Monetizing The Enterprise: Borderless Networks

The Cisco Borderless Network Architecture is the technical architecture that allows organizations to connect anyone, anywhere, anytime, and on any device - securely, reliably, and seamlessly. Learn more about an infrastructure of scalable and resilient hardware and software in this presentation.
Keywords: Service Provider, enterprise, Mobile Endpoint and CPE, Virtualized Network Edge/Data Center Edge, Cloud

Published in: Art & Photos, Technology
  • To combat these sophisticated and increasing global threats, organizations need global visibility. Cisco Security Intelligence Operations provides a global view into security events that are happening on a global basis, and provides actionable information to provide proactive control and response to threats as they emerge. Cisco has the industry’s largest threat analysis system that can deliver blended protection across attack techniques and methods. It collects and analyses data from an extensive network of sensors and devices to gather and analyse threat information and provide the context that can stop and prevent new attacks. Cisco SIO collects real-time security information from over 700,000 sensors Cisco has deployed across the globe. Information is gathered in real time across a wide spectrum of data types, including over 5 billion email messages and 3 billion web requests a day, traffic collected from Cisco security and network devices located in Cisco locations and from thousands of customers who have opted to share relevant network data, and data collected from millions of endpoint devices that have also opted in to share information. This data is fed into Cisco’s twenty global security operations centers where it is collated and processed by a series of sophisticated algorithms and then analyzed by Cisco’s team of over 500 security analysts. This information is converted into actionable information (threat vectors, mitigation responses, data integrity, source reputation, etc.) that is pushed out dynamically to Cisco customer security devices to ensure that they are providing the most critical, up-to-date protections against real threats.
This information is also provided to IT staff in the form of bulletins that provide detailed information on threats, trends, and appropriate protections and threat mitigation approaches that ought to be implemented. This data provides reputation data on email and web servers, classifies applications and web categories, and delivers this to the context-aware enforcement points across the network. So not only are the Cisco devices acting as sensors for SIO (firewall/intrusion prevention system/email/web/AnyConnect), they act as the powerful enforcement points that can block blended threats. And because SIO relies on the power of global correlation of real-time sensor data and provides timely updates, organizations are protected against new and fast-moving threats well ahead of signature-only approaches or products that do not have the depth of threat intelligence that SIO provides. The results are impressive. For example, by analyzing the sources of dangerous or malicious traffic, Cisco SIO is able to add a reputation profile to the Cisco IPS device that is analyzing traffic on the customer network. When low-level threats are detected, and that information is combined with a reputation profile of the data source which indicates that the source is highly untrustworthy, the IPS device is better able to make a decision about whether to monitor or block traffic. With SIO Global Correlation on IPS, they are able to detect and prevent twice as many threats as traditional signature-only IPS. Global Correlation also reduces the window of exposure to threats by 99% with near real-time updates to deployed IPS that help automatically filter out known bad actors while enhancing detection capabilities with the latest information on evolving threats. The addition of reputation scoring has increased the accuracy of IPS analysis by over 300%, making it the most accurate and up-to-date IPS solution in the industry.
  • This diagram is based on common industry models used by analysts and security professionals. As you can see by the elements in blue, Cisco is uniquely able to leverage both security and network devices, services, and solutions to provide a level of visibility and control simply unmatched in the industry. It is important to recognize that security is far less effective when it exists within its own vacuum, and being able to leverage endpoints and the infrastructure (including mobile devices, virtualized environments, and the cloud) to provide both actionable, context-based intelligence as well as distributed enforcement provides a powerful integrated and collaborative approach to security. This approach is perfectly suited to address the issues and concerns being faced by IT administrators today, which are not about which firewall is best, but are around: how do I control access to my network? How do I secure mobile workers? And how do I securely add new critical services such as cloud, virtualization, and collaboration tools like voice and video to my network?
  • User might be mobile, in a branch, … linking ISR G2 as a CPE
  • For example, consider a scenario during the FIFA World Cup: there might be a sudden increase in requests for video highlights from people overseas trying to follow the games.
  • Cloud Computing is application-centric. Whilst your customers talk about apps in the cloud and how to transfer workloads, it is essential to ‘talk their language’ but at the same time underpin your competitive differentiators with your assets and heritage. Your infrastructure assets such as IP NGN and Data Center will allow you to do just that.

Monetizing The Enterprise: Borderless Networks
Michael Geller – Architect, SP Chief Technology Office
Kevin Shatzkamer – Distinguished Architect, Sales
September 27, 2011

Abstract
The impact of the consumerization of IT and mobility cannot be overstated. The impact that these two key business elements have on the evolution of Enterprise Architecture and on Service Providers’ ability to offer services to Enterprises, Governments, and Consumers is addressed in this webinar. The importance of the shift and movement of the secure network edge leads to a very close examination of the changing threat vectors and vulnerabilities impacting our businesses today. Service delivery and consumption on the three “service horizons” (Mobile Endpoint and CPE, Virtualized Network Edge/Data Center Edge, and the Cloud) is detailed.

Visibility and Control
Building a Secure Infrastructure for Profitable Services
Total Visibility in all aspects of your network.
Complete Control over all traffic in the network & cloud.
Guaranteed Availability of all services.
Visibility & Posture

Multi-Tenant Access and Aggregation:
  • Session Border Controller
  • Firewall
  • IDS/IPS
  • IPSEC VPN
  • BNG (Subscriber Controls)
  • SSL VPN
  • Trust and Identity
  • Web/Content Security
  • Email Security
  • DLP

Access and Aggregation:
  • Basic infrastructure security role
  • Control Plane Security
  • Data Plane Security
  • Firewall
  • IDS/IPS
  • IPSEC VPN
  • DHCP (subscriber)
  • SSL VPN
  • Trust and Identity
  • Web/Content Security
  • Email Security

Full Service Branch:
  • Firewall
  • IDS
  • Encryption (IPSEC & SSL)
  • Trust & Identity
  • Email Security
  • Web/Content Security
  • NAC
  • WAN Optimization

CPE:
  • Firewall
  • IDS
  • IPSEC & SSL VPN
  • Host Security
  • Control Plane Security
  • Forwarding Plane Security
  • Email Security
  • Web/Content Security
  • NAC

Telstra Cloud:
  • Nexus 1kV (Netflow/VSG)
  • UCS: Software based Security Services (FW, VPN, …)
  • Nexus 7k Security Services Mod
  • vWAAS
  • Enterprise-Hosted Ironport Web/Content/Email Security/DLP
  • Scansafe Web Security
  • Identity/Policy Service Control

Service Center:
  • Remediation (quarantine)
  • Intrusion Detection/Prevention
  • VM Security & Nexus 1000V
  • Anomaly detection/Scrubbing
  • Policy Control Plane
  • Firewall & XML Firewall
  • Web/Content/Email Security

Diagram labels: Endpt/CPE; Access/Aggregation; Core; DC/Cloud; access types DSL, Cable, Fixed Wireless, Mobility, L2 Agg.; PE(s) and P routers; Internet & Peering Edge; Public, Private & Hybrid Clouds; Data Center/Cloud; Data/Service Center; Security Operations and Services (Security Monitoring & Management, VA, PT, Web Assessment & SSO, MNAC, One Time Services); Security Operations Center / Enterprise (Security Experts, SOC Processes, SOC Toolsets, SIO, Platform Telemetry, 3rd party rules and systems, Regulatory Policy & Influence).
Operator Portal Capabilities

SP Operator Portal:
  • Single pane of glass for all mgmt functions
  • White label logo and style branding
  • RBAC – Role-based access control
  • Customizable dashboard for different roles
  • Share information between SP & customers
  • Services catalogue
  • Knowledge base
  • Real-time threat dashboard
  • SLA tracking dashboard
  • Forensics
  • Historical reporting

Consolidated Views: Risk Score, Alerts, Top Ten Events, Virus & Compliance Status
Events View: Customized view based on need. More focused approach: Online Events & Forensic view
Threat Intelligence: Global Visibility

Diagram labels: SIO Global Intelligence (Researchers, Analysts, Developers; ISPs, Partners, Sensors; Applied Mitigation Bulletins); Cisco Solution sensors and enforcement points (ESA, WSA, IPS, ASA, Cisco AnyConnect).
Largest Threat Analysis System - Blended Threat Protection: 700K+ Global Sensors; 5 Billion Web Requests/Day; 35% of Global Email Traffic; Endpoint Threat Telemetry; Reputation, Spam, Malware and Web Category Analysis, and Applications Classification.
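The speaker notes for this slide describe the IPS combining a low-level signature alert with the source's SIO reputation to decide whether to monitor or block. The following is an added illustration, not Cisco's SIO or IPS code: the reputation feed, the events and the scaling rule (risk rating raised by 5 points per negative reputation point) are all constructed assumptions, and the comparison shows why the same signature yields a different verdict with and without global correlation.

```python
"""Reputation-assisted IPS verdict, modelled on the SIO Global Correlation
note for this slide. Constructed example; the feed, events and scaling are
assumptions made to illustrate the mechanism, not Cisco's algorithm."""

# Constructed reputation feed: source -> score in [-10, 10], lower is worse.
# Sources absent from the feed are treated as neutral (0).
REPUTATION = {"192.0.2.44": -9.0, "198.51.100.7": 6.0}

# Constructed IPS events: (event_id, src_ip, signature, risk_rating 0-100).
EVENTS = [
    (1, "192.0.2.44", "http-dir-traversal-probe", 40),    # low-level, bad source
    (2, "198.51.100.7", "http-dir-traversal-probe", 40),  # same sig, good source
    (3, "203.0.113.9", "http-dir-traversal-probe", 40),   # same sig, unknown source
    (4, "203.0.113.9", "sql-injection-attempt", 85),      # high rating regardless
]

BLOCK_THRESHOLD = 80    # adjusted rating at which the sensor drops the flow
MONITOR_THRESHOLD = 30  # below this the event is only logged


def adjusted_risk(risk_rating, reputation):
    """Raise the signature's risk rating for sources with a poor reputation;
    neutral and good sources keep the signature-only rating (assumed scale:
    5 points per -1 of reputation, capped at 100)."""
    if reputation >= 0:
        return risk_rating
    return min(100, risk_rating + int(-reputation * 5))


def verdict(event, reputation_feed, use_reputation=True):
    """Decide log / alert / deny for one event, optionally ignoring the feed
    to reproduce a signature-only sensor."""
    event_id, src, sig, rating = event
    rep = reputation_feed.get(src, 0.0) if use_reputation else 0.0
    score = adjusted_risk(rating, rep)
    if score >= BLOCK_THRESHOLD:
        action = "deny"
    elif score >= MONITOR_THRESHOLD:
        action = "alert"
    else:
        action = "log"
    return {"id": event_id, "src": src, "sig": sig, "score": score, "action": action}


def compare(events=EVENTS, feed=REPUTATION):
    """Count denies with and without global correlation over the same events."""
    with_rep = [verdict(e, feed) for e in events]
    sig_only = [verdict(e, feed, use_reputation=False) for e in events]
    return {
        "with_reputation": sum(v["action"] == "deny" for v in with_rep),
        "signature_only": sum(v["action"] == "deny" for v in sig_only),
        "verdicts": with_rep,
    }
```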
Security Services Delivered To The Enterprise

Diagram labels: Remote Access; Collaboration; Virtualization; Mobility; Secure Systems; Cloud; Device Forensics; Asset Mgmt; Device Security; Lock/Wipe; Zero Day; AV; Encryption; Audit; Application Security; Web Application; Coding/Hardening; Penetration; Service Mgmt.; Encryption; Content/Data Security; Email; Web; DLP; Data Gov.; Network/System Management; Identity; Alerting; Logging; Monitoring; Directories; Policy; VPN; Firewall; IDS/IPS; Network Security; APIs; Trusted System Infrastructure; Device; Compute; Storage; Network; Physical.
* Based on common industry models by Gartner, SANS Institute and various customer interviews

Anyconnect Secure Mobility (Enterprise)
Diagram labels: Branch Office; Corporate Office; IronPort WSA; ASA; Cisco Integrated Services Routers; ISE; TrustSec.
Anyconnect Secure Mobility - SP Managed

Diagram labels: Secure GW + Network + DC; Enhanced Customer Experience via End-to-End Seamless Security & Assurance; Multi-Tenant Edge Services Gateway (VPN, FW, SBC, Visibility, DPI); Web/Email Security From The Cloud (ScanSafe); AnyConnect Secure Mobility Client; Email/Web Security from the Cloud; Cloud Offering Per Customer Application Experience with SLA.

Policy + Identity:
  • Unified Anywhere+/AnyConnect
  • Simplified remote access
  • Connection and app persistence
  • Always-on VPN enforcement
  • Location-aware policy
  • Application controls
  • SaaS Access Control
  • Per User Subscription Model
  • Portal for Provisioning/Forensics

Diagram labels: AnyConnect; Cius / SmartPhone; Smart Branch; vOptimization; vLoad Balancing; HCS & IaaS.
Secure Places In The Network: Summary

Security Services:
  • Firewall & IPS
  • VPN (IPSEC & SSL)
  • Trust & Identity
  • Email Security
  • Web/Content Security
  • Anti-Malware
  • WAN Optimization
  • SBC (CUBE Ent.)
  • WaaS
  • DPI

Diagram labels: Anyconnect (Policy); Private Cloud; Mobility; Mobile Endpoint & CPE; Internet & Inter-Cloud; Virtualized Network/DC Edge; DSL; Public & Partner Cloud; SP DC/Cloud; Fixed Wireless; Cable; Security Infrastructure; Policy, Trust & Identity Services; Consumer/SoHo; Enterprise; Defense In Depth - Common ASA Code Base; SIO, SecOps (SmartOps, Tools, Ecosystem).
Secure Places In The Network: Horizon 1 – Mobile Endpoint & CPE

Security Services:
  • Firewall & IPS
  • VPN (IPSEC & SSL)
  • Trust & Identity
  • Email Security
  • Web/Content Security
  • Anti-Malware
  • WAN Optimization
  • SBC (CUBE Ent.)
  • WaaS
  • DPI

Platform/Area of Interest:
  • MDM and Partners
  • Evolution of The ISR G2
  • Connecting the CPE to the cloud
  • ASA & Identity FW
  • Ironport ESA/WSA
  • DPI & Visibility
  • Identity Services & Policy

Diagram labels: Anyconnect (Policy); Mobility; Mobile Endpoint & CPE; DSL; Fixed Wireless; Cable; Consumer/SoHo; Enterprise.
Connecting the CPE To The Cloud: Leveraging Cisco Product Multi-service Capability

Service Virtualization - UCS Express; App Visibility & Optimization (WaaS); Threat Protection Security Services

Lowering Capex / Opex for on-premise application services:
  • Mission critical on-premise application hosting
  • Integration into IaaS Service Orchestration
  • Optimized experience for the Application Consumer

End to end security service via optimized hybrid on-premise / cloud services:
  • On-Premise encryption, Firewall, intrusion protection
  • Hosted Web content protection (ScanSafe) & Email Protection …
  • Managed Identity Services

Improving end user quality of experience:
  • End to end application visibility & SLA
  • Focus on Application Optimization …
  • Security services upsell opportunity

Diagram labels: WAAS Express; Dedicated Router Module; DC + vWaaS.
Connecting the CPE To The Cloud - 2: Leveraging Cisco Product Multi-service Capability

Services Led Selling; Video; Energy Wise

Removing NOC/SOC complexity and allocation of people, process and tools – GTM acceleration:
  • SmartOps for Security – SOC BOT Models
  • SmartOps for CPE – NOC White labeling or BOT Models
  • Testing and validation

Minimize energy consumption and costs of delivered Managed Services:
  • The “Green WAN / LAN” Service
  • The “Energy Optimized” Data Center

Providing End to End Video Service insurance:
  • IPSLA Video Probe for Video SLA
  • Video Optimized ISR G2 Bundle
  • Integration of ISR G2 into Video Architectures like Telepresence
  • Optimized delivery of Video
  • ISR G2 ad-hoc video conferencing

Aspiration: Policy Governed Networks

Diagram labels: Policy Teams (Security, Business, Compliance); Policy Governed Networks; IT Systems Mgmt, Cisco Network Mgmt Policy & Rules; Centralized Policy Platform; Customer Data; Context awareness; Business Relevance; Product Bookings; MPLS; Identity Services Engine (ISE); Corporate Laptop; Visibility and Control; Full; Encrypt; Application, Context; Device, Location; Service, Context; User, Role; SalesForce.com; Centralized View; Restricted; iPad; Applications in Data Center or Cloud; ASR/ISR/ASA; Router/Switch; Central Dashboard, Reports, Measurements, Troubleshooting; Third-Party Applications.
Phased Execution: Centralized Policy Platform
Identity Services Engine (ISE)

Policy use cases (diagram labels: Security; TrustSec/ISE; CCN; VXI VDS/ISE; Branch Office):
  • Optimize Virtual Desktop Service Delivery: provide predictable quality for audio, video on virtual desktop (VDI)
  • Context-Based Security Services: prevent uncontrolled mobile devices from accessing servers with confidential information
  • Authenticated & Authorized Access: authenticate guests and provide only Internet access
  • Prioritized Branch Service Delivery: prioritize point-of-sale transactions over video (YouTube …)
  • Agile Virtual Service Delivery: move WebEx from RTP DC to SP US Cloud with Premium Service Level

Diagram elements:
  • Media Actors
  • E2E Flow Characteristics
  • Real-Time Metering
  • User
  • Device
  • Health
  • Location
  • Reputation (future)
  • Application
  • Network Services
  • Server
  • DC Resources
  • Service Level
  • Virtual Desktop
Secure Places In The Network: Horizon 2 & 3 – Network and DC Edge + DC/Cloud

Security Services:
  • Firewall & IPS
  • VPN (IPSEC & SSL)
  • Trust & Identity
  • Email Security
  • Web/Content Security
  • Anti-Malware
  • WAN Optimization
  • SBC (CUBE Ent.)
  • WaaS
  • DPI

Platform/Area of Interest-2:
  • MDDC & CCN
  • ASR 1k – Multitenancy and DC Edge
  • IOS-XE on a VM
  • Virtual Appliance + Physical Application
  • Hosted Content, Email, Web Security
  • DPI & Visibility

Platform/Area of Interest-3:
  • Nexus 1kV
  • VSG and vASA
  • IOS-XE on a VM
  • vWaaS
  • CCN & Service Orchestration
  • vESA/vWSA
  • DPI & Visibility
  • Network Proximity
  • Partner Ecosystem

Diagram labels: Private Cloud; Mobility; Internet & Inter-Cloud; Virtualized Network/DC Edge; DSL; Public & Partner Cloud; SP DC/Cloud; Fixed Wireless; Cable; Consumer/SoHo; Enterprise.
Cisco Products: Cisco VXI, Virtualized End-to-End System

Diagram labels: Virtualized Data Center; Virtualized Collaborative Workspace; Generic VDI (no support for UC or Rich Media); Desktop Virtualization Software; Cisco Clients; WAAS; Applications / Desktop OS; AnyConnect; MS Office; Hypervisor; Cisco Collaboration Applications; Cius Business Tablets; Virtualization-Aware Borderless Network; Virtual Security Gateway; Routing; ASA; Cisco Virtualization Experience Clients; Unified CM; Nexus 1000v; ACE; Thin Client Ecosystem; UCS; Quad; Storage; Compute; PoE; Switching; End-to-End Security, Management and Automation; CDN.
Borderless Network VXI Components

Access Security / Data Center / VXI Network:
  • ASA and Anyconnect provide a single secure remote access solution for a large device footprint
  • Device profiling and posture assessment using ISE ensures conformance
  • UPoE and PoE+ provide a de-cluttered and energy efficient virtual workspace
  • 802.1x based device and user authentication
  • TrustSec allows policy based access to specific applications in the Data Center
  • Unmanaged devices (BYOD) are only allowed access to specific virtual desktop pools and applications
  • DMVPN allows secure, dynamic and direct branch to branch collaboration
  • WAAS and ISR together accelerate performance

Diagram labels (Secure VXI Data Center): Remote/Home User; N1K; Internet; Anyconnect w/ Split Tunnel; Secure Display Traffic; VSG; Campus; ASA; Contractor; Finance; Data Base; Web; Cat4K; Employee; App; Dot1x/MAB; DC Network; WAAS DC; UPoE/PoE+; Branch One; DMVPN; WAE; Display Traffic; Voice/Video; ISR-G2; Branch Two; WAAS Express; McAfee MOVE-AV; Cisco ACE.
From Router to vRouter

Phase 1 – Secure Connectivity from Premise to Cloud:
  • Extend enterprise VPN infrastructure into the cloud via a cloud-based virtual VPN appliance
  • Enable secure split tunneling, bypassing expensive MPLS / private IP network backhauling
  • Provide end-to-end security – access control, DAR encryption, app/user/content visibility, IPS, web security – and unified mgmt
  • This will enable enterprises to move mission-critical data to the cloud, retain control and meet compliance requirements

Phase 2 – Networking Services from the Cloud:
  • Provide routing, switching, WAN acceleration, end-to-end security, performance monitoring, traffic prioritization/QoS, etc. via a cloud-based virtual router
  • Enables SPs and Cloud Providers to offer value-added pay-for-use services – networking, security – in a virtualized form factor to their customers
  • Enables SPs to move services away from CPE ISRs to the cloud/provider edge, minimizing/simplifying mgmt
Network Positioning System
Phase II – Distributed Placement

  1. Orchestration System requests capacity, which is available at multiple DCs
  2. Insufficient bandwidth and/or sub-optimal location to meet SLA
  3. NPS informs best location(s) / PE routers
Improves experiences, reduces operational and network costs.

Diagram labels: National Data Center (three sites); NPS; Core.
Using Security Conductor for DDoS Attack Mitigation

  1. Visibility Apps gather physical and virtual interface traffic information
  2. Visibility Apps build a network baseline and monitor for traffic anomalies
  3. In case of an anomaly, information is transferred to the Security Incident Control application
  4. Incident Control informs SECOPS
  5. Incident Control performs a RTBH using BGP route insertion at the SP DC PE router
  6. “Sinkhole” application VMs are assigned for analysis
  7. Using the Security Conductor, security mitigation policies (ACL, QoS policers, etc.) are downloaded into the network
  8. All visibility and mitigation information is sent for forensic analysis

Diagram labels: SECOPS, NETOPS; Forensics; Monitoring Info: Netflow, MIBs, Logs for Baselining, Forensics and Planning; Security Apps (Visibility, Logging & Forensics, Incident Control); Access / Aggregation Network; DC Control Point; Security Policy Conductor (Policy Engine, Capabilities Directory, Resource Manager, Dependency Tracker); IP/MPLS Network; Peering; Other SPs; CPE; RTBH configured; Sinkhole Apps activated on VMs; Attack Analysis; Attack Mitigation Policies are downloaded in all applicable routers.
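The baseline, anomaly and incident-control steps on this slide, as an added example that is not part of the original deck or of Cisco's Security Conductor: constructed NetFlow-like records are baselined per destination over the training minutes, the flood minute is flagged, and the result is a mitigation plan (victim /32 for RTBH, top-source ACL, QoS policer, forensic record) that an orchestrator would hand to the routers. Nothing is pushed to any device; the k-sigma threshold, the absolute packet floor and the five-source ACL cap are assumptions.

```python
"""Baseline -> anomaly -> incident plan, modelled on the Security Conductor
slide. Constructed example, not Cisco code: flow records are synthesised
inline and the output is a plan, nothing is sent to a router."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (minute, src_ip, dst_ip, packets). Minutes 0-9 are
# normal load toward the hosted service 203.0.113.10; minute 10 is a flood
# from 40 sources. A second, quiet destination shows the floor at work.
FLOWS = []
for minute in range(10):
    for i in range(5):
        FLOWS.append((minute, f"198.51.100.{i + 1}", "203.0.113.10", 200 + 10 * i))
for i in range(40):
    FLOWS.append((10, f"192.0.2.{i + 1}", "203.0.113.10", 5000))
FLOWS.append((10, "198.51.100.1", "203.0.113.20", 300))  # unrelated, stays quiet


def packets_per_minute(flows):
    """Steps 1-2: aggregate interface flow records into dst -> {minute: packets}."""
    series = defaultdict(lambda: defaultdict(int))
    for minute, _src, dst, pkts in flows:
        series[dst][minute] += pkts
    return series


def build_baseline(flows, train_minutes):
    """Step 2: mean and standard deviation of packets/minute per destination,
    counting a minute with no flows as zero so quiet hosts get a real baseline."""
    baseline = {}
    for dst, by_minute in packets_per_minute(flows).items():
        samples = [by_minute.get(m, 0) for m in train_minutes]
        baseline[dst] = (mean(samples), pstdev(samples))
    return baseline


def detect_anomalies(flows, baseline, minute, k=4.0, floor=1000):
    """Steps 2-3: flag destinations whose current rate is k sigma above their
    baseline; the absolute floor stops a near-idle host being flagged by jitter."""
    current = packets_per_minute(flows)
    anomalies = []
    for dst, (mu, sigma) in baseline.items():
        rate = current[dst].get(minute, 0)
        if rate > max(floor, mu + k * sigma):
            anomalies.append((dst, rate, mu))
    return anomalies


def incident_plan(flows, victim, minute, top_n=5):
    """Steps 4-8: what Incident Control hands to SECOPS and the Conductor. The
    RTBH is destination-based (victim /32 announced with a discard next hop at
    the PE), the ACL lists the loudest sources of the anomalous minute, a
    policer caps what still reaches the victim, and the record goes to forensics."""
    by_src = defaultdict(int)
    for m, src, dst, pkts in flows:
        if m == minute and dst == victim:
            by_src[src] += pkts
    top = sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)[:top_n]
    return {
        "notify": ["SECOPS"],
        "rtbh": f"{victim}/32",
        "sinkhole_vm": True,                     # copy traffic to analysis VMs
        "acl_deny_src": [src for src, _ in top],
        "policer_pps": 1000,                     # assumed QoS policer rate
        "forensics": {"victim": victim, "sources": len(by_src), "minute": minute},
    }


def run_workflow(flows=FLOWS, minute=10):
    """Train on every minute before `minute`, then plan for each anomaly found."""
    baseline = build_baseline(flows, range(minute))
    found = detect_anomalies(flows, baseline, minute)
    return [incident_plan(flows, dst, minute) for dst, _, _ in found]
```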
Cloud Security Solution Focus Mapping

  • Policy based control for ID, Data Confidentiality
  • Visibility, Forensics, Governance
  • VM-VM security, Routing policies in VM
  • vPath to stitch and control VMotion

Diagram labels: Loss of Control; Secure Cloud Services; Scansafe (SAML), DLP, Cisco ID Connect; Business Needs; Data-in-flight security; Data-at-rest security; Anyconnect: VDI/VXI; VDC, DCI (OTV), VPLS/VRF …; Services: Virtual LB, FW; Multi-tenant Reference Architecture; VN-Link, LISP, SIA tags w/HW assist, N1k, VSG; PortProfile, vNetFlow, SAN.

Putting It All Together: HCS
Unified Communications and Collaboration

Diagram labels: ESX Server (three hosts); Customer 1 through Customer 5; Pure Hosted; Remote Managed On Prem; Hybrid; Dedicated / Private Network.