Cisco connect montreal 2018 secure dc

Security: Data Center Security

Published in: Technology

  1. Cisco Connect Montreal, Canada, 20 November 2018. "Global vision. Local knowledge."
  2. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. Welcome!!
  3. Benjamin Rossignol, Cybersecurity Systems Engineer, CCIE #23791, November 2018: Cisco's Architectural Approach to Next-Generation Datacenter Security.
  4. Percentage of the security team's time: 47% servers, 29% customer data, 23% endpoints. 76% of the security team's time is spent on security in the data center.
  5. Roadblocks to Security Success (session PSOSEC-2559):
     • More than half of attacks result in damages over $500k
     • More devices and greater threat complexity
     • Budget constraints and lack of trained personnel
     • Security product overload! Nearly half of the security risk organizations face stems from having multiple security vendors and products. Of organizations using 1 to 5 vendors, 28 percent said they had to manage public scrutiny after a breach; that number rose to 80 percent for organizations using more than 50 vendors. (Cisco 2018 Security Capability Benchmark Study)
  6. Data Center Security... It Takes an Architecture! Three pillars: threat protection ("Stop the breach"), segmentation ("Reduce the attack surface") and visibility ("See everything"), supported by Talos threat intelligence, intent-based automation and analytics.
  7. Building a True Data Center Security Architecture (section title).
  8. Cisco Datacenter Security Solutions, focus areas:
     • Visibility: network and application analytics (Stealthwatch, Tetration)
     • Threat prevention: stop attacks and malware (NGFW/NGIPS, Advanced Malware Protection (AMP))
     • Segmentation: firewall and access control (NGFW, ACI and Tetration)
     • Integrated: policy orchestration (FMC and CloudCenter; APIC and ISE)
  9. Architecture: an integrated portfolio of best-of-breed products.
  10. It Takes an Integrated Architecture. Components: analytics (Stealthwatch, Tetration); advanced malware protection; policy and access (ISE, NGFW, Tetration, ACI); NGFW/NGIPS threat protection; management (CloudCenter, APIC, FMC, Tetration). They are tied together by pxGrid, Security Group Tags / EPGs, APIs, intel sharing and automation, and map onto the visibility, segmentation and threat protection pillars.
  11. © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public. Integration diagram. Infrastructure and devices: ISE, switches, routers, wireless, endpoints, IoT, phones, printers. Security platforms: WSA, ESA, FMC, SMC, AMP/TG, Umbrella, CTA, SIEM, VMC. Cloud services: Talos. Legend of integration channels: pxGrid, AMP/TG API, Firepower API, syslog, Talos API, generic API, RADIUS, NetFlow, DNS and network protocols.
  12. Data Centers are Changing, Cisco Security Grows with You: from the traditional data center, to virtualization and cloud, to Application Centric Infrastructure (ACI fabric).
  13. Segmentation (section title).
  14. "I have no idea what my segmentation policy needs to be at any given time!"
  15. How well do you understand your applications? [Flowchart: Existing ACL? -> Accurate? -> Tested? -> Trusted?; each "No" leads to Review, and even the all-"Yes" path ends at "It's already out of date".] Conclusion: an application-relevant policy requires performing application dependency mapping.
  16. Cisco Tetration Connection Manager: Automated Security Policy Recommendation.
     • Step 1: Application behavior analysis. Collect application conversations and conversation details / process bindings.
     • Step 2: Auto-generation of whitelist policies. The recommendation identifies application intent and generates 4-tuple policies.
     • Export into Cisco solutions: export in JSON, XML and YAML; import into ACI, ASA and NGFW.
  17. Automated Policy Discovery, Audit and Enforcement (Tetration and ASA): zero-trust enforcement on ASA, Tetration-to-ASA policy conversion, lifecycle ACL management and ACL audit.
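The discovery-and-audit loop of slides 15 to 17 (collapse observed application conversations into 4-tuple whitelist rules, then audit the ACL already deployed against them) as an added Python example; this is not Cisco or Tetration code, and the conversations, ACL entries and JSON shape are constructed for illustration.

```python
# Added example (not Tetration or Cisco code): derive a 4-tuple whitelist
# from observed application conversations and audit an existing ACL against it.
import json
from collections import Counter, namedtuple

# A 4-tuple: source group, destination group, protocol, destination port.
Rule = namedtuple("Rule", "src dst proto port")

# Constructed sample: conversations a workload sensor might report for a
# three-tier application (duplicates represent repeated observations).
OBSERVED = [
    Rule("web", "app", "tcp", 8080), Rule("web", "app", "tcp", 8080),
    Rule("app", "db", "tcp", 3306), Rule("app", "db", "tcp", 3306),
    Rule("app", "db", "tcp", 3306),
    Rule("app", "ntp", "udp", 123),      # seen once: occasional maintenance traffic
]

# Constructed sample: the ACL currently deployed on the firewall.
EXISTING_ACL = [
    Rule("web", "app", "tcp", 8080),
    Rule("web", "db", "tcp", 3306),      # never observed: a lateral path left open
    Rule("app", "db", "tcp", 3306),
]

def recommend_whitelist(flows, min_count=1):
    """Collapse conversations into unique 4-tuples and keep those observed at
    least min_count times, so one-off flows do not become permanent rules."""
    counts = Counter(flows)
    return sorted(rule for rule, n in counts.items() if n >= min_count)

def audit_acl(acl, whitelist):
    """stale: permitted by the ACL but never observed (candidates for removal);
    missing: observed but not permitted (would break once enforced)."""
    acl_set, wl_set = set(acl), set(whitelist)
    return {"stale": sorted(acl_set - wl_set), "missing": sorted(wl_set - acl_set)}

def export_json(whitelist):
    """Serialize the recommended policy; the field layout is assumed here and
    is not Tetration's export schema."""
    return json.dumps([rule._asdict() for rule in whitelist], indent=2)

if __name__ == "__main__":
    wl = recommend_whitelist(OBSERVED)
    print(export_json(wl))
    print(audit_acl(EXISTING_ACL, wl))
```

Raising min_count trades noise reduction for coverage: at min_count=2 the NTP flow drops out of the whitelist, so it would also disappear from the "missing" report.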
  18. Cisco Tetration Offerings:
     • Software only (NEW): VM virtual appliance; runs in the DC, Amazon or Azure.
     • On-prem: 3-server platform; turnkey Hadoop appliances; software and hardware sensors; highest performance.
     • SaaS (NEW): Tetration as a Service; Cisco hosted and managed; for cloud-first customers.
     • Sizing ranges shown on the slide: 100 to 1000 workloads and 1K to 25K+ workloads.
  19. Segmentation layers: NGFW for north/south traffic; ACI for coarse-grain east/west (e.g. Web EPG to Database EPG); Tetration for fine-grain east/west, a.k.a. micro-segmentation.
  20. FTD FI Device Package Version 1.0.3. APIC configures FMC 6.2.3 using REST APIs to manage pre-registered FTD devices in stand-alone, HA or cluster mode. APIC configures the following features:
     • Interfaces in routed, switched or inline mode. Defines VLAN sub-interfaces (including port-channels) for routed and transparent firewall mode, including IRB. Static routes can be added under interface configuration.
     • Security zones, interface names and inline sets, as specified in function profile parameters. FMC names are prefixed with the APIC tenant and registered FTD device name. The EPG learning feature is supported with FMC.
     • Assignment of the security zones to pre-configured ACP rule(s).
  21. FTD FI Device Package for ACI (hybrid service manager model). Policy creation: the security admin uses FMC (6.2 GUI or API) to create an appropriate policy. Fabric insertion: the network admin uses APIC to program fabric insertion of FTD as a managed service graph; APIC imports the FTD device package to program FMC. The Firepower NGFW (FTD 6.2.3 image) is registered to FMC, and the security team configures it via FMC.
  22. Data Center Security Working Together: diagram of CloudCenter, Tetration, ISE, AMP and FMC; the App EPG and DB EPG each carry a Tetration sensor and AMP; FTD sits between external and internal.
  23. Simplifying Security Orchestration:
     • CloudCenter: automated workload deployment; hybrid cloud
     • ACI: deploy EPG and contract; deploy service graph
     • Security solutions: deploy AMP for Endpoints; deploy Tetration software sensor; deploy ASA firewall
  24. Consistent access policy from users to servers: ISE/TrustSec (pxGrid), ACI/Endpoint Group (contextual awareness), NGFW (group-based policy).
  25. From Campus to Data Center: policy plane integration between the TrustSec policy domain (user, switch, routers, ASR 1K, firewall; SGT over Ethernet on the LAN, IPsec / DMVPN / GETVPN / SXP across the WAN) and the ACI policy domain (APIC, Nexus 9000 spine and leaf, firewall, servers). Classification: ISE creates matching SGTs for EPGs; ISE and APIC exchange IP-SGT/EPG name bindings; IP-ClassId and VNI bindings; IP-Security Group bindings are exchanged with the network. Cisco ISE manages Security Groups and Cisco APIC-DC manages End Point Groups (ACI: Application Centric Infrastructure).
  26. Advanced Threat Protection (section title).
  27. Mitigating threats, risks and vulnerabilities: datacenter architecture diagram with a users zone, server zone 1, server zone 2, the outside world / business partners, a perimeter firewall and segments hosting applications and services.
  28. The Need for Advanced Threat Protection (TECDCT-2609): diagram contrasting segmentation with the threat.
  29. Cisco Advanced Threat solutions (TECDCT-2609):
     • Umbrella: DNS security; command-and-control and malware blocking; content control
     • NGFW/NGIPS: protection against exploitation of app vulnerabilities; impact assessment and IoC; auto-tuning of policy
     • AMP: file-based malware protection; sandboxing to find zero-day malware; retrospective remediation of malware
  30. Cisco: Undisputed Leader in Stopping Threats Fast. [Chart with an efficacy axis and a time axis; the percentages on the slide carry no readable labels.]
  31. What is a Quarantine?
  32. Rapid Threat Containment (RTC): protect critical data by stopping attacks faster, based on real-time threat intelligence.
     • Problem: initial compromise, infection spread, data hoarding, data exfiltration, monetize theft; time from initial compromise to detection is 100 to 200 days.
     • Solution: sensors (AMP, NGIPS, ASA with FirePOWER) report to FMC; FMC requests an EPS quarantine over pxGrid; ISE issues a CoA and TrustSec segmentation isolates the host. Containment in minutes.
  33. Firepower Remediation Subsystem Components.
  34. Tetration Inventory: contextual visibility and policy. An app server (10.66.237.5) is enriched with context from ISE/pxGrid, CMDB CI, IPAM/DNS, hypervisor/cloud, the security ecosystem and the network. ISE integration via pxGrid is in beta.
  35. Multi-layered threat prevention architecture in action:
     • NGFW/NGIPS: command and control prevention; rapid threat containment
     • Tetration: Tetration software sensor enforcement; automation from NGFW to Tetration
     • AMP: zero-day protection; malware protection from network, to endpoint, to cloud
  36. Rapid threat containment with ACI micro-segmentation:
     • NGFW/NGIPS: indicators of compromise; rapid threat containment
     • ACI: micro-segmentation/uEPG; automation from NGFW to APIC
     • AMP: network AMP; malware protection from network, to endpoint, to cloud
  37. FMC to APIC Rapid Threat Containment (FMC Remediation Module for APIC):
     • Step 1: An infected end point (App1 in the App EPG) launches an attack; NGFW(v), FirePOWER Services in ASA, or a FirePOWER appliance blocks the attack.
     • Step 2: An event is generated to FMC about an attack blocked from the infected host.
     • Step 3: The attack event is configured to trigger the remediation module for APIC and quarantine the infected host using the APIC northbound API.
     • Step 4: APIC quarantines the infected App1 workload into an isolated uSeg EPG.
     See demo on http://cs.co/rtc-with-apic
  38. FMC Remediation Module for ACI on Cisco.com (TECDCT-2609).
  39. Visibility & Analytics (section title).
  40. Cisco Stealthwatch: see and detect more threats in your DC, with end-to-end network visibility from user to server across switches, routers, firewalls, data center switches and the WAN.
     • Monitor: comprehensive, contextual network flow visibility; real-time situational awareness of traffic
     • Detect: detect anomalous network behavior; detect network behaviors indicative of threats: worms, insider threats, DDoS and malware
     • Analyze: holistic network audit trail; threat hunting and forensic investigations
     • Respond: quickly scope an incident; network troubleshooting; one-click quarantine
  41. Cisco Tetration and Stealthwatch, greater visibility and security together (1+1=3): threat detection and hunting, application traffic modeling and visibility, access control policy and audit, anomalous behavior detection, integrated with other security solutions.
  42. Monitoring Unified SGT-ACI Policy: the TrustSec domain (e.g. pci_users, SGT 16) and the ACI domain (e.g. EV_appProfile_LOB2_App1EPG, SGT 10005) are joined by policy plane integration between Cisco ISE (SGT definitions) and APIC-DC (EPG definitions). The Stealthwatch deployment receives syslog from ISE and NetFlow from the ACI domain; Tetration Analytics receives SPAN telemetry and pushes policy.
  43. Summary (section title).
  44. Cisco Data Center Security:
     • Visibility, "See Everything": complete visibility of users, devices, networks, applications, workloads and processes
     • Threat Protection, "Stop the Breach": quickly detect, block and respond to attacks before hackers can steal data or disrupt operations
     • Segmentation, "Reduce the Attack Surface": prevent attackers from moving laterally east-west within the DC with application whitelisting
  45. Questions?
  46. Thank you!!
