Cisco's Secure Data Center Architecture

Post on 31-Oct-2021

TRANSCRIPT

Duc Le, ASEAN DC Technical Solution Architect

Visibility

Threat Protection

Segmentation

Chart: 76% of the security team's time is spent in the Data Center, split across servers (47%), customer data (29%) and endpoints (24%)

I’ve already invested in many security vendors …

Reference: http://map.norsecorp.com/

• Attacks are mainly driven by application vulnerabilities, not the network

• In most cases the port will be legitimately open

• Apache Struts?

• What about attacks coming from other workloads on the same hypervisor?

• Spectre / Meltdown?

• Hybrid cloud environment – how do you protect your workload?

• Container environments – how does protection scale?

Where is it coming from?

How can we secure our workload?


Cisco Data Center Security

ACI, Tetration

Next-gen Firewall

Threat Protection: Stop the Breach

By strategically deploying threat sensors north-south and east-west

Multi-Layered Threat Sensors: quickly detect, block, and respond dynamically when threats arise to prevent breaches from impacting the business

Next-Gen Firewall with AMP

Next-Gen IPS with AMP

Stealthwatch

Next-Gen Firewall with Radware DDoS

Use Cases & Demos

Visibility

Threat Protection

Segmentation

• Automated, consistent zero-trust policy enforcement for segmentation

• Whitelist policies are kept up to date based on observed application behavior

• Policy is automatically tracked for compliance

• Run what-if scenarios against live or historical data

• You are alerted to anomalies in application behavior

• Breach detection and custom forensic rules:

• File access

• Privilege escalation

• Shellcode execution

• Raw sockets

• Anomalous behavior

• Hash anomaly detection

• Data leak detection

Reduce your attack surface quickly by identifying Common Vulnerabilities and Exposures (CVEs):

• Installed software package tracking

• Tracking CVE associated with installed software packages

• Identify the criticality of vulnerability

• Taking action to restrict access or quarantine workloads
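The four steps above, carried through as an added example (this is not Cisco's or Tetration's code): an inventory of installed packages per workload is matched against a vulnerability feed by version, the hits are ranked by CVSS, and the worst score on each workload decides whether it is restricted or quarantined. The inventory, the package names, the CVE identifiers (CVE-0000-000x) and the scores are constructed for the demo and do not refer to real advisories; the thresholds are assumptions.

```python
"""Match installed packages against a vulnerability feed and pick a response.

Added example (not Cisco's or Tetration's code). Inventory, package
names, CVE identifiers (CVE-0000-000x) and scores are constructed for
the demo and do not refer to real advisories.
"""

# Constructed inventory: workload -> {package: installed version}
INVENTORY = {
    "web-01": {"demo-httpd": "2.4.1", "demo-ssl": "1.0.2"},
    "db-01": {"demo-sql": "10.1.5", "demo-ssl": "1.1.1"},
    "file-01": {"demo-ssl": "1.0.9"},
    "app-01": {"demo-ssl": "1.1.1"},
}

# Constructed feed: versions strictly below `fixed_in` are affected.
CVE_FEED = [
    {"id": "CVE-0000-0001", "package": "demo-httpd", "fixed_in": "2.4.3", "cvss": 9.8},
    {"id": "CVE-0000-0002", "package": "demo-ssl", "fixed_in": "1.1.0", "cvss": 7.5},
    {"id": "CVE-0000-0003", "package": "demo-sql", "fixed_in": "10.2.0", "cvss": 5.3},
]


def parse_version(text):
    """Dotted version string -> tuple of ints, so '10.3.0' sorts after '9.9.9'.

    Plain string comparison gets this wrong ('1' < '9'), a common bug in
    home-grown vulnerability matching.
    """
    return tuple(int(part) for part in text.split("."))


def is_affected(installed, fixed_in):
    """True when the installed version is older than the fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def find_exposures(inventory, feed):
    """Return {workload: [exposure, ...]} sorted by CVSS, highest first."""
    result = {}
    for host, packages in inventory.items():
        hits = []
        for entry in feed:
            version = packages.get(entry["package"])
            if version is not None and is_affected(version, entry["fixed_in"]):
                hits.append({"id": entry["id"], "package": entry["package"],
                             "version": version, "cvss": entry["cvss"]})
        result[host] = sorted(hits, key=lambda h: h["cvss"], reverse=True)
    return result


def decide_actions(exposures, quarantine_at=9.0, restrict_at=7.0):
    """Map the worst CVSS score on each workload to an enforcement action.

    Thresholds are illustrative assumptions; the point is that the
    decision is driven by the most critical exposure, not by the count.
    """
    actions = {}
    for host, hits in exposures.items():
        worst = hits[0]["cvss"] if hits else 0.0
        if worst >= quarantine_at:
            actions[host] = "quarantine"   # isolate the workload entirely
        elif worst >= restrict_at:
            actions[host] = "restrict"     # keep only the whitelisted flows
        elif worst > 0:
            actions[host] = "monitor"
        else:
            actions[host] = "none"
    return actions


if __name__ == "__main__":
    exposures = find_exposures(INVENTORY, CVE_FEED)
    for host, action in decide_actions(exposures).items():
        print(host, action, [h["id"] for h in exposures[host]])
```

The version parser is the part worth keeping: a feed that says "fixed in 10.2.0" must not flag 10.3.0, which string comparison would do.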

Cisco Tetration platform: application communication control, application behavior and anomaly detection, vulnerability detection

Tetration for Policy Creation & Validation, Visibility

Demo 1 - Tetration Application Dependency Mapping & Policy Generation

Segmentation

Purpose of segmentation

Diagram: an attacker ("Evil Genius Hacker Person") pivoting in numbered steps (1 to 4) across an unsegmented estate: VMware, Hyper-V, mainframes, DC firewalls, AWS via DirectConnect, campus, containers, and an AWS security group holding a Struts server, a DB server and a file server

Segmenting your network

The Traditional Approach

Gather data, then analyze the data (100 billion events in 3 months), then implement the policy 1 year later? Then troubleshooting? Apps change? (the "App Guy" is consulted at every step)

• Once apps are defined and global policies are set, someone has to test them

• With live traffic

• With historical traffic

• It goes without saying, but without creating disruption…

Policy Simulation and Experimentation

Policy Enforcement into switches/FW?

leaf1# show zoning-rule scope VNID-OF-THE-VRF

3278749166

The contract filters are programmed into the policy CAM on the leaf (or the FW), but this CAM is limited in size, and the size differs between switch models

Policy Enforcement into Cloud?

Application dependency between clouds?

AWS: by default, each security group supports up to 50 rules and each network interface can have up to 5 security groups, for a maximum of 250 rules per interface. If your AWS network is in EC2-Classic, the maximum is 500 security groups in each region for each account.

Network Security Groups (NSG): default limit is 100, can be increased up to 400. NSG rules per NSG: default limit is 200, can be increased up to 1000.

Firewall rules: maximum number of stateful connections per VM by default is 130,000.

Policy enforcement

How can we enforce these policies in our switches? Which switches can survive it?

How can we maintain these policies consistently across clouds?
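Both questions above, the leaf policy CAM and the cloud security-group limits, come down to a rule budget. The added example below (not Cisco's or Tetration's code) takes the kind of allow-list that application dependency mapping produces, collapses adjacent ports into ranges, and estimates what that policy costs in AWS security-group rules (using the defaults quoted above: 50 rules per group, 5 groups per interface, 250 per interface) and in ACI zoning rules. The flow sample and the tier names are constructed; the "two zoning rules per filter entry" model for ACI is a simplifying assumption, and real limits must be read from the current vendor documentation.

```python
"""Rule-budget check for a discovered whitelist policy.

Added example (not Cisco's or Tetration's code). Flow data and tier
names are constructed; the ACI cost model is a stated simplification.
"""
from collections import defaultdict

# Constructed sample of observed flows: (consumer tier, provider tier, proto, dst port)
FLOWS = [
    ("web", "app", "tcp", 8080),
    ("web", "app", "tcp", 8081),
    ("web", "app", "tcp", 8082),
    ("web", "app", "tcp", 8443),
    ("app", "db", "tcp", 3306),
    ("app", "db", "tcp", 33060),
    ("app", "file", "tcp", 445),
    ("app", "file", "tcp", 2049),
    ("app", "file", "udp", 2049),
    ("monitor", "web", "tcp", 22),
    ("monitor", "app", "tcp", 22),
    ("monitor", "db", "tcp", 22),
    ("monitor", "file", "tcp", 22),
]


def collapse_ports(ports):
    """Merge a set of ports into the fewest contiguous (lo, hi) ranges.

    Security-group rules and ACI filter entries are written per port
    range, so adjacent ports cost one entry instead of several.
    """
    ranges = []
    for port in sorted(set(ports)):
        if ranges and ranges[-1][1] == port - 1:
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges


def build_policy(flows):
    """Turn observed flows into an allow-list keyed by (consumer, provider, proto).

    Each value is the list of port ranges that pair may use; anything not
    listed is denied, which is the whitelist model the slides describe.
    """
    ports = defaultdict(list)
    for consumer, provider, proto, port in flows:
        ports[(consumer, provider, proto)].append(port)
    return {key: collapse_ports(plist) for key, plist in ports.items()}


def aws_sg_rules(policy):
    """Inbound rules per security group, assuming one SG per provider tier.

    An AWS inbound rule is (proto, port range, source); with the consumer's
    SG as the source, each (consumer, proto, range) costs one rule.
    """
    per_sg = defaultdict(int)
    for (consumer, provider, proto), ranges in policy.items():
        per_sg[provider] += len(ranges)
    return dict(per_sg)


def check_aws_budget(policy, rules_per_sg=50, sgs_per_eni=5):
    """Report groups over the per-SG limit and over the per-interface cap."""
    counts = aws_sg_rules(policy)
    cap = rules_per_sg * sgs_per_eni
    return {
        "per_sg": counts,
        "over_sg_limit": sorted(sg for sg, n in counts.items() if n > rules_per_sg),
        "over_eni_cap": sorted(sg for sg, n in counts.items() if n > cap),
    }


def aci_zoning_rules(policy):
    """Zoning rules a leaf would program, under a simplified model.

    Assumption for illustration: each filter entry between a consumer and
    a provider EPG costs two zoning rules (forward and reverse). Real
    counts depend on contract scope and filter options.
    """
    return sum(2 * len(ranges) for ranges in policy.values())


if __name__ == "__main__":
    pol = build_policy(FLOWS)
    print(check_aws_budget(pol))
    print("ACI zoning rules:", aci_zoning_rules(pol))
```

Run the budget check before streaming a policy to a firewall, fabric or cloud account: a tier whose rule count exceeds the limit cannot be enforced there as written and needs coarser ranges or a different enforcement point (for example host-based).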

Tetration – Policy Director

The Strategy – Defense in depth

Diagram: three enforcement layers: zone-based (DC firewalls, north-south), cloud (an AWS security group around the Struts server and DB server), and host-based enforcement on the workload itself

NGFW North-South Protection Demo

Automated Policy Discovery, Audit and Enforcement

• Create a segmentation policy based on real application data

• Firewall policy change modeling

• Full policy audit and forensics

• No one else can do this!

• Unique integration between Cisco NGFW (north/south), ACI (fabric), and Tetration (host)

Demo 2 - Tetration Streaming Policy to ASA

Tetration Host-Based Segmentation Demo

Demo 3 - Tetration Host-Based Segmentation: Multi-Cloud, Platform-Agnostic Segmentation and Enforcement

NGFW, Stealthwatch, Tetration, ACI

Threat Protection and Cloud Workload Protection

With the Industry Best Threat Intelligence

Identify advanced threats, get specific intelligence, catch stealthy threats, stay protected with updates

Coverage: endpoints, devices, networks (NGFW, NGIPS), web

250+ researchers, 24 x 7 x 365 operations

Security coverage, research, response

1.5 million daily malware samples

600 billion daily email messages

16 billion daily web requests

Threat Intelligence

Chart: security effectiveness in NSS Labs testing, 2010 to 2017, for Cisco NGFW, NGIPS and Breach Detection (Cisco AMP) versus the test average (y-axis 82 to 100%)

Stopping the most threats in NSS Labs testing year after year

Cisco has Industry-Best Threat Protection

The power of Cisco Talos!

98.9% efficacy = 6.8M missed threats/year

Demo 4 - Tetration Cloud Workload Protection: Multi-Cloud Workload Protection

• Multi-layered threat protection quickly stops threats across the network (NGIPS and Network AMP) and servers (AMP for Endpoints)

Multi-Layered Threat Protection

Summary

• Once threats are detected, infected servers and workloads are contained in real time by the segmentation architecture

• Cisco DC threat protection reduces the risk of application compromise and of a breach
