New trends through time have changed the face of the data center. Each of these trends builds on the one below it.

Historically, the conversation in the data center has been dominated by scalability and simplicity. How fast does the data center move, and how easy is it to implement and operate?

More recently, trends like outsourcing and partnerships have forced the traditionally closed data center to open. These new users of the network often need controlled access deep into the data center. This is changing traditional data center models.

Virtualization and asset consolidation are also changing the data center. The cost benefits of virtualization are driving rapid adoption across verticals, fundamentally altering the face of the data center.

Finally, as cloud computing begins to emerge as a viable architecture, it promises even higher cost advantages through scale and elasticity.
The virtual environment brings with it a host of new security problems. These problems can be divided into two groups:

Security in the Server Access Layer: these are today’s largest pain points.
Regaining visibility in the access layer is the first step toward securing it. Regaining inter-host visibility in the virtual world provides key security forensics intelligence – which hosts are communicating, and in the event of an outbreak, where it originated.
Securing the access layer from DHCP and ARP attacks such as eavesdropping and VLAN hopping.

Security at Higher Layers: these are emerging pain points that we need to address.
Virtual policy enforcement creates segmentation and separation in the virtual world similar to that available in the physical world. Note that this can be provided either through fully virtual enforcement points, or through physical enforcement points that are virtualization-aware.
Finally, the physical and virtual worlds need to be tied together in a common operational environment with a common policy infrastructure.
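The ARP and DHCP access-layer attacks named above are usually countered by validating every ARP packet from an untrusted port against the DHCP snooping binding table, which is the logic behind dynamic ARP inspection. The Python below is an added illustration of that check, not Cisco or Nexus 1000v code; the bindings, port names and ARP packets are constructed samples.

```python
"""Dynamic-ARP-inspection style check for a virtual access layer (illustrative)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    vlan: int
    port: str   # virtual switch port the VM is attached to
    mac: str
    ip: str


# Constructed sample: bindings a DHCP snooping agent would learn from DHCP ACKs.
SNOOPING_TABLE = {
    Binding(10, "veth1", "00:50:56:aa:00:01", "10.0.10.11"),
    Binding(10, "veth2", "00:50:56:aa:00:02", "10.0.10.12"),
    Binding(20, "veth3", "00:50:56:aa:00:03", "10.0.20.13"),
}
# Ports facing the DHCP server / physical uplink are trusted and bypass inspection.
TRUSTED_PORTS = {"uplink1"}


def build_index(table):
    """Index bindings by (vlan, port, mac) so each ARP lookup is O(1)."""
    return {(b.vlan, b.port, b.mac): b.ip for b in table}


def inspect_arp(pkt, index, trusted=TRUSTED_PORTS):
    """Return (verdict, reason) for one ARP packet seen on its ingress port."""
    if pkt["port"] in trusted:
        return "permit", "trusted port"
    bound_ip = index.get((pkt["vlan"], pkt["port"], pkt["sender_mac"]))
    if bound_ip is None:
        return "drop", "no DHCP binding for sender MAC on this port/VLAN"
    if bound_ip != pkt["sender_ip"]:
        return "drop", f"sender IP {pkt['sender_ip']} does not match binding {bound_ip}"
    return "permit", "matches DHCP snooping binding"


# Constructed ARP traffic: a valid reply, a reply claiming the gateway IP from a
# VM bound to a different address (spoofing), and a request from an unknown port.
SAMPLE_ARPS = [
    {"vlan": 10, "port": "veth1", "sender_mac": "00:50:56:aa:00:01", "sender_ip": "10.0.10.11"},
    {"vlan": 10, "port": "veth2", "sender_mac": "00:50:56:aa:00:02", "sender_ip": "10.0.10.1"},
    {"vlan": 10, "port": "veth9", "sender_mac": "00:50:56:aa:00:09", "sender_ip": "10.0.10.50"},
]


def run(arps=SAMPLE_ARPS):
    """Apply the check to a batch and return the verdict for each packet."""
    index = build_index(SNOOPING_TABLE)
    return [inspect_arp(p, index)[0] for p in arps]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_ARPS, run()):
        print(verdict, p["port"], p["sender_mac"], p["sender_ip"])
```

A real deployment also rate-limits ARP on untrusted ports and logs each drop with the port and VLAN, which is the forensic trail the visibility point above asks for.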
Overall picture: list of Cisco security solutions with perhaps the architecture as a backdrop.
Cisco TrustSec, Cisco AnyConnect Secure Mobility, Cisco Virtual Office, PCI DSS Compliance, Threat Defense (Firewall, IPS), Cisco Content Security (email/web), Cisco Data Center Security, Cisco Virtualization and Cloud Security
Cisco’s vision in virtualization enables a seamless transition from physical to virtual enforcement. The vast majority of environments will be hybrid environments for years to come, and Cisco will provide a consistent solution across both.

The Nexus 1000v provides critical Layer 2-4 security capabilities today, solving today’s largest virtualization pain points. By building on the Nexus software base, customers can share a common operational environment with their physical Nexus switches.

Cisco’s roadmap for Layer 4-7 security services involves two approaches. Cisco will use Service Chaining to connect the physical to the virtual. Cisco will also provide a fully virtual enforcement platform to provide L4-7 security inside the virtualization infrastructure itself.
Public and Private Clouds are an architecture that brings together all elements of Scale and Simplicity, Openness, and Virtualization into an elastic, on-demand environment. This environment brings with it a new set of security concerns.

First, the need to establish trust in the cloud infrastructure itself. How does one maintain the integrity of the cloud environment?
Second, the need to connect users and internal networks into the cloud infrastructure. How do users get access to the cloud services?
Third, how do I secure the applications in the cloud, whether in a public cloud or a private one?
Today, flexibility is key as Cisco delivers common capabilities, giving consistent and therefore less complex operations. Three key form factors deliver this today:
Appliance – with ASA and IPS
Modules – Cat6k integrated service modules
Virtual – supported today with physical form factors via virtual contexts, allowing external security to be applied to virtualized applications, and leveraging the recently launched Nexus 1000v switch, which provides switch services on the hypervisor and has ACL capabilities for segmentation today

Next steps:
ASA – Spyker, a multi-gig, multi-service platform
Integrated service modules – Bennu as an immediate next step, with 3x FWSM performance, and then Osiris, a 40G service module for the Nexus 7000
Virtual – extending contexts beyond current levels to support larger SP deployments, and a virtual firewall which will serve virtualized security needs as scale increases
All of which will also extend data center security into cloud models.

Finally, as network performance demands grow in both the enterprise and the cloud, clustering support provides hundreds of gigabits of firewall performance in multiple form factors.
Although we have opened the network to external parties, we must continue to gain visibility and control. Focusing on both visibility into the threat environment and maintenance of the compliance environment, from a segmentation and threat perspective, is critical.

This is where user awareness begins, with directory services being tied to security, allowing for authentication and authorization of users so that we know the “who” in our formula.
Application awareness becomes the “what”, as far as leveraging domain names and identifying the applications inside the data center.
Finally, the “how”: creating zones of trust ties the “who” and “what” together in a logical manner that allows maintenance of segmentation in the new open DC.

The next step delivered on this structure is control of SaaS applications, enabling access policies for any app, anywhere in the world, with WSA.
Along with Identity Firewall and Application Awareness, TrustSec brings next-generation network segmentation based on domains of trust within the open data center infrastructure, with seamless authorization for various access types. This provides topology-independent, role-based, dynamic policy provisioning.

So now that we’ve talked about Scale and Openness, let’s talk about the next step toward the Borderless DC, which is Virtualization…
Here we find the Secure Borderless Data Center Architecture of tomorrow. This will include some additional items above and beyond today’s requirements in the Enterprise.

First, you will see the emergence of the cloud itself as an important security layer for the Enterprise. The cloud is secured for the Enterprise by Cisco in two ways: (1) at the cloud edge itself, with Firewall and IPS services being delivered to protect the cloud infrastructure itself; (2) in the Cloud Services Security Layer, in which cloud providers can provide both a virtual and a physical footprint to customers of IaaS and PaaS services to protect the applications running in the cloud. This would be delivered in a virtual firewall and virtual context form in the ASA.

Secondly, we see the emergence of the Secure Virtual Access Layer. This layer in the data center grows out of the massive move from traditional deployments to virtualization in the DC. As the requirement for virtual security zones increases, the need for Layer 2 through 7 security also emerges. This is where the virtual firewall becomes important, as the scale of the VMs grows larger and segmentation and security service needs grow with it.

Concurrently, the physical firewall will always play a role in the DC, as there are many applications that will not be virtualized and will continue to require an external, performance-guaranteed solution.