Veri Merkezi Güvenliği (Data Center Security) - Cisco Connect Turkey 14'
Transcript of Veri Merkezi Güvenliği (Data Center Security) - Cisco Connect Turkey 14'
Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public
Data Center Evolution
Path from Virtualization to Cloud: Traditional Data Center -> Virtualized Data Center (VDC) -> Virtualized Desktops -> Internal, Private Clouds -> Virtual Private Clouds (VPC) -> Public Clouds
Stages: Consolidate Assets, Virtualize the Environment, Automate Service Delivery, Standardize Operations
Where are you now? Where do you want to be?
Data Center Security Requirements
Scalability: Need for policy enforcement for high speed networks
Segmentation: Policy between specific groups, users, or applications
Resiliency: High availability is imperative for applications
Expanded Deployment Options: Policy enforcement on inter-DC traffic
Threat Management: Threat correlation with contextual analysis
Virtualization: Security for east-west traffic in multi-hypervisor environments
Edge Security NOT Designed for the DC
Internet Edge Security:
• Only sees symmetric traffic
• Mostly sees Internet apps and micro-apps
• Static scalability for predictable data volume, limited by edge data connection
• Monitors ingress and egress traffic
• Only requires a physical appliance; virtual devices (if any) limited to one hypervisor
• Standard deployment takes days or weeks
• Vendor support focused on traditional network deployments
Data Center Security:
• Must manage asymmetric traffic
• Sees customized and home-grown applications
• Requires dynamic scalability to secure high-volume data bursts
• Security needs to be integrated in-line (East/West)
• Requires both a physical and a virtual solution; 42% of DCs have multiple hypervisors
• Must be deployed in hours or minutes
• The DC requires specialized support for planning, design, and implementation
1. Security Must Be Designed for the DC
Network Integration:
• Must be deployed dynamically and quickly
• Ties data center and security policy together
• Gives the right tool to the right team
Optimum Performance:
• Optimized for DC data bursts
• Highly available and resilient
• Matches security performance to network performance
• Supports asymmetric traffic
Threat-Based Security:
• North-south and East-west protection
• Signature and signatureless protection
• Reputation-based protection
• Custom application inspection
2. Security Must Address The DC Architecture
Traffic mix in the data center: East-West traffic 76%, North-South traffic 17%, Inter-DC traffic 7%
3. Security Must Adapt As The DC Evolves
Changing business models and competitive environments are driving IT organizations down a DC evolutionary path: Virtualization, SDN, NFV, ACI, Cloud…
But what about security?
4. Security Must Be Threat Oriented
Attack Continuum (across Network, Endpoint, Mobile, Virtual, Cloud):
• Before: Control, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate
Point in Time vs. Continuous protection
5. Data Centers Don’t Exist In A Vacuum
Data – and threats – flow horizontally across a network
NSS Labs – NGFW Security Effectiveness
Source: NSS Labs 2014
NSS Labs – Next-Generation Firewall Security Value Map
Source: NSS Labs 2014
The NGFW Security Value Map shows the placement of Cisco ASA with FirePOWER Services and the FirePOWER 8350 as compared to other vendors. All three products achieved 99.2 percent in security effectiveness and now all can be confident that they will receive the best protections possible regardless of deployment.
NSS Labs – NGFW Throughput
Source: NSS Labs 2014
NSS Labs – NGFW Connection Per Second
Source: NSS Labs 2014
Security Designed for the Data Center: ASAv and ASA 5585-X
Cisco ASA Virtual Firewall (ASAv):
• Full ASA Feature Set
• Hypervisor Independent
• vSwitch Agnostic
• Dynamic Scalability
Cisco ASA 5585-X Series:
• New: Now with FirePOWER NGIPS services
• Up to 640 Gbps throughput
• 16-node, multi-site clustering
• Clusters managed as a single device
Common to both:
• Load balancing between physical and virtual ASAs
• Support for traditional and next-gen data centers (SDN, NFV, ACI)
• Fully integrated into ACI: APIC-based provisioning, orchestration, and management
Secure Data Center for the Enterprise: Capabilities Necessary to Defend the Modern Data Center
Cisco ASA:
• World’s most widely deployed, enterprise-class Cisco ASA stateful firewall
• Cisco Application Visibility and Control (AVC) with detailed control
• Industry-leading Cisco FirePOWER next-generation IPS (NGIPS)
• Reputation- and category-based URL filtering
• Cisco Advanced Malware Protection (AMP)
Building blocks (Cisco® Collective Security Intelligence enabled): Network Firewall; Routing | Switching; Clustering and High Availability; Identity-Policy Control and VPN; Application Visibility and Control; Built-in Network Profiling; URL Filtering (Subscription); Intrusion Prevention (Subscription); Advanced Malware Protection (Subscription); FireSIGHT Analytics and Automation
ASA Cluster Scalability
Layer-2 deployment, data plane: an ASA 5585-X cluster (one master, the remaining nodes slaves) attached over a port-channel (PC-1) to two Nexus 7Ks that are vPC peers.
A 16-node ASA 5585-X cluster* can deliver up to:
• 256 Gbps of real-world mixed traffic throughput (640 Gbps max)
• 50M concurrent connections
• Consistent scaling factor regardless of units in cluster
• Handles the expected asymmetric traffic flows found in modern data centers
• Integrates with FirePOWER Appliances and Services Modules for AVC and NextGen IPS
*Cisco ASA Software release 9.2+
Cisco ASA Clustering Correct Asynchronous Flows
Diagram: two ASA / FirePOWER appliance sets (ASA-1 and ASA-2, each a 5585-X paired with NGIPS-1 / NGIPS-2), each with Inside/Outside interfaces in a North context and a South context, applying firewall policy and flow inspection. The request and the reply of one flow can arrive at different units: LACP chooses which ASA to send a packet to, and the receiving unit does a cluster lookup of the flow owner over the cluster control link (CCL).
ASA Clustering eliminates the need for a stateful load-balancer in the data center to scale security services performance.
Network Integration Performance
Redundancy and Scalability at three levels: Link, Device, Site
Link Scalability
Multiple Uplink Routers
Multiple Physical Links
Equal Cost Multipath (ECMP)
OSPF/BGP routing for rapid failure detection
Port Aggregation (EtherChannel)
LACP for dynamic bundling and failure detection
Full Flow Asymmetry Support
Device Scalability
Redundant Firewalls as a Single Logical Firewall: Clustering with full state backup
Redundant Switches as a Single Virtual Switch: Virtual PortChannel (vPC) on Nexus, Virtual Switch System (VSS) on Catalyst
Complete Fault Tolerance: Spanned EtherChannel with LACP for ports; Non-Stop Forwarding (NSF) for OSPF/BGP
Site Scalability
Site A and Site B with Endpoint Mobility
Local Traffic Processing and Inter-site Clustering: Clustering with full state backup; site-specific switch connections
VLAN Segment Extension: Overlay Transport Virtualization (OTV); clustering retains connection state
Security & Threat Operations Management
NetOPS Workflows: CSM 4.6 or ASDM (ASA on-box)
SecOPS Workflows: FireSIGHT Management Center
• NGFW/NGIPS Management
• Forensics / Log Management
• Network AMP / Trajectory
• Vulnerability Management¹
• Incident Control System¹
• Adaptive Security Policy
• Retrospective Analysis
• Correlated SIEM Eventing²
• Network-Wide / Client Visibility
Visibility Categories: Threats, Users, Web Applications, Application Protocols, File Transfers, Malware, Command & Control Servers, Client Applications, Network Servers, Operating Systems, Routers & Switches, Mobile Devices, Printers, VoIP Phones, Virtual Machines
FireAMP Connector (managed by FMC)
1 – Passive Vulnerability Management and Basic ICS – Customer may still choose to invest in a commercial product
2 – FMC is NOT a SIEM, while it does provide Correlated SIEM eventing and integrates natively into the SIEM used by the customer
Simplifying Security Across the Enterprise: End-to-End Cisco TrustSec® Security
Diagram: roles-based policies follow user identity from the campus and mobile workers (remote VPN user, IT managed devices, wireless user with personal devices, wired user) through the Identity Services Engine (WiFi and wired) into the data center, where a Cisco® ASA 5585-X firewall cluster (master and slaves) fronts a converged network stack (Vblocks/FlexPods, Cisco Nexus® 7000, storage, and vSphere application tiers 1 to N on Cisco Nexus 1000V). Cisco® Security Manager and Cisco UCS® Director manage policies and compute. For Authorized Users, Guest Access and Devices the outcome is Allow, Limited Access or Deny, carried as Security Group Tags (SG Tags) across physical access and compute.
ASA firewall learns when a new workload is provisioned and automatically applies security policy.
Administrator assigns workload to proper group. Switches send update to devices for policy maps.
Simplified Matrix of Policies Increases Security
Matrix of source SGT (rows) against destination SGT (columns). Destinations: Public Portal (SGT 8), Internal Portal (SGT 9), IT Portal (SGT 4), Patient Record DB (SGT 10), HR DB (SGT 5); sources include Doctor (SGT 7). Each cell names the permitted service for that pair: Web, File Share, SQL, SSL, SSH, RDP, Full Access, or No Access.
Simplified policies ease auditability for addressing the compliance challenges of today
Capabilities Flow Diagram: Malware Flow From User to Server Asset…Protections Along the Way
Path: on-campus user or mobile user -> Campus Core -> DC Core/Agg -> ASA 5585 / 3D8250 cluster -> Data Center Servers/Assets, with AD and ISE supplying user identity (SXP and SGACLs) and the Defense Center providing management.
Protections along the way (numbered 1 to 6 on the slide):
• User Identity, Device Posturing, FireAMP for file analysis, User Logging
• SGACL Enforcement, TrustSec SXP, NetFlow Analysis
• Data black hole prevention, operational efficiency
• ASA Cluster: Policy Consolidation, Traffic Normalization, Asymmetric Traffic, Flow Redundancy
• Intrusion Prevention, Network AMP, Application Detection, Application Control, Indicators of Compromise, Retrospection, Connection Intelligence, File Trajectory, Network Trajectory
• FireAMP on Servers, Secure Application Tiering, Port Profile SGT Assignments, East-West Protection
Cyber Threat Defense for Data Center
Global view of infrastructure threats
OOB management infrastructure supports relevant traffic flows
Cisco® ASA cluster monitored from the Cisco Nexus® 7000
−NetFlow Security Event Logging (NSEL) on the ASA is optional and complementary
−NSEL monitors flow creation, flow teardown, and flow denial by ACLs
−NSEL was not validated
Components shown: Cisco Nexus® 1000v Virtual Services Module (VSM) and NetFlow Generation Appliance(s) (NGA) fed by SPAN sources as the NetFlow sources; StealthWatch FlowCollector(s) (FC) reporting to the StealthWatch Management Console VE (SMC); ISE Policy Manager linked to the SMC over HTTPS and Radius.
Application Centric Infrastructure (ACI)
• Intelligent Fabric: every device is one hop away, microsecond latency, no power or port availability constraints, ease of scaling
• Logical Endpoint Groups by Role (for example “Users”, “Files”): heterogeneous clients, servers, external clouds; the fabric controls communication
• Flexible Insertion and Fabric Port Services: hardware filtering and bridging; seamless service insertion, “service farm” aggregation
• Unified Management and Visibility: ACI Controller manages all participating devices, with change control and audit capabilities
• Flat Hardware Accelerated Network: full abstraction, de-coupled from VLANs and dynamic routing, low latency, built-in QoS
Traditional ASA Policy Set Complication
Clients: 192.168.1.1, 192.168.1.100 (and later 172.18.20.13). Servers: 10.1.1.1, 172.16.1.1, 192.168.100.1. Services: HTTP (TCP/80), HTTPS (TCP/443), SSH (TCP/22), SMTP (TCP/25), ICMP.
Every client/server/service combination needs its own ACL line, 30 ACL rules for the first two clients:
  access-list OUT permit tcp host 192.168.1.1 host 10.1.1.1 eq 80
  access-list OUT permit tcp host 192.168.1.1 host 10.1.1.1 eq 443
  […]
  access-list OUT permit icmp host 192.168.1.100 host 192.168.100.1
Adding client 172.18.20.13 adds 15 more ACL rules, 45 in total:
  access-list OUT permit tcp host 172.18.20.13 host 10.1.1.1 eq 80
  access-list OUT permit tcp host 172.18.20.13 host 10.1.1.1 eq 443
  […]
  access-list OUT permit icmp host 172.18.20.13 host 192.168.100.1
Workflow between Network Admin and Security Admin:
1. Network Admin: add client 172.18.20.13, call Security Admin to enable access
2. Security Admin: add ASA rules for client 172.18.20.13
3. Network Admin: remove client 192.168.1.1, “no other action necessary”
4. Security Admin: original ASA rules never change
Distributed Port Level Filtering with ACI
Same clients (192.168.1.1, 192.168.1.100, 172.18.20.13), servers (10.1.1.1, 172.16.1.1, 192.168.100.1) and services (HTTP TCP/80, HTTPS TCP/443, SSH TCP/22, SMTP TCP/25, ICMP).
Source EPG “Users”: Leaf 1 port 1, Leaf 1 port 10, Leaf 2 port 12
Destination EPG “Servers”: Leaf 3 port 2, Leaf 4 port 8, Leaf 5 port 12
Port rules between the EPGs (Service -> Action):
  TCP/80   Redirect, ASA1
  TCP/443  Redirect, ASA1
  TCP/22   Redirect, ASA1
  TCP/25   Redirect, ASA1
  ICMP     Redirect, ASA1
Workflow:
• Network Admin: add client 172.18.20.13 using the standard ASA template; remove client 192.168.1.1
• Security Admin: create standard ASA advanced policy templates in IFC
Result: advanced policies with limited ACL rules on ASA1, and the same 5 port-level service rules and actions.
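As an added illustration (not code from the Cisco deck), the rule-count arithmetic behind the two policy slides above, using the deck's own client addresses, servers and services: host-based ASA ACL lines grow with clients × servers × services and go stale when a client is removed without the ACL being updated, while an EPG-style contract keeps one rule per service. The rule-rendering and stale-rule audit helpers are my own and assume the slide's "access-list OUT permit" form.

```python
# Added illustration (not Cisco code): host-based ACL growth vs. group-based policy,
# using the addresses and services from the two policy slides.
from itertools import product

# Services from the slide; "icmp" has no port.
SERVICES = {"HTTP": "tcp/80", "HTTPS": "tcp/443", "SSH": "tcp/22",
            "SMTP": "tcp/25", "ICMP": "icmp"}
SERVERS = ["10.1.1.1", "172.16.1.1", "192.168.100.1"]


def asa_host_rules(clients, servers=SERVERS, services=SERVICES):
    """Traditional ASA model: one access-list line per (client, server, service)."""
    rules = []
    for client, server, proto in product(clients, servers, services.values()):
        if proto == "icmp":
            rules.append(f"access-list OUT permit icmp host {client} host {server}")
        else:
            transport, port = proto.split("/")
            rules.append(f"access-list OUT permit {transport} host {client} "
                         f"host {server} eq {port}")
    return rules


def epg_contract(services=SERVICES, service_node="ASA1"):
    """ACI-style model: one port-level rule per service between the Users and
    Servers EPGs, independent of how many endpoints sit in either group."""
    return [(proto, f"Redirect, {service_node}") for proto in services.values()]


def stale_rules(rules, active_clients):
    """Audit check: ACL lines whose source host is no longer an active client,
    i.e. what is left behind when a client is removed but the ACL never changes."""
    active = set(active_clients)
    stale = []
    for rule in rules:
        src = rule.split(" host ")[1].split()[0]  # first 'host X' is the source
        if src not in active:
            stale.append(rule)
    return stale


def walk_through():
    """Replays the slide's workflow and returns the rule counts at each step."""
    clients = ["192.168.1.1", "192.168.1.100"]
    before = asa_host_rules(clients)            # 2 clients x 3 servers x 5 services
    clients.append("172.18.20.13")              # step 1/2: add a client, add rules
    after_add = asa_host_rules(clients)
    clients.remove("192.168.1.1")               # step 3/4: client gone, ACL untouched
    return {"acl_initial": len(before), "acl_after_add": len(after_add),
            "acl_stale_after_remove": len(stale_rules(after_add, clients)),
            "epg_rules": len(epg_contract())}
```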
Cisco Secure Data Center Enterprise
Cisco Validated Designs that include:
• Scalable performance
• Simplified policy management
• Intrusion protection and application visibility
• Recommended architecture based on best practices
www.cisco.com/go/designzone
Combined Overview of CVD Architecture
Four solutions jointly validated to create a complete portfolio:
• Secure Enclave Architecture (SEA)
• Cyber Threat Defense
• ASA Clustering with FirePOWER Services
• Threat Management with NextGen IPS
Components shown: FlexPod, Active Directory, Identity Services Engine, Cisco Security Manager, NetFlow Generation Appliances, data storage SAN, cluster control link (CCL), Enterprise Core, Cisco Nexus® 1000v Virtual Supervisor Module