From Physical to Virtual to Cloud

Mike Nielsen
Senior Director Security
February 7, 2012

© 2012 Cisco and/or its affiliates. All rights reserved. 1

Cisco Data Center Technology
Physical Deployment Use Cases
Virtual and Cloud Deployment Use Cases


NEARLY MORE THAN

2000% 50%
increase in application traffic of business-critical applications
and network connections per will be virtualized by 2013
second required for inspection
by 2015

Rapidly losing visibility of business-critical traffic


1. vMotion moves VMs across
physical ports—the network
policy must follow vMotion
(across racks, PODS, DCs)

2. Must view or apply
network/security policy to
Port locally switched traffic
Group

3. Need to maintain segregation
of duties while ensuring
Security non-disruptive operations
Admin
Server Admin

Network Admin


PHYSICAL VIRTUAL CLOUD
WORKLOAD WORKLOAD WORKLOAD

• One app per server • Many apps per server • Multi-tenant per server
• Static • Mobile • Elastic
• Manual provisioning • Dynamic provisioning • Automated scaling

HYPERVISOR
VDC-1 VDC-2

CONSISTENCY: Policy, Features, Security, Management

Switching Nexus 7K/5K/3K/2K Nexus 1000V, VM-FEX

Security ASA 5585, ASA SM, IPS VSG, ASA 1000V

Compute UCS for Bare Metal UCS for Virtualized Workloads

* Virtual only, ** Announced

Security needs to scale to the transaction
SCALABLE
or throughput requirements of today’s
SECURITY
applications

PHYSICAL & Security must provide consistent policy
VIRTUAL enforcement across hybrid environments

Security deployments must enable
BUSINESS business agility through the unification of
CONTEXT business and technology policies


Segment resources Ensure maximum
logically and CPU utilization
physically by tenant and VM mobility
or risk class


Firewall Segmentation Fabric Segmentation
Stateful/reflective ACL UCS Fabric Interconnect
Multi-context
VPN

TrustSec

Context-Aware
Segmentation Network Segmentation
Security Group Tags (SGT) Physical
Security Exchange Protocol (SXP) Virtual (VLAN, VRF)
Security Group ACL Virtualized (Zones)


ASA Firewall at Data Center Speeds ASA 5585-SSP60
80
40 Gbps Firewall
20 MM Connections
10
700,000
350,000 CPS

ASA 5585-SSP40

40
20 Gbps Firewall
ASA 5585-SSP20 8
4 MM Connections
20
10 Gbps Firewall 400,000 CPS
Connections
4 MM
2 200,000 CPS
ASA 5585-SSP10 Connections
8
4 Gbps Firewall 250,000
125,000 CPS
2
1 MM
ASA Services
Connections Module
100,000 CPS
50,000 CPS 80
20 Gbps Firewall
40
10 MM Connections
1.2 MM CPS
300,000CPS

Campus Data Center


Assured Protection for High-performance Data Centers

Next-generation firewall at

700%
Higher Performance
data center speeds
• Clusters managed as a
single logical device
Density • 320 Gbps firewall & 80
Gbps IPS throughput
• 1 million connections per
84%
Less Power
second
• 50 million concurrent
sessions
Consumption • Pay as you grow
Integrated identity, content

87%
Percent Less
and application security
Fully IPv6 compliant for
coming wave of mobile
Rack Space application access


Assured Protection for High-performance Data Centers

400%
Highest IPS performance
density
• 10 Gbps IPS throughput
Higher Performance
Density • 100,000 connections per
second

75%
Less Power
• Expandable 2RU chassis

Context-aware attacker,
Consumption victim,
and attack visibility

50%
Less Rack Space
Backed by Cisco Security
Intelligence Operation (SIO)
for the highest level of attack
identification and mitigation

Cisco® ASA 5585-X v9.0 with Clustering Capability*
• Two to eight ASAs supported per cluster (same
model and DRAM)
• Both routed (L3) and transparent (L2) firewall
modes supported
• Cluster performance = 60-70 percent of
combined throughput and connections (traffic-
dependent) ASA CLUSTERING AT CONTROL
PLANE
• One master syncs configuration to all members
• Minimum one cluster control interface for the
cluster control plane
• Site-to-site VPN support

Not supported in cluster mode: SSL/IPSEC RA VPN, VPN LB, Botnet Traffic
Filter, DHCP capabilities, WCCP, Unified Communications features, ASA-CX
SSP, specific applications inspection.

