Security at the Speed of the Network
Page 1
Security at the Speed of the Network: Automating and Accelerating Security Through SDN and NFV
BRKSEC-2760
Hantzley Tauckoor – CISSP #472723, CCDE #2015::43
Consulting Systems Engineer – MANO & Programmability
Global Virtual Engineering, Cisco Systems
Page 2
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKSEC-2760 2
./about_me
Hantzley Tauckoor
Consulting Systems Engineer – MANO & Programmability
Global Virtual Engineering, Cisco Systems
linkedin.com/in/hantzley Twitter: @[email protected]
Page 3
Agenda
• Security from the Service Provider perspective
• Putting SDN/NFV to work – DDoS
• Automating Security in the SP Data Centre
• Generating new revenue streams with hosted security services
• SDN & NFV Infrastructure Security
• Summary
Page 5
Security from the Service Provider Perspective
Page 6
Trends: New Opportunities …
The world has gone mobile
Traffic growth, driven by video
Rise of cloud computing
Machine-to-Machine
Changing Customer Expectations
Ubiquitous Access to Apps & Services
10X Mobile Traffic Growth from 2013-2019
Changing Enterprise Business Models
Efficiency & Capacity
Soon to Change SP Architectures / Service Delivery
Emergence of the Internet of Everything: People, Process, Data, Things
[Chart: global IP traffic in Petabytes per Month, 2013-2018 (0 to 120,000); Internet Video (57%, 75%) versus Other (43%, 25%); 23% global CAGR 2013-2018]
New Threats
Dynamic Threat Landscape
Increasing Threat Sophistication
Risks to Service Providers and Their Customers
Page 7
Your Customers Are Being Attacked By DDoS
Page 8
2015 Verizon Data Breach Investigations Report
Compromise: ~84% of initial compromises completed within hours
Detection: ~65% of initial compromises undetected for months
Page 9
Legacy Security: Costly & Complex
Siloed
Inefficient
Manual
Limited integration, security gaps
Hard-coded processes
Over-provisioned, static, and slow
Hinders realization of open and programmable networks
Page 10
SDN Automation: The Speed of The Network
[Attack continuum diagram: BEFORE, DURING, AFTER; labelled Visibility, Control, Threat, Analytics]
Page 11
How Automated Are You Today?
[Attack continuum diagram: BEFORE, DURING, AFTER; labelled Visibility, Control, Threat, Analytics; each stage rated on a scale from Automated to Manual]
Page 12
Managing The Threat Lifecycle: Protecting the Infrastructure and Offering Elastic Managed Services
Orchestration
VMS / Cloud Services Orchestration: real-time application of the right service, in the right place, at the right time
Quantum WAVE / WAN Orchestration: real-time topology and service health information
Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Firewall
NGFW
NAC + Identity Services
VPN
UTM
NGIPS
Web Security
Email Security
Advanced Malware Protection
Network Behaviour Analysis
Visibility, Context, Autonomics and BCPs
DDoS Visibility/Mitigation Services
Forensic Analytics
HSS
UBIqube – MS Activator: Security Domain Management
Page 13
Anatomy of the SP network
Segments: Access | Service Edge | Aggregation / Transport | Core | Data Center | Enterprise WAN
Access types: Mobile, Residential, Business
Access equipment: CMTS, DSLAM, Cell Site Router; Video Dist
Security Features per segment: MACsec, Volumetric DDoS, VPN / FW, VPN, CGNAT, NGIPS, AMP, Mobile Inspection / MACsec, FW, VPN, NGIPS, AMP, App DDoS / FW, VPN, NGIPS, AMP, Volumetric DDoS, App DDoS
SP Security Best Practices - http://tools.cisco.com/security/center/serviceProviders.x?i=76
Page 14
Security for Open & Programmable Networks
Cisco Service Provider Architecture
Applications & Services
Cisco Services
Evolved Services Platform: Orchestration Engine, Catalog of Virtual Functions, Service Profile, Service Broker, Smart Service Capabilities
Evolved Programmable Network: Compute, Storage, Network
Open APIs
Security
Benefits: • New Revenue Streams • Increased Business Agility • Lower Operating Costs
Page 15
Network Programmability
Controller: Network Monitoring, Bandwidth Management, Load Balancing; Topological awareness; Policy resolution
Programmatic Interface: Netconf, OpenFlow, REST APIs, CLI :-)
Page 16
Programmability Across Multiple Controllers
App – APIC Controller (Data Centre)
App – APIC-EM / WAE Controller (Campus / WAN)
Threat Defense / Security Policy
Service Orchestrator
Page 17
A Plethora of Controllers
Open Source Projects | Data Center | Campus | WAN
APIC
Cloud Orchestration. Objective: extend OpenStack Neutron’s networking model with new policy APIs
OpenStack “sister project” to group based policy in OpenDaylight
SDN Controller under the Linux Foundation; security extensions; common vendor-supported framework
WAE – Traffic Optimization: monitor for path constraint violations; automate network changes to ensure path compliance
Service Chaining
Application Network Flow Profile: SLA, Security, QoS, Load Balancing
User/Things Network Profile: QoS, Security, SLA, Device, Location, Role
VTS – Overlay Automation
Page 18
Transition to All-virtualised Services?
Offering / Service / System / Product / Implementation
HW Appliance → Virtualise existing functions → SAAS-based solutions
SP infrastructure services transitioning to NFV: SP Video, GWs, CPE, Mobile services, Ent Managed Services, IAAS
Can be leveraged to offer SAAS
Drivers:
• Reducing total OpEx and CapEx
• Increased service velocity and agility
• Increasing revenue
All SP services are virtualising …: SP Video, GWs, CPE, Mobile services, Ent Managed Services, L2 / L3 VPN, IAAS
Some services move straight to SAAS: HCS, Scansafe, Webex, SDVPN, SP Video, HCS
Page 19
Network Function Virtualization
• Movement of network functions to the cloud
• Control, services and data plane components
• NFV is not applicable to all network applications
  • However, most service functions are in the frame
  • High-performance plumbing is not, at the moment
• NFV is an architecture rather than simply virtualizing functions
  • Virtual services, compute
  • Service chaining, overlays
  • Orchestration and redirection
• Covers a number of use cases
See also: http://www.etsi.org/deliver/etsi_gs/NFV/001_099/002/01.01.01_60/gs_NFV002v010101p.pdf
Page 20
Evolving The Network Software Stack
Application Software: Unified Communications; CCS; Evolved VPN: CloudVPN, …; Custom Apps; …
Infrastructure Software: Orchestration: NSO, …; Management: Prime, …; Optimization: WAE, …
Embedded Software: Network OS: IOS-XE, NX-OS, …; Plugins: Puppet, Guest shell, …; Base OS: Linux, …; Base Control Infrastructure; Protocols: IETF, IEEE, …; virtual and physical
Page 21
Summary: The Building Blocks
Service Orchestration: automation, provisioning and interworking of physical and virtual resources
SDN: separation of control and data plane, controllers
NFV: network functions and software running on any open standards-based hardware
Traditional: distributed control plane components, physical entities
Page 22
Agenda
• Security from the Service Provider perspective
• Putting SDN/NFV to work - DDoS
• Automating Security in the SP Data Centre
• Generating new revenue streams with hosted security services
• SDN & NFV Infrastructure Security
• Summary
Page 23
Putting SDN/NFV to Work: Security Services Virtualization & SDN DDoS Mitigation
Pages 24-28
Distributed Denial of Service Attack Mitigation (animated build)
[Diagram: a Controller receives Traffic Statistics from the network; DoS traffic appears; the controller applies Traffic Redirection]
Page 29
Cisco ASR 9000 vDDoS Protection
Arbor Networks Threat Management System (TMS) + ASR 9000 with Virtual Services Module (VSM) = Cisco ASR 9000 vDDoS Protection “Powered By Arbor Networks”
Architectural Superiority
Unified Management
Scalable Performance
Reduced OPEX
Flexible Deployment
Page 30
ASR 9000 vDDoS Solution Components
[Diagram: Virtualized Arbor Peakflow SP receives NetFlow stats from the ASR 9000 routers; ASR 9000 VSM running vDDoS SW; Licenses]
• Virtualized Peakflow SP (DDoS Detection)
  • Collects flow records
  • Detects abnormal network behaviour and triggers alerts
  • Can influence the routing, injecting BGP routes in the network
  • Supports BGP FlowSpec as a controller
  • Sets up and monitors the TMS remotely
• Virtual DDoS SW (running on A9K VSM) (DDoS Mitigation)
  • Configured by the SP, receives diverted traffic and proceeds to in-depth packet analysis
  • Discards the attack packets and transmits the legitimate ones
  • Provides real-time monitoring info to operators
Page 31
How Peakflow Works
[Diagram: Enterprise A, B and C behind PE routers; Peering Points; Core Router; Arbor Peakflow SP 6000; ASR 9K applying ACLs]
1 – Anomaly detection
2 – Volumetric DDoS: ACL, BGP FlowSpec
3 – L4-L7 DDoS: redirect to ASR 9K for intelligent mitigation
4 – Identify and filter the malicious requests
5 – Forward the legitimate traffic: GRE, MPLS, …
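The detection-to-diversion sequence of pages 30 and 31 (collect flow records, detect abnormal behaviour per destination, respond with a BGP FlowSpec redirect so the scrubber sees only the diverted traffic) in working form. This is an added Python example, not Cisco's, Arbor's or Peakflow's code: the flow records, the learning window, the threshold factor and the scrubber VRF name are constructed assumptions, and the rule dictionary is a readable stand-in for a FlowSpec rule rather than a real BGP NLRI encoding.

```python
"""Flow-record anomaly detection driving a diversion decision.

Added example, not Cisco's, Arbor's or Peakflow's code: it models the
detection-side steps the deck attributes to Peakflow SP (collect flow
records, detect abnormal behaviour per destination, answer with a BGP
FlowSpec-style redirect towards the scrubber). The flow records, the
learning window and the scrubber VRF name are constructed sample values,
and the rule dict is a readable stand-in, not a real BGP NLRI encoding.
"""
from collections import defaultdict

# Constructed NetFlow-like records: (export second, src, dst, proto, dst port, bytes)
SAMPLE_FLOWS = [
    # steady HTTPS traffic towards 203.0.113.10 (documentation address range)
    (0, "198.51.100.7", "203.0.113.10", 6, 443, 120_000),
    (0, "198.51.100.9", "203.0.113.10", 6, 443, 90_000),
    (1, "198.51.100.7", "203.0.113.10", 6, 443, 110_000),
    (1, "198.51.100.12", "203.0.113.10", 6, 443, 100_000),
    (2, "198.51.100.7", "203.0.113.10", 6, 443, 115_000),
    # steady HTTP traffic towards 203.0.113.20
    (0, "198.51.100.20", "203.0.113.20", 6, 80, 50_000),
    (1, "198.51.100.21", "203.0.113.20", 6, 80, 60_000),
    # second 2: UDP/123 reflection flood from 20 sources towards 203.0.113.20
    *[(2, f"192.0.2.{i}", "203.0.113.20", 17, 123, 1_500_000) for i in range(1, 21)],
]


def bytes_per_second(flows):
    """Aggregate bytes per (second, destination) from raw flow records."""
    agg = defaultdict(int)
    for sec, _src, dst, _proto, _port, nbytes in flows:
        agg[(sec, dst)] += nbytes
    return agg


def baseline(flows, learn_seconds):
    """Mean bytes/second per destination over the first learn_seconds of records."""
    totals = defaultdict(int)
    for (_sec, dst), b in bytes_per_second(f for f in flows if f[0] < learn_seconds).items():
        totals[dst] += b
    return {dst: total / learn_seconds for dst, total in totals.items()}


def detect_volumetric(flows, learn_seconds=2, factor=5.0):
    """Flag (second, destination) pairs whose rate exceeds factor x the learned baseline.

    Destinations with no baseline are skipped rather than alerted on: a first
    sighting is not evidence of an attack, and alerting on it would let any
    new prefix trigger a diversion.
    """
    base = baseline(flows, learn_seconds)
    observed = bytes_per_second(f for f in flows if f[0] >= learn_seconds)
    alerts = []
    for (sec, dst), b in sorted(observed.items()):
        ref = base.get(dst)
        if ref and b > factor * ref:
            alerts.append({"second": sec, "dst": dst, "observed_Bps": b,
                           "baseline_Bps": ref, "ratio": round(b / ref, 1)})
    return alerts


def dominant_vector(flows, sec, dst):
    """(protocol, dst port) carrying the most bytes to dst in that second; keeps the match narrow."""
    by_vec = defaultdict(int)
    for s, _src, d, proto, port, nbytes in flows:
        if s == sec and d == dst:
            by_vec[(proto, port)] += nbytes
    return max(by_vec, key=by_vec.get)


def flowspec_rule(alert, flows, scrubber_vrf="SCRUB-VRF"):
    """FlowSpec-style match/action: redirect only the attack vector for the
    victim /32 into the scrubber VRF (constructed representation)."""
    proto, port = dominant_vector(flows, alert["second"], alert["dst"])
    return {
        "match": {"destination": f"{alert['dst']}/32", "protocol": proto, "destination_port": port},
        "action": {"redirect_vrf": scrubber_vrf},
        "reason": f"{alert['ratio']}x baseline at second {alert['second']}",
    }


def plan_mitigation(flows=SAMPLE_FLOWS):
    """Run detection over the records and return one rule per alert."""
    return [flowspec_rule(a, flows) for a in detect_volumetric(flows)]


if __name__ == "__main__":
    for rule in plan_mitigation():
        print(rule)
```

Two design points carry over to the real thing: the match is narrowed to the dominant protocol and port of the victim /32, so only the attack vector is diverted and unrelated traffic to the same host keeps its normal path; and a destination with no learned baseline is deliberately not alerted on, since a never-seen prefix must not be able to pull traffic into the scrubber on first sight.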
Page 32
Integrated Security Services “at Scale”
Page 33
Legacy Security: Siloed, Inefficient & Expensive
[Diagram: a data packet traverses separate DDoS, SSL, FW, WAF, IPS and Sandbox platforms in series]
Reduced Effectiveness | Increased Latency | Slows Network | Static & Manual
Page 34
Cisco Transforms Security Service Integration
Siloed: [Diagram: a data packet traverses separate DDoS, SSL, FW, WAF, IPS and Sandbox platforms] Limited effectiveness | Increased latency | Slows network | Static & Manual
Integrated, Unified Platform: [Diagram: a data packet traverses DDoS, FW, WAF, NGIPS, SSL and AMP on one platform] Maximum protection | Highly efficient | Scalable processing | Dynamic
Key: Cisco Service / 3rd Party Service
Page 35
Firepower 9300 Platform (NEW)
Carrier-Class: High-Speed, Scalable Security
Modular: Multi-Service Security
Benefits • Integration of best-of-breed security • Dynamic service stitching
Features* • ASA container • Firepower Threat Defense containers • NGIPS, AMP, URL, AVC • 3rd Party containers • Radware DDoS • Other ecosystem partners
Benefits • Standards and interoperability • Flexible Architecture
Features • Template-driven security • Secure containerization for customer apps • RESTful/JSON API • 3rd party orchestration/management
Benefits • Industry Leading Performance / RU • 600% Higher Performance • 30% higher port density
Features • Compact, 3RU form factor • 10G/40G I/O; 100G ready • Terabit backplane • Low latency, Intelligent fastpath • NEBS ready
Page 36
Security Services Architecture
[Diagram: Firepower 9300 chassis with Supervisor (on-board 8x10GE interfaces, Ethernet 1/1-8; 4x40GE network modules in slot 1 (Ethernet 2/1-4) and slot 2 (Ethernet 3/1-4); Ethernet1/7 as Management), Security Modules 1 to 3 and Application Image Storage. Logical packet flow: Data Outside → PortChannel1 → DDoS (Decorator Application, managed by Radware Vision Manager) → ASA Cluster (Primary Application, managed by Chassis Manager & ASDM) → PortChannel1 → Data Inside. Terms: Logical Device, Logical Device Unit, Link Decorator, Application Connector, External Connector]
Page 37
Cisco DDoS Positioning
SP Edge Router Based DDoS with ASR • (Volumetric) on ASR 9K + VSM + Arbor TMS PeakFlow • SP backbone detection and mitigation (SP ASR PE w/ PeakFlow)
SP Scrubbing Center • Various 3rd party options for hosted / MSSP services: Arbor Cloud, Radware Cloud, Prolexic / Akamai
SP Mobility Edge w/ FP 9300 and Radware DDoS (Radware Defense Pipe, Radware Vision) for mobile users
Data Center FW Based DDoS with Firepower 9300 • Firepower 9300 + SM running Radware Defense Pro • Application attack detection and mitigation for applications, services & databases
• Complete DDoS system can be complemented w/ Cisco Lancope Threat Defense
Page 38
Recap - Cisco DDoS Offerings for Service Provider
Arbor TMS on ASR9k
• DDoS target is bandwidth
• Volumetric attacks
• Part of SP Clean Pipes solution
• Traffic diverted to scrubber within router backplane
• Clean traffic reinjected locally
• Additional Arbor products can protect enterprise assets
Radware vDP on FP9300
• DDoS target is firewall and devices behind it, NOT bandwidth
• vDP sits inline and sees all traffic going to firewall
• Other Radware capabilities in the cloud can help with bandwidth-based attacks
Page 39
Agenda
• Security from the Service Provider perspective
• Putting SDN/NFV to work - DDoS
• Automating Security in the SP Data Centre
• Generating new revenue streams with hosted security services
• SDN & NFV Infrastructure Security
• Summary
Page 40
Automating Security in the SP Data Centre
Page 41
Cisco SDN: Providing Choice in Automation and Programmability
Programmable Network: Modern NX-OS with enhanced NX-APIs; Automation Ecosystem (Puppet, Chef, Ansible etc.); Common NX-API across N2K-N9K
Programmable Fabric: VxLAN-BGP EVPN standard-based; 3rd party controller support; VTS for software overlay provisioning and management across N2K-N9K
Application Centric Infrastructure: Turnkey integrated solution with security, centralized management, compliance and scale; Automated application-centric policy model with embedded security; Broad and deep ecosystem
Target markets: Mass Market (commercial, enterprises, public sector); Service Providers; Mega Scale Datacenters
[Diagram: DB, Web and App tiers]
Page 42
Introducing Application Centric Infrastructure
[Diagram: APIC providing Centralized Policy Management with Open APIs, Open Source, Open Standards; Application Network Profile; Orchestration Frameworks, Hypervisor Management (OVM), Systems Management, Automation, Enterprise Monitoring; ACI Fabric; ACI Ecosystem Partners; End Points (Physical & Virtual); Physical Networking (Nexus 2K, Nexus 7K); Hypervisors and Virtual Networking; Compute; L4–L7 Services; Storage; Multi DC, WAN and Cloud; Integrated WAN Edge]
Page 43
Typical Service Chain
• Full abstraction within the service chain
• Every device only knows its function and exchanges packets with the fabric as instructed
• High degree of modularity with low coupling; specific devices are interchangeable
• ACI maintains flow symmetry through the same device instance
[Diagram: EPG “Users”, EPG “Web” and EPG “Files” connected through a chain of SSL, Firewall (policy rules, NAT, inspection), IPS and Analyzer]
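The last bullet is the one that bites in practice: a stateful firewall or IPS that receives the client-to-server half of a connection on one instance and the reply on another will drop the reply as out-of-state. The added Python example below (not ACI's or any vendor's code; the chain, the instance pools and the flows are constructed sample values, and the canonical-key approach is a general technique rather than a description of how ACI does it internally) shows why a naive hash of the 5-tuple breaks symmetry and how ordering the endpoints before hashing restores it across every hop of the chain.

```python
"""Direction-independent flow steering for a service chain.

Added example, not ACI's or any vendor's code: it demonstrates the
"flow symmetry" property the slide names. A stateful device (firewall,
IPS) must see both directions of a connection, so the hash that picks an
instance must give the same answer for A->B and B->A. The chain, the
instance pools and the flows below are constructed sample values; the
canonical-key approach is a general technique, not a description of how
ACI implements it internally.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int

    def reverse(self):
        """The same connection as seen from the other direction."""
        return FiveTuple(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


# Constructed pools: hop name -> instances of that function, in chain order
CHAIN = {
    "SSL": ["ssl-1", "ssl-2"],
    "Firewall": ["fw-1", "fw-2", "fw-3"],
    "IPS": ["ips-1", "ips-2", "ips-3", "ips-4"],
}


def naive_key(ft):
    """Direction-dependent key: the reply flow hashes differently, breaking symmetry."""
    return f"{ft.src_ip}:{ft.src_port}>{ft.dst_ip}:{ft.dst_port}/{ft.proto}"


def canonical_key(ft):
    """Order the two endpoints so both directions of a connection produce one key."""
    lo, hi = sorted([(ft.src_ip, ft.src_port), (ft.dst_ip, ft.dst_port)])
    return f"{lo[0]}:{lo[1]}<>{hi[0]}:{hi[1]}/{ft.proto}"


def pick_instance(key, pool):
    """Deterministic instance choice from a keyed hash."""
    digest = hashlib.sha256(key.encode()).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]


def chain_path(ft, chain=CHAIN, keyfn=canonical_key):
    """Instance chosen at each hop; the hop name is mixed in so hops are chosen independently."""
    key = keyfn(ft)
    return [(hop, pick_instance(f"{hop}|{key}", pool)) for hop, pool in chain.items()]


def count_asymmetric(flows, keyfn, chain=CHAIN):
    """How many flows would have forward and return traffic land on different instances."""
    return sum(chain_path(f, chain, keyfn) != chain_path(f.reverse(), chain, keyfn) for f in flows)


# Constructed sample: 64 client connections to one web server
SAMPLE_FLOWS = [FiveTuple(f"10.0.0.{i}", "192.0.2.80", 6, 40000 + i, 443) for i in range(1, 65)]

if __name__ == "__main__":
    print("asymmetric with naive key:    ", count_asymmetric(SAMPLE_FLOWS, naive_key))
    print("asymmetric with canonical key:", count_asymmetric(SAMPLE_FLOWS, canonical_key))
```

The same canonicalisation is what makes a device interchangeable in the sense of the third bullet: because the instance is a pure function of the connection, any hop's pool can be resized or replaced without the other hops caring, and a connection keeps landing on one instance for as long as that pool is unchanged.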
Page 44
ACI and OpenStack
[Diagram: OpenStack Orchestration with Controllers 1 to 3, each carrying an APIC plugin (multi-vendor, open source APIC plugins); Cisco ACI with APIC and Nexus 9000; hypervisors running Open vSwitch with OpFlex, hosting VMs for Projects 1 to 3]
Page 45
Virtual Topology System (VTS) Introduction
VTS for overlay provisioning and management across Virtual Overlays and Physical Fabric (Cisco Nexus & multivendor)
[Diagram: VTS programs the BGP-EVPN VXLAN fabric over NX-API and Netconf/YANG; physical ToR and virtual overlays; bare metal and virtualized workloads; automated DCI / WAN; northbound integrations: VMware vCenter, REST API, GUI, Cisco Network Services Orchestrator (Tail-f)]
Flexible Overlays: Physical and Virtual Overlays; Bare-metal and Virtualized Workloads; Service Chaining
Open and Programmable: REST-Based Northbound APIs; Multi-protocol Support; Multi-hypervisor Support
Automated: Seamless Integration with Orchestrators; Automated Overlay Provisioning; Automated DCI/WAN Integration
Scalable VXLAN Mgmt.: MP-BGP EVPN Control Plane; Virtual Tenant Networks; High Performance Virtual Forwarding
Page 46
Agenda
• Security from the Service Provider perspective
• Putting SDN/NFV to work - DDoS
• Automating Security in the SP Data Centre
• Generating new revenue streams with hosted security services
• SDN & NFV Infrastructure Security
• Summary
Page 47
Generating new revenue streams with Hosted Security Services
Page 48
Evolution of Security Services: Premise to Cloud
[Diagram: four delivery models, CPE, Managed CPE, Hybrid and Cloud, showing where each function (SWITCHING, AP, VOICE, ROUTING, NAT, DHCP, NGFW, VPN, IPS, WEB, EMAIL, MALWARE, CONTEXT) runs: on the customer premise or in the SP cloud]
Page 49
Market Opportunity: Cloud Service Delivery Shows Higher Growth, but CPE Based Still Growing
Source: © 2015 IHS / Infonetics Research: Cloud and CPE Managed Security Services Market Size and Forecasts; March 2015
[Chart: Worldwide CPE-Based Service Revenue Share by Technology, CY10 to CY19, revenue in US$ (0 to $14,000,000,000); series: IDS/IPS, DDoS mitigation, Other security services, Managed firewalls]
[Chart: Worldwide Cloud-Based Service Revenue Share by Technology, CY10 to CY19, revenue in US$ (0 to $12,000,000,000); series: IDS/IPS, DDoS mitigation, Other security services, Managed firewalls]
Page 50
Cloud Based Security Service Offerings
Cisco Managed Security Cloud (SaaS): Cloud Web Security (CWS), Cloud Email Security (CES)
SP Hosted Security Cloud (Hosted): VPN, FW, NGFW, NGIPS, AMP, Web Security, Email Security as a Service
Pre-Packaged NFV Security Service Bundles (vMS)
A La Carte Hosted Security as a Service (HSS)
SP/MSSP Resell to Enterprises
Page 51
Hosted Security as a Service Architecture
Security Service Examples:
FWaaS – Firewall as a Service
VPNaaS – Virtual Private Networking as a Service
NGFW/IPSaaS – Next Generation Firewall and Intrusion Prevention System as a Service
WSaaS – Web Security as a Service
ESaaS – Email Security as a Service
IDaaS – Identity as a Service
DDoSaaS – Distributed Denial of Service as a Service
[Diagram: Infrastructure layer (Hypervisor, Compute, Storage); Services layer with per-tenant instances: Tenant 1 with WSaaS and FWaaS, Tenant 2 with ESaaS, WSaaS and FWaaS, Tenant 3 with FWaaS and IDaaS, plus NGFW/IPSaaS and VPNaaS; Orchestration layer: Policy, Analytics, Reporting]
Page 52
Firewall-aaS Tiers Example
Feature Category / Service Tiers: Bronze | Silver | Gold (per-tier inclusion marked in the original table; legend: Included)
NAT Address Translation
Stateful Inspection
High Availability
Advanced Management
(BEFORE / DURING / AFTER)
Page 53
Firewall-aaS Tiers Example (Reference Slide)
Category / Feature / Service Tiers: Bronze | Silver | Gold (per-tier inclusion marked in the original table; legend: Included, Option)
NAT Address Translation: NAT / PAT
Stateful Inspection: L3 firewall; Transparent firewall; Proxy authentication; Application hosting private zone; Application control (IM, peer to peer); Voice security support
High availability: Within SP data centre; Between SP data centres
Management: Customer self-service portal; Streamlined management; Auto-generated reporting; Custom reporting; Data log retention (1 month); Extended data log retention (> 1 month)
(BEFORE / DURING / AFTER)
Page 54
VPNaaS Tiers Example (Reference Slide)
Feature Category / Service Tiers: Bronze | Silver | Gold (per-tier inclusion marked in the original table; legend: Included)
Customer site to Cloud IPSec VPN service
Remote Access VPN
High Availability
Advanced Management
(BEFORE / DURING / AFTER)
Page 55
Web Security-aaS Tiers Example (Reference Slide)
Feature Category / Service Tiers: Bronze | Silver | Gold (per-tier inclusion marked in the original table; legend: Included)
Real Time Threat Protection Services
Acceptable Use Services
Policy Control
High Availability
Advanced Management
(BEFORE / DURING / AFTER)
![Page 56: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/56.jpg)
Email Security-aaS Tiers Example (Reference Slide)

Feature categories per service tier (Bronze, Silver, Gold); Included marks not preserved in the transcript.
• Inbound Email Protection
• Outbound Email Protection
• Policy control
• High availability
• Advanced Management

BEFORE DURING AFTER
![Page 57: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/57.jpg)
NGFW/IPSaaS Tiers Example (Reference Slide)

Feature categories per service tier (Bronze, Silver, Gold); Included marks not preserved in the transcript.
• Application Visibility and Control (NGFW)
• Threat Protection (NGIPS)
• High Availability
• Advanced Management

BEFORE DURING AFTER
![Page 58: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/58.jpg)
Hosted Security as a Service (HSS)
![Page 59: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/59.jpg)
HSS Architecture

• Delivered from service provider's infrastructure
• UBIqube MSActivator used as the Security Domain Manager
• Orchestration SW interfaces with native appliance configuration mechanisms
• All customer data lives inside the SP Cloud environment
• Security on virtual form factor available today

Figure (diagram text only), three layers:
• Infrastructure layer: VMware ESXi, Cisco UCS, Storage
• Service layer: per-tenant virtual appliances for Tenant 1, Tenant 2 and Tenant 3 (WSAv, ASAv, ESAv, CSR1Kv)
• Orchestration layer: Policy, Analytics, Reporting; integrates with the SP's existing orchestration, reporting and billing infrastructure through a Provisioning API, a Reporting API and a Billing API
![Page 60: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/60.jpg)
VSA 1.0 Expanded Gold Container: Customer Hosted Email Inbound Flow

Figure (diagram text only). The Tenant 1 site (AD, DNS, MS Exchange) connects over MPLS VPN or IPSec VPN into a Customer VRF on the ASR9000 (Global), which also carries the Internet path. In the SP data centre a Nexus 5000/7000/9000 L2 fabric fronts an ASA5585X (management links M1, M1P1) and the SP Management segment (UBIqube, vCenter). The Tenant 1 Expanded Gold Container holds ASAv (interfaces gi0/2, gi0/3, gi0/4, gi0/5, gi0/6, gi0/7 and mgt 0/0), ESAv and WSAv as virtual machines on UCS, separating a Tenant 1 Private Zone (Private Tier 1, Tier 2 and Tier 3 VMs) from a Tenant 1 DMZ Zone. Connectivity uses a Shared Transit VLAN and Per-Tenant VLANs. Note: redundant nodes are not shown.
![Page 61: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/61.jpg)
VSA 1.0 Expanded Gold Container: SP Hosted Email Inbound Flow

Figure (diagram text only). Same container as the previous slide, but MS Exchange is hosted by the SP inside the Tenant 1 zones rather than at the customer site. The Tenant 1 site (AD, DNS) connects over MPLS VPN into a Customer VRF on the ASR9000 (Global); Internet traffic enters through the Global routing. Nexus 5000/7000/9000 L2 fabric, ASA5585X (M1, M1P1), SP Management (UBIqube, vCenter). The Tenant 1 Expanded Gold Container holds ASAv (gi0/2, gi0/3, gi0/4, gi0/5, gi0/6, gi0/7, mgt 0/0), ESAv and WSAv as virtual machines on UCS, with a Tenant 1 Private Zone (Private Tier 2 and Tier 3 VMs) and a Tenant 1 DMZ Zone, over a Shared Transit VLAN and Per-Tenant VLANs. Note: redundant nodes are not shown.
![Page 62: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/62.jpg)
VMDC 2.3 Expanded Gold Container (slide reused from BRKSPG-2517)

Figure (diagram text only). The Customer Site (AD, DNS, MS Exchange) reaches the SP over MPLS VPN into a Customer VRF on an ASR1006 (Global). Inside the data centre: Nexus 7004 fabric; an ASA5555 terminating Remote Access VPN; ASA5585X firewalls with a Customer Private Context and a Customer DMZ Context, with Customer PVT Outside VRF, Customer PVT Inside VRF and Customer DMZ VRF alongside the Global routing. UCS hosts carry Citrix/F5 load balancers, ESAv and WSAv virtual appliances and tenant VMs (management links M1); SP Management holds UBIqube and vCenter. VLANs: Shared Transit VLAN, Per-Tenant VLAN, Private Zone (3 VLANs), DMZ 1 (1 VLAN), DMZ 2 (1 VLAN). Internet-facing. Redundant nodes are not shown.
![Page 63: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/63.jpg)
HSS Security Domain Manager: UBIqube MSActivator (slide reused from BRKSPG-2517)

Figure (diagram text only), top to bottom:
• Northbound: Web Portal GUI; Web Services (Verbs and Web Services API, Order Stack Management); 3rd Party OSS/BSS
• Service Profiles; Service Designer Templates and Objects
• Device Adaptor (SDK) per device type: Update Conf, Restore Conf, Get Asset, Update Firmware
• OBMF Mediation Layer
• Southbound Interface: SSH, Telnet, SNMP, Syslog, HTTP, OpenFlow, FTP, Netflow, TR069
• VOIP

Caveat: several of the southbound options (Telnet, plain HTTP, FTP, SNMPv1/v2c) carry credentials and device configuration in cleartext, so the domain manager's management plane has to be isolated from tenant traffic, or the encrypted variants (SSH, HTTPS, SNMPv3) used, since this component holds the configuration authority over every tenant's security appliances.
![Page 64: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/64.jpg)
vMS (CloudVPN)
![Page 65: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/65.jpg)
vMS (CloudVPN) at a Glance

• Rapid provisioning/Ops Portal
• Standard YANG models
• All customer data lives inside the SP Cloud environment
• Appliance plus Virtual Services chained together
• Orchestration of Network + Service Topology
• Service lifecycle management + elasticity + workload placement
• IPv6 deployed here

Figure (diagram text only), three layers:
• Infrastructure layer: KVM, Compute, Storage
• Service layer: per-tenant chains of CSR1Kv plus IPSv, ASAv, ESAv, WSAv and vDDoS (Tenant 1, Tenant 2, Tenant 3)
• Orchestration layer: Policy, Net+Svc. Analytics, Reporting, Provisioning, Svc. Lifecycle Mgt.; integrates with the SP's existing orchestration, reporting and billing infrastructure through a Provisioning API, a Reporting API and a Billing API
![Page 66: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/66.jpg)
vMS Architecture: A Deeper Look

Figure (diagram text only). NSO (VNF-O) is built on ConfD with service models, device models, FASTMAP and reactive FASTMAP, and drives devices (ISR CPE, x86 hosts, the MPLS WAN) and an SDN Controller through NEDs. ESC (VNF-M) handles virtual infrastructure lifecycle; OpenStack is the virtual infrastructure manager in the Data Centre, hosting the VNFs VR_CSR and VFW_vASA. The End-User Portal, Operator Portal and BSS Systems reach NSO over RESTCONF / UI; O/S component APIs carry Config & Operation. The Cloud Service is delivered across the IP Network.
![Page 67: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/67.jpg)
VMS Release 2.0: Delivering Comprehensive Cloud VPN Services (slide reused from BRKSPG-2517)

Cloud VPN Services
• 3 Service Models for Enterprise deployment flexibility: CloudVPN Foundation, CloudVPN Advanced, CloudVPN Advanced w/Web Security
• vIPS option for both Advanced and Advanced w/Web Security
• CSR1Kv: Virtual Router for Site-to-Site VPN with Secure IP Overlay using FlexVPN/IKEv2 for IPSec Tunnels
• ASAv: vFW with NAT and Policy (*)
• ASAv: vFW with IPSec/SSL Remote Access (*)
• WSAv for Enhanced Web Security (*)

Management and Orchestration
• Enterprise Admin Service Interface (Portal) driven service instantiation
• Zero-Touch Deployment of enterprise CPE (ISR G2)
• Model driven Network Services lifecycle management with Network Service Orchestrator (NSO) from Tail-f
• VNF lifecycle management with Elastic Services Controller (ESC)
• Virtual Infrastructure Management with OpenStack featuring OVS and ODL/VPP as SDN Controllers

Figure (diagram text only). NSO (NFV Orchestrator), ESC (VNF Manager) and OpenStack (Virtual Infrastructure Manager) sit above per-customer service chains: Foundation (VR), Advanced (VR + ASA), Advanced w/Web Security (VR + ASA + WSA). CPEs for Cust-A, Cust-B and Cust-C connect over Flex-VPN links (IPSEC VPN) via Over The Top Access across the Internet to the Service Access vRouter, with Internet Access/Remote Access behind it; the Foundation Service offers Direct Internet Access via "Split Tunnel". A CPE Managed Orchestration Link (PnP RFS, VirTo RFS, API) ties the CPE to the orchestrator.
![Page 68: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/68.jpg)
vMS Service Bundles
• (1) Internet Access (IA), FWaaS, VPNaaS: CSR1kv, vASA with NAT, FW, RA
• (2) IA, FWaaS, VPNaaS and WSaaS: CSR1kv, vASA, vWSA
• (3) IA, FWaaS, VPNaaS and Next-Gen IPSaaS: CSR1kv, vASA, vWSA, vNG-IPS (SourceFire)
• (4) IA, FWaaS, VPNaaS and IdentityaaS: CSR1kv, vASA, vISE with NAT, BYOD, Policy, TrustSec
• (5) IA, FWaaS, VPNaaS and ESaaS: CSR1kv, vASA, vESA
• (6) IA, FWaaS, VPNaaS and DDoSaaS

Flexibility for other variations based on marketing needs
![Page 69: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/69.jpg)
Virtual Security Workflows (Reference Slide)
![Page 70: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/70.jpg)
• Security from the Service Provider perspective
• Putting SDN/NFV to work - DDoS
• Automating Security in the SP Data Centre
• Generating new revenue streams with hosted security services
• SDN & NFV Infrastructure Security
• Summary
Agenda
![Page 71: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/71.jpg)
SDN & NfV Infrastructure Security
![Page 72: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/72.jpg)
SDN Security Components

Figure (diagram text only). SDN Applications (Security Application, Third Party Application, Identity, Security, Network Services) sit above a Service Abstraction Layer that exposes OpenFlow, Netconf, I2RS and a Security Plugin. pxGrid links the SDN layer to the Security Infrastructure: Identity Services Engine, Cisco Cloud Threat Defence, Next Generation Defence Centre, PRSM, CSM and others, with Visibility and CLI as further interfaces.
![Page 73: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/73.jpg)
Threat Defence Services

Network Capabilities (Application View):
• Targeted Blocking
• Targeted Inspection
• Targeted Rate Limiting
• Targeted Packet Capture
• Targeted File Capture
• Targeted Confinement
• Targeted Enforcement

Delivered through: OpenFlow, Netconf, Security Plugin, VLAN, SGT, VxLAN, ISE
![Page 74: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/74.jpg)
Security Services Through SDN
• Audit
• Recording
• Monitoring
• Inspection
• Rate Limiting
• DDoS Scrubbing
• Quarantine
• Active Web Firewall
• Blocking

Effective, Timely, Non-invasive
![Page 75: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/75.jpg)
Network Controller Reconciles Mitigations Against The Needs of Mission-critical Applications

Figure: the controller takes mitigations from the security system on one side and application and network requirements on the other, and applies each mitigation only as far as those requirements allow.
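The reconciliation this slide describes, as an added example that is not part of the deck: a small Python planner takes the mitigations a security system raises (block, rate limit, inspect and so on, matched on source and destination) together with the tolerance declared for each mission-critical application, and downgrades any mitigation that would hit a critical flow harder than the application allows. The severity ladder, the record shapes, the overlap rule and the sample addresses are assumptions made for illustration; the output is a plain match/action record rather than a real OpenFlow or NETCONF message.

```python
"""Reconcile security-system mitigations against mission-critical application
requirements before they are pushed to the network controller.

Added illustration, not code from the BRKSEC-2760 deck or from any Cisco
controller. The action ladder, record shapes, overlap rule and sample
addresses are assumptions; the output is a plain match/action record.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Least to most disruptive. Assumed ordering, loosely following the service
# list on the "Security Services Through SDN" slide.
SEVERITY = ["monitor", "record", "inspect", "rate_limit", "scrub", "quarantine", "block"]


@dataclass(frozen=True)
class Mitigation:
    """What the security system asks the controller to do to a flow."""
    action: str                  # one of SEVERITY
    src: str                     # source prefix the detection fired on
    dst: str = "0.0.0.0/0"       # destination prefix (default: anywhere)
    dport: Optional[int] = None  # destination port (None: any port)


@dataclass(frozen=True)
class AppRequirement:
    """A mission-critical service and the harshest action it tolerates."""
    name: str
    dst: str
    dport: Optional[int]
    max_action: str              # one of SEVERITY


def _prefixes_overlap(a: str, b: str) -> bool:
    return ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))


def _ports_overlap(p1: Optional[int], p2: Optional[int]) -> bool:
    return p1 is None or p2 is None or p1 == p2


def reconcile(mitigations: List[Mitigation],
              requirements: List[AppRequirement]) -> Tuple[List[dict], List[str]]:
    """Return (rules, decisions).

    A mitigation whose destination overlaps a mission-critical service and
    whose action is harsher than that service tolerates is downgraded to the
    service's max_action (the lowest max_action wins when several overlap).
    Mitigations that touch no critical service pass through unchanged.
    """
    rules, decisions = [], []
    for m in mitigations:
        if m.action not in SEVERITY:
            raise ValueError(f"unknown action {m.action!r}")
        action = m.action
        for req in requirements:
            if not (_prefixes_overlap(m.dst, req.dst) and _ports_overlap(m.dport, req.dport)):
                continue
            if SEVERITY.index(action) > SEVERITY.index(req.max_action):
                decisions.append(f"{req.name}: {action} -> {req.max_action} for src {m.src}")
                action = req.max_action
        rules.append({"match": {"ipv4_src": m.src, "ipv4_dst": m.dst, "tcp_dst": m.dport},
                      "action": action})
    return rules, decisions


# Constructed sample input (documentation prefixes, not real hosts).
SAMPLE_REQUIREMENTS = [
    AppRequirement("voice", "198.51.100.20/32", 5060, "inspect"),
    AppRequirement("dns", "198.51.100.53/32", 53, "rate_limit"),
]
SAMPLE_MITIGATIONS = [
    Mitigation("block", "203.0.113.0/24", "198.51.100.20/32", 5060),  # hits voice
    Mitigation("block", "203.0.113.7/32", "198.51.100.80/32", 80),    # web host, not critical
    Mitigation("block", "198.18.0.0/15", "198.51.100.53/32", None),   # hits dns, any port
]


def demo() -> Tuple[List[dict], List[str]]:
    """Run the reconciler over the constructed sample."""
    return reconcile(SAMPLE_MITIGATIONS, SAMPLE_REQUIREMENTS)


if __name__ == "__main__":
    rules, decisions = demo()
    for rule in rules:
        print(rule)
    for line in decisions:
        print(line)
```

Run stand-alone, the block emits three rules: the block aimed at the voice server is softened to inspection, the block aimed at the non-critical web host is left as requested, and the any-port block toward the DNS server becomes a rate limit. The downgrade decisions are the part worth keeping in the audit trail, because they explain why a mitigation was applied more gently than the security system asked for.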
![Page 76: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/76.jpg)
Threats to an SDN System

Figure: a Controller hosting App 1, App 2 and App 3, exposed to Spoofing, Rogue elements and DoS Attacks.
![Page 77: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/77.jpg)
Threats to an SDN System: Hardening

Figure: the same Controller with App 1, App 2 and App 3, and the hardening controls applied to it:
• Secure Provisioning
• Authentication
• Authorisation/RBAC
• Integrity
• Secure Storage
• Audit
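Four of the hardening controls on this slide (Authentication, Integrity, Authorisation/RBAC and Audit) in one place, as an added example that is not code from the deck or from any Cisco controller: a Python gateway in front of the controller's northbound interface. Each application signs its requests with a shared HMAC key; the gateway verifies the signature, rejects stale or replayed nonces, checks the requested action against the application's role, and records every decision. The roles, permissions, request shape, HMAC scheme and keys are assumptions; a production controller would terminate mutually authenticated TLS and keep keys in a secrets store (the slide's Secure Provisioning and Secure Storage) rather than in a dictionary.

```python
"""Hardening an SDN controller's northbound interface: every application
request is authenticated, integrity-checked, replay-protected, authorised by
role and written to an audit trail before the controller acts on it.

Added illustration, not code from the deck or from any Cisco controller. The
roles, permissions, request shape, HMAC scheme and sample keys are
assumptions; production deployments use mutually authenticated TLS and a
secrets store rather than in-memory keys.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# Assumed least-privilege split: a monitoring app may observe, only an
# enforcement app may install disruptive rules.
ROLE_PERMISSIONS = {
    "monitor": {"read_flows", "mirror"},
    "enforcer": {"read_flows", "mirror", "rate_limit", "block"},
}


def _canonical(req: dict) -> bytes:
    """Stable serialisation so signer and verifier hash identical bytes."""
    return json.dumps(req, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, req: dict) -> str:
    """Client side: the tag an application attaches to a request."""
    return hmac.new(key, _canonical(req), hashlib.sha256).hexdigest()


class ControllerGateway:
    def __init__(self, app_keys: Dict[str, bytes], app_roles: Dict[str, str], max_skew: int = 30):
        self._keys = app_keys        # app_id -> shared secret (secure storage in reality)
        self._roles = app_roles      # app_id -> role
        self._max_skew = max_skew    # seconds of clock skew tolerated
        self._seen_nonces = set()    # replay cache (bounded and expiring in reality)
        self.audit_log: List[dict] = []

    def handle(self, req: dict, tag: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        result = self._check(req, tag, now)
        # Every decision, allowed or denied, is audited: who asked for what, and the outcome.
        self.audit_log.append({"ts": now, "app": req.get("app"),
                               "action": req.get("action"), "result": result})
        return result

    def _check(self, req: dict, tag: str, now: float) -> str:
        key = self._keys.get(req.get("app"))
        if key is None:
            return "denied: unknown app"            # spoofed or rogue application
        if not hmac.compare_digest(sign(key, req), tag):
            return "denied: bad signature"          # tampered or forged request
        if abs(now - req["ts"]) > self._max_skew or req["nonce"] in self._seen_nonces:
            return "denied: replay"                 # stale or replayed request
        self._seen_nonces.add(req["nonce"])
        allowed = ROLE_PERMISSIONS.get(self._roles.get(req["app"]), set())
        if req["action"] not in allowed:
            return "denied: not authorised"         # RBAC: this role may not do that
        return "applied"


def demo() -> List[str]:
    """Constructed requests: one legitimate, then one of each threat class."""
    keys = {"app1": b"app1-shared-secret", "app2": b"app2-shared-secret"}
    gw = ControllerGateway(keys, {"app1": "monitor", "app2": "enforcer"})
    t = 1_700_000_000
    results = []

    good = {"app": "app2", "action": "block", "match": {"ipv4_src": "203.0.113.9"}, "ts": t, "nonce": "n1"}
    good_tag = sign(keys["app2"], good)
    results.append(gw.handle(good, good_tag, now=t))                  # applied

    over = {"app": "app1", "action": "block", "match": {"ipv4_src": "203.0.113.9"}, "ts": t, "nonce": "n2"}
    results.append(gw.handle(over, sign(keys["app1"], over), now=t))  # monitor app may not block

    signed = {"app": "app2", "action": "block", "match": {"ipv4_src": "203.0.113.9"}, "ts": t, "nonce": "n3"}
    tag = sign(keys["app2"], signed)
    tampered = dict(signed, match={"ipv4_src": "198.51.100.20"})      # target swapped in transit
    results.append(gw.handle(tampered, tag, now=t))                   # bad signature

    results.append(gw.handle(good, good_tag, now=t + 5))              # replayed nonce n1

    rogue = {"app": "rogue", "action": "block", "match": {}, "ts": t, "nonce": "n4"}
    results.append(gw.handle(rogue, sign(b"guess", rogue), now=t))    # unknown app
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The constructed requests in demo() exercise one legitimate enforcer request and then one case per threat on the previous slide: a monitoring application overstepping its role (rogue), a request whose match was altered in transit (spoofing and integrity), a replayed request (replay and DoS), and an application the controller has never provisioned. All five outcomes end up in gw.audit_log, which is what an incident responder needs when a suspicious flow rule shows up on a switch.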
![Page 78: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/78.jpg)
• Security from the Service Provider perspective
• Putting SDN/NFV to work - DDoS
• Automating Security in the SP Data Centre
• Generating new revenue streams with hosted security services
• SDN & NFV Infrastructure Security
• Summary
Agenda
![Page 79: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/79.jpg)
Summary
![Page 80: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/80.jpg)
Considerations
• How automated is your telemetry capture?
• How automated is your threat analysis?
• Are you limited by privacy considerations?
• What actions are you willing to take in real time?
• What actions should be one-click for a security analyst?
• What type of SDN can you use?
• How SDN-ready is your network?
• SDN security?

Figure: Detection, SDN, Response.
![Page 81: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/81.jpg)
Summary
• SP Security concerns
• How traditional products/solutions are embracing SDN/NfV
• Security automation in the SP DC
• Revenue generating security solutions for SP
• SDN & NFV Infrastructure Security
• Is there "One" solution to tackle security end-to-end at the "speed of the network"? The reality is, each use case is different: Technology, People, Processes
• The key enabler is "Automation", through the use of SDN, programmability, APIs, NFV…
![Page 82: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/82.jpg)
Related Cisco Live Sessions
• BRKRST-1014 - Introduction to Software-Defined Networking (SDN) and Network Programmability
• BRKSPG-3616 - SDN and NFV for Service Providers
• BRKSDN-2040 - SDN Controllers - A Use Case Driven Approach to the Options
• BRKSDN-2065 - Cisco Virtual Managed Services (vMS)
• BRKSPG-2619 - Cisco Evolved Programmable Networks
• BRKSEC-3010 - Firepower 9300 Deep Dive
• BRKSEC-1205 - Introduction to DC Security
• BRKSDN-1119 - Device Programmability Options with APIs
• BRKSEC-2005 - The Internet of Things: A Double-Edged Sword. How Can You Embrace it Securely?
![Page 83: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/83.jpg)
Where to go next?
• Other complementary security solutions: OpenDNS, Lancope, Cloud Web Services, CliQr
• Demos in the Cisco World of Solutions
• Walk-in Self-Paced Labs
• DevOps & DevNet Sessions
• Meet the Engineer 1:1
![Page 84: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/84.jpg)
Q & A
![Page 85: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/85.jpg)
Complete Your Online Session Evaluation
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.CiscoLiveAPAC.com
Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations.
– Directly from your mobile device on the Cisco Live Mobile App
– By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/ciscolivemelbourne2016/
– Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected from Friday 11 March at Registration
![Page 86: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/86.jpg)
• Session Managers – Robert Page, Usen Tulemisov, Stefan Avgoustakis
• Previous BRKSEC-2760 presenters – Mike Geller, David McGrew, Ken Beck
• Collaborators – Kerry Loveless, Sam Rastogi, Siruo Yu, Mike Geller, Albra Welch
Thanks…
![Page 87: Security at the Speed of the Network](https://reader033.fdocuments.in/reader033/viewer/2022042907/587d340c1a28ab2a448b59bb/html5/thumbnails/87.jpg)
Thank you