Evolution of Data Center Security: Automated Security for Today's Dynamic Data Centers
Speaker: Mun Hossain, Director of Product Management, Security Business Group, Cisco
Twitter: @CiscoDCSecurity
Any Device to Any Cloud
- Public cloud
- Hybrid cloud
- Private cloud
Enterprise Response vs. Threats (timeline)
- 2000: Antivirus (host-based) against worms and viruses
- 2005: IDS/IPS (network perimeter) against spyware and rootkits
- 2010: Reputation (global) and sandboxing against APTs and cyberware
- Tomorrow: Intelligence and analytics (cloud) against an increased attack surface
The Advanced Attack Lifecycle
- Plan: the attacker determines possible entry points and formulates a plan of attack
- Exploit / Attack: the attacker exploits vulnerabilities and delivers its weapon
- Infect / Spread: malware moves laterally through the internal network in search of additional resources and data
- Steal / Disrupt: the attacker takes action on its objectives and exfiltrates data or disrupts systems
Your Biggest Security Challenges
- Maintain security and compliance as business models change (agility)
- Stay ahead of the threat landscape
- Reduce complexity and fragmentation of security solutions
Today's Security is Complex and Fragmented
Diagram: multiple sites (WWW, CSR, ASR, SP-1, SP-2) under a global orchestration layer.
- Multiple management paradigms
- Multiple identity stores
- Isolated threat intelligence
- Inconsistent enforcement
Implications for Security Process and Technology
- Before: see it, control it (defending attacks)
- During: intelligent and context aware (discovering/catching attacks)
- After: retrospective security (remediating attacks)
Applies across network, endpoint, mobile, virtual and cloud.
Security Functions Mapped to the Security Process
- Before: see it, control it (defending attacks)
- During: intelligent and context aware (discovering/catching attacks)
- After: retrospective security (remediating attacks)
Functions mapped onto the process: firewall, IPS, malware protection, VPN, web, network analysis, context, email.
Security Functions in the Data Center
- Traditional firewall functions
- VPN functions
- Context-aware functions
- IPS functions
- Web functions
Key Trends for Security in the Data Center
- Scale: need for policy enforcement on high-speed networks
- Resiliency: high availability is imperative for applications
- Expanded deployment options: policy enforcement on inter-DC traffic
- Segmentation: policy between specific groups, users or applications
- Contextual analysis: global and local threat correlation
- Virtualization: security for east-west traffic in multi-hypervisor environments
Data Center Scale
Dimensions: total throughput; concurrent connections; connections per second; power and space.
2013 Cisco and/or its affiliates. All rights reserved.
Network Integrated Clustering and Resiliency
Integration with DC switches
- Technology: integration with VSS, vPC and FabricPath
- Benefit: ease of deployment; solves asymmetric traffic
Clustered security services
- Technology: N+1 HA; consistent scaling factor; pay-as-you-grow FW, VPN and IPS services
- Benefit: linear, predictable performance increase; only buy what you need; compliance and security
Symmetric Traffic Patterns in the Data Center
Diagram: a client on the outside network and a server on the inside network, with both directions of the connection passing through the same unit of the security services cluster.
Asymmetric Traffic Patterns in the Data Center
Diagram: a client on the outside network and a server on the inside network, with the two directions of the connection entering different units of the security services cluster. Cluster roles shown: owner (holds the connection state), director (knows which unit owns the connection) and forwarder (redirects packets it receives to the owner).
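The owner/director/forwarder roles on the slide are what let a cluster survive the asymmetric case. The following is an added example, not Cisco's code: a simplified model in which a hash of the direction-independent flow key selects the director, the unit that sees the first packet becomes the owner and registers a backup copy with the director, and any other unit that later sees a packet of that flow acts as a forwarder. The hashing rule, the "next unit" fallback when the hash lands on the owner, and the packet counter kept as state are assumptions made for the example.

```python
"""Simplified model of flow ownership in a clustered security service."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        """The server-to-client direction of the same connection."""
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)

    def key(self) -> tuple:
        # Direction-independent key so that request and reply hash to the
        # same director even when they enter the cluster on different units.
        ends = sorted([(self.src_ip, self.src_port), (self.dst_ip, self.dst_port)])
        return (self.proto, ends[0], ends[1])


class Cluster:
    def __init__(self, n_units: int):
        self.ring = list(range(n_units))
        self.live = set(self.ring)
        self.owned = {u: {} for u in self.ring}   # unit -> {key: connection state}
        self.backup = {u: {} for u in self.ring}  # director table: key -> (owner, state)

    def _next_live(self, start: int) -> int:
        for i in range(len(self.ring)):
            cand = self.ring[(start + i) % len(self.ring)]
            if cand in self.live:
                return cand
        raise RuntimeError("no live units")

    def director_for(self, key: tuple) -> int:
        # Assumption: a hash of the flow key selects the director; dead units
        # are skipped so every live unit computes the same answer.
        h = int(hashlib.sha256(repr(key).encode()).hexdigest(), 16)
        return self._next_live(h % len(self.ring))

    def _register(self, owner: int, key: tuple, state: dict) -> None:
        d = self.director_for(key)
        if d == owner:  # a unit cannot back itself up: use the next live unit
            d = self._next_live(owner + 1)
        self.backup[d][key] = (owner, dict(state))

    def _query(self, d: int, key: tuple):
        """Ask unit d who owns the flow (it may be the owner itself)."""
        if key in self.owned[d]:
            return d
        entry = self.backup[d].get(key)
        return entry[0] if entry else None

    def handle_packet(self, unit: int, flow: Flow) -> tuple:
        if unit not in self.live:
            raise ValueError(f"unit {unit} is down")
        key = flow.key()
        if key in self.owned[unit]:
            self.owned[unit][key]["packets"] += 1
            return ("owner", unit)
        d = self.director_for(key)
        owner = self._query(d, key)
        if owner is None:
            # First packet of a new connection: this unit becomes the owner.
            self.owned[unit][key] = {"packets": 1}
            self._register(unit, key, self.owned[unit][key])
            return ("new-owner", unit)
        if owner not in self.live:
            # Owner died: the unit seeing the next packet takes over from the
            # director's backup copy, so the connection survives the failure.
            _, state = self.backup[d].pop(key)
            self.owned[unit][key] = dict(state, packets=state["packets"] + 1)
            self._register(unit, key, self.owned[unit][key])
            return ("recovered-owner", unit)
        # Asymmetric path: this unit is only a forwarder for the flow.
        return ("forwarded", owner)

    def fail_unit(self, unit: int) -> None:
        self.live.discard(unit)
        self.owned[unit].clear()
        self.backup[unit].clear()
        # Flows whose director was the failed unit are re-registered by their
        # owners with the newly elected director.
        for u in self.live:
            for key, state in self.owned[u].items():
                self._register(u, key, state)


if __name__ == "__main__":
    c = Cluster(4)
    req = Flow("192.168.1.100", 40000, "10.1.1.1", 80)  # constructed sample flow
    print(c.handle_packet(0, req))            # ('new-owner', 0)
    print(c.handle_packet(2, req.reverse()))  # ('forwarded', 0): reply took another path
    c.fail_unit(0)
    print(c.handle_packet(3, req))            # ('recovered-owner', 3)
```

The reply entering unit 2 is the asymmetric case from the diagram: unit 2 does not hold the connection, so it asks the director and forwards to unit 0 rather than dropping the packet as an unknown flow. Failing the owner shows why the director keeps a backup copy of the state.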
Expanding Security Between Data Centers: Use Cases
- Disaster recovery: power outage, catastrophic failure
- Follow-the-sun operations: optimization of resources
- Dynamic load distribution: dealing with traffic bursts
Expanding Security Between Data Centers: Infrastructure Demands
Demands: simplicity; workload mobility; low latency; high scale; high availability.
Traditional approach: over-provisioned HW; manual traffic engineering; static, external stateless load balancing; siloed HA at different sites with no sharing of information.
Optimized approach: optimize traffic flows to minimize latency; security state maintained with application mobility via the cluster control link (CCL); persistent security HA across data centers.
Unified Context and Network Control: TrustSec + ASA
TrustSec overview: TrustSec lets you define policy in meaningful business terms. Context is turned into a classification, which is carried as a Security Group Tag (SGT) and evaluated against the business policy.
Policy matrix: sources (Exec PC, Prod HRMS, HR Database, Exec BYOD) against destinations (HR Database, Prod HRMS, Storage); the individual cell marks are not recoverable from the extraction.
Distributed enforcement throughout the network: switch, router, DC firewall, DC switch.
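To make the "policy in business terms" point concrete, here is an added example (not Cisco's code) of tag-based enforcement: endpoints are classified into Security Group Tags from context, policy is a matrix keyed by (source tag, destination tag), and an enforcement point resolves the IP addresses in a packet to tags before consulting the matrix, so a workload that moves to a new address keeps its policy. The tag numbers, the classification rules, the matrix cells and the addresses are constructed for the example; the slide does not give them.

```python
"""Tag-based (SGT) policy enforcement, constructed example."""
from enum import IntEnum


class SGT(IntEnum):
    UNKNOWN = 0
    EXEC_PC = 10
    EXEC_BYOD = 11
    PROD_HRMS = 20
    HR_DATABASE = 30
    STORAGE = 40


def classify(user_role: str = "", device_type: str = "", app_role: str = "") -> SGT:
    """Context -> classification: derive the tag from who or what the endpoint is."""
    if app_role == "hrms":
        return SGT.PROD_HRMS
    if app_role == "hr-db":
        return SGT.HR_DATABASE
    if app_role == "storage":
        return SGT.STORAGE
    if user_role == "exec":
        return SGT.EXEC_PC if device_type == "managed" else SGT.EXEC_BYOD
    return SGT.UNKNOWN


# Business policy matrix (constructed): (source tag, destination tag) -> action.
# Anything not listed is denied, so an unclassified endpoint gets nothing by accident.
MATRIX = {
    (SGT.EXEC_PC, SGT.PROD_HRMS): "permit",
    (SGT.EXEC_BYOD, SGT.PROD_HRMS): "deny",
    (SGT.PROD_HRMS, SGT.HR_DATABASE): "permit",
    (SGT.HR_DATABASE, SGT.STORAGE): "permit",
}


class EnforcementPoint:
    """A switch, router or DC firewall holding IP-to-SGT bindings."""

    def __init__(self):
        self.bindings = {}  # ip -> SGT

    def bind(self, ip: str, sgt: SGT) -> None:
        self.bindings[ip] = sgt

    def migrate(self, old_ip: str, new_ip: str) -> None:
        # A VM move changes its address but not its business role: only the
        # binding moves, the policy matrix is untouched.
        self.bindings[new_ip] = self.bindings.pop(old_ip)

    def decide(self, src_ip: str, dst_ip: str) -> str:
        src = self.bindings.get(src_ip, SGT.UNKNOWN)
        dst = self.bindings.get(dst_ip, SGT.UNKNOWN)
        return MATRIX.get((src, dst), "deny")


def build_demo() -> EnforcementPoint:
    """Constructed bindings: two exec endpoints and two HR application servers."""
    ep = EnforcementPoint()
    ep.bind("192.168.1.100", classify("exec", "managed"))
    ep.bind("192.168.1.101", classify("exec", "byod"))
    ep.bind("10.1.1.1", classify(app_role="hrms"))
    ep.bind("10.1.2.1", classify(app_role="hr-db"))
    return ep


if __name__ == "__main__":
    ep = build_demo()
    print(ep.decide("192.168.1.100", "10.1.1.1"))  # permit (managed exec PC to HRMS)
    print(ep.decide("192.168.1.101", "10.1.1.1"))  # deny (BYOD to HRMS)
    ep.migrate("10.1.1.1", "10.1.1.50")
    print(ep.decide("192.168.1.100", "10.1.1.50"))  # still permit after the move
```

Two properties worth noticing: the matrix is directional (HR database to HRMS is not implied by HRMS to HR database), and once the HRMS server has moved, traffic to its old address is denied because the address no longer carries a tag.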
Turning Big Data into Threat Intelligence
Security sensor base (broadest range of threat and vulnerability data sources): 100 TB of data; 150M deployed endpoints; 13B web requests; 14M deployed access gateways; 93B daily email messages; 1.6M deployed security devices.
Threat analytics (global and local correlation through analytics and human intelligence): context for common security policy; faster heuristics and threat engines for detection; global and local real-time data correlation; self-learning algorithms; threat and trust modeling; human research.
Intelligence delivered (contextual policy with distributed enforcement): filtration of security intelligence; appliance updates; dynamic remediation; threat prevention delivered by network, perimeter and cloud.
Traffic Trends in the Data Center (by destination)
- East-west traffic: 76%
- North-south traffic: 17%
- Inter-DC traffic: 7%
Source: Cisco Global Cloud Index 2012
Traditional Approach to Traffic Trends
Diagram: DC core, DC aggregation and DC access tiers above rows of VMs.
Infrastructure demands: need for scale; diverse users and devices; rapid provisioning; inspection of inter-VM east-west traffic requires complex traffic steering.
Traditional approach: policy for north-south traffic enforced by firewalls; inserting east-west services causes traffic hairpinning; over-provisioned HW; rules explosion; manual and fragmented.
Application Trends in the Data Center
- Dynamic workloads: dynamic instantiation and removal (instantiate new VMs, migrate existing ones, decommission); dynamically shared resource pools replace siloed resources that are oversubscribed or underutilized
- Heterogeneous implementation: applications on both physical and virtual infrastructure
- Distributed deployments: on-demand scaling; new applications, devices and users
- Infrastructure independent: transparent to the underlying network
- Cloud-aware: migration across public/private clouds and inter-DC; secure, multi-tenant aware
Cited figures: the adoption rate of server virtualization will reach 21.3% of total servers in 2016; by 2016, 66% of all workloads will be processed in the cloud (Cisco Global Cloud Index).
Key Requirements to Address DC Trends
DC trends: dynamic workloads; physical/virtual agnostic; dynamic and on-demand; location independent.
Requirements: simplified provisioning; centralized management (centralized policy for network and security); dynamic scaling (physical + virtual); rapid instantiation based on resource availability; automated policy management (dynamic ACL insertion and removal); open architecture (hypervisor agnostic, vSwitch compatible, programmable API, multi-tenant aware, application aware).
Application Centric Infrastructure: Enabling Application Velocity
APIC controls: physical networking (Nexus 9300 and 9500); hypervisors and virtual networking; compute; L4-L7 services (ASA); storage; multi-DC, WAN and cloud. Also shown: Nexus 7K, Nexus 2K, integrated WAN edge.
Cisco's Application Centric Infrastructure Security Solution
- Transparent integration of security into Cisco's Application Centric Infrastructure
- Centralized infrastructure with automated security policy management
- Elastic scalability across virtual and physical environments
ACI Security Solution Starts with Cisco ASA
Virtual (ASAv): full ASA feature set; hypervisor independent; virtual-switch agnostic; dynamic scalability.
Physical (ASA 5585-X): 16-way clustering with state synchronization; scalable to 640 Gbps.
Application Centric Infrastructure Security Solution: Automated Provisioning
Elements shown: APIC; application profile (web, app and DB tiers with ASA and load balancer service insertion); connectivity policy; security policies; SLA; QoS; L4-L7 services (security, load balancing, QoS); storage and compute; extensible scripting model; ASA and ASAv instances deployed across hypervisors alongside the application VMs.
Application Centric Infrastructure Security Solution: Dynamic Scaling
- ASAv enforcing policy between the app tier and the web tier
- ASAv enforcing policy between apps (inter-VM)
- ASAv enforcing policy across the web resource pool
Application Centric Infrastructure Security Solution: Automated Policy Lifecycle Management
Scenario: clients in the Marketing endpoint group (192.168.1.0/24, e.g. client 192.168.1.100) connect to App 12 in the data center app tier (HTTP/HTTPS servers 10.1.1.1 and 172.16.1.1). Firewall ACLs for the connection are inserted dynamically; when App 12 is decommissioned, the connection ACLs are removed dynamically.
Firewall ACLs for the connection:
  permit tcp host 192.168.1.100 host 10.1.1.1 eq 80
  permit tcp host 192.168.1.100 host 10.1.1.1 eq 443
  permit tcp host 192.168.1.100 host 172.16.1.1 eq 80
  permit tcp host 192.168.1.100 host 172.16.1.1 eq 443
  permit tcp host 192.168.1.101 host 10.1.1.1 eq 80
  permit tcp host 192.168.1.101 host 10.1.1.1 eq 443
  permit tcp host 192.168.1.101 host 172.16.1.1 eq 80
  permit tcp host 192.168.1.101 host 172.16.1.1 eq 443
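The slide shows the ACL lines but not the lifecycle logic behind them. The following is an added example (not Cisco's or APIC's code) of a small policy manager that derives the connection ACEs from an endpoint group and an application tier, inserts them when the connection is created, and removes them when the application is decommissioned. It reference-counts each ACE so that retiring one application does not strip an entry another application still needs; the class names, the reference counting and the second application are assumptions made for the example.

```python
"""Dynamic ACL insertion and removal driven by application lifecycle events."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EndpointGroup:
    name: str
    hosts: tuple  # client addresses


@dataclass(frozen=True)
class AppTier:
    name: str
    servers: tuple
    ports: tuple


def connection_aces(epg: EndpointGroup, app: AppTier) -> list:
    """Expand one EPG-to-app connection into firewall access-control entries."""
    return [
        f"permit tcp host {client} host {server} eq {port}"
        for client in epg.hosts
        for server in app.servers
        for port in app.ports
    ]


class PolicyManager:
    def __init__(self):
        self.acl = []          # ordered ACEs currently installed on the firewall
        self.refcount = {}     # ace -> number of live connections that need it
        self.by_app = {}       # app name -> ACEs contributed by that app

    def connect(self, epg: EndpointGroup, app: AppTier) -> list:
        """Application instantiated: insert the ACEs its clients need."""
        added = []
        for ace in connection_aces(epg, app):
            self.refcount[ace] = self.refcount.get(ace, 0) + 1
            if self.refcount[ace] == 1:
                self.acl.append(ace)
                added.append(ace)
        self.by_app.setdefault(app.name, []).extend(connection_aces(epg, app))
        return added

    def decommission(self, app_name: str) -> list:
        """Application removed: drop only the ACEs no other application needs."""
        removed = []
        for ace in self.by_app.pop(app_name, []):
            self.refcount[ace] -= 1
            if self.refcount[ace] == 0:
                del self.refcount[ace]
                self.acl.remove(ace)
                removed.append(ace)
        return removed

    def render(self) -> str:
        return "\n".join(self.acl)


# Constructed sample matching the scenario on the slide.
MARKETING = EndpointGroup("Marketing", ("192.168.1.100", "192.168.1.101"))
APP12 = AppTier("App12", ("10.1.1.1", "172.16.1.1"), (80, 443))
# Hypothetical second application sharing one server and port with App 12.
APP13 = AppTier("App13", ("10.1.1.1",), (80,))


def demo() -> dict:
    """Run the lifecycle and return the ACL size after each event."""
    pm = PolicyManager()
    sizes = {}
    pm.connect(MARKETING, APP12)
    sizes["after App12"] = len(pm.acl)
    pm.connect(MARKETING, APP13)
    sizes["after App13"] = len(pm.acl)       # no duplicates added
    pm.decommission("App12")
    sizes["after removing App12"] = len(pm.acl)  # shared ACEs survive
    pm.decommission("App13")
    sizes["after removing App13"] = len(pm.acl)
    return sizes


if __name__ == "__main__":
    pm = PolicyManager()
    pm.connect(MARKETING, APP12)
    print(pm.render())
    print(demo())
```

The reference count is the detail that matters operationally: an automated removal that deletes every ACE an application once contributed will silently cut off a second application that shares a server, which is exactly the kind of side effect that makes teams afraid to automate ACL cleanup.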
Evolution of VPN in the Data Center
Chart comparing traditional HW-based VPN deployment with agility using VPN based in ASAv, by operational impact: deployment complexity (MED), deployment cost ($$) and deployment time (Wk). VPN use cases plotted: SSL to public cloud; IPsec to data center; SSL to private cloud; IPsec to teleworker; IPsec to remote office; clientless SSL to handheld.
"Enterprises should expect an average yearly increase of ~20% in SSL traffic" (NSS)
Application Centric Infrastructure Security Solution: Open Architecture
- Hypervisor support
- Orchestration frameworks
- Management systems: CSM, PNSC
- Read/write southbound API
- Multi-tenant and application aware
- Published device management package for ACI
- Standards-compliant monitoring features
Built on top of an industry-leading data center security platform.
Cisco Security Integrated into ACI
- Provisioning: simplified service chaining; dynamic policy management; rapid instantiation
- Performance: on-demand scalability; increased clustering size; multi-site clustering
- Protection: integrated security and consistent policy enforcement (physical and virtual); active monitoring and comprehensive diagnostics for threat mitigation
The Network and Security: Synergies Drive Value
- Network scales enforcement: consistent, end-to-end security policy enforcement; mobility and BYOD accelerator/enabler; data center service clustering delivers unmatched scale
- Network accelerates detection: security aggregates unique context; automated network redirection; rich data sets accelerate threat detection
Twitter: @CiscoDCSecurity