* Clustering is supported on ASA 5585, 5580 and ASA SM
ASA Clustering at Data Plane

Cisco Catalyst 6500 as Services Switch
®

• ASA SM for Catalyst 6500

• Etherchannel Integration with
Cisco Nexus 7K/vPC ®

• 6500 supports Link Aggregation
Control Protocol (LACP), IEEE
802.3ad standard
• Traffic forwarded using service-
specific VLANs
• Each port-channel supports up
to eight active and eight standby
links


System Dashboard


Integrated Identity Security
Context AAA
Directory Infrastructure
Agent

Mark

Data Center and Cloud
AnyConnect

IDFW DMZ
John
ASA Identity Firewall


AD/LDAP Identity
• Non-auth-aware apps
NTLM • Any platform
Kerberos • AD/LDAP credential
TRUSTSEC
Network Identity
Secure Group Tags on ASA
User Authentication IP Surrogate
• Auth-Aware Apps AD Agent
• Mac, Windows, Linux
• AD/LDAP user credential


TrustSec lets you define policy in Context Classification
meaningful business terms
Business Policy

TAG Security Group Tag

Destination HR Database Prod CRM Storage
Source

VD HR Users X X Distributed Enforcement in DC

VPN HR User X X X
IT Ops
ASA DC Switch
Test Server Test-ACL X
Filtering Physical and Virtual
Servers in Data Center


Integrated Identity Security

SGT (6) mktg-servers
SGT (9) HR-servers ISE

SGT=06 Packet

SGT=09 Packet

Security Xchange Protocol


• Users assigned with a
security group tag
• Contextual access control is
now possible
• Cisco Nexus® 7000 enforces
group policy at the DC edge
• Cisco® ASA 5585-X v9.0
support SXP security group
tags in policy
• Example usage: access to
VDI service in DC


Delivers protections months ahead of the threat

0010 010 10010111001 10 100111 010 000100101 110011 01100111010000110000111000111010011101 1100001110001110 1001 1101 1110011 0110011 101000
0010 010 10010111001 10 100111 010 000100101 110011 01100111010000110000111000111010011101 1100001110001110 1001 1101 1110011 0110011 101000
Cisco SIO
WWW

Email Devices Web CWS IPS AnyConnect

Zero-day detection WWW

Actions
Information
IPS Networks Endpoints ESA ASA WSA
Reputation-based
Visibility protection Control
1.6M global sensors 3 to 5 minute updates
75TB data received per day Consistent 5,500+ IPS signatures produced
150M+ deployed endpoints 8M+ rules per day
enforcement
35% worldwide email traffic 200+ parameters tracked
13B web requests 70+ publications produced


Proving SIO - Global Correlation White Paper
http://www.cisco.com/en/US/products/ps12156/prod_white_papers_list.html

Figure 4. Sensor at Industrial Supplies Distributor (IND-2) Figure 2. Sensor at Bank (BNK-1)

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Unified Firewall Policies in Virtual and Cloud Environments

Unmatched Deployment Consistent Policies
Flexibility • Common ASA configuration
for physical, virtual and
cloud deployments
Lowest Operational VM Firewall Scalability
Complexity • Single Instance secures up
to 64 ESX hosts
• Limitless VMs for SP and
Enterprise
Enhanced Network
Scalability Unified Fabric Security
• Integrates with the Nexus
1000V Series switch
• Complements zone-based
security capabilities of the
Cisco Virtual Security
Gateway)


Features and Capabilities

Built using Cisco ASA IPsec VPN (site to site)
infrastructure
NAT

Interoperability with Cisco VSG DHCP
through service chaining

Default gateway

VXLAN gateway Static routing

Stateful inspection
Multi-tenant management
Through Cisco VNMC IP audit


Zone 1 Zone 2
• The zones used define policy
enforcement
• Unique policies and traffic
decisions applied to each zone
• Physical infrastructure mapped Steer VM traffic to
virtual context
per zone:
• VRF
• Virtual context

• Merging physical and virtual vPath
Virtual Switch Segment pools of
vPath
Virtual Switch
infrastructure vSphere blade resources per
vSphere
zone


