TRANSCRIPT
Enabling Open & Programmable Networks
Network Security for Service Providers
Dan Crawford, Cloud and Network Infrastructure, Cisco
Scott Hammond, Senior Optical Specialist, Cisco
Abhishek Sharma, Systems Engineer, Cisco
March 23rd, 2016
2 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Trends: New Opportunities …
• The world has gone mobile
• Traffic growth, driven by video
• Rise of cloud computing
• Machine-to-Machine
• Changing Customer Expectations
• Ubiquitous Access to Apps & Services
• 10X Mobile Traffic Growth From 2013-2019
• Changing Enterprise Business Models
• Efficiency & Capacity
• Soon to Change SP Architectures/Service Delivery
• Emergence of the Internet of Everything (Process, Things, People, Data)
[Chart: global IP traffic in Petabytes per Month, 2013 to 2018, scale 0 to 120,000; Internet Video (57%, 75%) vs. Other (43%, 25%); 23% Global CAGR 2013-2018]
New Threats
• Dynamic Threat Landscape
• Increasing Threat Sophistication
• Risks to Service Providers and Their Customers
Security for Open & Programmable Networks
Cisco Service Provider Architecture
[Diagram: Applications & Services on top; Evolved Programmable Network (Storage, Network, Compute) with Security; Evolved Services Platform (Service Broker, Orchestration Engine, Catalog of Virtual Functions, Service Profile); Cisco Services with Smart Service Capabilities; Open APIs between each layer]
Benefits: • New Revenue Streams • Increased Business Agility • Lower Operating Costs
Network Security
Layer 0 – Media
Layer 1 – Physical
Layer 2 – Data Link
Layer 3 – Network
Layer 4 – Transport
Layer 5 – Session
Layer 6 – Presentation
Layer 7 – Application
Cisco Solutions
Security for Service Providers
Operational Efficiency · Integrated Security · Enhanced Agility
• High speed, scalable security
• Dynamic service stitching
• Dynamic provisioning across physical, virtual, and cloud
• Automated and consistent security policies
• Lower integration costs and complexity
• RESTful APIs and 3rd party tool integration
• Best of Breed security = Cisco + 3rd party
• Security services enabled across platforms
• Visibility and correlation
Secure Transport Securing the Network Infrastructure
The Challenge: Securing the Physical Layer
[Diagram: three network nodes connected over the transport network]
Common Challenges
• Major concerns on data confidentiality and integrity
• Lack of encryption between network nodes or data centers due to infrastructure complexity
• False level of trust in private & leased fiber & circuits over MAN or WAN
• Belief that encryption incurs unacceptable latency
• Difficulties associated with cost-effective & scalable security solutions
Do you see the Commonality?
Fiber Optic Hack using off the shelf equipment
• Stressing an optical fiber causes loss.
• Put a bend / series of micro-bends in the fiber and aim a detector at the light that leaks out due to the stress.
• Best to do nearer the transmit end of the fiber, as power is strongest there.
• Hard for a person monitoring to notice, as thermal variations in the cable cause greater power shifts.
https://www.youtube.com/watch?v=bnzeyBK3kAY
Transport Encryption Architecture
[Diagram: Data Center A, Data Center B and Data Center C interconnected over 10G/40G/100G transport: Cisco Private DWDM, 3rd Party Private DWDM, Leased Line 10G Services, Dark Fiber; AES 256 Bit Encryption, FIPS Certified; client protocols at each site: Ethernet, Fibre Channel, SONET/SDH, OTN]
Physical Layer Encryption?
[Diagram: Data Center A, Data Center B and Data Center C interconnected; an OTU-2 frame shown as OTN Overhead | PAYLOAD | OTN Overhead, carrying OC-192/STM-64, Fibre Channel or Ethernet client signals]
Cisco Encryption Features
• Security Certified
• Passive Attack Detection
• Active Attack Detection
• Secure Boot
• ECDH(E) Key Exchange
• Key Zeroization
• Card to Card Authentication
• Role Based Access Control
• GMAC Authentication
• User and Cryptographic Lifecycle Management
• XTS-AES 256 Encryption
• Key Generation Using TLS
• Secure Chip
Fortifying Your Networks
• 10 Gbps Encryption Line Card, AES-256, Suite-B, FIPS, Common Criteria, suited for Secure Access/Edge deployments
• 10/40/100 Gbps Encryption Line Card, AES-256, Suite-B, FIPS, Common Criteria, suited for Secure Aggregation/MAN deployments
• Dense 10/40/100 Gbps Encryption Line Card*, suited for Secure Core/Long-haul deployments
• High Density 10/40/100 Gbps Encryption Device, AES-256, MACsec*, suited for Secure DCI
Availability as shown on the slide: Shipping Today, Shipping Today, Shipping Today, Shipping Soon
Cisco’s Layer 1 Product Portfolio
Platform    Size (RU)         Ideal Deployment            Shipping Today?
