Datacenter Security: How do Datacenters have to react in the Era of Digitization?

René Raeber, [email protected] | DSE WW Datacenter & Cloud | IEEE-802.1 DCB Architect | @rraeber | Datacenter Patent Reviewer | Master Business IT Security

53 slides

Slide transcript

Page 1

René Raeber, [email protected]

DSE WW Datacenter & Cloud

IEEE-802.1 DCB Architect

@rraeber

Datacenter Patent Reviewer

Master Business IT Security

Datacenter Security: How do Datacenters have to react in the Era of Digitization?

Page 2

Agenda

Introduction

Policy driven Datacenter

Segmentation

Visibility

Conclusion / Discussion

Page 3

Datacenter Evolution

Page 4

Infrastructure Revolution

Software-defined Infrastructure

Autonomous Infrastructure

Container Technologies: Server, Host OS, Docker, Binaries/Libraries, App 1, App 2

Compute | Storage | Network

Page 5

Integrated Architectural Approach

Best of Breed Portfolio

Cisco’s Approach Security Everywhere

Page 6

Cisco’s Integrated Architectural Approach

Pervasive | Integrated | Continuous | Open

Threat Intelligence

Unified Management

Network Endpoint Cloud

Services

Visibility

Threat Intelligence

Page 7

Cisco Datacenter Strategy

Defined by Applications. Driven by Policy. Delivered as a Solution / Service.

Compute | Network | Cloud

Policy

Page 8

Policy Model | Identity

Authority

Perimeter

Security

ACI

TrustSec

ISE

APIC

VTS

ACI

Prog. NW

Prog. Fab.

Segmentation

ACI

Non ACI

UCS

Analytics

Tetration

Stealthwatch

Cisco Firewalls / NGFW / IPS / IDS

Certified Security Ecosystem

“We Securely connect On-Prem and Off-Prem Everything to make Anything possible”

Cisco Datacenter Security Overview

The FOCUS areas

The Priorities per each area

Page 9

Cisco SAFE

Page 10

Cisco SAFE Conceptual Layout

Data Center | Edge | Cloud | Branch | Campus | WAN | Internet | SP WAN

Page 11

SAFE Simplifies Security: Data Center

L2/L3 Network; To Campus; To Edge; WAN

Zones: Shared Services Zone, App Server Zone, PCI Compliance Zone, Database Zone

Capabilities: Flow Analytics, Host-based Security, Load Balancer, Firewall, Next-Gen Intrusion Prevention System, Switch, Web Application Firewall, Virtualized Capabilities

Centralized Management: Policy/Configuration, Visibility/Context, Analysis/Correlation, Analytics, Logging/Reporting, Threat Intelligence, Vulnerability Management, Monitoring

Page 12

Application Centric Infrastructure

Policy(May)

Assurance(Can)

Analytics(Did)

ADM

Security

Compliance

Audit, …

Page 13

Agenda

Introduction

Policy driven Datacenter

Segmentation

Visibility

Conclusion / Discussion

Page 14

What do we mean by Policy?

POLICY

Public Cloud

APP

APP

APP

APP

APP

Edge

Network is single source of truth

Applications are Everywhere, Good News, So are We

DATA CENTER

Page 15

How? Teach the Infrastructure the Language of the Applications

Network Language | Compute/Storage Language | Security Language

Decouple Application and Policy From Underlying Infrastructure

Infrastructure | Common Policy | App Network Profile | UCS Service Profile

Policy-Driven Infrastructure

This is what we call Policy

Application Language

• Application tier policy and dependencies

• Security requirements

• Service level agreement

• Application performance

• Compliance

• Geo dependencies

Page 16

Why? The Network Is the Best Place to Put Policy

Network is the best place to put policy because it touches everything. The Network never lies.

POLICY

Public Cloud | Edge

DATA CENTER

APP

APP

APP

APP

APP

Page 17

Policy Driven Integrated Infrastructure In Action

1. Modernize Infrastructure: Open and Programmable (Network / L4-7, Compute, Storage, Security)

2. Move Data and Workloads Securely

3. Build Your Private Cloud (Private Cloud Stack, Integrated Infrastructure)

4. Choose Any Other Cloud (Managed, Public, Private)

5. Self-Service Portal (IT as a Service)

6. Extend Policy Model

7. Automate and Simplify

8. Edge – Push Policy Model

9. SECURITY Everywhere

10. Analytics Everywhere

POLICY | DATA CENTER

Page 18

Application Centric Infrastructure (ACI)

“DB” | “App”

Unified Management and Visibility

Flat Hardware Accelerated Network

Logical Endpoint Groups by Role

Fabric Port

Services: Flexible Insertion

Page 19

APIC Logical View

Tenant

Bridge Domain

EPG A EPG B EPG C

Context

Subnet A , Subnet B

Context

Bridge Domain

EPG B EPG C

Subnet A

Subnet D

Bridge Domain

EPG A EPG C

Subnet A

Subnet D

Page 20

Application decommission & the compliance / audit demand

“Due to compliance regulations, when an application gets decommissioned, every IT resource associated with that must be removed and/or wiped out”

UCS allows one to dissociate the service profile(s) associated with this application. Audit OK!

Storage arrays can wipe out the data, or the associated disks can be trashed. Audit OK!

Current network approaches and solutions don’t have a way to map the application workflow and “remove” it. Audit Fail

ACI is the only one that can, including programmatically and automated. Audit OK!

Page 21

Disjointed Identity & Security Policy Domains Between Campus and Data Center

TrustSec domain: Voice, Employee, Supplier, BYOD

Campus / Branch / Non-Fabric: TrustSec Policy Domain (Voice VLAN, Data VLAN)

Data Center: ACI Fabric (Web, App, DB), APIC Policy Domain (APIC)

WAN

Disjointed Identity Policy Domains: TrustSec Policy Domain | APIC Policy Domain

• Today the customer has two disjointed identity and security policy domains in Campus and Data Center:

• TrustSec User Identity, SGT and SGACL in Campus

• APIC App Endpoint Identity, EPG and Contract in Data Center

• Customer Requirement:

• Need Common “Identity,” Tagging and “Security Policy” between TrustSec and ACI domains

Page 22

ISE and ACI Policy Models

ISE Policy Model: Src-SGT (identity) → SGACL → Dest-SGT (identity)

ACI Policy Model: Src-EPG (identity) → Contract → Dest-EPG (identity)

ISE Controller ↔ APIC Controller: Policy Mapping

Page 23

Campus “User Identity Scale Up” Automatically Propagated into ACI Data Center

ISE Controller

User 1

User 1000

SGT Binding Scale Up

APIC dynamically learns

Scale Up User Bindings in Campus

ACI Data Center

Page 24

ACI “App Endpoint Scale Up” Automatically Propagated into Campus ISE Controller

ISE dynamically learns

Scale Up VM Bindings in DC

ISE Controller ACI Data Center

App Dynamic Scale Up in DC

VM1

VM1000

TrustSec Domain

Page 25

Agenda

Introduction

Policy driven Datacenter

Segmentation

Visibility

Conclusion / Discussion

Page 26

Spectrum of Micro Segmentation

Segmentation

Micro-Segmentation

Per EPG

Per vNIC

Page 27

Level of Segmentation/Isolation/Visibility

ACI Enables Segmentation Based on Business Needs

Network centric Segmentation: VLAN 1, VXLAN 2, VLAN 3

Segment by Application Lifecycle: DEV, TEST, PROD

Basic DC Network Segmentation: PRODUCTION POD, DMZ, SHARED SERVICES

Per Application-tier / Service Level Micro-Segmentation: WEB, APP, DB

Intra-EPG Micro-Segmentation: WEB, WEB

Container Security (New): VM, OVS/OpFlex

VMware VDS | Microsoft Hyper-V | KVM | Cisco AVS | Physical

EPG Based / Intra EPG Based / Attributes Based

Page 28

Micro-Segmentation Supports Contracts and Service-Graphs

Application with EPG, Contract and Service Graphs

uSeg-video-client

Video-Streaming

uSeg EPGs with Contract

uSeg EPGs with Service Graphs

Page 29

ACI and SourceFire – Security Closed Feedback Loop

EPGs: CORP EPG, PUBLIC EPG, REM EPG, QUA EPG; FW; NGIPS (10.1.0.234); Attack

FireSIGHT Management Center → REST Calls to APIC NB API → Move VM To Quarantine

Quarantine for Remediation; Post Remediation Move Cleaned VM

Page 30

DVS Micro-Segmentation and Custom Attributes

Attributes supported for DVS uSeg:

Custom Attributes

Guest OS

VM Name

VM (id)

VNIC (id)

DVS

DVS Port-group

Datacenter

MAC

IP Address Prefix

Custom Attributes Use:

vSphere Web Client Plugin 6.0
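The three preceding slides describe attribute-based micro-segmentation (a VM lands in a uSeg EPG because of its name, guest OS, IP prefix or a custom attribute) and the closed feedback loop in which a detection moves a VM into a quarantine EPG. The following is an added example, not code from the slides or from Cisco: a small classifier that models how such attribute rules are evaluated with a precedence order, and how tagging a VM with a custom attribute moves it into a quarantine group. The rule types, the precedence numbers, the `security-state=quarantine` attribute and the VM inventory are all constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class VM:
    """A virtual machine as seen by the hypervisor (constructed sample data)."""
    name: str
    guest_os: str
    ip: str
    custom: Dict[str, str] = field(default_factory=dict)  # hypothetical vSphere custom attributes


@dataclass
class USegEPG:
    """A micro-segmentation EPG defined by one attribute rule (hypothetical model)."""
    name: str
    precedence: int   # lower value wins when several uSeg EPGs match the same VM
    attribute: str    # "vm-name" | "guest-os" | "ip" | "custom"
    match: str        # regex for vm-name, prefix for guest-os, CIDR for ip, "key=value" for custom


def vm_matches(epg: USegEPG, vm: VM) -> bool:
    """Evaluate one attribute rule against one VM."""
    if epg.attribute == "vm-name":
        return re.search(epg.match, vm.name) is not None
    if epg.attribute == "guest-os":
        return vm.guest_os.lower().startswith(epg.match.lower())
    if epg.attribute == "ip":
        return ipaddress.ip_address(vm.ip) in ipaddress.ip_network(epg.match)
    if epg.attribute == "custom":
        key, _, value = epg.match.partition("=")
        return vm.custom.get(key) == value
    raise ValueError(f"unknown attribute type: {epg.attribute}")


def classify(vm: VM, useg_epgs: List[USegEPG], base_epg: str = "base-web") -> str:
    """Return the EPG a VM lands in: the best-precedence matching uSeg EPG, else the base EPG."""
    matches = [e for e in useg_epgs if vm_matches(e, vm)]
    if not matches:
        return base_epg
    return min(matches, key=lambda e: e.precedence).name


def segment_all(vms: List[VM], useg_epgs: List[USegEPG]) -> Dict[str, str]:
    """Map every VM name to the EPG it is classified into."""
    return {vm.name: classify(vm, useg_epgs) for vm in vms}


def quarantine(vm: VM) -> VM:
    """Model the remediation step: tag the VM so that the quarantine rule wins."""
    vm.custom["security-state"] = "quarantine"
    return vm


# Constructed rule set. The quarantine rule has the best precedence so it always wins.
USEG_EPGS = [
    USegEPG("useg-quarantine", 1, "custom", "security-state=quarantine"),
    USegEPG("useg-pci-web", 10, "ip", "10.20.5.0/24"),
    USegEPG("useg-web-windows", 20, "guest-os", "Windows"),
    USegEPG("useg-web-prod", 30, "vm-name", r"^web-prod-"),
]

# Constructed inventory.
VMS = [
    VM("web-prod-01", "Windows Server 2016", "10.20.1.11"),
    VM("web-prod-02", "Ubuntu 16.04", "10.20.1.12"),
    VM("web-dev-03", "Ubuntu 16.04", "10.20.1.13"),
    VM("web-prod-09", "Ubuntu 16.04", "10.20.5.7"),
]

if __name__ == "__main__":
    print(segment_all(VMS, USEG_EPGS))   # before any remediation
    quarantine(VMS[0])
    print(segment_all(VMS, USEG_EPGS))   # web-prod-01 now sits in useg-quarantine
```

The precedence field is what makes the model safe to operate: a VM that matches both a PCI prefix rule and a name rule must land in exactly one group, and the quarantine rule sits above everything else so that remediation never loses to a more specific classification rule.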

Page 31

Segmentation with ACI – Available Today! Whitelist, Multi-Tenant Isolation, Service Automation

ACI Services Graph

L4-7 Security Services (physical or virtual, location independent)

Servers (Physical or Virtual, Containers, Micro Services)

Firewall at Each Leaf switch

• White-list Firewall Policy Model (line rate)

• Authenticated Northbound API (X.509)

• Encrypted Management Plane (TLS 1.2)

• Integrated any security device

• PCI, FIPS

• VMware AVS, VDS (by H1CY16), Microsoft Hyper-V and Bare Metal Workloads

• Intra End-Point-Group (EPG) isolation

• Attribute Based isolation and quarantine

• Dynamic Service Insertion and Chaining

• Security Policy follows workloads

• Centralized Security provisioning and visibility

Embedded Security | Micro-Segmentation | Security Automation

Page 32

Agenda

Introduction

Policy driven Datacenter

Segmentation

Visibility

Conclusion / Discussion

Page 33

Page 34

Deterministic …

We may regard the present state of the Universe as the effect of its past and the cause of its future.

If you know everything about a system at some instant of time, and you also know the equations that govern how the system changes, then you can predict the future. The classical laws of physics are deterministic!

If we can say the same thing, but with the past and the future reversed, the equations tell you everything about the past. Such a system is called reversible.

Now, can we do this with IT?

Page 35

Tetration Analytics: Visibility and Forensics | Application Insight | Network Compliance | Policy

Think about what you could do if you had: Every Packet, Any Time, Any Where

Page 36

Cisco Tetration Analytics

Application Insight

Policy Simulation and Impact Assessment

Automated Whitelist Policy Generation

Forensics: Every Packet, Every Flow, Every Speed

Policy Compliance and Auditability

Page 37

Cisco Tetration Analytics Architecture Overview

Analytics Engine: Cisco Tetration Analytics™ Platform

Visualization and Reporting: Web GUI, REST API, Push Events

Cisco Confidential – NDA Required

Data Collection: Host Sensors, Network Sensors, Third-Party Metadata Sources

Tetration Telemetry | Configuration Data

Cisco Nexus® 92160YC-X | Cisco Nexus 93180YC-EX | VM

Page 38

Pervasive Visibility: Flow Search and Forensics

Page 39

Datacenter Wide Traffic Flow Visibility

Information about Consumer – Provider and type of traffic

Detailed information about the flow

Page 40

Visual Query with Flow Exploration

Replay flow details like a DVR

Information mapped across 25 different dimensions

• Thick lines indicate common flows

• Faint lines indicate uncommon flows

Page 41

Policy Simulation and Compliance

Page 42

Policy Compliance Verification & Simulation

What was seen on the network that was out of Policy

Permitted Traffic Seen on the network

Page 43

Policy Compliance

• Identify policy deviations in real-time

• Review and update whitelist policy with one click

• Policy lifecycle management

Cisco Tetration Analytics™ Platform (VM and BM workloads)

Page 44

Policy Enforcement

Page 45

Get To Zero-Trust Model

APIC: Application Policy Recommendation; Import Policy using ACI Toolkit; Automatic creation of EPGs and Contracts

Real Time Data | Network Policy | App Policy

Tetration Analytics | UCS | Cisco Nexus 9000 Series | UCS

Page 46

Enforcement Anywhere

Cisco Tetration Analytics™ → Cisco ACI™ and Cisco Nexus® 9000 Series | Standalone Linux and Microsoft Windows Servers and VM | Public Cloud

Data

Whitelist policy:

{
  "src_name": "App",
  "dst_name": "Web",
  "whitelist": [
    {"port": [0, 0], "proto": 1, "action": "ALLOW"},
    {"port": [80, 80], "proto": 6, "action": "ALLOW"},
    {"port": [443, 443], "proto": 6, "action": "ALLOW"}
  ]
}

• Cisco ACI EPG/Contract Integration via Cisco ACI Toolkit

• Traditional Network ACL

• Firewall Rules

• Host Firewall Rules

Amazon Web Services | Microsoft Azure | Google Cloud
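Slides 22 to 24 describe the two identity domains (SGT bindings learned by ISE, EPG bindings learned by APIC) being mapped onto each other, slides 42 and 43 describe checking observed traffic against the whitelist to find what was out of policy, and the whitelist above shows the policy format. The following is an added example, not code from the slides or from Cisco, that ties those together: it merges prefix-to-group bindings from both domains into one identity table, evaluates constructed flow records against a policy written in the slide's JSON format, and groups the out-of-policy flows into candidate rules for an analyst to review. The binding tables, the second policy entry for "Employee", the flow records and the meaning of "proto" as an IP protocol number are all assumptions made for this example.

```python
import ipaddress
import json
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Whitelist policy in the format shown on the slide ("App" -> "Web"), plus a constructed
# second entry for a campus identity. "port" is an inclusive range; "proto" is assumed to be
# the IP protocol number (1 = ICMP, 6 = TCP, 17 = UDP).
POLICY_JSON = """[
  {"src_name": "App", "dst_name": "Web", "whitelist": [
    {"port": [0, 0],     "proto": 1, "action": "ALLOW"},
    {"port": [80, 80],   "proto": 6, "action": "ALLOW"},
    {"port": [443, 443], "proto": 6, "action": "ALLOW"}]},
  {"src_name": "Employee", "dst_name": "Web", "whitelist": [
    {"port": [443, 443], "proto": 6, "action": "ALLOW"}]}
]"""

# Constructed identity bindings: prefix -> group name, one table per policy domain.
ISE_SGT_BINDINGS = {"10.10.1.0/24": "Employee", "10.10.2.0/24": "Supplier"}
APIC_EPG_BINDINGS = {"10.20.1.0/24": "Web", "10.20.2.0/24": "App", "10.20.3.0/24": "DB"}

Binding = Tuple[ipaddress.IPv4Network, str]


def merge_bindings(*tables: Dict[str, str]) -> List[Binding]:
    """Merge per-domain binding tables into one list, longest prefix first."""
    merged = [(ipaddress.ip_network(p), name) for t in tables for p, name in t.items()]
    return sorted(merged, key=lambda b: b[0].prefixlen, reverse=True)


def identity_of(ip: str, bindings: List[Binding]) -> Optional[str]:
    """Longest-prefix lookup of the group (SGT or EPG) an address belongs to."""
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in bindings if addr in net), None)


def load_policy(text: str) -> Dict[Tuple[str, str], list]:
    """Index the whitelist entries by (src_name, dst_name)."""
    return {(p["src_name"], p["dst_name"]): p["whitelist"] for p in json.loads(text)}


def is_permitted(policy, src_name: str, dst_name: str, proto: int, dst_port: int) -> bool:
    """True if some ALLOW rule for (src, dst) covers this protocol and destination port."""
    for rule in policy.get((src_name, dst_name), []):
        lo, hi = rule["port"]
        port_ok = (proto == 1 and lo == hi == 0) or lo <= dst_port <= hi  # ICMP carries no port
        if rule["action"] == "ALLOW" and rule["proto"] == proto and port_ok:
            return True
    return False


def check_flows(flows, policy, bindings) -> Dict[str, list]:
    """Split observed flows into permitted traffic and traffic seen out of policy."""
    report = {"permitted": [], "out_of_policy": []}
    for src, dst, proto, dport in flows:
        s, d = identity_of(src, bindings), identity_of(dst, bindings)
        entry = {"src": src, "dst": dst, "proto": proto, "dport": dport,
                 "src_name": s, "dst_name": d}
        if s and d and is_permitted(policy, s, d, proto, dport):
            report["permitted"].append(entry)
        else:
            entry["reason"] = "no whitelist rule" if (s and d) else "unbound endpoint"
            report["out_of_policy"].append(entry)
    return report


def suggest_rules(report: Dict[str, list]) -> List[dict]:
    """Group out-of-policy flows into candidate whitelist entries for an analyst to review."""
    seen = defaultdict(int)
    for e in report["out_of_policy"]:
        if e["src_name"] and e["dst_name"]:
            seen[(e["src_name"], e["dst_name"], e["proto"], e["dport"])] += 1
    return [{"src_name": s, "dst_name": d, "proto": p, "port": [port, port],
             "flows_seen": n, "action": "REVIEW"} for (s, d, p, port), n in sorted(seen.items())]


# Constructed flow records: (src_ip, dst_ip, proto, dst_port).
SAMPLE_FLOWS = [
    ("10.20.2.5", "10.20.1.7", 6, 443),    # App -> Web HTTPS: permitted
    ("10.10.1.33", "10.20.1.7", 6, 443),   # Employee -> Web HTTPS: permitted
    ("10.20.2.5", "10.20.1.7", 1, 0),      # App -> Web ICMP: permitted
    ("10.10.1.33", "10.20.3.9", 6, 3306),  # Employee -> DB: no rule
    ("10.20.2.5", "10.20.1.7", 6, 22),     # App -> Web SSH: no rule
    ("10.20.2.5", "10.20.1.7", 6, 22),     # same, seen again
    ("192.0.2.10", "10.20.1.7", 6, 80),    # source bound to no SGT or EPG
]

if __name__ == "__main__":
    rep = check_flows(SAMPLE_FLOWS, load_policy(POLICY_JSON),
                      merge_bindings(ISE_SGT_BINDINGS, APIC_EPG_BINDINGS))
    print(json.dumps(rep, indent=2))
    print(json.dumps(suggest_rules(rep), indent=2))
```

Two details matter in practice. An endpoint with no binding in either domain is reported as out of policy rather than silently skipped, because an unclassified endpoint is exactly what a whitelist model must not let through. And `suggest_rules` deliberately emits `REVIEW` rather than `ALLOW`: the generated entries are input to the "review and update whitelist policy" step, not a policy change by themselves.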

Page 47

Better together: CliQr | ACI | Tetration

App Level Policy Enforcement / Visibility

Self-documenting Network

Real time detection & closed loop automation

Real Time Data | App Policy

Tetration Analytics | Nexus 9K

Amazon Web Services | Microsoft Azure | Google Cloud

Page 48

Agenda

Introduction

Policy driven Datacenter

Segmentation

Visibility

Conclusion / Discussion

Page 49

Two Operational Models: Which do you want your network admin using?

With ACI:

1. “Let my app servers talk to my web servers.”

2. There is no step 2. Go do something interesting.

Without ACI:

1. “Trunk VLAN 112 to switch 22.”

2. “Add route….”

3. “Plumb ports 7-12…”

4. Break for snack. See if there’s any leftover cake in the coffee room.

5. “Configure ACL…”

6. “Apply QoS…”

7. Repeat.

Page 50

ACI is for Micro Segmentation

Micro Segmentation works for all workloads (bare metal, virtual, containers, management, backup …)

Same policy model for vSphere, Hyper-V, OpenStack, Containers and Bare Metal.

With ACI 1.2, support for up to 10 vCenters (versions 5.1, 5.5 and 6.0) and up to 10,000 servers.

Works with standard virtual switch offerings, including VMware VDS, OVS and MSFT vSwitch (AVS is optional for vSphere).

Stateful firewall when using Cisco AVS on vSphere, at no extra cost and with better performance in the VMware environment.

Page 51

ACI Security Certifications

Certification ACI

Done

Target Q4 CY 16

Target Q3 CY 16

Target Q4 CY 16

Planning

Page 52

ACI Security: Automated Security With Built In Multi-Tenancy

Security Automation | Embedded Security

• White-list Firewall Policy Model

• RBAC rules

• Hardened CentOS 7.2

• Authenticated Northbound API (X.509)

• Encrypted Intra-VLAN (TLS 1.2)

• Secure Key-store for Image Verification

• Dynamic Service Insertion and Chaining

• Closed Loop Feedback for Remediation

• Centralized Security Provisioning & Visibility

• Security Policy Follows Workloads

Distributed Stateless Firewall

Line Rate Security Enforcement

Open: Integrate Any Security Device

PCI, FIPS, CC, UC-APL, USG-v6

ACI Services

Graph

Micro-Segmentation

• Hypervisor Agnostic (ESX, Hyper-V, KVM*)

• Physical, Virtual Machine, Container

• Attribute Based Isolation/Quarantine

• Point and Click Micro-segmentation

• TrustSec-ACI Integration

Encryption

• Link MACSEC

• INS-SEC Overlay Encryption

Page 53