Data Center Security. Fuat KILIÇ Consulting Systems

Transcription

1

2 Data Center Security Fuat KILIÇ Consulting Systems

3 Data Center Evolution WHERE ARE YOU NOW? WHERE DO YOU WANT TO BE? Traditional Data Center Virtualized Data Center (VDC) Virtualized Desktops Internal, Private Clouds Virtual Private Clouds (VPC) Public Clouds Consolidate Assets Virtualize the Environment Standardize Operations Automate Service Delivery Virtualization Cloud

4 Data Center Security Requirements Virtualization: Security for east-west traffic in multi-hypervisor environments Scalability: Need for policy enforcement for high speed networks Resiliency: High availability is imperative for applications Expanded Deployment Options: Policy enforcement on inter-dc traffic Segmentation: Policy between specific groups, users, or applications Threat Management: Threat correlation with contextual analysis

5 Edge Security NOT Designed for the DC Internet Edge Security Data Center Security Only sees symmetric traffic Mostly sees Internet apps and micro-apps Static scalability for predictable data volume, limited by edge data connection Monitors Ingress and Egress traffic. Only requires a physical appliance. Virtual devices (if any) limited to one hypervisor Standard deployment takes days or weeks Vendor support focused on traditional network deployments Must manage asymmetric traffic Sees customized and home-grown applications Requires dynamic scalability to secure high volume data bursts Security needs to be integrated in-line (East/West) Requires both a physical and a virtual solution. 42% of DCs have multiple hypervisors Must be deployed in hours or minutes The DC requires specialized support for planning, design, and implementation

6 1. Security Must Be Designed for the DC Network Integration Optimum Performance Threat-Based Security Must be deployed dynamically and quickly Ties data center and security policy together Gives the right tool to the right team Optimized for DC data bursts Highly available and resilient Matches security performance to network performance Supports asymmetric traffic. North-south and East-west protection Signature and signatureless protection Reputation-based protection Custom application inspection

7 2. Security Must Address The DC Architecture 76% 17% 7% East West Traffic North South Traffic Inter-DC Traffic 7

8 3. Security Must Adapt As The DC Evolves Changing business models and competitive environments are driving IT organizations down a DC evolutionary path: Virtualization, SDN, NFV, ACI, Cloud But what about security? 8

9 4. Security Must Be Threat Oriented Attack Continuum Before Control Enforce Harden During Detect Block Defend After Scope Contain Remediate Network Endpoint Mobile Virtual Cloud Point in Time Continuous

10 5. Data Centers Don t Exist In A Vacuum Data and threats flow horizontally across a network

11 NSS Labs NGFW Security Effectiveness Source: NSS Labs 2014

12 NSS Labs Next-Generation Firewall Security Value Map The NGFW Security Value Map shows the placement of Cisco ASA with FirePOWER Services and the FirePOWER 8350 as compared to other vendors. All three products achieved 99.2 percent in security effectiveness and now all can be confident that they will receive the best protections possible regardless of deployment. Source: NSS Labs 2014

13 NSS Labs NGFW Throughput Source: NSS Labs 2014

14 NSS Labs NGFW Connection Per Second Source: NSS Labs 2014

15 Security Designed for the Data Center ASAv and ASA 5585-X Cisco ASA Virtual Firewall Full ASA Feature Set Hypervisor Independent vswitch Agnostic Dynamic Scalability Cisco ASA 5585-X Series New: Now with FirePOWER NGIPS services Up to 640 Gbps throughput 16-node, multi-site clustering Clusters managed as a single device Load balancing between physical and virtual ASAs Support Traditional and Next-Gen Data Centers (SDN, NFV, ACI) Fully integrated into ACI APIC-based provisioning, orchestration, and management

16 Secure Data Center for the Enterprise Capabilities Necessary to Defend the Modern Data Center Cisco Collective Security Intelligence Enabled Clustering and High Availability Intrusion Prevention (Subscription) FireSIGHT Analytics and Automation Advanced Malware Protection (Subscription) WWW URL Filtering (Subscription) World s most widely deployed, enterprise-class Cisco ASA stateful firewall Cisco Application Visibility and Control (AVC) with detailed control Network Firewall Routing Switching Application Visibility and Control Built-in Network Profiling Identity-Policy Control and VPN Industry-leading Cisco FirePOWER nextgeneration IPS (NGIPS) Cisco ASA Reputation- and category-based URL filtering Cisco Advanced Malware Protection (AMP)

