Simplifying the secure data center

Simplifying security in the data center

  1. Simplifying Security in the Data Center. Benjamin Rossignol, Security Consulting Systems Engineer, berossig@cisco.com
  2. How do we Simplify the Secure Data Center?
  3. Agenda
     • Introduction
     • Micro-Segmentation
     • Secure VDI
     • ACI-TrustSec Integration
     • Security Feedback Loop with Firepower
  4. ACI Service Graphs: Keep it Simple. ACI allows for easier services insertion. (Diagram: a Client EPG as consumer and a Web EPG as provider of a Web Contract, with managed or unmanaged devices inserted by the service graph.)
  5. L4-L7 Service Automation: Support for All Devices. Any device and cluster manager support: a Cisco ACI Services Graph works with an L4-L7 device package, with no device package, or through a service cluster manager.
     • Centralized L4-L7 service configuration and management
     • Full L4-L7 service automation (with device package)
     • Large ecosystem and investment protection
     • Security policy follows workload
     • Centralized security provisioning and visibility
     • Automated service insertion and chaining
     • Support for any L4-L7 device
     • New support for L4-L7 cluster managers
     (Themes: Embedded Security, Micro-Segmentation, Security Automation, Encryption, Analytics)
  6. Same Policy Model across physical and any virtualization or cloud technology. (Diagram: KVM with OpFlex Agent and Open vSwitch over V(X)LAN; ESXi with Cisco AVS over V(X)LAN or with VMware DVS; Hyper-V with the MSFT vSwitch over V(X)LAN; Docker with OpFlex Agent and Open vSwitch over V(X)LAN; Bare Metal over VLAN; each virtual switch is driven by OpFlex.)
  7. Using Micro Segmentation: Can we use Micro Segmentation within ACI to effectively isolate application traffic?
  8. Macro Segmentation: the separation of Trusted and Untrusted environments. Examples: Internet, Campus, Datacenter, Development, Production. (Enforced with Service Graphs, Firewalls, ACLs, EPGs.)
  9. Micro Segmentation: ring-fencing, or isolating application traffic to a specific set of servers within a datacenter. Examples: Web Tier to Application, Application to Database. (Enforced with Service Graphs, EPGs, Virtual Firewalls.)
  10. Micro-Segmentation with ACI: EPG-Web micro-segmentation across any workload (vDS, Cisco AVS, Hyper-V vSwitch, Open vSwitch, or IP/MAC EPG; encapsulation VLAN or VXLAN; virtual switches driven by opflex). Micro-segmentation attributes (attribute: type):
     • MAC Address Filter: Network
     • IP Address Filter: Network
     • VNic Dn (vNIC domain name): VM
     • VM Identifier: VM
     • VM Name: VM
     • Hypervisor Identifier: VM
     • VMM Domain: VM
     • Datacenter: VM
     • Custom Attribute (VMware AVS/vDS only): VM
     • Operating System: VM
  11. MAC-EPG Support in ACI: MAC-EPG-Web micro-segmentation across any workload, with the same attribute list as slide 10.
  12. MAC-EPG (Micro-Segmentation)
     • MAC-EPG is a micro-segmented EPG with endpoint membership based on a MAC address attribute list which is derived from endpoints of a Base EPG
     • Scoped at BD level
     • MAC-EPGs can have large mac-lists
     • Usecases: Migrations, Security Feedback Loop, etc.
     (Diagram: BD1/subnet1 holds a Base EPG and MAC-EPG-1 through MAC-EPG-N; within a BD traffic is bridged. BD2/subnet2 holds a Base EPG and MAC-EPG-1; inter-BD traffic is routed. Contracts govern traffic between the EPGs.)
  13. Micro-Segmentation Demo with ACI
  14. User Segmentation and VDI. (Diagram: Campus PCs connect to a VDI EPG (Sales, IT, HR) in the Datacenter, which reaches the Server EPG through NGFW / NGIPS.) Solution provides: Next-Generation Security (NGFW, NGIPS, AMP) with Identity controls. VDI Farm is one big flat subnet, with lateral blocking. Need to provide secure access to Servers.
  15. Secure VDI Usecase Flow: User-Identity Micro-Segmentation with Firepower + ACI (Usecase 1, Usecase 2). Shipping.
  16. Consuming Micro-Segmentation: User-Identity Micro-Segmentation with ACI. Concept: Src-EPG to Dest-EPG under a Contract, with an AD-based user identity policy. Solution: Intra-EPG Isolation; ACI Service Graph with Firepower; enforce a User-Identity based network access control policy (Red user can only access Red VMs, Green user can only access Green VMs); ACI Policy Model Extension. Shipping.
  17. Secure VDI Usecase: User-Identity Micro-Segmentation with Firepower + ACI. Users on the Campus Network initiate a VDI session through an L3out into the VDI EPG (the VDI Farm is one big flat subnet, but VMs are isolated, blocking lateral traffic). A service graph with Firepower (Firepower 4100 / 9300 running the FTD image, vPC-attached) sits between the consumer (VDI EPG) and the provider (Server EPG) of the contract; FMC learns user identity from Active Directory through the SF User Agent. User-Identity Network Access Control Policy (SourceFire policy), Users (AD Group: VDI Session) to Destination Network (Server EPG): Group A (1.0.0.1 <= VDI IP <= 1.0.0.2) to Destination Subnet 10.0.0.0/30; Group B (3.0.0.1) to Destination 20.0.0.1. Shipping.
  18. Secure VDI Demonstration
  19. User Segmentation: control of which systems or applications within a datacenter a user or group can connect to. (Diagram: Campus PCs receive TrustSec / Security Group Tags (8 SGT / Sales, 3 SGT / HR, 99 SGT / IT) through VLAN assignment and passive identity from Active Directory before reaching the Datacenter.)
  20. Problem: Disjointed Identity & Security Policy Domains Between Campus and Data Center. (Diagram: the TrustSec policy domain in Campus / Branch / Non-Fabric with Voice, Employee, Supplier and BYOD on the Voice VLAN and Data VLAN; the APIC policy domain in the ACI Fabric data center with Web, App and DB; joined across the WAN; identity and grouping policy domains are disjoint.)
     • Today customer has two disjointed identity and security policy domains in Campus and Data Center:
       • TrustSec: User Identity, SGT and SGACL in Campus
       • APIC: App Endpoint Identity, EPG and Contract in Data Center
     • Customer Requirement: need common "Identity," Tagging and "Security Policy" between TrustSec and ACI domains
  21. Higher Scale Data Plane Solution (Target Q2-CY17). The TrustSec/ISE policy domain (CMD/SGT) and the ACI policy domain are joined by a TrustSec Border Router (ASR1K initially) across the WAN (IPsec, DMVPN, GETVPN, OTP), using SXP and SGT <-> EPG translation. Planes: Policy Plane (REST API), Routing Plane (MP-BGP EVPN), "Trusted Mode" Data Plane (GBP VXLAN). Flow: ISE builds the translation table (1. GET: VRF-ID, Class-ID; 2. SGT <==> VRF-ID, Class-ID); the translation table is downloaded; EPG starts on the ASR1k (ASR1k(config)# cts sg-epg translations); Golf L3out (Leaf: -EX only).
  22. Campus to ACI Flow (Target Q2-CY17). Same topology: SGT-EPG translation on the border router, SGT-EPG carried in iVXLAN, and the contract applied on the leaf (lookup: s-class, d-class, policy) toward the APP-EPG through the Golf L3out.
  23. ACI to Campus Flow (Target Q2-CY17). Same topology: SGT-EPG in iVXLAN from the APP-EPG through the Golf L3out, a vzAny contract (permit-all or filter ports), and per-host policy in the ASR1k.
  24. Solution: Normalize Identity and SGT/EPG.
     • Phase 1 (Target Timeframe: Shipping now): Identity and Policy Propagation between ISE and APIC. No SGT tags sent to ACI; enforcement at N9300 border leaf; leverage IP address as User identifier; scale: ~10k/Leaf; works with existing ACI infra: N9300 leafs and N9500 Spines.
     • Phase 2 (Target Timeframe: Q2 CY17): Policy Mapping between ISE and APIC AND Data plane Integration (ASR1K or ACI Spine). ASR1K DCI translates SGT -> EPG-Class-ID; enforcement at N9300 leaf; scale: SGT / EPG namespace; works with existing N9300 leafs, requires upgrade of N9500 spines (line card / fabric module available mid CY16).
     (Diagram: TrustSec Domain SGT -> EPG ACI Domain, with the ASR1k carrying SGT in iVXLAN.)
  25. Security Feedback Loop
  26. Security Feedback Loop. Firepower, in all its forms, supports Correlation Policies and Remediation Modules, allowing us to take a customized action based on defined behavior on the network. Example: If a server is attacked by a host in my PCI network, I want to block the attacker.
  27. Consuming Micro-Segmentation: ACI and SourceFire – Security Closed Feedback Loop. (Diagram: an attack from 10.1.0.234 in the CORP EPG against the Web EPG passes the FW and NGIPS; the FireSIGHT Management Center makes REST calls to the APIC NB API to move the VM to the quarantine (QUA) EPG for remediation, and post-remediation moves the cleaned VM; a REM EPG is also shown.) Status:
     1. Cisco on Cisco solution (ACI + Security BU)
     2. Remediation module in FMC used for security feedback loop (no device package required)
     3. Productization for VMware vDS, AVS and BM is shipping
        • Quarantine IP-EPG creation
        • Quarantine bad endpoints using IP-EPG only
     4. Tested 150 IP-EPG creation and TBD endpoints
     5. NGIPS stitching has no dependencies on the Remediation module. NGIPS stitching can be done with or without a device package; both options are supported.
     Demo Video: https://youtu.be/zSfDT1-47Hg
  28. Security Feedback Loop, continued…
  29. Security Feedback Loop, continued… Cisco has just released the new ACI Remediation Module for Firepower!
  30. Security Feedback Loop, continued…
  31. Security Feedback Loop Demonstration
  32. Additional Resources
     • FMC Remediation Module for ACI Documentation: http://www.cisco.com/c/dam/en/us/td/docs/security/asa/apic/quick-start/guide/fmc-rm-qsg1x.pdf
     • FMC Remediation Module for ACI YouTube Video: https://www.youtube.com/watch?v=zSfDT1-47Hg&feature=youtu.be
     • Micro Segmentation Demo on YouTube: https://youtu.be/EEs7B1dKVjE
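The feedback loop of slides 26 and 27 in working code, as an added example that is not Cisco's remediation module: a correlation rule picks out PCI hosts that attacked a server from constructed intrusion events, and the quarantine step is expressed as the APIC REST body for an IP-attribute uSeg EPG (the fvAEPg / fvCrtrn / fvIpAttr object names are the APIC object model as I understand it; the event field names, the PCI range and the tenant, application profile and bridge-domain names are assumptions). The HTTP POST itself, which needs an APIC login session, is left to the caller.

```python
import ipaddress
import json

# Constructed sample events, shaped like what a correlation policy would see.
# "impact" mimics FMC impact flags (1 = most severe); field names are assumed.
EVENTS = [
    {"src_ip": "10.1.0.234", "dst_ip": "10.2.0.10", "impact": 1, "sig": "SQL injection attempt"},
    {"src_ip": "10.1.0.77", "dst_ip": "10.2.0.10", "impact": 4, "sig": "Port scan"},
    {"src_ip": "192.168.9.9", "dst_ip": "10.2.0.10", "impact": 1, "sig": "SQL injection attempt"},
]
PCI_NETWORK = ipaddress.ip_network("10.1.0.0/24")  # assumed PCI address range


def attackers_to_quarantine(events, pci_net=PCI_NETWORK, max_impact=2):
    """Correlation rule from slide 26: a host in the PCI network that attacked a
    server with a high-impact event is selected for quarantine. Returns unique IPs
    in first-seen order; hosts outside PCI or with low-impact events are ignored."""
    hits = []
    for ev in events:
        src = ipaddress.ip_address(ev["src_ip"])
        if src in pci_net and ev["impact"] <= max_impact and ev["src_ip"] not in hits:
            hits.append(ev["src_ip"])
    return hits


def quarantine_epg_payload(tenant, app_profile, bd, epg_name, ips):
    """Build the APIC REST URL and JSON body for a uSeg EPG whose membership is an
    IP attribute list (slide 27: quarantine bad endpoints using an IP-EPG).
    Object model assumed: fvAEPg(isAttrBasedEPg=yes) -> fvRsBd + fvCrtrn -> fvIpAttr.
    Endpoints whose IP matches move into this EPG, so contracts on it decide what
    the quarantined host may still reach."""
    ip_attrs = [
        {"fvIpAttr": {"attributes": {"name": "quar-" + ip.replace(".", "-"), "ip": ip}}}
        for ip in ips
    ]
    body = {"fvAEPg": {
        "attributes": {"name": epg_name, "isAttrBasedEPg": "yes"},
        "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
            {"fvCrtrn": {"attributes": {"name": "default"}, "children": ip_attrs}},
        ],
    }}
    url = "/api/mo/uni/tn-%s/ap-%s/epg-%s.json" % (tenant, app_profile, epg_name)
    return url, body


if __name__ == "__main__":
    url, body = quarantine_epg_payload("T1", "AP1", "BD1", "QUA-EPG", attackers_to_quarantine(EVENTS))
    print(url)
    print(json.dumps(body, indent=2))
```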