Cisco Connect Ottawa 2018 data centre security

Cisco Connect Ottawa
Canada • 2nd October 2018
Global vision.
Local knowledge.

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Welcome!!

Benjamin Rossignol
Cybersecurity Systems Engineer, CCIE#23791
October 2018
Cisco’s Architectural Approach
Next-Generation
Datacenter Security

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Percentage of security team’s time
47%
Servers
29%
Customer data
23%
Endpoints
of the security team’s time
is spent on security in the data center76%

Data Center Security… It Takes an Architecture!
Threat
protection
“Stop the breach”
Segmentation
“Reduce the
attack surface”
Visibility
“See everything”
Threat intelligence - Talos
Intent-based
Automation
Analytics

Building a True
Data Center Security
Architecture

Cisco Datacenter Security Solutions –Focus Areas
Network & Application Analytics
• Stealthwatch
• Tetration
Visibility
Stop Attacks and Malware
• NGFW/NGIPS
• Advanced Malware
Protection (AMP)
Threat Prevention
Firewall and Access Control
• NGFW, ACI and Tetration
Policy Orchestration
• FMC and CloudCenter
• APIC and ISE
Segmentation
Integrated

Architecture
Integrated
Portfolio
Best of breed

It Takes an Integrated Architecture
pxGrid
Security
Group
Tag /
EPG
API
Intel
Sharing Automation
Analytics
(Stealthwatch, Tetration)
Advanced
Malware
Policy and Access
o ISE
o NGFW
o Tetration
o ACI
NGFW / NGIPS
Threat Protection
Visibility
Segmentation
Management
o CloudCenter
o APIC
o FMC
o Tetration

ISE
Switches Routers Wireless
EndpointsIOT PhonesPrinters
WSA ESAFMC SMC
TALOS AMP/TG UmbrellaCTA
SIEM
VMC
Net Protocols
pxGrid
AMP/TG API
Firepower API
Syslog
Talos API
Cloud Services
Infrastructure & Devices
pxGrid
Generic API
Radius
Netflow
DNS
Legend
10

Data Centers are Changing
Cisco Security Grows with You
Application Centric
Infrastructure
ACI Fabric
Virtualization
and Cloud
Traditional
Data Center

Segmentation

How well do you understand your applications?
Application
Relevant Policy
Perform
Application
Dependency
Mapping
Tested?
Existing
ACL?
Accurate?
Review
Trusted?
No
No
No
No
Yes
Yes
YesIt’s already out
of date
Yes

“I have no idea what my segmentation policy
needs to be at any given time!”

Cisco Tetration Connection Manager
Automated Security Policy Recommendation
Step2: Auto-Generation of Whitelist
Policies
Whitelist policy recommendation
• Identifies application intent
• Generates 4 tuple policies
Export into Cisco solutions
• Export in JSON, XML and YAML
• Import into ACI, ASA and NGFW
Step1: Behavior Analysis
Application conversations Conversation details/
process bindings

Automated Policy Discovery
Audit and Enforcement
• Zero Trust Enforcement
ASA
• Tetration-to-ASA Policy Conversion
• Lifecycle ACL Management
• ACL Audit
Tetration

Cisco Tetration Offerings
17
• VM Virtual Appliance
• DC, Amazon or Azure
• 3 Server Platform
• Turnkey Hadoop Appliances
• SW & HW Sensors
• Highest Performance
On-Prem Software OnlySaaS
• Tetration As A Service
• Cisco Hosted & Managed
• Cloud First Customers
1K to 25K+ Workloads 100 to 1000 Workloads
NEW NEW

DB Endpoint Group
NGFW ACI Tetration
Web EPG Database EPG
North / South Course Grain East / West
Fine Grain East / West
AKA Micro Segmentation