17 ASA Cluster Scalability A 16 node ASA 5585-X cluster* can deliver up to: Layer-2 Deployment Data Plane 1 2 ASA 5585-X Cluster Master Slave 256Gps of real-world mixed traffic throughput (640Gbps Max) 50M concurrent connections Nexus 7Ks are vpc Peers 3 4 Slave Slave Consistent scaling factor regardless of units in cluster Nexus 7K #1 5 Slave Nexus 7K #2 Handles the expected asymmetric traffic flows found in a modern data centers PC-1 6 Slave PC-1 Integrates with FirePOWER Appliances and Services Modules for AVC and NextGen IPS Slaves 16 Slave *Cisco ASA Software release 9.2 +

18 Cisco ASA Clustering Correct Asynchronous Flows ASA / FirePOWER Appliance Set #1 ASA-1 (5585-X) Inside Firewall Policy Outside Inside Firewall Policy Outside Destination DATA Cluster lookup of flow owner Inside South Context ASA / FirePOWER Appliance Set #2 Firewall Policy South Context Outside Flow Inspection Inside North Context Firewall Policy North Context NGIPS-1 ASA-2 (5585-X) Outside NGIPS-2 CCL DATA Request Reply Source LACP chooses ASA to send packet to Flow Inspection ASA Clustering eliminates the need for a statefull load-balancer in the data center to scale security services performance

19 Redundancy and Scalability Network Integration Performance Redundancy and Scalability Link Device Site

20 Link Scalability Full Flow Asymmetry Support Multiple Uplink Routers Equal Cost Multipath (ECMP) OSPF/BGP routing for rapid failure detection Multiple Physical Links Port Aggregation (EtherChannel) LACP for dynamic bundling and failure detection

21 Device Scalability Redundant Firewalls Cluster Single Logical Firewall Clustering with full state backup Redundant Switches vpc/vss Complete Fault Tolerance Spanned Etherchannel with LACP for ports Non-Stop Forwarding (NSF) for OSPF/BGP Single Virtual Switch Virtual PortChannel (vpc) on Nexus Virtual Switch System (VSS) on Catalyst

22 Site Scalability Site A Site B Local Traffic Processing Inter-site Clustering Clustering with full state backup Site-specific switch connections Endpoint Mobility VLAN Segment Extension Overlay Transport Virtualiation (OTV) Clustering retains connection state

23 Security & Threat Operations Management 1 NetOPS Workflows - CSM 4.6 or ASDM-ASA-On-Box 2 SecOPS Workflows -FireSIGHT Management Center FireAMP Connector (Managed by FMC) NGFW/NGIPS Management Forensics / Log Management Network AMP / Trajectory Vulnerability Management¹ Incident Control System¹ Adaptive Security Policy Retrospective Analysis Correlated SIEM Eventing² Network-Wide / Client Visibility 1 Passive Vulnerability Management and Basic ICS Customer may still choose to invest in a commercial product 2 FMC is NOT a SIEM, while it does provide Correlated SIEM eventing and integrates natively into the SIEM used by the customer Visibility Categories Threats Users Web Applications Application Protocols File Transfers Malware Command & Control Servers Client Applications Network Servers Operating Systems Routers & Switches Mobile Devices Printers VoIP Phones Virtual Machines

24 Simplifying Security Across the Enterprise End-to-End Cisco TrustSec Security vsphere vsphere Data Center WiF i Remote VPN User IT Managed Devices Wireless User Personal Devices Wired User Campus and Mobile Workers User Identity Authorized Users Guest Access Devices ASA firewall learns when new a workload is provisioned and automatic applies security policy Identity Services Engine Allow Limited Access Deny Roles-Based Policies Allow Limited Access Deny Cisco Nexus 7000 Administrator assigns workload to proper group. Switches send update to devices for policy maps. Cisco Security Manager Cisco UCS Director Policies SG Tags Allow Limited Access Deny Slaves Master Cisco ASA 5585-X Firewall Cluster Storage Converged Network Stack Physical Access Compute App O App O App O App O S S S S Cisco Nexus 1000V Tier 1 App O App O App O App O S S S S Cisco Nexus 1000V Tier 2 App O App O App O App O S S S S Cisco Nexus 1000V Tier N Vblocks/ FlexPods

