Building the Next Gen Secure Data Center Apr 14

7/21/2019 Building the Next Gen Secure Data Center Apr 14

http://slidepdf.com/reader/full/building-the-next-gen-secure-data-center-apr-14 1/40

© 2015 Cisco and/or its affiliates. All rights reserved.


Building NextGen Secure

CenterPositioning Secure Data CenterR Krishnan

TME – DC Security

March 2015




What You’ll Learn From This Presentation

Cisco’s data center security strategy and

its business benefits

How to leverage Partner Programs to Increase theDC Security Opportunity

Positing the Cisco’s New Security model

in DC Architecture


DC Security Use Cases





Cisco’s Data Center Security StrategyBusiness Benefits




Data Center Security Challenges

Agility, Reduce complexity andfragmentation of security

solutions

Maintain security andcompliance while the data

center evolves

Stay athe evol

land

95% of firewall breaches

caused by misconfigurations*3000% increase in network

connections per second

by 2015

Over 100,00

eve

Provisioning Performance Prot

* Greg Young, Gartner Inc




Trends impacting the Data Center



Cisco Security Supports DC Purchasing

Threat Management: Global/local threat correlation with contextual analys

Segmentation: Cisco supports strong, policy-based data center segmenta

Expanded Deployment Options: Cisco can enforce policy across inter-DC

Resiliency: Cisco provides high availability and dynamic clustering

Scalability: Cisco delivers policy enforcement at data center speeds

Virtualization: Cisco can secure east-west traffic in multi-hypervisor enviro



Cisco Security is Designed for the Data C

Ease of Provisioning Optimum Performance Actionabl

• Can be deployed dynamically

and quickly

• Ties data center and security

policy together

• Gives the right tool

to the right team

• Optimized for DC performance

– to handle data bursts

• Highly available and resilient

• Matches security performance

to network performance

• Supports asymmetrical

traffic flows

• Before, During

protection

• Can inspect b

and east-west

• Custom applic

• Protects tradit

and cloud env




Visibility and Context

Firewall

NGFW

NAC + Identity Services

VPN

UTM

NGIPS

Web Security

Email Security

Advanced Malware Protectio

Retrospective Security

Cisco’s New Security Model

BEFORE

Discover

Enforce

Harden

AFTER

Scope

Contain

Remediate

Attack Continuum

Detect

Block

Defend

DURING

Secure DC, Enterprise Licensing Agreement, Enterprise Mobility

IoCs/Incident Response




Cisco Validated Design ProcessInnovation and Quality Through System-Level Design and Validation

Critical customer engagementsconsider end-to-end view

Product development

Cross-platform collaboration

ThougSystem-leve

Sys

Tested and valid

System

Development

Fundamentals

System Development Guidelines

Planning Design End-to-End Validation

U n i t

F e a t u r e

I n t e g r a t i o n

S y s t e m

C u s t o m e r




New Secure Data Center CVDs

• Five Secure DC CVD Solutions

• Focused on integrated solutions and Cyber

Threat Defense

- Fully Tested and Validated Architectures

- Best Practices Designs and Blueprints

- Support physical, virtual, cloud, and hybrid

environments• Integrate Cisco and Sourcefire

Technologies

Secure Enclave

Architecture

Single Site

ClusteringThreat Mgmt

Cyber Threat

Defense

Secur

Data



© 2015 Cisco and/or its affiliates. All rights reserved.© 2015 Cisco and/or its affiliates. All rights reserved.

Positing the Cisco’s New Security moDC Architecture




ASA 5585-S20F20

ASA 5585-S40F40

AS

ASA 5585-S10F10

Cisco ASA with FirePOWER ServicesNext-Generation Security for the Internet Edge and Data Center

4.5 Gbps AVC

2 Gbps AVC + IPS

500,000 connections

40,000 CPS

Medium Internet Edge

7 Gbps AVC

4.5 Gbps AVC + IPS

1 million connections

75,000 CPS

10 Gbps AVC

6 Gbps AVC + IPS

1.8 million connections120,000 CPS

Large Internet Edge/Dat

1

10 G

4 mil

1

1

S



ASA with Firepower ModuleComprehensive Capabilities to Solve the Threa

• World’s most wienterprise-classfirewall

• Granular Cisco®

Visibility and Co

• Industry-leading

next-generation

• Scalable Segme

• Advanced malw

Cisco ASA + FirePOWER

Identity-PolicyControl & VPN

URL Filtering(Subscription)

FireSIGHT

Analytics &

Automation

Advanced

Malware

Protection(Subscription)

ApplicationVisibility & ControlNetwork FirewallRouting | Switching

Clustering &

High Availability

WWW

Cisco Talos Enabled

Built-in NetworkProfiling

Intrusion

Prevention(Subscription)



