Next gen DC secu - Cisco · Segmentation •Establish boundaries: network, compute, virtual...
Segmentation
• Establish boundaries: network, compute, virtual
• Enforce policy by functions, devices, organizations, compliance
• Control and prevent unauthorized access to networks, resources, applications
Threat Defense
• Stop internal and external attacks and interruption of services
• Patrol zone and edge boundaries
• Control information access and usage, prevent data loss and data modification
Visibility
• Provide transparency to usage
• Apply business context to network activity
• Simplify operations and compliance reporting
Four segmentation use cases:
1. Secure Internal Zone from External Zone
2. Secure Application Tiers
3. Secure Data for Compliance
4. Secure Multitenancy
[Diagram: one panel per use case. Labels: Campus/Data Center, Internet, Vendor, Partner, Extranet, Cisco VXI; application tiers Front-End (Presentation), Web Tier (Business Logic), DB Tier (Data Access); firewall contexts CTX1/CTX2 and Nexus VDC1/VDC2 interconnected with vPC.]
Internal Zoning: Aggregation Layer / Services Layer (option) / Virtual Network & Access
• Initial filter for all ingress and egress to DC services & compute: "North-South" protection
• Stateful filtering and logging for all ingress and egress traffic flows
• Physical appliances can be virtualized and applied to server enclaves
• Virtual firewall, zone/enclave-based filtering
• IP-based Access Control Lists
• VM attribute-based policies (policy should follow the VM)
• "East-West" protection
Traditional Edge Security: Data Center Edge
• Physical delineation for all ingress and egress into the 'CORE' of the DC; traditional security models apply to North-South protection
• Additional services location for server-farm-specific protection and other potential zones
[Diagram: DC Edge (Layer 3, toward Internet, Partners and IP-NGN (BBG)), DC Core, DC Aggregation, DC Access (Layer 2, 10GE; 4/8 Gb FC) and DC Virtual Access, with the separation mechanisms available at each tier: VRF-lite, VRF, VLAN/802.1Q, Firewall/IDS partitioning, VDC, FEX/A-FEX/VM-FEX, Virtual FW, VLAN/PVLAN, VXLAN.]
Compute Separation: vNICs, VLANs, Port Profiles
Storage Separation: VSAN, FC Zoning, LUN masking, vFilers
Application Tier: logical and physical segmentation with L2/L3 firewalling and security zoning
Network Separation:
• Per-tenant routing and forwarding tables (VRF)
• VLAN IDs and the 802.1Q tag provide isolation and identification of tenant traffic across the L2 domain
• VRF-lite implemented at the core and aggregation layers provides per-tenant isolation at L3
• VDC to segregate and virtualize the equipment
Defense in depth per consumer (front-end ASA, back-end VSG)
Physical hosts protected by ASA FW and NGIPS:
• Control North/South traffic with ASA 5585
• Scale and HA with Clustering
• Inspect North/South traffic with NGIPS
• Segment and protect virtual enclaves with ASAv and vNGIPS
[Diagram: NGIPS, ASA FW with Clustering, NGA, Virtual FlowSensor]
CTD: Cisco Cyber Threat Defense. Leverage your Cisco infrastructure to fight advanced pervasive threats.
TrustSec with Security Group Tagging (SGT), with ISE as the source of the tags: Simplify, Automate, Accelerate, Standardize.
TrustSec flow shown on the slide: Users/Device → Switch → Router → DC FW → DC Switch → HR Servers (SGT = 10) / Fin Servers (SGT = 4)
• Classification: ISE, with the directory, assigns the user's SGT (SGT = 5) at the access switch
• SGT Propagation: the tag travels with the data across the network (Data + SGT:5)
• Enforcement: policy is applied in the data center (DC FW / DC Switch) on source and destination SGT rather than on IP addresses
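As an added example, not part of the Cisco deck, the following Python models the three stages on the slide: ISE classifies an identity to an SGT, the tag is propagated (inline in the frame from the access switch, or as an IP-to-SGT binding the firewall learns over SXP), and the data-center firewall enforces an SGACL matrix keyed on source and destination SGT. The SGT values 5 (users), 10 (HR Servers) and 4 (Fin Servers) come from the slide; the group names, IP prefixes, ports and the matrix cells are constructed assumptions, and the helpers `classify_user`, `sgt_for_ip` and `enforce` are illustrative, not Cisco APIs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

UNKNOWN_SGT = 0  # TrustSec reserves SGT 0 for "Unknown": unclassified endpoints

# 1. Classification. ISE maps an authenticated identity (user/device plus
#    directory group) to an SGT at login. Group names are constructed; the
#    value 5 for users is taken from the slide.
GROUP_TO_SGT = {
    "HR_Users": 5,
    "Contractors": 7,   # constructed: a second user population with no server access
}

# Server endpoints are classified by IP-to-SGT bindings that the DC firewall
# learns over SXP (or has configured statically). Prefixes are constructed;
# SGT 10 (HR Servers) and SGT 4 (Fin Servers) are from the slide.
IP_TO_SGT = [
    (ip_network("10.10.10.0/24"), 10),   # HR Servers
    (ip_network("10.10.20.0/24"), 4),    # Fin Servers
]

# 3. Enforcement. SGACL matrix: (source SGT, destination SGT) -> permitted
#    TCP destination ports. Any pair/port not listed is denied, so a new
#    server only becomes reachable once someone writes a cell for it.
SGACL = {
    (5, 10): {443, 445},   # HR users -> HR servers: HTTPS and SMB
    (10, 4): {1433},       # HR servers -> Fin servers: SQL Server only
}


def classify_user(group: str) -> int:
    """ISE-style classification: an unknown group gets SGT 0, never a guess."""
    return GROUP_TO_SGT.get(group, UNKNOWN_SGT)


def sgt_for_ip(ip: str) -> int:
    """SXP-style lookup: longest matching IP-to-SGT binding, else Unknown."""
    addr = ip_address(ip)
    matches = [(net.prefixlen, sgt) for net, sgt in IP_TO_SGT if addr in net]
    return max(matches)[1] if matches else UNKNOWN_SGT


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    inline_sgt: Optional[int] = None   # 2. Propagation: SGT carried in the CMD header


@dataclass(frozen=True)
class Decision:
    action: str        # "permit" or "deny"
    src_sgt: int
    dst_sgt: int
    reason: str        # what the firewall would log


def enforce(pkt: Packet) -> Decision:
    """Policy decision a TrustSec-aware DC firewall makes for one packet."""
    # Prefer the inline tag set by the access switch; fall back to the SXP
    # binding table. Either way the source never defaults to a privileged group.
    src_sgt = pkt.inline_sgt if pkt.inline_sgt is not None else sgt_for_ip(pkt.src_ip)
    dst_sgt = sgt_for_ip(pkt.dst_ip)
    if UNKNOWN_SGT in (src_sgt, dst_sgt):
        return Decision("deny", src_sgt, dst_sgt, "unclassified endpoint")
    allowed = SGACL.get((src_sgt, dst_sgt), set())
    if pkt.dst_port in allowed:
        return Decision("permit", src_sgt, dst_sgt,
                        f"SGACL {src_sgt}->{dst_sgt} permits tcp/{pkt.dst_port}")
    return Decision("deny", src_sgt, dst_sgt,
                    f"no SGACL cell for {src_sgt}->{dst_sgt} tcp/{pkt.dst_port}")


if __name__ == "__main__":
    # Constructed traffic: an HR user tagged at the switch, a server-to-server
    # flow classified via SXP, and an untagged host the fabric never classified.
    hr_user = classify_user("HR_Users")
    for pkt in (
        Packet("192.168.50.23", "10.10.10.5", 443, inline_sgt=hr_user),   # permit
        Packet("192.168.50.23", "10.10.20.9", 443, inline_sgt=hr_user),   # deny: no cell 5->4
        Packet("10.10.10.5", "10.10.20.9", 1433),                         # permit via SXP lookup
        Packet("192.168.50.99", "10.10.10.5", 443),                       # deny: unknown source
    ):
        d = enforce(pkt)
        print(f"{pkt.src_ip}->{pkt.dst_ip}:{pkt.dst_port} "
              f"sgt {d.src_sgt}->{d.dst_sgt} {d.action}: {d.reason}")
```

The point the slide makes, and the model reproduces, is that the user's IP address never appears in the policy: moving a user to another subnet or a server to another rack changes nothing in the SGACL, and an endpoint that neither carries a tag nor has a binding lands in SGT 0 and is dropped rather than falling into a permitted cell.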
[Diagram: ASA cluster with its Cluster Control Link]
Sourcefire on 5585-X (Blade); Sourcefire on 5500-X (Software)
Subscriptions: Threat: IPS, AVC, URL Filtering, AMP
ASA 9.2 : INCREASED CLUSTERING SIZE AND PERFORMANCE
* Estimated maximum with jumbo frames and no asymmetric traffic
[Diagram: two data centers with identical stacks. At each site: DC Edge with ASA5585-X pairs attached over vPC; a routed DC Core VDC and a DC Aggregation Layer VDC on Nexus 7000; Nexus 5000/Nexus 2000 access to 10Gig server racks and Cisco UCS, all dual-homed with vPC; a Compute Access Layer of Nexus 1000v with VSG and ASA 1000V. The Internal DC Zone(s) sit behind an ASA FW cluster whose members are split across the two sites (Inter-DC FW cluster, CCL extended over the DCI).]
DCI with dark fiber: double-sided vPC over dark fiber, 10G-400G, RTT <10 ms and <100 km between sites.
Dark fiber could be connected to Core/Aggregation or to a dedicated Services layer. Each has pros and cons based upon the environment.
[Diagram: the same two-site topology (DC Edge with ASA5585-X on vPC, routed DC Core VDC and DC Aggregation Layer VDC on Nexus 7000, Nexus 5000/2000 access to 10Gig server racks and Cisco UCS, Compute Access Layer with Nexus 1000v, VSG and ASA 1000V) with the DCI provided by OTV: an OTV VDC at each site provides the Layer 2 extension between sites and carries the CCL of the Inter-DC FW cluster. Extranet attaches at the DC Edge. RTT <10 ms and <100 km.]
[Diagram: FabricPath spine and leaf in Data Center A (Pods A1-A3) and Data Center B (Pods B1-B3), Compute Access Layer per pod, an L2 or L3 interconnect between the sites, and an ASA Cluster stretched across both. RTT <10 ms and <100 km.]
Data Center Design Zone : http://www.cisco.com/go/vmdc
Source: Cisco® Global Cloud Index 2012
• Proven Cisco® security, virtualized: physical and virtual consistency
• Collaborative security model: Cisco Virtual Secure Gateway (VSG) for intra-tenant secure zones; Cisco ASA 1000V for tenant edge controls
• Transparent integration with Cisco Nexus® 1000V Switch and Cisco vPath
• Scale flexibility to meet cloud demand: multi-instance deployment for scale-out across the data center
[Diagram: Tenant A and Tenant B, each a VDC containing vApps, with a Cisco ASA 1000V at each tenant edge and Cisco VSG instances inside each tenant.]
ASAv (removed: clustering and multiple context mode)
• Parity to physical form-factor feature-set
• Scaling through virtualization
• Up to 10 vNIC interfaces
• Crypto in software
• SDN and traditional management tools
• Scales to 4 vCPUs and 8 GB of memory
• Ability to manage one policy on both physical and virtual ASAs
ASA Open Security Platform
• Multi-tenant and application aware
• Read/write southbound API
• Published device management package for ACI
• Standards compliant
• Monitoring features
Integrations: hypervisor support, orchestration frameworks, system management (CSM, PNSC).
[Diagram: ASAv failover pair, ASAv (Active) and ASAv (Standby)]
Routed Firewall
• Routing traffic between vNICs
• Maintains ARP and routing table
• Tenant edge firewall
Transparent Firewall
• VLAN or VXLAN bridging/switching
• Maintains MAC-address tables
• Non-disruptive to L3 designs
Service Tag Switching
• Applies inspection between service tags
• No network participation
• Fabric integration mode
ASAv PHASED RELEASE
[Feature table by release: 9.2.1 and 9.3.1/9.3.2; the row contents are not present in the transcript.]
[Diagram: three layers, Application (Web Tier, App Tier, DB Tier), Security (External Zone, DMZ, Trusted Zone holding the DB Tier) and Infrastructure/Cloud, each owned by a role: Application Admin, Security Admin, Network Admin, Cloud Admin.]
[Diagram: the same Application and Security layers (External Zone, DMZ, Trusted Zone with the DB Tier) drawn over a common pool of resources in the cloud; Application Admin, Security Admin and Network Admin work on their own layer while the Cloud Admin owns the shared pool.]
Intelligent Fabric (Cisco Nexus 9000), with endpoints grouped as "Users" and "Apps"
• Logical Endpoint Groups by Role: heterogeneous clients, servers, external clouds; the fabric controls communication
• Flexible Insertion: every device is one hop away, microsecond latency, no power or port availability constraints, ease of scaling
• Unified Management and Visibility: the ACI Controller manages all participating devices, with change control and audit capabilities
• Fabric Port Services: hardware filtering and bridging; seamless service insertion, "service farm" aggregation
• Flat Hardware Accelerated Network: full abstraction, de-coupled from VLANs and dynamic routing, low latency, built-in QoS
[Diagram: ACI Fabric of Spine Nodes and Leaf Nodes plus a Virtual Leaf; EPG "Users" and EPG "Internet" on the service-consumer side, EPG "apps" on the service-producer side.]
A platform approach to data centre infrastructure: APIC
• Tenant and application aware
• Read/write all fabric info
• Published data model
• Open source
• Industry standard compliant
Integrations: hypervisor management, automation tools, orchestration frameworks, system management, security (ASA).
[Diagram: EPGs "Users" and "Apps" in the ACI Fabric, joined by the Policy Contract "Users → Apps" and managed by the Application Policy Infrastructure Controller (APIC).]
• Define Endpoint Groups: any endpoints anywhere within the fabric, virtual or physical
• Define Contracts Between Endpoint Groups: port-level rules (drop, prioritize, push to service chain); reusable templates
• Ingress Fabric Rules Programmed from Contract: hardware rules on each port, security in depth, embedded QoS
• Single Pass Firewalling with Flow-Specific Policy: the security administrator defines generic templates in APIC, made available to contract creation
• Single Point of Management: different administrative groups use the same interface, with a high level of object sharing
[Diagram: EPG WEB (consumer) and EPG APP SERVER (provider), each containing endpoints (EP), joined by a contract.]
A contract specifies rules and policies on groups of physical or virtual endpoints without understanding of specific identifiers and regardless of physical location. It is defined bi-directionally in the "provider"-centric way.
• Identifies what traffic: L4 port ranges, TCP options, …
• Identifies the actions applied: QoS, Log, Redirect into SVC graph, …
Endpoints in group WEB can access endpoints in group APP SERVER according to the rules specified in the contract.
There are six policy options supported:
• Permit the traffic
• Deny (block) the traffic
• Redirect the traffic
• Log the traffic
• Copy the traffic (copy packet)
• Mark the traffic (DSCP/CoS)
Policy encompasses traffic handling, quality of service, security monitoring and logging.
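As an added example, not code from the Cisco deck or from APIC, the following Python models the contract semantics of the two slides above: endpoints belong to EPGs, a contract made of subjects is consumed by one EPG and provided by another, each subject carries filter entries (what traffic) and actions drawn from the six options (permit, deny, redirect, log, copy, mark), the filter is written provider-centric so the provider's reply is matched on the reversed port, traffic inside one EPG needs no contract, and anything without a matching contract falls to the implicit deny. The EPG names WEB, APP SERVER and Database come from the slides; the endpoint names, ports, subject names, service-graph name and the `Fabric`/`evaluate` helpers are constructed for illustration, and the model deliberately ignores the rest of the ACI object hierarchy (tenants, application profiles, VRFs, bridge domains).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The six policy options from the slide. Everything except "deny" lets the
# packet through and adds a side effect (log, copy, mark) or a detour
# (redirect into a service graph).
ACTIONS = {"permit", "deny", "redirect", "log", "copy", "mark"}


@dataclass(frozen=True)
class FilterEntry:
    """'What traffic': protocol plus an L4 destination port range."""
    proto: str
    port_lo: int
    port_hi: int

    def matches(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.port_lo <= port <= self.port_hi


@dataclass(frozen=True)
class Subject:
    """'Actions applied' to the traffic selected by its filters."""
    name: str
    filters: Tuple[FilterEntry, ...]
    actions: Tuple[str, ...]            # e.g. ("permit", "log") or ("redirect", "mark")
    target: str = ""                    # service graph for redirect, DSCP value for mark
    reverse_filter_ports: bool = True   # let the provider's reply back on the reversed port

    def __post_init__(self) -> None:
        unknown = set(self.actions) - ACTIONS
        if unknown:
            raise ValueError(f"unsupported action(s): {sorted(unknown)}")


@dataclass(frozen=True)
class Contract:
    name: str
    subjects: Tuple[Subject, ...]


@dataclass
class Fabric:
    epg_of: Dict[str, str]                     # endpoint -> EPG, as learned by the leaf
    provides: Dict[str, List[Contract]] = field(default_factory=dict)
    consumes: Dict[str, List[Contract]] = field(default_factory=dict)

    def bind(self, consumer_epg: str, provider_epg: str, contract: Contract) -> None:
        self.consumes.setdefault(consumer_epg, []).append(contract)
        self.provides.setdefault(provider_epg, []).append(contract)


def _verdict(subject: Subject) -> str:
    if "deny" in subject.actions:
        return "deny"
    return "redirect" if "redirect" in subject.actions else "permit"


def evaluate(fabric: Fabric, src_ep: str, dst_ep: str, proto: str,
             sport: int, dport: int) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow, the way a leaf's zoning rules would."""
    src_epg, dst_epg = fabric.epg_of.get(src_ep), fabric.epg_of.get(dst_ep)
    if src_epg is None or dst_epg is None:
        return "deny", "endpoint not learned in any EPG"
    if src_epg == dst_epg:
        return "permit", f"intra-EPG {src_epg}: no contract required"
    # Consumer -> provider: the filter describes the provider's service port.
    for c in fabric.consumes.get(src_epg, []):
        if c in fabric.provides.get(dst_epg, []):
            for s in c.subjects:
                if any(f.matches(proto, dport) for f in s.filters):
                    return _verdict(s), f"{c.name}/{s.name} consumer->provider {s.actions}"
    # Provider -> consumer: only the reply, matched on the reversed (source) port.
    for c in fabric.provides.get(src_epg, []):
        if c in fabric.consumes.get(dst_epg, []):
            for s in c.subjects:
                if s.reverse_filter_ports and any(f.matches(proto, sport) for f in s.filters):
                    return _verdict(s), f"{c.name}/{s.name} provider->consumer (reversed ports)"
    return "deny", f"implicit deny: no contract between {src_epg} and {dst_epg}"


def build_demo_fabric() -> Fabric:
    """Constructed fabric: EPG names from the slides, everything else assumed."""
    fabric = Fabric(epg_of={
        "web-01": "WEB", "web-02": "WEB",
        "app-01": "APP SERVER",
        "db-01": "Database",
    })
    web_to_app = Contract("WEB->APP SERVER", (
        Subject("app-http", (FilterEntry("tcp", 8080, 8080),), ("permit", "log")),
    ))
    web_to_db = Contract("Web->Database", (
        # Pushed through a service graph (firewall, load balancer) and marked.
        Subject("db-sql", (FilterEntry("tcp", 3306, 3306),), ("redirect", "mark"),
                target="svc-graph Web->Database / DSCP AF31"),
    ))
    fabric.bind("WEB", "APP SERVER", web_to_app)
    fabric.bind("WEB", "Database", web_to_db)
    return fabric


if __name__ == "__main__":
    fab = build_demo_fabric()
    for flow in (("web-01", "app-01", "tcp", 51000, 8080),   # permit + log
                 ("app-01", "web-01", "tcp", 8080, 51000),   # reply: permit on reversed port
                 ("app-01", "web-01", "tcp", 40000, 22),     # provider-initiated: implicit deny
                 ("web-01", "db-01", "tcp", 52000, 3306),    # redirect into service graph
                 ("app-01", "db-01", "tcp", 52001, 3306),    # no contract: implicit deny
                 ("web-01", "web-02", "tcp", 1234, 80),      # intra-EPG permit
                 ("rogue-01", "app-01", "tcp", 1, 8080)):    # unknown endpoint: deny
        print(flow, "->", evaluate(fab, *flow))
```

Two behaviours are worth noticing when reading the output. The provider can answer on the contract's port but cannot open a new connection to the consumer, which is what "defined bi-directionally in the provider-centric way" buys you over a symmetric ACL. And an endpoint the leaf has not classified into any EPG, or two EPGs with no contract between them, are dropped without anyone having written a deny rule; the whitelist is the default, not something an administrator has to remember to configure.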
[Diagram: EPG "Web" (Application Container "Web") and EPG "Database" (Application Container "Database"), joined by Policy Contract "Web → Database" with Service Chain "Web → Database"; subnet label 192.168.1.0/24.]
[Diagram: service graph in DC1 with FW_A (ASA 5585) and a NetScaler VPX inserted through policy-based redirection; Application Admin and Service Admin roles.]
[Diagram: the service graph rendered onto the ACI Fabric and a Nexus 7000, shown in Graph, Physical and Logical views.]