DB Endpoint Group
•
•
•
•
•
•
NGFW ACI Tetration
Web EPG Database EPG
•
•
•
•

APIC configures FMC 6.2.3, using REST-APIs to manage the following devices:
 Pre-registered FTD devices in either Stand-alone, HA or Cluster mode
APIC configures the following features:
• Interfaces in Routed, Switched, or Inline mode. Defines VLAN sub-interfaces
(including Port-Channels) for Routed and Transparent firewall mode, including IRB.
Static routes can be added under interface configuration.
• Security Zones, Interface Names, Inline Sets, as specified in function profile
parameters. FMC names are prefixed with APIC Tenant and registered FTD device
name. EPG learning feature is supported with FMC.
• Assignment of the Security Zones to pre-configured ACP Rule(s).
FTD FI Device Package Version 1.0.3

FTD FI Device Package for ACI
Policy Creation:
Security Admin uses FMC to create an appropriate policy
Fabric Insertion:
Network Admin uses APIC to program Fabric Insertion of FTD
Security team configures via FMC
SECURITY NETWORK
DBApp
FMC 6.2
FMC GUI API API / GUI
Firepower NGFW
(FTD 6.2.3 image)
Registered to FMC
APIC Imports
FTD Device Package
To Program FMC
Managed Service Graph
Hybrid – Service Manager Model

Data Center Security Working Together
CloudCenter
Tetration
ISE
AMP
Tetration
sensor
EPG
App
AMP
FTD
External Internal
FMC Manager
fire
EPG
DB
Tetration
sensor

Simplifying Security
Orchestration
• Automated workload deployment
• Hybrid Cloud
CloudCenter
• Deploy EPG and contract
• Deploy service graph
ACI
• Deploy AMP for Endpoints
• Deploy Tetration Software Sensor
• Deploy ASA Firewall
Security Solutions

Consistent access
policy from users to
servers
• pxGrid
ISE/TrustSec
• Contextual awareness
ACI/Endpoint Group
• Group based policy
NGFW

From Campus to Data Center
ACI Policy DomainTrustSec Policy Domain
Switch Router Router Firewall Nexus9000 Nexus9000 ServersUser
SGT
over
Ethernet
IPSec / DMVPN /
GETVPN / SXP
Classification
ISE creates matching SGTs for EPGs
ISE exchanges IP-SGT/EPG ‘Name bindings’
IP-ClassId, VNI bindings
IP-Security Group bindings
exchanged with network
Spine Leaf
Cisco ISE Cisco APIC-DC
Security Groups End Point Groups
ACI: Application Centric Infrastructure
WAN
(GETVPN
DMVPN IPSEC)
ASR 1K
Policy plane integration
Firewall

Advanced
Threat Protection

Applications and services
Mitigating threats, risks and vulnerabilities
Users zone Server zone 1 Server zone 2 Outside world
business partners
Perimeter
firewall
Segment Datacenter Architecture

The Need for Advanced Threat Protection
TECDCT-2609
Segmentation
Threat

Cisco Advanced Threat solutions
• DNS Security
• Command and
Control and
Malware Blocking
• Content Control
• Protection against
exploitation of app
vulnerabilities
• Impact-assessment
and IoC
• Auto-tuning of policy
• File based malware
protection
• Sandboxing to find
zero-day malware
• Retrospective
remediation of malware
Umbrella NGFW/NGIPS AMP
TECDCT-2609

96.8%
100%
90.1%
0.6%
67%
6.5%
2.9%
91.8%
17.1%
6.5%
96.3%
27%
Cisco:
Undisputed Leader in Stopping Threats Fast
-------Efficacy-------
--------------Time-----------------
74.7%
95.3% 97.1%
18.5%
39.9%
70.8%

What is a Quarantine?

