Security for shared infrastructure in Cisco ONE Enterprise Cloud Suite BRKPCA-2040

Transcription

1

2 Security for shared infrastructure in Cisco ONE Enterprise Cloud Suite Roxana Diaz TSA, CCIE

3 Agenda Introduction Cisco VACS Overview VACS Configuration Security Use-cases Customers Conclusion

4 Agenda Introduction Cisco VACS Overview VACS Configuration Security Use-cases Customers Conclusion

5 Introduction

6 Journey to Cloud Virtualization Private Cloud Hybrid Cloud Enhanced virtual networking Segregation of duties Better visibility Automation Self Service Secure Segmentation Secure DC extension to public cloud Ecosystem of public clouds N1KV/VSG Standalone N1KV/VSG/CSR1KV VACS (in CECS) N1KV Cloud VEM/VSG/CSR1KV (in CECS) Cloud Services Platform DC and Cloud Network Function Virtualization Platform CECS Cisco Enterprise Cloud Suite / VSG Virtual Security Gateway N1KV Nexus1000v DVS / CSR1KV Cloud Services Router 1000v BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 6

7 Cisco Enterprise Cloud Suite Automate Compute, Network, ACI, Storage & Virtual (UCSD) Enterprise Data Center Infrastructure BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 Cisco Enterprise Cloud Suite Automate Compute, Network, ACI, Storage & Virtual (UCSD) WEB APP DB Enterprise Data Center Infrastructure BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 BRKPCA

10 Cisco Enterprise Cloud Suite Self-service Catalog (PSC) Dashboard (UCSD) Secure Application Segmentation (VACS) Automate Compute, Network, ACI, Storage & Virtual (UCSD) WEB APP DB Enterprise Data Center Infrastructure BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 Agenda Introduction Cisco VACS Overview VACS Configuration Security Use-cases Customers Conclusion

12 Cisco VACS Overview

13 Cisco Virtual Application Cloud Segmentation (VACS) Services Secure segmentation in minutes on shared infrastructure Simplified virtual networking and security Unified virtual services licensing: cost-effective solution BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 13

14 Secure Segmentation in Minutes on Shared Infrastructure Current physically segmented architecture Virtual segmentation with VACS Physical segmentation results in longer provisioning time and under-utilized resources Virtual segmentation independent of physical topology Procure, rack, stack and provision individual devices Enforced by best in class virtual networking and security services VACS VACS Secure segmentation in mins on shared infrastructure Vcenter Simplified virtual networking and security Unified virtual services licensing: cost-effective solution Vcenter BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 14

15 Simplified Virtual Networking and Security on Shared Infrastructure Current provisioning model VACS Provision subnet / NAT / Routing Provision VIP Provision FW rules / GW Vcenter BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 Simplified Virtual Networking and Security on Shared Infrastructure Current provisioning model Wizard based provisioning model with full life cycle mgmt. of virtual services No longer have to configure individual components. VACS does it for you. VACS VACS Provision subnet / NAT / Routing Provision VIP Provision FW rules / GW Vcenter Vcenter BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 16

17 Unified Virtual Services Licensing Per Server Based Current pricing schema makes virtual services cost prohibitive Every vendor has different licensing schema Per instance based Expensive as throughout increases BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 17

18 Unified Virtual Services Licensing Per Server Based Current pricing schema makes virtual services cost prohibitive Every vendor has different licensing schema Per instance based Expensive as throughout increases VACS Automated Provisioning and Orchestration Cisco UCS director Load-balancer HA Proxy Routing/Edge FW Cisco CSR 1000V Or Cisco ASAv Zone based FW Cisco Virtual Security Gateway Unified Licensing Per Server Based* Create as many instances as you need with up to 10G throughput!** Virtual Fabric Cisco Nexus 1000V Platform for Distribute FW BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 VACS Delivering Secure Virtual Network aas (SvNaaS) Virtual Secure Network aas with complete Automation and Life-Cycle- Management Load Balancer aas Out-of-Box HA Proxy Integration VACS Routing aas Out-of-Box CSR1000Vor ASAv routes and GW Edge Firewall aas Out-of-Box ASAv or CSR1000V IOS XE FW Web application Web-1 w w w w w w Web application Web-2 Web-1 zone Web-2 zone Public Design App-1 (VM3) App-1 zone App-2 zone Confidential Design App-2 (VM4) Micro Segmentation aas Create Security Group VXLAN or VLAN based BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 19

