threat-centric security for service providers · enabling open & programmable networks...

Sam Rastogi, Service Provider Security Product Marketing, Security Business Group Enabling Open & Programmable Networks Threat-Centric Security for Service Providers September 1, 2015 Bill Mabon, Network Security Product Marketing, Security Business Group


Post on 23-May-2020


Page 1: Threat-Centric Security for Service Providers · Enabling Open & Programmable Networks Threat-Centric Security for Service Providers September 1, 2015 Bill Mabon, ... Profile Benefits:

Sam Rastogi, Service Provider Security Product Marketing, Security Business Group

Enabling Open & Programmable Networks

Threat-Centric Security for Service Providers

September 1, 2015

Bill Mabon, Network Security Product Marketing, Security Business Group

Page 2

2 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Trends: New Opportunities …

The world has gone mobile

Traffic growth, driven by video

Rise of cloud computing

Machine-to-Machine

Changing Customer Expectations

Ubiquitous Access to Apps & Services

10X Mobile Traffic Growth From 2013-2019

Changing Enterprise Business Models

Efficiency & Capacity

Soon to Change SP Architectures/Service Delivery

Emergence of the Internet of Everything

Process, Things, People, Data

[Chart: Petabytes per Month (axis 0 to 120,000), 2013-2018; Internet Video (57%, 75%), Other (43%, 25%); 23% Global CAGR 2013-2018]

New Threats

Dynamic Threat Landscape

Increasing Threat Sophistication

Risks to Service Providers and Their Customers

Page 3

Security for Open & Programmable Networks

Applications & Services

Evolved Programmable Network

Cisco Services

Storage Network Compute

Service Broker

SMART SERVICE CAPABILITIES

OPEN APIs

Security

Evolved Services Platform

Orchestration Engine

Catalog of Virtual Functions

Service Profile

Benefits:
•  New Revenue Streams
•  Increased Business Agility
•  Lower Operating Costs

Cisco Service Provider Architecture

Page 4

Legacy Security: Costly & Complex

Siloed

Inefficient

Manual

Limited integration, security gaps

Hard-coded processes

Over-provisioned, static, and slow

Hinders realization of open and programmable networks

Page 5

Legacy Security: Siloed, Inefficient & Expensive

[Diagram: Data Packet; DDoS Platform, SSL Platform, FW Platform, WAF Platform, IPS Platform, Sandbox Platform; services: SSL, DDoS, WAF, FW, IPS, Sandbox]

Reduced Effectiveness

Increased Latency

Slows Network

Static & Manual

Page 6

Cisco’s Threat-Centric Security Model

Covers the Entire Attack Continuum

BEFORE: Discover, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

Network, Endpoint, Mobile, Virtual, Cloud

Point in Time, Continuous

Security Services:
•  Advanced Malware Protection
•  VPN
•  Firewall
•  NGIPS
•  DDoS
•  Policy Management
•  Application Control
•  Secure Access + Identity Services
•  Malware Sandboxing
•  Web Security
•  Email Security
•  Network Behavior Analysis

Page 7

Operational Efficiency

Integrated Security

Enhanced Agility

High speed, scalable security

Dynamic service stitching

Dynamic provisioning across physical, virtual, and cloud

Automated and consistent security policies

Lower integration costs and complexity

RESTful APIs and 3rd party tool integration

Best of Breed security = Cisco + 3rd party

Security services in a consolidated platform

Visibility and correlation

Threat-Centric Security for Service Providers

Page 8

Firepower 9300 Platform: High-Speed, Scalable Security

Carrier-Class

Modular

Multi-Service Security

Benefits
•  Integration of best-of-breed security
•  Dynamic service stitching

Features*
•  ASA container
•  Firepower Threat Defense containers
•  NGIPS, AMP, URL, AVC
•  3rd Party containers
•  Radware DDoS
•  Other ecosystem partners

Benefits
•  Standards and interoperability
•  Flexible Architecture

Features
•  Template driven security
•  Secure containerization for customer apps
•  RESTful/JSON API
•  3rd party orchestration/management

Benefits
•  Industry Leading Performance / RU
•  600% Higher Performance
•  30% higher port density

Features
•  Compact, 3RU form factor
•  10G/40G I/O; 100G ready
•  Terabit backplane
•  Low latency, Intelligent fastpath
•  NEBS ready

* Contact Cisco for services availability

Page 9

Cisco Transforms Security Service Integration

Siloed

[Diagram: Data Packet; DDoS Platform, SSL Platform, FW Platform, WAF Platform, IPS Platform, Sandbox; services: SSL, DDoS, WAF, FW, IPS, Sandbox]

•  Limited effectiveness
•  Increased latency
•  Slows network
•  Static & Manual

