Veri Merkezi Güvenliği (Data Center Security) - Cisco Connect Turkey 14'


Data Center Security

Fuat KILIÇ

Consulting Systems Engineer @Security

Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

Data Center Evolution

Evolution path (axis labels: Virtualization, then Cloud):

Traditional Data Center → Virtualized Data Center (VDC) → Virtualized Desktops → Internal, Private Clouds → Virtual Private Clouds (VPC) → Public Clouds

Steps along the path:

• Consolidate Assets
• Virtualize the Environment
• Automate Service Delivery
• Standardize Operations

WHERE ARE YOU NOW? WHERE DO YOU WANT TO BE?

Data Center Security Requirements

Scalability: Need for policy enforcement for high speed networks

Segmentation: Policy between specific groups, users, or applications

Resiliency: High availability is imperative for applications

Expanded Deployment Options: Policy enforcement on inter-DC traffic

Threat Management: Threat correlation with contextual analysis

Virtualization: Security for east-west traffic in multi-hypervisor environments


Edge Security NOT Designed for the DC

Internet Edge Security:

• Only sees symmetric traffic
• Mostly sees Internet apps and micro-apps
• Static scalability for predictable data volume, limited by edge data connection
• Monitors Ingress and Egress traffic.
• Only requires a physical appliance. Virtual devices (if any) limited to one hypervisor
• Standard deployment takes days or weeks
• Vendor support focused on traditional network deployments

Data Center Security:

• Must manage asymmetric traffic
• Sees customized and home-grown applications
• Requires dynamic scalability to secure high volume data bursts
• Security needs to be integrated in-line (East/West)
• Requires both a physical and a virtual solution. 42% of DCs have multiple hypervisors
• Must be deployed in hours or minutes
• The DC requires specialized support for planning, design, and implementation

1. Security Must Be Designed for the DC

Network Integration:

• Must be deployed dynamically and quickly
• Ties data center and security policy together
• Gives the right tool to the right team

Optimum Performance:

• Optimized for DC data bursts
• Highly available and resilient
• Matches security performance to network performance
• Supports asymmetric traffic.

Threat-Based Security:

• North-south and East-west protection
• Signature and signatureless protection
• Reputation-based protection
• Custom application inspection

2. Security Must Address The DC Architecture

Traffic mix in the data center:

• East – West Traffic: 76%
• North – South Traffic: 17%
• Inter-DC Traffic: 7%

3. Security Must Adapt As The DC Evolves

Changing business models and competitive environments are driving IT organizations down a DC evolutionary path: Virtualization, SDN, NFV, ACI, Cloud…

But what about security?

4. Security Must Be Threat Oriented

Attack Continuum:

• Before: Control, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate

Applies across Network, Endpoint, Mobile, Virtual and Cloud; protection is both Point in Time and Continuous.

5. Data Centers Don’t Exist In A Vacuum

Data – and threats – flow horizontally across a network

NSS Labs – NGFW Security Effectiveness

Source: NSS Labs 2014


NSS Labs – Next-Generation Firewall Security Value Map

Source: NSS Labs 2014

The NGFW Security Value Map shows the placement of Cisco ASA with FirePOWER Services and the FirePOWER 8350 as compared to other vendors. All three products achieved 99.2 percent in security effectiveness, and now all can be confident that they will receive the best protections possible regardless of deployment.

NSS Labs – NGFW Throughput

Source: NSS Labs 2014


NSS Labs – NGFW Connection Per Second

Source: NSS Labs 2014


Security Designed for the Data Center: ASAv and ASA 5585-X

Cisco ASA Virtual Firewall (ASAv):

• Full ASA Feature Set
• Hypervisor Independent
• vSwitch Agnostic
• Dynamic Scalability

Cisco ASA 5585-X Series:

• New: Now with FirePOWER NGIPS services
• Up to 640 Gbps throughput
• 16-node, multi-site clustering
• Clusters managed as a single device

Common to both:

• Load balancing between physical and virtual ASAs
• Support Traditional and Next-Gen Data Centers (SDN, NFV, ACI)
• Fully integrated into ACI – APIC-based provisioning, orchestration, and management

Secure Data Center for the Enterprise: Capabilities Necessary to Defend the Modern Data Center

Cisco ASA with FirePOWER Services:

• World’s most widely deployed, enterprise-class Cisco ASA stateful firewall
• Cisco Application Visibility and Control (AVC) with detailed control
• Industry-leading Cisco FirePOWER next-generation IPS (NGIPS)
• Reputation- and category-based URL filtering
• Cisco Advanced Malware Protection (AMP)

Capability blocks (Cisco® Collective Security Intelligence Enabled):

• Identity-Policy Control and VPN
• URL Filtering (Subscription)
• FireSIGHT Analytics and Automation
• Advanced Malware Protection (Subscription)
• Application Visibility and Control
• Network Firewall
• Routing | Switching
• Clustering and High Availability
• Built-in Network Profiling
• Intrusion Prevention (Subscription)

ASA Cluster Scalability

Layer-2 Deployment, Data Plane: an ASA 5585-X Cluster (one Master, up to 15 Slaves, nodes 1 to 16) attached to Nexus 7K #1 and Nexus 7K #2; the Nexus 7Ks are vPC Peers, with port-channel PC-1 on each side.

A 16 node ASA 5585-X cluster* can deliver up to:

• 256 Gbps of real-world mixed traffic throughput (640 Gbps Max)
• 50M concurrent connections
• Consistent scaling factor regardless of units in cluster
• Handles the expected asymmetric traffic flows found in modern data centers
• Integrates with FirePOWER Appliances and Services Modules for AVC and NextGen IPS

*Cisco ASA Software release 9.2 +

Cisco ASA Clustering Corrects Asymmetric Flows

Diagram: two ASA / FirePOWER Appliance Sets (#1: ASA-1 (5585-X) with NGIPS-1; #2: ASA-2 (5585-X) with NGIPS-2). Each ASA runs a South Context and a North Context with Inside and Outside interfaces, applying Firewall Policy and Flow Inspection. The Source sends a Request; LACP chooses which ASA to send the packet to. The Reply from the Destination may arrive at the other ASA, which performs a cluster lookup of the flow owner and passes the DATA over the CCL so that the owning unit inspects both directions of the flow.

ASA Clustering eliminates the need for a stateful load-balancer in the data center to scale security services performance
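To make the owner-lookup idea on this slide concrete, here is a toy simulation (an added example, not Cisco's code or anything from the deck): a switch hash can land the request and the reply of one flow on different cluster units, and a per-flow directory lets the receiving unit find the owner and hand the packet over, so one unit sees both directions. The owner and director roles, the hash that picks a director and the "LACP" hash used by the switch are simplified assumptions for this example, not the ASA implementation.

```python
"""Toy model of a firewall cluster keeping both directions of an
asymmetric flow on one inspecting unit.

Added example for the asymmetric-flow slide; it is not Cisco code. The
owner/director roles, the per-flow directory, the hash used to pick a
director and the "LACP" hash used by the upstream switch are simplified
assumptions made for this example, not the ASA implementation."""
from dataclasses import dataclass, field
from zlib import crc32


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False        # True on the packet that opens the flow


def flow_key(p: Packet) -> tuple:
    """Direction-independent 5-tuple, so request and reply map to one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


@dataclass
class Unit:
    name: str
    owned: dict = field(default_factory=dict)      # flows this unit inspects
    directory: dict = field(default_factory=dict)  # flow_key -> owner name (director role)
    inspected: list = field(default_factory=list)


class Cluster:
    def __init__(self, names):
        self.units = [Unit(n) for n in names]

    def by_name(self, name: str) -> Unit:
        return next(u for u in self.units if u.name == name)

    def director(self, key) -> Unit:
        # Assumption: every unit derives the director from a hash of the
        # flow key, so the lookup needs no shared state.
        return self.units[crc32(repr(key).encode()) % len(self.units)]

    def lacp_pick(self, p: Packet) -> Unit:
        # Assumption: the switch hashes the directional tuple, so the reply
        # of a flow can land on a different unit than its request.
        raw = (p.src, p.sport, p.dst, p.dport)
        return self.units[crc32(repr(raw).encode()) % len(self.units)]

    def receive(self, p: Packet) -> str:
        """Deliver one packet; return the name of the unit that inspected it."""
        unit, key = self.lacp_pick(p), flow_key(p)
        if key in unit.owned:                 # fast path: this unit owns the flow
            unit.inspected.append(p)
            return unit.name
        if p.syn:                             # new flow: become its owner
            unit.owned[key] = "open"
            self.director(key).directory[key] = unit.name   # register at director
            unit.inspected.append(p)
            return unit.name
        owner_name = self.director(key).directory.get(key)  # query over the CCL
        if owner_name is None:
            return "dropped"                  # mid-flow packet nobody owns
        owner = self.by_name(owner_name)
        owner.inspected.append(p)             # forwarded to the owner over the CCL
        return owner.name


def demo() -> dict:
    """Request and reply of one flow, plus a stray mid-flow packet."""
    cluster = Cluster(["asa-1", "asa-2", "asa-3", "asa-4"])
    request = Packet("192.168.1.1", 40000, "10.1.1.1", 80, syn=True)
    reply = Packet("10.1.1.1", 80, "192.168.1.1", 40000)
    stray = Packet("192.168.1.100", 41000, "10.1.1.1", 443)  # flow never opened
    return {
        "request": cluster.receive(request),
        "reply": cluster.receive(reply),
        "stray": cluster.receive(stray),
        "reply_entry_unit": cluster.lacp_pick(reply).name,  # where the switch sent it
    }


if __name__ == "__main__":
    print(demo())
```

Whatever unit the switch picks for the reply, `demo()` reports the same inspecting unit for request and reply, and a packet whose flow was never opened is dropped rather than inspected statelessly, which is the property a stateful load-balancer would otherwise have to provide.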

Network Integration Performance

Redundancy and Scalability at three levels: Link, Device, Site

Link Scalability

Multiple Uplink Routers and Multiple Physical Links:

• Equal Cost Multipath (ECMP)
• OSPF/BGP routing for rapid failure detection
• Port Aggregation (EtherChannel)
• LACP for dynamic bundling and failure detection
• Full Flow Asymmetry Support

Device Scalability

Redundant Switches and Redundant Firewalls:

• Single Logical Firewall: Clustering with full state backup
• Single Virtual Switch: Virtual PortChannel (vPC) on Nexus, Virtual Switch System (VSS) on Catalyst
• Complete Fault Tolerance: Spanned Etherchannel with LACP for ports, Non-Stop Forwarding (NSF) for OSPF/BGP

Diagram: ASA Cluster attached to a vPC/VSS switch pair

Site Scalability

Site A and Site B:

• Inter-site Clustering: Clustering with full state backup
• Local Traffic Processing: Site-specific switch connections
• VLAN Segment Extension: Overlay Transport Virtualization (OTV)
• Endpoint Mobility: Clustering retains connection state

Security & Threat Operations Management

NetOPS Workflows – CSM 4.6 or ASDM-ASA-On-Box
SecOPS Workflows – FireSIGHT Management Center

• NGFW/NGIPS Management
• Forensics / Log Management
• Network AMP / Trajectory
• Vulnerability Management¹
• Incident Control System¹
• Adaptive Security Policy
• Retrospective Analysis
• Correlated SIEM Eventing²
• Network-Wide / Client Visibility

Visibility Categories: Threats, Users, Web Applications, Application Protocols, File Transfers, Malware, Command & Control Servers, Client Applications, Network Servers, Operating Systems, Routers & Switches, Mobile Devices, Printers, VoIP Phones, Virtual Machines

FireAMP Connector (Managed by FMC)

1 – Passive Vulnerability Management and Basic ICS – Customer may still choose to invest in a commercial product
2 – FMC is NOT a SIEM, while it does provide Correlated SIEM eventing and integrates natively into the SIEM used by the customer

Simplifying Security Across the Enterprise: End-to-End Cisco TrustSec® Security

Diagram components:

• Campus and Mobile Workers: Remote VPN User, Wireless User (WiFi) and Wired User, on IT Managed Devices and Personal Devices; Cisco Identity Services Engine supplies User Identity for Roles-Based Policies
• Access outcomes per role: Authorized Users, Guest Access and Devices are each mapped to Allow, Limited Access or Deny
• Data Center: Cisco® ASA 5585-X Firewall Cluster (Master and Slaves), Cisco® Security Manager, Cisco UCS® Director, Cisco Nexus® 7000, Vblocks/FlexPods as a Converged Network Stack (Storage, Compute, vSphere), with application tiers (Tier 1, Tier 2, … Tier N) of App/OS workloads, each tier behind a Cisco Nexus 1000V
• Policies are carried as SG Tags from Physical Access through to Compute

ASA firewall learns when a new workload is provisioned and automatically applies security policy.

Administrator assigns workload to proper group. Switches send update to devices for policy maps.

Simplified Matrix of Policies Increases Security

Policy matrix: rows are Source SGT, columns are Destination SGT. Destination SGTs shown: Public Portal (SGT 8), Internal Portal (SGT 9), IT Portal (SGT 4), Patient Record DB (SGT 10).

Source Doctor (SGT 7): Web to Public Portal, Web to Internal Portal, No Access to IT Portal, Web to Patient Record DB.

Further SGT and cell entries visible in the matrix whose row and column positions did not survive extraction: HR DB (SGT 5); File Share, SQL, SSL, Web, SSH, RDP, File Share, Full Access SQL.

Simplified policies ease auditability for addressing the compliance challenges of today

Capabilities Flow Diagram: Malware Flow From User to Server Asset…Protections Along the Way

Path shown: On Campus User and Mobile User → Campus Core → DC Core/Agg → ASA 5585 / 3D8250 Cluster → Data Center Servers/Assets. AD and ISE supply User Identity; TrustSec SXP distributes the mappings and SGACLs are enforced along the path; Defense Center provides Mgmt.

Protections along the way (six numbered points on the diagram):

• User Identity, Device Posturing, FireAMP for file analysis, User Logging
• SGACL Enforcement, NetFlow Analysis
• ASA Cluster: Policy Consolidation, Traffic Normalization, Asymmetric Traffic, Flow Redundancy
• Intrusion Prevention, Network AMP, Application Detection, Application Control, Indicators of Compromise, Retrospection, Connection Intelligence, File Trajectory, Network Trajectory
• FireAMP on Servers
• Secure Application Tiering, Port Profile SGT Assignments, East-West Protection

Outcomes: Data Black hole Prevention, Operational Efficiency

Cyber Threat Defense for Data Center

• Global view of infrastructure threats
• OOB management infrastructure supports relevant traffic flows
• Cisco® ASA cluster monitored from the Cisco Nexus® 7000
−NetFlow Security Event Logging (NSEL) on the ASA is optional and complementary
−NSEL monitors flow creation, flow teardown, and flow denial by ACLs
−NSEL was not validated

Components shown: Cisco Nexus® 1000v Virtual Services Module (VSM), NetFlow Generation Appliance(s) (NGA), ISE Policy Manager, StealthWatch Management Console VE (SMC), StealthWatch FlowCollector(s) (FC). SPAN Sources and NetFlow Sources feed the collectors; the management links shown are HTTPS and Radius.
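The NSEL bullets say the ASA can export flow creation, teardown and ACL denial as events. The following added example (not Cisco or CVD code) shows what a collector can do with that once the records are decoded: summarize open flows per source and flag sources whose ACL-denied flows spread across many destination ports. The records are constructed, and the event codes used (1 = created, 2 = deleted, 3 = denied) follow the ASA NSEL firewallEvent field as I understand it; treat the codes and field names as assumptions.

```python
"""Summarize NSEL-style flow events and flag ACL-denied port sweeps.

Added example for the NSEL bullets on this slide; it is not Cisco or CVD
code. The records are constructed and already decoded into dicts (a real
collector parses NetFlow v9 templates first). The firewallEvent codes
(1 = flow created, 2 = flow deleted, 3 = flow denied) follow the ASA NSEL
field as the author of this example understands it; treat them and the
field names as assumptions."""
from collections import Counter, defaultdict

FLOW_CREATED, FLOW_DELETED, FLOW_DENIED = 1, 2, 3
EVENT_NAMES = {FLOW_CREATED: "created", FLOW_DELETED: "deleted", FLOW_DENIED: "denied"}

# Constructed sample: two normal web sessions from 192.168.1.1, a host denied
# on four different ports, a host denied once, and one record with a code
# this example does not model.
SAMPLE_EVENTS = [
    {"firewallEvent": FLOW_CREATED, "src": "192.168.1.1", "dst": "10.1.1.1", "dport": 80},
    {"firewallEvent": FLOW_DELETED, "src": "192.168.1.1", "dst": "10.1.1.1", "dport": 80},
    {"firewallEvent": FLOW_CREATED, "src": "192.168.1.1", "dst": "10.1.1.1", "dport": 443},
    {"firewallEvent": FLOW_CREATED, "src": "172.18.20.13", "dst": "10.1.1.1", "dport": 80},
    {"firewallEvent": FLOW_DENIED, "src": "172.18.20.13", "dst": "10.1.1.1", "dport": 22},
    {"firewallEvent": FLOW_DENIED, "src": "172.18.20.13", "dst": "10.1.1.1", "dport": 23},
    {"firewallEvent": FLOW_DENIED, "src": "172.18.20.13", "dst": "172.16.1.1", "dport": 25},
    {"firewallEvent": FLOW_DENIED, "src": "172.18.20.13", "dst": "172.16.1.1", "dport": 3389},
    {"firewallEvent": FLOW_DENIED, "src": "192.168.1.100", "dst": "10.1.1.1", "dport": 22},
    {"firewallEvent": 7, "src": "192.168.1.100", "dst": "10.1.1.1", "dport": 22},
]


def summarize(events):
    """Per-source counters: created, deleted, denied, open (created minus
    deleted), plus 'other' for event codes this example does not model."""
    per_src = defaultdict(Counter)
    for e in events:
        name = EVENT_NAMES.get(e["firewallEvent"], "other")
        per_src[e["src"]][name] += 1
    for counts in per_src.values():
        counts["open"] = counts["created"] - counts["deleted"]
    return dict(per_src)


def denied_port_sweeps(events, min_ports=3):
    """Sources whose denied flows touched at least min_ports distinct
    destination ports: repeated ACL denies across ports look like a scan
    and are worth an analyst's attention."""
    ports = defaultdict(set)
    for e in events:
        if e["firewallEvent"] == FLOW_DENIED:
            ports[e["src"]].add(e["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_EVENTS).items():
        print(src, dict(counts))
    print("denied port sweeps:", denied_port_sweeps(SAMPLE_EVENTS))
```

The open-flow count only balances when both creation and teardown records are exported, which is why the slide calls NSEL complementary to NetFlow from the Nexus: the switch flow records and the firewall's own event records answer different questions.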

Application Centric Infrastructure (ACI)

Intelligent Fabric with Logical Endpoint Groups by Role (for example “Users” and “Files”):

• Logical Endpoint Groups by Role: Heterogeneous clients, servers, external clouds; fabric controls communication
• Flat Hardware Accelerated Network: Every device is one hop away, microsecond latency, no power or port availability constraints, ease of scaling
• Unified Management and Visibility: ACI Controller manages all participating devices, change control and audit capabilities
• Flexible Insertion, Fabric Port Services: Hardware filtering and bridging; seamless service insertion, “service farm” aggregation
• Full abstraction, de-coupled from VLANs and Dynamic Routing, low latency, built-in QoS

Traditional ASA Policy Set Complication

Clients: 192.168.1.1, 192.168.1.100 (later also 172.18.20.13)
Servers: 10.1.1.1, 172.16.1.1, 192.168.100.1
Services: HTTP (TCP/80), HTTPS (TCP/443), SSH (TCP/22), SMTP (TCP/25), ICMP

access-list OUT permit tcp host 192.168.1.1 host 10.1.1.1 eq 80
access-list OUT permit tcp host 192.168.1.1 host 10.1.1.1 eq 443
[…]
access-list OUT permit icmp host 192.168.1.100 host 192.168.100.1

30 ACL Rules for the two original clients.

Adding client 172.18.20.13:

access-list OUT permit tcp host 172.18.20.13 host 10.1.1.1 eq 80
access-list OUT permit tcp host 172.18.20.13 host 10.1.1.1 eq 443
[…]
access-list OUT permit icmp host 172.18.20.13 host 192.168.100.1

15 more ACL Rules, 45 ACL Rules in total.

Workflow between Network Admin and Security Admin:

1. Network Admin: Add client 172.18.20.13, call Security Admin to enable access
2. Security Admin: Add ASA rules for client 172.18.20.13
3. Network Admin: Remove client 192.168.1.1, “no other action necessary”
4. Security Admin: Original ASA rules never change

Distributed Port Level Filtering with ACI

Clients: 192.168.1.1, 192.168.1.100, 172.18.20.13
Servers: 10.1.1.1, 172.16.1.1, 192.168.100.1
Services: HTTP (TCP/80), HTTPS (TCP/443), SSH (TCP/22), SMTP (TCP/25), ICMP

Source EPG “Users”: Leaf 1, port 1; Leaf 1, port 10; Leaf 2, port 12
Destination EPG “Servers”: Leaf 3, port 2; Leaf 4, port 8; Leaf 5, port 12

Port Rules (Service → Action):

TCP/80 → Redirect, ASA1
TCP/443 → Redirect, ASA1
TCP/22 → Redirect, ASA1
TCP/25 → Redirect, ASA1
ICMP → Redirect, ASA1

Same 5 port-level service rules and actions regardless of the number of clients; advanced policies with limited ACL rules on ASA1.

Workflow between Network Admin and Security Admin:

• Security Admin: Create standard ASA advanced policy templates in IFC
• Network Admin: Add client 172.18.20.13, use standard ASA template
• Network Admin: Remove client 192.168.1.1
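The two slides above (per-host ASA ACLs versus EPG port rules) and the earlier SGT policy matrix make the same point: rules keyed on group membership do not grow with the host count, and removing a host from the group revokes its access without touching the rules. The following added example (not Cisco configuration or code) generates the per-host ACL from the slides' own clients, servers and services, evaluates it, and compares it with a group-based rule set; the group model uses only the single Users → Servers contract from the ACI slide, since the full SGT matrix beyond the Doctor row is not on the page.

```python
"""Per-host ACL growth versus group-based (EPG/SGT) policy.

Added example for the traditional-ACL, ACI and SGT-matrix slides; it is not
Cisco configuration or code. Clients, servers and services are the ones on
the slides; the group contract is the single Users -> Servers rule set from
the ACI slide (the SGT matrix beyond the Doctor row is not on the page and
is not modelled)."""
from itertools import product

SERVERS = ["10.1.1.1", "172.16.1.1", "192.168.100.1"]
CLIENTS = ["192.168.1.1", "192.168.1.100"]
NEW_CLIENT = "172.18.20.13"
SERVICES = [("tcp", 80), ("tcp", 443), ("tcp", 22), ("tcp", 25), ("icmp", None)]


def host_acl(clients, servers, services):
    """Traditional model: one ASA-style line per (client, server, service)."""
    lines = []
    for c, s, (proto, port) in product(clients, servers, services):
        if proto == "icmp":
            lines.append(f"access-list OUT permit icmp host {c} host {s}")
        else:
            lines.append(f"access-list OUT permit {proto} host {c} host {s} eq {port}")
    return lines


def permits_host_acl(acl, src, dst, proto, port):
    """Evaluate the generated ACL: first match wins, no match means deny."""
    for line in acl:
        t = line.split()
        # tokens: access-list OUT permit <proto> host <src> host <dst> [eq <port>]
        if t[3] != proto or t[5] != src or t[7] != dst:
            continue
        if proto == "icmp" or (len(t) > 9 and int(t[9]) == port):
            return True
    return False


def group_rules(services):
    """Group model: one rule per service between the Users and Servers groups."""
    return [("Users", "Servers", proto, port) for proto, port in services]


def permits_group(rules, membership, src, dst, proto, port):
    """Membership (host -> group) is resolved at evaluation time, so adding or
    removing a host never changes the rules themselves."""
    sg, dg = membership.get(src), membership.get(dst)
    return any(r == (sg, dg, proto, port) for r in rules)


def compare():
    acl_before = host_acl(CLIENTS, SERVERS, SERVICES)
    acl_after = host_acl(CLIENTS + [NEW_CLIENT], SERVERS, SERVICES)  # admin adds 15 lines
    # "Remove client 192.168.1.1" on the ACL side: nobody deletes its lines,
    # exactly the "original ASA rules never change" step on the slide.
    rules = group_rules(SERVICES)
    membership = {s: "Servers" for s in SERVERS}
    membership.update({c: "Users" for c in CLIENTS})
    membership[NEW_CLIENT] = "Users"          # new client joins the EPG
    del membership["192.168.1.1"]             # removed client leaves the EPG
    return {
        "acl_before": len(acl_before),
        "acl_after": len(acl_after),
        "group_rules": len(rules),
        "new_client_acl": permits_host_acl(acl_after, NEW_CLIENT, "10.1.1.1", "tcp", 80),
        "new_client_group": permits_group(rules, membership, NEW_CLIENT, "10.1.1.1", "tcp", 80),
        "removed_client_acl": permits_host_acl(acl_after, "192.168.1.1", "10.1.1.1", "tcp", 80),
        "removed_client_group": permits_group(rules, membership, "192.168.1.1", "10.1.1.1", "tcp", 80),
        "outsider_group": permits_group(rules, membership, "10.9.9.9", "10.1.1.1", "tcp", 80),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

`compare()` reproduces the slide's counts (30 rules, then 45 after one more client, against 5 group rules) and shows the audit consequence of the two workflows: in the ACL model the removed client 192.168.1.1 is still permitted until someone remembers to delete its 15 lines, while in the group model its access ends the moment it leaves the group, and an address that was never placed in a group gets nothing.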

Cisco Secure Data Center for the Enterprise

Cisco Validated Designs that include:

• Scalable performance
• Simplified policy management
• Intrusion protection and application visibility
• Recommended architecture based on best practices

www.cisco.com/go/designzone

Combined Overview of CVD Architecture

Four solutions jointly validated to create a complete portfolio:

• Secure Enclave Architecture (SEA)
• Cyber Threat Defense
• ASA Clustering with FirePOWER Services
• Threat Management with NextGen IPS

Components shown in the combined diagram: FlexPod, Active Directory, Identity Services Engine, Cisco Security Manager, NetFlow Generation Appliances, Data Storage SAN, Cisco Nexus® 1000v Virtual Supervisor Module, the ASA cluster CCL, and the Enterprise Core.