Rapid Threat Containment (RTC)
Initial compromise Detection
Protect critical data, by stopping attacks faster, based on real-time threat intelligence
Internet
Enterprise
Network
Monetize theft
Problem
Infection spread
Data hoarding
Data exfiltration
100 – 200 days Initial compromise Containment
Internet
Solution
PxGrid
Enterprise
Network
Sensor
- AMP/
- NGIPS/
- ASA
(wFirePOWER)
EPS: Quarantine
(over PxGrid)
COA
Minutes
FMC
ISE
TrustSec
segmentation

Firepower Remediation Subsystem Components

Tetration Inventory – Contextual Visibility and
Policy
App Server
10.66.237.5
ISE/PxGrid
CMDB CI
IPAM/DNS
Hypervisor/Cloud
Security Ecosystem
Network
ISE Integration via PxGrid - Beta

Multi-Layered
threat prevention
architecture in
action
• Command & Control prevention
• Rapid threat containment
NGFW/NGIPS
• Tetration software sensor enforcement
• Automation NGFW to Tetration
Tetration
• Zero Day Protection
• Malware protection – from network, to
endpoint, to cloud
AMP

Rapid threat
containment with
ACI micro-
segmentation
• Indicators of compromise
• Rapid threat containment
NGFW/NGIPS
• Micro-segmentation/uEPG
• Automation NGFW to APIC
ACI
• Network AMP
• Malware protection – from network, to
endpoint, to cloud
AMP

FMC to APIC Rapid Threat Containment
FMC Remediation Module for APIC
DB EPG
ACI Fabric
App EPG
Infected App1
Step 4: APIC Quarantines infected App1
workload into an isolated uSeg EPG
Step 1: Infected End Point launches an attack
that NGFW(v), FirePOWER Services in ASA,
or FirePOWER appliance blocks the attack
Step 2: Event is generated to FMC about an
attack blocked from infected host
Step 3: Attack event is configured to trigger
remediation module for APIC and quarantine
infected host using APIC NB API
1
FMC
App2
2
34
See demo on http://cs.co/rtc-with-apic

FMC Remediation Module for ACI on Cisco.com
TECDCT-2609

Visibility
& Analytics

• Comprehensive,
contextual network flow
visibility
• Real-time situational
awareness of traffic
Monitor
• Detect anomalous
network behavior
• Detect network
behaviors indicative of
threats: worms, insider
threats, DDoS and
malware
Detect
• Quickly scope an incident
• Network troubleshooting
• One click quarantine
Respond
See and detect more threats in your DC
Cisco Stealthwatch
Analyze
• Holistic network audit trail
• Threat hunting and
forensic investigations
Switch Router Router Firewall Data Center
Switch
ServerUser
WAN
ServerDevice
End-to-
End
Network
Visibility

Threat
detection and hunting
Application traffic
modeling &
visibility
Access control
policy and audit
Anomalous
behavior
Integrated with other security solutions 1+1=3
Greater Visibility and Security Together
Cisco Tetration and Stealthwatch

42TECDCT-2609
Forensic Search
Flow Search by any attribute

Monitoring Unified SGT-ACI Policy
TrustSec Domain
ACI Domain
pci_users
SGT: 16
EV_appProfile_LOB2_App1EPG
SGT: 10005
ACI Domain
Stealthwatch Deployment
Cisco ISE
APIC-DC
syslog
NetFlow
SGT
Definitions
EPG
Definitions
Policy Plane
Integration
Tetration
Analytics
SPAN
Policy
Push
Tetration
Telemetry

Behavior and app
modeling and
threat analytics
• Threat detection
• Data exfiltration protection
• Tetration integration
Stealthwatch
• Security policy analysis
• Network flow to server process
Tetration

Summary

Cisco Data Center Security
Visibility
“See Everything”
Complete visibility of users,
devices, networks, applications,
workloads and processes
Threat Protection
“Stop the Breach”
Quickly detect, block, and respond to
attacks before hackers can steal data
or disrupt operations
Segmentation
“Reduce the Attack Surface”
Prevent attackers from moving
laterally east-west within the DC
with application whitelisting

Cisco Connect Ottawa 2018 data centre security

Cisco Connect Ottawa 2018 data centre security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cisco Connect Ottawa 2018 data centre security

Similar to Cisco Connect Ottawa 2018 data centre security (20)

More from Cisco Canada

More from Cisco Canada (20)

Recently uploaded

Recently uploaded (20)

Cisco Connect Ottawa 2018 data centre security