20 Agenda Introduction Cisco VACS Overview VACS Configuration Security Use-cases Customers Conclusion

21 VACS Configuration

22 Deeper View: VACS Containers 3-Tier (Internal) Template Upstream Router Routing EIGRP or Static VACS 3 Tier App Container (Internal) CSR 1000V VLAN 10/ VXLAN 101 VSG Zone-based FW HA Proxy HTTP(s) LB Web Zone App Zone DB Zone BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 Deeper View: VACS Containers 3-Tier (Internal) Template Upstream Router Routing EIGRP or Static VACS 3 Tier App Container (Internal) CSR 1000V VLAN 10/ VXLAN G Throughput NAT (Optional) L3 Routing EIGRP or Static Edge FW Monitoring Features Permit VSG Zone-based FW Deny HA Proxy HTTP(s) LB Web Zone App Zone DB Zone BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 Deeper View: VACS Containers 3-Tier (External) Template Upstream Router Routing EIGRP or Static VACS 3 Tier App Container (External) CSR 1000V VLAN 10/ VXLAN 101 VSG Zone-based FW HA Proxy HTTP(s) LB Web Zone App Zone DB Zone BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 24

25 Deeper View: VACS Containers 3-Tier (External) Template Upstream Router Routing EIGRP or Static VACS 3 Tier App Container (External) CSR 1000V VLAN 10/ VXLAN 101 VSG Zone-based FW 10G Throughput NAT (Optional) L3 Routing EIGRP or Static Edge FW Monitoring Features HA Proxy HTTP(s) LB Web Zone App Zone DB Zone BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 25

26 Custom VACS Containers Template Upstream Router Routing EIGRP or OSPF or Static VACS Custom Container CSR 1000V VLAN 10/ VXLAN 101 VSG Zone-based FW NAT (Optional) L3 Routing EIGRP or OSPF (P2) Edge FW Monitoring Features HA Proxy Any Zone LB Zone 1 Zone 2 BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 26

27 Gateway choices with VACS Flexibility in combining VACS services with user-deployed services Built-In Virtual GW Physical Gateway Other Virtual Gateway V M V M V M V M V M V M V M V M V M VACS VACS VACS OR CSR 1000v ASAv Physical GW ASA/Checkpoint, PAN External Virtual GW vpan, vgw Full firewall capabilities via ASAv integration with up to 2Gbps throughput BYOL license for ASAv BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 27

28 VACS Holistic Approach to Workload Segmentation Rich Ecosystem with Simple Setup Based on UCS Director (included with Cisco Enterprise Cloud Suite license) Nexus 1000V, Virtual Security Gateway, ASAv, CSR1000v ASA, FirePOWER Threat Defense roadmap items BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 28

29 How to Segment the Virtual Switch Wizard Driven with Template Based Policy Definitions BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 29

30 How to Segment the Virtual Switch Wizard Driven with Template Based Policy Definitions BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 30

31 Completed VACS Template Summary BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 31

32 Auto-Documentation Dynamically Track Services and Virtual Machines Real-time Report of Container Configuration Organized by Policy, Per VM Mapping/Tracking BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 32

33 Holistic Environment Control Simplified Day-2 Operations Spin Environment Up/Down Reclaim Resources Seamlessly Add VM s to Tiers (Tie VM into Services) Manage Firewall Rules from Same Console BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 33

34 Agenda Introduction Cisco VACS Overview VACS Configuration Security Use-cases Customers Conclusion

35 Security Use-cases

36 Traditional approach to Security o Traditional firewalls designed to keep threats out of the network o Virtualization lateral movement 1 Public Web application Web-1 Public DB (DB-1) o M&M model Once across the perimeter firewall, malware is essentially free to propagate across the entire data center o Hackers are increasingly piggybacking malicious payloads atop legitimate traffic. Bob Alice www www Confidential Web application Web-2 Confidential DB (DB-2) Physical Infrastructure o Need for double protection strategy make security ubiquitous BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 36

37 Introducing Micro-segmentation Web application VM1 ww w www Public DB (VM3) Granular Control + Operationally Simpler Web application VM2 Confidential DB (VM4) = micro-segmentation strategy Prevent Lateral (server-server/ VM - VM) threat movement BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 37

38 Micro-segmentation with VACS Micro-segmentation in a few Clicks Web application Web-1 ww w Web-1 zone Public DB DB-1 (VM3) DB-1 zone Define Zones Add VMs www Web-2 zone DB-2 zone Apply zone based policies Web application Web-2 Confidential DB DB-2 (VM4) Source Destinatio n Policy Web-1 DB-1 Allow Web-2 DB-2 Allow Web-1 DB-2 Drop Web-2 DB-1 Allow BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 38

39 Demo

40 BRKPCA

41 ASAv Support in VACS Upstream Router VACS 3 Tier App Container (Custom) ASAv Up to 2G Throughput L3 Routing Edge FW VLAN 10/VXLAN 101 VSG Zone-based FW HA Proxy HTTP(s) LB Web Zone App Zone DB Zone All ASAv Day 0 operations supported with VACS Custom containers Support for all ASAv license levels (ASAv5, ASAv10, ASAv30) BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 41