Integrated

[Diagram: Data Packet; Unified Platform: DDoS, FW, WAF, NGIPS, SSL, AMP]

•  Maximum protection
•  Highly efficient
•  Scalable processing
•  Dynamic

Key: Cisco Service, 3rd Party Service

Page 10

Roadmap & Vision Consistent Security Across Physical, Virtual & Cloud

Virtual Cloud Physical

Page 11

Securing Mobile and Carrier Networks

Page 12

Technology trends are driving use cases

EPC

S1 Gi/SGi S8 SWu SP Wi-Fi

Trends

3G-to-LTE IPv4-to-IPv6 Hotspots

Stateful devices Virtual

Applications & smart phones

Page 13

Securing network edges is critical

•  Increase in connected devices and app complexity

•  Growing number of IP addresses

•  Migration from IPv4 to IPv6 protocol

Gi/SGi Interface Internet

•  Subscribers increasingly access customer EPCs via other operators and untrusted networks

S8 Interface Roaming

•  Proliferation of microcells, cell stations, Evolved Node Bs (eNodeBs), or hotspots

S1 Interface

•  Voice over Wi-Fi as a business imperative

SWu Interface OTT

•  Subscribers using Mobile SPs' networks for their own personal Wi-Fi hotspots

SP Wi-Fi

EPC

Page 14

Security for Carrier and Mobile Edge Use Case

HW Requirements
•  Ultra High Performance FW
•  High Port Density, 100Gbps
•  NEBS
•  Power Efficiency

SW Requirements
•  Mobile Access: Strong authentication, authorization (IKE v1/v2 & PKI protocols); Data confidentiality w/ IPSec ESP; LTE S1 FW (GTP, S1-SP FW)
•  Partner Edge: GTP, NAT
•  Internet Edge: FW, NAT, IPS, Content Filtering

[Diagram: Mobile Packet Core; Mobile Access Edge; Partner Edge; Internet Edge; Internet]

Page 15

Securing the Data Center

Page 16

Time-consuming provisioning

Complex data flows

Unpredictable data volume

In Data Center Security, Threat Defense, Agility, and Control are Challenges

Unique Threats

Page 17

Data Centers Require Specialized Security

Standard edge security
•  Sees symmetric traffic only
•  Scales statically for predictable data volume, limited by edge data connection
•  Monitors ingress and egress traffic
•  Is deployed typically as a physical appliance
•  Deploys in days or weeks

Data center security
•  Requires asymmetric traffic management
•  Must scale dynamically to secure high-volume data bursts
•  Needs to secure intra-data-center traffic
•  Requires both a physical and virtual solution
•  Must deploy in hours or minutes

Page 18

Deployed Where You Need It Most

East-west traffic

76%

North-south traffic

17%

Inter-data-center traffic

7%

Page 19

Threat Centric Security to Protect Your Data Center from Sophisticated Attacks

Sources: Verizon 2014 Data Breach Investigations Report (DBIR); Gartner; Cisco Annual Security Report 2015

Today’s adversaries are more advanced than ever

Well-funded. Both organized crime and nation-state adversaries.

Inventive. Agile methodology, and now finding East-West vulnerabilities to exploit.

Insidious. They blend in with the targeted organization, sometimes taking weeks or months to establish multiple footholds in infrastructure and user databases.

60% of data is stolen in hours; detection can take weeks or months

95% of data center breaches can be tied to misconfigured security solutions

100% of companies connect to domains that host malicious files or services

Page 20

Security for Data Center

Requirements
•  Scalability: High Throughput
•  Multi-Tenancy: Multi-Context
•  Segmentation: Internal/External
•  North-South, East-West traffic
•  Multi-Site Security & Mobility
•  Multi-Vendor Orchestration

Benefits
•  High Scale: access rule, TrustSec
•  Network Integration: Routing, switching, inter-site DC extensions
•  High Density: 40G/100G
•  Clustering: Intra-chassis, Inter-chassis, Inter-site
•  Flow offload
•  Consistent Policy Mgmt

Global Orchestration

Page 21

Trust The Market Leader

“Cisco is the clear leader here…” IT decision-makers consider Cisco the top data center security solution supplier across 10 separate categories.

Infonetics Research Report Experts: Data Center Security Strategies and Vendor Leadership: North American Enterprise Survey, March 2014 and April 2015

Page 22

End-to-End Network Visibility from SP Core to Customer Premise

Unmatched Visibility

Consistent Control

Consistent Policies Across Network, Data Center, and Workloads

Complexity Reduction

Reduce IT Silos, Respond Faster to New Opportunities & Business Models

Detect & Mitigate Advanced Threats across CPE, Cloud, and Network

Advanced Threat Protection

Cisco Difference for Service Providers

Page 23