ASA Feature Set

ASAv

Removed clustering and

multiple context mode

Parity to physical form-factor feature

Scaling through virtualization

Up to 10 virtual NIC interfaces

Hypervisor-agnostic

vSwitch-independent

Restful API support SDN and traditional management too

Scales to 4 virtual CPUs and 8 GB of

Performance – 1 to 2Gbps

Ability to manage one policy on both

physical and virtual ASAs

Cisco Virtual ASA (ASAv) Firewall



Cisco ASAv Data Sheet: Performance and Scale

Data Sheet Metric Cisco ASAv10 Cisco ASAv30

Stateful Inspection Throughput (Maximum) 1 Gbps 2 Gbps

Stateful Inspection Throughput (Multiprotocol) 500 Mbps 1 Gbps

Concurrent Sessions 100,000 500,000

Connections per Second 20,000 60,000

VLANS 50 200

Cisco® Cloud Web Security Users 100 500

3DES and AES VPN Throughput 50 Mbps 300 Mbps

S2S IPsec IKEv1 Client VPN User Sessions 250 750

Cisco AnyConnect® or Clientless User

Sessions250 750

Unified Communications Phone Proxy 250 1,000

Tested o

Cisco UCS® C2

Cisco UCS B20

Intel Xeon proc

Reserva 5000 kHz on Ci

20,000 kHz on

(Cisco ASAv re



Industry-Best NG Intrusion P

Real-Time Contextual Aware

Full Stack Visibility

Unparalleled Performance a

Physical and Virtual Form Fa

Traditional DC and ACI/AP

Detects and Inspects Custom

Easily add Application Contr

and Advanced Malware Prot

optional subscription license

FirePOWER NGIPS/vNGIPS with AMP



8270/8360*8260

8250

8140

8120/ (8150

20 Gbps

10 Gbps

6 Gbps

4 Gbps

2 Gbps

IPS Throughput

8130

40 Gbps

30 Gbps

8290

FirePOWER NGIPS Appliance Range and Perfo

60Gbps 8390*45 Gbps 8370*

15Gbps 8350*

Appliances & SFR on ASA Managed via (Defense Center) FireSight Management CeAppliances-10, 35, 150 devices. VM- 2, 10 or 25 devices

Model #



Cisco ISE With TrustSec Policy Segmentation

Employee/ Laptop

Employee/ iPad

Guest / Laptop

Intellectual

Property

Employee

IntranetInternet

✗

✔

✗

✔

Guest / iPad ✗

✗ ✔

✔

✔

✔ ✗

Simplifies Policy with Security Gro

Reduces ACL and Firewall Rule

Allows for Segmentation witho

Who can talk to whom?

Who can talk to which systems?

Which systems can talk to other systems?

Desired Policy

✔

Flexible and Scalable Policy En

Switch Router ASA DC

Swi

Streamlines Secure Data Center

Scalable Segmentation

Design 1# : Cisco Secure Data Center for the Enterp



Physical-Virtual-Mixed Workload Environments

Advanced Real-timeThreat Defense

NGFW

ASA+FP

Cluster

QFP

Physical

Access

Compute

Storage

Converged Network Stack Rack Server Deployment

Physical

Access vSphere

App

OS

App

OS

App

OS

App

OS

Tier1

Nexus1000V

vSphere

App

OS

App

OS

App

OS

App

OS

Tier2

Nexus1000V

vSphere

App

OS

App

OS

App

OS

App

OS

TierN

Nexus1000V

WAN

QFP

C l u s t er C on t r ol L i nk

vPC/vPC+

Design 1# : Cisco Secure Data Center for the EnterpScaling the Data Center in Single Site (ASA with FirePOWER Module)

DC Core Layer

DC Aggregation

and Service Layer

Virtual Network and

Access

Identity Services

Engine

ISE Policy

Manager

Cisco Security

Manager

UCS Director

Defense

Center/FirePO

WER

Management

Center

Management and

Operations ASA5585-X

North-South

Scale upto 1

Support Spa

Mode

640G/196G 50 Million C

2.8 Million C

250 Context

Integrated w

TrustSec to

Firewall on

ASAv and

East-West

ASAv in th

tiers with V

Multi-Hype

Open API

Throughpu

Same Ma

Physical a

D i 2# Ci S D t C t f th E t



Physical-Virtual-Mixed Workload Environments

Advanced Real-timeThreat Defense

NGFW ASA+IPS Cluster

QFP

Physical

Access

Compute

Storage

Converged Network Stack Rack Server Deployment

Physical

Access vSphere

App

OS

App

OS

App

OS

App

OS

Tier1

Nexus1000V

vSphere

App

OS

App

OS

App

OS

App

OS

Tier2

Nexus1000V

vSphere

App

OS

App

OS

App

OS

App

OS

TierN

Nexus1000V

WAN

QFP

C l u s t er C on t r ol L i nk

vPC/vPC+

Design 2# : Cisco Secure Data Center for the EnterScaling the Data Center in Single Site (ASA with SourceFIRE Appliance

