How a Programmable Network and SDN Help Solve Critical Security Infrastructure Requirements

Transcription

1

2 How a Programmable Network and SDN Help Solve Critical Security Infrastructure Requirements Session ID 18PT John Manville, SVP Global Infrastructure Services Steve Martino, VP Chief Information Security Officer Liz Kiewiet, Network Engineer IT Infrastructure

3 Cisco Enterprise and What We Must Protect 100k Workforce 400+ cloud/asp providers used (officially) 294 partners using 547 IT extranet connections into Cisco 165 Countries ~3M IP Addresses IT Applications 215,000 Infra Devices 275,000 Total Hosts 1820 Labs 150+ Acquisitions 16 major Internet connections ~32 TB bandwidth used daily ~3TB Network Data collected p/day

4 Pervasive Security: A Journey Not a Destination Consumerization Any Application Device Vulnerability Any Mobile Place Device Management Access Control Point IT Social Video Access Control Point Service Providers Transport Data Loss Prevention XaaS Identity Federation Any Firewalls Time Social Enterprise ACL Management Filtering Data Video External Threats DDoS IPS/IDS Hobbyist Activist Criminal Sponsored

5 Cisco s Pervasive Security: Top-Level Architecture View IT GOVERNANCE Service Security Prime Role Governance Decision Making Model Next Generation Policies GOVERNANCE SECURITY OPERATIONS Security-IT OM Integration Unified Security Metrics (USM) Operational Security Excellence Policy Enforcement (Control) Compliance (Visibility) KEY CAPABILITIES AND SERVICES IDENTITY AND ACCESS Foundational SSOT Identity Federated Identity (inbound/outbound) Fine Grain Access Policy Management Strong, Multifactor Authentication SECURE PATH Device Profiling, Registration and Posture Assessment Contextual Network Access DC Zone Segmentation DATA SECURITY Data Inventory Data Ownership & Accountability Data Visibility and Control Data Collection CAPTURE, DETECT AND CONTAIN Anomaly Detection Forensic Analysis

6 Expanding Accountability Service Security Primes CSO of the Service Single point of accountability Increase communication and awareness around security Partner Security Architect Security SMEs Security architecture reviews Trusted advisors Service Security Prime 1 or more Primes Service Executive Service Owner GOVERNANCE InfoSec Team Establishes security technology baselines Formal approval for exceptions Establishes corporate security policies and guidelines

7 Expanding Visibility - Unified Security Metrics IT Service Owners and Security Primes IT Service Executives Service Review Service Security Score Cards, Pending Mitigation Vulnerability-Performance Metric and Trending, Top 10 Vs. Bottom 10 Ensuring Consistency Across All Reporting Areas GOVERNANCE Performance Metric ( Aging ) and Trending

8 Identity Is The New Perimeter Manager Trusted Device Trusted Connection Full Access No Restrictions Engineer Semi-trusted Devices Trusted Connection Policy Decision Point ISE Limited Access No HR & Finance Internet Only Access IT Analyst Untrusted Devices Untrusted Connection IDENTITY AND ACCESS

9 Contextual Policy - The New Control Algorithm People Roles Who are you and privileges BYOD Profile, Posture = Trust LOCATION Trusted, VPN, Untrusted WHAT DO YOU WANT Where do you want to put it What You Get, When You Get It, From Where and On What SECURE PATH

10 Data Governance Security Framework Governance Foundational Data How data is governed Laws, contracts, and policies impose requirements on the data Roles, responsibilities, ownership, etc. sets the accountability Training, awareness, and metrics manages behavior Securing the foundation System security Monitoring and response Risk management Protect the core Manage use of data throughout the life cycle (i.e. collection disposal) Access and rights management Masking and redaction Encryption DATA SECURITY

11 Are You Protecting 100% of Your Assets 5% Security Challenges Managed/Unmanaged Desktops Spam/Malware DDoS Compromised Hosts Remotely Controlled Rapidly Changing Environment 95% 95% Foundational Solutions Anti-virus Firewalls IDS/IPS IronPort WSA/ESA Host Based IDS Log Capture/Analysis Incident Response Team CAPTURE, DETECT AND CONTAIN

12 Are You Protecting 100% of Your Assets Advanced Threats Targeted Spear Phishing Trojans Watering Hole Attacks Social Networking Attacks Nation State Attacks Security Challenges Managed/Unmanaged Desktops Spam/Malware DDoS Compromised Hosts Remotely Controlled Rapidly Changing Environment 5% 95% 95% Evolving Solutions Expanded Data Collection Netflow, IP-Attribution, DNS Big Data Analysis & Playbooks DNS/RPZ, Quarantine Dedicated APT Team Advanced Malware Detection On-line Host Based Forensics Foundational Solutions Anti-virus Firewalls IDS/IPS IronPort WSA/ESA Host Based IDS Log Capture/Analysis Incident Response Team CAPTURE, DETECT AND CONTAIN

13 Key Takeaways Expanded accountability is a must need everyone to own security and do their part (Security Primes) Expanded visibility on true risk and impact motivates people to do their part (Unified Security Metrics) Identity is the new perimeter; hence policy management must be scalable and agile (ISE) The endpoint is the new office focus protection and control (ISE) Data is the holy grail must have ownership, accountability and visibility Detection and mitigation capabilities must keep pace

