Defending the Data Center: Managing Users from the Edge to the Application
Report
Share
•0 likes•1,088 views
Defending the Data Center: Managing Users from the Edge to the Application
•0 likes•1,088 views
Report
Share
Simplify your network security and engineering through Cisco’s TrustSec for the Data Center.
Recommended
More Related Content
What's hot
What's hot(20)
![[Cisco Connect 2018 - Vietnam] Rajinder singh cisco sd-wan-next generation ...](https://cdn.slidesharecdn.com/ss_thumbnails/rajindersingh-ciscosd-wan-nextgenerationwantopoweryourdigitalbusiness-180504042420-thumbnail.jpg?width=768&fit=bounds)
Viewers also liked
Viewers also liked(19)
Similar to Defending the Data Center: Managing Users from the Edge to the Application
Similar to Defending the Data Center: Managing Users from the Edge to the Application(20)
More from Cisco Security
More from Cisco Security(15)
Recently uploaded
Recently uploaded(20)
Defending the Data Center: Managing Users from the Edge to the Application
- 1. MANAGING USERS FROM THE EDGE TO THE APPLICATION Russell Rice Senior Director Product Management Dec 5, 2012 © 2012 Cisco and/or its affiliates. All rights reserved. 1
- 2. 7.7 Billion In next 5 Years Accessing Application and Data Wi-Fi devices © 2012 Cisco and/or its affiliates. All rights reserved. 2
- 3. • How do I classify so many devices coming onto my network every hour? • Do we have any visibility on those devices connecting to our application & data in DC? • Virtual Machine Sprawl! How should I manage security for all of those VMs we are being asked to provision everyday? • My critical services are still running on physical servers. Do I maintain separate policies? © 2012 Cisco and/or its affiliates. All rights reserved. 3
- 4. Simplifying network security and engineering • Secure Embeds security within the infrastructure Enforcement based on rich contextual identify of users and systems Solution simplicity enables end-to-end approach • Efficient Simplifies implementation of security policy Highly scalable & Inline rate Simplifies Data Center network design • Demonstrable ROI Reduces ACL and VLAN complexity & maintenance Can automate Firewall policy administration Can improve both performance & availability © 2012 Cisco and/or its affiliates. All rights reserved. 4
- 5. Translating Business Policy to the Network TrustSec lets you define policy Context Classification in meaningful business terms Business Policy TAG Security Group Tag Destination HR Database Prod HRMS Storage Source Exec BYOD X X X Distributed Enforcement throughout Network Exec PC X X Prod HRMS X Switch Router DC FW DC Switch HR Database © 2012 Cisco and/or its affiliates. All rights reserved. 5
- 6. Device Type: Apple iPAD Classification Result: User: Mary Group: Employee Personal Asset SGT Corporate Asset: No ISE Profiling Along with authentication, various data is sent to ISE for device profiling ISE (Identity Services Engine) SGT Profiling Data ID & Security Group Policy DC Resource Company asset NetFlow DCHP Access DNS HTTP OUI RADIUS NMAP SNMP AP Wireless LAN Controller Restricted Employee Internet Only Personal asset Distributed Enforcement based on Security Group © 2012 Cisco and/or its affiliates. All rights reserved. 6
- 7. Classification ISE Directory Fin Servers SGT = 4 Users, Device Enforcement SGT:5 HR Servers SGT = 10 Switch Router DC FW DC Switch SGT Propagation TrustSec SGA is a context-based firewall or access control solution: • Classification of systems/users based on context (user role, device, location, access method) • The context-based classification propagates using SGT • SGT used by firewalls, routers and switches to make intelligent forwarding or blocking decisions in the DC © 2012 Cisco and/or its affiliates. All rights reserved. 7
- 8. Data Center Core Layer Stateful Firewalling Initial filter for all ingress and egress DC Aggregation Layer Stateful Firewalling Additional Firewall Services for server DC Service farm specific protection Layer DC Access Layer Server Segmentation IP-Based Access Control Lists VLANs, Private VLANs Virtual Access Physical Servers Virtual Servers © 2012 Cisco and/or its affiliates. All rights reserved. 8
- 9. NY 10.2.34.0/24 10.2.35.0/24 10.2.36.0/24 NY 10.3.102.0/24 DC-MTV (SRV1) VPN 10.3.152.0/24 DC-MTV (SAP1) UK 10.4.111.0/24 DC-RTP (SCM2) …. SJC DC-RTP (ESXix) Traditional ACL or Source Destination FW Rules permit NY to SRV1 for HTTPS deny NY to SAP2 for SQL deny NY to SCM2 forGlobal bank dedicates 24 global resources A SSH permit VPN to SRV1 for HTTPS deny VPN to SAP1 for SQL to manage for 3 source objects & 3 destination objects ACL Firewall rules currently deny VPN to SCM2 for SSH permit UK to SRV1 for HTTPS deny UK to SAP1 for SQL deny Permit UK SJC Complex Task and High OPEX Continues to to SAP for SSH SRV1 for HTTPS deny SJC to SAP1 for SQL Adding source Object deny SJC to SCM2 permit NY to ESXis for RDP deny VPN to ESXis for RDP Adding destination Object deny UK to ESXis for RDP deny SJC to ESXis for RDP © 2012 Cisco and/or its affiliates. All rights reserved. 9
