Next gen DC secu - Cisco

Post on 10-Oct-2020


Transcript

Segmentation

• Establish boundaries: network, compute, virtual
• Enforce policy by functions, devices, organizations, compliance
• Control and prevent unauthorized access to networks, resources, applications

Threat Defense

• Stop internal and external attacks and interruption of services
• Patrol zone and edge boundaries
• Control information access and usage, prevent data loss and data modification

Visibility

• Provide transparency to usage
• Apply business context to network activity
• Simplify operations and compliance reporting

Use cases:

1. Secure Internal Zone from External Zone
2. Secure Application Tiers
3. Secure Data for Compliance
4. Secure Multitenancy

[Diagram: the four use cases. Campus/Data Center and Internet reach the DC through vPC pairs; Cisco VXI; application tiers Front-End (Presentation), Web Tier (Business Logic) and DB Tier (Data Access); firewall contexts CTX1/CTX2 inside VDC1/VDC2; Vendor, Partner and Extranet tenants.]

Aggregation Layer

Services Layer (option)

Virtual Network & Access

• Initial filter for all ingress and egress to DC services & compute - “North-South” protection
• Stateful filtering and logging for all ingress and egress traffic flows
• Physical appliances can be virtualized and applied to server enclaves
• Virtual firewall, zone/enclave based filtering
• IP-Based Access Control Lists
• VM attribute-based policies – Should Follow VM
• “East-West” protection

Data Center Edge

• Physical Delineation for all ingress and egress into the ‘CORE’ of the DC – Traditional Security Models apply to North-South Protection
• Additional services location for server farm specific protection and other potential zones

[Diagram: layered DC security model. Traditional Edge Security at the DC Edge (Layer 3; Internet, Partners, IP-NGN (BBG)); Internal Zoning across DC Core, DC Aggregation, DC Access and DC Virtual Access (Layer 2 - 10GE, 4/8 Gb FC); isolation techniques per layer: VRF-lite, VRF, Vlan/802.1q, Firewall/IDS Partitioning, FEX/A-FEX/VM-FEX, Virtual FW, Vlan/Pvlan, VXLAN, VDC.]

Compute Separation: vNICs, VLANs, Port Profiles

Storage Separation: VSAN, FC Zoning, LUN masking, vFilers

Application Tier: logical and physical segmentation with L2/L3 firewalling and security zoning

Network Separation:

• Per-tenant routing and forwarding tables (VRF)
• VLAN IDs and 802.1q tags provide isolation and identification of tenant traffic across the L2 domain
• VRF-lite implemented at core and aggregation layers provides per-tenant isolation at L3
• VDC to segregate and virtualize the equipment
• Defense in Depth per consumer (front end ASA, back end VSG)

Physical Hosts / NGIPS / ASA FW

• Control North/South traffic with ASA 5585
• Scale and HA with Clustering
• Inspect North/South traffic with NGIPS
• Segment and Protect virtual enclave with ASAv and vNGIPS

[Diagram: NGIPS, ASA FW, Clustering, NGA, Virtual FlowSensor.]

CTD : Cisco Threat Defense

Leverage your Cisco Infrastructure to fight Advanced Pervasive Threats

TrustSec with Security Group Tagging

Simplify / Automate / Accelerate / Standardize

[Diagram: SGT classification, propagation and enforcement. Users and devices are classified by ISE against the directory and assigned an SGT; the tag is propagated with the data (Data + SGT:5) through switch, router, DC FW and DC switch; enforcement is applied in front of the servers (HR Servers SGT = 4, Fin Servers SGT = 10).]

[Diagram: ASA cluster joined by the Cluster Control Link.]

Sourcefire on 5585-X (Blade)
Sourcefire on 5500-X (Software)

Subscriptions: Threat: IPS, AVC, URL Filtering, AMP

ASA 9.2 : INCREASED CLUSTERING SIZE AND PERFORMANCE

*Estimated Max with Jumbo frame no asymmetric traffic

[Diagram: two data centers, each with a DC Edge (ASA5585-X pairs on Nexus 7000), Internal DC Zone(s), DC Core VDC (Routed) on Nexus 7000, DC Aggregation Layer VDC, Compute Access Layer (Nexus 5000, Nexus 2000, 10Gig Server Rack, Cisco UCS, vPC) and Nexus 1000v with VSG and ASA1000v. DCI With Dark Fiber: Double-Sided vPC over Dark Fiber, 10G-400G, RTT <10ms + <100Km. An Inter-DC FW CLUSTER spans both sites over the cluster control link (CCL).]

Dark Fiber could be connected to Core / Aggregation or to a dedicated Services layer. Each has pros and cons based upon environment.

[Diagram: the same two-site design with DCI (OTV). DC Edge (ASA5585-X, Nexus 7000), Internal DC Zone(s), Extranet, DC Core VDC (Routed), DC Aggregation Layer VDC, Compute Access Layer (Nexus 5000, Nexus 2000, 10Gig Server Rack, Cisco UCS, vPC), Nexus 1000v with VSG and ASA1000v; an OTV VDC at each site provides Layer 2 Extension (OTV); Inter-DC FW CLUSTER with CCL; RTT <10ms + <100Km.]

[Diagram: FabricPath Spine and FabricPath Leaf, Compute Access Layer; Data Center A (Pod A1, Pod A2, Pod A3) and Data Center B (Pod B1, Pod B2, Pod B3) joined by an L2 or L3 Interconnect, RTT <10ms + <100Km; ASA Cluster.]

Data Center Design Zone : http://www.cisco.com/go/vmdc

Source: Cisco® Global Cloud Index 2012

• Proven Cisco® security: virtualized physical and virtual consistency
• Collaborative security model: Cisco Virtual Secure Gateway (VSG) for intra-tenant secure zones; Cisco ASA 1000V for tenant edge controls
• Transparent integration with Cisco Nexus® 1000V Switch and Cisco vPath
• Scale flexibility to meet cloud demand: multi-instance deployment for scale-out deployment across the data center

[Diagram: Tenant A and Tenant B VDCs, each containing vApps protected by Cisco VSG instances, with a Cisco ASA 1000V at each tenant edge.]

Removed clustering and multiple context mode

• Parity to physical form-factor feature-set
• Scaling through virtualization
• Up to 10 vNIC interfaces
• Crypto in software
• SDN and traditional management tools
• Scales to 4 vCPUs and 8 GB of memory
• Ability to manage one policy on both physical and virtual ASAs

ASA OPEN SECURITY PLATFORM

MULTI-TENANT AND APPLICATION AWARE / READ / WRITE SOUTHBOUND API / PUBLISHED DEVICE MGMT PACKAGE FOR ACI / STANDARDS COMPLIANT / MONITORING FEATURES

[Diagram: ASA surrounded by Hypervisor Support, Orchestration Frameworks and System Management (CSM, PNSC); ASAv (Active) and ASAv (Standby) pair.]

Routed Firewall

• Routing traffic between vNICs
• Maintains ARP and routing table
• Tenant edge firewall

Transparent Firewall

• VLAN or VxLAN Bridging / Switching
• Maintains MAC-address tables
• Non-disruptive to L3 designs

Service Tag Switching

• Applies inspection between service tags
• No network participation
• Fabric integration mode

ASAv PHASED RELEASE: 9.2.1, 9.3.1/9.3.2

[Diagram: three views of the same deployment. APPLICATION: Web Tier, App Tier, DB Tier. SECURITY: Trusted Zone, DB Tier, DMZ, External Zone. INFRASTRUCTURE: Cloud, a COMMON POOL OF RESOURCES. Roles: Application Admin, Security Admin, Network Admin, Cloud Admin; “Users” and “Apps” groups.]

Intelligent Fabric

Logical Endpoint Groups by Role

Heterogeneous clients, servers, external clouds; fabric controls communication

Every device is one hop away, microsecond latency, no power or port availability constraints, ease of scaling

Flexible Insertion

ACI Controller manages all participating devices, change control and audit capabilities

Unified Management and Visibility

Fabric Port Services

Hardware filtering and bridging; seamless service insertion, “service farm” aggregation

Flat Hardware Accelerated Network

Full abstraction, de-coupled from VLANs and Dynamic Routing, low latency, built-in QoS

[Diagram: Cisco Nexus 9000 ACI Fabric with Spine Nodes, Leaf Nodes and a Virtual Leaf; Service Producers and Service Consumers; EPG “Users”, EPG “apps”, EPG “Internet”. APIC (TENANT AND APPLICATION AWARE, READ / WRITE ALL FABRIC INFO, PUBLISHED DATA MODEL, OPEN SOURCE) integrates Hypervisor Management, Automation Tools, Orchestration Frameworks, System Management and Security (ASA); Industry Standard Compliant.]

A Platform approach to Data Centre infrastructure

[Diagram: EPG “Users” and EPG “Apps” on the ACI Fabric, joined by the Policy Contract “Users → Apps”.]

Define Endpoint Groups: any endpoints anywhere within the fabric, virtual or physical

Ingress Fabric Rules Programmed from Contract: hardware rules on each port, security in depth, embedded QoS

Single Pass Firewalling with Flow-Specific Policy: security administrator defines generic templates in APIC, availed to contract creation

Single Point of Management: different administrative groups use same interface, high level of object sharing

Application Policy Infrastructure Controller (APIC)

Define Contracts Between Endpoint Groups: port-level rules: drop, prioritize, push to service chain; reusable templates

[Diagram: endpoints (EP …) grouped into EPG WEB, the consumer, and EPG APP SERVER, the provider.]

A contract specifies rules and policies on groups of physical or virtual end-points without understanding of specific identifiers and regardless of physical location.

Identifies what traffic: L4 port ranges, TCP options, …

Identifies actions applied: QoS, Log, Redirect into SVC graph, …

End points in group WEB can access end-points in group APP SERVER according to rules specified in the contract, defined bi-directionally in the “provider” centric way.

Actions: Permit, Deny, Redirect, Log, Copy Packet, Mark Packet DSCP, …

There are six policy options supported: permit the traffic, block the traffic, redirect the traffic, log the traffic, copy the traffic, mark the traffic (DSCP/CoS).

Policy encompasses traffic handling, quality of service, security monitoring and logging.
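The contract model above, and the SGT classify/propagate/enforce flow on the TrustSec slide, rest on one idea: policy is keyed on group membership, not on addresses. The Python model below is an added illustration written for this page; it is not Cisco code and does not reproduce the APIC object model. The EPG names, addresses, ports and the (consumer, provider) lookup are constructed assumptions. It classifies endpoints into groups, looks up the contract for the group pair, matches filters on protocol and destination port range, returns the contract's actions, admits reply traffic by reversing the filter ports, and treats any pair without a contract as an implicit deny that is logged. Relocating an endpoint to a new address shows the policy following the group rather than the address.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Toy group-based policy evaluator in the spirit of the contract slide.
# Added for this page; not Cisco code and not the APIC data model.


@dataclass(frozen=True)
class Filter:
    """'Identifies what traffic': protocol, destination L4 port range, required TCP flags."""
    protocol: str                              # "tcp", "udp" or "any"
    dport: Tuple[int, int]                     # inclusive destination port range
    tcp_flags: FrozenSet[str] = frozenset()    # flags that must all be set; empty = any

    def matches(self, protocol: str, dport: int, flags: FrozenSet[str], check_flags: bool = True) -> bool:
        if self.protocol != "any" and self.protocol != protocol:
            return False
        if not self.dport[0] <= dport <= self.dport[1]:
            return False
        return (not check_flags) or self.tcp_flags <= flags


@dataclass(frozen=True)
class Subject:
    """Filters plus the actions applied to matching traffic (permit, deny, redirect, log, copy, mark)."""
    filters: Tuple[Filter, ...]
    actions: FrozenSet[str]
    reverse_filter_ports: bool = True          # admit provider->consumer replies on the same ports


@dataclass(frozen=True)
class Contract:
    consumer: str                              # EPG that initiates connections
    provider: str                              # EPG that offers the service
    subjects: Tuple[Subject, ...]              # evaluated in order; first match wins


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    sport: int
    dport: int
    tcp_flags: FrozenSet[str] = frozenset()


IMPLICIT_DENY = ("deny", frozenset({"log"}))   # whitelist model: no contract, no traffic


class Fabric:
    def __init__(self) -> None:
        self.epg_of: Dict[str, str] = {}                       # learned endpoint address -> EPG
        self.contracts: Dict[Tuple[str, str], Contract] = {}   # (consumer, provider) -> contract

    def classify(self, ip: str, epg: str) -> None:
        self.epg_of[ip] = epg

    def relocate(self, old_ip: str, new_ip: str) -> None:
        """An endpoint moves (new leaf, new address); its group membership follows it."""
        self.epg_of[new_ip] = self.epg_of.pop(old_ip)

    def add_contract(self, contract: Contract) -> None:
        self.contracts[(contract.consumer, contract.provider)] = contract

    def evaluate(self, flow: Flow) -> Tuple[str, FrozenSet[str]]:
        """Classify both ends, then look up policy by group pair, never by address."""
        src_epg, dst_epg = self.epg_of.get(flow.src_ip), self.epg_of.get(flow.dst_ip)
        if src_epg is None or dst_epg is None:
            return IMPLICIT_DENY                               # unclassified endpoint
        fwd = self.contracts.get((src_epg, dst_epg))           # consumer -> provider
        if fwd is not None:
            for subj in fwd.subjects:
                if any(f.matches(flow.protocol, flow.dport, flow.tcp_flags) for f in subj.filters):
                    return ("deny" if "deny" in subj.actions else "permit"), subj.actions
        rev = self.contracts.get((dst_epg, src_epg))           # provider -> consumer reply
        if rev is not None:
            for subj in rev.subjects:
                if subj.reverse_filter_ports and any(
                        f.matches(flow.protocol, flow.sport, flow.tcp_flags, check_flags=False)
                        for f in subj.filters):
                    return ("deny" if "deny" in subj.actions else "permit"), subj.actions
        return IMPLICIT_DENY


def build_demo_fabric() -> Fabric:
    """Constructed sample: three EPGs and two contracts (addresses and ports are made up)."""
    fab = Fabric()
    for ip in ("10.1.1.10", "10.1.1.11"):
        fab.classify(ip, "WEB")
    fab.classify("10.2.2.20", "APP SERVER")
    fab.classify("10.3.3.30", "DATABASE")
    fab.add_contract(Contract("WEB", "APP SERVER", (
        Subject((Filter("tcp", (8080, 8080)),), frozenset({"permit", "log"})),)))
    fab.add_contract(Contract("APP SERVER", "DATABASE", (
        Subject((Filter("tcp", (22, 22)),), frozenset({"deny", "log"})),            # admin port: deny first
        Subject((Filter("tcp", (3306, 3306)),), frozenset({"permit", "redirect"})),  # into the service graph
    )))
    return fab


def run_scenarios(fab: Fabric) -> Dict[str, Tuple[str, FrozenSet[str]]]:
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    results = {
        "web->app:8080": fab.evaluate(Flow("10.1.1.10", "10.2.2.20", "tcp", 51000, 8080, syn)),
        "app->web reply": fab.evaluate(Flow("10.2.2.20", "10.1.1.10", "tcp", 8080, 51000, ack)),
        "web->db:3306": fab.evaluate(Flow("10.1.1.10", "10.3.3.30", "tcp", 51001, 3306, syn)),
        "app->db:3306": fab.evaluate(Flow("10.2.2.20", "10.3.3.30", "tcp", 52000, 3306, syn)),
        "app->db:22": fab.evaluate(Flow("10.2.2.20", "10.3.3.30", "tcp", 52001, 22, syn)),
        "unknown->app:8080": fab.evaluate(Flow("192.0.2.5", "10.2.2.20", "tcp", 40000, 8080, syn)),
    }
    fab.relocate("10.1.1.10", "10.1.9.10")                     # same VM, new address and leaf
    results["moved web->app:8080"] = fab.evaluate(Flow("10.1.9.10", "10.2.2.20", "tcp", 51002, 8080, syn))
    return results


if __name__ == "__main__":
    for name, (verdict, actions) in run_scenarios(build_demo_fabric()).items():
        print(f"{name:22} {verdict:6} {sorted(actions)}")
```

Two design points carry over to a real fabric: subjects are matched in order, so a deny for an administrative port must precede the broad permit that would otherwise swallow it; and the reverse lookup only swaps the ports, which is why a reply with an ACK flag still matches a filter written for the forward direction.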

[Diagram: Application Container “Web” (EPG “Web”) and Application Container "Database” (EPG “Database”) joined by Policy Contract “Web → Database”, with Service Chain “Web → Database” inserted between them.]

[Diagram: service graph example. Application Admin and Service Admin roles; endpoints in 192.168.1.0/24 in DC 1; Policy-based Redirection through FW_A (ASA 5585) and Netscaler VPX on Nexus 7000 / ACI Fabric; the graph is shown in Physical and Logical views.]
