Monetizing The Enterprise: Borderless Networks
The Cisco Borderless Network Architecture is the technical architecture that allows organizations to connect anyone, anywhere, anytime, and on any device - securely, reliably, and seamlessly. Learn more about an infrastructure of scalable and resilient hardware and software in this presentation.
Keywords: Service Provider, enterprise, Mobile Endpoint and CPE, Virtualized Network Edge/Data Center Edge, Cloud


Usage Rights

CC Attribution License

  • To combat these sophisticated and increasing global threats, organizations need global visibility. Cisco Security Intelligence Operations provides a global view into security events as they happen and provides actionable information for proactive control and response to threats as they emerge. Cisco has the industry’s largest threat analysis system, able to deliver blended protection across attack techniques and methods. It collects and analyzes data from an extensive network of sensors and devices to gather threat information and provide the context that can stop and prevent new attacks. Cisco SIO collects real-time security information from over 700,000 sensors Cisco has deployed across the globe. Information is gathered in real time across a wide spectrum of data types, including over 5 billion email messages and 3 billion web requests a day, traffic collected from Cisco security and network devices located in Cisco locations and from thousands of customers who have opted to share relevant network data, and data collected from millions of endpoint devices that have also opted in to share information. This data is fed into Cisco’s twenty global security operations centers, where it is collated and processed by a series of sophisticated algorithms and then analyzed by Cisco’s team of over 500 security analysts. This information is converted into actionable information (threat vectors, mitigation responses, data integrity, source reputation, etc.) that is pushed out dynamically to Cisco customer security devices to ensure that they are providing the most critical, up-to-date protections against real threats.
    This information is also provided to IT staff in the form of bulletins that give detailed information on threats, trends, and the appropriate protections and threat mitigation approaches that ought to be implemented. This data provides reputation data on email and web servers, classifies applications and web categories, and delivers this to the context-aware enforcement points across the network. So not only are the Cisco devices acting as sensors for SIO (firewall/intrusion prevention system/email/web/AnyConnect), they act as the powerful enforcement points that can block blended threats. And because SIO relies on the power of global correlation of real-time sensor data and provides timely updates, organizations are protected against new and fast-moving threats well ahead of signature-only approaches or products that do not have the depth of threat intelligence that SIO provides. The results are impressive. For example, by analyzing the sources of dangerous or malicious traffic, Cisco SIO is able to add a reputation profile to the Cisco IPS device that is analyzing traffic on the customer network. When low-level threats are detected, and that information is combined with a reputation profile of the data source which indicates that the source is highly untrustworthy, the IPS device is better able to decide whether to monitor or block the traffic. With SIO Global Correlation on IPS, customers are able to detect and prevent twice as many threats as traditional signature-only IPS. Global Correlation also reduces the window of exposure to threats by 99% with near real-time updates to deployed IPS that help automatically filter out known bad actors while enhancing detection capabilities with the latest information on evolving threats. The addition of reputation scoring has increased the accuracy of IPS analysis by over 300%, making it the most accurate and up-to-date IPS solution in the industry.
  • This diagram is based on common industry models used by analysts and security professionals. As you can see by the elements in blue, Cisco is uniquely able to leverage both security and network devices, services, and solutions to provide a level of visibility and control simply unmatched in the industry. It is important to recognize that security is far less effective when it exists within its own vacuum; being able to leverage endpoints and the infrastructure (including mobile devices, virtualized environments, and the cloud) to provide both actionable, context-based intelligence and distributed enforcement gives a powerful integrated and collaborative approach to security. This approach is perfectly suited to address the issues and concerns being faced by IT administrators today, which are not about which firewall is best but about: how do I control access to my network? How do I secure mobile workers? And how do I securely add new critical services such as cloud, virtualization, and collaboration tools like voice and video to my network?
  • User might be mobile, in a branch, … linking ISR G2 as a CPE
  • For example, consider a scenario during the FIFA World Cup. There might be a sudden increase in requests for video highlights from people overseas trying to follow the games.
  • Cloud Computing is application-centric. Whilst your customers talk about apps in the cloud and how to transfer workloads, it is essential to ‘talk their language’ but at the same time underpin your competitive differentiators with your assets and heritage. Your infrastructure assets such as IP NGN and Data Center will allow you to do just that.
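The SIO speaker note above describes how a reputation profile for the traffic source changes what an IPS does with a low-level signature hit: the same event is merely monitored when the source is neutral but blocked when the source is known to be highly untrustworthy. The following is an added example that illustrates that decision logic; it is not Cisco code, and the 0-100 severity scale, the -10..+10 reputation scale, the adjustment weights and the monitor/block thresholds are assumptions chosen for the illustration, not Cisco IPS's actual values.

```python
"""Reputation-weighted IPS decision (added illustration, not Cisco code).

Assumed scales: signature severity maps to a base rating on 0-100; source
reputation runs from -10 (known hostile) through 0 (unknown) to +10 (trusted).
Bad reputation raises the rating sharply, good reputation lowers it a little,
and the final rating is compared against assumed monitor/block thresholds.
"""
from __future__ import annotations

from dataclasses import dataclass

SEVERITY_BASE = {"low": 20, "medium": 50, "high": 80}   # assumed 0-100 scale
REPUTATION_MIN, REPUTATION_MAX = -10, 10                 # assumed range
NEGATIVE_WEIGHT = 6   # assumed: each point of bad reputation adds 6
POSITIVE_WEIGHT = 1   # assumed: each point of good reputation subtracts 1
MONITOR_THRESHOLD = 20
BLOCK_THRESHOLD = 70


@dataclass(frozen=True)
class Alert:
    src_ip: str
    signature: str
    severity: str  # "low" | "medium" | "high"


def risk_rating(alert: Alert, reputation: int) -> int:
    """Combine signature severity with source reputation into one 0-100 rating."""
    if not REPUTATION_MIN <= reputation <= REPUTATION_MAX:
        raise ValueError(f"reputation out of range: {reputation}")
    base = SEVERITY_BASE[alert.severity]
    if reputation < 0:
        adjusted = base + (-reputation) * NEGATIVE_WEIGHT
    else:
        adjusted = base - reputation * POSITIVE_WEIGHT
    return max(0, min(100, adjusted))


def decide(alert: Alert, reputation_db: dict[str, int]) -> tuple[str, int]:
    """Return (action, rating). Sources absent from the database count as neutral (0)."""
    rating = risk_rating(alert, reputation_db.get(alert.src_ip, 0))
    if rating >= BLOCK_THRESHOLD:
        return "block", rating
    if rating >= MONITOR_THRESHOLD:
        return "monitor", rating
    return "allow", rating


def triage(alerts: list[Alert], reputation_db: dict[str, int]) -> list[tuple[str, str, int]]:
    """Apply decide() to a batch; returns (src_ip, action, rating) per alert."""
    return [(a.src_ip, *decide(a, reputation_db)) for a in alerts]


# Constructed sample: the same low-severity signature from three sources whose
# reputations differ. Only the known-bad source crosses the block threshold.
SAMPLE_ALERTS = [
    Alert("203.0.113.7", "sig-example-1 (suspicious URI)", "low"),
    Alert("198.51.100.3", "sig-example-1 (suspicious URI)", "low"),
    Alert("192.0.2.40", "sig-example-1 (suspicious URI)", "low"),
]
SAMPLE_REPUTATION = {"203.0.113.7": -10, "192.0.2.40": 8}  # 198.51.100.3 is unknown

if __name__ == "__main__":
    for src, action, rating in triage(SAMPLE_ALERTS, SAMPLE_REPUTATION):
        print(f"{src:<14} rating={rating:3d} -> {action}")
```

Note that a high-severity signature from a well-reputed source still blocks in this model: positive reputation only trims the rating, so it cannot override a strong local verdict, which is the conservative choice for an enforcement point.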

Presentation Transcript

  • Monetizing The Enterprise: Borderless Networks
    Michael Geller – Architect, SP Chief Technology Office
    Kevin Shatzkamer – Distinguished Architect, Sales
    September 27, 2011
  • Abstract
    The impact of the consumerization of IT and mobility cannot be understated.  The impact that these two key business elements have on the evolution of Enterprise Architecture and for Service Provider’s ability to offer services to Enterprises, Governments, and Consumers is addressed in this webinar.  The importance of the shift and movement of the secure network edge leads to a very close examination of the changing threat vectors and vulnerabilities impacting our businesses today.  Service delivery and consumption on the three “service horizons,” (Mobile Endpoint and CPE, Virtualized Network Edge/Data Center Edge, and the Cloud) is detailed.
  • Visibility and Control
    Building a Secure Infrastructure for Profitable Services
    Total Visibility in all aspects of your network.
    Complete Control over all traffic in the network & cloud.
    Guaranteed Availability of all services.
  • Multi-Tenant Access and aggregation:
    • Session Border Controller
    • Firewall
    • IDS/IPS
    • IPSEC VPN
    • BNG (Subscriber Controls)
    • SSL VPN
    • Trust and Identity
    • Web/Content Security
    • Email Security
    • DLP
    Access and aggregation:
    • Basic infrastructure security role
    • Control Plane Security
    • Data Plane Security
    • Firewall
    • IDS/IPS
    • IPSEC VPN
    • DHCP—subscriber
    • SSL VPN
    • Trust and Identity
    • Web/Content Security
    • Email Security
    Full Service Branch
    • Firewall
    • IDS
    • Encryption (IPSEC & SSL)
    • Trust & Identity
    • Email Security
    • Web/Content Security
    • NAC
    • WAN Optimization
    CPE:
    • Firewall
    • IDS
    • IPSEC & SSL VPN
    • Host Security
    • Control Plane Security
    • Forwarding Plane Security
    • Email Security
    • Web/Content Security
    • NAC
    Visibility & Posture
    Diagram: Visibility & Posture across Endpt / CPE, ACCESS/AGGREGATION, CORE and DC/CLOUD
    Access: Mobility, DSL, Cable, Fixed Wireless; L2 Agg.; PE(s)
    Core: P routers, PE, Internet & Peering Edge
    DC/Cloud: Public, Private & Hybrid Clouds; DataCenter/Cloud; Data/Service Center
    Security Operations and Services; Security Monitoring & Management: VA, PT, Web Assessment & SSO, MNAC
    Telstra Cloud:
    • Nexus 1kV (Netflow/VSG)
    • UCS: Software based Security Services (FW, VPN, …)
    • Nexus 7k Security Services Mod
    • vWAAS
    • Enterprise-Hosted Ironport Web/Content/Email Security/DLP
    • Scansafe Web Security
    • Identity/Policy Service Control
    Service Center:
    • Remediation (quarantine)
    • Intrusion Detection/Prevention
    • VM Security & Nexus 1000V
    • Anomaly detection/Scrubbing
    • Policy Control Plane
    • Firewall & XML Firewall
    • Web/Content/Email Security
    One Time Services
    Security Operations Center
    Enterprise
    Security Experts
    SOC Processes
    SOC Toolsets
    SIO, Platform Telemetry, 3rd party rules and systems, Regulatory Policy & Influence
  • Operator Portal Capabilities
    SP Operator Portal
    • Single pane of glass for all mgmt functions
    • White label logo and style branding
    • RBAC – Role-based-access-control
    • Customizable dashboard for different roles
    • Share information between SP & customers
    • Services catalogue
    • Knowledge base
    • Real-time threat dashboard
    • SLA tracking dashboard
    • Forensic
    • Historical reporting
    Consolidated Views: Risk Score, Alerts, Top Ten Events, Virus & Compliance Status
    Events View: Customized view based on need. More focused approached: Online Events & Forensic view
  • Threat Intelligence: Global Visibility
    SIO
    GLOBAL INTELLIGENCE
    Researchers, Analysts, Developers
    ISPs, Partners, Sensors
    Researchers, Analysts, Developers
    Applied Mitigation Bulletins
    ESA
    ESA
    WSA
    IPS
    ASA
    Cisco AnyConnect
    CISCO SOLUTION
    Largest Threat Analysis System - Blended Threat Protection
    700K+ Global Sensors
    5 Billion Web Requests/Day
    35% Of Global Email Traffic
    Endpoint Threat Telemetry
    Reputation, Spam, Malware and Web Category Analysis, and Applications Classification
  • Security Services Delivered To The Enterprise
    Remote Access
    Collaboration
    Virtualization
    Mobility
    SECURE SYSTEMS
    Cloud
    DEVICE
    FORENSICS
    Asset Mgmt
    DEVICE SECURITY
    Lock/Wipe
    Zero Day
    AV
    Encryption
    AUDIT
    APPLICATION SECURITY
    Web Application
    Coding/Hardening
    Penetration
    SERVICE MGMT.
    Encryption
    CONTENT/ DATA SECURITY
    Email
    Web
    DLP
    DATA GOV.
    NETWORK/ SYSTEM MANAGEMENT
    IDENTITY
    Alerting
    Logging
    Monitoring
    Directories
    POLICY
    VPN
    Firewall
    IDS/IPS
    NETWORK SECURITY
    APIs
    TRUSTED SYSTEM
    INFRASTRUCTURE
    Device
    Compute
    Storage
    Network
    Physical
    * Based on common industry models by Gartner, SANs Institute and various customer interviews
  • Anyconnect Secure Mobility (Enterprise)
    Branch Office
    Corporate Office
    IronPort WSA
    ASA
    Cisco Integrated Services Routers
    ISE
    TrustSec
  • Secure GW + Network + DC
    Enhanced Customer Experience via End-to-End Seamless Security & Assurance
    Diagram elements (callouts 1 to 3): Multi-Tenant Edge Services Gateway (VPN, FW, SBC, Visibility, DPI); Web/Email Security From The Cloud (ScanSafe); AnyConnect Secure Mobility Client; Email/Web Security from the Cloud; Cloud Offering Per Customer Application Experience with SLA; Policy + Identity
    • Unified Anywhere+/AnyConnect
    • Simplified remote access
    • Connection and app persistence
    • Always-on VPN enforcement
    • Location-aware policy
    • Application controls
    • SaaS Access Control
    • Per User Subscription Model
    • Portal for Provisioning/Forensics
    Diagram elements: AnyConnect; Cius / SmartPhone; Smart Branch; vOptimization; vLoad Balancing; HCS & IaaS
    Anyconnect Secure Mobility-SP Mgd.
  • Security Services
    • Firewall& IPS
    • VPN (IPSEC & SSL)
    • Trust & Identity
    • Email Security
    • Web/Content Security
    • Anti-Malware
    • WAN Optimization
    • SBC (CUBE Ent.)
    • WaaS
    • DPI
    Secure Places In The Network: Summary
    Anyconnect
    (Policy)
    Private Cloud
    Mobility
    Mobile
    Endpoint &
    CPE
    Internet &
    Inter-Cloud
    Virtualized
    Network/DC
    Edge
    DSL
    Public
    & Partner Cloud
    SP
    DC/Cloud
    Fixed Wireless
    Cable
    Security Infrastructure
    Policy, Trust & Identity Services
    Consumer/SoHo
    Enterprise
    Defense In Depth - Common ASA Code Base
    SIO, SecOps (SmartOps, Tools, Ecosystem)
  • Security Services
    • Firewall& IPS
    • VPN (IPSEC & SSL)
    • Trust & Identity
    • Email Security
    • Web/Content Security
    • Anti-Malware
    • WAN Optimization
    • SBC (CUBE Ent.)
    • WaaS
    • DPI
    Platform/Area of Interest
    • MDM and Partners
    • Evolution of The ISR G2
    • Connecting the CPE to the cloud
    • ASA & Identity FW
    • Ironport ESA/WSA
    • DPI & Visibility
    • Identity Services & Policy
    Secure Places In The Network: Horizon 1: Mobile Endpoint & CPE
    Anyconnect
    (Policy)
    Mobility
    Mobile
    Endpoint &
    CPE
    DSL
    Fixed Wireless
    Cable
    Consumer/SoHo
    Enterprise
  • Connecting the CPE To The Cloud: Leveraging Cisco Product Multi-service capability
    Service Virtualization -UCS Express
    App Visibility & Optimization (WaaS)
    Threat Protection Security Services
    Lowering Capex / Opex for on premise application services
    • Mission critical on-premise application hosting
    • Integration into IaaS Service Orchestration
    • Optimized experience for the Application Consumer
    End to end security service via optimized hybrid on-premise / cloud services
    • On-Premise encryption, Firewall, intrusion protection
    • Hosted Web content protection (ScanSafe) & Email Protection …
    • Managed Identity Services
    Improving end user quality of experience
    • End to end application visibility & SLA
    • Focus on Application Optimization …
    • Security services upsell opportunity
    WAAS Express
    Dedicated Router Module
    DC + vWaaS
  • Connecting the CPE To The Cloud - 2: Leveraging Cisco Product Multi-service capability
    Services Led Selling
    Video
    Energy Wise
    Removing NOC /SOC complexity and allocation of people, process and tools –GTM acceleration
    • SmartOps for Security – SOC BOT Models
    • SmartOps for CPE – NOC White labeling or BOT Models
    • Testing and validation
    Minimize energy consumption and costs of delivered Managed Services
    • The “Green WAN / LAN” Service
    • The “Energy Optimized” Data Center
    Providing End to End Video Service insurance
    • IPSLA Video Probe for Video SLA
    • Video Optimized ISR G2 Bundle
    • Integration of ISR G2 into Video Architectures like Telepresence
    • Optimized delivery of Video
    • ISR G2 ad-hoc video conferencing
  • Aspiration: Policy Governed Networks
    Policy Teams
    Security
    Business
    Compliance
    Policy Governed Networks
    IT Systems Mgmt, Cisco Network Mgmt Policy & Rules
    Centralized Policy Platform
    Customer Data
    Context awareness
    Business Relevance
    Product Bookings
    MPLS
    Identity Services Engine (ISE)
    Corporate Laptop
    Visibility and Control
    Full
    Encrypt
    Application, Context
    Device, Location
    Service, Context
    User, Role
    SalesForce.com
    Centralized View
    Restricted
    iPad
    Applications in Data Center or Cloud
    ASR/ISR/ASA
    Router/Switch
    Central Dashboard, Reports, Measurements, Troubleshooting
    Third-Party Applications
  • Phased Execution: Centralized Policy Platform
    Identity Services Engine (ISE)
    Policy Use Case
    Security
    TrustSec, ISE
    CCN
    VXI, VDS/ISE
    Branch Office
    Optimize Virtual Desktop Service Delivery
    Provide predictable quality for audio, video on virtual desktop(VDI)
    Context-Based Security Services
    Prevent uncontrolled mobile devices from accessing servers with confidential information
    Authenticated &Authorized Access
    Authenticate Guests and
    provide only Internet access
    Prioritized Branch Service Delivery
    Prioritize point-of-sale transactions over Video (YouTube …)
    Agile Virtual Service Delivery
    Move WebEx from RTP DC to SP US Cloud with Premium Service Level
    • Media Actors
    • E2E Flow Characteristics
    • Real-Time Metering
    • User
    • Device
    • Health
    • Location
    • Reputation (future)
    • Application
    • Network Services
    • Server
    • DC Resources
    • Service Level
    • Virtual Desktop
  • Security Services
    • Firewall& IPS
    • VPN (IPSEC & SSL)
    • Trust & Identity
    • Email Security
    • Web/Content Security
    • Anti-Malware
    • WAN Optimization
    • SBC (CUBE Ent.)
    • WaaS
    • DPI
    Platform/Area of Interest-2
    • MDDC & CCN
    • ASR 1k – Multitenancy and DC Edge
    • IOS-XE on a VM
    • Virtual Appliance + Physical Application
    • Hosted Content, Email, Web Security
    • DPI & Visibility
    Platform/Area of Interest-3
    • Nexus 1kV
    • VSG and vASA
    • IOS-XE on a VM
    • vWaaS
    • CCN & Service Orchestration
    • vESA/vWSA
    • DPI & Visibility
    • Network Proximity
    • Partner Ecosystem
    Secure Places In The Network: Horizon 2&3: Network and DC Edge + DC/Cloud
    Private Cloud
    Mobility
    Internet &
    Inter-Cloud
    Virtualized
    Network/DC
    Edge
    DSL
    Public
    & Partner Cloud
    SP
    DC/Cloud
    Fixed Wireless
    Cable
    Consumer/SoHo
    Enterprise
  • Cisco Products
    Cisco VXI: Virtualized End-to-End System
    Virtualized
    Data Center
    Virtualized Collaborative Workspace
    Generic VDI
    No support for UC or Rich Media
    Desktop Virtualization Software
    Cisco Clients
    WAAS
    Applications /Desktop OS
    AnyConnect
    MS Office
    Hypervisor
    Cisco Collaboration
    Applications
    Cius Business Tablets
    Virtualization-Aware
    Borderless Network
    Virtual Security Gateway
    Routing
    ASA
    Cisco Virtualization Experience Clients
    Unified
    CM
    Nexus 1000v
    ACE
    Thin Client Ecosystem
    WAAS
    UCS
    Quad
    Storage
    Hypervisor
    Compute
    PoE
    Switching
    End-to-End Security, Management and Automation
    CDN
  • Borderless Network VXI Components
    Access Security
    Data Center
    VXI Network
    • ASA and Anyconnect provide single secure remote access solution for large device footprint
    • Device profiling and posture assessment using ISE ensures conformance
    • UPoE and PoE+ provide de-cluttered and energy efficient virtual workspace
    • 802.1x based device and user authentication
    • Trustsec allows policy based access to specific applications in Data Center
    • Unmanaged devices (BYOD) only allowed access to specific Virtual desktop pools and applications
    • DMVPN allows secure, dynamic and direct branch to branch collaboration
    • WAAS and ISR together accelerate performance
    Diagram: Secure VXI Data Center. Remote/Home User over the Internet with AnyConnect w/ Split Tunnel (Secure Display Traffic) terminating on the ASA; Campus with Cat4K, Dot1x/MAB and UPoE/PoE+; DC Network with N1K (Nexus 1000V), VSG, WAAS DC, Cisco ACE and McAfee MOVE-AV in front of the Web, App and Data Base tiers, serving Employee, Contractor and Finance roles; Branch One (ISR-G2, DMVPN, WAE; Display Traffic and Voice/Video) and Branch Two (DMVPN, WAAS Express)
  • From Router to vRouter
    Secure Connectivity from Premise to Cloud
    • Extend enterprise VPN infrastructure into cloud via cloud-based virtual VPN appliance
    • Enable secure split tunneling, bypassing expensive MPLS/ private IP network backhauling
    • Provide end-to-end security – access control, DAR encryption, app/ user/ content visibility, IPS, web security – and unified mgmt
    • This will enable enterprises to move mission-critical data to the cloud, retain control and meet compliance requirements
    PHASE 1
    Networking Services from the Cloud
    • Provide routing, switching, WAN acceleration, end-to-end security, performance monitoring, traffic prioritization/QoS, etc. via a cloud-based virtual router
    • Enables SPs and Cloud Providers to offer value-added pay-for-use services – networking, security – in a virtualized form factor to their customers
    • Enables SPs to move services away from CPE ISRs to the cloud/provider edge and to minimize/simplify mgmt
    PHASE 2
  • Network Positioning System
    Phase II – Distributed Placement
    Diagram: three National Data Centers attached to the Core, with NPS; capacity available at multiple DCs
    Callouts:
    1. Orchestration System requests capacity, available at multiple DCs
    2. Insufficient bandwidth and/or sub-optimal location to meet SLA
    3. NPS informs best location(s) / PE routers; improves experiences, reduces operational and network costs
  • Using Security Conductor for DDoS Attack Mitigation
    Diagram components: SECOPS, NETOPS; Security Apps (Visibility, Logging & Forensics, Incident Control); Access / Aggregation Network; DC Control Point; Security Policy Conductor (Policy Engine, Capabilities Directory, Resource Manager, Dependency Tracker); IP/MPLS Network; Peering with Other SPs; CPE
    Monitoring Info: Netflow, MIBs, Logs for Baselining, Forensics and Planning
    Workflow (callouts 1 to 8, in the order the slide lists the steps):
    1. Visibility Apps gather physical and virtual interface traffic information
    2. Visibility Apps build a network baseline and monitor for traffic anomalies
    3. In case of an anomaly, they transfer information to the Security Incident Control Application
    4. Incident Control Apps inform SECOPS
    5. Incident Control performs an RTBH using BGP route insertion at the SP DC PE router (RTBH configured)
    6. “Sinkhole” Apps VMs are assigned for analysis (Sinkhole Apps activated on VMs; Attack Analysis)
    7. Using the Security Conductor, security mitigation policies (ACL, QoS policers, etc.) are downloaded into the network (Attack Mitigation Policies are downloaded in all applicable routers)
    8. All Visibility and Mitigation information is sent for forensic analysis
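The DDoS mitigation slide above describes a pipeline: flow telemetry is aggregated into a baseline, a deviation from that baseline is raised as an incident, and incident control responds with a remotely triggered black hole (RTBH) route, a sinkhole for analysis and policies pushed to the routers. The following is an added example that walks through that pipeline on constructed NetFlow-style records; it is not Cisco Security Conductor code. The flow records, the anomaly rule (mean plus three standard deviations with an absolute floor), the discard next-hop, the blackhole community value and the shape of the mitigation record are all assumptions made for the illustration.

```python
"""Baseline-driven DDoS detection with an RTBH response (added illustration,
not Cisco code). Learn per-destination byte volumes over a training window,
flag a destination whose live volume exceeds the learned baseline, and emit
the mitigation record an incident-control step would hand to the network.
"""
from __future__ import annotations

from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style samples: (interval, dst_ip, bytes). Intervals 0-5
# form the learning window; interval 6 is the live interval under inspection,
# in which 192.0.2.10 receives a flood while 192.0.2.20 stays normal.
FLOWS = [
    (0, "192.0.2.10", 1_000_000), (0, "192.0.2.20", 800_000),
    (1, "192.0.2.10", 1_100_000), (1, "192.0.2.20", 780_000),
    (2, "192.0.2.10",   950_000), (2, "192.0.2.20", 820_000),
    (3, "192.0.2.10", 1_050_000), (3, "192.0.2.20", 790_000),
    (4, "192.0.2.10", 1_000_000), (4, "192.0.2.20", 810_000),
    (5, "192.0.2.10", 1_020_000), (5, "192.0.2.20", 800_000),
    (6, "192.0.2.10", 48_000_000), (6, "192.0.2.20", 815_000),
]

SIGMA_MULTIPLIER = 3.0          # assumed anomaly rule: mean + 3 sigma
MIN_FLOOR_BYTES = 500_000       # assumed floor so tiny baselines do not alert on noise
DISCARD_NEXT_HOP = "192.0.2.1"  # assumed next-hop that PEs route to a discard interface
BLACKHOLE_COMMUNITY = "65000:666"  # assumed community matched by the PE blackhole policy
POLICER_RATE_BPS = 1_000_000    # assumed rate limit pushed alongside the RTBH route


def per_dst_per_interval(flows, intervals):
    """Aggregate bytes per destination for each interval in `intervals`."""
    totals = defaultdict(lambda: defaultdict(int))
    for interval, dst, nbytes in flows:
        if interval in intervals:
            totals[dst][interval] += nbytes
    return totals


def build_baseline(flows, learn_intervals):
    """Return {dst: (mean_bytes, stdev_bytes)} over the learning window.

    Intervals with no flows for a destination count as zero, so a host that is
    usually quiet gets a low baseline rather than being skipped.
    """
    totals = per_dst_per_interval(flows, set(learn_intervals))
    baseline = {}
    for dst, by_interval in totals.items():
        series = [by_interval.get(i, 0) for i in learn_intervals]
        baseline[dst] = (mean(series), pstdev(series))
    return baseline


def detect_anomalies(flows, baseline, live_interval):
    """Destinations whose live volume exceeds max(mean + k*sigma, floor).

    A destination never seen in the learning window has baseline (0, 0) and
    is judged against the floor alone.
    """
    live = per_dst_per_interval(flows, {live_interval})
    anomalies = []
    for dst, by_interval in live.items():
        observed = by_interval[live_interval]
        mu, sigma = baseline.get(dst, (0.0, 0.0))
        threshold = max(mu + SIGMA_MULTIPLIER * sigma, MIN_FLOOR_BYTES)
        if observed > threshold:
            anomalies.append((dst, observed, round(threshold)))
    return anomalies


def rtbh_mitigation(dst_ip):
    """Mitigation record for incident control: a /32 host route tagged with the
    blackhole community (the PE sets its next-hop to discard), a coarse policer
    for the Security Conductor to push, and a sinkhole assignment for analysis.
    Structure is assumed for the example."""
    return {
        "prefix": f"{dst_ip}/32",
        "rtbh": {"next_hop": DISCARD_NEXT_HOP, "community": BLACKHOLE_COMMUNITY},
        "policer": {"rate_bps": POLICER_RATE_BPS, "exceed": "drop"},
        "sinkhole": "analysis-vm-pool",
    }


def run_pipeline(flows=FLOWS, learn_intervals=range(0, 6), live_interval=6):
    """End to end: baseline -> detect -> mitigate. Returns one action per anomaly."""
    baseline = build_baseline(flows, list(learn_intervals))
    actions = []
    for dst, observed, threshold in detect_anomalies(flows, baseline, live_interval):
        actions.append({"dst": dst, "observed": observed, "threshold": threshold,
                        **rtbh_mitigation(dst)})
    return actions


if __name__ == "__main__":
    for action in run_pipeline():
        print(action)
```

The floor matters in practice: a destination with an almost flat baseline has a standard deviation near zero, so without an absolute minimum any small fluctuation would trigger a black hole, and an RTBH route drops all traffic to the victim, so false positives are themselves a denial of service.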
  • Cloud Security solution focus: Mapping
    • Policy based control for ID, Data Confidentiality
    • Visibility, Forensics, Governance
    • VM-VM security, Routing policies in VM
    • VPATH to stitch and control VMotion
    Loss of Control
    Secure Cloud Services
    Scansafe (SAML), DLP, Cisco ID Connect
    Business Needs
    Data-in-flight security
    Data-at-rest security
    Anyconnect: VDI/VXI
    VDC, DCI (OTV), VPLS/ VRF …..
    Services: Virtual LB, FW
    Multi-tenant
    Reference Architecture
    VN-Link, LISP, SIA tags w/HW assist, N1k, VSG
    PortProfile, vNetFlow, SAN
  • Putting It All Together: HCS
    Unified Communications and Collaboration
    Diagram: ESX Servers hosting Customer 1 through Customer 5; deployment models: Pure Hosted, Remote Managed On Prem, Hybrid; Dedicated / Private Network