VSG

Zone-based intratenant
Cisco Nexus 1000V
® segmentation of VMs

Cisco ASA 1000V
®

Virtual Service Nodes
vPATH
Nexus 1000V

Hypervisor
Ingress/egress multitenant
edge deployment
vCenter Nexus 1 KV VNMC

Server Network Security
Admin Admin Admin

Virtual Security Gateway: Zone Firewall for
Cisco Nexus® 1000V

• Control inter-VM traffic to address new blind
spot
• Support dynamic VM provisioning
VM-to-VM traffic VM-to-VM traffic
• Transparent VM mobility enforcement

• Policy based VLAN-agnostic operation

• Administrative separation of duties;
App App App App
server, network, and security`
OS OS OS OS


SECURING VM-VM TRAFFIC

Aggregation
ERSPAN DST
IDS ID:2
Virtual Sensor 1

IDS ID:1
Virtual Sensor 2

Zone B Zone C
monitor session 1 type erspan-source VDC VDC
description N1k ERSPAN – session 1 vApp
monitor session 3 type erspan-destination
description N1k ERSPAN to IDS Virtual
Sensor 1 VSG
VSG
vApp

monitor session 2 type erspan-source
description N1k ERSPAN –session 2
monitor session 4 type erspan-destination
description N1k ERSPAN to IDS Virtual
Sensor 2 vPath
Cisco® Nexus 1000V

© 2012 Cisco and/or its affiliates. All rights reserved.
vSphere 29

Tenant A Tenant A’ (clone)

VM 1 VM 2 VM 1 VM 1 VM 2 VM 1

VM 3 VM 1 VM 3 VM 1

ASA 1000V ASA 1000V
Virtualized Servers

External Network

• Multizone tenant cloning while keeping overlapping IP addresses
• Isolate overlap IPs with dynamic Network Address Translation (NAT)
while connected to the external network


Proven Cisco Security…Virtualized vCenter

• Physical – virtual consistency Virtual Network Management Center (VNMC)

Tenant B
Collaborative Security Model Tenant A
VDC VDC

• VSG for intra-tenant secure zones vApp

• ASA 1000V for tenant edge controls
VSG VSG VSG
vApp
Seamless Integration
• With Nexus 1000V & vPath VSG

ASA 1000V ASA 1000V
Scales with Cloud Demand
vPath
• Multi-instance deployment for Nexus 1000V
horizontal scale-out deployment Hypervisor


Tenant A Tenant B

VM 1 VM 2 VM 1 VM 1 VM 2 VM 1

VM 3 VM 1 VM 3 VM 1

ASA 1000V ASA 1000V
Virtualized Servers

• VMs are quickly brought up and down in virtual environments
• ASA 1000V DHCP capability used to assigns dynamic IPs to new VMs


Physical Data Center
DC Security Cisco
Validated Designs

Virtual Data Center
Virtualized Multiservice
Data Center (VMDC)


End-to-End Security for Hybrid Infrastructure

Physical Virtual and Cloud
Physical Appliances and Modules
Cloud Firewall
Cisco Multi-Scale™ data center-class
Enhanced cloud security
Cisco® ASA devices

Cisco ASA Cisco Catalyst® 6500 Cisco VSG Cisco ASA 1000V
5585-X Series ASA Services Cloud Firewall
Module
• Scalable in-line performance • Proven firewall to secure your cloud
• Data center-edge security policies • Policies specific to the tenant edge to
the virtual machine
• Flexible deployment options • Automated, policy-based provisioning


• Always-on, security that is
integrated into the network fabric
• End-to-end security solutions for
Physical physical and virtual environments
• Context-aware security to
Cloud differentiate risk from random
• Services to enable pervasive
security across the infrastructure,
within, and between clouds
Virtual


Thank you.


From Physical to Virtual to Cloud

From Physical to Virtual to Cloud

Recommended

More Related Content

What's hot

What's hot(20)

Viewers also liked

Viewers also liked(18)

Similar to From Physical to Virtual to Cloud

Similar to From Physical to Virtual to Cloud(20)

More from Cisco Security

More from Cisco Security(15)

Recently uploaded

Recently uploaded(20)

From Physical to Virtual to Cloud

Editor's Notes