
Next Generation Data Center Networks 3.3 Data Center

Bradley Wong

Director - Engineering, INSBU

Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

Data Center Security Challenges

Security Operations
• Manual process
• Short on resources
• Long provisioning times

Evolving Threats
• Detect, understand and block

Compliance
• Costly
• Complex validation process


Right Architecture for Data Center Security?

VIRTUALIZATION CENTRIC
• No physical support
• Limited visibility
• Management complexity

APPLICATION CENTRIC
• Any workload and any place
• Full visibility
• Automated

PERIMETER CENTRIC
• Manual and complex
• Error-prone
• Static topology
• Limited places


ACI Security: Secure Multi-Tenancy at Scale, Policy Based Segmentation and Isolation

• Complete isolation of tenants with security at scale
• Eco-system (service chaining and L4-7 policy automation) and open APIs
• Centralized policy management, visibility and auditing
• Group policy based segmentation, white list policy

[Diagram: tenants HPC, HR and Finance, each with its own APPLICATION NETWORK PROFILE, on a Policy Engine exposed through Open APIs; Group-Based Policies]


Network Profile

[Diagram: an application made of VMs in web, app and db tiers, with "The Outside" beyond the fabric]

End Point Group: a collection of end-points connecting to the network… VMs, physical compute, … (an application component or tier)

Contract: a set of network requirements specifying how application components communicate with each other (access control, QoS, network services)

The Outside: rules of how the application communicates with external private or public networks

Network Profile: application-centric network policy; the network as a "Virtual Patch Panel"


End-points

A compute, storage or service instance attaching to a fabric (NIC, vNIC, …)

end-points [ EP ]: things that connect to the fabric and use it to interface with other things

[Diagram: end-points attached to the ACI Fabric]


A collection of end-points with identical network behavior form an … End Point Group (EPG)

[Diagram: several EPs on the fabric grouped into one EPG]


End-point Groups (EPGs)

… end-point group [ EPG ]

Can flexibly map into:
• an application tier of a multi-tier app
• a segmentation construct (à la VLAN)
• a security construct
• an ESX port group, VM network, container

Allows rules and policies to be specified on groups of physical or virtual end-points without knowledge of specific identifiers and regardless of physical location.

[Diagram: EPG WEB and EPG APP SERVER with policies applied between them]


Tenant: L3 and L2 isolation

[Diagram: within a tenant, EPG WEB, EPG APP SERVER and further EPGs sit in bridge domains (BD), each BD with its subnets, inside an L3 context (isolated tenant VRF); the network profile spans the EPGs and connects to the outside]

• Bridge domain: with or without flooding semantics
• L3 context: isolated tenant VRF
• Tenant: a self-contained tenant definition, representable as a recursive structured text document


EXAMPLE: Three-tier APP

[Diagram: within one L3 context, three EPGs each in their own bridge domain (bd): EPG WEB on the NW Public subnet, EPG APP and EPG DB on NW Private subnets. Each tier provides a contract: web contract (EPG WEB), java contract (EPG APP), sql contract (EPG DB). The three tiers consume the infra shared services and mgmt bundle contracts; the Outside is the external consumer.]


ACI Whitelist Policy Supports "Zero Trust" Model

TRUST BASED ON LOCATION (traditional DC switch): servers 1-4 attached to the same switch; servers 2 and 3 can communicate unless blacklisted.

ZERO TRUST ARCHITECTURE (Nexus 9000 with ACI): servers 1-4 grouped into EPG 1 "WEB" and EPG 2 "APP"; no communication is allowed between servers 2 and 3 unless there is a whitelist policy.

Whitelist policy = an explicitly configured ACI contract between EPG 1 and EPG 2 allowing traffic between their members.

The ACI architecture allows flexible EPG membership, enabling a wide range of security policies.


Strategic Security Imperatives Addressed by ACI

COMPLIANCE: policy based compliance, automated compliance management
THREAT MITIGATION: secure multi-tenancy, micro-segmentation; threat mitigation across network, endpoint, virtual and cloud
AUTOMATION: open security framework, L4-7 security automation


ACI Security – Networking, Segmentation, Isolation

• Centralized compliance and auditing
• Import / export policy via API (support for external policy engines)
• Services chaining automated
• Complete isolation with full scalability and security
• Policy separated from network forwarding

[Diagram: tenants Bio-Chemical, Undergrad, HPC, HR, Finance and Guests, each with an APPLICATION NETWORK PROFILE (Undergrad and Guests shown), on a Policy Engine with Open APIs]


ACI Enables Segmentation Based on Business Needs

Increasing level of segmentation / isolation / visibility:

• Basic DC network segmentation (network centric, segmentation by VLAN): PRODUCTION POD, DMZ and SHARED SERVICES on VLAN 1, VXLAN 2 and VLAN 3
• Segment by application lifecycle: DEV, TEST, PROD
• Per application-tier / service level segmentation: WEB, APP, DB


Micro-Segmentation for Physical and Virtual with ACI

[Diagram: virtual, virtual and physical workloads on the fabric]

• Micro-segmentation provides security for east/west traffic
• Embedded L4 distributed stateless firewall
• Hardware-assisted stateful firewall for virtual*
• Automates L4-7 security between application tiers for advanced protection
• Physical and virtual apps
• Full visibility of all traffic between segments

* Requires Application Virtual Switch (AVS)


Hardware Assisted Stateful Firewall (new in 1.1 release)

Consumer A → Provider B. Stateless policy, enforced at the leaf:

Src class | Src port | Dest class | Dest port | Flag | Action
A | * | B | 80 | * | Allow
B | 80 | A | * | ACK | Allow

Connection tracking at the vLeaf, policy enforcement at the leaf:

• Packet received from VM: look up the flow table; create the flow table entry and forward the packet to the leaf
• Leaf evaluates the stateless policy; the hardware policy permits the packet
• Create flow state only for a TCP SYN packet received from the PNIC; deliver the packet to the destination VM
• Response from VM: perform the flow table lookup; on a flow table hit, forward the packet to the leaf

Flow table on the VLAN A side:

VLAN | Proto | Src IP | Src port | Dst IP | Dst port
A | tcp | IP_A | 1234 | IP_B | 80
A | tcp | IP_B | 80 | IP_A | 1234

Flow table on the VLAN B side:

VLAN | Proto | Src IP | Src port | Dst IP | Dst port
B | tcp | IP_A | 1234 | IP_B | 80
B | tcp | IP_B | 80 | IP_A | 1234
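As an added example (not Cisco or AVS code), the following Python model reproduces the two-stage check on this slide: the stateless contract rows enforced at the leaf, and the vLeaf flow table that only comes into existence for a permitted TCP SYN. The IPs, ports and class names are constructed to match the slide's tables.

```python
from collections import namedtuple
# Constructed model of the slide's tables (not Cisco/AVS code): EPG class of
# each end-point IP, and the stateless contract rows enforced at the leaf.
CLASS_OF = {"IP_A": "A", "IP_B": "B"}
CONTRACT = [  # (src class, src port, dst class, dst port, required flag)
    ("A", "*", "B", 80, "*"),    # consumer A may open port 80 on provider B
    ("B", 80, "A", "*", "ACK"),  # provider B may answer only with ACK set
]
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port flags")  # flags: frozenset

def leaf_permits(pkt: Packet) -> bool:
    """Policy enforcement at the leaf: stateless match against CONTRACT."""
    return any(sc == CLASS_OF[pkt.src_ip] and dc == CLASS_OF[pkt.dst_ip]
               and sp in ("*", pkt.src_port) and dp in ("*", pkt.dst_port)
               and (flag == "*" or flag in pkt.flags)
               for sc, sp, dc, dp, flag in CONTRACT)

def flow_keys(pkt: Packet) -> tuple:
    """Forward and reverse 4-tuples stored in the flow table for one flow."""
    fwd = tuple(pkt[:4])
    return fwd, fwd[2:] + fwd[:2]

class VLeaf:
    """Connection tracking at one vLeaf: flow state exists only for a permitted
    TCP SYN, so a VM cannot start a flow with an ACK-only packet even though
    the reverse contract row accepts ACK from B port 80."""
    def __init__(self) -> None:
        self.flows = set()

    def from_vm(self, pkt: Packet) -> bool:
        """Packet received from a local VM: True if forwarded and permitted."""
        fwd, rev = flow_keys(pkt)
        is_syn = pkt.flags == frozenset({"SYN"})
        if fwd not in self.flows and not is_syn:
            return False                   # flow table miss and not a SYN: drop
        if not leaf_permits(pkt):
            return False                   # reached the leaf, hardware policy denies
        if is_syn:
            self.flows.update((fwd, rev))  # create flow table entry
        return True

    def from_pnic(self, pkt: Packet) -> bool:
        """Packet received from the fabric (PNIC) for a local VM: deliver or drop."""
        if not leaf_permits(pkt):
            return False
        if pkt.flags == frozenset({"SYN"}):  # create flow state only for TCP SYN
            self.flows.update(flow_keys(pkt))
        return True                          # deliver packet to destination VM
```

Walking the slide's exchange through two VLeaf instances (one per side) shows the SYN from A creating state on both sides, B's SYN/ACK passing on the reverse row, and a B-originated packet being dropped before it reaches the leaf.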

Automation


ACI Supports Flexible East-West Security Models

L4 Distributed Stateless Firewall (L4 stateless security: a firewall at each leaf switch, for physical or virtual servers)
• L4 stateless firewall attached to every server port
• Line rate policy enforcement
• Policy follows workloads

L4-7 Security via ACI Service Graph (L4-7 security services, physical or virtual, location independent)
• Advanced protection with NGFW, IPS/IDS and DDoS services insertion
• Sizing at scale, enabled via pools and ACI dynamic redirection
• L4-7 security policy applied consistently for any workload
• ACI Service Graph L4-7 visibility and control


Challenges with Network Service Insertion

Service insertion in traditional networks (routers, switch, load balancer, firewall, vFW, servers):
• Configure firewall network parameters
• Configure network to insert firewall
• Configure firewall rules as required by the application
• Configure router to steer traffic to/from load balancer
• Configure load balancer network parameters
• Configure load balancer as required by the application

• Service insertion takes days
• Network configuration is time consuming and error prone
• Difficult to track configuration on services


Application Policy

[Diagram: EPG - APP consumes the dB Contract, which EPG - DB provides]

dB Contract
- MSSQL: Accept
- MySQL: Accept
- HTTP: Accept, Count

Filter: named collection of L4 port ranges
- HTTP = [80, 443]
- MSSQL = [1433-1434]
- MySQL = [3306, 25565]
- DNS = [53, 953, 1337, 5353]

Action: what action or actions to take on the packet
- Accept
- Service Insert
- Count
- Copy (future sw release)
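As an added example (not APIC code), the following Python turns this slide's objects into data and applies the whitelist rule of the earlier zero-trust slide: a packet is permitted only when the source EPG consumes and the destination EPG provides the same contract and one of its filters matches the port. The EPG names, the parser for the slide's port notation and the decommission function are constructed here; the decommission step shows the policy-lifecycle behaviour discussed later in the deck.

```python
# Added example (not APIC code): the objects on this slide as data, plus the
# whitelist evaluation described on the zero-trust slide. Names are constructed.

def parse_filter(spec: str) -> list:
    """Parse the slide's notation, '[80, 443]' or '[1433-1434]', into (lo, hi) ranges."""
    ranges = []
    for item in spec.strip("[] ").split(","):
        lo, _, hi = item.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

# Filter: named collection of L4 port ranges
FILTERS = {name: parse_filter(spec) for name, spec in {
    "HTTP": "[80, 443]", "MSSQL": "[1433-1434]",
    "MySQL": "[3306, 25565]", "DNS": "[53, 953, 1337, 5353]"}.items()}

# Contract: filter name -> actions to take on matching packets
CONTRACTS = {"dB Contract": {"MSSQL": {"Accept"}, "MySQL": {"Accept"},
                             "HTTP": {"Accept", "Count"}}}

# EPG relationships: EPG - DB provides the dB Contract, EPG - APP consumes it
PROVIDES = {"EPG-DB": {"dB Contract"}}
CONSUMES = {"EPG-APP": {"dB Contract"}}

def evaluate(consumer_epg: str, provider_epg: str, dst_port: int) -> set:
    """Actions for a consumer -> provider packet; an empty set means drop.
    Nothing is permitted unless a contract is both consumed by the source EPG
    and provided by the destination EPG and one of its filters matches."""
    actions = set()
    shared = CONSUMES.get(consumer_epg, set()) & PROVIDES.get(provider_epg, set())
    for contract in shared:
        for filt, acts in CONTRACTS[contract].items():
            if any(lo <= dst_port <= hi for lo, hi in FILTERS[filt]):
                actions |= acts
    return actions

def decommission(epg: str) -> None:
    """Application removal: drop the EPG's contract relationships so the fabric
    stops permitting its traffic (policy lifecycle, not per-ACL cleanup)."""
    PROVIDES.pop(epg, None)
    CONSUMES.pop(epg, None)
```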


Network Service Insertion

[Diagram: EXTERNAL (consumer) consumes the Web Contract provided by WEB (provider); HTTP: Accept, Service Graph → FW → LB]

• A contract provides a mechanism to add network services by associating a Service Graph
• APIC configures network service functions on devices such as firewalls and load balancers through device packages
• A Service Graph identifies the set of network service functions required by an application
• A device package can be uploaded to APIC at run time
• Adding support for a new network service through a device package does not require an APIC reboot


Service Insertion Architecture: Device Package

[Diagram: APIC (Policy Manager, Script Engine, APIC Script Interface) talks to the Service Device over the device interface (REST/CLI); the device package consists of a Configuration Model (XML file) and Python scripts]

• The device model defines the service function and its configuration
• Device scripts translate APIC API callouts into device-specific callouts
• A script can interface with the device using REST, SSH or any other mechanism
• A device package contains a device model and device Python scripts
• Service functions are added to the APIC through a device package


Open Security Framework & Ecosystem

A broad ecosystem enables choice and investment protection, and supports a defense-in-depth security strategy.

[Diagram: END-TO-END LAYERED SECURITY ENFORCEMENT. SECURITY APPLICATIONS (compliance, SIEM, security analytics etc.) reach APIC through open REST APIs; APIC drives the ACI Fabric and the DNS, firewall, IDS / IPS and DDoS services through the open standard OpFlex and the open device interface]


Simplified ACL / Firewall Policy Management

• Reduces security risk by eliminating configuration errors
• Policy lifecycle management, including de-commissioning upon application removal, enables compliance
• Retains existing policies/rules, minimizing disruption to current operations
• Centralized L4-7 policy automation with a device package (e.g., ASA/ASAv)
• Policy supports workload mobility

[Diagram: APIC pushes the app security policy to the firewall through the device package]


ACI Integration with Cisco ASA: Centralized Security Policy Automation

PHYSICAL: ASA 5585-X, 16-way clustering with state synchronization*
VIRTUAL: ASAv, full ASA feature set, hypervisor independent, virtual switch agnostic, dynamic scalability

* Up to 640 Gbps of distributed firewall capacity


Accelerated Threat Detection and Response with ACI FirePOWER NGIPS Integration

[Diagram: Application 1 (physical, on Host 3) and Application 2 (physical and VMs on Hosts 1 and 2) on the ACI fabric, with APIC and FireSIGHT exchanging policy and events]

• FirePOWER IPS uses ACI fabric visibility to detect and alert on key security threats early in the attack lifecycle
• FirePOWER IPS continuously gathers events from the ACI fabric to detect new threats
• FireSIGHT Manager continuous analytics enables detection of advanced security threats
• FireSIGHT uses APIC APIs to dynamically push group policies to mitigate the attack and quarantine

Attack lifecycle: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
Proactive detection, mitigation, incident response and mission assurance

Compliance


ACI Security Validated for PCI Compliant Networks

• Reduces compliance scope and costs
• Simplifies audit based on higher level policy
• Reduces costs with a shared network and secure multi-tenancy
• Provides role-based access control
• Centralizes auditing and access monitoring

[Diagram: centralized audit, security policy, network security, access control and access monitoring]


Application Decommissioning and Compliance

Compliance/security requirement: when an application gets decommissioned, every IT resource associated with it must be removed and/or wiped out.

• UCS allows one to dissociate the service profile(s) associated with this application. Audit OK!
• Storage arrays can wipe out the data, or the associated disks can be trashed. Audit OK!
• Current network approaches and solutions don't have a way to map the application workflow and "remove" it. Audit Fail
• ACI is the only solution that can support this programmatically and in an automated manner. Audit OK!

Symantec’s Views on ACI Security

Sheila Jordan Chief Information Officer

Vince Spina VP, Global Network Infrastructure & Data Center


Cisco ACI Addresses Key Datacenter Security Challenges

Threat Centric (detect, understand and block): ACI group policy with advanced protection (FirePOWER NGIPS, ASA NGFW)
Automation (manual process, short on resources, long provisioning times): automated protection for physical and virtual workloads
Compliance (costly, complex validation process): ACI validated for PCI compliant networks

Advanced protection with full automation for physical and virtual workloads