42 CSR1Kv vs ASAv Gateway features CSR1Kv ASAv License Included as part of VACS license BYOL Smart License, not included as part of VACS Throughput 10 Gbps Up to 2Gbps based on ASAv license Features All IP features Basic Security featurs : ACL, AAA, RADIUS, and TACACS+, ZBFW, ALG High Availability Using HSRP Stateful HA VACS container support Internal, External, Custom Custom Full-feature ASAv with complete perimeter firewall functionality VACS Container Sizing N/A Depends on ASAv license level o Small ASAv5 o Medium ASAv10 o Large ASAv30 Default ALG support Supported only in non-ha mode Default : HTTP, HTTPS, FTP, DNS, ICMP Additional : SQLNET, MSSQL, LDAP Default : FTP, DNS, SQLNET, H323 H225, H323 RAS, IP-OPTIONS, NETBIOS, RSH, RTSP, SKINNY, ESMTP, SUNRPC, TFTP, SIP, XDMCP Additional : ICMP, HTTP, IPv6, MGCP and more BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 42

43 Evolution of truly Secure Segmentation VACS domain + physical ( mixed environment) Existing customer base with TrustSec (Cisco ISE) focused on Physical Network Elements (NX7k/6k/5k, Catalyst) Extend the segmentation to virtualized applications Why Secure Group Tags are not effective with virtualization Physical segmentation will reach to Presentation Tier Physical segmentation extended across all Application Tiers is NOT secure from folks like Bob BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 46

44 Extend Cisco TrustSEC to Virtual Infrastructure with VACS Security Group Combined Virtual & Physical Micro Segmentation defined in a simple policy table or matrix automated with VACS or ISE Scalable architecture w/out increase in operational complexity Applied across Catalyst (Campus and Branch) and Nexus (Data Center) with VACS independent of the topology Security Firewalling with ASA or ASAv Segmentation defined in a simple VACS Integration with Cisco policy table TrustSEC or matrix Applied across Nexus VACS can Consume or Create 7000/5500/2000/ the SecureGroupTags VACS independent of the topology deployed on the switches through ISE ASAv is aware of all the zones Stop attack at the virtual perimeter SGACL enabled Device Virtual Enforcement w/ VACS Physical Servers Data Center Core Layer DC Access Layer DC Aggregation Layer DC Service Layer SGACL enabled Device SG Firewall enabled Device BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 47

45 Extending micro-segmentation to physical domain 1. VACS creates a container with Web application VM1 App VM3 Public Design DB (DB1) Web and App Tiers www 2. Get the Zone to IP mapping for both zones from VSG www 3. Program the NX1kV with IP to Web application VM2 App VM4 SecureGroupTag mapping Confidential Design DB (DB2) 4. Program the Bare Metal DB zone SecureGroupTags on N5K to be granular 5. Program firewall rules (ACLs) VACS on N5K ASAv Nexus 5000 SXP Cisco ISE ( Identity Services Engine) BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 48

46 Agenda Introduction Cisco VACS Overview VACS Configuration Security Use-cases Customers Conclusion

47 VACS Customers

48 Cedacri Cloud service provider in Italy VACS through Cisco Enterprise Cloud Suite enabled Cedacri to onboard new customers 90 percent faster while ensuring security compliance Cisco VACS gives us the speed and agility we need to stay ahead in a competitive cloud market. Customer benefits: Multi-tenancy in minutes Zero trust security using microsegmentation Differentiating the service provider cloud - Alessandro Spigaroli, Head of Architecture & Innovation, Cedacri BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 51

49 Lightedge Solutions IT service provider to businesses in United States With UCSD + VACS we were able to take a complex, multi-zone IT platform with over 20 unique security zones and deploy a fully functional replica of this environment in hours. Prior to UCSD+VACS this same deployment, using manual procedures and physical security devices, took well over 60 days to deliver to our customer Customer benefits: Building a custom cloud environment with self-service capabilities Secure Segmentation for their business customers Security policy compliance - Mike McHenry VP Cloud and Cloud Architecture, LightEdge BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 52

50 Agenda Introduction Cisco VACS Overview VACS Configuration Security Use-cases Customers Conclusion

51 Conclusion

52 Summary VACS is the security pillar of the Cisco Enterprise Cloud Suite VACS provides micro-segmentation today across a common hypervisor environment (Cisco NX1kV) VACS is the most Effective Tool to achieve Secure Segmentation and enhanced automation in a journey to ITaaS Reach out to your Cisco account team for further assistance! Try it out in dcloud (access available to those with a cisco.com login) BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 55

53 Q & A

54 Complete Your Online Session Evaluation Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online BRKPCA Cisco and/or its affiliates. All rights reserved. Cisco Public 57

55 There has never been a better time to effectively segment workloads Thankyou

56