Monetizing The Enterprise: Borderless Networks

The Cisco Borderless Network Architecture is the technical architecture that allows organizations to connect anyone, anywhere, anytime, and on any device - securely, reliably, and seamlessly. Learn more about an infrastructure of scalable and resilient hardware and software in this presentation.
Keywords: Service Provider, enterprise, Mobile Endpoint and CPE, Virtualized Network Edge/Data Center Edge, Cloud

Published in: Art & Photos, Technology

Speaker notes
  • To combat these sophisticated and increasing global threats, organizations need global visibility. Cisco Security Intelligence Operations (SIO) provides a global view into security events as they happen worldwide and delivers actionable information for proactive control and response to threats as they emerge. Cisco has the industry's largest threat analysis system, delivering blended protection across attack techniques and methods. It collects and analyzes data from an extensive network of sensors and devices to gather and analyze threat information and provide the context that can stop and prevent new attacks. Cisco SIO collects real-time security information from over 700,000 sensors Cisco has deployed across the globe. Information is gathered in real time across a wide spectrum of data types, including over 5 billion email messages and 3 billion web requests a day, traffic collected from Cisco security and network devices located in Cisco locations and from thousands of customers who have opted to share relevant network data, and data collected from millions of endpoint devices that have also opted in to share information. This data is fed into Cisco's twenty global security operations centers, where it is collated and processed by a series of sophisticated algorithms and then analyzed by Cisco's team of over 500 security analysts. The result is actionable information (threat vectors, mitigation responses, data integrity, source reputation, etc.) that is pushed out dynamically to Cisco customer security devices to ensure that they provide the most critical, up-to-date protections against real threats.
This information is also provided to IT staff in the form of bulletins that give detailed information on threats, trends, and the protections and threat-mitigation approaches that ought to be implemented. SIO also provides reputation data on email and web servers, classifies applications and web categories, and delivers this to the context-aware enforcement points across the network. So not only are the Cisco devices acting as sensors for SIO (firewall, intrusion prevention system, email, web, AnyConnect), they also act as powerful enforcement points that can block blended threats. And because SIO relies on global correlation of real-time sensor data and provides timely updates, organizations are protected against new and fast-moving threats well ahead of signature-only approaches or products that lack the depth of threat intelligence SIO provides. The results are impressive. For example, by analyzing the sources of dangerous or malicious traffic, Cisco SIO is able to add a reputation profile to the Cisco IPS device that is analyzing traffic on the customer network. When low-level threats are detected and that information is combined with a reputation profile indicating that the data source is highly untrustworthy, the IPS device is better able to decide whether to monitor or block the traffic. With SIO Global Correlation on IPS, they are able to detect and prevent twice as many threats as a traditional signature-only IPS. Global Correlation also reduces the window of exposure to threats by 99% with near real-time updates to deployed IPS that help automatically filter out known bad actors while enhancing detection capabilities with the latest information on evolving threats. The addition of reputation scoring has increased the accuracy of IPS analysis by over 300%, making it the most accurate and up-to-date IPS solution in the industry.
  • This diagram is based on common industry models used by analysts and security professionals. As you can see by the elements in blue, Cisco is uniquely able to leverage both security and network devices, services, and solutions to provide a level of visibility and control simply unmatched in the industry. It is important to recognize that security is far less effective when it exists in its own vacuum; being able to leverage endpoints and the infrastructure (including mobile devices, virtualized environments, and the cloud) to provide both actionable, context-based intelligence and distributed enforcement gives a powerful integrated and collaborative approach to security. This approach is perfectly suited to the issues and concerns IT administrators face today, which are not about which firewall is best, but about: how do I control access to my network? How do I secure mobile workers? And how do I securely add new critical services such as cloud, virtualization, and collaboration tools like voice and video to my network?
  • User might be mobile, in a branch, … linking ISR G2 as a CPE
  • For example, consider a scenario during the FIFA World Cup: there might be a sudden increase in requests for video highlights from people overseas trying to follow the games. <TALK TO SLIDE>
  • Cloud Computing is application-centric. Whilst your customers talk about apps in the cloud and how to transfer workloads, it is essential to ‘talk their language’ but at the same time underpin your competitive differentiators with your assets and heritage. Your infrastructure assets such as IP NGN and Data Center will allow you to do just that.
  • Transcript

    • 1. Monetizing The Enterprise: Borderless Networks
      Michael Geller – Architect, SP Chief Technology Office
      Kevin Shatzkamer – Distinguished Architect, Sales
      September 27, 2011
    • 2. Abstract
      The impact of the consumerization of IT and mobility cannot be understated. The impact that these two key business elements have on the evolution of Enterprise Architecture and for Service Providers' ability to offer services to Enterprises, Governments, and Consumers is addressed in this webinar. The importance of the shift and movement of the secure network edge leads to a very close examination of the changing threat vectors and vulnerabilities impacting our businesses today. Service delivery and consumption on the three “service horizons” (Mobile Endpoint and CPE, Virtualized Network Edge/Data Center Edge, and the Cloud) is detailed.
    • 3. Visibility and Control
      Building a Secure Infrastructure for Profitable Services
      Total Visibility in all aspects of your network.
      Complete Control over all traffic in the network & cloud.
      Guaranteed Availability of all services.
    • 4. Multi-Tenant Access and Aggregation: Full Service Branch
      [Architecture diagram: Endpoint/CPE (Visibility & Posture) -> Access/Aggregation (DSL, Cable, Fixed Wireless, Mobility; L2 Agg.; PE(s)) -> Core (P routers) -> DC/Cloud (Public, Private & Hybrid Clouds; Internet & Peering Edge), with Security Operations and Services spanning all tiers]
      Security Monitoring & Management: VA, PT, Web Assessment & SSO, MNAC
      Telstra Cloud (DataCenter/Cloud):
      • Nexus 1kV (Netflow/VSG)
      • UCS: Software based Security Services (FW, VPN, …)
      • Nexus 7k Security Services Mod
      • vWAAS
      • Enterprise-Hosted Ironport Web/Content/Email Security/DLP
      • Scansafe Web Security
      • Identity/Policy Service Control
      Service Center (Data/Service Center):
      • Remediation (quarantine)
      • Intrusion Detection/Prevention
      • VM Security & Nexus 1000V
      • Anomaly detection/Scrubbing
      • Policy Control Plane
      • Firewall & XML Firewall
      • Web/Content/Email Security
      Security Operations Center (One Time Services; Enterprise): Security Experts, SOC Processes, SOC Toolsets
      SIO, Platform Telemetry, 3rd party rules and systems, Regulatory Policy & Influence
    • 51. Operator Portal Capabilities
      SP Operator Portal
      • Single pane of glass for all mgmt functions
      • White label logo and style branding
      • RBAC – Role-based access control
      • Customizable dashboard for different roles
      • Share information between SP & customers
      • Services catalogue
      • Knowledge base
      • Real-time threat dashboard
      • SLA tracking dashboard
      • Forensics
      • Historical reporting
      Consolidated Views: Risk Score, Alerts, Top Ten Events, Virus & Compliance Status
      Events View: Customized view based on need. More focused approach: Online Events & Forensic view
    • 62. Threat Intelligence: Global Visibility
      [Diagram: SIO global intelligence (Researchers, Analysts, Developers; ISPs, Partners, Sensors) producing Applied Mitigation Bulletins and feeding the Cisco enforcement points ESA, WSA, IPS, ASA and Cisco AnyConnect]
      Cisco solution: Largest Threat Analysis System - Blended Threat Protection
      700K+ Global Sensors
      5 Billion Web Requests/Day
      35% Of Global Email Traffic
      Endpoint Threat Telemetry
      Reputation, Spam, Malware and Web Category Analysis, and Applications Classification
    • 63. Security Services Delivered To The Enterprise
      [Matrix of security service areas against delivery contexts: Remote Access, Collaboration, Virtualization, Mobility, Cloud]
      Secure Systems / Device Forensics: Asset Mgmt
      Device Security: Lock/Wipe, Zero Day, AV, Encryption
      Audit
      Application Security: Web Application, Coding/Hardening, Penetration
      Service Mgmt.: Encryption
      Content/Data Security: Email, Web, DLP
      Data Gov.
      Network/System Management: Alerting, Logging, Monitoring
      Identity: Directories
      Policy
      Network Security: VPN, Firewall, IDS/IPS
      APIs
      Trusted System Infrastructure: Device, Compute, Storage, Network, Physical
      * Based on common industry models by Gartner, SANs Institute and various customer interviews
    • 64. AnyConnect Secure Mobility (Enterprise)
      [Diagram: Branch Office and Corporate Office connected through Cisco Integrated Services Routers, ASA, IronPort WSA, ISE and TrustSec]
    • 65. Enhanced Customer Experience via End-to-End Seamless Security & Assurance
      [Diagram with three numbered elements: Secure GW + Network + DC (Multi-Tenant Edge Services Gateway: VPN, FW, SBC, Visibility, DPI); Web/Email Security From The Cloud (ScanSafe); AnyConnect Secure Mobility Client; Cloud Offering Per Customer Application Experience with SLA; Policy + Identity]
      • Unified Anywhere+/AnyConnect
      • Simplified remote access
      • Connection and app persistence
      • Always-on VPN enforcement
      • Location-aware policy
      • Application controls
      • SaaS Access Control
      • Per User Subscription Model
      • Portal for Provisioning/Forensics
      AnyConnect on Cius / SmartPhone; Smart Branch; vOptimization; vLoad Balancing; HCS & IaaS
      AnyConnect Secure Mobility - SP Managed
    • 74. Security Services: Secure Places In The Network: Summary
      [Diagram: the three service horizons, Mobile Endpoint & CPE (AnyConnect policy; Mobility, DSL, Fixed Wireless, Cable; Consumer/SoHo and Enterprise), Virtualized Network/DC Edge (Internet & Inter-Cloud, Private Cloud, Public & Partner Cloud) and SP DC/Cloud, over a common Security Infrastructure with Policy, Trust & Identity Services]
      Defense In Depth - Common ASA Code Base
      SIO, SecOps (SmartOps, Tools, Ecosystem)
    • 84. Security Services: Secure Places In The Network: Horizon 1, Mobile Endpoint & CPE
      Platform/Area of Interest
      • MDM and Partners
      • Evolution of The ISR G2
      • Connecting the CPE to the cloud
      • ASA & Identity FW
      • Ironport ESA/WSA
      • DPI & Visibility
      • Identity Services & Policy
      [Diagram: Mobile Endpoint & CPE horizon with AnyConnect (Policy); Mobility, DSL, Fixed Wireless and Cable access for Consumer/SoHo and Enterprise]
    • 100. Connecting the CPE To The Cloud: Leveraging Cisco Product Multi-service capability
      Service Virtualization - UCS Express; App Visibility & Optimization (WAAS); Threat Protection Security Services
      Lowering Capex / Opex for on premise application services
      • Mission critical on-premise application hosting
      • Integration into IaaS Service Orchestration
      • Optimized experience for the Application Consumer
      End to end security service via optimized hybrid on-premise / cloud services
      • On-Premise encryption, Firewall, intrusion protection
      • Hosted Web content protection (ScanSafe) & Email Protection …
      • Managed Identity Services
      Improving end user quality of experience
      • End to end application visibility & SLA
      • Focus on Application Optimization …
      • Security services upsell opportunity
      WAAS Express; Dedicated Router Module; DC + vWAAS
    • 107. Connecting the CPE To The Cloud - 2: Leveraging Cisco Product Multi-service capability
      Services Led Selling: Video, EnergyWise
      Removing NOC/SOC complexity and allocation of people, process and tools – GTM acceleration
      • SmartOps for Security – SOC BOT Models
      • SmartOps for CPE – NOC White labeling or BOT Models
      • Testing and validation
      Minimize energy consumption and costs of delivered Managed Services
      • The “Green WAN / LAN” Service
      • The “Energy Optimized” Data Center
      Providing End to End Video Service insurance
      • IPSLA Video Probe for Video SLA
      • Video Optimized ISR G2 Bundle
      • Integration of ISR G2 into Video Architectures like Telepresence
      • Optimized delivery of Video
      • ISR G2 ad-hoc video conferencing
    • Aspiration: Policy Governed Networks
      [Diagram: Policy Teams (Security, Business, Compliance) and IT Systems Mgmt / Cisco Network Mgmt Policy & Rules feed a Centralized Policy Platform built on the Identity Services Engine (ISE), holding Customer Data, Context awareness and Business Relevance (Product Bookings). Policy is applied across ASR/ISR/ASA, Router/Switch and MPLS on User/Role, Device/Location, Application/Context and Service/Context, with outcomes such as Full, Encrypt and Restricted for endpoints like a Corporate Laptop or an iPad reaching Applications in the Data Center or Cloud and SalesForce.com. Visibility and Control: Centralized View with a Central Dashboard, Reports, Measurements and Troubleshooting, plus Third-Party Applications]
    • 115. Phased Execution: Centralized Policy Platform
      Identity Services Engine (ISE); policy use cases by area: Security (TrustSec, ISE), CCN, VXI (VDS/ISE), Branch Office
      Optimize Virtual Desktop Service Delivery: provide predictable quality for audio and video on the virtual desktop (VDI)
      Context-Based Security Services: prevent uncontrolled mobile devices from accessing servers with confidential information
      Authenticated & Authorized Access: authenticate guests and provide only Internet access
      Prioritized Branch Service Delivery: prioritize point-of-sale transactions over video (YouTube …)
      Agile Virtual Service Delivery: move WebEx from RTP DC to SP US Cloud with Premium Service Level
    • 129. Security Services: Secure Places In The Network: Horizon 2 & 3, Network and DC Edge + DC/Cloud
      Platform/Area of Interest-2
      • MDDC & CCN
      • ASR 1k – Multitenancy and DC Edge
      • IOS-XE on a VM
      • Virtual Appliance + Physical Application
      • Hosted Content, Email, Web Security
      • DPI & Visibility
      Platform/Area of Interest-3
      [Diagram: Virtualized Network/DC Edge (Internet & Inter-Cloud, Private Cloud, Public & Partner Cloud) and SP DC/Cloud horizons, reached over Mobility, DSL, Fixed Wireless and Cable from Consumer/SoHo and Enterprise]
    • 152. Cisco Products: Cisco VXI, Virtualized End-to-End System
      [Diagram with three layers: Virtualized Collaborative Workspace (Cisco Clients: Cisco Virtualization Experience Clients, Cius Business Tablets, Thin Client Ecosystem; PoE, Switching), Virtualization-Aware Borderless Network (Routing, ASA, WAAS, CDN, AnyConnect) and Virtualized Data Center (Desktop Virtualization Software, Applications/Desktop OS, MS Office, Hypervisor, Cisco Collaboration Applications, Unified CM, Quad, Virtual Security Gateway, Nexus 1000v, ACE, WAAS, UCS, Storage, Compute). Generic VDI has no support for UC or Rich Media; the Cisco stack adds End-to-End Security, Management and Automation]
    • 153. Borderless Network VXI Components
      Access Security / Data Center / VXI Network:
      • ASA and AnyConnect provide a single secure remote access solution for a large device footprint
      • Device profiling and posture assessment using ISE ensures conformance
      • UPoE and PoE+ provide a de-cluttered and energy efficient virtual workspace
      • 802.1x based device and user authentication
      • TrustSec allows policy based access to specific applications in the Data Center
      • Unmanaged devices (BYOD) are only allowed access to specific virtual desktop pools and applications
      • DMVPN allows secure, dynamic and direct branch to branch collaboration
      • WAAS and ISR together accelerate performance
      [Diagram: Secure VXI Data Center (N1K, VSG, ASA, WAAS DC, Cisco ACE, McAfee MOVE-AV; Contractor, Finance and Employee zones; Database, Web and App tiers; DC Network), Campus (Cat4K, Dot1x/MAB, UPoE/PoE+), Remote/Home User over the Internet with AnyConnect w/ Split Tunnel carrying Secure Display Traffic, and Branch One / Branch Two (ISR-G2, DMVPN, WAE, WAAS Express) carrying Display Traffic and Voice/Video]
    • 161. From Router to vRouter
      Phase 1: Secure Connectivity from Premise to Cloud
      • Extend enterprise VPN infrastructure into the cloud via a cloud-based virtual VPN appliance
      • Enable secure split tunneling, bypassing expensive MPLS / private IP network backhauling
      • Provide end-to-end security – access control, DAR encryption, app/user/content visibility, IPS, web security – and unified mgmt
      • This will enable enterprises to move mission-critical data to the cloud, retain control and meet compliance requirements
      Phase 2: Networking Services from the Cloud
      • Provide routing, switching, WAN acceleration, end-to-end security, performance monitoring, traffic prioritization / QoS, etc. via a cloud-based virtual router
      • Enables SPs and Cloud Providers to offer value-added pay-for-use services – networking, security – in a virtualized form factor to their customers
      • Enables SPs to move services away from CPE ISRs to the cloud / provider edge, minimizing and simplifying mgmt
    • 167. Network Positioning System
      [Diagram: three National Data Centers attached to the Core, with the NPS advising the PE routers; Phase II – Distributed Placement]
      1. Orchestration System requests capacity, which is available at multiple DCs
      2. Insufficient bandwidth and/or sub-optimal location to meet the SLA
      3. NPS informs the best location(s) / PE Routers
      Improves experiences, reduces operational and network costs
    • 168. Using Security Conductor for DDoS Attack Mitigation
      [Diagram: Access/Aggregation Network and IP/MPLS Network with Peering to Other SPs and CPE; a DC Control Point hosting the Security Apps (Visibility, Logging & Forensics, Incident Control) and the Security Policy Conductor (Policy Engine, Capabilities Directory, Resource Manager, Dependency Tracker); SECOPS and NETOPS consume Monitoring Info: Netflow, MIBs, Logs for Baselining, Forensics and Planning]
      1. Visibility Apps gather physical and virtual interface traffic information
      2. Visibility Apps build a network baseline and monitor for traffic anomalies
      3. In case of an anomaly, they transfer the information to the Security Incident Control Application
      4. Incident Control Apps inform SECOPS
      5. Incident Control performs a RTBH using BGP route insertion at the SP DC PE router (RTBH configured)
      6. “Sinkhole” Apps VMs are assigned for attack analysis (Sinkhole Apps activated on VMs)
      7. Using the Security Conductor, security mitigation policies (ACL, QoS policers, etc.) are downloaded to the network; Attack Mitigation Policies are downloaded to all applicable routers
      8. All Visibility and Mitigation information is sent for forensic analysis
    • 169. Cloud Security solution focus: Mapping
      • Policy based control for ID, Data Confidentiality
      • Visibility, Forensics, Governance
      • VM-VM security, Routing policies in VM
      • VPATH to stitch and control VMotion
      Business Needs: Loss of Control; Data-in-flight security; Data-at-rest security; Multi-tenant
      Reference Architecture: Secure Cloud Services (Scansafe (SAML), DLP, Cisco ID Connect); Anyconnect: VDI/VXI; VDC, DCI (OTV), VPLS/VRF …; Services: Virtual LB, FW; VN-Link, LISP, SIA tags w/HW assist, N1k, VSG; PortProfile, vNetFlow, SAN
    • 173. Putting It All Together: HCS
      Unified Communications and Collaboration
      [Diagram: ESX Servers hosting Customers 1 to 5 in Pure Hosted, Remote Managed On Prem and Hybrid models over a Dedicated / Private Network]
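The baseline, anomaly, RTBH, ACL and forensics loop sketched on the Security Conductor DDoS slide (slide 168 in the transcript above), as an added example that is not Cisco's code and not part of the original presentation. The NetFlow-style record layout, the constructed traffic, the thresholds, the discard next-hop and the blackhole community are all assumptions; real deployments take these from the SP's own routing policy.

```python
from collections import defaultdict
from statistics import mean, pstdev

DISCARD_NEXT_HOP = "192.0.2.1"  # assumed: PEs carry a static route for this host to Null0
RTBH_COMMUNITY = "65000:666"    # assumed blackhole community honoured by the SP DC PE
ABS_FLOOR_BYTES = 2_000_000     # never alert below this per-interval volume
K_SIGMA = 3.0                   # alert when observed > mean + K_SIGMA * stdev

def constructed_flows():
    """Constructed NetFlow-style records: (interval, dst_ip, src_ip, bytes)."""
    flows = []
    for t in range(11):
        legit = 650_000 if t % 2 == 0 else 550_000
        flows.append((t, "198.51.100.10", "203.0.113.5", legit))
        flows.append((t, "198.51.100.10", "203.0.113.6", 400_000))
        flows.append((t, "198.51.100.20", "203.0.113.9", 700_000))
    for i in range(20):  # interval 10: twenty previously unseen sources flood .10
        flows.append((10, "198.51.100.10", f"203.0.113.{100 + i}", 500_000))
    return flows

def bytes_per_interval(flows):  # dst -> interval -> total bytes (Visibility App input)
    totals = defaultdict(lambda: defaultdict(int))
    for t, dst, _src, nbytes in flows:
        totals[dst][t] += nbytes
    return totals

def build_baseline(flows, train_intervals):
    """Step 2: per-destination mean/stdev of bytes per interval plus the sources seen."""
    known = defaultdict(set)
    for t, dst, src, _ in flows:
        if t in train_intervals:
            known[dst].add(src)
    baseline = {}
    for dst, per_t in bytes_per_interval(flows).items():
        samples = [per_t.get(t, 0) for t in train_intervals]
        baseline[dst] = {"mean": mean(samples), "stdev": pstdev(samples),
                         "known_sources": known[dst]}
    return baseline

def detect_anomalies(flows, baseline, interval):
    """Steps 2-3: (dst, observed, threshold) for destinations above their baseline."""
    hits = []
    for dst, per_t in bytes_per_interval(flows).items():
        observed = per_t.get(interval, 0)
        b = baseline.get(dst)  # unseen destination: only the absolute floor can fire
        stat = b["mean"] + K_SIGMA * b["stdev"] if b else 0.0
        threshold = max(stat, ABS_FLOOR_BYTES)
        if observed > threshold:
            hits.append((dst, observed, threshold))
    return hits

def mitigation_policies(flows, baseline, victim, interval, top_n=5):
    """Step 7: IOS-style ACL lines for the top unseen sources; baseline sources are never blocked."""
    known = baseline.get(victim, {}).get("known_sources", set())
    per_src = defaultdict(int)
    for t, dst, src, nbytes in flows:
        if t == interval and dst == victim and src not in known:
            per_src[src] += nbytes
    top = sorted(per_src.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]
    return [f"deny ip host {src} host {victim}" for src, _ in top]

def handle_interval(flows, baseline, interval):
    """One pass of the slide's loop: detect, announce RTBH (step 5), push ACLs, record forensics."""
    incident = {"anomalies": detect_anomalies(flows, baseline, interval), "routes": [], "policies": [], "forensics": []}
    for dst, observed, threshold in incident["anomalies"]:
        # Destination RTBH drops everything sent to the victim /32: it protects the network, not the host.
        incident["routes"].append({"prefix": f"{dst}/32", "next_hop": DISCARD_NEXT_HOP, "community": RTBH_COMMUNITY})
        incident["policies"].extend(mitigation_policies(flows, baseline, dst, interval))
        incident["forensics"].append({"interval": interval, "victim": dst, "observed": observed, "threshold": threshold})
    return incident
```

Run `handle_interval(constructed_flows(), build_baseline(constructed_flows(), range(10)), 10)` to see the flooded host flagged, its /32 blackholed and only the new sources listed in the ACL, while the host with steady traffic stays untouched.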