Segmentation. Threat Defense. Visibility


Transcription:

Segmentation
- Establish boundaries: network, compute, virtual
- Enforce policy by functions, devices, organizations, compliance
- Control and prevent unauthorized access to networks, resources, applications

Threat Defense
- Stop internal and external attacks and interruption of services
- Patrol zone and edge boundaries
- Control information access and usage; prevent data loss and data modification

Visibility
- Provide transparency to usage
- Apply business context to network activity
- Simplify operations and compliance reporting

Four use cases (diagram):
1 Secure Internal Zone from External Zone
2 Secure Data for Compliance
3 Secure Application Tiers
4 Secure Multitenancy
Diagram labels: Internet, Campus/Data Center, Cisco VXI, Extranet (Vendor, Partner); contexts CTX1/CTX2 on VDC1/VDC2 with vPC; application tiers Front-End (Presentation), Web Tier (Business Logic), DB Tier (Data Access).

Data Center Edge (traditional edge security)
- Physical delineation for all ingress and egress into the core of the DC
- Traditional security models apply to North-South protection

Aggregation Layer
- Initial filter for all ingress and egress to DC services & compute (North-South protection)
- Stateful filtering and logging for all ingress and egress traffic flows
- Physical appliances can be virtualized and applied to server enclaves

Services Layer (option)
- Additional services location for server-farm-specific protection and other potential zones

Virtual Network & Access (internal zoning)
- Virtual firewall, zone/enclave-based filtering
- IP-based access control lists
- VM attribute-based policies, which should follow the VM
- East-West protection

Multitenant separation across the DC layers (diagram: DC Edge facing Internet, IP-NGN (BBG) and Partners; DC Core; DC Aggregation; DC Access; DC Virtual Access; Layer 3 above, Layer 2 10GE and 4/8 Gb FC below):
- VRF-lite implemented at the core and aggregation layers provides per-tenant isolation at L3; VDCs segregate and virtualize the equipment
- Network separation: per-tenant routing and forwarding tables (VRF); VLAN IDs and 802.1Q tags provide isolation and identification of tenant traffic across the L2 domain; firewall/IDS partitioning
- Defense in depth per consumer (front-end ASA, back-end VSG)
- Compute separation: vNICs, VLANs, port profiles; VLAN/PVLAN at the access layer; FEX/A-FEX/VM-FEX for virtual access; VXLAN and a virtual firewall at the virtual access layer
- Storage separation: VSAN, FC zoning, LUN masking, vFilers
- Application tier: logical and physical segmentation with L2/L3 firewalling and security zoning

ASA FW and NGIPS for physical hosts:
- Control North/South traffic with the ASA 5585; scale and HA with clustering
- Inspect North/South traffic with NGIPS
- Segment and protect the virtual enclave with ASAv and vNGIPS

CTD: Cisco Threat Defense. Leverage your Cisco infrastructure to fight advanced pervasive threats: ASA FW clustering, NGIPS, TrustSec with Security Group Tagging (SGT), NGA, Virtual FlowSensor and ISE. Goals: Simplify, Accelerate, Automate, Standardize.

SGT propagation (diagram): users and devices are classified by ISE against the directory; the tag travels with the data (Data + SGT:5) across switch, router, DC FW and DC switch, and is enforced at the data center. Labels: Fin Servers SGT = 4, SGT = 5, HR Servers SGT = 10.

Cluster Control Link

Sourcefire on 5500-X (Software) Sourcefire on 5585-X (Blade) Subscriptions: Threat: IPS, AVC, URL Filtering, AMP

ASA 9.2: increased clustering size and performance. *Estimated maximum with jumbo frames and no asymmetric traffic.

DCI with dark fiber (diagram): RTT <10 ms, <100 km. Dark fiber could be connected to the core/aggregation layers or to a dedicated services layer; each has pros and cons based upon the environment. Layers shown: DC Edge and internal DC zone(s) on Nexus 7000; DC Core VDC (routed) on Nexus 7000; double-sided vPC over dark fiber (10G-400G); DC Aggregation Layer VDC on Nexus 7000/5000 with vPC; inter-DC FW cluster of ASA5585-X with the cluster control link (CCL) across sites; Compute Access Layer with Nexus 2000, Nexus 1000v, Cisco UCS, VSG and ASA 1000V per 10 Gig server rack.

DCI with OTV (diagram): extranet, RTT <10 ms, <100 km. Layer 2 extension (OTV) from an OTV VDC on Nexus 7000 at the DC edge; DC Core VDC (routed) on Nexus 7000; inter-DC FW cluster of ASA5585-X with the CCL across sites; DC Aggregation Layer VDC on Nexus 7000/5000 with vPC; Compute Access Layer with Nexus 2000, Nexus 1000v, Cisco UCS, VSG and ASA 1000V per 10 Gig server rack.

Interconnect L2 or L3 (diagram): RTT <10 ms, <100 km. Data Center A and Data Center B, each a FabricPath spine/leaf fabric with an ASA cluster and pods (Pod A1-A3, Pod B1-B3) at the Compute Access Layer.

Data Center Design Zone: http://www.cisco.com/go/vmdc

Source: Cisco Global Cloud Index 2012

Proven Cisco security, virtualized: physical and virtual consistency with a collaborative security model.
- Cisco Virtual Security Gateway (VSG) for intra-tenant secure zones (per vApp, with the Cisco Nexus 1000V switch and Cisco vPath); transparent integration
- Cisco ASA 1000V for tenant edge controls (Tenant A VDC, Tenant B VDC); multi-instance deployment for scale-out across the data center
- Scale flexibility to meet cloud demand

ASAv:
- Parity to the physical form-factor feature set
- Scaling through virtualization; up to 10 vNIC interfaces; scales to 4 vCPUs and 8 GB of memory
- Crypto in software
- SDN and traditional management tools; ability to manage one policy on both physical and virtual ASAs
- Clustering and multiple-context mode removed

ASA open security platform (diagram): hypervisor support; orchestration frameworks; system management (CSM, PNSC); read/write southbound API; multi-tenant and application aware; ASA-published device management package for ACI; standards-compliant monitoring features.

ASAv (Active) ASAv (Standby)

ASAv deployment modes:
- Routed firewall: routes traffic between vNICs; maintains ARP and routing tables; tenant edge firewall
- Transparent firewall: VLAN or VXLAN bridging/switching; maintains MAC address tables; non-disruptive to L3 designs
- Service tag switching: applies inspection between service tags; no network participation; fabric integration mode

ASAv phased release (diagram): 9.2.1, then 9.3.1/9.3.2.

Administrative domains (diagram): Cloud Admin (Cloud); Application Admin (Application: Web Tier, App Tier, DB Tier); Security Admin (Security: External Zone, DMZ, Trusted Zone, DB Tier); Network Admin (Infrastructure).

The same administrative domains over a common pool of resources (diagram): Cloud Admin (Cloud); Application Admin (Application); Security Admin (Security: External Zone, DMZ, Trusted Zone, DB Tier); Network Admin.

ACI fabric properties:
- Flat hardware-accelerated network: full abstraction, decoupled from VLANs and dynamic routing; low latency; built-in QoS
- Intelligent fabric (Cisco Nexus 9000) with flexible insertion: every device is one hop away, microsecond latency, no power or port availability constraints, ease of scaling
- Fabric port services: hardware filtering and bridging; seamless service insertion; service farm aggregation
- Unified management and visibility: the ACI controller manages all participating devices, with change control and audit capabilities
- Logical endpoint groups by role (Apps, Users): heterogeneous clients, servers, external clouds; the fabric controls communication

ACI fabric (diagram): spine nodes, leaf nodes and a virtual leaf; EPGs shown are Internet, apps and Users, labelled as service producers and service consumers.

APIC as a platform approach to data centre infrastructure (diagram): hypervisor management, automation tools, orchestration frameworks and system management read/write all fabric info through the APIC, which is tenant and application aware; security (ASA) integrates through a published, open-source data model; industry standard compliant.

Single point of management: different administrative groups use the same interface, with a high level of object sharing in the Application Policy Infrastructure Controller (APIC).
- Define endpoint groups: any endpoints anywhere within the fabric, virtual or physical (Apps, Users)
- Define contracts between endpoint groups: port-level rules (drop, prioritize, push to service chain); reusable templates; the security administrator defines generic templates in APIC that are made available to contract creation
- Fabric rules programmed from the contract at ACI fabric ingress: hardware rules on each port, security in depth, embedded QoS; single-pass firewalling with flow-specific policy

Contracts (diagram: consumer EPG WEB with endpoints EP, EP, EP...; provider EPG APP SERVER): endpoints in group WEB can access endpoints in group APP SERVER according to the rules specified in the contract. A contract specifies rules and policies on groups of physical or virtual endpoints without knowledge of specific identifiers and regardless of physical location. It identifies what traffic (L4 port ranges, TCP options) and what actions are applied (QoS, log, redirect into a service graph), and is defined bi-directionally in a provider-centric way.

There are six policy options supported: permit the traffic, block the traffic, redirect the traffic, log the traffic, copy the traffic, and mark the traffic (DSCP/CoS). Policy encompasses traffic handling, quality of service, security monitoring and logging. (Diagram labels: Permit, Deny, Redirect, Log, Copy Packet, Mark Packet DSCP.)
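The two slides above describe the whitelist model behind ACI contracts: endpoints are placed into EPGs, a contract between a consumer EPG and a provider EPG names the permitted L4 traffic and the actions taken on it, and traffic with no contract is dropped. The following is an added illustration written for this page, not Cisco code and not the APIC object model; the class names (Filter, Contract, Fabric), the constructed sample addresses and the EPG names are this example's own assumptions. It models the consumer-to-provider direction, the reverse (reply) direction a bidirectional contract implies, and the six actions listed on the slide.

```python
"""Toy model of ACI endpoint groups and contracts (added illustration, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, List

# The six actions named on the slide.
PERMIT, DENY, REDIRECT, LOG, COPY, MARK = "permit", "deny", "redirect", "log", "copy", "mark"


@dataclass(frozen=True)
class Filter:
    """What traffic: protocol plus a port range on the provider (listening) side."""
    proto: str
    port_lo: int
    port_hi: int

    def matches(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.port_lo <= port <= self.port_hi


@dataclass
class Contract:
    """Provider-centric rule: traffic from the consumer EPG to the provider EPG."""
    consumer: str
    provider: str
    filters: List[Filter]
    actions: List[str] = field(default_factory=lambda: [PERMIT])
    bidirectional: bool = True  # replies from provider back to consumer are also allowed


class Fabric:
    """Maps endpoints to EPGs and evaluates flows against contracts (default deny)."""

    def __init__(self) -> None:
        self.epg_of: Dict[str, str] = {}   # endpoint address -> EPG name
        self.contracts: List[Contract] = []

    def add_endpoint(self, ip: str, epg: str) -> None:
        self.epg_of[ip] = epg

    def add_contract(self, contract: Contract) -> None:
        self.contracts.append(contract)

    def evaluate(self, src_ip: str, dst_ip: str, proto: str, dport: int, sport: int = 0) -> List[str]:
        """Return the actions applied to a flow; [DENY] when no contract covers it."""
        src_epg = self.epg_of.get(src_ip)
        dst_epg = self.epg_of.get(dst_ip)
        if src_epg is None or dst_epg is None:
            return [DENY]                       # unknown endpoint: no EPG, no policy
        if src_epg == dst_epg:
            return [PERMIT]                     # model assumption: intra-EPG traffic is open
        for c in self.contracts:
            # Forward direction: consumer -> provider, destination port must match.
            if c.consumer == src_epg and c.provider == dst_epg:
                if any(f.matches(proto, dport) for f in c.filters):
                    return list(c.actions)
            # Reverse direction: provider -> consumer, the provider's port is now the source port.
            if c.bidirectional and c.consumer == dst_epg and c.provider == src_epg:
                if any(f.matches(proto, sport) for f in c.filters):
                    return list(c.actions)
        return [DENY]                           # whitelist model: nothing else passes


def build_demo_fabric() -> Fabric:
    """Constructed sample: WEB consumes APP SERVER on tcp/8080, APP SERVER consumes DB on tcp/5432."""
    fab = Fabric()
    for ip in ("10.1.1.10", "10.1.1.11"):       # constructed addresses
        fab.add_endpoint(ip, "WEB")
    fab.add_endpoint("10.1.2.10", "APP SERVER")
    fab.add_endpoint("10.1.3.10", "DB")
    fab.add_contract(Contract("WEB", "APP SERVER", [Filter("tcp", 8080, 8080)], [PERMIT, LOG]))
    fab.add_contract(Contract("APP SERVER", "DB", [Filter("tcp", 5432, 5432)], [REDIRECT]))
    return fab


def demo() -> Dict[str, List[str]]:
    """Evaluate a handful of flows, including replies and traffic with no contract."""
    fab = build_demo_fabric()
    return {
        "web->app:8080": fab.evaluate("10.1.1.10", "10.1.2.10", "tcp", 8080, 51000),
        "app->web reply": fab.evaluate("10.1.2.10", "10.1.1.10", "tcp", 51000, 8080),
        "web->app:22": fab.evaluate("10.1.1.10", "10.1.2.10", "tcp", 22, 51001),
        "web->db:5432": fab.evaluate("10.1.1.10", "10.1.3.10", "tcp", 5432, 51002),
        "app->db:5432": fab.evaluate("10.1.2.10", "10.1.3.10", "tcp", 5432, 51003),
        "web->web": fab.evaluate("10.1.1.10", "10.1.1.11", "tcp", 80, 51004),
        "unknown->web": fab.evaluate("192.0.2.7", "10.1.1.10", "tcp", 80, 51005),
    }


if __name__ == "__main__":
    for flow, actions in demo().items():
        print(f"{flow:16} -> {actions}")
```

The point the model makes is the one the slide makes: policy is keyed on group membership, so moving an endpoint between EPGs or adding a new web server changes what it may reach without touching any rule, and a flow the security administrator never described (web straight to the database, or a management port on the app tier) is dropped rather than allowed by omission.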

Application containers (diagram): Application Container "Web" and Application Container "Database" (192.168.1.0/24); a policy contract Web to Database between EPG Web and EPG Database; service chain Web to Database.

Policy-based redirection (diagram): service graph FW_ADC 1, with the Application Admin and Service Admin roles; ASA 5585 and NetScaler VPX as the service devices.

Service graph (diagram): the logical graph mapped onto the physical topology (Nexus 7000 and ACI fabric).