NCS 1002    2 RU, 4 slices    Data Center Interconnect    Yes
NCS 2002    2 RU, 2 slots     Edge and Access             Yes
NCS 2006    6 RU, 6 slots     Aggregation / Metro         Yes
NCS 2015    14 RU, 15 slots   Core / Long-haul            Yes
Next…Security above the Physical Layer
Moving Up the Stack with Security
Legacy Security: Siloed, Inefficient & Expensive
[Diagram: a data packet passes in turn through separate DDoS, SSL, FW, VPN, IPS and Sandbox platforms]
• Reduced Effectiveness • Increased Latency • Slows Network • Static & Manual
Cisco’s Threat-Centric Security Model
Covers the Entire Attack Continuum (Network, Endpoint, Mobile, Virtual, Cloud); from Point in Time to Continuous
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Security Services: Advanced Malware Protection, VPN, Firewall, NGIPS, DDoS, Policy Management, Application Control, Secure Access + Identity Services, Malware Sandboxing, Web Security, Email Security, Network Behavior Analysis
Threat-Centric Security for Service Providers
Operational Efficiency · Integrated Security · Enhanced Agility
• High speed, scalable security
• Dynamic service stitching
• Dynamic provisioning across physical, virtual, and cloud
• Automated and consistent security policies
• Lower integration costs and complexity
• RESTful APIs and 3rd party tool integration
• Best of Breed security = Cisco + 3rd party
• Security services in a consolidated platform
• Visibility and correlation
Firepower Platform: High-Speed, Scalable Security
Multi-Service Security
• ASA container • Firepower Threat Defense containers • NGIPS, AMP, URL, AVC • 3rd Party containers • Radware DDoS • Other ecosystem partners
Programmable Management & Orchestration
• Template driven security • Secure containerization for customer apps • RESTful/JSON API • 3rd party orchestration/management • Single management interface with Firepower Threat Defense • Unified policy with inheritance • Choice of management deployment options
Performance & Density Optimization
Firepower 4100: • 1RU form factor • 10-Gbps and 40-Gbps interfaces • Up to 80-Gbps throughput
Firepower 9300: • 3RU form factor • 10G/40G I/O; 100G ready • Terabit backplane • NEBS ready
Arbor Networks Threat Management System (TMS): Network Embedded, Virtual DDoS Protection
Up to 40 Gbps Mitigation per VSM
Arbor Networks Threat Management System (TMS) + Arbor Networks SP + ASR 9000 with Virtual Services Module (VSM) = Cisco ASR 9000 vDDoS Protection “Powered by Arbor Networks”
Cisco Transforms Security Service Integration
Siloed: [Diagram: a data packet passes in turn through separate DDoS, SSL, FW, WAF, IPS and Sandbox platforms]
• Limited effectiveness • Increased latency • Slows network • Static & Manual
Integrated, Unified Platform: [Diagram: a data packet passes through a single platform running DDoS, FW, VPN, NGIPS, SSL and AMP]
• Maximum protection • Highly efficient • Scalable processing • Dynamic
Key: Cisco Service / 3rd Party Service
Roadmap & Vision: Consistent Security Across Physical, Virtual & Cloud
[Diagram: Virtual, Cloud and Physical environments under one security model]
Security Services Wrapper
• Assessments • Architecture & Design • Program Strategy • Integration • Migration • Optimization
• Product Support • Hosted Security • Managed Security
Cisco Difference for Service Providers
• Unmatched Visibility: End-to-End Network Visibility from SP Core to Customer Premise
• Consistent Control: Consistent Policies Across Network, Data Center, and Workloads
• Complexity Reduction: Reduce IT Silos, Respond Faster to New Opportunities & Business Models
• Advanced Threat Protection: Detect & Mitigate Advanced Threats across CPE, Cloud, and Network
Visit www.cisco.com/go/security for more information
trust.cisco.com cisco.com/go/security