Securing Cisco s Network

Transcription

1

2 Securing Cisco s Network Inside Cisco IT Simon Finn, Solutions Architect, Information Security Oisin MacAlasdair, Member of Technical Staff, Information Technology

3 Agenda Cisco Landscape Trends Changing the Security Landscape Architecture Overview Major Programs Data Center Security Application Centric Infrastructure (ACI) Context aware networking ISE

4 Cisco Enterprise and What We Must Protect 400+ cloud/asp providers used (officially) 294 partners using 547 IT extranet connections into Cisco 110k Workforce 165 Countries ~3M IP Addresses IT Applications 215,000 Infra Devices 275,000 Total Hosts 1820 Labs 160+ Acquisitions 312 sites, 450+ buildings 42 Data Centers 16 major Internet connections, ~32 TB bandwidth used daily ~3TB Network Data collected p/day 5,400 Routers, 5,300 Switches 27,000 Home routers 4

5 Trends Elevating the Importance of Security BYOD / Mobile SaaS / Cloud Externalizing Data & Apps Collaboration / Social / Data Analytics Advanced Threats Regulations 5

6 The Threats are Evolving Industry Posture BRKSEC Next Unprotected desktops Unmanaged desktops Malware Worms Rapidly changing and proliferating Network Behavior Disruptive Compromised hosts remotely controlled 2013 Cisco and/or its affiliates. All rights reserved. Proliferating device types Sophisticated Opaquely compromised hosts exfiltrate sensitive data Threat Depth Annoyance Individual host Sensitive infrastructure Industry Response Deploy AV 1) Deploy HIPS 2) Detect botnets via IDS 1) Detect via reputation 2) Automate prevention 3) Detect via behaviour Cisco Public Cloud-connected ecosystem Beyond Windows Hidden in and social networking Embedded 1) Augment detection with intel 2) Detect via precursors 3) Diversify intelligence and methods

7 Transformational Principles Perspectives about security have changed It s a roadblock Security enables the business It s not my problem Everyone needs to own security Technology metamorphoses Disjointed point solutions Integrated architectural play Physical infrastructure slow to change Virtual infrastructure flexible, dynamic, change-ready The office contains all my stuff My mobile devices are my office (Data, Apps, Voice) Video) Architecture approach has changed Perimeters as the control point Identity is the new perimeter Focus on protecting the infrastructure Focus on protecting the data Capabilities not tightly aligned Services, Service Categories, Service Offerings The threats have changed Individuals Hactivism Disparate groups Nation State Capture individual users data Gain access to your Data (and your customer s data)

8 Architecture driving current and future investments IT GOVERNANCE SECURITY OPERATIONS Service Security Prime Role Governance Decision Making Model Next Generation Policies GOVERNANCE Security-IT OM Integration Unified Security Metrics (USM) Operational Security Excellence Policy IDENTITY AND ACCESS Enforcement (Control) KEY CAPABILITIES AND SERVICES SECURE INFRA Compliance (Visibility) DATA SECURITY Foundational SSOT Identity Federated Identity Fine Grain Access Policy Mgmt Strong, Multifactor Authentication Device Profiling, Registration and Posture Assessment Contextual Network/App Access DC Zone Segmentation Data Inventory Data Ownership & Accountability Data Visibility and Control Data Monitoring CAPTURE, DETECT AND CONTAIN Data Collection Anomaly Detection Forensic Analysis 8

9 Security Accountability Metrics Model Service Security Accountability Service Owner Vulnerabilities & Performance Service Execs Unified Service Metrics CIO 99% of all Compromises required moderate-tolittle sophistication Verizon Breach Report Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9

10 Security Analytics Detect Detection Tools Collect Logs and Telemetry IDS Lancope Advanced Malware Blackhole ACL s Syslog DNS WSA Netflow Analyze Playbook Mitigate Remediate SDN Intelligence Industry Intelligence ACI Cisco Law Enforcement BRKRST-2640 Partners 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 Policy Managed Network BRKRST Cisco and/or its affiliates. All rights reserved. Cisco Public 11

12 Defining and Applying Network Policy: Today vs ACI App Sec Net Define policy Today ACI App Sec Net Controller Define policy Net Net Translate policy Instantiate policy } Weeks permit tcp host XX.XXX.X.XXX host XX.XX.XX.XX eq www permit tcp host XX.XXX.X.XXX host XX.XXX.X.XXX eq 443 permit tcp host XX.XXX.X.XXX host XX.XXX.X.XXX eq permit tcp host XX.XXX.X.XXX host XX.XXX.X.XXX eq www permit tcp host XX.XXX.X.XXX host XX.XXX.X.XXX eq 443 permit tcp host XX.XXX.X.XXX host XX.XXX.X.XXX eq permit tcp XX.XXX.X.XXX host XX.XXX.X.XXX eq www Minutes EPG: DB EPG: App Application-centric networking C } Faster Instantiation Better Visibility Tenant Application Network Profile Translate policy Instantiate policy C EPG: Web Portability Re-Usability 12