DC Core Layer

DC Aggregation

and Service Layer

Virtual Network and Access

Identity Services

Engine

ISE Policy

Manager

Cisco Security

Manager

UCS Director

Defense

Center/FirePO

WER

Management

Center

Management and

Operations ASA5585-

North-Sout

Scale upto

Support SMode

640G/160G 2.8 Million

96 Million

Integrated

ASA Cluste

FirePOWE

IPS can w



Mapping Attack Continuum to Functional Capa

Threat Containmentand Remediation

File, packet, and flow-based inspection andanalysis for threats

Access Controland Segmentation

Access controlpolicies, segmentation,

secure separation

IdentityManagement

User identity and accessposturing, network-based

user context

Application Visibilityand Control

File control and trajectory,network file trajectory,application quarantine,data loss prevention

LogginM

Than

Products

FirePOWER withFireSIGHT, Intrusion

Protection, Network-based AMP, Email AMP, CWS AMP, FireAMP for End

User and Mobile

Products

ASA 5585-X, SGTs,SGACLs, SXP, andTrustSec capableswitching fabric

Products

Cisco ISE,FirePOWER with

FireSIGHT

Products

FirePOWER withFireSIGHT,

Access Control,FirePOWER NGFW

Firfor

Lancfo

NetF

log

BEFORE DURING AFTER

Before, DuringBefore, During, After Before, DuringBefore, During Bef



Cisco Application Centric Infrastructure

Cisco® ACI Fabric

“Files” “Users”

Full abstraction, decoupled fromVLANs and dynamic routing, low

latency, built-in QoS

Flat Hardware Accelerated Network

Every device is one hop away,

microsecond latency, no power or port

availability constraints, ease of scaling

Flexible Insertion

Cisco ACI controller manages all

participating devices; change control

and audit capabilities

Unified Orchestrationand Visibility

Hardware filteri

gateway; transp

“service f

Fabric

Heterogene

external clo

com

Logical E



Nexus 7000

ACI Fabric

EPG Ext

Graph

EPG Ext

ACI

ASA

EPG Web

PhysicalLogical

EPG Web EPG DB

ASACluster

Units added as capincrease

Physical appliancemore power

Fabric programs inVLAN, or tag pair afor new inter-EPG

Fabric instantiatesnew tenants

PHYSICAL NORTH TO SOUTH DEPLOYEMNT



ASAv deployed in fail

New instances can bedemand for new tena

Fabric programs VLA

tag pairs for inter-EPG

APIC uses API to instadditional ASAv baseand oversubscription

ACI Fabric

Graph

Physical

Logical

EPG Web ACI ASA EPG DB

EPG WebASAv

standbyASAvactive EPG DB

VIRTUAL EAST TO WEST DEPLOYMENT




Use Cases

Ci ASA5585 X U C



Physical to Virtual

• North-South Traffic Protection

• Network Virtualization andZone/Tenant based flow control.

• Unique policies and traffic decisionsapplied to each zone

• Physical Infrastructure mapped per

zone VRF, Nexus Virtual Device Context,

VLANs, SGT

ASA 5585-X supports Max of 256Context

ASA Context supports mix of Router

and Transparent mode

Segmentation VRF-VLAN-Virtual Context

28

ASAv ASAZone A

Nexus 7K

ASA 5585-X

CTX1 CTX

VLANx1

VLAN x 2

VLANy

VLANy

Segmentation Building Blocks

Cisco ASA5585-X Uses Cases

SERVER

SGT SGT SGT



Cisco ASAv Use Cases

Cisco ASAv as Tenant Edge

Security Policy and ACL Using VLAN

Security policy per vNIC or VLAN Includes per-interface IPv4/v6 ACLs,

NAT66/NAT64/NAT46, etc. Suits a large tenant on multiple VLAN

10 vNICs and 200 VLAN subinterfa Provide Remote VPN for secure con

VM 1

VM 2

VM 3

VM 4

VM 5

VM 6

Vswitch or Cisco Nexus

vPath-Enabled ServCis

CAS

VLAN

10

Cisco ASAv for East-West Traffic Policy

Cisco ASA Firewall Policy per VLAN

Bridges up to 4 interfaces Allows for 8 BVIs per Cisco ASAv

Centralized policy on a VM

Required Vlan Stitching

All inter-VLAN traffic passes through Cisco ASAv

VM 1

VM 2

VM 3

VM 4

VM 5

VM 6

VM 7

VM 8

Cisco ASAvBridges

VLANs/vNICs

VLAN 10 VLAN 20

Cisco Nexus ® 1000V

APP Tier 1 APP Tier 2 APP Tier 1 AP



© 2013-2014 Cisco and/or its affiliates. All rights reserved.

