Next Generation DC Security
Ozgur Danisman, MBA, CISSP
odanisma@cisco.com
Kuwait, 4 June 2013
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
• Introduction
• Inserting Firewalls into a state-of-the-art Data Center
• Next Generation Firewall features in the Data Center
• Virtualization Security
Keep Bad Stuff Out of the Environment
Keep Critical Services Running and Protected
Keep Good Stuff Protected
Enable Security Productivity and Innovation
Be Compliant
Practical Challenges
• Protect the data center from internal and external threats
• Secure application delivery and eCommerce
• Secure data for compliance
• Secure virtualization, multitenancy, and cloud
• Existing and new vulnerabilities: infrastructure, applications, and now virtualization
• Industrialization of hackers: financially motivated and sophisticated
• Risks on internal networks: many security breaches started on internal networks
Main Reasons for Data Center Technology Investment (percent of respondents rating 6 or 7)

Driver                                        Percent
Increase Security                             76%
Decrease Downtime                             70%
Data Storage/Backup                           69%
Decrease Operating Costs                      68%
Virtualization                                66%
Improve Management Capability                 66%
Consolidate Data Centers                      65%
Improve Scalability                           62%
Consolidate Equipment                         59%
Centralize IT Services                        58%
Enable a New Application                      55%
Higher Energy Efficiency/Green Initiatives    50%

Source: Data Center Deployment Strategies: North American Enterprise Survey, Infonetics, February 2011.
• At the Internet Edge?
• At the Branch Office?
• At the Data Center Services layer?
• In the virtual (hypervisor) world?
MultiScale™ diagram: throughput, connections per second, and number of concurrent connections.
Rich Services: IPS, Context-Aware, VPN, TrustSec
• Introduction
• Inserting Firewalls into a state-of-the-art Data Center
• Next Generation Firewall features in the Data Center
• Virtualization Security
• “I manage security policies... I don’t want to care about network cabling...”
• Understanding the firewall’s interaction with the network infrastructure is paramount to decrease downtime and operating cost and to improve scalability in the data center.
• Once designed properly, we don’t have to care any more (we can focus on managing security policies).
Data center architecture diagram (legend: Compute, Network, Security): Internet Edge; Core; Distribution (Nexus 7018 VDCs, vPC); Services (ASA 5585-X, Catalyst 6500 VSS, Firewall, ACE, NAM, IPS, VSG, multizone); Unified Compute (Unified Computing System, Nexus 1000V); Unified Access (Nexus 7000/5000/2100 Series, 10G server racks); SAN.
• Layer 2 has some advantages: plug and play, no IP addressing; L2 adjacency is required by some data center applications
• Layer 2 has some risks: scalability; Layer 2 loops are disastrous; Spanning Tree Protocol (STP) needs to create a loop-free topology by blocking ports; STP convergence times; mistakes/bugs in STP implementations are still disastrous
(Diagram: an STP domain with STP-blocked ports.)
• vPC is a port-channeling concept extending link aggregation to two separate physical switches
• Allows the creation of resilient L2 topologies based on link aggregation
• Provides increased bandwidth: all links are actively forwarding
(Diagram: physical vs. logical topology, non-vPC vs. vPC.)
• ASA supports Link Aggregation Control Protocol (LACP), IEEE 802.3ad standard
• EtherChannel ports are treated just like physical and logical interfaces on ASA
(Diagram: Core IP1/IP2; S1/S2 joined by a vPC peer-link; ASA active/standby pair attached via vPC; S3/S4 with vApps in a Zone/Multi-Tenant.)
• ASAs in transparent mode with the L3 gateway in the aggregation layer
• Server gateway on the outside of the firewall
• Routing protocols can establish adjacencies through the firewall
• Protocols such as HSRP, VRRP, GLBP can cross the firewall
• Multicast streams can traverse the firewall
• Non-IP traffic can be allowed (IPX, MPLS, BPDUs)
• Deploy where IP address schemes cannot be modified
(Diagram: L3 switch, 10.1.1.x/24; VLAN 10 (inside) with VServers 10.1.1.1-99; ASA HA pair with BVI 10.1.1.100; VLAN 20 (outside) with VIP 10.1.1.254.)
• ASA supports VLAN rewrite in L2 (transparent) mode
• Allows on-a-stick deployment: the firewall does not have to be inline for all traffic
(Diagram: Core IP1/IP2; S1/S2 joined by a vPC peer-link; VLAN 10 and VLAN 20 on the active ASA; S3/S4 with vApps in a Zone/Multi-Tenant; ASA active or standby.)
• Cluster up to 8 ASA appliances managed as ONE (Cluster Control Link)
• Load balancing approach: stateless load balancing by external switch (ECLB) or router (ECMP, PBR)
• In-cluster high availability
• Hitless upgrade
• Introduction
• Inserting Firewalls into a state-of-the-art Data Center
• Next Generation Firewall features in the Data Center
• Virtualization Security
Source           Destination       Service   Action
InsideNets100    FinanceServers    HTTPS     PERMIT
  10.1.1.0/24      172.16.2.0/24
  10.1.9.0/24      172.16.9.0/24
  192.168.3.0/24   172.16.15.0/24

• Firewall rules based on IP addresses: no knowledge of identity; the firewall ruleset changes whenever the network grows or changes
Source    Destination                                       Application   Action
Finance   Finance Servers (172.16.2.0/24, 172.16.15.0/24)   HTTPS         PERMIT
IT        Finance Servers (172.16.2.0/24, 172.16.15.0/24)   SSH           PERMIT
ANY       Finance Servers (172.16.2.0/24, 172.16.15.0/24)   ANY           DENY

• Firewall ruleset leverages Active Directory: the source is independent of IP addressing; works for users logged into the Active Directory domain; does not convey identity for iPads, IP phones etc.; does not convey other context such as posture, location...
Source TAG               Destination       Application   Action
Finance, CleanMachine    FinanceServers    HTTPS         PERMIT
Any, financeIPAD         FinanceVDI        ICA           PERMIT
IP Phones                Phone Servers     SIP           PERMIT

• Ruleset can utilize Security Group Tags (SGTs): information on who, what device, posture, where; also works for devices outside of the AD domain; also works for destinations/servers
• TrustSec tags every packet from identified sources with an SGT (Security Group Tag)
• SGTs identify logical groups of users and/or servers sharing similar sets of privileges or roles
• SGTs are 16 bits (2 bytes), supporting up to 64K (65536) logical groups
• Tagged traffic is evaluated against the SG-ACL on egress

Sample logical security groups (sources: individuals and individual servers): Employee, Partner, Contractor, Guest/Unknown. In this simple example, source entities are reduced from 46 to 4.
Sample logical security groups (destinations, data center): Company Confidential, NDA Confidential, Sensitive, General Access. In this simple example, destination entities are reduced from 60 to 4.

Example access policy simplification:
Before: 46 (source IPs) x 60 (destination IPs) x 4 TCP/UDP port permissions = 11040 ACEs/ACLs
After: 4 (source SGTs) x 4 (destination SGs) x 4 TCP/UDP port permissions = 64 SGACLs
Assigning TAGs (Users)
• Leveraging Cisco ISE, taking into account identity, device type, posture, location, access method (VPN, wireless...)
• Static assignment (port, subnet, VLAN, IP range) also possible
(Diagram: “I’m a contractor, my AD group is IT Admin, using an iPad managed by MDM” → SGT = 10; HR Database (SGT=4); IT Server (SGT=10).)

Assigning TAGs (Servers)
• Nexus 1000V integration with vSphere
• Static assignment (port, subnet, VLAN, IP range) also possible
(Diagram: SGT = 10; HR Database (SGT=4); IT Server (SGT=10).)
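The SG-ACL slides and the tag assignment slides above, as one added Python model that is not part of the deck: server tags come from static subnet assignment, user tags from context (AD group, device type, posture), and the SG-ACL is keyed by (source tag, destination tag) and evaluated at egress, so adding a server subnet changes only the tag mapping and never the rule set. The subnets 10.20.0.0/24 and 10.30.0.0/24, the classification rules and the rule_count helper are assumptions.

```python
"""Added example, not from the deck: a toy model of SGT-based policy.
Server tags come from static subnet assignment, user tags from context
(AD group, device type, posture), and the SG-ACL is keyed by
(source tag, destination tag) and evaluated at egress.
All subnets, group names and the policy below are constructed."""
import ipaddress

# Static server tagging (deck: "static assignment (port, subnet, vlan, ip range)")
SERVER_SUBNET_TAGS = {
    "172.16.2.0/24": "FinanceServers",
    "172.16.15.0/24": "FinanceServers",
    "10.20.0.0/24": "FinanceVDI",      # constructed subnet
    "10.30.0.0/24": "Phone Servers",   # constructed subnet
}

# SG-ACL rows from the SGT slide: (source tag, destination tag) -> permitted apps
SGACL = {
    ("Finance", "FinanceServers"): {"HTTPS"},
    ("financeIPAD", "FinanceVDI"): {"ICA"},
    ("IP Phones", "Phone Servers"): {"SIP"},
}

def tag_for_server(ip: str) -> str:
    """Static assignment: first matching subnet wins, otherwise untagged."""
    addr = ipaddress.ip_address(ip)
    for subnet, tag in SERVER_SUBNET_TAGS.items():
        if addr in ipaddress.ip_network(subnet):
            return tag
    return "Unknown"

def tag_for_user(ad_group: str, device: str, posture_clean: bool) -> str:
    """Context-based tagging (who, what device, posture), in the spirit of ISE."""
    if device == "ip-phone":
        return "IP Phones"
    if ad_group == "Finance" and device == "ipad":
        return "financeIPAD"               # MDM-managed Finance iPad
    if ad_group == "Finance" and posture_clean:
        return "Finance"                   # the "CleanMachine" condition
    return "Unknown"                       # no matching context -> no privileges

def egress_decision(src_tag: str, dst_ip: str, app: str) -> str:
    """Evaluate tagged traffic against the SG-ACL at the egress point."""
    dst_tag = tag_for_server(dst_ip)
    allowed = SGACL.get((src_tag, dst_tag), set())
    return "PERMIT" if app in allowed else "DENY"   # implicit deny

def rule_count(sources: int, destinations: int, ports: int) -> int:
    """Rule count for either model: IP prefixes x IP prefixes x ports, or SGTs x SGs x ports."""
    return sources * destinations * ports
```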
• Introduction
• Inserting Firewalls into a state-of-the-art Data Center
• Next Generation Firewall features in the Data Center
• Virtualization Security
1. VMware vMotion moves virtual machines across physical ports, and the network policy must follow this migration (across racks, pods, and data centers)
2. Administrators must view or apply network and security policy to locally switched traffic
3. Administrators need to maintain segregation of duties while helping ensure nondisruptive operations
4. Organizations need a VLAN-agnostic solution to decrease complexity and enhance scalability
(Diagram: port group; security administration, server administration and network administration.)
• Proven Cisco® security: virtualized, with physical and virtual consistency
• Collaborative security model
  ̶ Cisco Virtual Secure Gateway (VSG) for intra-tenant secure zones
  ̶ Cisco ASA 1000V for tenant edge controls
• Transparent integration
  ̶ With Cisco Nexus® 1000V Switch and Cisco vPath
• Scale flexibility to meet cloud demand
  ̶ Multi-instance deployment for scale-out deployment across the data center
(Diagram: VMware vCenter and Cisco® Virtual Network Management Center (VNMC) managing Tenant A and Tenant B; each tenant’s VDCs and vApps are protected by Cisco VSG, with Cisco ASA 1000V at the tenant edge, over Cisco vPath and Cisco Nexus® 1000V on the hypervisor.)
• No need to deploy virtual services on every host
• Multi-hypervisor support
• Policies follow vMotion
• vCenter integration
(Diagram: NX-OS data plane with a VEM and vPath per hypervisor (ESX, Win8 Hyper-V*, XenServer*, KVM**), connected by VXLAN.)
vPath: Virtual Service Datapath; VXLAN: Virtual Extensible LAN; VSM: Virtual Supervisor Module; VEM: Virtual Ethernet Module
* Target: 1H CY13
** Target: 2H CY13
vPath initial packet flow (diagram): VMs attached to a Nexus 1000V Distributed Virtual Switch with vPath, managed by VNMC. Steps shown: initial packet flow, flow access control by the VSG, decision caching, log/audit.
vPath remaining packets from the flow (diagram): the VSG ACL decision is offloaded to the Nexus 1000V, so the remaining packets of the flow are handled by vPath on the Nexus 1000V; log/audit.
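The two vPath diagrams above, as an added Python model that is not Cisco’s code: the first packet of a flow is sent to the VSG, the decision is cached in vPath, the remaining packets of the flow are served from the cache, and every decision is logged; it also shows the cache flush a policy update needs so that stale decisions are not reused. The zones, addresses, 5-tuple cache key and policy are constructed.

```python
"""Added example, not from the deck: a toy model of the vPath/VSG interaction
in the packet-flow diagrams. The first packet of a flow is redirected to the
VSG for a policy decision; vPath caches that decision and handles the remaining
packets of the flow itself; every decision is logged. A policy change flushes
the cache so stale decisions are not reused. Zones, addresses, the cache key
and the policy below are constructed."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport")

# Constructed zone layout used by the VSG policy
ZONES = {"10.1.1.0/24": "web", "10.1.2.0/24": "db"}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for subnet, zone in ZONES.items():
        if addr in ipaddress.ip_network(subnet):
            return zone
    return "unknown"

class VSG:
    """Policy engine: sees only the initial packet of each flow."""
    def __init__(self, policy):
        self.policy = dict(policy)   # (src zone, dst zone, dport) -> decision
        self.evaluations = 0
    def decide(self, pkt: Packet) -> str:
        self.evaluations += 1
        key = (zone_of(pkt.src), zone_of(pkt.dst), pkt.dport)
        return self.policy.get(key, "DENY")     # implicit deny between zones

class VPath:
    """Datapath on the Nexus 1000V VEM: caches VSG decisions per flow."""
    def __init__(self, vsg: VSG):
        self.vsg = vsg
        self.cache = {}      # flow key (constructed 4-tuple) -> cached decision
        self.audit = []      # log/audit entries, one per VSG decision
    def handle(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        if key not in self.cache:                  # initial packet of the flow
            decision = self.vsg.decide(pkt)        # redirect to the VSG
            self.cache[key] = decision             # decision caching
            self.audit.append((key, decision))
        return self.cache[key]                     # remaining packets: offloaded
    def update_policy(self, policy) -> None:
        """New VSG policy: drop cached decisions so flows are re-evaluated."""
        self.vsg.policy = dict(policy)
        self.cache.clear()

def run(vpath: VPath, packets) -> list:
    return [vpath.handle(p) for p in packets]
```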
Data center firewall use cases (diagram):
1. Secure internal zone from external zone (Internet, vPC)
2. Secure data for compliance (CTX1/VDC1, CTX2/VDC2, Cisco VXI, campus/data center)
3. Secure application tiers (CTX1: front-end (presentation), web tier (business logic), DB tier (data access))
4. Secure multitenancy (CTX1: extranet vendor; CTX2: partner; vPC)
MultiScale™ Performance: Superior Protection at Data Center Speeds (campus to data center)

Platform               Firewall throughput   Connections   CPS
ASA 5585-SSP10         4 Gbps                1 MM          50,000
ASA 5585-SSP20         10 Gbps               2 MM          125,000
ASA 5585-SSP40         20 Gbps               4 MM          200,000
ASA 5585-SSP60         40 Gbps               10 MM         350,000
ASA Services Module    16 Gbps               10 MM         300,000
• 5000+ customers; 800,000+ globally deployed devices; 80% of the Fortune 100; 4.28 CSAT score; 135+ countries
• End-to-end management at scale
• Policy optimization and analysis at no additional cost
• Events, reports and close investigative workflows
• Granular RBAC and change management
• Trusted partner committed to customer success: policy consistency and operational excellence for customers
• Deployment options: a broad range of choices for customers: appliances, modules and cloud
• Industry excellence: proven firewall track record for 15 years delivering measurable risk reduction
• Strong industry alliances: secure multitenancy with VMware and NetApp; vBlock: the VCE Company; OpenStack participant
Thank you.
High-Performance Data Center Today

ASA 8.4.1 64-Bit: 5X capacity (64-bit, 10 million connections, 250 contexts, 1000 VLANs)
ASA 8.4.2 Dual Blade: 2X performance (80 Gbps, 700K CPS, 20 million connections)
ASA 9.0 Clustering: 5-7X scale (300 Gbps, 1.5 million CPS, 50 million connections)
Nexus 7000 ASA SM (Osiris): ASA Services Module for the Nexus 7000
• Improved features, performance and capabilities
• 8x clustering support
• Clustering across a vPC pair
• Leverages the 5585-X SSP60/ASA SM architecture x2
• Flexible hardware design supports multiple services on a single blade
Targeted FCS: 2H CY 2013

Single blade performance
Metric                     Value
Performance                40 Gbps
Concurrent sessions        20M+
New connections/second     500K
Security contexts          500
VLANs                      2,000
Chassis performance        250 Gbps+
MultiScale™ Performance with Clustering (clustering: $0.00 SKU)
5585-X x8: 1.5M CPS, 50M connections, 300 Gbps max
C6K ASASM x8: 1.2M CPS, 50M connections, 160 Gbps max
N7K ASASM (Osiris) x8: 1.5M+ CPS, 50M+ connections, 320 Gbps max
Linear Scaling with ASA Clustering
• Integration with Nexus 7K vPC and FabricPath
• Linear cluster scaling
• Asymmetric traffic support with clustering
• Multi-site clustering (future)
(Diagram: Nexus with vPC, ASA clustered.)
3 ASA 5585-X IO Modules* (New!)
• Half-slot IO modules
• Max ASA 5585-X port density
• 20x10G ports or 50x1G ports in an ASA 5585-X chassis

Module                            Dual 10G/1G SFP+/SFP ports   1G SFP ports   1G RJ45 ports
4-port 1G/10G SFP/SFP+ module     4                            0              0
8-port 1G/10G SFP/SFP+ module     8                            0              0
20-port 1G module                 0                            12             8

* Clustering support with IO modules 1H CY13
• Introduction
• Inserting Firewalls into a state-of-the-art Data Center
• Next Generation Firewall features in the Data Center
• Virtualization Security
• Competitive Analysis
Cisco ASA 5585-S60 vs Juniper SRX 5800

Clustering performance     Cisco ASA 5585-X 4-unit cluster   Juniper SRX 5800
EMIX throughput            60 Gbps                           37.5 Gbps (IMIX)
Connections per second     750,000                           380,000
List price                 $899,980                          $1,200,000
Cisco ASA 5585 vs Check Point 61000

Clustering performance     Cisco ASA 5585-X cluster   Check Point 61000
EMIX throughput            120 Gbps                   30 Gbps*
Connections per second     1.5 million                600,000

* Extrapolation from Miercom report http://www.miercom.com/pdf/reports/20120514.pdf
Cisco ASA 5585 vs Fortinet 5140B

Clustering performance        Cisco ASA 5585-X 8 units      Fortinet 5140B*
EMIX throughput (clustered)   120 Gbps                      120 Gbps
Connections per second        2.8 million (non-clustered)   3.29 million (non-clustered)
List price                    $1,799,960                    $2,060,000

* For graceful upgrade, require 2 Fortinets. Fortinet: double number of boxes and 4X rackspace!!
Cisco ASA 5585 S40 vs Palo Alto 5000

Performance                         Cisco ASA 5585-X S40   Palo Alto 5060
Max throughput                      20 Gbps                20 Gbps
Connections per second              200,000                120,000
Max connections                     4,000,000              4,000,000
IPS (server side inspection on)     5 Gbps                 5 Gbps
SSL                                 4 Gbps                 626 Mbps

Palo Alto 5060 does not work with Nexus vPC. Palo Alto 5060 architecture has security vulnerabilities: http://www.youtube.com/watch?v=riVqLQWfDlw
Thank you.