Data center webinar_v2_1


Published on

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Data center webinar_v2_1

  1. 1. Securing the Data Center Matt Robertson - Lancope Technical Marketing Engineer David Anderson – Cisco Principal Solution Architect, Data Center Security
  2. 2. Defending Against Humans
  3. 3. Evolution of Cyber Conflict War Dialing, Phone Phreaking … Manual Attacks (1980s) Viruses, Worms … Mechanized Attacks (1988) Google, RSA … Talented Human / Mechanized Attackers (2009) Cyrptocurrency Ransoms, Store-bought Credentials ... DIY Human / Mechanized Attackers (2011) Intelligence Driven Human Defenders Manual Defenses Unplug Mechanized Defenses Firewall, IDS/IPS Targeted Human/Mechanized DefendersReputation, App-aware FirewallAPT, Multi-Step Attacks… Target, Neiman Marcus …
  4. 4. Security Buckets Segmentation • Establish boundaries: network, compute, virtual • Enforce policy by functions, devices, organizations, compliance • Control and prevent unauthorized access to networks, resources, applications Threat Defense • Stop internal and external attacks and interruption of services • Patrol zone and edge boundaries • Control information access and usage, prevent data loss and data modification Visibility • Provide transparency to usage • Apply business context to network activity • Simplify operations and compliance reporting
  5. 5. Internet Partners Application Software Virtual Machines VSwitch Access Aggregation and Services Core Edge IP-NGN Backbone Storage and SAN Compute IP-NGN Application Control (SLB+) Service Control Firewall Services Virtual Device Contexts Fibre Channel Forwarding Fabric Extension Fabric-Hosted Storage Virtualization Storage Media Encryption Virtual Contexts for FW & SLB Port Profiles & VN- Link Port Profiles & VN-Link Line-Rate NetFlow Virtual Device Contexts Secure Domain Routing Service Profiles Virtual Machine Optimization Virtual Firewall Edge and VM Intrusion Detection PhysicalVirtual Security As A System Unified Policy
  6. 6. UCSVirtual AccessStorage Data Center Security Control Framework Multi-Layer, Distributed Model Data Center Core Layer DC Service Layer DC Access Layer Services • Initial filter for DC ingress and egress traffic. Virtual Context used to split polices for server-to-server filtering • Additional firewall services for server farm specific protection Infrastructure Security • Infrastructure Security features are enabled to protect device, traffic plane and control plane • 802.1ae and vPC provides internal/external separation Services • IPS/IDS provide traffic analysis and forensics • Network Analysis provide traffic monitoring and data analysis • Server load balancing masks servers and applicationsData security authenticate & access control Port security authentication, QoS features Virtual Firewall Real-time Monitoring Firewall Rules ACLs, Port Security, VN Tag, Netflow, ERSPAN, QoS, CoPP, DHCP snooping Security Management • Visibility • Event correlation, syslog, centralized authentication • Forensics • Anomaly detection • Compliance AD, ASDM CSM, VNMC, ACS DC Aggregation Layer
  7. 7. Visibility Challenges in the Data Center High value assets and data Large, high volume throughput Multiple layers and levels of communication Virtual hosts
  8. 8. NetFlow 8 port 1024 port 80 eth0/1 eth0/2 Start Time Interface Src IP Src Port Dest IP Dest Port Proto Pkts Sent Bytes Sent TCP Flags 10:20:12.221 eth0/1 1024 80 TCP 5 1025 SYN,ACK,PSH 10:20:12.871 eth0/2 80 1024 TCP 17 28712 SYN,ACK,FIN Start Time Interface Src IP Src Port Dest IP Dest Port Proto Pkts Sent Bytes Sent TCP Flags 10:20:12.221 eth0/1 1024 80 TCP 5 1025 SYN,ACK,PSH
  9. 9. Network Devices StealthWatch FlowCollector StealthWatch Management Console NetFlow Users/Devices Cisco ISE NBAR NSEL StealthWatch Solution Components StealthWatch FlowSensor StealthWatch FlowSensor VE NetFlow StealthWatch FlowReplicator Other tools/collectors
  10. 10. 10 Behavior Based Analysis
  11. 11. Behavior-Based Attack Detection High Concern Index indicates a significant number of suspicious events that deviate from established baselines
  12. 12. StealthWatch: Alarms 12 Alarms • Indicate significant behavior changes and policy violations • Known and unknown attacks generate alarms • Activity that falls outside the baseline, acceptable behavior or established policies