NGIPSv Use Cases

Virtualizing Security SecuringVirtualization

Servi

Drivers

• Frequent expansion – requireselasticity

• Disconnected environments

• Small environments (e.g. PoS)

Solution Provides

• Support for existing virtualinfrastructure

• Rapid, low-overhead deployment

• Single pane-of-glass for physical andvirtual environments

Drivers

• Visibility into virtual networkcommunications

• Virtualized workloads in PCI scope

• Virtual hosted desktop deployments

Solution Provides

• Intrusion detection/prevention forvirtual network

• Single pane-of-glass for physical andvirtual environments

Drivers

• Virtualizing n

• Providers loovalue-added

• Organizationmodel

Solution Provi

• Cost-effectivedetection/pre

• Support for v

• Rapid, low-ov

• Consistent se



10.1.1.1

172.16.1

192.168.10

Server

192.168.1.1

192.168.1.100

172.18.20.13

Source EPG

Leaf 1, port 1 Users

Leaf 1, port 10 Users

Destination EPG

Leaf 3, port 2 Servers



Service Action

TCP/80 Redirect, ASA1




ICMP Redirect, ASA1Leaf 2, port 12 Users

Port Rules

Network Admin

Add client 172.18.20.13,

use standard ASA

template

Remove client

192.168.1.1

Create stand

ASA advanc

policy templat

APIC

Advanced policies,

limited ACL rules

Same 5 port –level

service rules and

actions

ASA1Clients

Cisco ASA in ACI Use Case




Increasing the Opportunity



Cisco Data Center Security Leadership

Cisco is thleading da

security s

Cisco holbrand for security

Cisco in t

vendors uevaluationpurposes

YOUR CALL TO ACTION: Walk your customer through this report as a standard part of

center security sales engagementshttp://wwwin.cisco.com/marketing/borderless/security/docs/Infonetics_dcSecSurvey_mar2013.pdf



Security Increases DC Deal Size

AverageDC Deal

$370K

IncrementalSecurity

$150K

ST

Nexus 7K/5K/3K/2K

UCS

Nexus 1000V

Nexus 1010

VM-FEX

UCS for Virtualized Environments

ASA 5585-X

ASAv

VSG

NGIPSIncr



Connecting the Partner Programs

Importa

Through Spartners ge

discounts o

generation

registered

Opportunit

(OIP) or Te

Program (T

http://www.c

s/incentives

urity-ignite.h

Up-Front

Discount

Back-End

Rebate

OIP or TIP

Security Ignite

VIP

Extra VIP if Gold

Up-Front

CreditTMP

Up to 6%

Up 50%

Trade inCredit

ExistingRebate

Programs



Products in the following product families are eligible for Ssome exceptions.

• Cisco® Cloud Web Security – all products

• Cisco Web Security Appliances – all products

• Cisco Email Security Appliances – all products

•Cisco Security Management Appliances – all products

• Cisco Identity Services Engine – all products

• Cisco FirePOWER® Appliances – all products

• Cisco Next-Generation Firewall – select products, refer to the list of Eligible ProSecurity Ignite page

Note: Based on Specialization

Eligible Products




Maximized

Performance

Maximized

PerformanceEase of provisioning

Maximized

PerformanceEase of provisioning

Speeds

adoption of

new services

from weeks to

hours

16% less input

power versus

competitive

firewalls

80% reduction

in manual

firewall rules

SummaryCisco Data Center Security Accelerates Your Business

vPC and

FabricPath

optimize

traffic flow

Max of 640Gb

firewall

throughput.




Data Center Security

is a Key Opportunity

Use Cisco’s Industry Leadershipand Competitive Differentiators

Leverage Cisco’s Partner Programs

Key Takeaways

1

2

3




• Go to the Secure Data Center

Solutions Web page on cisco.com

• Go to the Design Zone Website

• Provide a Capabilities Gap

Assessment

to help customers maximize their

Cisco investment• http://www.cisco.com/go/securedc

• http://www.cisco.com/go/designzone

Next Steps



Thank You

Building the Next Gen Secure Data Center Apr 14

Documents

Transcript of Building the Next Gen Secure Data Center Apr 14