- 10. NY DC-MTV (SRV1) VPN DC-MTV (SAP1) UK DC-RTP (SCM2) CA DC-RTP (ESXix) Security Group Filtering Source SGT: Destination SGT: Employee (10) Production Server (50) permit from Employee / Server regardless of topology Policy stays with User to Production Server eq HTTPS deny Simpler Auditing Processto Lower OperationalServer eq SQL from Employee Production Cost deny from Employee to Production Server eq SSH Simpler Security Operation Resource Optimization (e.g. Global bank estimates 6 global resources with SGFW/SGACL) Clear ROI in OPEX © 2012 Cisco and/or its affiliates. All rights reserved. 10
- 11. Legacy Emerging Accidental Architectures Data Center and Server Consolidation Applications deployed in fixed Server Virtualization positions (ex. multi-tier deployment) “Any workload on any server” Predictable traffic flows Unpredictable traffic flows as Security often deployed workloads migrate to each pod or silo © 2012 Cisco and/or its affiliates. All rights reserved. 11
- 12. Physical and Virtual Servers SegmentedVLAN? VLAN App using Policy Stays with VLAN or IP address, Not with Servers Which Policy? Web Servers Network Ops, Server Ops, and Security Ops are App Servers Database Web Server VLAN App VLAN involved in Operation Cluster Database VLAN DR As the number of server grows… Complexity and OPEX follow © 2012 Cisco and/or its affiliates. All rights reserved. 12
- 13. Web Server SGT (10) Application Server SGT (20) Database Server SGT (30) Server, Network, and Security Team share common security object Policy Stays with Servers, Not based on Topology Web Web App App DB DB Works for both Physical and Virtual Servers Production Server VLAN DR Cluster permit tcp from src Web to dst App eq HTTPS permit tcp from src App to dst DB eq SQL deny any from src Web to dst grows… As the number of serversDB eq SQL Management complexity and OPEX do not © 2012 Cisco and/or its affiliates. All rights reserved. 13
- 14. • Supports VXI use case SGACL enabled Device with Nexus 1000v SG Firewall enabled Device VDI Connection • Common classification Broker and enforcement for Physical Servers physical & virtual Campus Network environment VDI Endpoint • Simpler security management for Nexus 1000v Virtual Servers frequent VM Virtual Access Hosted Virtual provisioning Desktop (HVD) • SGT assigned to vEthernet port UCS © 2012 Cisco and/or its affiliates. All rights reserved. 14
- 15. Data Center Core Layer Security Group Firewalling Firewall rule automation using Security Group (ASA) DC Aggregation Layer Security Group Firewalling Firewall rule automation DC Service using Security Group (ASA) Layer DC Access Layer Security Group ACLs • Segmentation defined in a simple policy table or matrix Virtual Access • Applied across Nexus 7000/5500/2000 independent of the topology Physical Servers Virtual Servers SGACL enabled Device SG Firewall enabled Device © 2012 Cisco and/or its affiliates. All rights reserved. 15
- 16. DEPLOYMENT USE CASES Healthcare: Ensure Privacy of Patient Data by Enforcing Roles Based Access and Segmentation Across the Network Retail: Intra Store Communication for Networked Devices While Ensuring . That Only Authorized Users and Devices Have Access to PCI Data Technology: Allowing Approved Employee-Owned Tablets Access to Internal Portals and Corporate App Store Manufacturing: Marking Extranet Traffic to Allow PLC Vendor Remote Access to Specific Manufacturing Zone Only, and Offshore Development Partners Access to Development Servers Only © 2012 Cisco and/or its affiliates. All rights reserved. 16
- 17. Classification Policy Management Catalyst 2K Catalyst 4K WLC (7.2) Nexus 7000 Nexus 1000v Catalyst 3K Catalyst 6K Nexus 5000 (Q4CY12) Identity Services Engine Enforcement N7K / N5K Cat6K Cat3K-X ASA (SGFW) ASR1K/ISRG2 WLAN LAN Remote (SGACL) (SGACL) (SGACL) (SGFW) Access (roadmap) Transport Cat 2K-S (SXP) N7K (SXP/SGT) ASR1K (SXP/SGT) Cat 3K (SXP) N5K (SGT) ISR G2 (SXP) AnyConnect Cat 3K-X (SXP/SGT) N1Kv (SXP) - Q4CY12 ASA (SXP) (Attribute provider) Cat 4K (SXP) Cat 6K Sup2T (SXP/SGT) © 2012 Cisco and/or its affiliates. All rights reserved. 17
- 18. Secure Efficient Demonstrable ROI Embed security within Simplifies implementation Reduces ACL and VLAN the infra of security policy complexity & maintenance Enforcement based on Highly scalable Automates FW policy rich context & Inline rate Improve both performance Solution simplicity Simplifies Data Center & availability enables end-to-end network design approach © 2012 Cisco and/or its affiliates. All rights reserved. 18
- 19. Thank you. © 2012 Cisco and/or its affiliates. All rights reserved. 19