Securing DC Journey
Mohammad AlYousef, Systems Engineer
February 2013
© 2012 Cisco and/or its affiliates. All rights reserved. CISCO CONFIDENTIAL INTERNAL USE ONLY

Slide 2: Agenda
1. Why we care about DC Security
2. DC Security Portfolio
3. PCI 2.0
4. Summary

Slide 3: Why We Care about DC Security

Slide 4
• Almost 100K new threats identified every day
• More than 50% of workloads in the data center will be virtualized by 2013
• Nearly 2000% increase in application traffic and network connections per second by 2015

Slide 5: Security Decision
• "I need higher performance, lower power security."
• "I am tired of defining policies in multiple locations."
• "I want to establish tenant boundaries."
• "Why is security always an afterthought?"
• "We are moving to cloud-based architectures."
• "How do I maintain compliance as I embrace virtualization and cloud?"

Slide 6: Data Center and Security Administrators need to:
• Defend against threats
• Maintain compliance
• Manage security policies
• Build and secure multi-tenant environments
• Protect applications and virtual machines

Slide 7
[Diagram: data center reference architecture. Tiers: Internet Edge, Core, Distribution, Services, Access (Unified Compute, Unified Access). Legend: Security, Network, Compute. Components shown: Nexus 7000 (VDC), ASA 5585-X, vPC, VSS, Nexus 5000, Catalyst 6500, Unified Computing System, Nexus 2100 Series, ASA Firewall, ACE, Nexus 1000V, VSG, NAM, IPS, Multizone, 10G Server Racks.]

Slide 8: Zones (Zone 1, Zone 2)
• Zones used to define policy enforcement
• Unique policies and traffic decisions applied to each zone
• Physical infrastructure mapped per zone
• Merging physical and virtual infrastructure
Diagram labels: steer VM traffic to firewall context; VRF, virtual context; segment pools of blade resources per zone; virtual switch (vSphere).

Slide 9: Segmentation, Threat Defense, Visibility
Segmentation:
• Establish boundaries: network, compute, virtual
• Enforce policy by functions, devices, orgs
• Control access to networks, resources, apps
Threat Defense:
• Stop internal and external attacks
• Patrol zone and edge boundaries
• Control information access and usage
Visibility:
• Provide transparency to usage and utilization
• Apply business context to network activity
• Simplify operations and compliance reporting

Slide 10: Data Center Security Portfolio

Slide 11
• Fabric Segmentation: UCS Fabric Interconnect
• Network Segmentation: physical, virtual
• Context-Aware Segmentation: TrustSec tags and ACLs
• Threat Defense Firewall: stateful inspection, application control
• Visibility
Enforcing Consistent Policies Across Physical and Virtual Boundaries to Protect Data at Rest and In Motion

Slide 12
North-South Traffic (physical): inspecting all traffic into and out of the data center
• Cisco ASA 5585-X
• Cisco Catalyst 6500 ASA FW Module
East-West Traffic (virtual / multitenant virtual firewall): creating secure trust zones between applications and tenants within the data center
• Cisco ASA 1000V
• Cisco Virtual Security Gateway (VSG)
Slide 13
• How to scale to 100 Gbps of traffic through a cluster of firewall appliances?

Slide 15: ASA version 9.0 clustering, 100+ Gbps
• Cluster up to 8 ASA appliances
• Hitless upgrade
• Intelligent data-path to forward packets through the cluster to accomplish stateful firewall inspection
• Fully distributed data-path so there is no single point of failure
• State sharing between units for both concerted operation (e.g. share user identity after authentication) and high availability (e.g. no need to re-authenticate should a unit fail)
• Centralized management and monitoring
Diagram labels: Cluster Control Link (control traffic); Data Port Channel, 2 x 10GbE (data traffic).

Slides 16-19: connection setup through the ASA cluster (one diagram, built up step by step)
Roles: Owner, Director, Forwarder. The client sits on the Inside Network, the server on the Outside Network.
1. The client's SYN arrives at the owner; the owner sends a state update to the director and forwards the SYN to the server.
2. The server's SYN/ACK arrives at a different unit, the forwarder, which sends an owner location query to the director.
3. The director replies with the owner.
4. The forwarder sends the SYN/ACK to the owner. After step 4, all remaining packets are forwarded directly to the owner.
• Director is selected per connection using a consistent hashing algorithm
• Director also acts as a backup server should the owner fail
• Optimization exists in implementation to eliminate steps 2 and 3 when appropriate

Slide 20: ASA scaling
ASA 8.4.1 64-Bit (5X capacity)   ASA 8.4.2 Dual Blade (2X performance)   ASA 9.0 Clustering (5-7X scale)
64-bit                           80 Gbps                                 300 Gbps
10 million connections           700K CPS                                1.5 million CPS
250 contexts                     20 million connections                  50 million connections
1000 VLANs

Slide 21
• Virtual Security Gateway: zone-based intra-tenant segmentation of VMs
• ASA 1000V: ingress/egress multi-tenant edge deployment
Diagram labels: Nexus 1000V, Virtual Service Nodes, vPath, Hypervisor, vCenter, Nexus 1KV, VNMC; Server Admin, Network Admin, Security Admin.
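The owner/director/forwarder exchange from the clustering slides above, modelled as an added example (a constructed illustration, not Cisco's implementation): the director is picked by consistent hashing over a direction-independent connection key, the owner registers the connection with it (step 1), a forwarder that receives the SYN/ACK asks the director once (steps 2 and 3) and afterwards sends packets straight to the owner (step 4 onward). It also goes one step beyond the slides by showing why a consistent hash is used: when a unit leaves, only the connections whose director was that unit get a new director. The unit names, the SHA-256 ring with 64 points per unit and the sample addresses are assumptions.

```python
import hashlib
from bisect import bisect_right

def _h(text):
    return int.from_bytes(hashlib.sha256(text.encode()).digest()[:8], "big")

def conn_key(src, sport, dst, dport):
    """Direction-independent 5-tuple key: the SYN and its SYN/ACK pick the same director."""
    a, b = sorted([(src, sport), (dst, dport)])
    return f"{a[0]}:{a[1]}<->{b[0]}:{b[1]}"

class AsaCluster:
    def __init__(self, units, vnodes=64):
        # Consistent-hash ring, `vnodes` points per unit (assumed): a leaving unit only re-homes its own keys.
        self.ring = sorted((_h(f"{u}#{i}"), u) for u in units for i in range(vnodes))
        self.owned = {u: set() for u in units}       # owner: connections it inspects
        self.director_tbl = {u: {} for u in units}   # director: key -> owner unit
        self.fwd_cache = {u: {} for u in units}      # forwarder: key -> owner unit
        self.director_queries = 0                    # how often steps 2 and 3 ran

    def director_for(self, key):
        i = bisect_right(self.ring, (_h(key), ""))
        return self.ring[i % len(self.ring)][1]

    def receive(self, unit, src, sport, dst, dport, syn=False):
        """A packet lands on `unit`; return the unit that performs stateful inspection."""
        key = conn_key(src, sport, dst, dport)
        if key in self.owned[unit]:
            return unit
        director = self.director_for(key)
        if syn and key not in self.director_tbl[director]:
            # New connection: receiver becomes owner and registers with the director (step 1).
            self.owned[unit].add(key)
            self.director_tbl[director][key] = unit
            return unit
        # Return traffic (SYN/ACK) landed on a forwarder: the owner-location query
        # (steps 2 and 3) runs once, then the cached owner is used (step 4 onward).
        owner = self.fwd_cache[unit].get(key)
        if owner is None:
            self.director_queries += 1
            owner = self.director_tbl[director].get(key)   # None: unknown connection, drop
            if owner is not None:
                self.fwd_cache[unit][key] = owner
        return owner

    def moved_directors(self, unit, keys):
        """Remove `unit` from the ring; return the fraction of `keys` whose director changed."""
        before = {k: self.director_for(k) for k in keys}
        self.ring = [(h, u) for h, u in self.ring if u != unit]
        return sum(self.director_for(k) != before[k] for k in keys) / len(keys)
```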
Slide 22: Cisco VSG and Cisco ASA 1000V
Cisco VSG, Intra-Tenant Security:
• Secures traffic between virtual machines within a tenant
• Layer 2 and 3 firewall to secure east-to-west traffic
• ACLs using network attributes and virtual machine attributes
• First-packet lookup and performance acceleration using vPath
Cisco ASA 1000V, Tenant-Edge Security:
• Secures the tenant edge
• Default gateway; Layer 3 firewall to secure north-to-south traffic
• Edge firewall capabilities including network attribute-based ACLs, site-to-site VPN, NAT, DHCP, inspections, and IP audit
• All packets go through the Cisco ASA 1000V

Slide 23: Per instance of Cisco ASA 1000V (minimal resources required for each ASA 1000V)
Required vCPU:              1 vCPU - 1 GHz
Required vRAM:              1.5 GB
Required vHD space:         2.5 GB
Network:                    Data interfaces 2; Management interfaces 1 (out-of-band management); High availability interfaces 1
Bandwidth:                  1 GB

Slide 24: Protecting Businesses from External and Internal Threats
Threat sources: hackers, organized crime, cyber criminals, disgruntled employee
Protection:
• IPS 4500 Security Appliance
• Cisco ASA CX Application Control

Slide 25
Cisco IPS 4500, protection for demanding data centers:
• Extensive protection against thousands of internal/external network, server, and application attacks
• High-performance hardware accelerated inspection in a highly port-dense, expandable chassis
• Designed for PCI compliance
Cisco ASA CX, contextual application-aware firewall:
• Extensive application visibility and control spanning thousands of applications and micro-applications
• Granular contextual policy control by application category, users and groups
• Visibility into SSL traffic for application identification

Slide 26
Management and Reporting:
• Cisco Security Manager (CSM)
• Cisco Virtual Network Management Center (VNMC)
Insights and Policy Orchestration:
• Cisco NetFlow
• Business Context
• TrustSec Tagging
Maintaining Compliance and Providing