TRANSCRIPT
René Raeber, [email protected]
DSE WW Datacenter & Cloud
IEEE-802.1 DCB Architect
@rraeber
Datacenter Patent Reviewer
Master Business IT Security
Datacenter Security
How do Datacenters have to react in the Era of Digitization?
Agenda
Introduction
Policy driven Datacenter
Segmentation
Visibility
Conclusion / Discussion
Datacenter Evolution
Infrastructure Revolution -> Software-defined Infrastructure -> Autonomous Infrastructure
Container Technologies (diagram of a Docker host): Server > Host OS > Docker > two sets of Binaries/Libraries, shared by App 1, App 1' and by App 2, App 2', App 2'' respectively
Compute | Storage | Network
Integrated Architectural Approach
Best of Breed Portfolio
Cisco’s Approach: Security Everywhere
Cisco’s Integrated Architectural Approach: Pervasive | Integrated | Continuous | Open
(Diagram: Threat Intelligence and Unified Management spanning Network, Endpoint, Cloud and Services, with Visibility and Threat Intelligence across all of them.)
Cisco Datacenter Strategy
Defined by Applications. Driven by Policy. Delivered as a Solution / Service.
(Diagram: Compute, Network and Cloud, each governed by Policy.)
Policy Model (diagram): Identity Authority and Perimeter Security as the two anchors; components shown: ISE and TrustSec (identity), APIC and VTS (programmable network / programmable fabric), ACI, Segmentation (ACI, Non-ACI, UCS), Analytics (Tetration, Stealthwatch), Cisco Firewalls / NGFW / IPS / IDS, Certified Security Ecosystem
“We Securely connect On-Prem and Off-Prem Everything to make Anything possible”
Cisco Datacenter Security Overview
The FOCUS areas and the priorities for each area
Cisco SAFE
Cisco SAFE Conceptual Layout (diagram): places in the network: Branch, Campus, Data Center, Edge, Cloud, WAN, Internet, SP WAN
SAFE Simplifies Security: Data Center (diagram)
Zones: Shared Services Zone, App Server Zone, PCI Compliance Zone, Database Zone; L2/L3 network to Campus and to Edge; WAN
Security capabilities placed in the data center: Flow Analytics, Host-based Security, Load Balancer, Firewall, Next-Gen Intrusion Prevention System, Switch, Web Application Firewall, Virtualized Capabilities
Centralized Management: Policy/Configuration, Visibility/Context, Analysis/Correlation, Analytics, Logging/Reporting, Threat Intelligence, Vulnerability Management, Monitoring
Application Centric Infrastructure
Policy (what may happen), Assurance (what can happen), Analytics (what did happen)
Use cases: ADM, Security, Compliance, Audit, …
Agenda
Introduction
Policy driven Datacenter
Segmentation
Visibility
Conclusion / Discussion
What do we mean by Policy?
(Diagram: POLICY spanning the DATA CENTER, the Edge and the Public Cloud, with APPs in every location.)
Network is the single source of truth.
Applications are Everywhere. Good News: So are We.
Today every domain speaks its own language: Network Language, Compute/Storage Language, Security Language.
How? Teach the Infrastructure the Language of the Applications.
Decouple Application and Policy From Underlying Infrastructure
(Diagram: a Common Policy for the App is rendered onto the Infrastructure as an Application Network Profile and a UCS Service Profile: Policy-Driven Infrastructure.)
This is what we call Policy.
Application Language
• Application tier policy and dependencies
• Security requirements
• Service level agreement
• Application performance
• Compliance
• Geo dependencies
Why? The Network Is the Best Place to Put Policy
The network is the best place to put policy because it touches everything. The network never lies.
(Diagram: POLICY spanning the DATA CENTER, the Edge and the Public Cloud, with APPs everywhere.)
Policy Driven Integrated Infrastructure In Action (diagram, steps as numbered on the slide)
1. Modernize Infrastructure: Open and Programmable (Network / L4-7, Compute, Storage, Security)
2. Move Data and Workloads Securely
3. Build Your Private Cloud (Private Cloud Stack on Integrated Infrastructure)
4. Choose Any Other Cloud (Managed, Public, Private)
5. Self-Service Portal (IT as a Service)
6. Extend Policy Model
7. Automate and Simplify
8. Edge – Push Policy Model
9. SECURITY Everywhere
10. Analytics Everywhere
POLICY spans the DATA CENTER, the edge and the clouds.
Application Centric Infrastructure (ACI) (diagram): Unified Management and Visibility; flat, hardware-accelerated network; logical Endpoint Groups by role (e.g. “App”, “DB”); fabric ports; flexible insertion of services.
APIC Logical View (diagram): a Tenant contains Contexts (VRFs); each Context contains Bridge Domains; each Bridge Domain carries subnets (Subnet A, Subnet B, Subnet D) and Endpoint Groups (EPG A, EPG B, EPG C). The same EPG can appear in several Bridge Domains, and the same subnet in several Contexts.
Application decommission & the compliance / audit demand
“Due to compliance regulations, when an application gets decommissioned, every IT resource associated with it must be removed and/or wiped out”
• Compute: UCS allows one to disassociate the service profile(s) associated with this application. Audit OK!
• Storage: storage arrays can wipe out the data, or the associated disks can be trashed. Audit OK!
• Network: the current network approach and solutions have no way to map the application workflow and “remove” it. Audit Fail.
• ACI is the only one that can, including programmatically and automated. Audit OK!
Disjointed Identity & Security Policy Domains Between Campus and Data Center (diagram)
TrustSec policy domain (Campus / Branch / Non-Fabric): Voice VLAN and Data VLAN; identities Voice, Employee, Supplier, BYOD
APIC policy domain (Data Center, ACI fabric): Web, App, DB
The WAN connects the two, but the identity policy domains are disjointed.
• Today customers have two disjointed identity and security policy domains in Campus and Data Center:
• TrustSec: user identity, SGT and SGACL in the Campus
• APIC: application endpoint identity, EPG and Contract in the Data Center
• Customer requirement: a common “Identity,” tagging and “Security Policy” between the TrustSec and ACI domains
ISE and ACI Policy Models
ISE policy model: Src-SGT (identity) -> SGACL -> Dest-SGT (identity), held by the ISE controller
ACI policy model: Src-EPG (identity) -> Contract -> Dest-EPG (identity), held by the APIC controller
Policy mapping between the ISE controller and the APIC controller:
• Campus “User Identity Scale Up” automatically propagated into the ACI Data Center: as SGT bindings scale up in ISE (User 1 … User 1000), APIC dynamically learns the scaled-up user bindings from the Campus.
• ACI “App Endpoint Scale Up” automatically propagated into the Campus ISE controller: as apps scale up dynamically in the DC (VM1 … VM1000), ISE dynamically learns the scaled-up VM bindings from the DC, extending the TrustSec domain.
Agenda
Introduction
Policy driven Datacenter
Segmentation
Visibility
Conclusion / Discussion
Spectrum of Micro Segmentation
The level of segmentation / isolation / visibility increases from Segmentation to Micro-Segmentation, from per EPG down to per vNIC.
ACI Enables Segmentation Based on Business Needs:
• Network centric segmentation: VLAN 1, VXLAN 2, VLAN 3
• Segment by application lifecycle: DEV, TEST, PROD
• Basic DC network segmentation: PRODUCTION POD, DMZ, SHARED SERVICES
• Per application-tier / service-level micro-segmentation: WEB, APP, DB
• Intra-EPG micro-segmentation: WEB, WEB
• Container security (new): VM with OVS/OpFlex
Supported on VMware VDS, Microsoft Hyper-V, KVM, Cisco AVS and physical workloads; EPG based / intra-EPG based / attributes based.
Micro-Segmentation Supports Contracts and Service-Graphs
Application with EPGs, Contracts and Service Graphs (diagram): uSeg EPGs such as uSeg-video-client and Video-Streaming connected by a Contract, and uSeg EPGs connected through a Service Graph.
ACI and SourceFire – Security Closed Feedback Loop (diagram)
EPGs: CORP EPG, PUBLIC EPG, REM EPG, QUA EPG; firewalls (FW) and an NGIPS in front of the fabric.
1. An attack involving 10.1.0.234 in CORP EPG is detected by the NGIPS.
2. FireSIGHT Management Center issues REST calls to the APIC northbound API to move the VM to quarantine (QUA EPG) for remediation.
3. Post remediation, the cleaned VM is moved back.
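The quarantine step above is a REST call to the APIC northbound API. The following Python is an added example, not Cisco's, FireSIGHT's or the presenter's code: it builds the APIC login body and an attribute-based (uSeg) EPG that matches the attacked endpoint's IP, then posts them. The APIC URL, tenant, application profile, bridge domain, VMM domain and credentials are placeholders, and the ACI class and attribute names (fvAEPg, isAttrBasedEPg, pcEnfPref, fvRsBd, fvRsDomAtt, fvCrtrn, fvIpAttr) are used as I understand the APIC object model; check them against the API Inspector of the APIC you target.

```python
"""Quarantine an endpoint by pulling it into a uSeg EPG on APIC (added example)."""
import json
import ssl
import urllib.request

APIC_URL = "https://apic.example.internal"       # placeholder APIC address
TENANT = "corp"                                  # placeholder tenant
APP_PROFILE = "three-tier"                       # placeholder application profile
BRIDGE_DOMAIN = "corp-bd"                        # placeholder bridge domain
VMM_DOMAIN_DN = "uni/vmmp-VMware/dom-vds-prod"   # placeholder VMM domain DN
QUARANTINE_EPG = "QUA-EPG"                       # the QUA EPG from the slide


def login_payload(user: str, password: str) -> dict:
    """Body for POST /api/aaaLogin.json; the reply carries a session token."""
    return {"aaaUser": {"attributes": {"name": user, "pwd": password}}}


def quarantine_epg_payload(ip: str, epg: str = QUARANTINE_EPG,
                           bridge_domain: str = BRIDGE_DOMAIN,
                           vmm_domain_dn: str = VMM_DOMAIN_DN) -> dict:
    """fvAEPg with isAttrBasedEPg=yes and an IP-attribute criterion.

    A uSeg EPG whose attributes match an endpoint takes precedence over the base
    EPG the endpoint was learned in, so matching the IP here pulls the host out
    of CORP EPG without touching CORP EPG. pcEnfPref=enforced isolates members
    of the quarantine EPG from each other, and no contract is attached, so under
    the whitelist model the quarantined host can talk to nothing.
    """
    return {
        "fvAEPg": {
            "attributes": {"name": epg, "isAttrBasedEPg": "yes",
                           "pcEnfPref": "enforced"},
            "children": [
                {"fvRsBd": {"attributes": {"tnFvBDName": bridge_domain}}},
                {"fvRsDomAtt": {"attributes": {"tDn": vmm_domain_dn}}},
                {"fvCrtrn": {"attributes": {"name": "default"},
                             "children": [{"fvIpAttr": {"attributes": {
                                 "name": f"ip-{ip}", "ip": ip}}}]}},
            ],
        }
    }


def release_epg_payload(epg: str = QUARANTINE_EPG) -> dict:
    """Delete the uSeg EPG after remediation; the endpoint falls back to its base EPG."""
    return {"fvAEPg": {"attributes": {"name": epg, "status": "deleted"}}}


def epg_dn(tenant: str, app_profile: str, epg: str) -> str:
    """Distinguished name of an EPG, as used in the /api/mo/ URL path."""
    return f"uni/tn-{tenant}/ap-{app_profile}/epg-{epg}"


def apic_post(base_url, path, payload, token=None, opener=urllib.request.urlopen):
    """POST JSON to APIC and return the parsed reply. `opener` is injectable for tests."""
    req = urllib.request.Request(base_url + path, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    if token:
        req.add_header("Cookie", f"APIC-cookie={token}")
    ctx = ssl.create_default_context()  # verifies the APIC certificate; keep it on
    with opener(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode())


def quarantine(ip, user, password, base_url=APIC_URL, opener=urllib.request.urlopen):
    """The closed-loop action: log in, push the uSeg EPG, return APIC's reply."""
    login = apic_post(base_url, "/api/aaaLogin.json",
                      login_payload(user, password), opener=opener)
    token = login["imdata"][0]["aaaLogin"]["attributes"]["token"]
    dn = epg_dn(TENANT, APP_PROFILE, QUARANTINE_EPG)
    return apic_post(base_url, f"/api/mo/{dn}.json",
                     quarantine_epg_payload(ip), token, opener)


if __name__ == "__main__":
    print(json.dumps(quarantine_epg_payload("10.1.0.234"), indent=2))
```

An IP attribute only holds while the endpoint keeps that address; if the attacker can re-address the VM, a VM-name or MAC criterion (both in the DVS attribute list on the next slide) is the more robust match. Posting release_epg_payload() to the same DN after remediation is the "move cleaned VM back" step.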
DVS Micro-Segmentation and Custom Attributes
Attributes supported for DVS uSeg: Custom Attributes, Guest OS, VM Name, VM (id), VNIC (id), DVS, DVS Port-group, Datacenter, MAC, IP Address Prefix
Custom attributes are set with the vSphere Web Client Plugin 6.0.
Segmentation with ACI – Available Today! Whitelist, Multi-Tenant Isolation, Service Automation
ACI Services Graph: L4-7 security services (physical or virtual, location independent) inserted in front of servers (physical or virtual, containers, micro services); a firewall at each leaf switch.
Embedded Security:
• White-list firewall policy model (line rate)
• Authenticated northbound API (X.509)
• Encrypted management plane (TLS 1.2)
• Integrate any security device
• PCI, FIPS
Micro-Segmentation:
• VMware AVS, VDS (by H1CY16), Microsoft Hyper-V and bare metal workloads
• Intra End-Point-Group (EPG) isolation
• Attribute based isolation and quarantine
Security Automation:
• Dynamic service insertion and chaining
• Security policy follows workloads
• Centralized security provisioning and visibility
Agenda
Introduction
Policy driven Datacenter
Segmentation
Visibility
Conclusion / Discussion
Deterministic …
“We may regard the present state of the Universe as the effect of its past and the cause of its future.”
If you know everything about a system at some instant of time, and you also know the equations that govern how the system changes, then you can predict the future. The classical laws of physics are deterministic!
If we can say the same thing with the past and the future reversed, the equations tell you everything about the past. Such a system is called reversible.
Now, can we do this with IT?
Tetration Analytics: visibility and forensics, application insight, network, compliance, policy.
Think about what you could do if you had: Every Packet, Any Time, Any Where
• Application insight
• Policy simulation and impact assessment
• Automated whitelist policy generation
• Forensics: every packet, every flow, every speed
• Policy compliance and auditability
Cisco Tetration Analytics
Cisco Tetration Analytics Architecture Overview (diagram)
Data collection: host sensors (on servers and VMs), network sensors (Cisco Nexus® 92160YC-X and Cisco Nexus 93180YC-EX switches), third-party metadata sources and configuration data, all feeding Tetration telemetry into the platform.
Analytics engine: Cisco Tetration Analytics™ Platform.
Visualization and reporting: Web GUI, REST API, push events.
Cisco Confidential-NDA Required
Pervasive Visibility: Flow Search and Forensics
Datacenter-wide traffic flow visibility: information about consumer, provider and type of traffic, and detail information about each flow.
Visual query with flow exploration; replay flow details like a DVR; information mapped across 25 different dimensions.
• Thick lines indicate common flows
• Faint lines indicate uncommon flows
Policy Simulation and Compliance (diagram): permitted traffic seen on the network alongside what was seen on the network that was out of policy.
Policy Compliance Verification & Simulation
Policy Compliance:
• Identify policy deviations in real-time
• Review and update whitelist policy with one click
• Policy lifecycle management
(Diagram: VMs and bare-metal (BM) hosts across the data center reporting into the Cisco Tetration Analytics™ Platform.)
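The two Tetration functions described on these slides, automated whitelist generation from observed flows and real-time detection of out-of-policy flows, reduce to a join between flow records and the whitelist documents shown later in the deck. The following Python is an added example, not Tetration's or the presenter's code; the endpoint-to-tier inventory and the flow records are constructed for the example, and the whitelist is the App -> Web document from the deck.

```python
"""Whitelist compliance check and whitelist generation over flow records (added example)."""
import json
from collections import defaultdict

# Whitelist document in the format shown on the Enforcement Anywhere slide.
POLICY_JSON = """{
  "src_name": "App", "dst_name": "Web",
  "whitelist": [
    {"port": [0, 0], "proto": 1, "action": "ALLOW"},
    {"port": [80, 80], "proto": 6, "action": "ALLOW"},
    {"port": [443, 443], "proto": 6, "action": "ALLOW"}
  ]
}"""

# Constructed inventory: which endpoint belongs to which application tier.
INVENTORY = {"10.1.1.10": "App", "10.1.1.11": "App", "10.1.2.20": "Web", "10.1.4.40": "DB"}

# Constructed flow records (consumer -> provider) as a host or switch sensor would report them.
# ICMP flows carry port 0 so they fall inside the [0, 0] range of the ICMP whitelist entry.
FLOWS = [
    {"src": "10.1.1.10", "dst": "10.1.2.20", "proto": 6, "port": 443},   # in policy
    {"src": "10.1.1.10", "dst": "10.1.2.20", "proto": 1, "port": 0},     # in policy (ICMP)
    {"src": "10.1.1.11", "dst": "10.1.2.20", "proto": 6, "port": 22},    # SSH App->Web: not listed
    {"src": "10.1.2.20", "dst": "10.1.4.40", "proto": 6, "port": 3306},  # Web->DB: no policy at all
    {"src": "10.1.3.30", "dst": "10.1.2.20", "proto": 6, "port": 80},    # unclassified consumer
]


def load_policies(docs):
    """Index whitelist documents by (consumer tier, provider tier)."""
    idx = defaultdict(list)
    for doc in docs:
        for e in doc["whitelist"]:
            lo, hi = e["port"]
            idx[(doc["src_name"], doc["dst_name"])].append((e["proto"], lo, hi, e["action"]))
    return idx


def verdict(policies, inventory, flow):
    """ALLOW if some rule matches; otherwise the reason the flow is out of policy."""
    src, dst = inventory.get(flow["src"]), inventory.get(flow["dst"])
    if src is None or dst is None:
        return "unknown-endpoint"   # cannot be judged until the host is classified
    rules = policies.get((src, dst))
    if not rules:
        return "no-policy"          # whitelist model: no document means nothing is allowed
    for proto, lo, hi, action in rules:
        if proto == flow["proto"] and lo <= flow["port"] <= hi:
            return action
    return "no-match"


def check_flows(policies, inventory, flows):
    """Return (flow, reason) for every flow that is not explicitly allowed."""
    deviations = []
    for f in flows:
        v = verdict(policies, inventory, f)
        if v != "ALLOW":
            deviations.append((f, v))
    return deviations


def generate_whitelist(inventory, flows):
    """Aggregate observed flows into whitelist documents in the deck's format (ADM-style).

    Flows with an unclassified endpoint are skipped rather than whitelisted: an
    attacker's host must not become policy just because it was seen talking.
    """
    seen = defaultdict(set)
    for f in flows:
        src, dst = inventory.get(f["src"]), inventory.get(f["dst"])
        if src is None or dst is None:
            continue
        seen[(src, dst)].add((f["proto"], f["port"]))
    return [{"src_name": src, "dst_name": dst,
             "whitelist": [{"port": [p, p], "proto": proto, "action": "ALLOW"}
                           for proto, p in sorted(seen[(src, dst)])]}
            for src, dst in sorted(seen)]


if __name__ == "__main__":
    pols = load_policies([json.loads(POLICY_JSON)])
    for flow, reason in check_flows(pols, INVENTORY, FLOWS):
        print(reason, flow)
    print(json.dumps(generate_whitelist(INVENTORY, FLOWS), indent=2))
```

The generated document for App -> Web includes TCP/22 because it was observed; that is exactly why the slide pairs generation with "review and update whitelist policy": a generated whitelist is a starting point for a human to prune, not a policy to enforce blindly.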
Policy Enforcement: Get To Zero-Trust Model
Tetration Analytics turns real-time data into an application policy recommendation; the policy is imported into APIC using the ACI Toolkit, with automatic creation of EPGs and Contracts, and rendered as network policy on Cisco Nexus 9000 Series switches and UCS.
Enforcement Anywhere: Cisco Tetration Analytics™ exports the whitelist policy for Cisco ACI™ and Cisco Nexus® 9000 Series, standalone Linux and Microsoft Windows servers and VMs, and public cloud (Amazon Web Services, Microsoft Azure Cloud).
Whitelist policy (proto is the IP protocol number: 1 = ICMP, 6 = TCP):
{
  "src_name": "App",
  "dst_name": "Web",
  "whitelist": [
    {"port": [ 0, 0 ], "proto": 1, "action": "ALLOW"},
    {"port": [ 80, 80 ], "proto": 6, "action": "ALLOW"},
    {"port": [ 443, 443 ], "proto": 6, "action": "ALLOW"}
  ]
}
• Cisco ACI EPG/Contract integration via Cisco ACI Toolkit
• Traditional network ACL
• Firewall rules
• Host firewall rules
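"Enforcement Anywhere" means the one whitelist document above is rendered into different enforcement points. The following Python is an added example, not Tetration's, the ACI Toolkit's or the presenter's code: it turns the deck's App -> Web whitelist into an ACI filter plus contract (the EPG/Contract integration bullet) and into host-firewall rules (the host firewall bullet). The ACI class and attribute names (vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt, fvRsCons, fvRsProv) are used as I understand the APIC object model; the iptables rules assume an ipset named after the consumer tier already holds that tier's addresses, which is my assumption, not something the deck states.

```python
"""Render a whitelist document into ACI contract objects and iptables rules (added example)."""
import json

# The whitelist document shown on the slide.
POLICY = json.loads("""{
  "src_name": "App", "dst_name": "Web",
  "whitelist": [
    {"port": [0, 0], "proto": 1, "action": "ALLOW"},
    {"port": [80, 80], "proto": 6, "action": "ALLOW"},
    {"port": [443, 443], "proto": 6, "action": "ALLOW"}
  ]
}""")

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}   # IP protocol number -> name used by both targets


def contract_name(policy):
    return f"{policy['src_name']}-to-{policy['dst_name']}"


def to_aci(policy, tenant):
    """Tenant fragment with one vzFilter (one vzEntry per whitelist line) and one contract.

    Post to /api/mo/uni/tn-<tenant>.json. scope=context keeps the contract usable
    by any EPG in the tenant's VRF; stateful=yes asks the leaf to admit only the
    return half of established TCP sessions.
    """
    name = contract_name(policy)
    entries = []
    for e in policy["whitelist"]:
        if e["action"] != "ALLOW":
            continue   # whitelist model: only ALLOW lines exist, everything else is implicit deny
        proto = PROTO[e["proto"]]
        lo, hi = e["port"]
        attrs = {"name": f"{proto}-{lo}-{hi}", "etherT": "ip", "prot": proto}
        if proto in ("tcp", "udp"):
            attrs.update({"dFromPort": str(lo), "dToPort": str(hi), "stateful": "yes"})
        entries.append({"vzEntry": {"attributes": attrs}})
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        {"vzFilter": {"attributes": {"name": name}, "children": entries}},
        {"vzBrCP": {"attributes": {"name": name, "scope": "context"}, "children": [
            {"vzSubj": {"attributes": {"name": "allowed"}, "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": name}}}]}}]}},
    ]}}


def epg_contract_bindings(policy):
    """Relations to add under each EPG: the consumer consumes, the provider provides."""
    name = contract_name(policy)
    return {policy["src_name"]: {"fvRsCons": {"attributes": {"tnVzBrCPName": name}}},
            policy["dst_name"]: {"fvRsProv": {"attributes": {"tnVzBrCPName": name}}}}


def to_iptables(policy, chain="INPUT"):
    """Rules for the provider hosts; the consumer tier is matched via an ipset (assumed).

    The trailing DROP makes the pair whitelist-only even if the chain policy is ACCEPT.
    """
    src = policy["src_name"]
    rules = []
    for e in policy["whitelist"]:
        if e["action"] != "ALLOW":
            continue
        proto = PROTO[e["proto"]]
        lo, hi = e["port"]
        rule = f"-A {chain} -m set --match-set {src} src -p {proto}"
        if proto in ("tcp", "udp"):
            rule += f" --dport {lo}" if lo == hi else f" --dport {lo}:{hi}"
        rules.append(rule + " -j ACCEPT")
    rules.append(f"-A {chain} -m set --match-set {src} src -j DROP")
    return rules


if __name__ == "__main__":
    print(json.dumps(to_aci(POLICY, "corp"), indent=2))
    print("\n".join(to_iptables(POLICY)))
```

The same document drives both renderers, which is the point of the slide: the policy is authored once per application pair and the fabric, the host and the cloud ACL each receive their own dialect of it.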
Better together: CliQr | ACI | Tetration
• App-level policy enforcement / visibility
• Self-documenting network
• Real-time detection & closed-loop automation
(Diagram: app policy and real-time data exchanged between Tetration Analytics, the Nexus 9K fabric and the public clouds, Amazon Web Services and Microsoft Azure Cloud.)
Agenda
Introduction
Policy driven Datacenter
Segmentation
Visibility
Conclusion / Discussion
Two Operational Models: Which do you want your network admin using?
With ACI:
1. “Let my app servers talk to my web servers.”
2. There is no step 2. Go do something interesting.
Without ACI:
1. “Trunk VLAN 112 to switch 22.”
2. “Add route….”
3. “Plumb ports 7-12…”
4. Break for snack. See if there’s any leftover cake in the coffee room.
5. “Configure ACL…”
6. “Apply QoS…”
7. Repeat.
ACI is for Micro Segmentation
• Micro segmentation works for all workloads (bare metal, virtual, containers, management, backup …)
• Same policy model for vSphere, Hyper-V, OpenStack, containers and bare metal.
• With ACI 1.2: support for up to 10 vCenters (5.1, 5.5 and 6.0) and up to 10,000 servers.
• Works with standard virtual switch offerings, including VMware VDS, OVS and MSFT vSwitch (AVS is optional for vSphere).
• Stateful firewall when using Cisco AVS on vSphere, at no extra cost and with better performance in the VMware environment.
ACI Security Certifications (table of certification vs. ACI status; the status column reads Done, Target Q4 CY 16, Target Q3 CY 16, Target Q4 CY 16, Planning)
ACI Security: Automated Security With Built-In Multi-Tenancy
Embedded Security:
• White-list firewall policy model
• RBAC rules
• Hardened CentOS 7.2
• Authenticated northbound API (X.509)
• Encrypted Infra-VLAN (TLS 1.2)
• Secure key-store for image verification
• Distributed stateless firewall, line-rate security enforcement
• Open: integrate any security device
• PCI, FIPS, CC, UC-APL, USG-v6
Security Automation:
• ACI Services Graph
• Dynamic service insertion and chaining
• Closed-loop feedback for remediation
• Centralized security provisioning & visibility
• Security policy follows workloads
Micro-Segmentation:
• Hypervisor agnostic (ESX, Hyper-V, KVM*)
• Physical, virtual machine, container
• Attribute based isolation/quarantine
• Point and click micro-segmentation
• TrustSec-ACI integration
Encryption:
• Link MACsec
• INS-SEC overlay encryption