
Monetizing The Enterprise: Borderless Networks



The Cisco Borderless Network Architecture is the technical architecture that allows organizations to connect anyone, anywhere, anytime, and on any device - securely, reliably, and seamlessly. Learn more about an infrastructure of scalable and resilient hardware and software in this presentation.
Keywords: Service Provider, enterprise, Mobile Endpoint and CPE, Virtualized Network Edge/Data Center Edge, Cloud

Published in: Art & Photos, Technology


  1. Monetizing The Enterprise: Borderless Networks
     Michael Geller – Architect, SP Chief Technology Office
     Kevin Shatzkamer – Distinguished Architect, Sales
     September 27, 2011
  2. Abstract
     The impact of the consumerization of IT and mobility cannot be overstated. This webinar addresses the impact that these two key business elements have on the evolution of Enterprise Architecture and on Service Providers' ability to offer services to Enterprises, Governments, and Consumers. The shift and movement of the secure network edge leads to a close examination of the changing threat vectors and vulnerabilities impacting our businesses today. Service delivery and consumption on the three "service horizons" (Mobile Endpoint and CPE, Virtualized Network Edge/Data Center Edge, and the Cloud) is detailed.
  3. Visibility and Control
     Building a Secure Infrastructure for Profitable Services
     - Total Visibility in all aspects of your network.
     - Complete Control over all traffic in the network & cloud.
     - Guaranteed Availability of all services.
  4. Multi-Tenant Access and aggregation:
     - Session Border Controller
     - Firewall
     - IDS/IPS
     - IPSEC VPN
     - BNG (Subscriber Controls)
     - SSL VPN
     - Trust and Identity
     - Web/Content Security
     - Email Security
     - DLP
     Access and aggregation:
     - Basic infrastructure security role
     - Control Plane Security
     - Data Plane Security
     - Firewall
     - IDS/IPS
     - IPSEC VPN
     - DHCP – subscriber
     - SSL VPN
     - Trust and Identity
     - Web/Content Security
     - Email Security
     Full Service Branch:
     - Firewall
     - IDS
     - Encryption (IPSEC & SSL)
     - Trust & Identity
     - Email Security
     - Web/Content Security
     - NAC
     - WAN Optimization
     CPE:
     - Firewall
     - IDS
     - IPSEC & SSL VPN
     - Host Security
     - Control Plane Security
     - Forwarding Plane Security
     - Email Security
     - Web/Content Security
     - NAC
     Diagram labels: Visibility & Posture; Endpoint / CPE; DC/Cloud; Access/Aggregation; Core (P routers); PE(s); L2 Agg.; Public, Private & Hybrid Clouds; Mobility; Internet & Peering Edge; DSL; Fixed Wireless; Cable; Security Operations and Services; Data Center/Cloud; Data/Service Center; Security Monitoring & Management; VA; PT; Web Assessment & SSO; MNAC.
     Telstra Cloud:
     - Nexus 1kV (Netflow/VSG)
     - UCS: Software based Security Services (FW, VPN, …)
     - Nexus 7k Security Services Mod
     - vWAAS
     - Enterprise-Hosted IronPort Web/Content/Email Security/DLP
     - ScanSafe Web Security
     - Identity/Policy Service Control
     Service Center:
     - Remediation (quarantine)
     - Intrusion Detection/Prevention
     - VM Security & Nexus 1000V
     - Anomaly detection/Scrubbing
     - Policy Control Plane
     - Firewall & XML Firewall
     - Web/Content/Email Security
     Security Operations Center (One Time Services, Enterprise): Security Experts; SOC Processes; SOC Toolsets; SIO, Platform Telemetry, 3rd party rules and systems, Regulatory Policy & Influence.
  5. Operator Portal Capabilities
     SP Operator Portal:
     - Single pane of glass for all management functions
     - White label logo and style branding
     - RBAC – role-based access control
     - Customizable dashboard for different roles
     - Share information between SP & customers
     - Services catalogue
     - Knowledge base
     - Real-time threat dashboard
     - SLA tracking dashboard
     - Forensics
     - Historical reporting
     Consolidated Views: Risk Score, Alerts, Top Ten Events, Virus & Compliance Status.
     Events View: customized view based on need. A more focused approach: Online Events & Forensic view.
  6. Threat Intelligence: Global Visibility
     SIO (Global Intelligence): Researchers, Analysts, Developers; ISPs, Partners, Sensors; Applied Mitigation Bulletins.
     Cisco solution (consumers of SIO intelligence): ESA, WSA, IPS, ASA, Cisco AnyConnect.
     Largest Threat Analysis System – Blended Threat Protection:
     - 700K+ Global Sensors
     - 5 Billion Web Requests/Day
     - 35% Of Global Email Traffic
     - Endpoint Threat Telemetry
     - Reputation, Spam, Malware and Web Category Analysis, and Applications Classification
  7. Security Services Delivered To The Enterprise
     Secure Systems: Remote Access, Collaboration, Virtualization, Mobility, Cloud
     Device Security: Device Forensics, Asset Mgmt, Lock/Wipe, Zero Day, AV, Encryption
     Audit
     Application Security: Web Application, Coding/Hardening, Penetration
     Service Mgmt.
     Content/Data Security: Encryption, Email, Web, DLP
     Data Gov.
     Network/System Management: Alerting, Logging, Monitoring
     Identity: Directories, Policy
     Network Security: VPN, Firewall, IDS/IPS
     APIs
     Trusted System Infrastructure: Device, Compute, Storage, Network, Physical
     * Based on common industry models by Gartner, SANS Institute and various customer interviews
  8. AnyConnect Secure Mobility (Enterprise)
     Diagram labels: Branch Office; Corporate Office; IronPort WSA; ASA; Cisco Integrated Services Routers; ISE; TrustSec.
  9. AnyConnect Secure Mobility – SP Managed
     Enhanced Customer Experience via End-to-End Seamless Security & Assurance
     Secure GW + Network + DC:
     - Multi-Tenant Edge Services Gateway: VPN, FW, SBC, Visibility, DPI
     - Web/Email Security From The Cloud (ScanSafe)
     - AnyConnect Secure Mobility Client
     Email/Web Security from the Cloud; Cloud Offering Per Customer Application Experience with SLA; Policy + Identity.
     Unified Anywhere+/AnyConnect:
     - Simplified remote access
     - Connection and app persistence
     - Always-on VPN enforcement
     - Location-aware policy
     - Application controls
     - SaaS Access Control
     - Per User Subscription Model
     - Portal for Provisioning/Forensics
     Diagram labels: AnyConnect; Cius / SmartPhone; Smart Branch; vOptimization; vLoad Balancing; HCS & IaaS.
  10. Secure Places In The Network: Summary
     Security Services:
     - Firewall & IPS
     - VPN (IPSEC & SSL)
     - Trust & Identity
     - Email Security
     - Web/Content Security
     - Anti-Malware
     - WAN Optimization
     - SBC (CUBE Ent.)
     - WaaS
     - DPI
     Diagram labels: AnyConnect (Policy); Mobile Endpoint & CPE (Mobility, DSL, Fixed Wireless, Cable; Consumer/SoHo, Enterprise); Virtualized Network/DC Edge; Internet & Inter-Cloud; Private Cloud; Public & Partner Cloud; SP DC/Cloud; Security Infrastructure; Policy, Trust & Identity Services; Defense In Depth – Common ASA Code Base; SIO, SecOps (SmartOps, Tools, Ecosystem).
  11. Secure Places In The Network: Horizon 1 – Mobile Endpoint & CPE
     Security Services:
     - Firewall & IPS
     - VPN (IPSEC & SSL)
     - Trust & Identity
     - Email Security
     - Web/Content Security
     - Anti-Malware
     - WAN Optimization
     - SBC (CUBE Ent.)
     - WaaS
     - DPI
     Platform/Area of Interest:
     - MDM and Partners
     - Evolution of The ISR G2
     - Connecting the CPE to the cloud
     - ASA & Identity FW
     - IronPort ESA/WSA
     - DPI & Visibility
     - Identity Services & Policy
     Diagram labels: AnyConnect (Policy); Mobility; Mobile Endpoint & CPE; DSL; Fixed Wireless; Cable; Consumer/SoHo; Enterprise.
  12. Connecting the CPE To The Cloud: Leveraging Cisco Product Multi-service capability
     Service Virtualization – UCS Express; App Visibility & Optimization (WaaS); Threat Protection Security Services.
     Lowering Capex / Opex for on-premise application services:
     - Mission critical on-premise application hosting
     - Integration into IaaS Service Orchestration
     - Optimized experience for the Application Consumer
     End to end security service via optimized hybrid on-premise / cloud services:
     - On-Premise encryption, Firewall, intrusion protection
     - Hosted Web content protection (ScanSafe) & Email Protection …
     - Managed Identity Services
     Improving end user quality of experience:
     - End to end application visibility & SLA
     - Focus on Application Optimization …
     - Security services upsell opportunity
     Diagram labels: WAAS Express; Dedicated Router Module; DC + vWaaS.
  13. Connecting the CPE To The Cloud – 2: Leveraging Cisco Product Multi-service capability
     Services Led Selling; Video; EnergyWise.
     Removing NOC / SOC complexity and allocation of people, process and tools – GTM acceleration:
     - SmartOps for Security – SOC BOT Models
     - SmartOps for CPE – NOC White labeling or BOT Models
     - Testing and validation
     Minimize energy consumption and costs of delivered Managed Services:
     - The "Green WAN / LAN" Service
     - The "Energy Optimized" Data Center
     Providing End to End Video Service insurance:
     - IPSLA Video Probe for Video SLA
     - Video Optimized ISR G2 Bundle
     - Integration of ISR G2 into Video Architectures like Telepresence
     - Optimized delivery of Video
     - ISR G2 ad-hoc video conferencing
  14. Aspiration: Policy Governed Networks
     Policy Teams: Security, Business, Compliance.
     Policy Governed Networks: IT Systems Mgmt, Cisco Network Mgmt Policy & Rules; Centralized Policy Platform; Identity Services Engine (ISE); Centralized View; Central Dashboard, Reports, Measurements, Troubleshooting; Third-Party Applications.
     Policy inputs: Customer Data; Context awareness; Business Relevance; Product Bookings.
     Context dimensions: Application, Context; Device, Location; Service, Context; User, Role.
     Diagram labels: MPLS; Corporate Laptop (Full, Encrypt); iPad (Restricted); Visibility and Control; Applications in Data Center or Cloud; ASR/ISR/ASA Router/Switch.
  15. Phased Execution: Centralized Policy Platform
     Identity Services Engine (ISE)
     Policy use cases (Security: TrustSec/ISE, CCN, VXI VDS/ISE, Branch Office):
     - Optimize Virtual Desktop Service Delivery: provide predictable quality for audio, video on virtual desktop (VDI)
     - Context-Based Security Services: prevent uncontrolled mobile devices from accessing servers with confidential information
     - Authenticated & Authorized Access: authenticate Guests and provide only Internet access
     - Prioritized Branch Service Delivery: prioritize point-of-sale transactions over Video (YouTube …)
     - Agile Virtual Service Delivery: move WebEx from RTP DC to SP US Cloud with Premium Service Level
     Context elements combined by the policy platform:
     - Media Actors
     - E2E Flow Characteristics
     - Real-Time Metering
     - User
     - Device
     - Health
     - Location
     - Reputation (future)
     - Application
     - Network Services
     - Server
     - DC Resources
     - Service Level
     - Virtual Desktop
  16. Secure Places In The Network: Horizon 2&3 – Network and DC Edge + DC/Cloud
     Security Services:
     - Firewall & IPS
     - VPN (IPSEC & SSL)
     - Trust & Identity
     - Email Security
     - Web/Content Security
     - Anti-Malware
     - WAN Optimization
     - SBC (CUBE Ent.)
     - WaaS
     - DPI
     Platform/Area of Interest – 2:
     - MDDC & CCN
     - ASR 1k – Multitenancy and DC Edge
     - IOS-XE on a VM
     - Virtual Appliance + Physical Application
     - Hosted Content, Email, Web Security
     - DPI & Visibility
     Platform/Area of Interest – 3:
     - Nexus 1kV
     - VSG and vASA
     - IOS-XE on a VM
     - vWaaS
     - CCN & Service Orchestration
     - vESA/vWSA
     - DPI & Visibility
     - Network Proximity
     - Partner Ecosystem
     Diagram labels: Private Cloud; Mobility; Internet & Inter-Cloud; Virtualized Network/DC Edge; DSL; Public & Partner Cloud; SP DC/Cloud; Fixed Wireless; Cable; Consumer/SoHo; Enterprise.
  17. Cisco Products – Cisco VXI: Virtualized End-to-End System
     Virtualized Data Center: Desktop Virtualization Software; Applications / Desktop OS (MS Office, Cisco Collaboration Applications); Hypervisor; Virtual Security Gateway; Nexus 1000v; ACE; UCS; Storage; Compute; Unified CM; Quad; WAAS.
     Virtualization-Aware Borderless Network: Routing; ASA; Switching; PoE; WAAS; CDN.
     Virtualized Collaborative Workspace: Cisco Clients (AnyConnect); Cius Business Tablets; Cisco Virtualization Experience Clients; Thin Client Ecosystem. Generic VDI has no support for UC or Rich Media.
     End-to-End Security, Management and Automation.
  18. Borderless Network VXI Components
     Access Security, Data Center and VXI Network:
     - ASA and AnyConnect provide a single secure remote access solution for a large device footprint
     - Device profiling and posture assessment using ISE ensures conformance
     - UPoE and PoE+ provide a de-cluttered and energy efficient virtual workspace
     - 802.1X based device and user authentication
     - TrustSec allows policy based access to specific applications in the Data Center
     - Unmanaged devices (BYOD) are only allowed access to specific virtual desktop pools and applications
     - DMVPN allows secure, dynamic and direct branch to branch collaboration
     - WAAS and ISR together accelerate performance
     Diagram labels: Secure VXI Data Center (N1K, VSG, DC Network, WAAS DC, Cisco ACE, McAfee MOVE-AV; Finance, Data Base, Web, App); Remote/Home User via Internet with AnyConnect w/ Split Tunnel and Secure Display Traffic; ASA; Campus (Cat4K, Dot1x/MAB, UPoE/PoE+; Employee, Contractor); Branch One (DMVPN, WAE, ISR-G2, Display Traffic, Voice/Video); Branch Two (DMVPN, WAAS Express).
  19. From Router to vRouter
     Phase 1 – Secure Connectivity from Premise to Cloud:
     - Extend enterprise VPN infrastructure into the cloud via a cloud-based virtual VPN appliance
     - Enable secure split tunneling, bypassing expensive MPLS / private IP network backhauling
     - Provide end-to-end security – access control, DAR encryption, app / user / content visibility, IPS, web security – and unified management
     - This will enable enterprises to move mission-critical data to the cloud, retain control and meet compliance requirements
     Phase 2 – Networking Services from the Cloud:
     - Provide routing, switching, WAN acceleration, end-to-end security, performance monitoring, traffic prioritization / QoS, etc. via a cloud-based virtual router
     - Enables SPs and Cloud Providers to offer value-added pay-for-use services – networking, security – in a virtualized form factor to their customers
     - Enables SPs to move services away from CPE ISRs to the cloud / provider edge, minimizing and simplifying management
  20. Network Positioning System
     Phase II – Distributed Placement: capacity at multiple DCs.
     1. Orchestration System requests capacity, available at multiple DCs
     2. Insufficient bandwidth and / or sub-optimal location to meet SLA
     3. NPS informs best location(s) / PE routers
     Improves experiences, reduces operational and network costs.
     Diagram labels: National Data Center (x3); Core; NPS.
  21. Using Security Conductor for DDoS Attack Mitigation
     Actors: SECOPS, NETOPS. Security Apps: Visibility; Logging & Forensics; Incident Control. Security Policy Conductor: Policy Engine; Capabilities Directory; Resource Manager; Dependency Tracker.
     Monitoring info: NetFlow, MIBs, Logs for baselining, forensics and planning.
     1. Visibility Apps gather physical and virtual interface traffic information
     2. Visibility Apps build a network baseline and monitor for traffic anomalies
     3. In case of an anomaly, the Visibility App transfers information to the Security Incident Control Application
     4. Incident Control App informs SECOPS
     5. Incident Control performs a RTBH using BGP route insertion at the SP DC PE router
     6. "Sinkhole" Apps VMs are assigned for analysis
     7. Using the Security Conductor, security mitigation policies (ACL, QoS Policers, etc.) are downloaded in the network
     8. All Visibility and Mitigation information is sent for forensic analysis
     Diagram labels: Access / Aggregation Network; DC Control Point; IP/MPLS Network; Peering; Other SPs; CPE; RTBH configured; Sinkhole Apps activated on VMs; Attack Analysis; Attack Mitigation Policies are downloaded in all applicable routers.
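The baseline-then-trigger loop in steps 2, 3, 5 and 8 of the slide, as an added example that is not code from the deck or from Cisco: constructed NetFlow-style records (RFC 5737 documentation addresses) are aggregated per destination, a destination whose current-window volume exceeds its baseline by more than k standard deviations is handed to incident control as a forensic record, and the /32 blackhole route an incident-control app would inject at the PE is built as a data structure. The next-hop value and the byte floor are assumptions; the BLACKHOLE community 65535:666 is the RFC 7999 value.

```python
"""Flow baselining and RTBH trigger decision (added example, not Cisco code)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (window, src_ip, dst_ip, bytes).
# Windows 0-5 are the quiet baseline; window 6 carries a spike toward .10
# from twenty distinct sources, while .20 and .30 stay within their norm.
FLOWS = [(w, "198.51.100.1", "203.0.113.10", b)
         for w, b in enumerate([1_000_000, 1_100_000, 900_000,
                                1_050_000, 950_000, 1_000_000])]
FLOWS += [(w, "198.51.100.2", "203.0.113.20", 500_000) for w in range(6)]
FLOWS += [(w, "198.51.100.3", "203.0.113.30", 10_000) for w in range(6)]
FLOWS += [(6, "198.51.100.2", "203.0.113.20", 480_000),
          (6, "198.51.100.3", "203.0.113.30", 50_000)]
FLOWS += [(6, f"192.0.2.{i}", "203.0.113.10", 2_000_000) for i in range(1, 21)]

RTBH_COMMUNITY = "65535:666"  # RFC 7999 BLACKHOLE well-known community
RTBH_NEXT_HOP = "192.0.2.1"   # assumed next-hop that PEs route to Null0


def aggregate(flows):
    """Steps 1-2: per-destination, per-window byte totals and distinct sources."""
    vol = defaultdict(lambda: defaultdict(int))
    srcs = defaultdict(lambda: defaultdict(set))
    for w, src, dst, nbytes in flows:
        vol[dst][w] += nbytes
        srcs[dst][w].add(src)
    return vol, srcs


def detect(flows, current, baseline, k=3.0, floor=1_000_000):
    """Steps 2-3 and 8: flag destinations whose current-window volume exceeds
    both mean + k*stddev of the baseline windows and an absolute byte floor
    (assumed value) so near-idle hosts do not page SECOPS. The returned dict
    is the record handed to incident control and kept for forensics."""
    vol, srcs = aggregate(flows)
    hits = {}
    for dst, per_w in vol.items():
        hist = [per_w.get(w, 0) for w in baseline]
        thresh = max(mean(hist) + k * pstdev(hist), floor)
        now = per_w.get(current, 0)
        if now > thresh:
            hits[dst] = {"bytes": now, "threshold": round(thresh),
                         "baseline_mean": round(mean(hist)),
                         "sources": len(srcs[dst][current])}
    return hits


def rtbh_route(dst):
    """Step 5: the host route an incident-control app injects at the PE;
    no_export keeps the blackhole inside the SP's own AS."""
    return {"prefix": f"{dst}/32", "next_hop": RTBH_NEXT_HOP,
            "community": RTBH_COMMUNITY, "no_export": True}


if __name__ == "__main__":
    for dst, info in detect(FLOWS, current=6, baseline=range(6)).items():
        print(dst, info, rtbh_route(dst))
```

Only the spike target is flagged: the .30 host also leaves its baseline but stays under the byte floor, and the source count in the record is what tells an analyst this is distributed rather than a single misbehaving peer.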
  22. Cloud Security Solution Focus: Mapping
     Business needs (addressing loss of control): Data-in-flight security; Data-at-rest security.
     - Policy based control for ID, Data Confidentiality
     - Visibility, Forensics, Governance
     - VM-VM security, Routing policies in VM
     - vPath to stitch and control VMotion
     Secure Cloud Services: ScanSafe (SAML), DLP, Cisco ID Connect; AnyConnect: VDI/VXI.
     Multi-tenant Reference Architecture: VDC, DCI (OTV), VPLS / VRF …; Services: Virtual LB, FW; VN-Link, LISP, SIA tags w/ HW assist, N1k, VSG; PortProfile, vNetFlow, SAN.
  23. Putting It All Together: HCS
     Unified Communications and Collaboration
     Diagram labels: ESX Server (x3); Customer 1 to Customer 5; deployment models: Pure Hosted, Remote Managed On Prem, Hybrid; Dedicated / Private Network.