Segmentation, Threat Defense, Visibility

Segmentation:
- Establish boundaries: network, compute, virtual
- Enforce policy by functions, devices, organizations, compliance
- Control and prevent unauthorized access to networks, resources, applications

Threat Defense:
- Stop internal and external attacks and interruption of services
- Patrol zone and edge boundaries
- Control information access and usage; prevent data loss and data modification

Visibility:
- Provide transparency to usage
- Apply business context to network activity
- Simplify operations and compliance reporting
Security use cases:
1. Secure Internal Zone from External Zone
2. Secure Data for Compliance
3. Secure Application Tiers
4. Secure Multitenancy

Figure: Internet, Cisco VXI Campus/Data Center, vPC pairs, firewall contexts CTX1/CTX2 and VDC1/VDC2; application tiers Front-End (Presentation), Web Tier (Business Logic) and DB Tier (Data Access); Extranet with Vendor and Partner
Data Center Edge
- Physical delineation for all ingress and egress into the core of the DC
- Traditional security models apply to North-South protection

Aggregation Layer
- Initial filter for all ingress and egress to DC services and compute (North-South protection)
- Stateful filtering and logging for all ingress and egress traffic flows
- Physical appliances can be virtualized and applied to server enclaves

Services Layer (option)
- Additional services location for server-farm-specific protection and other potential zones

Traditional Edge Security / Internal Zoning / Virtual Network and Access
- Virtual firewall, zone/enclave-based filtering
- IP-based access control lists
- VM attribute-based policies; policy should follow the VM
- East-West protection
DC Edge: Internet, IP-NGN (BBG), Partners

DC Core / DC Aggregation (VDC, VRF, VLAN/802.1q, Firewall/IDS partitioning)
- VRF-lite implemented at the core and aggregation layers provides per-tenant isolation at L3
- VDC to segregate and virtualize the equipment
- Network separation: per-tenant routing and forwarding tables (VRF); VLAN IDs and 802.1q tags provide isolation and identification of tenant traffic across the L2 domain
- Defense in depth per consumer (front-end ASA, back-end VSG)

DC Access (VLAN/PVLAN) and Virtual Access (FEX/A-FEX/VM-FEX)
- Compute separation: vNICs, VLANs, port profiles

DC Virtual Access (VXLAN, virtual FW)
- Storage separation: VSAN, FC zoning, LUN masking, vFilers
- Application tier: logical and physical segmentation with L2/L3 firewalling and security zoning

Figure legend: Layer 3; Layer 2 (10GE); 4/8 Gb FC
ASA FW and NGIPS
- Control North/South traffic with ASA 5585
- Scale and HA with clustering
- Inspect North/South traffic with NGIPS
- Segment and protect virtual enclaves with ASAv and vNGIPS

Figure: physical hosts
CTD: Cisco Cyber Threat Defense
Leverage your Cisco infrastructure to fight advanced, pervasive threats

Figure: Clustering, NGIPS, ASA FW, TrustSec with Security Group Tagging (SGT), NGA, Virtual FlowSensor, ISE; Simplify, Accelerate, Automate, Standardize
Figure: SGT propagation. ISE classifies users and devices (Directory) and assigns an SGT; the tag travels with the data (Data + SGT:5) through the switch, router, DC FW and DC switch, where enforcement is applied. Tags shown: Fin Servers SGT = 4, SGT = 5, HR Servers SGT = 10.
Cluster Control Link
Sourcefire on 5500-X (software) and on 5585-X (blade)
Subscriptions: Threat (IPS), AVC, URL Filtering, AMP
ASA 9.2: increased clustering size and performance
* Estimated maximum with jumbo frames and no asymmetric traffic
Dark fiber could be connected to the core/aggregation or to a dedicated services layer. Each option has pros and cons depending on the environment.

Figure: DCI with dark fiber (RTT < 10 ms, < 100 km). DC Edge; internal DC zone(s); DC Core VDC (routed) on Nexus 7000; double-sided vPC over dark fiber (10G-400G); Inter-DC FW cluster of ASA5585-X joined by the CCL; DC Aggregation Layer VDC with Nexus 5000/2000; Compute Access Layer with Nexus 1000V, Cisco UCS, VSG and ASA 1000V in 10 Gig server racks.
Figure: DCI with OTV, extranet (RTT < 10 ms, < 100 km). OTV VDC on Nexus 7000 provides Layer 2 extension (OTV); DC Core VDC (routed); Inter-DC FW cluster of ASA5585-X joined by the CCL; DC Aggregation Layer VDC with Nexus 5000/2000; Compute Access Layer with Nexus 1000V, Cisco UCS, VSG and ASA 1000V in 10 Gig server racks.
Figure: Data Center A and Data Center B joined by an L2 or L3 interconnect (RTT < 10 ms, < 100 km); FabricPath spine and leaf; ASA cluster spanning pods A1-A3 and B1-B3; Compute Access Layer.
Data Center Design Zone: http://www.cisco.com/go/vmdc
Source: Cisco Global Cloud Index 2012
Proven Cisco security, virtualized: physical and virtual consistency
- Collaborative security model
- Cisco Virtual Security Gateway (VSG) for intra-tenant secure zones
- Cisco ASA 1000V for tenant edge controls
- Transparent integration with the Cisco Nexus 1000V switch and Cisco vPath
- Scale flexibility to meet cloud demand: multi-instance deployment for scale-out across the data center

Figure: Tenant A VDC and Tenant B VDC, each with Cisco VSG instances in front of vApps and a Cisco ASA 1000V at the tenant edge
- Parity to the physical form-factor feature set
- Scaling through virtualization
- Up to 10 vNIC interfaces
- Crypto in software
- SDN and traditional management tools
- Scales to 4 vCPUs and 8 GB of memory
- Ability to manage one policy on both physical and virtual ASAs
- Removed clustering and multiple context mode
ASA Open Security Platform

Figure: hypervisor support, orchestration frameworks and system management (CSM, PNSC) use a read/write southbound API; multi-tenant and application aware; ASA published device management package for ACI; standards-compliant monitoring features
Figure: ASAv (Active) and ASAv (Standby)
Routed Firewall
- Routes traffic between vNICs
- Maintains ARP and routing tables
- Tenant edge firewall

Transparent Firewall
- VLAN or VXLAN bridging/switching
- Maintains MAC-address tables
- Non-disruptive to L3 designs

Service Tag Switching
- Applies inspection between service tags
- No network participation
- Fabric integration mode
ASAv phased release: 9.2.1; 9.3.1/9.3.2
Figure: administrative roles and zones. Cloud Admin (Cloud); Application Admin (Application: Web Tier, App Tier, DB Tier); Security Admin (Security: External Zone, DMZ, Trusted Zone, DB Tier); Network Admin (Infrastructure)
Figure: the same roles over a common pool of resources. Cloud Admin (Cloud); Application Admin (Application); Security Admin (Security: External Zone, DMZ, Trusted Zone, DB Tier); Network Admin (Common Pool of Resources)
Flat Hardware-Accelerated Network
- Full abstraction, decoupled from VLANs and dynamic routing; low latency; built-in QoS

Intelligent Fabric (Cisco Nexus 9000)
- Flexible insertion: every device is one hop away, microsecond latency, no power or port availability constraints, ease of scaling

Fabric Port Services
- Hardware filtering and bridging; seamless service insertion; service farm aggregation

Unified Management and Visibility
- The ACI Controller manages all participating devices, with change control and audit capabilities

Logical Endpoint Groups by Role (Apps, Users)
- Heterogeneous clients, servers, external clouds; the fabric controls communication
Figure: ACI fabric with spine nodes, leaf nodes and a virtual leaf; EPG Internet and EPG apps as service producers, EPG Users as service consumers
A platform approach to data centre infrastructure

Figure: hypervisor management, automation tools, orchestration frameworks and system management read/write all fabric information through the APIC, which is tenant and application aware; security via ASA; published data model; open source; industry-standard compliant
Single Point of Management
- Different administrative groups use the same interface, with a high level of object sharing (Application Policy Infrastructure Controller, APIC)

Define Endpoint Groups (Apps, Users)
- Any endpoints anywhere within the fabric, virtual or physical
- The security administrator defines generic templates in APIC, made available to contract creation

Define Contracts Between Endpoint Groups (policy contract between Users and Apps)
- Port-level rules: drop, prioritize, push to a service chain; reusable templates

Fabric Rules Programmed from the Contract (ACI fabric ingress)
- Hardware rules on each port, security in depth, embedded QoS
- Single-pass firewalling with flow-specific policy
Endpoints in group WEB (consumer) can access endpoints in group APP SERVER (provider) according to the rules specified in the contract. A contract specifies rules and policies on groups of physical or virtual endpoints without knowledge of specific identifiers and regardless of physical location. The contract identifies what traffic matches (L4 port ranges, TCP options) and what actions are applied (QoS, log, redirect into a service graph); it is defined bidirectionally in a provider-centric way.

Figure: consumer EPG WEB (EP, EP, EP ...) -> contract -> provider EPG APP SERVER
There are six policy options supported:
- Permit the traffic
- Deny (block) the traffic
- Redirect the traffic
- Log the traffic
- Copy the traffic (copy packet)
- Mark the traffic (DSCP/CoS)

Policy encompasses traffic handling, quality of service, security monitoring and logging.
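As an added illustration of the contract model described above (a constructed teaching example, not Cisco or APIC code), the following Python evaluates sample flows between endpoint groups. The class names, the default deny between EPGs with no matching contract, the permit-by-default inside a single EPG, and the treatment of reply traffic by checking the provider-side port are assumptions of this model, not statements about the product.

```python
"""Toy model of group-based policy: EPGs, a provider-centric contract between a
consumer EPG and a provider EPG, filters on L4 port range and TCP flags, and the
six policy actions.  Constructed example; all names and defaults are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    """The six policy options a contract rule can apply."""
    PERMIT = "permit"
    DENY = "deny"
    REDIRECT = "redirect"   # push the flow into a service graph (firewall, ADC ...)
    LOG = "log"
    COPY = "copy"           # copy the packet, e.g. to a sensor
    MARK = "mark"           # rewrite DSCP / CoS


@dataclass(frozen=True)
class FilterEntry:
    """Traffic selector: protocol, port range on the provider side, and TCP flags
    that must all be present (empty set matches any flags)."""
    proto: str
    port_lo: int
    port_hi: int
    tcp_flags: frozenset = frozenset()

    def matches(self, proto, port, flags):
        return (proto == self.proto
                and self.port_lo <= port <= self.port_hi
                and self.tcp_flags <= flags)


@dataclass(frozen=True)
class Contract:
    """Provider-centric: the filters describe the service ports the provider exposes."""
    name: str
    provider_epg: str
    consumer_epg: str
    filters: tuple
    actions: tuple


@dataclass(frozen=True)
class Flow:
    """Flows are identified by endpoint ids only; no IP address or location is used."""
    src_ep: str
    dst_ep: str
    proto: str
    sport: int
    dport: int
    tcp_flags: frozenset = frozenset()


class Fabric:
    def __init__(self):
        self.epg_of = {}      # endpoint id -> EPG name (physical or virtual, anywhere)
        self.contracts = []

    def add_endpoint(self, ep_id, epg):
        self.epg_of[ep_id] = epg

    def add_contract(self, contract):
        self.contracts.append(contract)

    def evaluate(self, flow):
        """Return the tuple of actions applied to this flow."""
        src_epg = self.epg_of.get(flow.src_ep)
        dst_epg = self.epg_of.get(flow.dst_ep)
        if src_epg is None or dst_epg is None:
            return (Action.DENY,)            # unknown endpoint: no group, no contract
        if src_epg == dst_epg:
            return (Action.PERMIT,)          # assumed default inside one EPG
        for c in self.contracts:
            forward = src_epg == c.consumer_epg and dst_epg == c.provider_epg
            reverse = src_epg == c.provider_epg and dst_epg == c.consumer_epg
            if not (forward or reverse):
                continue
            # Bidirectional contract: the provider-side port is the destination port
            # towards the provider and the source port on the way back.
            provider_port = flow.dport if forward else flow.sport
            if any(f.matches(flow.proto, provider_port, flow.tcp_flags) for f in c.filters):
                return c.actions
        return (Action.DENY,)                # whitelist model: nothing matched


def build_demo_fabric():
    """Constructed sample: WEB consumes APP SERVER on tcp/8080-8081 (permit + log);
    APP SERVER consumes DATABASE on tcp/3306 through a redirect into a service graph."""
    fabric = Fabric()
    for ep, epg in [("web1", "WEB"), ("web2", "WEB"), ("app1", "APP SERVER"), ("db1", "DATABASE")]:
        fabric.add_endpoint(ep, epg)
    fabric.add_contract(Contract("web-to-app", provider_epg="APP SERVER", consumer_epg="WEB",
                                 filters=(FilterEntry("tcp", 8080, 8081),),
                                 actions=(Action.PERMIT, Action.LOG)))
    fabric.add_contract(Contract("app-to-db", provider_epg="DATABASE", consumer_epg="APP SERVER",
                                 filters=(FilterEntry("tcp", 3306, 3306),),
                                 actions=(Action.REDIRECT, Action.LOG)))
    return fabric


if __name__ == "__main__":
    fab = build_demo_fabric()
    for flow in [Flow("web1", "app1", "tcp", 51000, 8080),   # consumer -> provider
                 Flow("app1", "web1", "tcp", 8080, 51000),   # reply on the same contract
                 Flow("web1", "db1", "tcp", 51001, 3306),    # no WEB -> DATABASE contract
                 Flow("app1", "db1", "tcp", 51002, 3306),    # redirected into the service graph
                 Flow("web1", "web2", "tcp", 51003, 22)]:    # intra-EPG
        print(flow.src_ep, "->", flow.dst_ep, [a.value for a in fab.evaluate(flow)])
```

The point the model makes is the one on the slide: policy is keyed on group membership and the service port the provider exposes, so moving an endpoint, renumbering it, or running it as a VM instead of bare metal changes nothing in the contract; only the membership table changes.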
Figure: application container with EPG Web and EPG Database (192.168.1.0/24), a policy contract between Web and Database, and a Web -> Database service chain
Figure: FW_ADC service graph. The Application Admin configures policy-based redirection; the Service Admin manages the ASA 5585 and NetScaler VPX
Figure: service graph, logical view mapped to the physical view (Nexus 7000, ACI fabric)