Cisco Secure Datacenter Architecture
Change the equation with Cisco Security

Jamey Heary, Distinguished Systems Engineer

Posted on 20-May-2020

TRANSCRIPT

"In the future, computers may weigh no more than 1.5 tons" – Popular Mechanics, 1949

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Why is our current Security Approach Failing?

It is not a fair fight to begin with

People, Process and Technology Issues
• People are too easy to hack
• So many code vulnerabilities/patches
• Security skillset and training shortage in the workforce

Security Technology Issues
• Lack of true network and security visibility
• Too much focus on prevention "silver bullets"
• Point product overload. Bolt-on security
• Nothing works together! Slow detection, slow response

Simplifying the DC security architecture


Data Center Security Architecture

Three focus areas:
• Threat protection: "Stop the breach"
• Segmentation: "Reduce the attack surface"
• Visibility/Analytics: "See everything"

Threat intelligence - Talos

Intent-based: Automation, Analytics, Orchestration

• Integrated Architecture
• Best of breed Security Portfolio
• Cloud-Delivered Intelligence

Point product approach fails: it takes an integrated architecture

• Threat protection: NGFW/NGIPS, Advanced Malware
• Visibility: Analytics (Stealthwatch/cloud, Tetration)
• Segmentation: Policy and Access (ISE, NGFW, Tetration and ACI)
• Management: CloudCenter, APIC, FMC, Tetration

Integration points between them: pxGrid, Security Group Tag/EPG, APIs, Intel sharing, Automation

Segmentation: Problem?

Cisco Tetration Connection Manager: Automated security policy recommendation

Whitelist policy recommendation
• Identifies application intent
• Generates 4-tuple policies

Step 1: Behavior analysis
• Application conversations
• Conversation details/process bindings

Step 2: Auto-generation of whitelist policies
• Export into Cisco solutions
• Export in JSON, XML and YAML
• Import into ACI, ASA and NGFW

Automated policy discovery, audit and enforcement

ASA
• Zero Trust Enforcement

Tetration
• Tetration policy conversion to ASA firewall
• Lifecycle management of ACLs
• Audit of ACLs

Demo
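The two Tetration slides above describe one pipeline: observe application conversations, collapse them into 4-tuple whitelist rules with a default deny, export the result for a firewall, and then audit the firewall's existing ACLs against what the traffic actually supports. The script below is an added example written for this page; it is not Tetration code, and the JSON layout, the endpoint-group membership, the `min_flows` support threshold and the sample flow records are all constructed assumptions rather than the product's export format or its clustering algorithm.

```python
"""Derive a 4-tuple allow-list from observed application conversations and
audit an existing ACL against it.

Added illustration, not Tetration code or its export format: the flow
records, group membership and ACL below are constructed sample data.
"""
import json
from collections import defaultdict

# Constructed sample of observed conversations (the "application
# conversations" with process bindings from the behaviour-analysis step).
OBSERVED_FLOWS = [
    {"src": "10.1.1.10", "dst": "10.1.2.20", "proto": "tcp", "dport": 3306, "proc": "mysqld"},
    {"src": "10.1.1.11", "dst": "10.1.2.20", "proto": "tcp", "dport": 3306, "proc": "mysqld"},
    {"src": "10.1.1.10", "dst": "10.1.2.21", "proto": "tcp", "dport": 3306, "proc": "mysqld"},
    {"src": "10.1.0.5", "dst": "10.1.1.10", "proto": "tcp", "dport": 443, "proc": "nginx"},
    {"src": "10.1.0.5", "dst": "10.1.1.11", "proto": "tcp", "dport": 443, "proc": "nginx"},
    # A single one-off SSH session into a DB host from an unclassified address:
    # it falls below the support threshold and must not become a permanent rule.
    {"src": "10.1.0.99", "dst": "10.1.2.20", "proto": "tcp", "dport": 22, "proc": "sshd"},
]

# Assumed endpoint-group membership; a real behaviour-analysis step would
# cluster hosts into these groups from the conversations themselves.
GROUPS = {
    "web": {"10.1.1.10", "10.1.1.11"},
    "db": {"10.1.2.20", "10.1.2.21"},
    "lb": {"10.1.0.5"},
}


def group_of(ip):
    """Map an address to its endpoint group; anything unclassified is 'unknown'."""
    for name, members in GROUPS.items():
        if ip in members:
            return name
    return "unknown"


def recommend_policy(flows, min_flows=2):
    """Steps 1 and 2: collapse flows into (src_group, dst_group, proto, dport)
    4-tuples, count the conversations supporting each, and keep only tuples
    seen at least min_flows times so a stray connection is not whitelisted."""
    support = defaultdict(int)
    for f in flows:
        key = (group_of(f["src"]), group_of(f["dst"]), f["proto"], f["dport"])
        support[key] += 1
    return [
        {"src_group": s, "dst_group": d, "proto": p, "dport": port,
         "action": "allow", "flows": n}
        for (s, d, p, port), n in sorted(support.items())
        if n >= min_flows
    ]


def export_json(policy):
    """Export the recommendation as JSON (constructed layout, not a vendor schema).
    Everything not listed is denied, which is what makes this a whitelist."""
    return json.dumps({"whitelist": policy, "default": "deny"}, indent=2)


def audit_acl(acl, policy):
    """ACL lifecycle/audit: report entries no longer backed by observed traffic
    (candidates for removal) and recommended rules the ACL does not yet carry."""
    wanted = {(r["src_group"], r["dst_group"], r["proto"], r["dport"]) for r in policy}
    have = {(a["src_group"], a["dst_group"], a["proto"], a["dport"]) for a in acl}
    return {"stale": sorted(have - wanted), "missing": sorted(wanted - have)}


# Constructed existing firewall ACL, including a legacy rule nothing uses any more.
EXISTING_ACL = [
    {"src_group": "web", "dst_group": "db", "proto": "tcp", "dport": 3306},
    {"src_group": "web", "dst_group": "db", "proto": "tcp", "dport": 1433},
]

if __name__ == "__main__":
    recommended = recommend_policy(OBSERVED_FLOWS)
    print(export_json(recommended))
    print(audit_acl(EXISTING_ACL, recommended))
```

The support threshold is the design choice worth noticing: an allow-list learned from traffic only reduces the attack surface if the learning window cannot be polluted by a handful of accidental or attacker-generated connections, so a rule needs repeated evidence before it is emitted, and the one-off SSH flow is left for a human to classify. The audit output is what "lifecycle management of ACLs" looks like in practice: the stale 1433 entry is reported for removal and the load-balancer-to-web rule is flagged as missing from the firewall.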

[Diagram: Integrated segmentation across Campus and DC Perimeter, with NGFW, ACI and Tetration enforcing policy between a Web Endpoint Group and a DB Endpoint Group]

Industry leading NGFW performance: competitive comparison, key differentiators

                                   Cisco            Palo Alto    Fortinet     CheckPoint
                                   FP9300-3xSM44    PA-7050      FG-7060E     CP61000
FW data sheet                      234G             120G         630G         400G
FW+AVC+NGIPS (NGFW) – NSS Labs     133G             42G          100G         70G
Rack units                         3                9            8            15
40G actual speed                   40G              16G          10G          10G*

[Diagram: Data center security working together - CloudCenter, Tetration, ISE, AMP, FMC Manager and FTD, with Tetration sensors on the App and DB EPGs and AMP covering external and internal traffic]

Simplifying Security Orchestration

CloudCenter
• Automated workload deployment
• Hybrid Cloud

ACI
• Deploy EPG and contract
• Deploy service graph (FW & IPS)

Security Solutions
• Deploy AMP for Endpoints
• Deploy Tetration Software Sensor
• ISE to ASA Firewall SGT

Demo

ACI Extensions to Multi-Cloud

ACI Multi-Site Appliance spanning Site A, Site B, Site C and Site D (VMs at each site)
• Consistent Network and Policy across clouds
• Seamless Workload Migration
• Single Point of Orchestration
• Secure Automated Connectivity

Advanced Threat Protection


Segment data center architecture

Applications and services: mitigating threats, risks and vulnerabilities

Zones: Users zone | Server zone 1 | Server zone 2 | Outside world / business partners (behind the perimeter firewall)

Cisco Advanced Threat solutions (Integrated)

NGFW
• Context rich
• Stop command and control, security intelligence blacklists
• Application control

NGIPS
• Protection against exploitation of app vulnerabilities
• Impact-assessment and IoC
• Auto-tuning of policy

AMP
• File based malware protection
• Sandboxing to find zero-day
• Retrospective remediation of malware

Rapid threat containment with ACI micro-segmentation

NGFW/NGIPS
• Indicators of compromise
• Rapid threat containment

ACI
• Micro-segmentation/uEPG
• Automation NGFW to APIC

AMP
• Network AMP
• Malware protection – from network, to endpoint, to cloud

Demo

Visibility and Analytics


Greater visibility and security together: Cisco Tetration and Stealthwatch

• Application traffic modeling & visibility
• Access control policy and audit
• Threat detection and hunting
• Anomalous behavior
• ISE Context & Visibility

Summary


In summary… Cisco Data Center Security

Visibility/Analytics "See Everything"
Complete visibility of users, devices, networks, applications, workloads and processes

Threat protection "Stop the Breach"
Quickly detect, block, and respond to attacks before hackers can steal data or disrupt operations

Segmentation "Reduce the Attack Surface"
Prevent attackers from moving laterally east-west with application whitelisting and micro-segmentation

Questions?

Changing the Equation with Cisco Security