security and virtualization in the data center

Upload: cisco-canada

Post on 08-Jan-2017

Page 1: Security and Virtualization in the Data Center

Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 1

Security and Virtualization in the Data Center
Ronnie Scott - CCIE 4099
T-DC-13-I

May 19th 2016

In collaboration with

Page 2: Security and Virtualization in the Data Center

Housekeeping notes

Thank you for attending Cisco Connect Toronto 2016. Here are a few housekeeping notes to ensure we all enjoy the session today.

• Please ensure your cellphones / laptops are set on silent to ensure no one is disturbed during the session

Page 3: Security and Virtualization in the Data Center

Agenda

The New Security Landscape

Defense By Design

Bringing The Big Guns

Conclusion

Page 4: Security and Virtualization in the Data Center


Page 5: Security and Virtualization in the Data Center

Data Center Security Challenges

PROVISIONING | SCALABILITY | PROTECTION

• Simplify and unify security solutions
• Evolve while maintaining security and compliance
• Stay ahead of evolving threats

• 95% of firewall breaches caused by misconfiguration*
• 12% YoY growth of devices 2014-2019
• Over 100K new threats per day

* Greg Young, Gartner Inc

Page 6: Security and Virtualization in the Data Center

Attacker Profiles

Organized Crime
• Out to make money
• Needs organization to stay profitable
• Typically smash-and-grab style or drive-by

Graffiti and Activism
• Attack you for fame
• To make a point
• Can be a nuisance
• Can also draw unwanted attention

State Sponsored Cyber Warfare
• Extremely advanced
• Companies are generally at a disadvantage
• Hard to defend
• Atypical

Espionage
• Somewhere between Organized Crime and Military
• Could be state sponsored
• Replicating Intellectual Property
• Gain human intelligence

Page 7: Security and Virtualization in the Data Center

The Big 5 - 2016
Kim Zetter – Wired Magazine, Jan 1, 2016

• Extortion
• Data Manipulation
• Card Not Present
• IOT Zombies
• Backdoors

Page 8: Security and Virtualization in the Data Center

Page 9: Security and Virtualization in the Data Center

Page 10: Security and Virtualization in the Data Center

Page 11: Security and Virtualization in the Data Center

Page 12: Security and Virtualization in the Data Center

Page 13: Security and Virtualization in the Data Center

The Server Is Virtualized

• One Server - Multiple Guests

• Hypervisor abstraction hides hardware

• Partitioned system resources

• Application & OS encapsulation

Page 14: Security and Virtualization in the Data Center

Workload labels: Financials, CRM, Exchange, ERP, Oracle, SAP

Page 15: Security and Virtualization in the Data Center

Common Virtualization Concerns

• Physical Tools in a Virtual World
• Operations and Management Obfuscation
• Changes in Roles and Responsibilities
• Machine and Application Segmentation

Diagram labels: Hypervisor; Initial Infection; Secondary Infection

Page 16: Security and Virtualization in the Data Center

Page 17: Security and Virtualization in the Data Center

Page 18: Security and Virtualization in the Data Center

Page 19: Security and Virtualization in the Data Center


Back to the basics … Ships in the night

Page 20: Security and Virtualization in the Data Center


Cisco SAFE

Page 21: Security and Virtualization in the Data Center


The VMDC Architecture

Page 22: Security and Virtualization in the Data Center


Page 23: Security and Virtualization in the Data Center


Page 24: Security and Virtualization in the Data Center

But what our customers want…

Page 25: Security and Virtualization in the Data Center


…is the vision on the box.

(Not the one on the carpet)

Page 26: Security and Virtualization in the Data Center


SAFE Simplifies the Security Conversation One Step at a Time

Capability Phase → Architecture Phase → Design Phase

Page 27: Security and Virtualization in the Data Center

Break the Network into Domains: Security Domains per PIN (Place in the Network)

PINs: WAN, Branch, Campus, Data Center, Edge

Page 28: Security and Virtualization in the Data Center

Mapping The Problem

Diagram labels: DC Core; WAN / Campus Core; Campus; Branch (Site 1, Site 2); Edge; App 1 (Web, App, DB); App 2 (Web, App); Shared Services (DNS, DHCP, SQL, SLB)

Page 29: Security and Virtualization in the Data Center

Business Requirements Per Domain
When done, try to rank by importance

Data Center
• Protect Customer Data
• Must be easy to operationalize
• Support Role-based Network Segmentation
• Measurable Security Increase

Example: PCI Domain at Branch Office

Page 30: Security and Virtualization in the Data Center

Identify the Threats, Risks, and Policy
Also, identify the mitigating capabilities that should be considered

Data Center Domain
• Policy: Role-based Network Segmentation
• Risk: Lateral Spread of Breach
• Threat: Exploitation of Trust

Example: PCI Domain at Branch Office

Page 31: Security and Virtualization in the Data Center


Security Capabilities Design

Page 32: Security and Virtualization in the Data Center

Security Capabilities Design Example

1. No Products
2. Vendor-agnostic

Diagram labels:
Zones: Shared Services Zone; App Server Zone; PCI Compliance Zone; Database Zone
Capabilities: Access Control + TrustSec; Next-Gen Intrusion Prevention System; Flow Analytics; Host-based Security; Load Balancer; Firewall; Anti-Malware; Threat Intelligence; Web Application Firewall; L2/L3 Network (Switch); Next-Generation Firewall; Router; Firewall VPN; Virtualized Capabilities
Centralized Management: Policy/Configuration; Visibility/Context; Analysis/Correlation; Analytics; Logging/Reporting; Threat Intelligence; Vulnerability Management; Monitoring
Connections: To Campus; To Edge; WAN

Page 33: Security and Virtualization in the Data Center

Security Capabilities Design Example

3. Identify existing capabilities
4. What are common missing capabilities?

Diagram: the same zones and capabilities as on Page 32

Page 34: Security and Virtualization in the Data Center

Interconnected Enclaves

Enclave (shown three times): Web Group (Web Servers), App Group (App Servers), DB Group (DB servers); Inter-Zone Firewall; Intra-Zone Firewalls
Rules: Permit TCP/80 (HTTP); Permit TCP/22 (SSH); Permit Web to App; Permit App to DB; Deny All
Other labels: BBI; Data Center Core; DMZ; Campus; ACLs/Firewall; AMP or IDS

Page 35: Security and Virtualization in the Data Center

Shared Services

Enclave (shown three times): Web Group (Web Servers), App Group (App Servers), DB Group (DB servers); Inter-Zone Firewall; Intra-Zone Firewalls
Rules: Permit TCP/80 (HTTP); Permit TCP/22 (SSH); Permit Web to App; Permit App to DB; Deny All
Other labels: Data Center Core; Backup Server; Inter-Zone Firewall; Permit TCP/5000-5010

Page 36: Security and Virtualization in the Data Center
Page 37: Security and Virtualization in the Data Center
Page 38: Security and Virtualization in the Data Center
Page 39: Security and Virtualization in the Data Center

Inside The Enclave

Enclave: Web Group (Web Servers), App Group (App Servers), DB Group (DB servers); Inter-Zone Firewall; Intra-Zone Firewalls
Rules: Permit TCP/80 (HTTP); Permit TCP/22 (SSH); Permit Web to App; Permit App to DB; Deny All
Other labels: User; Perimeter Firewall; AMP or IPS; SLB; WAAS

Page 40: Security and Virtualization in the Data Center

Architecture Phase
Assign capabilities to devices

Page 41: Security and Virtualization in the Data Center

Building the Solution
Lower-level designs with the details

Page 42: Security and Virtualization in the Data Center

Physical vs. Virtualized

Enclave (shown four times): Web Group (Web Servers), App Group (App Servers), DB Group (DB servers); Intra-Zone Firewalls
Rules: Permit TCP/80 (HTTP); Permit TCP/22 (SSH); Permit Web to App; Permit App to DB; Deny All

Page 43: Security and Virtualization in the Data Center

Virtualized vs. Virtualization

Enclave (shown four times): Web Group (Web Servers), App Group (App Servers), DB Group (DB servers); Intra-Zone Firewalls
Rules: Permit TCP/80 (HTTP); Permit TCP/22 (SSH); Permit Web to App; Permit App to DB; Deny All

Page 44: Security and Virtualization in the Data Center

Cloud Provisioning Stack

Automation and Orchestration

Enclave (shown four times): Web Group (Web Servers), App Group (App Servers), DB Group (DB servers); Inter-Zone Firewall; Intra-Zone Firewalls
Rules: Permit TCP/80 (HTTP); Permit TCP/22 (SSH); Permit Web to App; Permit App to DB; Deny All

Self-Service, Orchestration, Automation

Page 45: Security and Virtualization in the Data Center


Page 46: Security and Virtualization in the Data Center

Security Solutions Strategic Imperatives

Visibility-Driven: Network-Integrated, Broad Sensor Base, Context and Automation
Threat-Focused: Continuous Advanced Threat Protection, Cloud-Based Security Intelligence
Platform-Based: Agile and Open Platforms, Built for Scale, Consistent Control, Management

Network, Endpoint, Mobile, Virtual, Cloud

Page 47: Security and Virtualization in the Data Center

Layer 2 Segmentation
PVLANs for Physical and Virtual Isolation

• Isolate VMs in shared Layer 2 subnet
• Limit communication to Layer 3 gateway
• ACLs block unwanted communication

Diagram labels: Web-zone; Fileserver-zone; Application-zone; Hypervisor; UCS; Nexus 1000V; Nexus 7000 (VRF); .1Q Trunk; Primary VLAN 20; Isolated VLAN 100; Isolated VLAN 200; Community VLAN 300
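An added example (not Cisco's code) that models the PVLAN forwarding rules on this slide: hosts on the isolated secondary VLANs reach only the promiscuous gateway port, community hosts also reach each other, and a validation pass catches a port attached to a secondary VLAN of the wrong type. The zone-to-VLAN mapping and the port names are assumptions.

```python
"""Private VLAN reachability model for the Layer 2 segmentation design above.
Added example, not Cisco code; zone-to-VLAN mapping and port names are assumptions."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Tuple

PRIMARY_VLAN = 20
# Secondary VLANs as labelled on the slide: two isolated, one community.
SECONDARY_VLANS: Dict[int, str] = {100: "isolated", 200: "isolated", 300: "community"}


@dataclass(frozen=True)
class Port:
    name: str
    mode: str   # "promiscuous", "isolated" or "community"
    vlan: int   # primary VLAN for a promiscuous port, secondary VLAN otherwise


# Constructed port inventory. The Layer 3 gateway (VRF on the Nexus 7000) sits on a
# promiscuous port; which zone lives in which secondary VLAN is assumed here.
PORTS: Dict[str, Port] = {
    "gateway": Port("gateway", "promiscuous", PRIMARY_VLAN),
    "web1": Port("web1", "isolated", 100),      # Web-zone
    "web2": Port("web2", "isolated", 100),
    "files1": Port("files1", "isolated", 200),  # Fileserver-zone
    "app1": Port("app1", "community", 300),     # Application-zone
    "app2": Port("app2", "community", 300),
}


def validate_ports(ports: Dict[str, Port] = PORTS) -> List[str]:
    """Configuration check: a port's mode must match the type of the VLAN it carries."""
    problems = []
    for p in ports.values():
        if p.mode == "promiscuous":
            if p.vlan != PRIMARY_VLAN:
                problems.append(f"{p.name}: promiscuous port not in primary VLAN {PRIMARY_VLAN}")
        elif SECONDARY_VLANS.get(p.vlan) != p.mode:
            kind = SECONDARY_VLANS.get(p.vlan, "unknown")
            problems.append(f"{p.name}: {p.mode} port on VLAN {p.vlan} ({kind})")
    return problems


def l2_reachable(src: Port, dst: Port) -> bool:
    """PVLAN forwarding within one primary VLAN, before any ACL at the gateway."""
    if src.mode == "promiscuous" or dst.mode == "promiscuous":
        return True                    # the gateway talks to every host
    if src.mode == "community" and dst.mode == "community":
        return src.vlan == dst.vlan    # same community only
    return False                       # isolated hosts never see each other


def reachability_matrix(ports: Dict[str, Port] = PORTS) -> Dict[str, Dict[str, bool]]:
    names = sorted(ports)
    return {a: {b: l2_reachable(ports[a], ports[b]) for b in names if b != a} for a in names}


def exposed_pairs(ports: Dict[str, Port] = PORTS) -> List[Tuple[str, str]]:
    """Host-to-host paths still open at Layer 2, i.e. traffic that bypasses the gateway ACLs."""
    hosts = [n for n in sorted(ports) if ports[n].mode != "promiscuous"]
    return [(a, b) for a, b in combinations(hosts, 2) if l2_reachable(ports[a], ports[b])]


if __name__ == "__main__":
    print("config problems:", validate_ports())
    for src, row in reachability_matrix().items():
        print(src, "->", [dst for dst, ok in row.items() if ok])
    print("host-to-host paths open at L2:", exposed_pairs())
```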

Page 48: Security and Virtualization in the Data Center

ACI Security
Automated Security With Built In Multi-Tenancy

Embedded Security / Security Automation
• White-list Firewall Policy Model
• RBAC rules
• Hardened CentOS 7.2
• Authenticated Northbound API (X.509)
• Encrypted Intra-VLAN (TLS 1.2)
• Secure Key-store for Image Verification
• Dynamic Service Insertion and Chaining
• Closed Loop Feedback for Remediation
• Centralized Security Provisioning & Visibility
• Security Policy Follows Workloads

Distributed Stateless Firewall
Line Rate Security Enforcement
Open: Integrate Any Security Device
PCI, FIPS, CC, UC-APL, USG-v6
ACI Services Graph

Micro-Segmentation
• Hypervisor Agnostic (ESX, Hyper-V, KVM*)
• Physical, Virtual Machine, Container
• Attribute Based Isolation/Quarantine
• Point and Click Micro-segmentation
• TrustSec-ACI Integration

Encryption
• Link MACSEC
• INS-SEC Overlay Encryption
• MKA, SAP
• GCM-AES-256/128-XPN
• GCM-AES-256/128

Page 49: Security and Virtualization in the Data Center


Segmentation begins with visibility

You can’t protect what you can’t see

Who is on the Network?

And what are they up to?

Page 50: Security and Virtualization in the Data Center

Make Fully Informed Decisions with Rich Contextual Awareness

Context | Poor Context Awareness                              | Extensive Context Awareness
Who     | IP address 192.168.1.51                             | Bob
What    | Unknown                                             | Tablet, iOS, v. 9.1x
Where   | Unknown                                             | Building 200, first floor
When    | Unknown                                             | 11:00 a.m. EST on April 10
How     | Unknown                                             | Wireless
Result  | Any user, any device, anywhere gets on the network  | The right user, on the right device, from the right place is granted the right access

Page 51: Security and Virtualization in the Data Center

Visibility with Cisco Identity Services Engine (ISE)
Discover Known and Unknown in Your Network

Diagram labels: Network / User Context (Who, What, Where, When, How); Partner Context Data; Access Policy; pxGrid

CONSISTENT SECURE ACCESS POLICY ACROSS WIRED, WIRELESS and VPN

Page 52: Security and Virtualization in the Data Center

Flexible and Scalable Policy Enforcement

Switch, Router, DC FW, DC Switch

• Security Control Automation
• Simplified Access Management
• Improved Security Efficacy

Traditional Security Policy:
access-list 102 deny icmp 76.176.66.41 0.255.255.255 lt 278 169.48.105.37 0.0.1.255 gt 968
access-list 102 permit ip 8.88.141.113 0.0.0.127 lt 2437 105.145.196.67 0.0.1.255 lt 4167
access-list 102 permit udp 60.242.95.62 0.0.31.255 eq 3181 33.191.71.166 255.255.255.255 lt 2422
access-list 102 permit icmp 186.246.40.245 0.255.255.255 eq 3508 191.139.67.54 0.0.1.255 eq 1479
access-list 102 permit ip 209.111.254.187 0.0.1.255 gt 4640 93.99.173.34 255.255.255.255 gt 28
access-list 102 permit ip 184.232.88.41 0.0.31.255 lt 2247 186.33.104.31 255.255.255.255 lt 4481
access-list 102 deny ip 106.79.247.50 0.0.31.255 gt 1441 96.62.207.209 0.0.0.255 gt 631
access-list 102 permit ip 39.136.60.170 0.0.1.255 eq 4647 96.129.185.116 255.255.255.255 lt 3663
access-list 102 permit tcp 30.175.189.93 0.0.31.255 gt 228 48.33.30.91 0.0.0.255 gt 1388
access-list 102 permit ip 167.100.52.185 0.0.1.255 lt 4379 254.202.200.26 255.255.255.255 gt 4652
access-list 102 permit udp 172.16.184.148 0.255.255.255 gt 4163 124.38.159.247 0.0.0.127 lt 3851
access-list 102 deny icmp 206.107.73.252 0.255.255.255 lt 2465 171.213.183.230 0.0.31.255 gt 1392

Business Policy: Software Defined Segmentation, Building a Policy Matrix
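The group-based policy that the enclave slides (Permit Web to App, Permit App to DB, Permit TCP/5000-5010 for the Backup Server, Deny All) and this policy-matrix slide describe, as an added example that is not Cisco code: endpoints are classified into groups (statically by subnet, dynamically by an identity binding), each flow is judged group-to-group with Deny All as the default, and the same rules render as the group matrix a reviewer reads instead of IP ACL lines. The subnets, the direction of the backup rule, the User group and "any port" for the Web-to-App and App-to-DB rules are assumptions.

```python
"""Group-based segmentation policy: enclave rules and a TrustSec-style policy matrix.
Added example, not Cisco code; subnets, group names and port choices are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Static classification by subnet (constructed sample values).
SUBNET_GROUPS = [
    (ip_network("10.1.0.0/24"), "Web"),
    (ip_network("10.2.0.0/24"), "App"),
    (ip_network("10.3.0.0/24"), "DB"),
    (ip_network("10.9.0.0/24"), "Backup"),
]
# Dynamic classification: an identity-derived binding of the kind ISE would supply (constructed).
DYNAMIC_BINDINGS: Dict[str, str] = {"192.168.1.51": "User"}


def classify(ip: str) -> str:
    """Security group for an address: dynamic binding first, then subnet, else Unknown."""
    if ip in DYNAMIC_BINDINGS:
        return DYNAMIC_BINDINGS[ip]
    addr = ip_address(ip)
    for net, group in SUBNET_GROUPS:
        if addr in net:
            return group
    return "Unknown"


@dataclass(frozen=True)
class Permit:
    src: str
    dst: str
    proto: str                               # "tcp", "udp" or "any"
    ports: Optional[Tuple[int, int]] = None  # inclusive destination-port range; None = any


# The enclave rules from the slides written group-to-group; anything unmatched is Deny All.
POLICY: List[Permit] = [
    Permit("User", "Web", "tcp", (80, 80)),       # Permit TCP/80 (HTTP)
    Permit("User", "Web", "tcp", (22, 22)),       # Permit TCP/22 (SSH)
    Permit("Web", "App", "any"),                  # Permit Web to App (port unspecified: assumed any)
    Permit("App", "DB", "any"),                   # Permit App to DB (port unspecified: assumed any)
    Permit("DB", "Backup", "tcp", (5000, 5010)),  # Permit TCP/5000-5010 (direction assumed DB -> Backup)
]


def matching_rule(src_group: str, dst_group: str, proto: str, dport: int) -> Optional[Permit]:
    for rule in POLICY:
        if rule.src != src_group or rule.dst != dst_group:
            continue
        if rule.proto not in ("any", proto):
            continue
        if rule.ports is not None and not (rule.ports[0] <= dport <= rule.ports[1]):
            continue
        return rule
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Decide permit/deny for one flow and explain the decision in group terms."""
    sg, dg = classify(src_ip), classify(dst_ip)
    rule = matching_rule(sg, dg, proto, dport)
    if rule is None:
        return "deny", f"{sg}->{dg} {proto}/{dport}: no matching permit, Deny All"
    ports = "any" if rule.ports is None else f"{rule.ports[0]}-{rule.ports[1]}"
    return "permit", f"{sg}->{dg} matches {rule.proto}/{ports}"


def policy_matrix(groups: List[str]) -> Dict[str, Dict[str, str]]:
    """The source-group by destination-group view of POLICY (the slide's policy matrix)."""
    return {s: {d: "permit" if any(r.src == s and r.dst == d for r in POLICY) else "deny"
                for d in groups} for s in groups}


# Constructed flow records (src, dst, proto, dst-port), as a flow collector would export them.
SAMPLE_FLOWS = [
    ("192.168.1.51", "10.1.0.10", "tcp", 80),  # user browsing to a web server
    ("10.1.0.10", "10.2.0.20", "tcp", 8443),   # web tier calling the app tier
    ("10.2.0.20", "10.3.0.30", "tcp", 1433),   # app tier to the database
    ("10.1.0.10", "10.3.0.30", "tcp", 1433),   # web tier reaching straight into the DB
    ("10.3.0.30", "10.9.0.5", "tcp", 5005),    # DB to backup server, inside the range
    ("10.3.0.30", "10.9.0.5", "tcp", 22),      # DB to backup server over SSH
    ("10.1.0.10", "10.1.0.11", "tcp", 22),     # web server to web server (intra-zone)
]


def audit(flows=SAMPLE_FLOWS) -> List[Tuple[str, str]]:
    return [evaluate(*flow) for flow in flows]


if __name__ == "__main__":
    for flow, (decision, why) in zip(SAMPLE_FLOWS, audit()):
        print(f"{decision:6s} {flow} {why}")
    for src, row in policy_matrix(["User", "Web", "App", "DB", "Backup"]).items():
        print(f"{src:7s}", row)
```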

Page 53: Security and Virtualization in the Data Center

TrustSec Components

Classification: User / Endpoint; ISE; Directory
Propagation: Access Switch; Router; DC FW; DC Switch
Enforcement: HR Servers; Fin Servers

Page 54: Security and Virtualization in the Data Center

ISE Dynamically provisions TrustSec Security Groups in APIC-DC

TrustSec Security Groups → ACI External (Outside Fabric) EPGs

TrustSec Security Groups Provisioned in ACI

Page 55: Security and Virtualization in the Data Center

ISE dynamically learns EPGs and VM Bindings from ACI fabric

ACI Internal (Inside Fabric) EPGs (VM1 … VM1000) → Security Group from APIC-DC in the TrustSec Domain

ACI Application Servers are Automatically Propagated to the TrustSec Domain

Page 56: Security and Virtualization in the Data Center

Assigning Security Groups

Dynamic Classification
• 802.1X Authentication
• MAC Auth Bypass
• Web Authentication
→ SGT
Common Classification for Mobile Devices

Static Classification
• IP Address
• VLANs
• Subnets
• L2 Interface
• L3 Interface
• Virtual Port Profile
• Layer 2 Port Lookup
Classification for Servers, Topology-based assignments

Page 57: Security and Virtualization in the Data Center

Nexus 1000V: SGT Assignment in Port Profile

• Port Profile
– Container of network properties
– Applied to different interfaces
• Server Admin assigns Port Profiles
• VMs inherit SGT from port-profile
• SGT bound to the VM

Page 58: Security and Virtualization in the Data Center

Firewall Policy based on SGT

• Security Group definitions from ISE
• Trigger FirePower services by SGT policies
• Can still use Network Object (Host, Range, Network (subnet), or FQDN) AND / OR the SGT

Page 59: Security and Virtualization in the Data Center

Evolution of Firepower and ASA

October 2013: Firepower AND ASA
September 2014: ASA with Firepower Services ON the ASA-5500-X and ASA-5585-X
March 2016: Firepower Threat Defense FOR the ASA-5500-X, FP-4100, and FP-9300

Page 60: Security and Virtualization in the Data Center

Introducing FirePOWER 9300

FirePOWER 9300 Security Appliance
• Ultra High Performance
• High Port Density
• Multi-Services
• Flexible Programmability
• Power Efficiency
• Best in Class Price & Performance Per RU

Page 61: Security and Virtualization in the Data Center

Security Modules

• Two configurations
– SM-36 “Extreme”: 72 x86 CPU cores (up to 80Gbps)
– SM-24 “Enterprise”: 48 x86 CPU cores (up to 60Gbps)
• Dual 800GB SSD in RAID1 by default
• Built-in hardware Smart NIC and Crypto Accelerator
– Hardware VPN acceleration

Page 62: Security and Virtualization in the Data Center

Introducing Virtual Security Gateway

• L2 transparent FW
• Inspection between L2 adjacent hosts
• Uses VMware attributes for policy
• L2 separation for East-West traffic
• One or more VSGs per tenant
• Based on Nexus 1000V vPath

Diagram labels: Virtual Hosts

Page 63: Security and Virtualization in the Data Center

Cisco ASAv Platforms

Cisco® ASAv5: 100 Mbps
Cisco ASAv10: 1 Gbps
Cisco ASAv30: 2 Gbps

• ASA Code Base
• Hypervisor Agnostic
• Lab Edition license

Page 64: Security and Virtualization in the Data Center

Comparing Cisco Virtual Firewalls

Cisco ASAv                                            | Cisco VSG
Layer 2 and 3 modes                                   | Layer 2 mode
Dynamic and static routing                            | No routing
DHCP server and client support                        | No DHCP support
Site-to-site and RA-VPN                               | No IPsec support
CLI and Cisco® ASDM, Cisco Security Manager, and APIC | Cisco Prime NSC
ASA CLI, SSH, and REST API                            | Limited CLI and SSH configuration

Page 65: Security and Virtualization in the Data Center

Firepower Threat Defense (FTD)

Converged ASA+FirePOWER Image
• FirePOWER capabilities + select ASA features
• Firepower Management Center 6.0
• Same subscriptions as FirePOWER Services: Threat (IPS + SI), Malware (AMP + ThreatGrid), URL Filtering
• Delivered via Smart Licensing only

Firepower Threat Defense 6.0

ASA features
• Unified ASA / Firepower Rules and Objects
• ASA Dynamic and Static NAT
• OSPFv2, BGP4, RIP, Static
• Syn Cookies, Anti-Spoofing
• ASA ALGs (fixed configuration)
• VMware and AWS Support
• Smart Licensing Support

Page 66: Security and Virtualization in the Data Center

Cisco StealthWatch System
Network Reconnaissance Using Dynamic NetFlow Analysis

Monitor
• Understand your network normal
• Gain real-time situational awareness of all traffic

Detect
• Leverage Network Behavior Anomaly detection & analytics
• Detect behaviors linked to APTs, insider threats, DDoS, and malware

Analyze
• Collect & Analyze holistic network audit trails
• Achieve faster root cause analysis to conduct thorough forensic investigations

Respond
• Accelerate network troubleshooting & threat mitigation
• Respond quickly to threats by taking action to quarantine through Cisco ISE

* Cisco acquired Lancope Dec ‘15

Page 67: Security and Virtualization in the Data Center

Network as a Sensor
Host Lock Violation and Suspect Data Loss

Diagram labels: Stores; Data Center; POS Terminals; Wireless POS; Wireless AP; C3850 Unified Access; ISR G2 Routers; ASA Firewall; Private WAN (trusted); Hacked Server; Compromised Server; Card Processor; Credit Card Processor; Public Internet; Updates from POS Server (HTTPS); Credit Card Processing (HTTPS); StealthWatch FlowCollector; StealthWatch Management Console; Cisco ISE; Command and Collect

Page 68: Security and Virtualization in the Data Center

AMP Everywhere Deployment
AMP (Advanced Malware Protection) Deployment Options

Email and Web
• Method: License with ESA, WSA, CWS, or ASA customers
• Ideal for: New or existing Cisco CWS, Email / Web Security, ASA customers
• Details: ESA/WSA: Prime visibility into email/web; CWS: web and advanced malware protection in a cloud-delivered service; AMP capabilities on ASA with FirePOWER Services

AMP for Networks (AMP on FirePOWER)
• Method: ASA w/ FP, FP Appliances
• Ideal for: IPS/NGFW customers
• Details: Wide visibility inside network; Broad selection of features - before, during, and after an attack; Comprehensive threat protection and response

AMP for Endpoints
• Method: Install lightweight connector on endpoints
• Ideal for: Windows, Mac, Android, and Linux
• Details: Granular visibility and control; Widest selection of AMP features; Anyconnect delivery

AMP Private Cloud Virtual Appliance
• Method: On-premises Virtual Appliance
• Ideal for: High-Privacy Environments
• Details: Private Cloud option for those with high-privacy requirements; For endpoints and networks

PC/MAC, Mobile, Virtual; Meraki (Soon)

Page 69: Security and Virtualization in the Data Center

OpenDNS Adds to Cisco’s Threat Prevention Portfolio

PRODUCTS & TECHNOLOGIES
• Umbrella (Enforcement): DNS based security service protects any device, anywhere
• Investigate (Intelligence): Discover and predict attacks before they happen

Page 70: Security and Virtualization in the Data Center

Advantages of a DNS-based Solution

ANY OPERATING SYSTEM: Win, Mac, iOS, Android, Linux, ChromeOS, and even network devices and custom operating systems
FAST AND SCALABLE: Extremely efficient query/response method
SIMPLE TO DEPLOY: the network’s DHCP tells every connected device where to point DNS

Page 71: Security and Virtualization in the Data Center


Talos is the industry-leading threat intelligence organization. We detect and correlate threats in real time using the largest threat detection network in the world to protect against known and emerging cyber security threats to better protect your organization.

Page 72: Security and Virtualization in the Data Center

Page 73: Security and Virtualization in the Data Center

Talos Research

Page 74: Security and Virtualization in the Data Center

Cisco Talos Security Intelligence & Research

Diagram labels: IPS Rules; Malware Protection; Reputation Feeds; Vulnerability Database Updates; AEGIS™ Program; Private and Public Threat Feeds; Sandnets; FireAMP™ Community (300,000 detections added per day); Honeypots; Advanced Microsoft and Industry Disclosures; Crete Program (100,000 True Positive Events/Day); Snort and ClamAV Open Source Communities; File Samples (1,100,000 daily); Sandboxing; Machine Learning; Big Data Infrastructure; Threat Grid Community

Page 75: Security and Virtualization in the Data Center


Page 76: Security and Virtualization in the Data Center

Page 77: Security and Virtualization in the Data Center

Page 78: Security and Virtualization in the Data Center

Page 79: Security and Virtualization in the Data Center

www.cisco.com/go/vmdc

www.cisco.com/go/safe

Page 80: Security and Virtualization in the Data Center
Page 81: Security and Virtualization in the Data Center

Thank you.

In collaboration with