  13. 13. 13© 2013 Lancope, Inc. All rights reserved. Suspect Data Hoarding Unusually large amount of data inbound from other hosts Default Policy
  14. 14. 14© 2013 Lancope, Inc. All rights reserved. Target Data Hoarding Unusually large amount of data outbound from a host to multiple hosts Default Policy
  15. 15. Custom Security Events Time range Object conditions Peer conditions Connection conditions
  16. 16. Custom Security Events High Level Use cases: • Check policy • Check for known bad conditions Examples: • IOC specific to environment • Audit compliance (ex. Users to PCI servers) • VM-to-VM communication • Inappropriate access or applications
  17. 17. 17 Cisco Cyber Threat Defense Solution for the Data Center Design
  18. 18. About this section
  19. 19. CTD Data Center Validated Architecture Nexus 1000v Nexus 7000 StealthWatch FlowCollector StealthWatch Management Console https NetFlow Cisco NGACisco NGA Cisco ASA SPAN SPAN
  20. 20. Edge: ASA 20 NetFlow Security Event Logging: • Provides visualization into policy enforcement points Monitor communication between branches • Efficient event reporting mechanism: • Syslog - Verbose, text based, single event per packet: ~30% processing overhead • NetFlow - Compact, binary, multiple events per packet: ~7-10% processing overhead • Context rich: • Event driven: Flow Created, Denied, tear-down • Network Address Translations • User-ID
  21. 21. ASA NSEL Configuration 21 ! flow-export destination management <ip-address> 2055 ! policy-map global_policy class class-default flow-export event-type all destination <ip-address> ! flow-export template timeout-rate 2 logging flow-export syslogs disable !
  22. 22. ASA Flow Table 22 Inside local Outside global Server User
  23. 23. Core: Nexus 7000 & NGA 23 Nexus 7000 Cisco NGA SPAN NetFlow Generation Appliance: • 4x10 G monitoring interfaces • Non-performance impacting 1:1 NetFlow generation • NetFlow version 5, 9 and IPFIX • 80M Active Flow Cache • 200K NetFlow record export per sec
  24. 24. Nexus 7004 Configuration 24 ! interface port-channel8 description <<** NGA SPAN PORTS **>> switchport mode trunk switchport monitor ! monitor session 1 description SPAN ASA Data Traffic from Po20 source interface port-channel20 rx destination interface port-channel8 no shut
  25. 25. NGA Config 25
  26. 26. Alternative: Physical FlowSensor 26 Nexus 7000 StealthWatch FlowSensor SPAN StealthWatch FlowSensor • Multiple hardware platforms up to 20 Gbps throughout • Non-performance impacting 1:1 NetFlow generation • Recognition of over 900 Applications • URL capture • Additional statistics: • Server Response Time • Round Trip Time
  27. 27. Access: Nexus 1000v 27 Nexus 1000v Nexus 1000v: • NetFlow as close to access as possible: complete visibility • Visibility into VM-to-VM communication (across the 1000v) • Up to 256 NetFlow interfaces; one flow monitor per interface, per direction • Cache: 256 to 16384 entries - default is 4096.
  28. 28. Nexus 1000v NetFlow Config 28 feature netflow ! flow exporter nf-export-1 description <<** SEA Lancope Flow Collector **>> destination use-vrf management transport udp 2055 source mgmt0 version 9 option exporter-stats timeout 300 option interface-table timeout 300 ! flow monitor sea-enclaves record netflow-original exporter nf-export-1 timeout active 60 timeout inactive 15 ! port-profile type vethernet enc1-3001 ip flow monitor sea-enclaves input
  29. 29. 29 Optional: StealthWatch FlowSensor VE capture SERVICE CONSOLEVM VM lightweight packet capture and IPFIX generation Visibility & Context: • Flow records include: • VM name • VM server name • VM State • vMotion aware • Host Profiled in terms of VM name • Application, SRT, RRT (same as physical)
  30. 30. 30 FlowSensor VE: VM Visbility
  31. 31. 31 FlowSensor VE: VM Visbility Provide VM-to-VM Policy Monitoring within the same VMware server
  32. 32. Summary 32 More Information: • • • NetFlow and the Lancope StealthWatch System provide actionable security intelligence in data centers Visibility into Data Center traffic has historically been difficult
  33. 33. THANK YOU 33© 2013 Lancope, Inc. All rights reserved.