From Physical to Virtual to Cloud

Take a deep dive into 3 important deployment types for Cisco Security.

Published in: Technology

  • As they grow to the next level, data centers have the following security requirements to support their changing needs:
    • Scalable Security: The amount of data and transactions moving through most data centers requires ever-increasing levels of performance. Security must have the ability to scale to meet these seemingly insatiable performance requirements, while ensuring the highest levels of security.
    • Physical & Virtual: Modern-day data centers are no longer comprised solely of physical deployments. Instead, they are a mixture of physical, virtual, and cloud infrastructures, built to solve the business' specific needs. Security policies must have the ability to work consistently across hybrid environments.
    • Business Integration: While security is certainly important to data center administrators, it isn't their only concern. They must also focus on maintaining business/IT alignment and avoiding chokepoints that can degrade performance and jeopardize their SLAs. Security needs to be an integral part of the network architecture, so that it can help maintain business/IT alignment, avoid performance chokepoints, and enable business flexibility.
  • The ASA 5585-X is available at four performance levels ...
  • Now for some of the new products we're announcing today … ASA 9.0 is a major release of our core operating system, which powers the entire line of ASA security appliances.
    • One of the most significant improvements in this release is its ability to cluster up to eight of our highest performing firewall appliances to produce the fastest firewall in the world.
    • It also integrates Cisco TrustSec security group tags (SGTs); along with the Identity Firewall capabilities (for active and passive authentication) introduced in our previous release, we are the only security provider with the ability to deliver next-generation firewall capabilities at data center speeds.
    • Integrates with Cisco Cloud Web Security (formerly ScanSafe) to enable administrators to perform deep content scanning on a subset of traffic, without degrading performance.
    • IPv6 support with a minimal performance degradation from IPv4 traffic (15% vs 80% for competitors).
    • Explanation of the blue "Data Boxes":
        • 700% Higher Performance Density: ASA 5585-X delivers the performance in 2RU that Juniper requires 16RU to match … the math holds up in a clustered environment as well on the firewall side, and adds 60 Gbps IPS throughput (Juniper is limited to 10 Gbps IPS when colocated with the firewall).
        • 84% Less Power Consumption: we require less than 400 watts of power, compared to ~5100 watts with Juniper.
        • 87% Less Rack Space: this is tied to the first point; we use 1/8 the rack space.
  • The industry's first IPS that is fit to handle data center workflows: 10 Gbps in a single blade, expandable to two blades in the near future. Intelligent and context-aware for the most effective, proactive IPS in the industry.
    • Explanation of the blue "Data Boxes":
        • 400% Higher Performance Density: IPS 4520 delivers the IPS throughput in 1 blade that Juniper requires 4 blades to match …
        • 75% Less Power Consumption: due to the 1:4 hardware ratio discussed above.
        • 50% Less Rack Space: due to the fact that we can do it with a 2RU unit, vs 4RU.
  • CPU and memory for any unit within the cluster. When you click on the environment status button, you can see exactly what has failed on the specific cluster node.
  • The identity repository is AD based in phase 1 and is forward compatible with Identity Services Engine. The flow:
    • User logs into AD.
    • AD Agent retrieves IP information from AD.
    • ASA retrieves the IP-user mapping from the AD Agent.
    • Permit/Deny based on policy.
  • Technology trends such as cloud computing, proliferation of personal devices, and collaboration are enabling more efficient business practices, but they are also putting a strain on the data center and adding new security risks. As technology becomes more sophisticated, so do targeted attacks, and the resulting security breaches are far more costly. Many security breaches are caused by external forces such as hackers, organized crime and cybercriminals; internally, disgruntled employees pose a threat. Businesses must be protected from these threats. Cisco offers two key threat defense options and then supports these with Cisco's Security Intelligence Operations (SIO).
  • The Cisco ASA 1000V Cloud Firewall uses the same base ASA code that runs our physical appliances, but is optimized for virtual and cloud environments. That provides some key advantages over "virtual firewalls", which negate most of the reasons for virtualizing in the first place!
    • Consistent security across hybrid infrastructures: a single policy can span physical, virtual, and cloud.
    • Flexibility: can secure multiple ESX hosts and can span multiple virtual datacenters; supports vMotion, so applications can be moved without breaking security policies.
    • Explanation of the blue "Data Boxes":
        • Unmatched Deployment Flexibility: ASA code, i.e. consistency across hybrid infrastructure. Also, ASA 1000V supports vMotion, so when applications and workloads are moved, security policies move with them, enabling ongoing infrastructure flexibility without having to re-work security.
        • Lowest Operational Complexity: Unlike "virtual firewalls", a single instance of ASA 1000V can secure multiple ESX hosts and span multiple virtual datacenters. Also works in conjunction with Nexus 1000V and VSG (using a common management tool for all three) for an end-to-end virtual/cloud solution.
        • Enhanced Network Scalability: Rather than the ~4,000 VLANs that are possible in the physical world, Virtual Extensible LAN (VXLAN) can manage 16 million segments.
  • In a multi-tenant DC there is sometimes a need to clone a specific set of machines, i.e. a complete tenant. The clone will have the same IP addresses as the original. To avoid overlap and collision we can take advantage of the Network Address Translation (NAT) functionality that is built into the Nexus 1000V with the ASA 1000V.
  • Virtual machines are quickly brought up and down in virtual environments, and they need dynamic IP address assignment. The ASA 1000V acts as a DHCP server and allocates IP addresses when a request is received from any of the virtual machines in the tenant. When new virtual machines are instantiated they must be assigned appropriate IP addresses; the ASA 1000V's built-in DHCP capability assigns the IP and keeps those IPs in the right network segments as the policy dictates.
  • In conclusion, Cisco enables consistent security across physical, virtual, and cloud environments, with flexible, comprehensive security solutions that:
    • Maintain business/IT alignment
    • Enable one layer of security policies to work throughout your hybrid environment
    • Avoid chokepoints that can degrade performance and jeopardize SLAs
    • Deliver context-aware access control by leveraging the entire network
    … therefore, we enable security decisions to be made using the same flexibility and fluidity you employ for your network implementation decisions, for a high level of security with operational consistency.
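The identity-firewall flow in the notes above (AD logon, AD Agent learns the IP-to-user mapping, ASA pulls the mapping, policy decides per user) as an added worked example. This is not Cisco code or the ASA's actual implementation; it is a hypothetical model with constructed logon events, a constructed policy, and an invented mapping TTL, written to show why the decision depends on the freshness of the mapping and on who currently holds an address, not just on the address itself.

```python
"""Hypothetical model of an identity firewall: AD Agent logon events become an
IP -> user table, and access rules match on DOMAIN\\user instead of source IP.
All names, addresses, events and the TTL below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

# Constructed AD Agent feed: (timestamp, client IP, DOMAIN\\user) logon events.
AD_AGENT_EVENTS = [
    (1000, "10.1.1.5", "CORP\\alice"),   # HR user
    (1010, "10.1.1.9", "CORP\\bob"),     # IT Ops
    (1500, "10.1.1.5", "CORP\\carol"),   # the same IP is re-used by another user later
]


class IpUserMap:
    """What the firewall learns from the AD Agent: IP -> (user, learned_at)."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds           # assumed mapping lifetime, not an ASA default
        self._table: dict = {}

    def ingest(self, events, now: int) -> None:
        # Replay events up to 'now'; a newer logon for the same IP replaces the old user.
        for ts, ip, user in sorted(events):
            if ts <= now:
                self._table[ip_address(ip)] = (user, ts)

    def user_for(self, ip: str, now: int) -> Optional[str]:
        entry = self._table.get(ip_address(ip))
        if entry is None:
            return None
        user, learned_at = entry
        if now - learned_at > self.ttl:  # stale mapping: treat the host as unknown
            return None
        return user


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    user: Optional[str]         # "CORP\\alice", "CORP\\*" (any user of the domain), None = any
    dst: IPv4Network
    dport: Optional[int]        # None = any port


def _user_matches(pattern: Optional[str], user: Optional[str]) -> bool:
    if pattern is None:
        return True                      # rule is not user-aware
    if user is None:
        return False                     # no identity known: user rules never match
    dom, _, name = pattern.partition("\\")
    udom, _, uname = user.partition("\\")
    return dom == udom and (name == "*" or name == uname)


# Constructed policy: only alice reaches the HR database, only bob reaches the
# jump host, everything else is denied by the explicit catch-all.
POLICY = [
    Rule("permit", "CORP\\alice", ip_network("10.20.0.0/24"), 1433),
    Rule("permit", "CORP\\bob", ip_network("10.30.0.10/32"), 22),
    Rule("deny", None, ip_network("0.0.0.0/0"), None),
]


def evaluate(mapping: IpUserMap, now: int, src: str, dst: str, dport: int):
    """Return (action, user) for a flow: first matching rule wins, implicit deny otherwise."""
    user = mapping.user_for(src, now)
    for rule in POLICY:
        if _user_matches(rule.user, user) and ip_address(dst) in rule.dst \
                and (rule.dport is None or rule.dport == dport):
            return rule.action, user
    return "deny", user


def demo():
    m = IpUserMap(ttl_seconds=600)
    m.ingest(AD_AGENT_EVENTS, now=1100)
    a = evaluate(m, 1100, "10.1.1.5", "10.20.0.7", 1433)   # alice -> HR DB: permit
    b = evaluate(m, 1100, "10.1.1.9", "10.20.0.7", 1433)   # bob -> HR DB: deny
    c = evaluate(m, 1100, "10.1.1.77", "10.20.0.7", 1433)  # host with no logon: deny
    m.ingest(AD_AGENT_EVENTS, now=1600)                    # carol now holds 10.1.1.5
    d = evaluate(m, 1600, "10.1.1.5", "10.20.0.7", 1433)   # same IP, different user: deny
    e = evaluate(m, 2300, "10.1.1.9", "10.30.0.10", 22)    # bob's mapping expired: deny
    return a, b, c, d, e
```

The two cases worth noting for a defender are d and e: an address that was permitted a minute ago is denied once the agent reports a different user on it, and a mapping that has aged past its lifetime falls back to "unknown user", which the catch-all rule denies rather than silently inheriting the last known identity.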
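The two ASA 1000V notes above (cloning a whole tenant with overlapping addresses and hiding the overlap behind dynamic NAT; handing new VMs addresses via DHCP inside the tenant's own segment) as one added worked example. It is a hypothetical model, not Cisco code and not the ASA 1000V's implementation; the tenant names, the RFC 1918 inside subnet and the TEST-NET-3 global addresses are constructed, and the `TenantEdge`, `clone_tenant`, `external_view` and `without_nat` helpers are invented for the illustration.

```python
"""Hypothetical model of a firewall instance at a tenant edge: a DHCP pool for
the tenant's inside segment plus dynamic NAT into a per-tenant global pool.
Tenant names and all addresses are constructed for the example."""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple


class TenantEdge:
    def __init__(self, name: str, inside: IPv4Network, nat_pool: List[IPv4Address]):
        self.name = name
        self.inside = inside
        self.gateway = inside.network_address + 1        # the edge is the default gateway
        self.nat_pool = list(nat_pool)
        self.leases: Dict[str, IPv4Address] = {}         # vm_id -> inside address (DHCP)
        self.xlate: Dict[IPv4Address, IPv4Address] = {}  # inside -> global (dynamic NAT)

    def dhcp_offer(self, vm_id: str) -> IPv4Address:
        """Give a new VM the next free address in this tenant's own segment."""
        if vm_id in self.leases:
            return self.leases[vm_id]                    # renewal keeps the same address
        in_use = set(self.leases.values()) | {self.gateway}
        for host in self.inside.hosts():
            if host not in in_use:
                self.leases[vm_id] = host
                return host
        raise RuntimeError(f"{self.name}: DHCP pool exhausted")

    def dhcp_release(self, vm_id: str) -> None:
        """VM torn down: free its lease and any translation built on it."""
        addr = self.leases.pop(vm_id, None)
        if addr is not None:
            self.xlate.pop(addr, None)

    def translate(self, inside_ip: IPv4Address) -> IPv4Address:
        """Dynamic NAT: map an inside address to a free global address from the pool."""
        if inside_ip not in self.inside:
            raise ValueError(f"{inside_ip} is not in {self.name}'s segment {self.inside}")
        if inside_ip in self.xlate:
            return self.xlate[inside_ip]
        taken = set(self.xlate.values())
        for g in self.nat_pool:
            if g not in taken:
                self.xlate[inside_ip] = g
                return g
        raise RuntimeError(f"{self.name}: NAT pool exhausted")


def clone_tenant(src: TenantEdge, name: str, nat_pool: List[IPv4Address]) -> TenantEdge:
    """A clone keeps the original's inside subnet unchanged; only its NAT pool differs."""
    return TenantEdge(name, src.inside, nat_pool)


def external_view(edges: List[TenantEdge]) -> Dict[IPv4Address, Tuple[str, IPv4Address]]:
    """What the external network sees: global address -> (tenant, inside address).
    Raises if two tenants would present the same global address."""
    seen: Dict[IPv4Address, Tuple[str, IPv4Address]] = {}
    for e in edges:
        for inside_ip, g in e.xlate.items():
            if g in seen and seen[g] != (e.name, inside_ip):
                raise ValueError(f"collision on {g}: {seen[g]} vs {(e.name, inside_ip)}")
            seen[g] = (e.name, inside_ip)
    return seen


def without_nat(edges: List[TenantEdge]) -> Tuple[str, object]:
    """Counter-example: exposing inside addresses directly makes the clone collide."""
    seen: Dict[IPv4Address, str] = {}
    for e in edges:
        for addr in e.leases.values():
            if addr in seen and seen[addr] != e.name:
                return ("collision", str(addr))
            seen[addr] = e.name
    return ("ok", None)


def demo():
    tenant_a = TenantEdge("tenant-A", ip_network("10.10.1.0/24"),
                          [ip_address("203.0.113.10"), ip_address("203.0.113.11")])
    tenant_a2 = clone_tenant(tenant_a, "tenant-A-clone",
                             [ip_address("203.0.113.20"), ip_address("203.0.113.21")])
    vm1_a = tenant_a.dhcp_offer("vm1")      # 10.10.1.2
    vm1_a2 = tenant_a2.dhcp_offer("vm1")    # also 10.10.1.2: the clone overlaps by design
    g_a = tenant_a.translate(vm1_a)
    g_a2 = tenant_a2.translate(vm1_a2)
    return {
        "inside_overlap": vm1_a == vm1_a2,
        "global_a": str(g_a),
        "global_clone": str(g_a2),
        "distinct_outside": len(external_view([tenant_a, tenant_a2])) == 2,
        "without_nat": without_nat([tenant_a, tenant_a2]),
    }
```

The point of keeping the two instances separate is that each tenant edge owns both its lease table and its translation table: the clone can reuse every inside address, and the only thing that must be unique per tenant is the global pool, which is exactly what `external_view` checks and what `without_nat` shows breaking.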
  • Transcript

    • 1. Mike Nielsen, Senior Director Security, February 7, 2012. © 2012 Cisco and/or its affiliates. All rights reserved.
    • 2. Agenda: Cisco Data Center Technology; Physical Deployment Use Cases; Virtual and Cloud Deployment Use Cases.
    • 3. NEARLY 2000% increase in application traffic and network connections per second required for inspection by 2015. MORE THAN 50% of business-critical applications will be virtualized by 2013. Rapidly losing visibility of business-critical traffic.
    • 4. 1. vMotion moves VMs across physical ports; the network policy must follow vMotion (across racks, PODS, DCs). 2. Must view or apply network/security policy to locally switched traffic. 3. Need to maintain segregation of duties while ensuring non-disruptive operations. (Diagram labels: Port Group; Security Admin, Server Admin, Network Admin.)
    • 5. Workload comparison:
        PHYSICAL WORKLOAD: One app per server; Static; Manual provisioning.
        VIRTUAL WORKLOAD: Many apps per server; Mobile; Dynamic provisioning.
        CLOUD WORKLOAD: Multi-tenant per server; Elastic; Automated scaling.
        CONSISTENCY: Policy, Features, Security, Management (diagram: HYPERVISOR, VDC-1, VDC-2).
        Switching: Nexus 7K/5K/3K/2K | Nexus 1000V, VM-FEX.
        Security: ASA 5585, ASA SM, IPS | VSG, ASA 1000V.
        Compute: UCS for Bare Metal | UCS for Virtualized Workloads.
        * Virtual only, ** Announced.
    • 6. SCALABLE SECURITY: Security needs to scale to the transaction or throughput requirements of today's applications. PHYSICAL & VIRTUAL: Security must provide consistent policy enforcement across hybrid environments. BUSINESS CONTEXT: Security deployments must enable business agility through the unification of business and technology policies.
    • 7. Segment resources logically and physically by tenant or risk class. Ensure maximum CPU utilization and VM mobility.
    • 8. Firewall Segmentation: Stateful/reflective ACL; Multi-context; VPN. Fabric Segmentation: UCS Fabric Interconnect. TrustSec Context-Aware Segmentation: Security Group Tags (SGT); Security Exchange Protocol (SXP); Security Group ACL. Network Segmentation: Physical; Virtual (VLAN, VRF); Virtualized (Zones).
    • 9. (Section divider slide.)
    • 10. ASA Firewall at Data Center Speeds (chart; each model carries two figures, plotted against the Campus and Data Center labels):
        ASA 5585-SSP60: 80 / 40 Gbps firewall; 20 / 10 MM connections; 700,000 / 350,000 CPS.
        ASA 5585-SSP40: 40 / 20 Gbps firewall; 8 / 4 MM connections; 400,000 / 200,000 CPS.
        ASA 5585-SSP20: 20 / 10 Gbps firewall; 4 / 2 MM connections; 250,000 / 125,000 CPS.
        ASA 5585-SSP10: 8 / 4 Gbps firewall; 2 / 1 MM connections; 100,000 / 50,000 CPS.
        ASA Services Module: 80 / 20 Gbps firewall; 40 / 10 MM connections; 1.2 MM / 300,000 CPS.
    • 11. Assured Protection for High-performance Data Centers. Next-generation firewall at data center speeds: Clusters managed as a single logical device; 320 Gbps firewall & 80 Gbps IPS throughput; 1 million connections per second; 50 million concurrent sessions; Pay as you grow. Integrated identity, content and application security. Fully IPv6 compliant for the coming wave of mobile application access. (Data boxes: 700% Higher Performance Density; 84% Less Power Consumption; 87% Less Rack Space.)
    • 12. Assured Protection for High-performance Data Centers. Highest IPS performance density: 10 Gbps IPS throughput; 100,000 connections per second; Expandable 2RU chassis. Context-aware attacker, victim, and attack visibility. Backed by Cisco Security Intelligence Operation (SIO) for the highest level of attack identification and mitigation. (Data boxes: 400% Higher Performance Density; 75% Less Power Consumption; 50% Less Rack Space.)
    • 13. Cisco® ASA 5585-X v9.0 with Clustering Capability*: Two to eight ASAs supported per cluster (same model and DRAM); Both routed (L3) and transparent (L2) firewall modes supported; Cluster performance = 60-70 percent of combined throughput and connections (traffic-dependent). ASA Clustering at Control Plane: One master syncs configuration to all members; Minimum one cluster control interface for the cluster control plane; Site-to-site VPN support. Not supported in cluster mode: SSL/IPsec RA VPN, VPN LB, Botnet Traffic Filter, DHCP capabilities, WCCP, Unified Communications features, ASA-CX SSP, specific application inspections. * Clustering is supported on ASA 5585, 5580 and ASA SM. (Diagram: ASA Clustering at Data Plane.)
    • 14. Cisco Catalyst® 6500 as Services Switch: ASA SM for Catalyst 6500; EtherChannel integration with Cisco Nexus® 7K/vPC; 6500 supports Link Aggregation Control Protocol (LACP), IEEE 802.3ad standard; Traffic forwarded using service-specific VLANs; Each port-channel supports up to eight active and eight standby links.
    • 15. System Dashboard (screenshot).
    • 16. Integrated Identity Security (diagram: Context, AAA, Directory, Infrastructure, Agent; users Mark and John; Data Center and Cloud, DMZ; AnyConnect, IDFW, ASA Identity Firewall).
    • 17. AD/LDAP Identity (NTLM, Kerberos): Non-auth-aware apps; Any platform; AD/LDAP credential. TrustSec Network Identity: Secure Group Tags on ASA. User Authentication (IP Surrogate, AD Agent): Auth-aware apps; Mac, Windows, Linux; AD/LDAP user credential.
    • 18. TrustSec lets you define policy in meaningful business terms: Context Classification feeds Business Policy (TAG = Security Group Tag). Policy matrix: Destinations HR Database, Prod CRM, Storage; Sources VD HR Users, VPN HR User, IT Ops, Test Server (Test-ACL). Distributed Enforcement in DC: ASA, DC Switch. Filtering Physical and Virtual Servers in Data Center.
    • 19. Integrated Identity Security (diagram: SGT (6) mktg-servers; SGT (9) HR-servers; ISE; SGT=06 packet, SGT=09 packet; Security Xchange Protocol).
    • 20. Users assigned with a security group tag; Contextual access control is now possible; Cisco Nexus® 7000 enforces group policy at the DC edge; Cisco® ASA 5585-X v9.0 supports SXP security group tags in policy; Example usage: access to VDI service in DC.
    • 21. Delivers protections months ahead of the threat. Cisco SIO inputs: WWW, Email, Devices, Networks, Endpoints; IPS, Web (CWS), AnyConnect, ESA, ASA, WSA. Zero-day detection; Reputation-based protection; Visibility, Control, Actions, Information; Consistent enforcement. Figures: 1.6M global sensors; 3 to 5 minute updates; 75TB data received per day; 5,500+ IPS signatures produced; 150M+ deployed endpoints; 8M+ rules per day; 35% worldwide email traffic; 200+ parameters tracked; 13B web requests; 70+ publications produced.
    • 22. Proving SIO - Global Correlation White Paper: http://www.cisco.com/en/US/products/ps12156/prod_white_papers_list.html. Figure 4. Sensor at Industrial Supplies Distributor (IND-2); Figure 2. Sensor at Bank (BNK-1). (Slide marked Cisco Confidential.)
    • 23. (Section divider slide.)
    • 24. Unified Firewall Policies in Virtual and Cloud Environments. Consistent Policies: Common ASA configuration for physical, virtual and cloud deployments. VM Firewall Scalability: Single instance secures up to 64 ESX hosts; Limitless VMs for SP and Enterprise. Unified Fabric Security: Integrates with the Nexus 1000V Series switch; Complements zone-based security capabilities of the Cisco Virtual Security Gateway. (Data boxes: Unmatched Deployment Flexibility; Lowest Operational Complexity; Enhanced Network Scalability.)
    • 25. Features and Capabilities: Built using Cisco ASA infrastructure; Interoperability with Cisco VSG through service chaining; VXLAN gateway; Multi-tenant management through Cisco VNMC; IPsec VPN (site to site); NAT; DHCP; Default gateway; Static routing; Stateful inspection; IP audit.
    • 26. Zone 1 / Zone 2: The zones used define policy enforcement; Unique policies and traffic decisions applied to each zone; Physical infrastructure mapped to virtual context per zone: VRF, Virtual context; Merging physical and virtual infrastructure. (Diagram: Steer VM traffic; vPath, Virtual Switch, vSphere; Segment pools of blade resources per zone.)
    • 27. VSG: Zone-based intratenant segmentation of VMs. Cisco ASA 1000V®: Ingress/egress multitenant edge deployment. (Diagram: Cisco Nexus 1000V®, Virtual Service Nodes, vPath, Hypervisor, vCenter, Nexus 1KV, VNMC; Server Admin, Network Admin, Security Admin.)
    • 28. Virtual Security Gateway: Zone Firewall for Cisco Nexus® 1000V: Control inter-VM traffic to address a new blind spot; Support dynamic VM provisioning; Transparent VM mobility enforcement; Policy-based VLAN-agnostic operation; Administrative separation of duties: server, network, and security. (Diagram: VM-to-VM traffic between App/OS stacks.)
    • 29. SECURING VM-VM TRAFFIC. (Diagram: Aggregation; ERSPAN DST; IDS ID:1 Virtual Sensor 1; IDS ID:2 Virtual Sensor 2; Zone B, Zone C; VDC, vApp, VSG, vPath, Cisco® Nexus 1000V, vSphere.) Nexus 1000V ERSPAN configuration shown on the slide:
        monitor session 1 type erspan-source
          description N1k ERSPAN – session 1
        monitor session 3 type erspan-destination
          description N1k ERSPAN to IDS Virtual Sensor 1
        monitor session 2 type erspan-source
          description N1k ERSPAN – session 2
        monitor session 4 type erspan-destination
          description N1k ERSPAN to IDS Virtual Sensor 2
    • 30. Tenant A and Tenant A' (clone): each tenant's VM 1, VM 2, VM 3 sit behind an ASA 1000V on the virtualized servers, facing the External Network. Multizone tenant cloning while keeping overlapping IP addresses; Isolate overlapping IPs with dynamic Network Address Translation (NAT) while connected to the external network.
    • 31. Proven Cisco Security…Virtualized: Physical – virtual consistency. Collaborative Security Model: VSG for intra-tenant secure zones; ASA 1000V for tenant edge controls. Seamless Integration: With Nexus 1000V & vPath. Scales with Cloud Demand: Multi-instance deployment for horizontal scale-out deployment. (Diagram: vCenter, Virtual Network Management Center (VNMC), Tenant A, Tenant B, VDC, vApp, VSG, ASA 1000V, vPath, Nexus 1000V, Hypervisor.)
    • 32. Tenant A and Tenant B: VMs behind an ASA 1000V on the virtualized servers. VMs are quickly brought up and down in virtual environments; ASA 1000V DHCP capability used to assign dynamic IPs to new VMs.
    • 33. Cisco Validated Designs: Physical Data Center: DC Security. Virtual Data Center: Virtualized Multiservice Data Center (VMDC).
    • 34. End-to-End Security for Hybrid Infrastructure. Physical (Physical Appliances and Modules): Cisco Multi-Scale™ data center-class Cisco® ASA devices: Cisco ASA 5585-X Series, Cisco Catalyst® 6500 ASA Services Module. Scalable in-line performance; Data center-edge security policies; Flexible deployment options. Virtual and Cloud (Cloud Firewall): Enhanced cloud security: Cisco VSG, Cisco ASA 1000V Cloud Firewall. Proven firewall to secure your cloud; Policies specific to the tenant edge to the virtual machine; Automated, policy-based provisioning.
    • 35. Always-on security that is integrated into the network fabric; End-to-end security solutions for physical and virtual environments; Context-aware security to differentiate risk from random; Services to enable pervasive security across the infrastructure, within, and between clouds. (Diagram: Physical, Virtual, Cloud.)
    • 36. Thank you.