Page 1
Cisco Secure Datacenter Architecture
Change the equation with Cisco Security
Jamey Heary, Distinguished Systems Engineer
"In the future, computers may weigh no more than 1.5 tons" – Popular Mechanics, 1949
Page 2
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Why is our current Security Approach Failing?
It is not a fair fight to begin with

People, Process and Technology Issues
• People are too easy to hack
• So many code vulnerabilities/patches

Security Technology Issues
• Lack of true network and security visibility
• Too much focus on prevention “silver bullets”
• Point product overload. Bolt-on security
• Nothing works together!
• Slow detection, slow response
• Security skillset and training shortage in the workforce
Page 3
Simplifying the DC security architecture
Page 4
Data Center Security Architecture
Three focus areas:
• Threat protection: “Stop the breach”
• Segmentation: “Reduce the attack surface”
• Visibility/Analytics: “See everything”
Threat intelligence - Talos
Intent-based: Automation, Analytics, Orchestration
Page 5
Integrated Architecture
Best of breed Security Portfolio
Cloud-Delivered Intelligence
Page 6
Point product approach fails. It takes an integrated architecture
• Threat protection: Advanced Malware, NGFW/NGIPS
• Visibility: Analytics (Stealthwatch/cloud, Tetration)
• Segmentation: Policy and Access (ISE, NGFW, Tetration and ACI)
• Management (CloudCenter, APIC, FMC, Tetration)
Integration points: pxGrid, Security Group Tag/EPG, APIs, Intel sharing, Automation
Page 7
Segmentation Problem?
Page 8
Cisco Tetration Connection Manager: Automated security policy recommendation
Whitelist policy recommendation
• Identifies application intent
• Generates 4 tuple policies
Step 1: Behavior analysis
• Application conversations
• Conversation details/process bindings
Page 9
Cisco Tetration Connection Manager: Automated security policy recommendation
Step 2: Auto-generation of whitelist policies
Export into Cisco solutions
• Export in JSON, XML and YAML
• Import into ACI, ASA and NGFW
Page 10
Automated policy discovery, audit and enforcement
Tetration
• Zero Trust Enforcement
ASA
• Tetration policy conversion to ASA firewall
• Lifecycle management of ACLs
• Audit of ACLs
Demo
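As an added illustration of the workflow on slides 8 to 10 (not Tetration or Cisco code), the Python below collapses constructed host-level conversations into group-level 4-tuple allow rules, exports them as JSON, renders ACL-style lines and audits an existing ACL for unused permits and uncovered conversations; the host-to-group mapping, the policy schema and the ACL line syntax are assumptions of this example.

```python
"""Added example (not Tetration/Cisco code): derive 4-tuple allow-list
policies from observed application conversations, then audit an existing
ACL against them. Formats and sample data are constructed for illustration."""
import json
from collections import Counter

# Constructed sample of observed conversations:
# (consumer_host, provider_host, protocol, provider_port).
OBSERVED_FLOWS = [
    ("web-01", "db-01", "tcp", 3306),
    ("web-02", "db-01", "tcp", 3306),
    ("web-01", "db-01", "tcp", 3306),
    ("app-01", "web-01", "tcp", 443),
    ("mon-01", "db-01", "tcp", 22),
]

# Constructed host-to-group mapping (what a workload inventory would supply).
GROUPS = {"web-01": "Web", "web-02": "Web", "db-01": "DB",
          "app-01": "App", "mon-01": "Mgmt"}

def recommend_policy(flows, groups, min_count=1):
    """Step 1 + 2: collapse host-level conversations into group-level 4-tuple
    allow rules with hit counts; min_count drops one-off conversations that
    may be noise rather than application intent."""
    seen = Counter((groups[src], groups[dst], proto, port)
                   for src, dst, proto, port in flows)
    rules = [{"consumer": c, "provider": p, "proto": pr, "port": po, "hits": n}
             for (c, p, pr, po), n in sorted(seen.items()) if n >= min_count]
    return {"default": "deny", "rules": rules}

def export_json(policy):
    """Export the recommended allow-list as JSON (assumed schema)."""
    return json.dumps(policy, indent=2)

def to_acl_lines(policy):
    """Render rules as ACL-style lines (illustrative syntax, not ASA's exact
    grammar), followed by the explicit default deny."""
    lines = [f"permit {r['proto']} {r['consumer']} {r['provider']} eq {r['port']}"
             for r in policy["rules"]]
    return lines + ["deny ip any any"]

def audit_acl(existing_acl, policy):
    """Audit: permits with no observed traffic are candidates for removal;
    observed conversations with no permit are gaps the ACL would block."""
    recommended = set(to_acl_lines(policy)[:-1])
    existing = set(existing_acl)
    return {"unused": sorted(existing - recommended),
            "uncovered": sorted(recommended - existing)}
```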
Page 11

Page 12
Integrated
Diagram: NGFW, ACI and Tetration across the Campus, DC Perimeter, Web Endpoint Group and DB Endpoint Group.
Page 13
Industry leading NGFW performance
Competitive comparison: Key differentiators

| | Cisco FP9300-3xSM44 | Palo Alto PA-7050 | Fortinet FG-7060E | CheckPoint CP61000 |
|---|---|---|---|---|
| FW data sheet | 234G | 120G | 630G | 400G |
| FW+AVC+NGIPS (NGFW) – NSS Labs | 133G | 42G | 100G | 70G |
| Rack units | 3 | 9 | 8 | 15 |
| 40G actual speed | 40G | 16G | 10G | 10G* |
Page 14
Data center security working together
Diagram: CloudCenter, Tetration, ISE, AMP, FMC Manager, FTD, External/Internal, App EPG and DB EPG with Tetration sensors.
Page 15
Simplifying Security Orchestration
CloudCenter
• Automated workload deployment
• Hybrid Cloud
ACI
• Deploy EPG and contract
• Deploy service graph (FW & IPS)
Security Solutions
• Deploy AMP for Endpoints
• Deploy Tetration Software Sensor
• ISE to ASA Firewall SGT
Demo
Page 16

Page 17
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
ACI Extensions to Multi-Cloud
ACI Multi-Site Appliance
• Consistent Network and Policy across clouds
• Seamless Workload Migration
• Single Point of Orchestration
• Secure Automated Connectivity
Diagram: VMs at Site A, Site B, Site C and Site D.
Page 18
Advanced Threat Protection
Page 19
Segment data center architecture
Applications and services: Mitigating threats, risks and vulnerabilities
Zones: Users zone, Server zone 1, Server zone 2, Outside world / business partners, behind a Perimeter firewall
Page 20
Cisco Advanced Threat solutions
NGFW
• Context rich
• Stop command and control, security intelligence blacklists
• Application control
NGIPS
• Protection against exploitation of app vulnerabilities
• Impact-assessment and IoC
• Auto-tuning of policy
AMP
• File based malware protection
• Sandboxing to find zero-day
• Retrospective remediation of malware
Integrated
Page 21
Rapid threat containment with ACI micro-segmentation
NGFW/NGIPS
• Indicators of compromise
• Rapid threat containment
ACI
• Micro-segmentation/uEPG
• Automation NGFW to APIC
AMP
• Network AMP
• Malware protection – from network, to endpoint, to cloud
Demo
Page 22

Page 23
Visibility and Analytics
Page 24
Greater visibility and security together: Cisco Tetration and Stealthwatch
• Application traffic modeling & visibility
• Access control policy and audit
• Threat detection and hunting
• Anomalous behavior
• ISE Context & Visibility
Page 25
Summary
Page 26
In summary… Cisco Data Center Security
• Visibility/Analytics, “See Everything”: Complete visibility of users, devices, networks, applications, workloads and processes
• Threat protection, “Stop the Breach”: Quickly detect, block, and respond to attacks before hackers can steal data or disrupt operations
• Segmentation, “Reduce the Attack Surface”: Prevent attackers from moving laterally east-west with application whitelisting and micro-segmentation
Page 27
Questions?
Changing the Equation with Cisco Security