14 Future Investments Emerging Challenges Cloud-connected Ecosystem Encrypted Protocols SSL Malware Evolving to Avoid Network Detection Insider Threats (partners and employees) Developing Solutions Federated Identity & Behavioral Based Monitoring Bigger Data Analytics Software Defined Networking (SDN)

15 DEMO

16 DEMO Credits: Michael Anderson Manny Garcia Joris Roovers Michael Scheck

17 Cisco Approach to Programmable Networking Approach 1 Approach 2 Approach 3 Apps Apps Apps APIs Controller Other Agents Virtual Overlays Physical and Virtual Network Tightly-Coupled Hardware and Software OpenFlow Device Device with OpenFlow Device Loosely-Coupled Hardware and Software Network Logical/Overlay Networks

18 Network Programmability Standards are Critical Technical Advisory Group Chair, ONF Working Groups: Configuration, Hybrid, Extensibility, Futures/FPMOD/OF2.0 Openstack Overlay Networking Projects, Cisco Innovations: FEX Architecture Organization IETF Open Source Cloud Computing project OpenDaylight Cisco Leadership/Contributions for Open and Programmable Networking Harden OpenFlow spec Technical Advisory Group Chair Hybrid Group Chair Major contributions to Quantum networking APIs Open Network Research Center at Stanford University Note: Very little standardization in hypervisor technologies (live migration, config, APIs) Working Groups: Quantum API Donabe Cisco Innovations: OpenStack API for Nexus OpenStack Extensions Overlay protocols LISP, OTV, VXLAN Overlay Working Groups: NVO3, L2VPN, TRILL, L3VPN, LISP, PWE3 Donated our core Cisco ONE controller code; official open sourcing of API Working Groups: code under the Eclipse Public License NETCONF, ALTO, CDNI, XMPP, SDNP, I2AEX Controller Working Groups: PCE, FORCES

19 Network Evolution, Not Revolution What s Working Today Evolving for Emerging Requirements Resiliency Scale Rich feature set Operational simplicity Cohesive architecture for programmability Automated deployment Software upgrades on existing network devices Dynamic changes Application awareness Real-time visibility to network intelligence

20 Example: Evolution of Branch Offices Current 450+ Offices; 25,000 Employees Future Ship It, Rack It, Auto-Configure It Manual device configuration Static policies No application awareness Limited, reactive network metrics Standardized infrastructure components Zero-touch deployment Lower skilled staff on site Dynamic policy based on application awareness Rich network metrics to influence policy Network programmed to optimize user experience Significant deployment cost savings Network TAP capability

21 Journey to Network Programmability/SDN Standardization Flexible bandwidth provisioning Pervasive IPv6 Integrated wired and wireless management Automation User policy and profiling Self-registration guest networking Zero-touch deployment Hitless upgrades inside and outside data center Application Awareness End-to-end media control Dynamic quality of service Network customization Virtual application overlay Internetwork Programmability Internet of Things (IoT) Stateful Intercloud application mobility Rich media traffic steering WE ARE HERE PHASE 1 PHASE 2 PHASE 3 PHASE 4

22 Some Non-technical Implications of SDN Equipment Talent and Organization Structure Ecosystem Budget SDN feature set addition mainly done via software upgrade Skillset will evolve more computer science professionals and leaner teams Multiple companies will have opportunities to develop feature rich capabilities on top of existing platforms SDN is another way to keep responding to TCO pressure

23 Cisco IT s Use Case Inventory Platform API Traffic Steering Threat Detection and Mitigation Enterprise Tap Deep Packet Inspector Dynamic ACL Management Cloud Identity Connector (Security Identity) Controllers & Agents Network Tap Aggregator OF Based GSLB/OF Based Site Selection Source and Destination Based Routing Video Video Resource Control Reservation Enterprise Tap Video Resource Control at Session Initiation Video Resource Control Mid- Session Network Feedback to Video Endpoint Automated Decision Making for Video Streaming; Bit Rate and Unicast versus Multicast SBC Traffic Steering Traffic Steering for UCV Service Infrastructure Mobile Device Network Selection Session based Dynamic Network QoS B2B and B2C Connectivity Dynamic Queue Resizing Security Operational Excellence as Related to Security Events Mapping the Network Management of ACLs Across Platforms Flexible Network Monitoring Traffic Capture, Filtering, and Distribution Network-Based Threat Mitigation Management of Distributed IDS/IPS Network Tap Aggregator Distributed Compute in Branch Offices or IDCs Management of Cloud Connectors Flexible Encryption SGA/SGT Tagging and Action Data Protection via Automated Classification of Data Types Dynamic Queue Resizing Insertion of Man in the Middle for Monitoring Purposes Business Applications DevOps Automation As a Service Context Aware Network Fraud Detection Multi-Channel Campaign Context-Aware Ads and Displays Contextual Ads through intelligent IP Set-Top Boxes Video Social Graph WPR Automated IP Camera Provisioning and Maintenance Many of Cisco IT s use cases not only require programming the network to the desired or optimal behavior but also seek to extract the enormous amount of information and intelligence contained in the network infrastructure.

24 Use Case: Traffic Steering for Branch Offices Scenario 0: Default Network Behavior Only Primary Policy Data Center PC Backup Secondary path only used if primary path fails Route Policy Engine Primary Path Enterprise Network Secondary Path WAN GW 1 WAN GW 2 Presentation Engine Cisco OnePK Application Structure Voice/Video/Data Clients

25 Please visit the Cisco Live IT booth #1552 SDN Focus Session: 3-5 pm, Wednesday, June 26th

26 Q&A

27