Post on 10-Oct-2020


Page 1: Next gen DC secu - Cisco · Segmentation •Establish boundaries: network, compute, virtual •Enforce policy by functions, devices, organizations, compliance •Control and prevent
Page 2

Page 3

Segmentation

• Establish boundaries: network, compute, virtual
• Enforce policy by functions, devices, organizations, compliance
• Control and prevent unauthorized access to networks, resources, applications

Threat Defense

• Stop internal and external attacks and interruption of services
• Patrol zone and edge boundaries
• Control information access and usage, prevent data loss and data modification

Visibility

• Provide transparency to usage
• Apply business context to network activity
• Simplify operations and compliance reporting

Page 4

1. Secure Internal Zone from External Zone
2. Secure Application Tiers
3. Secure Data for Compliance
4. Secure Multitenancy

[Diagram labels: Campus/Data Center, Internet, Cisco VXI, Vendor, Partner, Extranet; Front-End (Presentation), Web Tier (Business Logic), DB Tier (Data Access); VDC1, VDC2, CTX1, CTX2, vPC]

Page 5

Page 6

Layers: Aggregation Layer; Services Layer (option); Virtual Network & Access

• Initial filter for all ingress and egress to DC services & compute - “North-South” protection
• Stateful filtering and logging for all ingress and egress traffic flows
• Physical appliances can be virtualized and applied to server enclaves
• Virtual firewall, zone/enclave based filtering
• IP-Based Access Control Lists
• VM attribute-based policies – Should Follow VM
• “East-West” protection

Data Center Edge

• Physical Delineation for all ingress and egress into the ‘CORE’ of the DC – Traditional Security Models apply to North-South Protection
• Additional services location for server farm specific protection and other potential zones

[Diagram labels: Traditional Edge Security; Internal Zoning]

Page 7

VIRTUAL ACCESS

[Diagram labels: DC Edge, DC Core, DC Aggregation, DC Access, DC Virtual Access; Layer 3, Layer 2 - 10GE, 4/8 Gb FC; Internet, Partners, IP-NGN (BBG); VRF-lite, VRF, Vlan/802.1q, Firewall/IDS Partitioning, FEX/A-FEX/VM-FEX, Virtual FW, Vlan/Pvlan, VXLAN, VDC]

Compute Separation: vNICs, VLANs, Port Profiles

Storage Separation: VSAN, FC Zoning, LUN masking, vFilers

Application Tier: logical and physical segmentation with L2/L3 firewalling and security zoning

Network Separation:

• Per-tenant routing and forwarding tables (VRF)
• VLAN IDs and 802.1Q tags provide isolation and identification of tenant traffic across the L2 domain
• VRF-lite implemented at core and aggregation layers provides per-tenant isolation at L3
• VDC to segregate and virtualize the equipment

Defense in Depth per consumer (front end ASA, back end VSG)

Page 8

[Diagram labels: Physical Hosts; NGIPS; ASA FW]

• Control North/South traffic with ASA 5585
• Scale and HA with Clustering
• Inspect North/South traffic with NGIPS
• Segment and Protect virtual enclave with ASAv and vNGIPS

Page 9

CTD: Cisco Threat Defense

Leverage your Cisco Infrastructure to fight Advanced Pervasive Threats

[Diagram labels: NGIPS, ASA FW, Clustering, NGA, Virtual FlowSensor; TrustSec with Security Group Tagging (SGT), ISE; Simplify, Automate, Accelerate, Standardize]

Page 10

[Diagram: Users/Device, Switch, Router, DC FW, DC Switch, HR Servers (SGT = 10) and Fin Servers (SGT = 4); ISE provides Directory and Classification; SGT Propagation carries Data + SGT:5 (SGT = 5) through the path; Enforcement at the DC FW / DC Switch]

Page 11

[Diagram: Cluster Control Link]

Page 12

Sourcefire on 5585-X (Blade)

Sourcefire on 5500-X (Software)

Subscriptions: Threat: IPS, AVC, URL Filtering, AMP

Page 13

ASA 9.2: INCREASED CLUSTERING SIZE AND PERFORMANCE

*Estimated max with jumbo frames and no asymmetric traffic

Page 14

[Diagram: two data centers, each with a DC Edge (ASA5585-X pair, vPC), a DC Core VDC (Routed, Nexus 7000 pair), a DC Aggregation Layer VDC (Nexus 7000 pair), a Compute Access Layer (Nexus 5000, Nexus 2000, 10Gig Server Rack, Cisco UCS, vPC), Nexus 1000v with VSG and ASA1000v, and Internal DC Zone(s); an Inter-DC FW CLUSTER spans both sites over the CCL]

DCI With Dark Fiber: Double-Sided vPC over Dark Fiber, 10G-400G, RTT <10ms + <100Km

Dark Fiber could be connected to Core / Aggregation or to a dedicated Services layer. Each has pros and cons based upon environment.

Page 15

[Diagram: the same two-site topology as page 14 (DC Edge with ASA5585-X and vPC, DC Core VDC (Routed) Nexus 7000, DC Aggregation Layer VDC, Compute Access Layer with Nexus 5000/2000, 10Gig Server Rack and Cisco UCS, Nexus 1000v with VSG and ASA1000v, Internal DC Zone(s), Extranet), with an OTV VDC at each site and an Inter-DC FW CLUSTER joined over the CCL]

DCI (OTV): Layer 2 Extension (OTV), RTT <10ms + <100Km

Page 16

[Diagram: Data Center A (Pod A1, Pod A2, Pod A3) and Data Center B (Pod B1, Pod B2, Pod B3), each with a FabricPath Spine, FabricPath Leaf and Compute Access Layer, joined by an L2 or L3 Interconnect; an ASA Cluster stretched across both sites; RTT <10ms + <100Km]

Page 17

Data Center Design Zone: http://www.cisco.com/go/vmdc

Page 18

Page 19

Source: Cisco® Global Cloud Index 2012

Page 20

• Proven Cisco® security: virtualized physical and virtual consistency
• Collaborative security model: Cisco Virtual Secure Gateway (VSG) for intra-tenant secure zones; Cisco ASA 1000V for tenant edge controls
• Transparent integration with Cisco Nexus® 1000V Switch and Cisco vPath
• Scale flexibility to meet cloud demand: multi-instance deployment for scale-out deployment across the data center

[Diagram labels: Tenant A, Tenant B, VDC, vApp, Cisco VSG, Cisco ASA 1000V]

Page 21

Removed clustering and multiple context mode

• Parity to physical form-factor feature-set
• Scaling through virtualization
• Up to 10 vNIC interfaces
• Crypto in software
• SDN and traditional management tools
• Scales to 4 vCPUs and 8 GB of memory
• Ability to manage one policy on both physical and virtual ASAs

Page 22

ASA OPEN SECURITY PLATFORM

• Multi-tenant and application aware
• Read / write southbound API
• Published device management package for ACI
• Standards compliant
• Monitoring features

[Diagram labels: Hypervisor Support; Orchestration Frameworks; System Management (CSM, PNSC); ASA]

Page 23

[Diagram: ASAv (Active) and ASAv (Standby)]

Page 24

Routed Firewall

• Routing traffic between vNICs
• Maintains ARP and routing table
• Tenant edge firewall

Transparent Firewall

• VLAN or VxLAN Bridging / Switching
• Maintains MAC-address tables
• Non-disruptive to L3 designs

Service Tag Switching

• Applies inspection between service tags
• No network participation
• Fabric integration mode

Page 25

Page 26

[Timeline labels: 9.2.1; 9.3.1/9.3.2]

Page 27

ASAv PHASED RELEASE

Page 28

Page 29

[Diagram: three layers, APPLICATION (Web Tier, App Tier, DB Tier), SECURITY (Trusted Zone, DB Tier, DMZ, External Zone) and INFRASTRUCTURE (Cloud), with Application Admin, Security Admin, Network Admin and Cloud Admin roles]

Page 30

[Diagram: the same layers placed on a COMMON POOL OF RESOURCES: APPLICATION, SECURITY (Trusted Zone, DB Tier, DMZ, External Zone) and Cloud, with Application Admin, Security Admin, Network Admin and Cloud Admin roles]

Page 31

Intelligent Fabric (Cisco Nexus 9000), shown with “Users” and “Apps”

• Logical Endpoint Groups by Role: heterogeneous clients, servers, external clouds; fabric controls communication
• Flexible Insertion: every device is one hop away, microsecond latency, no power or port availability constraints, ease of scaling
• Unified Management and Visibility: ACI Controller manages all participating devices, change control and audit capabilities
• Fabric Port Services: hardware filtering and bridging; seamless service insertion, “service farm” aggregation
• Flat Hardware Accelerated Network: full abstraction, de-coupled from VLANs and Dynamic Routing, low latency, built-in QoS

Page 32

[Diagram: ACI Fabric with Spine Nodes, Leaf Nodes and a Virtual Leaf; EPG “Users”, EPG “apps”, EPG “Internet”; Service Producers and Service Consumers]

Page 33

APIC: A Platform approach to Data Centre infrastructure

• Tenant and application aware
• Read / write all fabric info
• Published data model
• Open source
• Industry standard compliant

[Diagram labels: Hypervisor Management; Automation Tools; Orchestration Frameworks; System Management; Security (ASA)]

Page 34

Application Policy Infrastructure Controller (APIC) on the ACI Fabric, illustrated with EPGs “Users” and “Apps” and the Policy Contract “Users → Apps”

• Define Endpoint Groups: any endpoints anywhere within the fabric, virtual or physical
• Define Contracts Between Endpoint Groups: port-level rules (drop, prioritize, push to service chain); reusable templates
• Ingress Fabric Rules Programmed from Contract: hardware rules on each port, security in depth, embedded QoS
• Single Pass Firewalling with Flow-Specific Policy: security administrator defines generic templates in APIC, availed to contract creation
• Single Point of Management: different administrative groups use same interface, high level of object sharing

Page 35

[Diagram: endpoints (EP) in EPG WEB (consumer) and EPG APP SERVER (provider)]

A contract specifies rules and policies on groups of physical or virtual end-points without understanding of specific identifiers and regardless of physical location. It identifies what traffic is matched (L4 port ranges, TCP options) and what actions are applied (QoS, Log, Redirect into SVC graph).

End points in group WEB can access end-points in group APP SERVER according to the rules specified in the contract, defined bi-directionally in the “provider” centric way.

Page 36

There are six policy options supported:

• Permit the traffic
• Block (Deny) the traffic
• Redirect the traffic
• Log the traffic
• Copy the traffic (Copy Packet)
• Mark the traffic (DSCP/CoS)

Policy encompasses traffic handling, quality of service, security monitoring and logging.
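Pages 34 to 36 describe EPGs, provider-centric contracts with L4 port filters, and the six actions; the Python model below is an added illustration of that policy model, not Cisco or APIC code, and it evaluates constructed flows to show the implicit deny between EPGs with no contract and how one provider-centric contract also admits the reply direction. The endpoint names, port numbers, the AF31 DSCP value and the FW_A redirect target are assumptions, and the reply handling (filter ports swapped for provider-to-consumer traffic) is this model's simplification of the slide's "bi-directional" wording.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str      # endpoint ids, not IPs: EPG membership ignores address and location
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Contract:
    """Provider-centric rules between a consumer EPG and a provider EPG."""
    consumer: str
    provider: str
    filters: tuple                # (proto, low_port, high_port): the traffic matched
    actions: tuple = ("permit",)  # permit, deny, redirect:<node>, log, copy, mark:<DSCP>

class Fabric:
    def __init__(self):
        self.epg_of = {}   # endpoint -> EPG, assigned by role rather than by subnet
        self.contracts = []

    def evaluate(self, flow):
        """Actions the ingress leaf applies; ("deny",) when no contract covers the EPG pair."""
        pair = (self.epg_of.get(flow.src), self.epg_of.get(flow.dst))
        for c in self.contracts:
            if pair == (c.consumer, c.provider):
                port = flow.dport  # consumer -> provider: match the destination port
            elif pair == (c.provider, c.consumer):
                port = flow.sport  # reply direction: the filter ports are reversed (assumption)
            else:
                continue
            if any(p == flow.proto and lo <= port <= hi for p, lo, hi in c.filters):
                return c.actions
        return ("deny",)  # EPGs with no contract between them cannot talk

def demo():
    """Constructed three-tier example; endpoint names and ports are assumptions."""
    fab = Fabric()
    fab.epg_of.update({"web-vm-1": "WEB", "web-bm-2": "WEB",  # VM and bare metal, same EPG
                       "app-vm-1": "APP SERVER", "db-vm-1": "DATABASE"})
    fab.contracts.append(Contract("WEB", "APP SERVER", (("tcp", 8080, 8081),),
                                  ("permit", "log")))
    fab.contracts.append(Contract("APP SERVER", "DATABASE", (("tcp", 3306, 3306),),
                                  ("permit", "redirect:FW_A", "mark:AF31")))  # into the service graph
    return {
        "web->app 8080": fab.evaluate(Flow("web-bm-2", "app-vm-1", "tcp", 51000, 8080)),
        "app->web reply": fab.evaluate(Flow("app-vm-1", "web-bm-2", "tcp", 8080, 51000)),
        "app->db 3306": fab.evaluate(Flow("app-vm-1", "db-vm-1", "tcp", 51001, 3306)),
        "web->db direct": fab.evaluate(Flow("web-vm-1", "db-vm-1", "tcp", 51002, 3306)),
        "web->app ssh": fab.evaluate(Flow("web-vm-1", "app-vm-1", "tcp", 51003, 22)),
    }
```

The last two cases show the property that matters for segmentation: a web host cannot reach the database tier directly, and an unlisted port between contracted EPGs is dropped as well.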

Page 37

[Diagram: EPG “Web” in Application Container “Web” and EPG “Database” in Application Container “Database”, joined by Policy Contract “Web → Database” and Service Chain “Web → Database”; subnet label 192.168.1.0/24]

Page 38

[Diagram: DC1 with FW_A (ASA 5585) and Netscaler VPX inserted by Policy-based Redirection; Application Admin and Service Admin roles]

Page 39

[Diagram labels: Nexus 7000; ACI Fabric; Graph, Physical, Logical]

Page 40

[Diagram labels: ACI Fabric; Graph, Physical, Logical]

Page 41