nw19 - cisco: trends in enterprise networking
TRANSCRIPT
Copyright © 2015 Rockwell Automation, Inc. All rights reserved. Rockwell Automation TechED 2015 @ROKTechED #ROKTechED
PUBLIC INFORMATION
NW19: Cisco Trends in Enterprise Networking
Trends in Enterprise Networking
Topics:
• SDN – Software Defined Networking
• Cisco TrustSec
• IPv6 and BYOD
• Cloud Applications
Software Defined Networking
SDN – Software Defined Networking
The network paradigm as we know it…
Control and data plane reside within the physical device:
• Control plane decides what to do with incoming packets
• Data plane just forwards the packets
The SDN Paradigm
In other words… in the SDN paradigm, not all processing happens inside the same device. The control plane is separated and runs on a separate device called a controller.
Cisco has a similar model for wireless: the Unified model has a central controller
The wireless architecture started with autonomous access points that are configured separately, with no coordination. This model is fine for smaller deployments.
Cisco now uses a Unified architecture, with a central controller managing many access points. They get all of their configuration from the controller.
Network Programmability Models (Physical / Virtual)
Network overlays apply to all models (physical/virtual); custom features can be built.
• Current Switch/Router: Applications, APIs, Control Plane and Data Plane all reside on the device. Resilient, Scalable, Secure, Rich Features, Evolutionary, Investment Protection.
• “SDN” Approach: Applications and APIs sit on a Controller that holds the control plane; the devices keep only their Data Planes. Simpler Provisioning, Centralized NW Topology.
• Hybrid Model: Applications and APIs on a Controller, while each device retains its own Control Plane and Data Plane. Combined Benefits, Evolutionary Model, Investment Protection.
What is Openflow?
OpenFlow is a Layer 2 communications protocol that allows the control plane to talk to the data plane over the network.
Let’s take a closer look at Openflow…
Four parts to Openflow. Start with the application: CIP traffic, email, etc.
Openflow Controller
Central administration and operations point for network elements. The controller is just a server.
Openflow Device Agent
• Agent runs on the network device
• Agent receives instructions from the Controller
• Agent programs device tables
Openflow Protocol
The Openflow Protocol is… “A mechanism for the Openflow Controller to communicate with Openflow Agents…”
Some Things Will Never Be Equal
Openflow will not turn this… Into this…
Cisco’s ACI (Application Centric Infrastructure)
Cisco TrustSec
Cisco TrustSec – Enable an Identity-aware Network: who can do what…
Challenges with Enterprise Security and Access Control Policy
Protected assets are defined by their network connection:
• Policies are statically and manually configured
• Rules are based on network topology (subnets, addresses)
• IP address does not provide user context or meaning
This method does not facilitate key business / IT requirements like:
• Frequent organizational changes
• Mobile workforces
• Device choice
• Virtualization
Cisco TrustSec – Identity Services
Taking Complexity out of Network Security
An address-based ACL:
access-list 102 permit tcp 131.249.33.123 0.0.0.127 lt 4765 71.219.207.89 0.255.255.255 eq 606
access-list 102 deny tcp 112.174.162.193 0.255.255.255 gt 368 4.151.192.136 0.0.0.255 gt 4005
access-list 102 permit ip 189.71.213.162 0.0.0.127 gt 2282 74.67.181.47 0.0.0.127 eq 199
access-list 102 deny udp 130.237.66.56 255.255.255.255 lt 3943 141.68.48.108 0.0.0.255 gt 3782
access-list 102 deny ip 193.250.210.122 0.0.1.255 lt 2297 130.113.139.130 0.255.255.255 gt 526
access-list 102 permit ip 178.97.113.59 255.255.255.255 gt 178 111.184.163.103 255.255.255.255 gt 959
access-list 102 deny ip 164.149.136.73 0.0.0.127 gt 1624 163.41.181.145 0.0.0.255 eq 810
access-list 102 permit icmp 207.221.157.104 0.0.0.255 eq 1979 99.78.135.112 0.255.255.255 gt 3231
access-list 102 permit tcp 100.126.4.49 0.255.255.255 lt 1449 28.237.88.171 0.0.0.127 lt 3679
access-list 102 deny icmp 157.219.157.249 255.255.255.255 gt 1354 60.126.167.112 0.0.31.255 gt 1025
access-list 102 deny icmp 76.176.66.41 0.255.255.255 lt 278 169.48.105.37 0.0.1.255 gt 968
Traditional Security Administration
Traditional ACL/FW rule: source objects NY, SF, LA, SJC … (subnets such as 10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24); destination objects DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI) (Production Servers; subnets such as 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24).
ACL for 3 source objects & 3 destination objects:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Adding a source object (SJC) and a destination object (VDI):
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
A global bank currently dedicates 24 global resources to managing firewall rules. The task stays complex and the high OPEX continues.
Security Administration with TrustSec
Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Deny BYOD to VDI eq RDP
• Policy stays with users / servers regardless of location/topology
• Simple to define, audit, and manage
• Less operational effort and faster to deploy new services
Security Group Filtering: the same sites (NY, SF, LA, SJC) and data centers (DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI)) are grouped as Employee, BYOD, Production Servers and VDI Servers.
Source SGT: Employee (10), BYOD (200)
Destination SGT: Production_Servers (50), VDI (201)
Flexible Classification for Security Group Tags (SGT)
Classification methods shown: 802.1X, MAB, Web Auth, Profiling, VLAN-SGT, Port-SGT, Addr.Pool-SGT, IP-SGT, Port Profile, IPv4 Prefix Learning, IPv6 Prefix Learning, IPv6 Prefix-SGT, IPv4 Subnet-SGT.
Where they apply: User/Device/Location (Cisco access layer, ISE); Campus & VPN Access (IOS/Routing); Data Center/Virtualization (NX-OS/CIAC/Hypervisors); non-Cisco & legacy environments; Business Partners & Supplier access controls.
• TrustSec decouples network topology and security policy to simplify access control and segmentation
• The classification process groups network resources into Security Groups
SGT Propagation
Diagram: Wired Access and Wireless Access → Campus Core → Enterprise Backbone → DC Core → DC Firewall → DC Distribution → DC Physical Access / DC Virtual Access → Physical Servers and VM Servers (tagged e.g. SGT 20, SGT 30, SGT 50).
• Inline SGT tagging: the SGT (e.g. SGT=50) is carried in the L2 Ethernet frame by ASIC-capable devices, optionally encrypted.
• SXP – SGT Exchange Protocol: for devices that are not SGT capable, the IP-SGT binding is exchanged instead of tagging frames.
SXP IP-SGT binding table:
IP Address    SGT  SRC
10.1.100.98   50   Local
A frame with SRC: 10.1.100.98 is treated as SGT = 50.
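As an added illustration (not code from the slides or from Cisco), the following Python models how the policy on the “Security Administration with TrustSec” slide is enforced: endpoints are resolved to SGTs through an IP-SGT binding table shaped like the SXP table above, and the decision is looked up by SGT pair rather than by address, so a user keeps the same policy when moving between sites. SGT numbers come from the slides; subnets other than those on the slides are assumed.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed IP-to-SGT binding table in the shape of the slide's SXP table
# (10.1.100.98 -> SGT 50). SGT numbers are the slide's: Employee 10, BYOD 200,
# Production_Servers 50, VDI 201. Subnets other than those on the slides are assumed.
IP_SGT_BINDINGS = {
    ip_network("10.2.34.0/24"): 10,    # NY employee subnet (slide)
    ip_network("10.2.35.0/24"): 10,    # SF employee subnet (slide)
    ip_network("10.9.0.0/16"): 200,    # BYOD address pool (assumed)
    ip_network("10.1.100.98/32"): 50,  # production host from the SXP slide
    ip_network("10.3.102.0/24"): 50,   # DC-MTV SRV1 subnet (slide)
    ip_network("10.4.200.0/24"): 201,  # VDI subnet (assumed)
}
HTTPS, RDP = 443, 3389

# SGACL matrix: (source SGT, destination SGT) -> permitted TCP ports, transcribed
# from the TrustSec slide. Anything not listed is denied, so the slide's explicit
# "Deny ... SQL", "Deny ... SSH" and "Deny BYOD ..." lines fall out of default deny.
SGACL = {
    (10, 50): {HTTPS},   # Permit Employee to Production_Servers eq HTTPS
    (10, 201): {RDP},    # Permit Employee to VDI eq RDP
    (200, 50): set(),    # Deny BYOD to Production_Servers
    (200, 201): set(),   # Deny BYOD to VDI eq RDP
}

def lookup_sgt(ip: str) -> Optional[int]:
    """Longest-prefix match against the binding table; None when unbound."""
    addr = ip_address(ip)
    matches = [net for net in IP_SGT_BINDINGS if addr in net]
    return IP_SGT_BINDINGS[max(matches, key=lambda n: n.prefixlen)] if matches else None

def sgacl_decision(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """'permit' or 'deny' for a flow, decided on the SGT pair rather than on
    addresses; unbound endpoints or pairs missing from the matrix are denied."""
    src_sgt, dst_sgt = lookup_sgt(src_ip), lookup_sgt(dst_ip)
    if src_sgt is None or dst_sgt is None:
        return "deny"
    return "permit" if dst_port in SGACL.get((src_sgt, dst_sgt), set()) else "deny"
```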
Campus User Segmentation
Diagram: Access Layer (Main Building and Building 3 data VLANs, plus Voice) → Campus Core → Data Center behind the Data Center Firewall. Users are classified as Voice, Employee, Guest, Supplier or Quarantine and carry the matching Employee Tag, Supplier Tag, Guest Tag or Quarantine Tag.
Enforcement is based on Security Group, even for communication in the same VLAN.
Policy matrix (✔ permit / ✗ deny) with source groups Employee, Supplier, Guest and Quarantine against destination groups Employee, Supplier, Remed. and Internet.
Cisco TrustSec Summary
Efficient:
• Simplifies implementation of security policy
• Highly scalable & inline rate
• Simplifies Data Center network design
Secure:
• Embeds security within the infrastructure
• Enforcement based on rich context
• Solution simplicity enables an end-to-end approach
Demonstrable ROI:
• Reduces ACL and VLAN complexity & maintenance
• Automates FW policy
• Improves both performance & availability
IPv6
IPv6 is Happening, Ever So Slowly
So What’s Your Address?
• Status
• Why everyone is quiet on IPv6
• Going forward
• What is it / Where will it start
Why is everyone quiet on IPv6?
• Enterprises find no panic condition to adopt IPv6
• Migration to IPv6 is not on the priority list of decision makers
• End consumers lack IPv6 readiness
• Governments are lagging behind their deployment targets
• Lots of doubts and fear regarding adoption of IPv6
• Conversation around IPv6 is low…
Going Where?
Project scope:
• Why everyone is quiet on IPv6
• Going forward
• What is it / Where will it start
Going forward: implementation of IPv6 has been a marathon… not a sprint.
Source: Heavy Reading (March 2013), Current Analysis (August 2013), IT Business Edge, GCN
• End consumers need to upgrade or replace their large base of legacy electronic equipment, which supports IPv4 but not IPv6.
  Status – End consumers are the least motivated to migrate to IPv6-capable equipment
• CDN and web hosting companies are required to increase IPv6-enabled content.
  Status – The number of people in the industry planning to implement IPv6 has increased, so IPv6-capable content for these users needs to be ready
• More professional services from service providers, and an IPv6-skilled workforce at enterprises, are desired.
  Status – Decision makers find themselves resistant to adopting IPv6 because of scarce skills
What is it? Where will it start?
Project scope:
• Why everyone is quiet on IPv6
• Going forward
• What is it / Where will it start
You said it was how many?
340,282,366,920,938,463,374,607,432,768,211,456 (IPv6 address space – 340 trillion trillion trillion)
vs
4,294,967,296 (IPv4 address space – 4 billion)
Let’s assume a phone booth represents 4 billion addresses. The IPv6 address space would then approach the size of our Sun.
What does it look like?
• 16-bit hexadecimal numbers
• Basically combines IP address and MAC address into one
• Numbers are separated by a colon (:)
• Hex numbers are not case sensitive
• Abbreviations are possible:
  • Contiguous blocks of zeros can be represented by (::). Example:
    2001:0db8:0000:130F:0000:0000:087C:140B
    2001:0db8:0:130F::87C:140B
    The double colon can only appear once in the address.
  • Leading zeros in a block can be omitted. Example:
    2001:0db8:00e2:0300::087C:140B
    2001:db8:e2:300::87C:140B
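The abbreviation rules above, worked through in code as an added example (not from the slides): `expand_ipv6` undoes the two abbreviations and rejects an address with more than one “::”, and `compress_ipv6` produces the fully shortened form. It goes slightly beyond the slide by always picking the longest zero run, dropping all leading zeros and lower-casing hex, so the slide’s first example shortens further than shown; names are the example’s own.

```python
import re

HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")   # one 16-bit hex group

def expand_ipv6(addr: str) -> str:
    """Full eight-group, four-hex-digit form. Reverses the slide's rules:
    '::' stands for one or more zero groups and may appear only once;
    leading zeros may have been dropped; hex is case-insensitive (lower-cased here)."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an IPv6 address")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(HEX_GROUP.match(g) for g in groups):
        raise ValueError(f"not a valid IPv6 address: {addr!r}")
    return ":".join(g.lower().zfill(4) for g in groups)

def compress_ipv6(addr: str) -> str:
    """Shortest form: drop leading zeros in every group, then replace the
    first longest run of two or more zero groups with a single '::'."""
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(addr).split(":")]
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, g in enumerate(groups + ["end"]):  # sentinel closes a trailing run
        if g == "0":
            if run_len == 0:
                run_start = i
            run_len += 1
            continue
        if run_len > best_len:  # '>' keeps the earliest run when lengths tie
            best_start, best_len = run_start, run_len
        run_len = 0
    if best_len < 2:  # a single zero group is written as '0', never as '::'
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])

def is_valid_ipv6(addr: str) -> bool:
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False
```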
Bring Your Own Device
• This is really more about wireless
• Cooperate with IT or prepare to face failure
• Device security – integrated
• This is why IPv6 will happen!
BYOD Use Cases
• Limited: environments with tight controls; only corporate devices; IT whitelist
• Basic/Guest: focus on basic services, guest access; broader device types; Internet only
• Enhanced: differentiated services, on-boarding securely; personal and corporate devices; deny some devices
• Advanced: posture from Mobile Device Management; any device, any ownership; MDM compliance
Integration with Virtualization Clients
Virtualized app environment with an Application Virtualization Client.
Application portability: delivering legacy/non-native apps to a broad device set. Example: iPad does not support an application natively.
Data loss prevention: securing enterprise applications and data. Example: avoid storing data locally; use virtualization for an application subset – confidential, intellectual property, financial.
BYOD will Force IPv6
Why? Literally hundreds of thousands of devices. Cisco as an example:
65,XXX employees, each with:
• 1 IP phone
• 1 smart phone
• 1 tablet
• 1 laptop
That’s 65,500 x 4 = 262,000 addresses
But wait! Now add:
• Door locks
• Thermostats
• Security cameras
• Servers
• PACs
• I/O
• And…
Cloud Computing – Service Model
• SaaS (Software as a Service): users run existing online applications. Ex. Google Docs, Salesforce.com
• IaaS (Infrastructure as a Service): run applications on someone else’s servers. Imagine running FactoryTalk Historian somewhere besides your own servers
• PaaS (Platform as a Service): environment for creating and hosting web applications
Cloud Computing – Deployment Model
Businesses are choosing a variety of cloud models to meet their unique needs and priorities.
• Private cloud: IT capabilities are provided “as a service” over an intranet, within the enterprise and behind the firewall.
• Public cloud: IT activities and functions are provided “as a service” over the Internet.