Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director
Transcript of Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director
![Page 1: Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director](https://reader033.fdocuments.net/reader033/viewer/2022061222/54c0a3114a7959712a8b4571/html5/thumbnails/1.jpg)
Private Cloud on Cisco Integrated Infrastructures with Cisco UCS Director
Chris O’Brien
Technical Marketing Manager
Creating a more flexible, functional, and secure application environment
![Page 2: Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director](https://reader033.fdocuments.net/reader033/viewer/2022061222/54c0a3114a7959712a8b4571/html5/thumbnails/2.jpg)
Cisco Confidential. © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Today's Security: Multiple products, policies, unmanaged devices and cloud access
[Diagram: the enterprise DC (UCS, global orchestration), campus, branch, commercial/SMB, cellular and Internet edge (ASR, CSR, web security gateway), SP cloud/core/edge (SP-1, SP-2) and SaaS all reaching the WWW, with any-to-any connectivity]
• Multiple management paradigms
• Multiple identity stores
• Isolated threat intelligence
• Inconsistent enforcement
![Page 3: Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director](https://reader033.fdocuments.net/reader033/viewer/2022061222/54c0a3114a7959712a8b4571/html5/thumbnails/3.jpg)
DC | CLOUD TRANSITION
• Unifying the network services
• Securing multi-tenancy designs
• Extending security posture
[Diagram: Physical to Virtual to Cloud, with the drivers at each stage: agility, flexibility, automation, efficiency, visibility, consistency, consolidation, cost reduction, elasticity]
![Page 4: Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director](https://reader033.fdocuments.net/reader033/viewer/2022061222/54c0a3114a7959712a8b4571/html5/thumbnails/4.jpg)
"Bolted on" Security Inhibits Data Center Acceleration
• Erodes efficiency gains and delays new services implementation by months
• Cannot scale to today's data center network performance requirements
• Cannot proactively defend against emerging threats
![Page 5: Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director](https://reader033.fdocuments.net/reader033/viewer/2022061222/54c0a3114a7959712a8b4571/html5/thumbnails/5.jpg)
The New Security Model - Cisco
Attack Continuum, spanning Network, Endpoint, Mobile, Virtual and Cloud:
• Before: Control, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate
Point in time to Continuous
![Page 6: Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director](https://reader033.fdocuments.net/reader033/viewer/2022061222/54c0a3114a7959712a8b4571/html5/thumbnails/6.jpg)
The Secure Enclave Architecture (SEA)
![Page 7: Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director](https://reader033.fdocuments.net/reader033/viewer/2022061222/54c0a3114a7959712a8b4571/html5/thumbnails/7.jpg)
Secure Enclave Architecture: Security Services on Cisco Integrated Systems
[Diagram: Tenants A, B and C, each with virtualized (VM) and bare-metal workloads, on shared virtualized and bare-metal compute and hypervisor, network and services]
• Cisco and our technology partners (NetApp, EMC, Lancope, etc.) working together
• Consistent design and documentation
• Builds on top of existing FlexPod Data Center
• Strong focus on applications
Attack continuum, point in time to continuous: Before (Control, Enforce, Harden), During (Detect, Block, Defend), After (Scope, Contain, Remediate)
![Page 8: Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director](https://reader033.fdocuments.net/reader033/viewer/2022061222/54c0a3114a7959712a8b4571/html5/thumbnails/8.jpg)
Secure Enclave Framework: Design Principles
• Least common mechanism: globalize common/shared modules (enforcement). Fewer duplicates means fewer opportunities for compromise, with potential performance and maintenance benefits.
• Minimized sharing: sharing should be limited to reduce potential encroachment; only explicitly requested and granted access.
• Efficient mediated access: functions of access control should be allocated to the lowest possible level (closer to hardware) while still meeting flexibility requirements.
![Page 9: Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director](https://reader033.fdocuments.net/reader033/viewer/2022061222/54c0a3114a7959712a8b4571/html5/thumbnails/9.jpg)
Cisco UCS Director Integration
[Diagram: UCS Director as the single pane of glass over the domain managers for OS and virtual machines, storage, network and compute; Tenants A, B and C with VM and bare-metal workloads on the integrated system]
• Integrated system: Cisco UCS B-Series Blade Servers, C-Series and UCS Manager; Cisco Nexus Family Switches; NetApp FAS Series Storage Systems
• On-demand automated delivery
• Policy-driven provisioning
• Single pane of glass across VMs, compute, network and storage
• End-to-end automation and lifecycle management
![Page 10: Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director](https://reader033.fdocuments.net/reader033/viewer/2022061222/54c0a3114a7959712a8b4571/html5/thumbnails/10.jpg)
Enclave Model: Logical Structure
[Diagram: External Network, Public Access Control, Web Tier (W1..WX), Private Access Control, Application Tier (App1..AppX), Database Tier (DB1..DBx); Cisco TrustSec, Load Balancing and Cisco Cyber Security and Threat Defense span the enclave; a separate Management network]
• Access control point into the secure region (public)
• Access control within and between application tiers (private)
• Cyber Threat Defense (CTD) operations to expose and identify malicious traffic
• Cisco TrustSec (CTS) using Security Group Access (SGA) control to identify server roles and to enforce security policy
• Out-of-band management for centralized administration of the Enclave and its resources
• Optional load balancing capabilities
![Page 11: Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director](https://reader033.fdocuments.net/reader033/viewer/2022061222/54c0a3114a7959712a8b4571/html5/thumbnails/11.jpg)
Secure Enclave Architecture: Security Services on a Cisco Integrated System
[Diagram: Tenants A, B and C with VM and bare-metal workloads on shared compute and hypervisor, network and services, managed by UCS Director]
• Latest and greatest Cisco Security capabilities all working together
• Consistent design and documentation
• Builds on top of Cisco Integrated Systems
• Strong focus on enterprise applications
• Initial solution target: 2Q CY 2014
![Page 12: Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director](https://reader033.fdocuments.net/reader033/viewer/2022061222/54c0a3114a7959712a8b4571/html5/thumbnails/12.jpg)
Enclave Framework: Transparent Firewalling
[Diagram: Enclave-1 (Web, Application, Database) on a VMware HA cluster of ESXi hosts behind Cisco UCS Fabric Interconnects and Cisco Nexus switching; a Cisco ASA transparent virtual context bridges VLAN 2001 (Enclave-1 outside) and VLAN 3001 (Enclave-1 inside); VLAN 3253 is the common VTEP VLAN; Cisco Nexus 1000V carries VXLAN 30011; Cisco VSG and load balancing sit inside the enclave; Cisco ISE Policy Manager distributes PAC files and SXP carries SGT bindings; vmk3/vmk4 shown per host]
• ISE provides centralized authentication (PAC file) and the security group table
• SGT applied at the VM port profile
• SXP propagates SGT information across the fabric from Nexus 1000V
• ASA virtual context in transparent mode provides access control
• Single VLAN into the Enclave
• One or more VXLANs for VM-to-VM traffic
• Virtual Security Gateway provides access control across the Enclave
• vmk4 supports NFS for the Enclave
• vmk5 supports iSCSI for the Enclave
• Load balancing services (optional)
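The public access control point of the Enclave Model (page 10) and the transparent-firewalling build-out above, written out as device configuration. This is an added illustration, not configuration from the deck or from the Cisco Secure Enclaves design guide. It assumes an ASA 9.x context named ENCLAVE-1 in transparent mode, a Nexus 1000V VSM, ISE reachable at 10.10.0.10, bridge-group/SXP addresses 10.10.1.2 (ASA) and 10.10.1.5 (Nexus 1000V), SGTs 10 and 20 for the Web and App roles, the VLAN 2001/3001 and VXLAN 30011 numbers from the diagram, and placeholder secrets; every one of those values is an assumption. The command syntax is written from the ASA and Nexus 1000V TrustSec configuration guides as remembered and must be checked against the command reference for your release before use.

```cisco
! ===================== ASA: context ENCLAVE-1, transparent mode =====================
! Illustrative fragment; addresses, names, tags and secrets are assumptions.
! The system execution space is assumed to have allocated the two VLAN
! subinterfaces (2001 outside, 3001 inside, as on the diagram) to this context.
firewall transparent
hostname ENCLAVE-1
!
interface GigabitEthernet0/0.2001
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/0.3001
 nameif inside
 bridge-group 1
 security-level 100
!
! Bridge-group address: used to reach ISE and as the SXP source.
interface BVI1
 ip address 10.10.1.2 255.255.255.0
!
! TrustSec: the PAC authenticates the ASA to ISE; the SGT name table
! (environment data) is then downloaded from ISE.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.10.0.10
 key RADIUS-SHARED-SECRET
cts server-group ISE
cts import-pac flash:/enclave-1.pac password PAC-PASSWORD
!
! SXP listener: receive IP-to-SGT bindings pushed by the Nexus 1000V.
cts sxp enable
cts sxp default password SXP-PASSWORD
cts sxp default source-ip 10.10.1.2
cts sxp connection peer 10.10.1.5 password default mode local listener
!
! Public access control point: only HTTP/HTTPS from outside, and only to
! servers carrying the Web SGT. App and DB roles are never reachable from
! outside; the closing deny is explicit so hosts with no binding fail closed.
object-group security SG-WEB
 security-group name Web
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
access-list ENCLAVE-1-IN extended permit tcp any object-group-security SG-WEB any object-group WEB-PORTS
access-list ENCLAVE-1-IN extended deny ip any any log
access-group ENCLAVE-1-IN in interface outside
!
! ===================== Nexus 1000V VSM: SGT at the port profile, SXP speaker =====================
feature cts
feature segmentation
!
! The Nexus 1000V only speaks SXP; "mode listener" names the peer's role (the ASA).
cts sxp enable
cts sxp default password SXP-PASSWORD
cts sxp default source-ip 10.10.1.5
cts sxp connection peer 10.10.1.2 password default mode listener
!
! VXLAN segment for VM-to-VM traffic inside the enclave (segment id from the
! diagram; the multicast group is an assumption).
bridge-domain ENCLAVE-1-APP-DB
 segment id 30011
 group 239.30.11.1
!
! Web tier sits on the single enclave VLAN behind the ASA inside interface.
! The SGT is assigned where the VM attaches; device tracking learns the VM
! address so the IP-to-SGT binding can be sent over SXP.
port-profile type vethernet ENCLAVE-1-WEB
 switchport mode access
 switchport access vlan 3001
 cts sgt 10
 cts device-tracking
 no shutdown
 state enabled
 vmware port-group
!
port-profile type vethernet ENCLAVE-1-APP
 switchport mode access
 switchport access bridge-domain ENCLAVE-1-APP-DB
 cts sgt 20
 cts device-tracking
 no shutdown
 state enabled
 vmware port-group
```

Two checks matter once this is in place. On the ASA, `show cts sxp connections` should show the Nexus 1000V peer as On and `show cts environment-data` should list the Web and App names from ISE; if the SGT table has not downloaded, the `security-group name` references resolve to nothing and the ACL silently matches no hosts. Second, an SGT-based rule only matches a packet once the IP-to-SGT binding for that address has arrived over SXP, so a freshly powered-on VM is unbound for a moment; that is why the closing `deny ip any any log` is written explicitly rather than relied on as the implicit default, and the logged hits are a useful signal that a binding is missing. The private (tier-to-tier) access control from page 10 is enforced by VSG and is not shown here.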
![Page 13: Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director](https://reader033.fdocuments.net/reader033/viewer/2022061222/54c0a3114a7959712a8b4571/html5/thumbnails/13.jpg)
Enclave Traffic Patterns
[Diagram: two Enclave Model diagrams (as on page 10) side by side, annotated with North-South traffic entering and leaving each enclave through the public access control point, East-West traffic between tiers inside an enclave, and enclave-to-enclave traffic]
![Page 14: Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director](https://reader033.fdocuments.net/reader033/viewer/2022061222/54c0a3114a7959712a8b4571/html5/thumbnails/14.jpg)
Summary
[Diagram: Tenants A, B and C with VM and bare-metal workloads on shared compute and hypervisor, network and services, managed by UCS Director]
• Builds on top of existing Cisco Integrated Systems (standardize the physical and logical platforms)
• Latest and greatest Cisco Security capabilities all continuously working together (Before, During, After)
• Strong focus on applications
• Expedite and remove risk through automation
![Page 15: Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director](https://reader033.fdocuments.net/reader033/viewer/2022061222/54c0a3114a7959712a8b4571/html5/thumbnails/15.jpg)
Thank you.
![Page 16: Private cloud on Cisco Integrated Infrastructures with Cisco UCS Director](https://reader033.fdocuments.net/reader033/viewer/2022061222/54c0a3114a7959712a8b4571/html5/thumbnails/16.jpg)
Reference Material
• Cisco Secure Enclaves Architecture Design Guide: http://www.cisco.com/c/en/us/products/collateral/servers-unified-computing/ucs-manager/whitepaper-c07-731204.html
• Secure Data Center for Enterprise Solution Design Guide: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/sdc-dg.pdf
• Cisco Secure Data Center for Enterprise (Implementation Guide): http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/sdc-ig.pdf
• Cisco Cyber Threat Defense for the Data Center Solution: First Look Guide: http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/ctd-first-look-design-guide.pdf