13 Why Single Fabric? Save on capital and operational costs of physically separate DC environments for DMZ and internal (and potentially other security perimeters) Enable automation and other benefits across the board that ACI is attempting to bring Faster application deployment Application health score Lower complexity for orchestration Larger resource pools Spare resources available to me moved to where its needed irrespective of domain Greater flexibility Some application architecture visibility enhancements Service chains Application health scores

14 Single Fabric Risks Large fault domain Resilience in product architecture Potential impact from less trusted zones on trusted zones Fabric needs to protect itself from errant nodes/leafs Logical controls being bypassed (previously physical controls) User error, use limited fabric consumer privileges via ARBAC Administrator access too broad, use granular administrative controls Malicious user, need trust in logical controls, auditing

15 The Context Aware Network

16 Why now? Evolution of the borderless enterprise 400 Cisco sites => 29,000+ (including CVO) Persistent endpoint connectivity with AnyConnect Work is no longer somewhere you go. It s something you do Emergence of cloud computing Location of data no longer fixed Mixture of internal & external cloud services & data repositories BYOD & proliferation/commoditization of endpoints

17 Cisco s current device landscape (Dec 31, 2013) 122,694 79,969 7,943 34,782 Corporate Provided Laptops (CYOD) 67,663 Personally Owned Mobile Devices 16,688 35,251 14,309 4, Other 894 (BYOD)

18 Identity and Context Identity Context Access + Device = Location Job Role

19 Why the Context Aware Network? Identity is the new perimeter and Device is the new office Old model relying upon hardened and clearly defined perimeter no longer viable or secure Users are productive based on their endpoint, not only their location No access layer security on our LAN Particularly concerning in IP Control Zones (ICZ); ie, heightened risk geographies No visibility of users or devices No ability to confirm compliance ( posture validation ) ISE allows us to manage access to Network via 802.1X (ie, user s identity) Locations or zones via Secure Group Access (ie, user s role) Data or applications Enables entire future network access strategy Trusted Device Standard etc

20 The four stages of the journey Identity of a device on the network Quantify the risk 1. Profiling 2. Authentication User and end device attribution Identification of end points on Wireless connections Device security posture identification Allows for better policy & security decisions 3. Posture 4. Enforcement Ability to enforce policy decisions based on context Untrusted devices have restricted access ISE 1.2 Profiling ISE X ISE X Auth Mode MDM ISE X Auth Mode MDM FY13/14 FY14 FY15 FY16

21 Cisco IT are delivering multiple capabilities with ISE ION Restrict unauthorized devices & users to Internet access only Profiling Ability to identify users and devices on our network Endpoint Protection Protect the network from infected devices Access Control Authentication on wired & wireless networks BYOD Support Trusted Device Standard and enable BYOD

22 Cisco IT deployment lessons learned Avoid the Big Bang Too many new capabilities to enable in a single deployment. ISE Deployment Bundle model Capabilities have been grouped into bundles to enable targeted & manageable deployments Multiple clusters consolidated Partner with the business and tailor deployment to use single cluster where possible Start with one cluster and add more if necessary Global Infrastructure Foundation Deploy global VM infrastructure and ISE servers first Enable features (based on ISE Deployment Bundles ) theatre by theatre ION enabled and deployed globally

23 Q2 FY14 Q3 FY14 Q4 FY14 Q1 FY15 Q2 FY15 Q3 FY15 Q4 FY15 Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul ION EPS Pilot (China ICZ, EIC) Global Profiling (Global) 802.1X Monitor Mode (Global) 802.1X Auth Mode (Global Wireless) 802.1X Auth Mode (ICZ s) 802.1X Auth Mode (ROW) CVO Auth on ISE (Global) Current Challenges Platform OS support Scalability MDM integration Upcoming enhancements Scalability improvements Guest enhancements REST API enhancements

24 Q & A

25 Complete Your Online Session Evaluation Give us your feedback and receive a Cisco Live 2014 Polo Shirt! Complete your Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site Visit any Cisco Live Internet Station located throughout the venue Polo Shirts can be collected in the World of Solutions on Friday 21 March 12:00pm - 2:00pm Don t forget to activate your Cisco Live 365 account for access to all session material, communities, and on-demand and live activities throughout the year. Log into your Cisco Live portal and click the "Enter Cisco Live 365" button. 25

26