Enabling Open & Programmable Networks: Network Security for Service Providers. Dan Crawford, Cloud and Network Infrastructure, Cisco; Scott Hammond, Senior Optical Specialist, Cisco; Abhishek Sharma, Systems Engineer, Cisco. March 23rd, 2016.


TRANSCRIPT

Page 1: Network Security for Service Providers · Enabling Open & Programmable Networks Network Security for Service Providers Dan Crawford, Cloud and Network Infrastructure, Cisco Scott

Enabling Open & Programmable Networks

Network Security for Service Providers

•  Dan Crawford, Cloud and Network Infrastructure, Cisco
•  Scott Hammond, Senior Optical Specialist, Cisco
•  Abhishek Sharma, Systems Engineer, Cisco

March 23rd, 2016

Page 2:

2 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Trends: New Opportunities …

•  The world has gone mobile: 10X mobile traffic growth from 2013-2019
•  Traffic growth, driven by video
•  Rise of cloud computing
•  Machine-to-Machine
•  Changing customer expectations: ubiquitous access to apps & services
•  Changing enterprise business models: efficiency & capacity
•  Soon to change SP architectures / service delivery
•  Emergence of the Internet of Everything: people, process, data, things

[Chart: global traffic in petabytes per month, 2013-2018, axis 0 to 120,000; 23% global CAGR 2013-2018. Series: Internet Video (57%, 75%) and Other (43%, 25%).]

New Threats

•  Dynamic threat landscape
•  Increasing threat sophistication
•  Risks to service providers and their customers

Page 3:

Security for Open & Programmable Networks

[Diagram: Cisco Service Provider Architecture. Layers, top to bottom: Applications & Services; Evolved Services Platform (Orchestration Engine, Catalog of Virtual Functions, Service Profile, Service Broker, Smart Service Capabilities); Evolved Programmable Network (Storage, Network, Compute); Cisco Services. Open APIs connect each layer to the next, and Security spans all layers.]

Benefits:
•  New Revenue Streams
•  Increased Business Agility
•  Lower Operating Costs

Cisco Service Provider Architecture

Page 4:

Network Security

Layer 0 – Media
Layer 1 – Physical
Layer 2 – Data Link
Layer 3 – Network
Layer 4 – Transport
Layer 5 – Session
Layer 6 – Presentation
Layer 7 – Application

Cisco Solutions

Page 5:

Security for Service Providers

Operational Efficiency · Integrated Security · Enhanced Agility

•  High speed, scalable security
•  Dynamic service stitching
•  Dynamic provisioning across physical, virtual, and cloud
•  Automated and consistent security policies
•  Lower integration costs and complexity
•  RESTful APIs and 3rd party tool integration
•  Best of breed security = Cisco + 3rd party
•  Security services enabled across platforms
•  Visibility and correlation

Page 6:

Secure Transport: Securing the Network Infrastructure

Page 7:

The Challenge: Securing the Physical Layer

[Diagram: three network nodes connected by fiber links]

Common Challenges

•  Major concerns on data confidentiality and integrity
•  Lack of encryption between network nodes or data centers due to infrastructure complexity
•  False level of trust in private & leased fiber & circuits over the MAN or WAN
•  Belief that encryption incurs unacceptable latency
•  Difficulties associated with cost-effective & scalable security solutions

Page 8:

Do you see the Commonality?

Page 9:

Fiber Optic Hack using off-the-shelf equipment

•  Stressing an optical fiber causes loss.
•  Put a bend / series of micro-bends in the fiber and aim a detector at the light that leaks out due to the stress.
•  Best to do nearer the transmit end of the fiber, as power is strongest there.
•  Hard for a person monitoring to notice, as thermal variations in the cable cause greater power shifts than the tap itself does.

https://www.youtube.com/watch?v=bnzeyBK3kAY
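The last bullet above is the detection problem: the tap's loss is small next to the thermal swing, so an absolute receive-power threshold never fires on it. What follows is an added example, not part of the presentation and not code from any Cisco product, of the check a practitioner would run on receive-power telemetry: it asks how fast the level moved rather than where it sits. The input series is constructed, with an assumed ±0.5 dB thermal cycle and a 0.2 dB tap loss; the names ReceivedPower and DetectSteps, the 5-sample window and the 0.12 dB threshold are all illustrative assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// ReceivedPower returns a constructed series of receive-power readings in dBm,
// one sample per minute. The level drifts with temperature by +/-0.5 dB over a
// four-hour cycle; from sample tapAt onward a bend tap bleeds light out of the
// fibre and the level drops by a constant 0.2 dB. Both figures are illustrative
// assumptions, not measurements from any equipment.
func ReceivedPower(n, tapAt int) []float64 {
	out := make([]float64, n)
	for t := 0; t < n; t++ {
		p := -10.0 + 0.5*math.Sin(2*math.Pi*float64(t)/240.0)
		if t >= tapAt {
			p -= 0.2
		}
		out[t] = p
	}
	return out
}

func mean(xs []float64) float64 {
	sum := 0.0
	for _, x := range xs {
		sum += x
	}
	return sum / float64(len(xs))
}

// DetectSteps compares the mean of the latest w samples with the mean of the w
// samples before them and reports the sample index whenever the level dropped
// by more than threshold dB between the two windows. An absolute low-power
// alarm would have to sit below the whole thermal swing and so never sees a
// 0.2 dB tap; a step detector asks how fast the level moved, which drift does
// slowly and a tap does at once. Rises are ignored: a tap only removes light.
func DetectSteps(power []float64, w int, threshold float64) []int {
	var alarms []int
	for i := 2 * w; i <= len(power); i++ {
		before := mean(power[i-2*w : i-w])
		now := mean(power[i-w : i])
		if before-now > threshold {
			alarms = append(alarms, i-1)
		}
	}
	return alarms
}

func main() {
	// Window of 5 minutes and a 0.12 dB threshold: above the ~0.07 dB the
	// assumed thermal cycle can move in 5 minutes, below the 0.2 dB tap loss.
	fmt.Println("thermal drift only:", DetectSteps(ReceivedPower(240, 1000), 5, 0.12))
	fmt.Println("tap at sample 150: ", DetectSteps(ReceivedPower(240, 150), 5, 0.12))
}
```

Run with go run: the drift-only series produces no alarms, while the series with the tap reports its first alarm within a few samples of sample 150. Window and threshold have to be tuned per link from real telemetry, and a reroute, a connector re-seat or an amplifier change also produces a step, so the alarm is a trigger to inspect the span, not proof of a tap; that is why the deck's answer on the following slides is encryption at the transport layer rather than power monitoring alone.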

Page 10:

Transport Encryption Architecture

[Diagram: Data Center A, Data Center B and Data Center C interconnected over 10G/40G/100G transport with AES 256-bit encryption, FIPS certified. Transport options: Cisco private DWDM, 3rd-party private DWDM, leased-line 10G services, dark fiber. Client signals at each site: Ethernet, Fibre Channel, SONET/SDH, OTN.]

Page 11:

Physical Layer Encryption?

[Diagram: client signals (OC-192/STM-64, Fibre Channel, Ethernet) from Data Center A, B and C are mapped into OTU-2 frames. Each frame is drawn as OTN Overhead | PAYLOAD | OTN Overhead, with only the payload shaded as encrypted.]

The point of the diagram: the OTN overhead stays in the clear so that intermediate transport equipment can still read and act on it, while the client payload carried inside the OTU-2 frame is what gets encrypted. Encryption at this layer therefore protects whatever client signal is mapped in, independent of the protocol above it.

Page 12:

Cisco Encryption Features

•  Security Certified
•  Passive Attack Detection
•  Secure Boot
•  ECDH(E) Key Exchange
•  Key Zeroization
•  Active Attack Detection
•  Card to Card Authentication
•  Role Based Access Control
•  GMAC Authentication
•  User and Cryptographic Lifecycle Management
•  XTS-AES 256 Encryption
•  Key Generation Using TLS
•  Secure Chip
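An added example, in Go, that is not Cisco's code and not from the deck: it ties together the key-exchange, zeroization, encryption and authentication items in the feature list above with the overhead/payload split of the preceding slide. Two hypothetical line cards agree a session key by ephemeral ECDH on P-256, zeroize the raw shared secret, then protect frames so that the overhead stays readable in the clear yet is covered by the authentication tag, and the payload is encrypted. Two substitutions are assumptions of this example rather than anything the slide states: Go's standard library has no XTS mode, so AES-256-GCM (counter-mode encryption plus the same GMAC tag construction) stands in for XTS-AES 256 with GMAC, and SHA-256 over the shared secret stands in for the TLS-based key generation listed. Frame, LineCard, AgreeKeys, Protect and Open are names invented here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Frame models the slide's split of an OTN frame: overhead in the clear so transit
// equipment can read it, payload encrypted. The GCM tag covers both fields.
type Frame struct {
	Seq      uint64 // frame counter: feeds the nonce and must never repeat under one key
	Overhead []byte // OTN overhead, clear text, authenticated as associated data
	Payload  []byte // client signal: ciphertext followed by the 16-byte tag
}

// LineCard is one end of the encrypted link; it holds only the session key schedule.
type LineCard struct{ aead cipher.AEAD }

// newLineCard derives the AES-256 session key from the ECDH shared secret and
// zeroizes the raw secret. Assumption of this example: SHA-256 stands in for the
// TLS-based key generation on the slide.
func newLineCard(secret []byte) (*LineCard, error) {
	key := sha256.Sum256(secret)
	zeroize(secret)
	block, err := aes.NewCipher(key[:]) // a 32-byte key selects AES-256
	zeroize(key[:])                     // the cipher keeps its own key schedule
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &LineCard{aead: aead}, nil
}

// AgreeKeys runs an ephemeral ECDH exchange on P-256 between two cards. Only public
// keys cross the link; each card combines its private key with the peer's public
// key. If the two secrets differed, Open at the far end would fail.
func AgreeKeys() (*LineCard, *LineCard, error) {
	curve := ecdh.P256()
	privA, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	privB, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	secretA, err := privA.ECDH(privB.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	secretB, err := privB.ECDH(privA.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	cardA, err := newLineCard(secretA)
	if err != nil {
		return nil, nil, err
	}
	cardB, err := newLineCard(secretB)
	return cardA, cardB, err
}

// zeroize overwrites key material in place (best effort under a garbage collector).
func zeroize(b []byte) { copy(b, make([]byte, len(b))) }

// nonce builds the 96-bit GCM nonce from the frame counter.
func nonce(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Protect encrypts the payload and authenticates overhead plus payload.
func (c *LineCard) Protect(seq uint64, overhead, payload []byte) Frame {
	ct := c.aead.Seal(nil, nonce(seq), payload, overhead)
	return Frame{Seq: seq, Overhead: overhead, Payload: ct}
}

// Open verifies the tag and decrypts; it fails if either field was altered in transit.
func (c *LineCard) Open(f Frame) ([]byte, error) {
	return c.aead.Open(nil, nonce(f.Seq), f.Payload, f.Overhead)
}

func main() {
	a, b, err := AgreeKeys()
	if err != nil {
		panic(err)
	}
	f := a.Protect(1, []byte("OTU2 overhead"), []byte("client signal bytes"))
	pt, err := b.Open(f)
	fmt.Printf("wire: overhead=%q payload=%x\nfar end: %q err=%v\n", f.Overhead, f.Payload, pt, err)
}
```

Two properties matter in operation. Nonce reuse under one GCM key breaks both confidentiality and the tag, so Seq must be a strictly increasing frame counter and the key must be renegotiated (another ECDHE run) before it wraps. And zeroize is best effort in a garbage-collected language: the runtime may already have copied the slice, which is part of why the slide pairs key zeroization with a secure chip rather than relying on software alone.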

Page 13:

Fortifying Your Networks

Encryption option | Suited for | Status
10 Gbps Encryption Line Card, AES-256, Suite-B, FIPS, Common Criteria | Secure Access/Edge deployments | Shipping Today
10/40/100 Gbps Encryption Line Card, AES-256, Suite-B, FIPS, Common Criteria | Secure Aggregation/MAN deployments | Shipping Today
Dense 10/40/100 Gbps Encryption Line Card* | Secure Core/Long-haul deployments | Shipping Today
High Density 10/40/100 Gbps Encryption Device, AES-256, MACsec* | Secure DCI | Shipping Soon

Page 14:

Cisco’s Layer 1 Product Portfolio

Platform | Size (RU) | Ideal Deployment | Shipping Today?
NCS 1002 | 2 RU, 4 slices | Data Center Interconnect | Yes
NCS 2002 | 2 RU, 2 slots | Edge and Access | Yes
NCS 2006 | 6 RU, 6 slots | Aggregation / Metro | Yes
NCS 2015 | 14 RU, 15 slots | Core / Long-haul | Yes

Page 15:

Next…Security above the Physical Layer

Page 16:

Moving Up the Stack with Security

Page 17:

Legacy Security: Siloed, Inefficient & Expensive

[Diagram: a data packet is passed in series through separate DDoS, SSL, FW, VPN, IPS and Sandbox platforms, each a standalone appliance.]

Consequences: reduced effectiveness, increased latency, slows the network, static & manual.

Page 18:

Cisco’s Threat-Centric Security Model

Covers the entire attack continuum, across Network, Endpoint, Mobile, Virtual and Cloud, with point-in-time and continuous protection:

BEFORE – Discover, Enforce, Harden
DURING – Detect, Block, Defend
AFTER – Scope, Contain, Remediate

Security Services: Advanced Malware Protection, VPN, Firewall, NGIPS, DDoS, Policy Management, Application Control, Secure Access + Identity Services, Malware Sandboxing, Web Security, Email Security, Network Behavior Analysis

Page 19:

Threat-Centric Security for Service Providers

Operational Efficiency · Integrated Security · Enhanced Agility

•  High speed, scalable security
•  Dynamic service stitching
•  Dynamic provisioning across physical, virtual, and cloud
•  Automated and consistent security policies
•  Lower integration costs and complexity
•  RESTful APIs and 3rd party tool integration
•  Best of breed security = Cisco + 3rd party
•  Security services in a consolidated platform
•  Visibility and correlation

Page 20:

Firepower Platform: High-Speed, Scalable Security (Firepower 4100 and Firepower 9300)

Multi-Service Security (both platforms):
•  ASA container
•  Firepower Threat Defense containers: NGIPS, AMP, URL, AVC
•  3rd party containers: Radware DDoS, other ecosystem partners

Programmable Management & Orchestration:
•  Template driven security
•  Secure containerization for customer apps
•  RESTful/JSON API
•  3rd party orchestration/management
•  Single management interface with Firepower Threat Defense
•  Unified policy with inheritance
•  Choice of management deployment options

Performance & Density Optimization:
•  Firepower 4100: 1RU form factor; 10-Gbps and 40-Gbps interfaces; up to 80-Gbps throughput
•  Firepower 9300: 3RU form factor; 10G/40G I/O, 100G ready; terabit backplane; NEBS ready

Page 21:

vDDoS Protection “Powered by Arbor Networks”

Arbor Networks SP + Arbor Networks Threat Management System (TMS) + ASR 9000 with Virtual Services Module (VSM) = Cisco ASR 9000 vDDoS Protection “Powered by Arbor Networks”

•  Network embedded, virtual DDoS protection
•  Up to 40 Gbps mitigation per VSM

Page 22:

Cisco Transforms Security Service Integration

[Diagram, left (Siloed): a data packet traverses separate DDoS, SSL, FW, WAF, IPS and Sandbox platforms in series: limited effectiveness, increased latency, slows the network, static & manual. Right (Integrated, Unified Platform): the same packet is processed by DDoS, FW, VPN, NGIPS, SSL and AMP services on one platform: maximum protection, highly efficient, scalable processing, dynamic. Key: Cisco service vs. 3rd party service.]

Page 23:

Roadmap & Vision: Consistent Security Across Physical, Virtual & Cloud

Page 24:

Security Services Wrapper

•  Assessments
•  Program Strategy
•  Architecture & Design
•  Integration
•  Migration
•  Optimization
•  Product Support
•  Hosted Security
•  Managed Security

Page 25:

Cisco Difference for Service Providers

•  Unmatched Visibility: end-to-end network visibility from SP core to customer premise
•  Consistent Control: consistent policies across network, data center, and workloads
•  Complexity Reduction: reduce IT silos, respond faster to new opportunities & business models
•  Advanced Threat Protection: detect & mitigate advanced threats across CPE, cloud, and network

Visit www.cisco.com/go/security for more information

Page 26:

trust.cisco.com cisco.com/go/security