injection: dynamically announce availability of hosts
Higher scale: BW, connections, fabric interconnect, ACLs, NAT
TCP/IP normalization done in hardware
FWSM 3.1:
Firewall logging (log per ACL, log denied connections, filtering)
ACL and NAT: object groups, Policy NAT, time-based ACLs
Resource management CLI allows an absolute maximum to be defined
More application inspections
Industry firewall certification
OS dedicated to security
Both provide:
Stateful inspection
MCP CLI
Virtualization with resource management
Common Points of Interest: Effectively Positioning Technologies
ACE provides scalable SECURE server load balancing
Security services meant to protect servers (ACLs, NAT, SSL)
Insertion close to servers
FWSM provides scalable firewall services
Virtualization allows for consolidation in Data Centers
Consistent firewall features expected from experience with ASA and PIX
Industry certified as a firewall
Neither provides a 100% "perfect solution"
Together, scaling complex server environments:
ACE secures the server entrance
FWSM secures backend transactions
Services chained by the Sup720
Service Modules vs Appliances
Appliances still have a use in security services:
Special purpose appliances: IPS, XML, application
Appliances dedicated to a customer
Operational separation: OS updates, reboots
Compared to FWSM or ACE, the limiting factor is VLANs:
ASA (10 and 5 G) support 250
FWSM: 1k
ACE: 2k
Requirement to consolidate physical resources into 10GE switching
ACE and FWSM provide means to reduce cooling, power, real estate
Appliances require more of
Key Takeaways
DC consolidation and virtualization optimize DC performance and efficiency
Security considerations for the Data Center must address:
Business Continuity
Regulatory Compliance
Mitigating risk to service availability, service integrity and service confidentiality
Secure Data Center designs leverage breadth and depth of defense
Services Layer design is critical to delivery of virtualized security services
Differentiate technologies based on customer requirements and placement within the Data Center
Deliver Secure Data Center designs based on:
Scalable network
Agile services
High availability
Validated approach
More information
http://www.cisco.com/go/safe (SAFE Architecture)
http://www.cisco.com/go/srnd (Solution Reference Network Design)