Security & Virtualization in the Data Center
Security & Virtualization in the Data Center BRKSEC-2206
Ruslan Ivanov, Consulting Systems Engineer, [email protected]
© 2015 Cisco and/or its affiliates. All rights reserved. BRKSEC-2206 Cisco Public
Requiring a Solutions Approach
(Architecture diagram: Internet Edge; Core on Nexus 7018 with VDCs and ASA 5585-X; Distribution and Services on Catalyst 6500 VSS with Firewall, ACE, NAM and IPS service modules; Nexus 7000/5000/2100 Series access via vPC to 10G server racks; Unified Computing System with Nexus 1000V and VSG multizone; SAN. Legend: Compute, Network, Security.)
Data Center Security Challenges
• Provisioning: reduce complexity and fragmentation of security solutions. 95% of firewall breaches are caused by misconfigurations*
• Scalability: maintain security and compliance while the data center evolves. 3000% increase in network connections/second by 2015
• Protection: stay ahead of the evolving threat landscape. Over 100K new threats every day
* Greg Young, Gartner Inc
Security and Virtualization in the Data Center: Agenda
• Virtualization Trends, Priorities, Concerns
• Virtual Network Security Services
• Physical Network Security Services for Virtualization
• Threat Identification and Correlation
• Application Centric Infrastructure Security
• Summary
Source: IDC, Nov 2010
The Evolving Data Center Architecture: Virtualization on Commodity Compute
(Diagram: the tipping point. Traditional: one application per server. Transition. Virtualized: one server, or “host”, running many apps, or “VMs”, on a hypervisor.)
Common Virtualization Concerns
• Unified Policy Enforcement: policy is applied at the physical server, not the individual VM, so it cannot be enforced for VMs in motion
• Operations and Management: lack of VM visibility, accountability and consistency; a difficult management model and no effective way to troubleshoot
• Roles and Responsibilities: muddled ownership, since the server admin must configure the virtual network; organizational redundancy creates compliance challenges
• Machine and Application Segmentation: servers and applications share one physical server with no isolation between them; no separation between compliant and non-compliant systems
(Diagram: policy, workflow and operations; roles and responsibilities; isolation and segmentation; management and monitoring. A hypervisor hosting an initially infected VM alongside the VM it infects next.)
Virtualization Security
• Collateral hacking?
• Segmentation?
• Side channel attacks?
• Visibility?
• Threat identification and defense?
• What about hypervisor hyperjacking?
• VM escape?
• Virtualization attention deficit disorder
(Diagram of the areas to cover: vMotion (memory in flight), virtual storage (VMDK), VM segmentation, hypervisor security, role-based access, physical security, VM OS hardening, patch management, VM sprawl.)
Simple, Effective, Achievable
• Segmentation: establish boundaries (network, compute, virtual); enforce policy by function, device, organization and compliance; control and prevent unauthorized access to networks, resources and applications
• Threat Defense: stop internal and external attacks and interruption of services; patrol zone and edge boundaries; control information access and usage, prevent data loss and data modification
• Visibility: provide transparency to usage; apply business context to network activity; simplify operations and compliance reporting
Applied North-South and East-West: Defend, Detect, Control
Security Model: the Attack Continuum
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Across Network, Endpoint, Mobile, Virtual and Cloud; point-in-time and continuous.
From Best of Breed…
(Diagram: physical hosts behind a clustered ASA firewall and NGIPS.)
• Control North/South traffic with ASA 5585
• Scale and HA with Clustering
• Inspect North/South traffic with NGIPS
• Segment and protect the virtual enclave with ASAv and vNGIPS
…With Best Infrastructure…
(Diagram: the same NGIPS, ASA firewall and clustering, plus NGA (NetFlow Generation Appliance) and Virtual FlowSensor for CTD, Cisco Threat Defense: leverage your Cisco infrastructure to fight advanced pervasive threats. TrustSec with Security Group Tagging: SGTs carried across switches, firewalls and virtual hosts, with ISE as the policy source. Goals: Simplify, Automate, Accelerate, Standardize.)
…With Best Architecture…
(Diagram: two data centers, each with virtual and physical hosts, NGIPS and SGT-tagged traffic, joined by inter-DC ASA clustering over OTV.)
…Ready for Next Generation DataCenter.
(Diagram: ACI fabric connecting virtual and physical endpoints, service nodes and security nodes (clustered ASA firewall, NGIPS). Application Centric Infrastructure: scalable, simple, flexible, reliable, automated, secured.)
Virtual Network & Security Services
Managing Virtual Networking Policy
Virtual Switches: Example Nexus 1000V
§ Non-disruptive operation model: maintain current workflows using Port Profiles
§ Maintain network security policies with isolation and segmentation via VLANs, Private VLANs, port-based access lists and Cisco Integrated Security Features
§ Ensure visibility (VM introspection) into virtual machine traffic flows using traditional network features such as ERSPAN and NetFlow
(Diagram: the Nexus 1000V as the shared object between the Network Team (management and monitoring), the Server Team (roles and responsibilities) and the Security Team (isolation and segmentation).)
What is a Nexus Port-Profile?
• A port profile is a container used to define a common set of configuration commands for multiple interfaces
• Define once and apply many times
• Simplifies management by storing interface configuration
• Key to collaborative management of virtual networking resources
• Why is it not like a template or SmartPort macro? Port-profiles are ‘live’ policies: editing an enabled profile causes configuration changes to propagate to all interfaces using that profile (unlike a static one-time macro)
* For lots more detail, reference BRKVIR-3013 Deploying and Troubleshooting the Nexus 1000V
Port Profiles
Nexus 1000V supports: ACLs, Quality of Service (QoS), PVLANs, port channels, SPAN ports
Example (a port profile with NetFlow monitoring, inherited by two vEthernet interfaces):
    port-profile vm180
      vmware port-group pg180
      switchport mode access
      switchport access vlan 180
      ip flow monitor ESE-flow input
      ip flow monitor ESE-flow output
      no shutdown
      state enabled
    interface Vethernet9
      inherit port-profile vm180
    interface Vethernet10
      inherit port-profile vm180
Port Profile –> Port Group via the vCenter API; the policy stays with the VM across vMotion (policy stickiness). Shared between the Network, Security and Server teams.
Nexus 1000V Security Features • Laying the Foundation
Switching: L2 Switching, 802.1Q Tagging, VLAN Segmentation, Rate Limiting (TX); IGMP Snooping, QoS Marking (CoS & DSCP)
Security: Virtual Service Domain, Private VLANs with local PVLAN enforcement; Access Control Lists (L2–4 with Redirect), Port Security, vPath/VSG; Dynamic ARP Inspection, IP Source Guard, DHCP Snooping
Provisioning: Automated vSwitch Config, Port Profiles, Virtual Center Integration; Optimized NIC Teaming with Virtual Port Channel – Host Mode
Visibility: vMotion Tracking, ERSPAN, NetFlow v9, CDP v2; VM-Level Interface Statistics
Management: Virtual Center VM Provisioning, Cisco Network Provisioning, CiscoWorks; Cisco CLI, RADIUS, TACACS+, Syslog, SNMP (v1, v2, v3)
vPath Enables Chaining of Network Services
vPath is the Nexus 1000V data plane component for Cloud Network Services (CNS):
• Topology-agnostic service insertion model
• Service chaining across multiple virtual services
• Performance acceleration with vPath, e.g. VSG flow offload
• Efficient and scalable architecture
• Non-disruptive operational model
• VM policy mobility with VM mobility
(Diagram: a hypervisor running the Nexus 1000V with vPath steering traffic to the Cloud Network Services.)
What is the Virtual Security Gateway?
• VSG is an L2 firewall that runs as a virtual machine, a “bump in the wire”
• Similar to the L2 transparent firewall mode of the ASA
• It provides firewall inspection between L2-adjacent hosts (same subnet or VLAN)
• It can use VMware attributes for policy
• Provides the benefits of L2 separation for East-West traffic flows
• One or more VSGs are deployed per tenant
• Requires the Nexus 1000V virtual distributed switch and uses the vPath forwarding plane
(Diagram: a VSG in front of several virtual hosts.)
VSG Attributes (vCenter VM attributes)
| Name | Meaning | Source |
|---|---|---|
| vm.name | Name of this VM | vCenter |
| vm.host-name | Name of this ESX host | vCenter |
| vm.os-fullname | Name of the guest OS | vCenter |
| vm.vapp-name | Name of the associated vApp | vCenter |
| vm.cluster-name | Name of the cluster | vCenter |
| vm.portprofile-name | Name of the port-profile | Port-profile |
The VM attribute information collected is used for enforcing security policy.
Security Policy Profile § Defined/managed by VNMC / Prime Network Services Controller (PNSC) § Bound to the Cisco Nexus 1000V VSM port-profile
Policy Workflow: Server, Network, Security
• Mitigate operational errors between teams
• Security team defines security policies
• Networking team binds the port-profile to the VSG service profile
• Server team assigns VMs to Nexus 1000V port-profiles
(Diagram: Server Admin in vCenter (Port Group) → Network Admin on the Nexus 1KV (Port Profile) → Security Admin in Prime NSC (Security Profile).)
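The attribute-based classification described on the two slides above can be exercised with a small matcher. This is an added example and not VSG or PNSC code: it assumes glob-style rules over the attribute names listed in the VSG attribute table, a constructed vCenter inventory and a zone-to-zone allow list. The point it makes is the one behind the workflow split: a policy keyed on vm.name is only as strong as the vCenter permission to rename a VM (held by the server team), whereas vm.portprofile-name is controlled by the network team and survives a rename.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed vCenter inventory snapshot, using the VSG attribute names from the slide.
INVENTORY: List[Dict[str, str]] = [
    {"vm.name": "web-01", "vm.host-name": "esx-a1", "vm.os-fullname": "Ubuntu Linux (64-bit)",
     "vm.vapp-name": "shop", "vm.cluster-name": "prod", "vm.portprofile-name": "pp-web"},
    {"vm.name": "app-01", "vm.host-name": "esx-a2", "vm.os-fullname": "Ubuntu Linux (64-bit)",
     "vm.vapp-name": "shop", "vm.cluster-name": "prod", "vm.portprofile-name": "pp-app"},
    {"vm.name": "db-01", "vm.host-name": "esx-a2", "vm.os-fullname": "Red Hat Enterprise Linux 7 (64-bit)",
     "vm.vapp-name": "shop", "vm.cluster-name": "prod", "vm.portprofile-name": "pp-db"},
]

# Assumed rule format: (attribute, glob pattern, zone); first match wins.
Rule = Tuple[str, str, str]

NAME_RULES: List[Rule] = [          # keyed on an attribute the server admin can change
    ("vm.name", "web-*", "web-zone"),
    ("vm.name", "app-*", "app-zone"),
    ("vm.name", "db-*", "db-zone"),
]
PORTPROFILE_RULES: List[Rule] = [   # keyed on an attribute owned by the network/security teams
    ("vm.portprofile-name", "pp-web", "web-zone"),
    ("vm.portprofile-name", "pp-app", "app-zone"),
    ("vm.portprofile-name", "pp-db", "db-zone"),
]

# Assumed zone-to-zone policy: every pair not listed is denied.
ALLOWED = {("web-zone", "app-zone"), ("app-zone", "db-zone")}
DEFAULT_ZONE = "quarantine-zone"


def classify(vm: Dict[str, str], rules: List[Rule]) -> str:
    """Return the zone of the first rule whose glob matches the VM attribute."""
    for attr, pattern, zone in rules:
        if fnmatch.fnmatchcase(vm.get(attr, ""), pattern):
            return zone
    return DEFAULT_ZONE


def permitted(src: Dict[str, str], dst: Dict[str, str], rules: List[Rule]) -> bool:
    """Zone-level decision for a flow from src VM to dst VM under the given rules."""
    return (classify(src, rules), classify(dst, rules)) in ALLOWED


def rename_vm(vm: Dict[str, str], new_name: str) -> Dict[str, str]:
    """Simulate a vCenter rename (a server-admin privilege); nothing else about the VM changes."""
    changed = dict(vm)
    changed["vm.name"] = new_name
    return changed


def demo() -> Dict[str, bool]:
    web, app, db = INVENTORY
    impostor = rename_vm(web, "app-99")   # a compromised web VM renamed to look like an app server
    return {
        "web->app by name": permitted(web, app, NAME_RULES),                    # True
        "web->db by name": permitted(web, db, NAME_RULES),                      # False
        "renamed web->db by name": permitted(impostor, db, NAME_RULES),         # True: the rename moved it into app-zone
        "renamed web->db by port-profile": permitted(impostor, db, PORTPROFILE_RULES),  # False: still on pp-web
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The two rule sets give the same answer for honest inventory and a different answer for the renamed VM; that difference is why the workflow slide has the network team, not the server team, bind the port-profile to the security profile.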
Introducing the Virtualized ASA (ASAv)
ASAv Firewall (Virtualized ASA)
• Developed due to customer feedback for a complete ASA firewall running as a virtual machine
• Nexus 1000V not required
• Will support VMware first, then other hypervisors
• ASA feature parity (with some exceptions)
• No support for: 1. ASA clustering 2. Multi-context mode 3. EtherChannel interfaces 4. Active/Active failover (requires multi-context mode)
ASAv Deployment: Cloud Security FW+VPN
• Today multi-context mode on the ASA is used to provide firewall inspection for multi-tenant and multi-zone environments
• Trunks are typically used to transport zone and tenant traffic
• The challenge of E-W scale requires more firewall resources and a scalable solution
(Diagram: a multi-context mode ASA with Zone 1, 2 and 3 holding VM 1 to VM 8, compared with per-zone virtual firewalls VFW 1 to 3 in Vzone 1 and Vzone 2.)
§ ASAv provides an edge firewall and can scale for an E-W build-out
§ Each tenant or zone gets one or more ASAv for FW + VPN
§ Scaled VPN termination for S2S and RA VPN clients
ASAv • Three Modes of Policy Enforcement
Routed Firewall • Routing traffic between vNICs • Maintains ARP and routing table • Tenant edge firewall
Transparent Firewall • VLAN or VXLAN bridging / stitching • Maintains MAC-address tables • Non-disruptive to L3 designs
Service Tag Switching • Applies inspection between service tags • No network participation • Fabric integration mode
Routed Firewall
• Routed: tenant edge use case
• First-hop gateway to hosts
• Enable all client hosts, VM or physical
• Scale the number of data interfaces
• Route between multiple subnets
• Traditional Layer 3 boundary in the network
(Diagram: ASAv in routed mode with Outside facing the gateway and client, and Inside, Shared and DMZ interfaces toward host1 and host2.)
Transparent Firewall
• Bridging up to 4 (sub-)interfaces per bridge group
• Max 8 BVIs per ASAv
• NAT and ACL available
• Non-disruptive way to meet PCI segmentation requirements
• Traditional Layer 2 boundary between hosts
• All segments of a bridge group are in one broadcast domain
(Diagram: ASAv in transparent mode bridging Segment-1 and Segment-2 toward the gateway and client, and Segment-3 and Segment-4 toward host1 and host2.)
Application Security & Visibility
(Diagram: UCS hosts running a hypervisor with the Nexus 1000V, Web-zone on VLAN 200 and Fileserver-zone on VLAN 300, an ASAv on the .1Q trunk, uplinks through Nexus 5500 to a Nexus 7000 VRF on VLAN 50.)
• Stateful inspection with the virtual ASA for north-south and east-west VM traffic
• Transparent or routed mode
• Service elasticity
Comparing Cisco Virtual Firewalls
| | ASAv | ASA1000V (Edge) | Virtual Security Gateway |
|---|---|---|---|
| Mode | L2 and L3 mode | L3 routed mode only | L2 mode (transparent) |
| Routing | Dynamic and static routing | Static routes only | No routing |
| DHCP | DHCP server and client support | DHCP server and client support | No DHCP support |
| Policy | IP and user based policies | IP and user based policies | IP and VM attribute based policies |
| VPN | S2S and RA VPN | Supports S2S IPsec only | No IPsec support |
| Management | Managed via CLI, ASDM, CSM | Managed by ASDM and VNMC/PNSC | Managed by VNMC/PNSC only |
| Code | Full ASA code, CLI, SSH, REST API | Uses ASA code, CLI, SSH | Minimal config via CLI, SSH |
| Scope | Policy for virtual and physical hosts | Policy for virtual hosts only | Policy for virtual hosts only |
More Segmentation Solutions?
PVLANs for VM Isolation
(Diagram: UCS hosts with the Nexus 1000V carrying Primary VLAN 20 on the .1Q trunk to a Nexus 7000 VRF on VLAN 20; Web-zone in VLAN 100 (isolated), Application-zone in VLAN 200 (isolated), Fileserver-zone in VLAN 300 (community).)
Layer 2 Segmentation
• VMs in the same Layer 2 subnet can be isolated
• Only allowed to communicate outbound to the Layer 3 gateway
• Use an ACL on the gateway to block traffic whose source and destination IPs are both in the PVLAN subnet; otherwise the gateway can route between two isolated VMs (for example via proxy ARP or a host route pointing at the gateway) and undo the Layer 2 isolation
* PVLANs are also supported on the VMware vSwitch
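To see why the gateway ACL is needed, here is an added simulation of the PVLAN forwarding rules and of the hairpin path through the gateway's promiscuous port. It is illustrative code written for this page, not Cisco or VMware code; the port names, the 10.1.20.0/24 subnet and the ACL are constructed for the example, and the hairpin models a gateway that will forward between two hosts of its own subnet (proxy ARP or a host route).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")
SUBNET = ipaddress.ip_network("10.1.20.0/24")   # primary VLAN 20 subnet (constructed)


@dataclass(frozen=True)
class Port:
    name: str
    kind: str       # "promiscuous", "isolated" or "community"
    vlan: int       # primary VLAN for promiscuous ports, secondary VLAN otherwise
    ip: str


def pvlan_allows(src: Port, dst: Port) -> bool:
    """Layer 2 reachability inside one primary VLAN under private-VLAN rules."""
    if src is dst:
        return True
    if src.kind == "promiscuous" or dst.kind == "promiscuous":
        return True                       # promiscuous ports (the gateway) talk to everyone
    if src.kind == "community" and dst.kind == "community" and src.vlan == dst.vlan:
        return True                       # members of the same community talk to each other
    return False                          # isolated ports and different communities are cut off


# An ACL is an ordered list of (action, source network, destination network) with an implicit deny.
Acl = List[Tuple[str, Net, Net]]


def acl_permits(acl: Acl, src_ip: str, dst_ip: str) -> bool:
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def can_reach(src: Port, dst: Port, gateway: Port, acl: Acl) -> bool:
    """Direct L2 path, or a hairpin through the gateway's promiscuous port subject to its ACL."""
    if pvlan_allows(src, dst):
        return True
    hairpin = pvlan_allows(src, gateway) and pvlan_allows(gateway, dst)
    return hairpin and acl_permits(acl, src.ip, dst.ip)


GW = Port("gw-svi", "promiscuous", 20, "10.1.20.1")
WEB1 = Port("web-01", "isolated", 100, "10.1.20.11")
WEB2 = Port("web-02", "isolated", 100, "10.1.20.12")
APP1 = Port("app-01", "isolated", 200, "10.1.20.21")
FS1 = Port("fs-01", "community", 300, "10.1.20.31")
FS2 = Port("fs-02", "community", 300, "10.1.20.32")

NO_ACL: Acl = [("permit", ANY, ANY)]
GATEWAY_ACL: Acl = [("deny", SUBNET, SUBNET),   # block hairpinned intra-subnet traffic on the SVI
                    ("permit", ANY, ANY)]


def l2_matrix():
    """Pure Layer 2 reachability between the VM ports, no gateway involved."""
    ports = [WEB1, WEB2, APP1, FS1, FS2]
    return {(a.name, b.name): pvlan_allows(a, b) for a in ports for b in ports if a is not b}


def hairpin_results(acl: Acl):
    return {
        "web1->web2": can_reach(WEB1, WEB2, GW, acl),
        "web1->app1": can_reach(WEB1, APP1, GW, acl),
        "fs1->fs2": can_reach(FS1, FS2, GW, acl),
        "web1->gw": can_reach(WEB1, GW, GW, acl),
    }


if __name__ == "__main__":
    print("no gateway ACL:  ", hairpin_results(NO_ACL))
    print("with gateway ACL:", hairpin_results(GATEWAY_ACL))
```

Without the ACL the two isolated web VMs reach each other through the gateway, so the PVLAN bought nothing against a compromised neighbour; with the deny rule on the SVI the isolation holds while the community and the outbound path to the gateway still work.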
NetFlow for VM Network Behavior Analysis
(Diagram: UCS hosts with the Nexus 1000V; Web-zone in VLAN 100 (isolated), Application-zone in VLAN 200 (isolated), Fileserver-zone in VLAN 300 (community); NetFlow/ERSPAN/SPAN exported at Layer 2 to a NetFlow data collector and over Layer 3 to a 6500 with NAM.)
VM Visibility
• VM flows can be mirrored via a SPAN port on the virtual switch; ERSPAN can also forward them over Layer 3 (e.g. to a 6500 NAM module)
• VM flow analysis via NetFlow for trending, visibility and security
System Isolation via Micro Segmentation: Policy Per App Tier, Per VM, Per vNIC
(Diagram: Tenant A and Tenant B, each a Virtual Service Domain (VSD) on the Nexus 1000V with a Web tier and an App tier (Web, App, DB VMs), protected by ASAv and vIPS, with VSG inside the tenant.)
• Control ingress/egress and inter-VM traffic: vFirewall, ACL, PVLAN
• Traffic and threat visibility: vIPS, NetFlow, SPAN/ERSPAN
• Mobility-transparent enforcement: port profiles
• Administrative segregation: Server • Network • Security
TrustSec
Drivers for Deploying TrustSec
• Mitigate risk: reduce the attack surface with segmentation
• Increase SecOps efficiency: manage security using logical groups, not IP addresses/VLANs
• Meet compliance objectives: authorize access to compliance-critical apps
Simplicity Goals of Group-Based Policies
• Managing security rules by groups instead of individual identifiers can mean: fewer rules/access control entries; policies that are easier to understand and audit; new assets can join a group without changing the policy
• Automating assignment of group membership avoids rule provisioning effort/lag: frees SecOps effort for other tasks; avoids the time required for manual provisioning of new apps/services
• If group membership can be independent of the network topology: group-based policies can be applied anywhere on the network; avoids/reduces the need for device-specific ACL configurations
TrustSec Concept
• Classification of systems/users based on context (user role, device, location, access method)
• Context (role) expressed as a Security Group Tag (SGT)
• Firewalls, routers and switches use the SGT to make filtering decisions
• Classify once, reuse the result multiple times
(Diagram: ISE classifies users and devices against the directory and assigns SGT:5; the SGT is propagated through the access switch, router and DC firewall to the DC switch, where enforcement applies against HR Servers and Fin Servers (SGT = 4 and SGT = 10).)
Inline tagging (SGT in data plane)
• SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame
• Capable switches process the SGT at line rate
• Optional MACsec protection
• No impact to QoS, IP MTU/fragmentation
• L2 frame impact: ~40 bytes (the 8-byte CMD, plus the 802.1AE header and ICV when MACsec is used)
• Recommend L2 MTU ~1600 bytes
• N.B. Assume incapable devices will drop frames with the unknown EtherType
(Frame layouts. Ethernet frame with CMD: Destination MAC, Source MAC, 802.1Q, CMD (EtherType 0x8909: Version, Length, SGT Option Type, SGT Value, other CMD options), EtherType, Payload, CRC. MACsec frame: Destination MAC, Source MAC, 802.1AE header (EtherType 0x88E5), 802.1Q, CMD, EtherType, Payload, ICV, CRC, with AES-GCM 128-bit encryption covering 802.1Q through the payload.)
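A small encoder and decoder for the CMD-tagged frame laid out above, added here as an illustration; it is not Cisco code. The EtherTypes 0x8909 (CMD) and 0x88E5 (MACsec) come from the slide; the 8-byte CMD layout and the Version = 1, Length = 1 and SGT option type = 0x0001 values are assumptions made for the example. The parser also models the last bullet: a device without CMD support sees an unknown EtherType and drops the frame, and a MACsec-protected frame hides the CMD from anyone without the session keys.

```python
import struct
from typing import Any, Dict, Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_CMD = 0x8909      # Cisco Meta Data, from the slide
ETHERTYPE_MACSEC = 0x88E5   # IEEE 802.1AE, from the slide
ETHERTYPE_IPV4 = 0x0800

# Assumed CMD layout (8 bytes): EtherType(2) Version(1) Length(1) SGT-option-type(2) SGT(2).
CMD_VERSION = 1
CMD_LENGTH = 1
CMD_SGT_OPTION = 0x0001
CMD_FORMAT = "!HBBHH"
CMD_SIZE = struct.calcsize(CMD_FORMAT)   # 8


def build_frame(dst: bytes, src: bytes, payload: bytes, ethertype: int = ETHERTYPE_IPV4,
                vlan: Optional[int] = None, sgt: Optional[int] = None) -> bytes:
    """Ethernet frame (no FCS) with an optional 802.1Q tag and an optional CMD carrying the SGT."""
    frame = dst + src
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    if sgt is not None:
        frame += struct.pack(CMD_FORMAT, ETHERTYPE_CMD, CMD_VERSION, CMD_LENGTH, CMD_SGT_OPTION, sgt)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes, cts_capable: bool = True) -> Dict[str, Any]:
    """Walk the header chain and return VLAN, SGT, inner EtherType and payload.

    cts_capable=False models a legacy switch that does not know 0x8909 and drops the frame.
    """
    dst, src, off = frame[:6], frame[6:12], 12
    vlan = sgt = None
    while True:
        (et,) = struct.unpack_from("!H", frame, off)
        if et == ETHERTYPE_8021Q:
            (tci,) = struct.unpack_from("!H", frame, off + 2)
            vlan, off = tci & 0x0FFF, off + 4
        elif et == ETHERTYPE_CMD:
            if not cts_capable:
                raise ValueError("unknown EtherType 0x8909: frame dropped")
            _, ver, _length, opt, val = struct.unpack_from(CMD_FORMAT, frame, off)
            if ver != CMD_VERSION or opt != CMD_SGT_OPTION:
                raise ValueError(f"unsupported CMD version {ver} or option {opt:#06x}")
            sgt, off = val, off + CMD_SIZE
        elif et == ETHERTYPE_MACSEC:
            # The CMD sits inside the MACsec-protected region (see the frame layout above),
            # so the SGT is not readable without the 802.1AE session keys.
            raise ValueError("MACsec frame: CMD is inside the protected payload")
        else:
            return {"dst": dst, "src": src, "vlan": vlan, "sgt": sgt,
                    "ethertype": et, "payload": frame[off + 2:]}


def dropped_by_legacy_switch(frame: bytes) -> bool:
    """True if a switch without CMD support would discard this frame."""
    try:
        parse_frame(frame, cts_capable=False)
        return False
    except ValueError:
        return True


def cmd_overhead() -> int:
    """Bytes added by inline tagging alone; MACsec adds its own header and ICV on top."""
    plain = build_frame(b"\0" * 6, b"\0" * 6, b"x")
    tagged = build_frame(b"\0" * 6, b"\0" * 6, b"x", sgt=10)
    return len(tagged) - len(plain)


if __name__ == "__main__":
    f = build_frame(bytes.fromhex("0011223344ff"), bytes.fromhex("0011223344ee"),
                    b"\x45" + b"\0" * 19, vlan=200, sgt=10)
    print(parse_frame(f))
    print("CMD overhead:", cmd_overhead(), "bytes; dropped by legacy switch:", dropped_by_legacy_switch(f))
```

The overhead the function reports is the 8 bytes of the CMD itself; the slide's ~40 bytes is the figure with MACsec added, which is why the MTU recommendation is ~1600 rather than the usual 1500.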
SGT eXchange Protocol (SGT in Control Plane)
• SXP is very simple to enable: SGT propagation without hardware dependencies, possible from the access edge to the enforcement device
• Uses TCP as the transport protocol
• TCP port 64999 for connection initiation
• Uses TCP MD5 for authentication and integrity check; the password is a shared secret per peer, and a peer that holds it can push IP-to-SGT bindings into the listener, so SXP peers must be treated as trusted infrastructure
• Two roles: Speaker (initiator) and Listener (receiver)
(Diagram: access switches as SXP speakers toward an aggregation switch, which in turn speaks SXP to the router acting as listener.)
Assigning Security Groups
Dynamic classification (common classification for mobile devices): 802.1X authentication, MAC Auth Bypass, Web authentication
Static classification (classification for servers, topology-based assignments): IP address, VLANs, subnets, L2 interface, L3 interface, virtual port profile, Layer 2 port lookup
Dynamic SGT Assignments in Authorization Rules
• Policy > Authorization > Permissions > Security Groups
• Requires a basic authorization profile (Access Accept, Access Reject)
Nexus 1000V: SGT Assignment in Port Profile
• Port profile: a container of network properties, applied to different interfaces
• The server admin may assign port profiles to new VMs
• VMs inherit the network properties of the port-profile, including the SGT
• The SGT stays with the VM even if it is moved
Static SGT Assignments (IOS CLI examples)
IP to SGT mapping: cts role-based sgt-map A.B.C.D sgt SGT_Value
VLAN to SGT mapping*: cts role-based sgt-map vlan-list VLAN sgt SGT_Value
Subnet to SGT mapping: cts role-based sgt-map A.B.C.D/nn sgt SGT_Value
L3 ID to port mapping**: (config-if-cts-manual)# policy dynamic identity name
L3IF to SGT mapping**: cts role-based sgt-map interface name sgt SGT_Value
L2IF to SGT mapping*: (config-if-cts-manual)# policy static sgt SGT_Value
* relies on IP Device Tracking ** relies on route prefix snooping
Access Layer Classification Summary
| | C2960-S | C3750X | C3850/WLC 5760 | C4500 | C6x00 | ISR/ASR1000 | WLC |
|---|---|---|---|---|---|---|---|
| Dynamic 802.1X | X | X | X | X | X | X | X |
| MAB | X | X | X | X | X | X | X |
| Web Auth | X | X | X | X | X | X | X |
| Static VLAN/SGT | - | X* | X | X | X* | - | - |
| Subnet/SGT | - | - | X | X | X | - | - |
Layer 3 Interface Mapping: - - - X - -
* limits on the number of VLANs per platform
Applying SGACL policies (Matrix View)
Example SGACL Portal_ACL:
    permit tcp dst eq 443
    permit tcp dst eq 80
    permit tcp dst eq 22
    permit tcp dst eq 3389
    permit tcp dst eq 135
    permit tcp dst eq 136
    permit tcp dst eq 137
    permit tcp dst eq 138
    permit tcp dst eq 139
    deny ip
Policy Enforcement on Firewalls: ASA SG-FW
• Can still use network objects (host, range, network, FQDN) and/or the SGT
• SXP informs the ASA of Security Group membership
• Security Group definitions come from ISE
• Trigger other services by SGT, such as NGIPS
Typical Deployment Approach
(Diagram: campus network of Catalyst® switches/WLC (3K/4K/6K) in Monitor Mode; users and endpoints authenticate (AUTH=OK, SGT = PCI User (10)); egress enforcement with Security Group ACLs on the N7K in front of the PCI, Production and Development servers.)
Access port configuration for monitor mode:
    authentication port-control auto
    authentication open
    dot1x pae authenticator
| SRC \ DST | PCI Server (111) | Dev Server (222) |
|---|---|---|
| Dev User (8) | Deny all | Permit all |
| PCI User (10) | Permit all | Permit all |
| Unknown (0) | Deny all | Deny all |
1. Users connect to the network; monitor mode allows traffic regardless of authentication
2. Authentication can be performed passively, resulting in SGT assignments
3. Traffic traverses the network to the Data Center enforcement points
4. Enforcement may be enabled gradually per destination Security Group
TrustSec Functions and Platform Support (Classification, Propagation, Enforcement)
(Platform matrix; the per-cell SXP / inline SGT / SGACL / SG-FW marks and the “NEW” flags are not recoverable from the slide text.)
Classification: Catalyst 2960-S/-C/-Plus/-X/-XR, Catalyst 3560-E/-C/-X, Catalyst 3750-E/-X, Catalyst 4500E (Sup6E/7E/8), Catalyst 6500E (Sup720/2T), Catalyst 3850/3650, WLC 5760, Wireless LAN Controller 2500/5500/WiSM2, Nexus 7000, Nexus 5500, Nexus 1000V (port profile), ISR G2 router, CGR2000
Propagation (SXP, with inline SGT on the newer platforms): Catalyst 2960-S/-C/-Plus/-X/-XR, Catalyst 3560-E/-C, 3750-E, Catalyst 3560-X, 3750-X, Catalyst 3850/3650, Catalyst 4500E (Sup6E), Catalyst 4500E (7E, 8), 4500X, Catalyst 6500E (Sup720), Catalyst 6500E (2T), 6800, WLC 2500, 5500, WiSM2, WLC 5760, Nexus 1000V, Nexus 6000/5600, Nexus 5500/22xx FEX, Nexus 7000/22xx FEX, ISR G2, CGS2000, ASR1000, ASA 5500 firewall, ASASM, IE2000/3000, CGS2000 (new), ASA 5500 (VPN RAS); GETVPN, DMVPN and IPsec carry the SGT between routers. Inline SGT on all ISR G2 except the 800 series.
Enforcement (SGACL on switches, SG-FW on firewalls and routers): Catalyst 3560-X, 3750-X, Catalyst 4500E (7E), 4500E (8E), Catalyst 6500E (2T), 6800, Catalyst 3850/3650, WLC 5760, Nexus 7000, Nexus 6000, Nexus 5600 (new), Nexus 5500 (new), Nexus 1000V, ISR G2 router, CGR2000, ASA 5500 firewall, ASAv firewall, ASR 1000 router, CSR-1000v router
Use Case for DC Segmentation
Server Segmentation in Data Center
(Diagram: Web Server VLAN, App VLAN and Database VLAN, plus a DR cluster; a new server raises the questions “App VLAN?” and “Which policy?”.)
• Physical and virtual servers segmented using VLANs
• Policy stays with the VLAN or IP address, not with the servers
• Network Ops, Server Ops and Security Ops are all involved in operation
• As the number of servers grows, complexity and OPEX follow
Server Segmentation with TrustSec
(Diagram: Web Server SGT (10), Application Server SGT (20) and Database Server SGT (30) sharing one Production Server VLAN, plus a DR cluster.)
SGACL policy:
    permit tcp from src Web to dst App eq HTTPS
    permit tcp from src App to dst DB eq SQL
    deny any from src Web to dst DB eq SQL
• Server, Network and Security teams share a common security object
• Policy stays with the servers, not with the topology
• Works for both physical and virtual servers
• As the number of servers grows, management complexity and OPEX do not
Data Center Segmentation
• Segment servers into logical zones
• Control access to logical DC entities based on role
• Apply controls to physical and virtual servers
How to define this policy (✓ permitted, ✗ blocked), enforced on the switch:
| SRC \ DST | Web Servers | Middleware Servers | Database Servers | Storage |
|---|---|---|---|---|
| Web Servers | ✓ | ✓ | ✗ | ✗ |
| Middleware Servers | ✓ | ✓ | ✓ | ✓ |
| Database Servers | ✗ | ✓ | ✓ | ✓ |
| Storage | ✗ | ✓ | ✓ | ✓ |
Using SGACL and SG-FW functions together
(Diagram: ISE distributes policy; Risk Level 1 holds PCI_Web, PCI_App and PCI_DB, Risk Level 2 holds LOB2_DB; PCI_Users reach them through the ASA, which learns IP/SGT mappings from the switches via SXP.)
• SGACL on switches enforcing policy within each Risk Level
• ASA enforcing policy between Risk Levels (with IP/SGT mappings supplied from the switch infrastructure)
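The following added Python model ties together the static IP/subnet-to-SGT mappings, SGACL cells written in the Portal_ACL syntax with an explicit trailing deny ip, the matrix view and the monitor-mode rollout per destination group from the earlier slides into one evaluation path. It is illustrative code written for this page, not ISE, IOS or ASA code: the subnets, the SGT numbers, port 1433 standing in for the slide's “SQL”, and a permit default for cells that have no SGACL (ISE's shipped default, which a deployment may change) are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

SGT_UNKNOWN = 0                      # the "Unknown (0)" row of the monitor-mode matrix
SGT_WEB, SGT_APP, SGT_DB = 10, 20, 30


class SgtMap:
    """Static classification, like 'cts role-based sgt-map A.B.C.D[/nn] sgt N'; longest prefix wins."""

    def __init__(self) -> None:
        self.entries: List[Tuple[ipaddress.IPv4Network, int]] = []

    def add(self, prefix: str, sgt: int) -> None:
        self.entries.append((ipaddress.ip_network(prefix), sgt))

    def lookup(self, ip: str) -> int:
        addr = ipaddress.ip_address(ip)
        best: Optional[Tuple[ipaddress.IPv4Network, int]] = None
        for net, sgt in self.entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sgt)
        return best[1] if best else SGT_UNKNOWN


Rule = Tuple[str, str, Optional[int]]   # (action, protocol, destination port or None)


def parse_sgacl(text: str) -> List[Rule]:
    """Parse lines such as 'permit tcp dst eq 443' or 'deny ip' (the Portal_ACL syntax)."""
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        parts = line.split()
        port = int(parts[parts.index("eq") + 1]) if "eq" in parts else None
        rules.append((parts[0], parts[1], port))
    return rules


def sgacl_decision(rules: List[Rule], proto: str, dst_port: int) -> Optional[str]:
    """First matching rule wins; None means nothing in the cell matched."""
    for action, p, port in rules:
        if p != "ip" and p != proto:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return None


class Matrix:
    def __init__(self, default: str = "permit") -> None:
        self.cells: Dict[Tuple[int, int], List[Rule]] = {}
        self.default = default           # assumption: the ISE default of permit is unchanged
        self.enforced_dst: set = set()   # destination SGTs that have left monitor mode

    def set_cell(self, src_sgt: int, dst_sgt: int, sgacl: str) -> None:
        self.cells[(src_sgt, dst_sgt)] = parse_sgacl(sgacl)

    def enforce(self, dst_sgt: int) -> None:
        self.enforced_dst.add(dst_sgt)

    def decide(self, src_sgt: int, dst_sgt: int, proto: str, dst_port: int) -> str:
        if dst_sgt not in self.enforced_dst:
            return "permit"              # monitor mode: traffic flows and is only logged
        rules = self.cells.get((src_sgt, dst_sgt))
        if rules is None:
            return self.default
        return sgacl_decision(rules, proto, dst_port) or self.default


def evaluate(sgt_map: SgtMap, matrix: Matrix, src_ip: str, dst_ip: str,
             proto: str, dst_port: int) -> Tuple[int, int, str]:
    """Classify both ends, then apply the (src SGT, dst SGT) cell at the egress enforcement point."""
    src_sgt, dst_sgt = sgt_map.lookup(src_ip), sgt_map.lookup(dst_ip)
    return src_sgt, dst_sgt, matrix.decide(src_sgt, dst_sgt, proto, dst_port)


def build_demo() -> Tuple[SgtMap, Matrix]:
    """Constructed three-tier policy following the 'Server Segmentation with TrustSec' slide."""
    sgt_map = SgtMap()
    sgt_map.add("10.1.10.0/24", SGT_WEB)
    sgt_map.add("10.1.20.0/24", SGT_APP)
    sgt_map.add("10.1.30.0/24", SGT_DB)
    sgt_map.add("10.1.30.250/32", SGT_WEB)   # host override; the /32 beats the /24
    m = Matrix()
    m.set_cell(SGT_WEB, SGT_APP, "permit tcp dst eq 443\ndeny ip")
    m.set_cell(SGT_APP, SGT_DB, "permit tcp dst eq 1433\ndeny ip")   # 1433 stands in for "SQL"
    m.set_cell(SGT_WEB, SGT_DB, "deny ip")
    for dst in (SGT_WEB, SGT_APP, SGT_DB):
        m.set_cell(SGT_UNKNOWN, dst, "deny ip")        # unclassified sources get nothing
    m.enforce(SGT_APP)
    m.enforce(SGT_DB)                                  # Web tier still in monitor mode
    return sgt_map, m


if __name__ == "__main__":
    sgt_map, m = build_demo()
    for flow in [("10.1.10.5", "10.1.20.5", "tcp", 443), ("10.1.10.5", "10.1.30.5", "tcp", 1433),
                 ("10.1.20.5", "10.1.30.5", "tcp", 22), ("192.168.9.9", "10.1.30.5", "tcp", 1433),
                 ("192.168.9.9", "10.1.10.5", "tcp", 80)]:
        print(flow, "->", evaluate(sgt_map, m, *flow))
```

Two things worth checking in a real rollout fall out of the model: an unclassified source (SGT 0) is only stopped where a deny cell exists for it and the destination group is already enforcing, and a cell you forgot to configure falls back to the matrix default, so review that default before turning enforcement on for a destination group.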
Virtual NGIPS
vIPS • Virtual Switch Inline and Passive Deployment Options
(Diagram: passive: the vIPS on a promiscuous port of the vSwitch in Web-zone VLAN 200; inline: the vIPS bridging an External vSwitch and an Internal vSwitch in Web-zone VLAN 200.)
Service chaining - ASAv and vIPS
(Diagram: UCS hosts with the Nexus 1000V; Web-zone and Fileserver-zone on VLAN 200; the ASAv on the .1Q trunk with external VLAN 50, uplinks through Nexus 5500 to a Nexus 7000 VRF on VLAN 50; the vIPS with an inline set between External and Internal; Defense Center with FireSIGHT receiving application flow data.)
Application Security & Visibility
• Stateful inspection with the virtual ASA for north-south and east-west VM traffic
• Deep inspection with the virtual IPS, inline with VLAN pairing
Application Security & Visibility: ASAv + vNGIPS passive
(Diagram: the same topology with Web-zone on VLAN 200 and Fileserver-zone on VLAN 300, the ASAv on the .1Q trunk toward the Nexus 7000 VRF on VLAN 50, and the vNGIPS receiving a passive copy of the traffic.)
Virtual Appliance Inline
Virtual IDS Passive
FireSIGHT Context Explorer Application Security and Visibility
View all application traffic… Look for risky applications… Who is using them?
On what operating systems? What else have these users been up to?
What does their traffic look like over time?
Application Security & Visibility • Geo Location Information
Application Security & Visibility • Defense Center with FireSight
Physical Security Services for Virtualization
ASA Firewalls and the Data Center Fabric
• ASA and Nexus Virtual Port Channel: vPC ensures all active links are utilized (eliminates blocked STP links); the ASA leverages DC redundancy technologies; unique integration between ASA and Nexus (LACP)
• The IPS module relies on ASA connectivity and provides DPI
• Validated design to provide segmentation, threat protection and visibility
• Transparent (recommended) and routed modes
• Works with both A/S and A/A failover
(Diagram: core layer (Core IP1, Core IP2), data center aggregation layer with N7K vPC 40 and vPC 41 over an active vPC peer-link, an active/standby ASA pair, and access layers of hypervisors running the Nexus 1000V with vPath.)
ASA Connecting to Nexus with vPC (best practices shown)
(Diagram: DC core/edge above an aggregation layer of two N7Ks with a vPC peer link, FHRP and an SVI for VLAN 200 on each, L3 above and L2 below; the ASA HA pair attaches via ASA channel 32 to N7K VPC 40 and VPC 41; trunks carry VLAN 200 Outside (North Zone) and VLAN 201 Inside (South Zone) to the access layer.)
• ASA connected to the Nexus using multiple physical interfaces on a vPC; the ASA can be configured to fail over after a certain number of links are lost (when using HA)
• Note that the vPC identifiers are different for each ASA on the Nexus switch (this changes with the ASA clustering feature and cLACP [not yet shown])
Transparent Mode Configuration in the DC: Two Interfaces
(Diagram: North Zone VLAN 200 Outside and South Zone VLAN 201 Inside; the N7K SVIs for VLAN 200 are 172.16.25.253 and 172.16.25.254 with FHRP address 172.16.25.1; the ASA BVI is 172.16.25.86/24; the vPC trunks toward the ASA allow VLANs 1, 200 and 201, the trunks toward the server in VLAN 201 allow VLANs 1 and 201.)
ASA member interfaces:
    interface TenGigabitEthernet0/6
      channel-group 32 mode active
      no nameif
      no security-level
    !
    interface TenGigabitEthernet0/7
      channel-group 32 mode active
      no nameif
      no security-level
    !
Bridge group and sub-interfaces:
    interface BVI1
      ip address 172.16.25.86 255.255.255.0
    !
    interface Port-channel32
      no nameif
      no security-level
    !
    interface Port-channel32.201
      mac-address 3232.1111.3232
      vlan 201
      nameif inside
      bridge-group 1
      security-level 100
    !
    interface Port-channel32.200
      mac-address 3232.1a1a.3232
      vlan 200
      nameif outside
      bridge-group 1
      security-level 0
Physical to Virtual
(Diagram: core and aggregation Nexus 7000 with VRF Blue and VRF Purple and a firewall per VRF, Nexus 5500 access, and a Nexus 1000V on each hypervisor.)
• Leverage the physical infrastructure to provide isolation and segmentation for the virtual
• Zones are used to define policy enforcement
• Physical infrastructure mapped per zone
§ Separate and dedicated routing tables per zone via VRF
§ Firewall enforcement per zone maps north-south and east-west
§ Layer 2 and Layer 3 path through physical services
Firewall & Virtual Environment: ASA Virtual Contexts for Inter-Zone VM Traffic Flows
(Diagram: an ASA 5585 pair at the aggregation layer with Context 1 (transparent mode, VLAN 20/21) in front of the Front-End Apps zone and Context 2 (transparent mode, VLAN 100/101) in front of the Database zone, each zone on its own hypervisors. The firewall virtual context provides inter-zone East-West security; East-West zone filtering.)
© 2015 Cisco and/or its affiliates. All rights reserved. BRKSEC-2206 Cisco Public Hypervisor
Inspecting Inter-VLAN VM Traffic Flows: ASA with Bridge Groups within a Context
[Diagram: Core, Aggregation and hypervisor; ASA 5585 in transparent mode performing east-west VLAN filtering between VLAN 20/VLAN 21 and VLAN 100/VLAN 101]
• Layer 2 adjacent VMs are switched locally (direct communication, the firewall is not in the path)
• The Layer 3 gateway is a VRF or SVI on the aggregation layer, so inter-VLAN traffic has to cross the ASA bridge group
• East-West VLAN filtering

Layer 3 gateway (SVI) configuration:
  interface vlan 21 (10.10.20.1/24)
  interface vlan 101 (10.10.101.1/24)

ASA configuration (transparent mode, bridge group 1 joining VLAN 20 and VLAN 21):
  interface TenGigabitEthernet0/6
   channel-group 32 mode active vss-id 1
   no nameif
   no security-level
  !
  interface TenGigabitEthernet0/7
   channel-group 32 mode active vss-id 2
   no nameif
   no security-level
  !
  interface BVI1
   ip address 10.10.20.254 255.255.255.0
  !
  interface Port-channel32
   no nameif
   no security-level
  !
  interface Port-channel32.20
   mac-address 3232.1111.3232
   vlan 20
   nameif inside
   bridge-group 1
   security-level 100
  !
  interface Port-channel32.21
   mac-address 3232.1a1a.3232
   vlan 21
   nameif outside
   bridge-group 1
   security-level 0
  …

Note that the servers on VLAN 20 (inside) and the gateway SVI on VLAN 21 (outside) share the subnet 10.10.20.0/24: the ASA bridges the two VLANs at Layer 2, and its BVI address 10.10.20.254 sits in that same subnet.
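The bridge-group stanzas above are easy to get subtly wrong (a member without a nameif, two members on the same VLAN, a missing BVI address). The following Python script, an added example that is not from the Cisco deck, parses the slide's configuration (reflowed as a constructed sample; the trailing "…" is not filled in) and checks those properties. The parser and the list of checks are assumptions about what is worth linting, not ASA behaviour documented on this page.

```python
"""Lint an ASA transparent-mode bridge-group configuration (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample: the ASA stanzas shown on the slide, reflowed one
# command per line. The slide's trailing "..." is not filled in.
SAMPLE_CONFIG = """
interface TenGigabitEthernet0/6
 channel-group 32 mode active vss-id 1
 no nameif
 no security-level
!
interface TenGigabitEthernet0/7
 channel-group 32 mode active vss-id 2
 no nameif
 no security-level
!
interface BVI1
 ip address 10.10.20.254 255.255.255.0
!
interface Port-channel32
 no nameif
 no security-level
!
interface Port-channel32.20
 mac-address 3232.1111.3232
 vlan 20
 nameif inside
 bridge-group 1
 security-level 100
!
interface Port-channel32.21
 mac-address 3232.1a1a.3232
 vlan 21
 nameif outside
 bridge-group 1
 security-level 0
!
"""


def parse_interfaces(text):
    """Map each 'interface X' stanza to {keyword: argument}; 'no foo' -> foo: None."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {}
        elif cur is not None:
            if line.startswith("no "):
                ifaces[cur][line[3:]] = None
            else:
                key, _, arg = line.partition(" ")
                ifaces[cur][key] = arg
    return ifaces


def lint_bridge_groups(ifaces):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    members = defaultdict(list)
    for name, attrs in ifaces.items():
        if attrs.get("bridge-group"):
            members[attrs["bridge-group"]].append(name)
    bvis = {n[3:]: a for n, a in ifaces.items() if n.startswith("BVI")}

    for gid, names in members.items():
        if len(names) < 2:
            findings.append(f"bridge-group {gid}: only {len(names)} member interface, nothing to bridge")
        vlans = [ifaces[n].get("vlan") for n in names]
        if len(set(vlans)) != len(vlans):
            findings.append(f"bridge-group {gid}: member interfaces must carry distinct VLANs, got {vlans}")
        macs = [ifaces[n].get("mac-address") for n in names if ifaces[n].get("mac-address")]
        if len(set(macs)) != len(macs):
            findings.append(f"bridge-group {gid}: duplicate mac-address on member interfaces")
        for n in names:
            if not ifaces[n].get("nameif") or ifaces[n].get("security-level") is None:
                findings.append(f"{n}: bridge-group member needs both nameif and security-level")
        # Transparent mode needs a BVI address inside the bridged subnet for
        # ASA-originated traffic (management, syslog, AAA).
        bvi = bvis.get(gid)
        if bvi is None or not (bvi.get("ip") or "").startswith("address "):
            findings.append(f"bridge-group {gid}: BVI{gid} with an ip address is missing")
        else:
            addr, mask = bvi["ip"].split()[1:3]
            iface = ipaddress.ip_interface(f"{addr}/{mask}")
            if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
                findings.append(f"BVI{gid}: {addr} is the network or broadcast address")
    return findings


if __name__ == "__main__":
    for finding in lint_bridge_groups(parse_interfaces(SAMPLE_CONFIG)) or ["OK: no findings"]:
        print(finding)
```

The slide's configuration passes; editing one member to `vlan 20` or renaming the BVI produces a finding, which is the kind of mistake that silently leaves a VLAN pair unbridged.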
ASA Clustering Overview
• Clustering is only supported on the ASA 5580 and 5585 and on the 5500-X (the 5500-X supports a cluster of two units)
• The cluster control link (CCL) is critical: without it no clustering can occur
• A master is elected among the cluster members for configuration sync only; it has no bearing on how packets flow through the cluster
• New concept of a "spanned port-channel": one port-channel configuration shared among the clustered ASAs
• The cluster can rebalance flows among its members
• Every flow in the cluster has an Owner and a Director, and possibly a Forwarder
• The data plane of the cluster MUST use cLACP (the spanned port-channel)
[Diagram: ASA cluster attached to the Core/Aggregation layer via vPC; the data plane is the spanned port-channel, with a separate cluster control link between the members]
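How the Owner, Director and Forwarder roles cooperate on an asymmetric path is easier to see in a model than in a bullet. The Python below is an added toy model, not Cisco code: it assumes the director is chosen by a hash over the canonical 5-tuple, that the first packet of a connection makes the receiving unit the owner, and that a unit receiving a packet for a flow it does not own asks the director (or its cached answer) and forwards to the owner. Director fail-over and the real ASA hash-table layout are not modelled.

```python
"""Toy model of ASA clustering flow roles: owner, director, forwarder (added example)."""
import hashlib
from dataclasses import dataclass, field


def canonical(five_tuple):
    """Order the endpoints so both directions of a connection map to one flow key."""
    proto, a, b = five_tuple[0], five_tuple[1:3], five_tuple[3:5]
    return (proto,) + (a + b if a <= b else b + a)


@dataclass
class Unit:
    uid: int
    alive: bool = True
    owned: dict = field(default_factory=dict)      # owner role: flow -> state
    backup: dict = field(default_factory=dict)     # director role: flow -> owner uid
    fwd_cache: dict = field(default_factory=dict)  # forwarder role: flow -> owner uid


class Cluster:
    def __init__(self, size):
        self.units = [Unit(i) for i in range(size)]

    def director_for(self, flow):
        # ASSUMPTION: the director is picked by hashing the canonical flow key
        # across all members; director fail-over is not modelled here.
        h = int.from_bytes(hashlib.sha256(repr(flow).encode()).digest()[:8], "big")
        return self.units[h % len(self.units)]

    def handle_packet(self, ingress_uid, five_tuple, first_packet=False):
        """Process one packet arriving on unit ingress_uid.

        Returns (role played by the ingress unit, uid of the flow owner).
        """
        unit = self.units[ingress_uid]
        flow = canonical(five_tuple)
        if flow in unit.owned:
            unit.owned[flow]["pkts"] += 1
            return "owner", unit.uid

        director = self.director_for(flow)
        if first_packet and flow not in director.backup:
            # Whoever receives the first packet owns the connection; the
            # director keeps a backup entry so other members can find it.
            unit.owned[flow] = {"pkts": 1}
            director.backup[flow] = unit.uid
            return "owner", unit.uid

        owner_uid = unit.fwd_cache.get(flow)
        if owner_uid is None:
            owner_uid = director.backup.get(flow)
            if owner_uid is None:
                return "dropped", None   # mid-connection packet nobody has state for
        if not self.units[owner_uid].alive:
            # Owner is gone: the director's backup lets the receiving unit
            # take the connection over instead of dropping it.
            unit.owned[flow] = {"pkts": 1}
            director.backup[flow] = unit.uid
            for u in self.units:
                u.fwd_cache.pop(flow, None)
            return "owner", unit.uid
        # Asymmetric return path: the packet is handed to the owner over the
        # cluster control link and the ingress unit caches the owner as forwarder.
        unit.fwd_cache[flow] = owner_uid
        self.units[owner_uid].owned[flow]["pkts"] += 1
        return ("director" if unit is director else "forwarder"), owner_uid


if __name__ == "__main__":
    cluster = Cluster(4)
    syn = ("tcp", "10.10.20.5", 40000, "10.10.101.7", 443)
    synack = ("tcp", "10.10.101.7", 443, "10.10.20.5", 40000)
    print(cluster.handle_packet(0, syn, first_packet=True))   # unit 0 becomes owner
    print(cluster.handle_packet(2, synack))                    # return path lands on unit 2
    cluster.units[0].alive = False
    print(cluster.handle_packet(1, syn))                       # unit 1 takes the flow over
```

With four units the SYN lands on unit 0 (owner), the SYN-ACK comes back through unit 2, which becomes a forwarder (or answers as director if the hash picked it), and once unit 0 is marked down the next packet makes unit 1 the new owner from the director's backup entry. The point of the model is the one the bullets make: no member needs to see both directions, but every member needs the CCL to find the owner.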
Firewall Clustering: ASA Clustering to Meet DC Requirements
[Diagram: four ASA 5585 units in one cluster between Core and Aggregation, hypervisors hosting the Web Apps and Database zones, Owner and Director roles marked on the cluster members, cluster control link between them]
• The cluster control link shares state and connection information among the cluster members
• The ASA cluster includes Context 1 and Context 2, both in transparent mode
• The cluster functions the same in either transparent or routed mode
• Cluster members are used for north-south and east-west inspection and filtering
• IPS relies on ASA clustering
Firewall Section Summary
• Physical appliances and virtualized firewalls offer different options for security control in the DC
• Virtual firewalls (multiple-context mode) are common for stateful control between VRFs and Nexus VDCs
• A transparent-mode (Layer 2) firewall offers many benefits without the constraints of routed mode: routing protocols, multicast, IPsec, etc. can all traverse it
• Use LACP for link aggregation in the DC
• Firewall clustering offers higher throughput and reassembly of asymmetric flows
• Integration with emerging technologies, e.g. ACI
Appliances Summary
[Chart: IPS throughput (440-byte HTTP) for the FirePOWER 7000 series (7010, 7020, 7030, 7050, 7110, 7115, 7120, 7125), the 8000 series (8120, 8130, 8140, 8250, 8350, 8360, 8370, 8390), the AMP 7150 and AMP 8150, and the SSL1500, SSL2000 and SSL8200 appliances, covering NGIPS, Application Control, NGFW and AMP. Throughput tiers shown: 50 Mbps, 100 Mbps, 250 Mbps, 500 Mbps, 750 Mbps, 1 Gbps, 1.25 Gbps, 1.5 Gbps, 2 Gbps, 4 Gbps, 6 Gbps, 10 Gbps, 15 Gbps, 30 Gbps, 45 Gbps, 60 Gbps]
All appliances include: integrated lights-out management, Sourcefire acceleration technology, an LCD display.
What platforms support the FirePOWER hardware module? Maximum AVC and IPS throughput
[Chart positions the platforms between the Campus / Data Center and Enterprise Internet Edge segments]
  Platform         NGFW throughput   Connections   CPS
  ASA 5585-SSP10   2 Gbps            500K          40,000
  ASA 5585-SSP20   3.5 Gbps          1M            75,000
  ASA 5585-SSP40   6 Gbps            1.8M          120,000
  ASA 5585-SSP60   10 Gbps           4M            160,000
Cisco Classic IPS Module in ASA
[Diagram: Data Center Core layer, DC Aggregation layer and DC Access layer (Access & Virtual Access) with virtual and physical servers; ASA 5585 + NGIPS FirePOWER service module shown both in a cluster and as an HA active/standby pair]
Physical to Virtual Segmentation: VRF – VLAN – Virtual
[Diagram: Nexus 7K with VRFs, an ASA with contexts CTX1, CTX2 and CTX3, VLAN pairs (VLANx1/VLANx2, VLANy1/VLANy2, VLANz1/VLANz2) leading to ASAv/VSG, vIPS and ASAv-protected zones (Zone B, Zone C), with SGTs assigned to the workloads]
Segmentation Building Blocks
• Merging physical and virtual infrastructure
• Zones are used to define policy enforcement
• Unique policies and traffic decisions are applied to each zone
• Physical infrastructure is mapped per zone: VRF, Nexus Virtual Device Context, VLANs, SGT
Enhanced Visibility and Threat Defense for the Data Center
Security Model: the Attack Continuum
  BEFORE: Control, Enforce, Harden
  DURING: Detect, Block, Defend
  AFTER: Scope, Contain, Remediate
Applies across Network, Endpoint, Mobile, Virtual and Cloud; point-in-time controls complemented by continuous ones.
Detection is key to Respond and Recover
Source: Verizon 2012 Data Breach Investigation Report
Kill Chain: Post Breach
  1. Command and Control  2. Reconnaissance  3. Propagation  4. Data Theft
Perimeter controls: Firewall, IPS, Web Sec, N-AV, Email Sec
Threat detection from the network itself: Routers, Switches, Firewall
Scalable Network Defense
[Build of the previous slide: the same post-breach kill chain, with the perimeter controls (Firewall, IPS, Web Sec, N-AV, Email Sec) and the routers, switches and firewalls providing threat detection]
Scalable Network Defense
Today: Advanced Visibility & Investigation
• Partner with Lancope to deliver NetFlow visibility and security intelligence
• Enhance it with identity (Cisco ISE), device and application awareness (Cisco ISR G2 + NBAR)
[Diagram: NetFlow visibility from routers, switches and firewalls feeding threat detection, alongside the Firewall, IPS, Web Sec, N-AV and Email Sec controls]
Cisco CTD Solution: Providing Scalable Visibility Drilling into a single flow yields a plethora of information
Flow-based Anomaly Detection
1. Collect & analyze flows: number of concurrent flows, packets per second, bits per second, new flows created, number of SYNs sent, number of SYNs received, rate of connection resets, duration of the flow, time of day, and over 80 other attributes
2. Establish a baseline of behaviors per host group (e.g. Critical Servers, Exchange Server, Web Servers, Marketing), each with its own threshold
3. Alarm on anomalies and changes in behavior: an anomaly in host behavior is detected when it crosses the group's threshold
Behavior-Based Attack Detection
A high Concern Index indicates a significant number of suspicious events that deviate from established baselines.
  Host Group | Host          | CI          | CI%    | Alarms             | Alerts
  Desktops   | 10.10.101.118 | 865,645,669 | 8,656% | High Concern Index | Ping, Ping_Scan, TCP_Scan
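The Concern Index table shows the result; the mechanism behind it is a per-host-group baseline plus a score for deviations from it. The Python below is an added example and not StealthWatch code: it builds mean/standard-deviation baselines per host group over three of the attributes listed above (flows, SYNs sent, SYNs received; constructed history, not real telemetry) and adds points for each metric that rises more than SIGMA_LIMIT standard deviations above its group. The sigma limit, the points per sigma and the alarm threshold are assumptions; StealthWatch's real weighting is not on this page.

```python
"""Baseline-and-deviation scoring in the spirit of a Concern Index (added example)."""
import statistics
from collections import defaultdict

METRICS = ("flows", "syns_sent", "syns_received")

# Constructed history: hourly (flows, SYNs sent, SYNs received) per host,
# grouped the way StealthWatch groups hosts. Not real telemetry.
HISTORY = {
    "Web Servers": {
        "10.10.101.10": [(900, 50, 880), (950, 55, 910), (920, 52, 890)],
        "10.10.101.11": [(870, 48, 850), (910, 51, 880), (890, 49, 860)],
    },
    "Desktops": {
        "10.10.101.118": [(40, 40, 5), (38, 36, 6), (45, 44, 4)],
        "10.10.101.119": [(42, 41, 5), (39, 37, 6), (41, 40, 5)],
    },
}

SIGMA_LIMIT = 3.0      # deviations below this add no points (assumption)
POINTS_PER_SIGMA = 10  # weight per standard deviation above the limit (assumption)
CI_ALARM = 50          # "High Concern Index" threshold used here (assumption)


def build_baseline(history):
    """Per host group and metric: (mean, stdev) over every member host's samples."""
    baseline = {}
    for group, hosts in history.items():
        columns = defaultdict(list)
        for samples in hosts.values():
            for sample in samples:
                for name, value in zip(METRICS, sample):
                    columns[name].append(value)
        baseline[group] = {
            name: (statistics.mean(vals), max(statistics.pstdev(vals), 1.0))
            for name, vals in columns.items()
        }
    return baseline


def concern_index(baseline, group, sample):
    """Score one new sample against its group's baseline.

    Returns (points, [(metric, sigmas), ...]) for metrics above SIGMA_LIMIT.
    Only upward deviations count: a scanning or beaconing host produces more
    of everything, never less.
    """
    points, triggered = 0, []
    for name, value in zip(METRICS, sample):
        mean, stdev = baseline[group][name]
        sigmas = (value - mean) / stdev
        if sigmas > SIGMA_LIMIT:
            points += int((sigmas - SIGMA_LIMIT) * POINTS_PER_SIGMA)
            triggered.append((name, round(sigmas, 1)))
    return points, triggered


def alarms(baseline, observations):
    """observations: {(group, host): sample}. Returns hosts whose CI reaches CI_ALARM."""
    out = {}
    for (group, host), sample in observations.items():
        ci, why = concern_index(baseline, group, sample)
        if ci >= CI_ALARM:
            out[host] = {"group": group, "ci": ci,
                         "ci_pct": round(100 * ci / CI_ALARM), "metrics": why}
    return out


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    today = {("Desktops", "10.10.101.118"): (5000, 4800, 3),   # sweeping the subnet
             ("Desktops", "10.10.101.119"): (41, 40, 5),
             ("Web Servers", "10.10.101.10"): (930, 53, 900)}
    for host, alarm in alarms(base, today).items():
        print(host, alarm)
```

Only the desktop that suddenly opens thousands of flows and sends thousands of SYNs crosses the threshold; the same counts would be unremarkable in the Web Servers group, which is why the baseline is kept per host group rather than per network.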
StealthWatch Solution Components
[Diagram: the Cisco network (NetFlow, NBAR, ASA NSEL) and Cisco ISE (users/devices) feed the StealthWatch components]
• StealthWatch FlowCollector: receives NetFlow from the Cisco network
• StealthWatch Management Console
• StealthWatch FlowSensor and FlowSensor VE (virtual)
• StealthWatch FlowReplicator: replicates NetFlow to other tools/collectors
• Cisco ISE: user and device context
Cyber Threat Defence in the Data Center
Data Center Best Practices:
§ Very high volume of traffic: size the FlowCollector accordingly
§ With asymmetric traffic, all devices should export to the same collector
§ SGTs can be reported and seen via ISE
§ Position the collectors at choke points to have full visibility of the traffic
§ Monitor the entrance to the DC with the N7K or the ASA
§ Monitor virtual traffic with the Nexus 1000V or the FlowSensor VE
§ Best practice is to offload NetFlow generation to external FlowSensors rather than doing it directly on the devices, to optimize performance
Cisco NetFlow Generation Appliance (NGA)
[Diagram: data center switch feeding the Cisco NGA over SPAN or a passive tap; the NGA exports NetFlow to the StealthWatch FlowCollector, which the StealthWatch Management Console reaches over HTTPS]
§ Offloads NetFlow generation to a dedicated high-performance appliance
§ End-to-end flow information collected across multiple network observation points using SPAN and passive TAP
§ Up to 6 destinations
• 4x10G monitoring interfaces
• 80M active flow cache
• Targets 200K flow records exported per second
NGA: very high volume; fewer boxes and a more centralized deployment
FlowSensor: less scalable; more capabilities, such as deep packet inspection and URL data
Scalability
Flow Exporters (physical: routers, switches, firewalls; virtual: Nexus 1000V, FlowSensor VE, FlowSensor): up to 2,000 exporters and/or 120,000 flows per second
Flow Collectors (StealthWatch FC for NetFlow): up to 25 collectors per StealthWatch System, 3 million flows per second scalability
Management and Reporting (StealthWatch Management Console): x2, full redundancy between primary and secondary
User Interface: customizable views for the Virtualization, Network and Security teams
NetFlow Security Use Cases
§ Identifying botnet command & control activity. Botnets are implanted in the enterprise to execute commands from their bot herders: sending spam, launching denial-of-service attacks or other malicious acts.
§ Detecting sophisticated and persistent threats. Malware that makes it past perimeter security can remain in the enterprise as a lurking threat, waiting to strike. These may be zero-day threats that do not yet have an antivirus signature, or threats that are hard to detect for other reasons.
§ Finding internally spread malware. Malware proliferates across hosts inside the network for the purpose of gathering reconnaissance data, exfiltrating data or planting network backdoors.
§ Uncovering network reconnaissance. Some attacks probe the network looking for attack vectors to be used by custom-crafted cyber threats.
§ Revealing data loss. Code can be hidden in the enterprise to export sensitive information back to the attacker. This data leakage may occur rapidly or over time.
Detecting Command and Control
Periodic "phone home" activity.
NetFlow: what to analyze? Countries, applications, upload/download ratio, time of day, repeated connections, beaconing (repeated dead connections), long-lived flows, known C&C servers
StealthWatch method of detection: Host Lock Violation, Suspect Long Flow, Beaconing Host, SLIC Reputation Feed
Detecting Command and Control
Example alarm indicating communication with known botnet controllers:
  Start Active Time: Dec 11, 2012
  Alarm: Bot Infected Host – Attempted C&C Activity
  Source User Name: John Chambers
  Source: 1.1.1.1 (Source Host Groups: Sales and Marketing, Atlanta, Desktops)
  Target: node1.bytecluster.com (209.190.85.12) (Target Host Groups: Optima, United Kingdom)
  Details: Attempted communication was detected between this inside host and a C&C server using port 80 and the TCP protocol
The alarm carries the source IP address and username, the target that triggered the alarm, and the details.
Identifying Reconnaissance Activity
Long and slow activity to discover resources and vulnerabilities.
What to analyze: high number of flows, high client byte ratio, one-way or unanswered flows, flows within the subnet/host group, flows to non-existent IPs, flow patterns, abnormal behaviour
StealthWatch method of detection: Concern Index, High Traffic, High Connections, Trapped Hosts
Identifying Malware Propagation
A discovered host answers and its vulnerability is exploited.
What to analyze: high number of flows, high client byte ratio, connections within the subnet/host group, flow patterns, abnormal behaviour
StealthWatch method of detection: Concern Index, Target Index, Scanning Alarms, Touched Host, Worm Propagation Alarm, Worm Tracker
Infection Tracking
[Diagram: initial infection, then secondary infection, then tertiary infection, traced host to host]
Detecting Data Loss
Data is exported off the resource; an intermediary resource may be used to obfuscate the theft.
What to analyze: historical data transfer behaviour, applications, time of day, countries, amount of data (single and in aggregate), time frames, asymmetric traffic patterns, traffic between functional groups
StealthWatch method of detection: Suspect Data Loss Alarm, Suspect Long Flow Alarm, Beaconing Host Alarm
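The three "what to analyze" lists above (command and control, reconnaissance, data loss) translate directly into flow-level heuristics. The Python below is an added example, not StealthWatch or Cisco code: it runs a beaconing detector (regularity of inter-flow gaps), a scan detector (fan-out to unanswered internal targets on one port) and a data-loss detector (outbound bytes versus a per-host baseline) over a constructed set of flow records. The Flow fields, thresholds and baselines are assumptions chosen for the example, and the "internal" test is plain RFC 1918 membership.

```python
"""NetFlow-style detectors for beaconing C2, reconnaissance and data loss (added example)."""
import ipaddress
import statistics
from collections import defaultdict
from typing import NamedTuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Flow(NamedTuple):
    """One bidirectional flow summary (a subset of the NetFlow fields)."""
    ts: int          # flow start, epoch seconds
    src: str
    dst: str
    dport: int
    bytes_out: int   # client -> server
    bytes_in: int    # server -> client
    answered: bool   # the server sent something back


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def detect_beacons(flows, min_flows=8, max_cv=0.15):
    """Repeated 'phone home': same client/server/port at near-constant intervals.

    Returns {(src, dst, dport): interval_seconds}. The coefficient of variation
    of the inter-flow gaps separates a timer-driven beacon from human browsing.
    """
    by_conv = defaultdict(list)
    for f in flows:
        by_conv[(f.src, f.dst, f.dport)].append(f.ts)
    hits = {}
    for conv, times in by_conv.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits[conv] = round(mean)
    return hits


def detect_scanners(flows, min_targets=20):
    """Sources fanning out to many unanswered internal targets on one port."""
    targets = defaultdict(set)
    for f in flows:
        if not f.answered and is_internal(f.dst):
            targets[(f.src, f.dport)].add(f.dst)
    return {key: len(hosts) for key, hosts in targets.items() if len(hosts) >= min_targets}


def detect_data_loss(flows, baseline_out_bytes, ratio=10):
    """Internal hosts pushing far more data outside than their historical baseline."""
    out = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            out[f.src] += f.bytes_out
    return {h: b for h, b in out.items()
            if h not in baseline_out_bytes or b > ratio * baseline_out_bytes[h]}


def sample_flows():
    """Constructed traffic, not a capture: one beacon, one sweep, one exfiltration."""
    flows = []
    for i in range(12):     # beacon every ~300 s with a little jitter, tiny payloads
        flows.append(Flow(1000 + 300 * i + i % 3, "10.10.20.50", "203.0.113.9", 443, 420, 180, True))
    for i in range(1, 41):  # SMB sweep of 10.10.101.0/24, nobody answers
        flows.append(Flow(2000 + i, "10.10.101.118", f"10.10.101.{i}", 445, 60, 0, False))
    flows.append(Flow(3000, "10.10.30.7", "198.51.100.20", 22, 2_000_000_000, 50_000, True))
    flows.append(Flow(3100, "10.10.20.51", "198.51.100.5", 443, 3_000, 900_000, True))
    return flows


# Constructed per-host daily outbound baselines (bytes), as a baseline engine would keep.
BASELINE_OUT_BYTES = {"10.10.20.50": 5_000_000, "10.10.20.51": 8_000_000,
                      "10.10.30.7": 20_000_000, "10.10.101.118": 1_000_000}


if __name__ == "__main__":
    flows = sample_flows()
    print("beacons:", detect_beacons(flows))
    print("scanners:", detect_scanners(flows))
    print("data loss:", detect_data_loss(flows, BASELINE_OUT_BYTES))
```

Each detector keys on a different attribute family from the lists above: timing for C2, unanswered fan-out for reconnaissance, volume against history for data loss. None of them needs payload, which is the point of doing this on NetFlow rather than on packet captures.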
Looking at abnormal traffic
[Two screenshot slides]
Summary
• Provides rich context: unites NetFlow data with identity and application ID to provide security context
• Leverages the Cisco network for security telemetry: NetFlow-enabled Cisco switches and routers become security telemetry sources (Cisco is the undisputed market leader in hardware-enabled NetFlow devices)
• Provides threat visibility and context: a single pane of glass that unifies threat detection, visibility, forensic analysis and reporting
[Diagram: Cisco Network + Cisco ISE + Cisco ISR G2/ASR1k with NBAR + Cisco ASA export NetFlow to the FlowSensor, FlowCollector and StealthWatch Management Console, answering Who, What, Where, When and How]
See also BRKSEC-2136 – Preventing Armageddon
Summary
• Virtual network services: extend policy, extend visibility, extend workflow
• Leverage physical-to-virtual fabric services to create a unified policy
• Assume both internal and external threats
• ACI: automatically instantiate security services and policies right with the application flows
Defend, Detect, Control
Q&A