Security at the Speed of the Network: Automating and Accelerating Security Through SDN and NfV BRKSEC-2760
Hantzley Tauckoor – CISSP #472723, CCDE #2015::43
Consulting Systems Engineer – MANO & Programmability, Global Virtual Engineering, Cisco Systems
linkedin.com/in/hantzley | Twitter: @hantzley | [email protected]

Agenda
• Security from the Service Provider perspective
• Putting SDN/NFV to work – DDoS
• Automating Security in the SP Data Centre
• Generating new revenue streams with hosted security services
• SDN & NFV Infrastructure Security
• Summary

Security from the Service Provider Perspective

Trends: New Opportunities …
The world has gone mobile; traffic growth is driven by video. [Chart: mobile data traffic in petabytes per month, 2013–2018, 23% CAGR 2013–2018; Internet video rises from 57% to 75% of traffic while other traffic falls from 43% to 25%; 10x mobile traffic growth from 2013 to 2019.]

Trends: dynamic threat landscape; changing customer expectations; ubiquitous access to apps and services; rise of cloud computing; increasing threat sophistication; machine-to-machine; emergence of the Internet of Everything (people, process, data, things). These will soon change SP architectures and service delivery, enterprise business models, and efficiency and capacity, and they bring risks to service providers and their customers.

Your Customers Are Being Attacked By DDoS (2015 Verizon Data Breach Investigations Report)
~84% of initial compromises are completed within hours; ~65% of initial compromises stay undetected for months (compromise vs. detection).

Legacy Security: Costly & Complex
• Siloed – limited integration, security gaps
• Manual – hard-coded processes; hinders realization of open and programmable networks
• Inefficient – over-provisioned, static, and slow

SDN Automation: The Speed of The Network
The attack continuum: BEFORE – control, visibility; DURING and AFTER – threat analytics. How automated are you today (automated vs. manual)?

Managing The Threat Lifecycle: Protecting the Infrastructure and Offering Elastic Managed Services

Attack Continuum
• BEFORE: Control, Enforce, Harden – Firewall, VPN, NGFW, UTM, NAC + Identity Services
• DURING: Detect, Block, Defend – NGIPS, Web Security, Email Security
• AFTER: Scope, Contain, Remediate – Advanced Malware Protection, Network Behaviour Analysis, Forensic Analytics
• Across the continuum: DDoS Visibility/Mitigation Services

Visibility, Context, Autonomics and BCPs
• Orchestration: VMS, Quantum WAVE, HSS – cloud services orchestration, WAN orchestration, UBIqube MS Activator (security domain management)
• Real-time application of the right service, in the right place, at the right time
• Real-time topology and service health information

Anatomy of the SP network
Network domains: Access (mobile – cell site router; residential – CMTS, DSLAM; enterprise – WAN, business), Aggregation/Service Edge, Core Transport, Data Center, Video Distribution.
Security features across these domains: FW, VPN, MACsec, CGNAT, NGIPS, AMP, mobile inspection, volumetric DDoS and application DDoS.
SP Security Best Practices – http://tools.cisco.com/security/center/serviceProviders.x?i=76

Security for Open & Programmable Networks – Cisco Service Provider Architecture
• Applications & Services, connected through open APIs
• Evolved Services Platform: service broker, service catalog, service orchestration, profile engine, virtual functions, smart service capabilities
• Evolved Programmable Network: compute, storage, network, security, connected through open APIs
• Benefits: new revenue streams, increased business agility, lower operating costs

Network Programmability
• Controller with a programmatic interface (REST APIs) northbound; topological awareness and policy resolution
• Southbound: CLI, Netconf, OpenFlow
• Network functions: bandwidth, load balancing, monitoring, management

Programmability Across Multiple Controllers
• Applications: threat defense, security policy, service orchestrator
• Campus / WAN: APIC-EM / WAE controller
• Data Centre: APIC controller
A Plethora of Controllers
• Data Center: APIC – application network profile (QoS, security, SLA); user/things, device, location, role
• Campus/WAN: WAE – traffic optimization; monitor for path constraint violations; automate network changes to ensure path compliance
• Open Source Projects: OpenDaylight – SDN controller under the Linux Foundation, security extensions, common vendor-supported framework, service chaining; Group Based Policy – objective: extend OpenStack Neutron’s networking model with new policy APIs, a “sister project” to group-based policy in OpenDaylight; VTS – overlay automation for OpenStack; cloud orchestration
• Drivers: increasing agility and velocity, increased service revenue, reducing total OpEx and CapEx

Transition to All Virtualised: all SP services are virtualising (L2/L3 VPN, HCS, IaaS, video, managed services, mobile, enterprise; hardware appliances, gateways, CPE). Some services move straight to SP infrastructure (NFV, SDVPN); existing functions are virtualised; this can be leveraged to offer SaaS solutions (Scansafe-based, HCS, Webex).

Network Function Virtualization
• Movement of network functions to the cloud – control, services and data plane components
• NFV is not applicable to all network applications; however, most service functions are in the frame, while high-performance plumbing is not at the moment
• NFV is an architecture rather than simply virtualizing functions: virtual services, compute; service chaining, overlays; orchestration and redirection
• Covers a number of use cases
See also: http://www.etsi.org/deliver/etsi_gs/NFV/001_099/002/01.01.01_60/gs_NFV002v010101p.pdf

Evolving The Network Software Stack
• Application software: Unified Communications, Evolved VPN (CloudVPN, …), custom apps, CCS, …
• Orchestration: NSO, …; Management: Prime, …; Optimization: WAE, …
• Infrastructure software (virtual and physical): Network OS (IOS-XE, NX-OS, …), plugins (Puppet, guest shell, …), base OS (Linux, …), protocols (IETF, IEEE, …)

Summary: The Building Blocks
• Service Orchestration: automation, provisioning and interworking of physical and virtual resources
• NFV: network functions and software running on any open standards-based hardware
• SDN: separation of control and data plane, controllers
• Traditional: distributed control plane components, physical entities
Putting SDN/NFV to Work: Security Services Virtualization & SDN DDoS Mitigation

Distributed Denial of Service Attack Mitigation (animation): the controller gathers traffic statistics from the network, recognises a DoS condition, and redirects the attack traffic.

Cisco ASR 9000 vDDoS Protection
Arbor Networks Threat Management System (TMS) on the Cisco ASR 9000 Virtual Services Module (VSM): ASR 9000 vDDoS Protection “Powered By Arbor Networks”. Architectural superiority, unified management, scalable performance, reduced OPEX, flexible deployment.

ASR 9000 vDDoS Solution Components
• Virtualized Arbor Peakflow SP (DDoS detection and mitigation controller): collects flow records; detects abnormal network behavior and triggers alerts; can influence routing by injecting BGP routes in the network; supports BGP FlowSpec as a controller; sets up and monitors the TMS remotely
• Virtual DDoS software (running on the A9K VSM): configured by the SP, receives diverted traffic and proceeds to in-depth packet analysis; discards the attack packets and transmits the legitimate ones; provides real-time monitoring information to operators
• Licenses

How Peakflow works (diagram: enterprises A, B and C behind PE routers, peering points with ASR 9K and ACLs, core router, Arbor Peakflow SP 6000)
1 – Anomaly detection
2 – Volumetric DDoS: ACL, BGP FlowSpec
3 – L4–L7 DDoS: redirect to the ASR 9K for intelligent mitigation
4 – Identify and filter the malicious requests
5 – Forward the legitimate traffic: GRE, MPLS, …
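As an added example (written for this page, not Arbor's or Cisco's code), the following Python script models steps 1–3 of the workflow above on constructed flow records: it rolls the records up per destination, compares the observed rate with a learned baseline, and chooses between a FlowSpec-style discard rule for a volumetric flood and diversion of a /32 to the scrubber for an L4–L7 (SYN) attack, where steps 4–5 would then take place. The thresholds, baselines, addresses and records are assumptions.

```python
"""Flow-based DDoS triage modelled on the five-step Peakflow workflow above (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_S = 60                # export interval covered by the constructed records
VOLUMETRIC_FACTOR = 10       # rate above baseline that counts as volumetric (assumption)
APP_MIN_PACKETS = 100_000    # floor before a SYN-heavy mix counts as an L4-L7 attack (assumption)
APP_SYN_RATIO = 0.8          # share of half-open TCP packets that marks a SYN flood (assumption)


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record: packet and octet counters for a 5-tuple."""
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    octets: int
    syn_only: bool   # TCP flow that never completed the handshake


# Learned per-destination normal rate in bits/s; Peakflow learns these, here they are constructed.
BASELINE_BPS = {
    "203.0.113.10": 5_000_000,
    "203.0.113.20": 5_000_000,
    "203.0.113.30": 5_000_000,
}

# Constructed records for one export window: normal HTTPS, a UDP reflection flood, a SYN flood.
SAMPLE_FLOWS = [
    Flow("198.51.100.5", "203.0.113.10", "tcp", 443, 1_500, 2_000_000, False),
    Flow("198.51.100.6", "203.0.113.10", "tcp", 443, 1_500, 2_000_000, False),
    Flow("198.51.100.7", "203.0.113.10", "tcp", 443, 1_500, 2_000_000, False),
    *[Flow(f"192.0.2.{i}", "203.0.113.20", "udp", 123, 400_000, 500_000_000, False) for i in range(1, 6)],
    *[Flow(f"192.0.2.{i}", "203.0.113.30", "tcp", 80, 50_000, 3_000_000, True) for i in range(10, 14)],
]


def aggregate(flows):
    """Roll flow records up per destination (the collector's view before detection)."""
    stats = defaultdict(lambda: {"bits": 0, "packets": 0, "syn_only_pkts": 0, "sources": set(), "ports": set()})
    for f in flows:
        s = stats[f.dst]
        s["bits"] += f.octets * 8
        s["packets"] += f.packets
        if f.syn_only:
            s["syn_only_pkts"] += f.packets
        s["sources"].add(f.src)
        s["ports"].add((f.proto, f.dport))
    return stats


def classify(stats, baseline_bps, window_s=WINDOW_S):
    """Step 1, anomaly detection: dst -> 'normal' | 'volumetric' | 'application'."""
    verdicts = {}
    for dst, s in stats.items():
        bps = s["bits"] / window_s
        if bps > VOLUMETRIC_FACTOR * baseline_bps.get(dst, 1_000_000):
            verdicts[dst] = "volumetric"            # bandwidth is the target
        elif s["packets"] >= APP_MIN_PACKETS and s["syn_only_pkts"] / s["packets"] >= APP_SYN_RATIO:
            verdicts[dst] = "application"           # low bandwidth, but state exhaustion at L4-L7
        else:
            verdicts[dst] = "normal"
    return verdicts


def plan_mitigation(verdicts, stats):
    """Steps 2 and 3: volumetric -> FlowSpec-style discard at the edge; L4-L7 -> divert to the scrubber."""
    actions = []
    for dst, kind in verdicts.items():
        if kind == "volumetric":
            actions.append({"dst": dst, "action": "flowspec",
                            "match": {"dst": f"{dst}/32", "ports": sorted(stats[dst]["ports"])},
                            "then": "discard"})
        elif kind == "application":
            # The scrubber performs steps 4 and 5: filter the malicious requests, forward the rest over GRE.
            actions.append({"dst": dst, "action": "divert", "announce": f"{dst}/32",
                            "next_hop": "scrubber", "reinject": "GRE"})
    return actions


def triage(flows=SAMPLE_FLOWS, baseline_bps=BASELINE_BPS):
    """Run the pipeline; returns (verdict per destination, planned mitigations)."""
    stats = aggregate(flows)
    verdicts = classify(stats, baseline_bps)
    return verdicts, plan_mitigation(verdicts, stats)


if __name__ == "__main__":
    for item in triage()[1]:
        print(item)
```

The split between the two mitigations follows the recap later in the deck: a FlowSpec or ACL action at the edge router is the right tool when bandwidth is the target, while a SYN flood that stays well under the baseline rate but exhausts connection state is what the in-line scrubber is for.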
Integrated Security Services “at Scale”

Legacy Security: Siloed, Inefficient & Expensive
Each function – DDoS, WAF, sandbox, SSL, FW, IPS – runs on its own platform and the data packet traverses them in sequence: reduced effectiveness, increased latency, slows the network, static and manual.

Cisco Transforms Security Service Integration
One unified platform runs the services (SSL, DDoS, FW, WAF, NGIPS, AMP) as Cisco and 3rd-party services integrated on the same packet path: maximum protection, highly efficient, scalable processing, dynamic.

Firepower 9300 Platform – NEW High-Speed, Scalable Security
Multi-Service
• Benefits: integration of best-of-breed security; dynamic service stitching
• Features: ASA container; Firepower Threat Defense containers (NGIPS, AMP, URL, AVC); 3rd-party containers (Radware DDoS, other ecosystem partners)
Modular
• Benefits: standards and interoperability; flexible architecture
• Features: template-driven security; secure containerization for customer apps; RESTful/JSON API; 3rd-party orchestration/management
Carrier-Class Security
• Benefits: industry-leading performance per RU; 600% higher performance; 30% higher port density
• Features: compact 3RU form factor; 10G/40G I/O, 100G ready; terabit backplane; low latency, intelligent fastpath; NEBS ready

Security Services Architecture (management: Radware Vision, Chassis Manager, Manager & ASDM)
[Diagram: a logical ASA cluster across Security Modules 1–3, each running an ASA application unit with a DDoS decorator and application links/connectors; the supervisor carries the packet flow between the on-board 8x10GE interfaces (Ethernet 1/1-8), the 4x40GE network modules in slots 1 and 2 (Ethernet 2/1-4, Ethernet 3/1-4), the external management port (Ethernet 1/7) and image storage; PortChannel1 is used for data outside and data inside.]

Cisco DDoS Positioning
• MSSP services / SP scrubbing center: various 3rd-party options for hosted services – Arbor Cloud, Radware Cloud, Prolexic/Akamai
• A complete DDoS system can be complemented with Cisco Lancope Threat Defense
• SP mobility edge with Firepower 9300 and Radware DDoS (Radware Defense Pipe, Radware Defense Pro, Radware Vision) protecting mobile users, applications, services and databases
• Data center firewall-based DDoS with Firepower 9300: Firepower 9300 + SM running Radware Defense Pro; application attack detection and mitigation; Firepower Threat Defense
• SP edge router-based DDoS with ASR: volumetric, on ASR 9K + VSM + Arbor TMS, with Peakflow at the SP PE/data center; SP backbone detection and mitigation

Recap – Cisco DDoS Offerings for Service Providers
Arbor TMS on ASR 9K
• DDoS target is bandwidth
• Volumetric attacks
• Part of the SP Clean Pipes solution
• Traffic diverted to the scrubber within the router backplane
• Clean traffic reinjected locally
• Additional Arbor products can protect enterprise assets
Radware vDP on FP9300
• DDoS target is the firewall and the devices behind it, NOT bandwidth
• vDP sits inline and sees all traffic going to the firewall
• Other Radware capabilities in the cloud can help with bandwidth-based attacks
Automating Security in the SP Data Centre

Cisco SDN: Providing Choice in Automation and Programmability
• Application Centric Infrastructure: turnkey integrated solution with security, centralized management, compliance and scale; automated application-centric policy model with embedded security; broad and deep ecosystem
• Programmable Fabric: VxLAN-BGP EVPN, standards-based; 3rd-party controller support; VTS for software overlay provisioning and management; common NX-API across N2K–N9K
• Programmable Network: modern NX-OS with enhanced NX-APIs; automation ecosystem (Puppet, Chef, Ansible etc.); common NX-API across N2K–N9K
Target markets: mass market (commercial, enterprises, public sector), service providers, mega-scale data centres.

Introducing Application Centric Infrastructure
Centralized policy management through the APIC (application network profile) with open APIs, open source and open standards; ecosystem partners for automation, hypervisor management, enterprise systems, orchestration, monitoring and management frameworks (OVM); the ACI fabric connects physical and virtual networking, hypervisors and compute, L4–L7 services, storage, end points (physical and virtual) and multi-DC, WAN and cloud (Nexus 7K, Nexus 2K, WAN edge).

Typical Service Chain
• Full abstraction within the service chain
• Every device only knows its function and exchanges packets with the fabric as instructed
• High degree of modularity with low coupling; specific devices are interchangeable
• ACI maintains flow symmetry through the same device instance
[Diagram: EPG “Users” → SSL → Firewall (policy rules, NAT, inspection) → IPS → EPG “Web”; EPG “Files” attached to an Analyzer.]
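As an added example (not part of the original slides, and not ACI's own algorithm), the following Python script shows the flow-symmetry property from the bullets above: the fabric hashes a canonicalised 5-tuple, so the forward and return directions of one connection select the same instance at every stage of the chain, while each stage still knows only its own function and instances. The stage and instance names are constructed.

```python
"""Flow-symmetric instance selection for a service chain (illustrative, not ACI's own algorithm)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

    def reverse(self):
        """The return direction of the same connection."""
        return FiveTuple(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


def symmetric_key(ft):
    """Order the two endpoints so that A->B and B->A yield the same key."""
    ends = sorted([(ft.src_ip, ft.src_port), (ft.dst_ip, ft.dst_port)])
    return "|".join([ft.proto] + [f"{ip}:{port}" for ip, port in ends])


def choose_instance(function, ft, instances):
    """Deterministic pick among redundant instances of one function.

    SHA-256 over function name + symmetric key; Python's hash() is salted per
    process and would not be stable across fabric nodes.
    """
    digest = hashlib.sha256(f"{function}|{symmetric_key(ft)}".encode()).digest()
    return instances[int.from_bytes(digest[:8], "big") % len(instances)]


# Constructed chain mirroring the diagram: each stage knows only its function and its instances.
CHAIN = [
    ("ssl", ["ssl-1", "ssl-2"]),
    ("firewall", ["fw-1", "fw-2", "fw-3"]),
    ("ips", ["ips-1", "ips-2"]),
]


def chain_path(ft, chain=CHAIN):
    """Ordered (function, instance) hops the fabric steers this flow through."""
    return [(function, choose_instance(function, ft, instances)) for function, instances in chain]


def is_symmetric(ft, chain=CHAIN):
    """True when reply traffic traverses exactly the same instances as the request."""
    return chain_path(ft, chain) == chain_path(ft.reverse(), chain)


if __name__ == "__main__":
    flow = FiveTuple("10.1.1.5", 40000, "10.2.2.8", 443, "tcp")
    print(chain_path(flow), is_symmetric(flow))
```

Symmetry matters for stateful stages: a firewall or IPS instance that sees only one direction of a connection cannot track its state and will either drop legitimate replies or miss what it is meant to inspect.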
ACI and OpenStack
Multi-vendor orchestration with open-source plugins: OpenStack projects 1–3 map onto the APIC through its plugin (alongside other controllers and their plugins); Cisco ACI APIC with Nexus 9000 fabric, Open vSwitch on the hypervisors driven by OpFlex.

Virtual Topology System (VTS) Introduction
• Automated, flexible overlays: physical and virtual overlays; bare-metal and virtualized workloads; automated overlay provisioning; service chaining; automated DCI/WAN integration
• Seamless integration with orchestrators: Cisco Network Services Orchestrator (Tail-f), VMware vCenter, GUI, REST API
• Open and programmable: NX-API, Netconf/YANG, REST-based northbound APIs, multi-protocol support, multi-hypervisor support
• Scalable VXLAN management: MP-BGP EVPN control plane, virtual tenant networks, high-performance virtual forwarding
[Diagram: BGP-EVPN VXLAN fabric with a physical ToR overlay and a virtual overlay, DCI/WAN, VM and bare-metal workloads.]
VTS for overlay provisioning and management across virtual overlays and the physical fabric (Cisco Nexus & multivendor)
Generating new revenue streams with Hosted Security Services

Evolution of Security Services: Premise to Cloud
Delivery models: CPE – Managed – Hybrid – Cloud. Security functions (NGFW, VPN, IPS, web, email, malware, context) move from the customer premise, where they sat beside routing, switching, NAT, DHCP, AP and voice, into the SP cloud, leaving the CPE with connectivity functions.

Market Opportunity: Cloud Service Delivery Shows Higher Growth, but CPE Based Still Growing
[Charts: worldwide cloud-based and CPE-based service revenue share by technology, CY10–CY19, revenue in US$ billions (cloud-based axis to $12B, CPE-based axis to $14B); categories: IDS/IPS, DDoS mitigation, managed firewalls, other security services.]
© 2015 IHS / Infonetics Research: Cloud and CPE Managed Security Services Market Size and Forecasts; March 2015

Cloud Based Security Service Offerings: SaaS or Hosted
• Cisco Managed Security Cloud: Cloud Web Security (CWS), Cloud Email Security (CES)
• SP Hosted Security Cloud: VPN, FW, NGFW, NGIPS, AMP, Web Security, Email Security as a Service
• Pre-packaged NFV security service bundles (vMS); SP/MSSP resell to enterprises; à la carte Hosted Security as a Service (HSS)

Hosted Security as a Service Architecture
• Orchestration layer: policy, analytics, reporting
• Services layer: per tenant (Tenant 1, 2, 3) service chains such as FWaaS, WSaaS, ESaaS, IDaaS, NGFW/IPSaaS, VPNaaS
• Infrastructure layer: hypervisor, compute, storage
Security service examples:
• FWaaS – Firewall as a Service
• VPNaaS – Virtual Private Networking as a Service
• NGFW/IPSaaS – Next Generation Firewall and Intrusion Prevention System as a Service
• WSaaS – Web Security as a Service
• ESaaS – Email Security as a Service
• IDaaS – Identity as a Service
• DDoSaaS – Distributed Denial of Service as a Service
Firewall-aaS Tiers Example (BEFORE / DURING / AFTER)
Service tiers: Bronze, Silver, Gold; each feature is marked as included or optional per tier.
• NAT / Address Translation: NAT / PAT
• Stateful Inspection: L3 firewall; transparent firewall; proxy authentication; application hosting private zone; application control (IM, peer to peer); voice security support
• High Availability: within SP data centre; between SP data centres
• Management: customer self-service portal; streamlined management; auto-generated reporting; custom reporting; data log retention (1 month); extended data log retention (> 1 month)

VPNaaS Tiers Example (Bronze / Silver / Gold)
• Customer site to cloud IPSec VPN service
• Remote Access VPN
• High Availability
• Advanced Management

Web Security-aaS Tiers Example (Bronze / Silver / Gold)
• Real-time threat protection services
• Acceptable use services
• Policy control
• High Availability
• Advanced Management

Email Security-aaS Tiers Example (Bronze / Silver / Gold)
• Inbound email protection
• Outbound email protection
• Policy control
• High Availability
• Advanced Management

NGFW/IPSaaS Tiers Example (Bronze / Silver / Gold)
• Application Visibility and Control (NGFW)
• Threat Protection (NGIPS)
• High Availability
• Advanced Management

Hosted Security as a Service (HSS): HSS Architecture
• Provisioning API, reporting API and billing API towards the SP’s existing orchestration, reporting and billing infrastructure
• Orchestration layer: policy, analytics, reporting; services layer: per-tenant WSAv, ESAv, CSR1Kv, ASAv; infrastructure layer: VMware ESXi on Cisco UCS, storage
• Delivered from the service provider’s infrastructure
• UBIqube MSActivator used as the Security Domain Manager
• Orchestration software interfaces with native appliance configuration mechanisms
• All customer data lives inside the SP cloud environment
• Security on virtual form factor available today
VSA 1.0 Expanded Gold Container – Customer Hosted Email Inbound Flow
[Diagram: the customer site (AD, DNS, MS Exchange) reaches the SP over MPLS VPN or an Internet IPsec VPN into a customer VRF on the ASR 9000; a global shared transit VLAN and a per-tenant VLAN run over the Nexus 5000/7000/9000 L2 fabric; the tenant’s expanded gold container is an ASAv (gi0/2–gi0/7, mgt 0/0) fronting private tier 1–3 VM zones, a DMZ zone with ESAv and WSAv virtual machines on UCS, and the SP management zone (ASA5585X, UBIqube, vCenter). Redundant nodes not shown.]

VSA 1.0 Expanded Gold Container – SP Hosted Email Inbound Flow
[Same topology, with MS Exchange hosted in the tenant’s private zone inside the SP container rather than at the customer site.]

VMDC 2.3 Expanded Gold Container
[Diagram: customer site over MPLS VPN / Internet to an ASR1006, ASA5555 remote-access VPN; customer DMZ and private contexts on ASA5585X; Nexus 7004 with outside, inside and DMZ VRFs; Citrix/F5 load balancers; private zone with 3 VLANs, DMZ 1 and DMZ 2 with 1 VLAN each; WSAv/ESAv VMs on UCS; SP management (UBIqube, vCenter). Redundant nodes not shown.]

HSS Security Domain Manager: UBIqube MSActivator
• Web portal GUI and 3rd-party OSS/BSS on top
• Service designer: service templates, web services, profiles and objects
• OBMF mediation layer: verbs and web services API, order stack management
• Device adaptors (SDK): update configuration, restore configuration, get asset, update firmware
• Southbound interface: TELNET, SSH, HTTP, SNMP, Syslog, FTP, Netflow, OpenFlow, TR069, VoIP

vMS (CloudVPN) at a Glance
• Provisioning API, reporting API and billing API towards the SP’s existing orchestration, reporting and billing infrastructure
• Orchestration layer: service lifecycle management, policy, provisioning, network + service analytics, reporting, portal; services layer: per-tenant IPSv, ESAv, vDDoS, ASAv, WSAv, CSR1Kv; infrastructure layer: KVM, compute, storage
• Rapid provisioning/operations
• Standard YANG models
• All customer data lives inside the SP cloud environment
• Appliance plus virtual services chained together
• Orchestration of network + service topology
• Service lifecycle management + elasticity + workload placement
• IPv6 deployed here
Service Design (portal: My Designs, My Deployments; deployment wizard – create, select scope, deliver, deploy, operate, optimize; engineering, testing, end-user and operator portals; BSS systems)

vMS Architecture: A Deeper Look
• RESTCONF / UICONF northbound
• NSO (VNF-O): service models, reactive fastmap, device models, NEDs, confd; O/S component APIs
• ESC (VNF-M): lifecycle, virtual infrastructure fastmap
• Config & operation of the IP network (x86 ISR, cloud service, MPLS WAN) through the SDN controller; OpenStack as virtual infrastructure manager (VR_CSR, VFW_vASA in the data centre)

VMS Release 2.0: Delivering Comprehensive Cloud VPN Services
• NSO – NFV Orchestrator; ESC – VNF Manager; OpenStack – Virtual Infrastructure Manager; orchestration link: API, PnP, RFS, VirTo
• 3 service models for enterprise deployment flexibility: CloudVPN Foundation (VR); CloudVPN Advanced (VR, ASA); CloudVPN Advanced w/ Web Security (VR, ASA, WSA); vIPS option for both Advanced and Advanced w/ Web Security
• CSR1Kv: virtual router for site-to-site VPN with secure Internet IP overlay using FlexVPN/IKEv2 for IPsec tunnels
• ASAv: vFW with NAT and policy (*); ASAv: vFW with IPsec/SSL remote access (*); WSAv for enhanced web security (*)
• Management and orchestration: enterprise admin service interface (portal) driven service instantiation; zero-touch deployment of enterprise CPE (ISR G2); model-driven network services lifecycle management with Network Services Orchestrator (NSO) from Tail-f; VNF lifecycle management with Elastic Services Controller (ESC); virtual infrastructure management with OpenStack featuring OVS and ODL/VPP as SDN controllers
• Access model: Flex-VPN links (IPsec VPN) from customer CPE; service access over the top via the vRouter; the Foundation service gives direct Internet access via “split tunnel”

vMS Service Bundles
• (1) Internet Access (IA), FWaaS, VPNaaS – CSR1kv, vASA with NAT, FW, RA
• (2) IA, FWaaS, VPNaaS and WSaaS – CSR1kv, vASA, vWSA
• (3) IA, FWaaS, VPNaaS and Next-Gen IPSaaS – CSR1kv, vASA, vWSA, vNG-IPS (SourceFire)
• (4) IA, FWaaS, VPNaaS and IdentityaaS – CSR1kv, vASA, vISE with NAT, BYOD, Policy, TrustSec
• (5) IA, FWaaS, VPNaaS and ESaaS – CSR1kv, vASA, vESA
• (6) IA, FWaaS, VPNaaS and DDoSaaS
Flexibility for other variations based on marketing needs

Virtual Security Workflows
SDN & NfV Infrastructure Security

SDN Security Components
• SDN applications: Next Generation Defence Centre, PRSM, CSM…; Cisco Cloud Security Application; third-party threat defence application
• SDN network security services: security visibility, identity services (Identity Services Engine via pxGrid), threat defence services, service abstraction layer
• Infrastructure: open Netconf, CLI, I2RS, security flow plugin
• Application view: targeted packet capture, targeted file capture, targeted blocking, targeted inspection, targeted rate limiting, targeted confinement, targeted enforcement
• Network capabilities: OpenFlow, Netconf, VLAN, SGT, VxLAN, ISE security plugin

Security Services Through SDN
• Audit: recording, monitoring, inspection
• Effective: rate limiting, DDoS scrubbing, quarantine
• Active: web firewall, blocking
• Non-invasive, timely
The network controller reconciles mitigations against the needs of mission-critical applications: mitigations from the security system, application and network requirements.

Threats to an SDN System
[Diagram: applications 1–3 on top of the controller; threats – spoofing, rogue applications, DoS attacks.]
Hardening the controller: secure provisioning, authentication, authorisation/RBAC, integrity, secure storage, audit.
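As an added example (written for this page, not the code of any Cisco or OpenDaylight controller), the following Python gatekeeper applies the hardening controls listed above to a controller's northbound API against the three threats in the diagram: per-application secrets issued at provisioning, HMAC authentication and integrity over every intent (spoofing, tampering), a replay window, RBAC on the intent's action (rogue application), a per-application write rate limit (DoS on the controller) and an append-only audit record. Application names, secrets, permissions, limits and the exchange in `demo()` are constructed.

```python
"""Northbound-API gatekeeper illustrating the SDN controller hardening controls above."""
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque

# Secure provisioning: per-application secrets issued at onboarding (constructed values).
APP_SECRETS = {
    "app-ips": b"constructed-secret-for-ips-app",
    "app-telemetry": b"constructed-secret-for-telemetry-app",
}
# Authorisation/RBAC: the intents each application role may submit (constructed policy).
APP_PERMISSIONS = {
    "app-ips": {"read_topology", "block_flow", "rate_limit_flow"},
    "app-telemetry": {"read_topology"},
}
WRITE_ACTIONS = {"block_flow", "rate_limit_flow"}
MAX_SKEW_S = 30          # requests older than this are stale (assumption)
WRITE_LIMIT = (5, 60)    # at most 5 write intents per app per 60 s (assumption)


def canonical(app, ts, intent):
    """Bytes covered by the signature: app id, timestamp and intent, serialised deterministically."""
    return json.dumps({"app": app, "ts": ts, "intent": intent}, sort_keys=True, separators=(",", ":")).encode()


def sign(secret, app, ts, intent):
    """Client side: what a legitimate application attaches to its request."""
    return hmac.new(secret, canonical(app, ts, intent), hashlib.sha256).hexdigest()


class Gatekeeper:
    def __init__(self, secrets=APP_SECRETS, permissions=APP_PERMISSIONS):
        self.secrets = secrets
        self.permissions = permissions
        self.recent_writes = defaultdict(deque)   # app -> timestamps of accepted writes
        self.seen = set()                          # (app, ts, sig) already accepted: replay guard
        self.audit = []                            # append-only decision record

    def handle(self, app, ts, intent, sig, now=None):
        """Evaluate one request; every decision, accepted or not, is written to the audit record."""
        now = time.time() if now is None else now
        verdict = self._decide(app, ts, intent, sig, now)
        self.audit.append({"at": now, "app": app, "action": intent.get("action"), "result": verdict})
        return verdict

    def _decide(self, app, ts, intent, sig, now):
        secret = self.secrets.get(app)
        if secret is None:                                            # authentication
            return "unknown_app"
        if not hmac.compare_digest(sign(secret, app, ts, intent), sig):   # integrity, anti-spoofing
            return "bad_signature"
        if abs(now - ts) > MAX_SKEW_S or (app, ts, sig) in self.seen:   # replay / stale
            return "replayed_or_stale"
        action = intent.get("action")
        if action not in self.permissions.get(app, set()):           # authorisation / RBAC
            return "unauthorized"
        if action in WRITE_ACTIONS:                                   # DoS against the controller
            limit, window = WRITE_LIMIT
            q = self.recent_writes[app]
            while q and now - q[0] > window:
                q.popleft()
            if len(q) >= limit:
                return "rate_limited"
            q.append(now)
        self.seen.add((app, ts, sig))
        return "accepted"


def demo(now=1_700_000_000.0):
    """Constructed exchange exercising each control; returns (verdicts, audit record)."""
    gk = Gatekeeper()
    block = {"action": "block_flow", "match": {"src": "192.0.2.7/32"}}
    good_sig = sign(APP_SECRETS["app-ips"], "app-ips", now, block)
    tele_sig = sign(APP_SECRETS["app-telemetry"], "app-telemetry", now, block)
    results = [
        gk.handle("app-ips", now, block, good_sig, now),          # legitimate request
        gk.handle("app-ips", now, block, good_sig, now),          # same request replayed
        gk.handle("app-telemetry", now, block, tele_sig, now),    # read-only app tries to block
        gk.handle("app-ips", now, {"action": "block_flow", "match": {"src": "0.0.0.0/0"}}, good_sig, now),  # tampered
        gk.handle("rogue-app", now, block, "deadbeef", now),      # unprovisioned application
    ]
    for i in range(1, 6):                                         # burst of writes; the 5th exceeds the limit
        ts = now + i
        results.append(gk.handle("app-ips", ts, block, sign(APP_SECRETS["app-ips"], "app-ips", ts, block), ts))
    return results, gk.audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The order of the checks is deliberate: the cheap identity and signature checks run before any state is consulted, so an unauthenticated flood never touches the replay set or the rate-limit queues, and the audit record captures rejected requests as well as accepted ones, which is what makes a rogue application visible.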
Summary Considerations
• Detection: How automated is your telemetry capture? How automated is your threat analysis? Are you limited by privacy considerations?
• Response: What actions are you willing to take in real time? What actions should be one-click for a security analyst?
• SDN: What type of SDN can you use? How SDN-ready is your network? SDN security?

Summary
• SP security concerns
• How traditional products/solutions are embracing SDN/NfV
• Security automation in the SP DC
• Revenue generating security solutions for SP
• SDN & NFV Infrastructure Security
• Is there “one” solution to tackle security end-to-end at the “speed of the network”? The reality is that each use case is different: technology, people, processes. The key enabler is automation, through the use of SDN, programmability, APIs, NFV…

Related Cisco Live Sessions
• BRKRST-1014 - Introduction to Software-Defined Networking (SDN) and Network Programmability
• BRKSPG-3616 - SDN and NFV for Service Providers
• BRKSDN-2040 - SDN Controllers - A Use Case Driven Approach to the Options
• BRKSDN-2065 - Cisco Virtual Managed Services (vMS)
• BRKSPG-2619 - Cisco Evolved Programmable Networks
• BRKSEC-3010 - Firepower 9300 Deep Dive
• BRKSEC-1205 - Introduction to DC Security
• BRKSDN-1119 - Device Programmability Options with APIs
• BRKSEC-2005 - The Internet of Things: A Double-Edged Sword. How Can You Embrace it Securely?

Where to go next?
• Other complementary security solutions: OpenDNS, Lancope, Cloud Web Services, CliQr
• Demos in the Cisco World of Solutions
• Walk-in Self-Paced Labs
• DevOps & DevNet Sessions
• Meet the Engineer 1:1 Q & A

Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations:
– Directly from your mobile device on the Cisco Live Mobile App
– By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/ciscolivemelbourne2016/
– Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected from Friday 11 March at Registration.
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com

Thanks…
• Session Managers – Robert Page, Usen Tulemisov, Stefan Avgoustakis
• Previous BRKSEC-2760 presenters – Mike Geller, David McGrew, Ken Beck
• Collaborators – Kerry Loveless, Sam Rastogi, Siruo Yu, Mike Geller, Albra Welch Thank you