25 Simplified Matrix of Policies Increases Security Destination SGT Source SGT Public Portal (SGT 8) Internal Portal (SGT 9) IT Portal (SGT 4) Patient Record DB (SGT 10) Doctor (SGT 7) Web Web No Access Web File Share HR DB (SGT 5) SQL SSL Web SSH RDP File Share Full Access Simplified policies eases auditability for addressing the compliance challenges of today SQL

26 Capabilities Flow Diagram Malware Flow From User to Server Asset Protections Along the Way Device Posturing FireAMP for file analysis User Logging SGACL Enforcement NetFlow Analysis SGACL Enforcement TrustSec SXP Data Black hole Prevention Operational Efficiency Policy Consolidation Traffic Normalization Asymmetric Traffic Flow Redundancy ASA Cluster Intrusion Prevention Network AMP Application Detection Application Control Indicators of Compromise Retrospection Connection Intelligence File Trajectory Network Trajectory FireAMP on Servers Secure Application Tiering Port Profile SGT Assignments East-West Protection 1 ISE User Identity AD User Identity 5 Mgmt. Defense Center 2 SXP & SGACLs 3 4 SXP 6 On Campus User Campus Core DC Core/Agg ASA D8250 Cluster Mobile User Data Center Servers/Assets

27 Radius HTTPS Cyber Threat Defense for Data Center Global view of infrastructure threats OOB management infrastructure supports relevant traffic flows StealthWatch Management Console VE ISE Policy Manager Cisco ASA cluster monitored from the Cisco Nexus 7000 NetFlow Sources SMC HTTPS NetFlow Security Event Logging (NSEL) on the ASA is optional and complementary NSEL monitors flow creation, flow teardown, and flow denial by ACLs SPAN Sources StealthWatch FlowCollector(s) FC FC FC NSEL was not validated NetFlow Generation Appliance(s) (NGA) Cisco Nexus 1000v Virtual Services Module (VSM)

28 Application Centric Infrastructure (ACI) Flat Hardware Accelerated Network Full abstraction, de-coupled from VLANs and Dynamic Routing, low latency, built-in QoS Flexible Insertion Every device is one hop away, microsecond latency, no power or port availability constraints, ease of scaling Intelligent Fabric Fabric Port Services Hardware filtering and bridging; seamless service insertion, service farm aggregation Unified Management and Visibility ACI Controller manages all participating devices, change control and audit capabilities Files Users Logical Endpoint Groups by Role Heterogeneous clients, servers, external clouds; fabric controls communication

29 Traditional ASA Policy Set Complication Network Admin Add client , call Security Admin to enable access 1 30 ACL Rules Remove client , no other action necessary Clients 2 Add ASA rules for client Security Admin access-list OUT permit tcp host host eq 80 access-list OUT permit tcp host host eq 443 [ ] access-list OUT permit icmp host host Servers HTTP (TCP/80) HTTPS (TCP/443) SSH (TCP/22) SMTP (TCP/25) ICMP 215 ACL Rules access-list OUT permit tcp host host eq 80 access-list OUT permit tcp host host eq 443 [ ] access-list OUT permit icmp host host Original ASA rules never change 4 45 ACL Rules

30 Distributed Port Level Filtering with ACI Network Admin Source Leaf 1, port 1 Leaf 1, port 10 Leaf 2, port 12 EPG Users Users Users Remove client Add client , use standard ASA template Destination Leaf 3, port 2 Leaf 4, port 8 Leaf 5, port 12 Clients Port Rules EPG Servers Servers Servers Service TCP/80 TCP/443 TCP/22 TCP/25 ICMP Advanced policies, limited ACL rules Action Redirect, ASA1 Redirect, ASA1 Redirect, ASA1 Redirect, ASA1 Redirect, ASA1 ASA1 Same 5 port level service rules and actions Create standard ASA advanced policy templates in IFC Servers Security Admin HTTP (TCP/80) HTTPS (TCP/443) SSH (TCP/22) SMTP (TCP/25) ICMP

31 Cisco Secure Data Center Enterprise Cisco Validated Designs that include Scalable performance Simplified policy management Intrusion protection and application visibility Recommended architecture based on best practices

32 Combined Overview of CVD Architecture Enterprise Core Storage SAN Data Cisco Nexus 1000v Virtual Supervisor Module Threat Management with NextGen IPS ASA Clustering with FirePOWER Services CCL Active Directory Identity Services Engine Cisco Security Manager NetFlow Generation Appliances Cyber Threat Defense Secure Enclave Architecture (SEA) FlexPod Four solutions jointly validated to create a complete portfolio

33