Cisco's Secure Data Center Architecture
TRANSCRIPT
Duc Le, ASEAN DC Technical Solution Architect
Visibility
Threat Protection
Segmentation
76% of the security team's time is spent in the Data Center (Servers 47%, Customer Data 29%, Endpoints 24%)
I’ve already invested in many security vendors …
Reference: http://map.norsecorp.com/
• Attacks are mainly driven by application vulnerabilities, not the network
• In most cases the port will be legitimately open
• Apache Struts?
• What about attacks coming from other workloads on the same hypervisor?
• Spectre / Meltdown?
• Hybrid cloud environment – how do you protect your workload?
• Container environment – how does it scale?
Where is it coming from?
How can we secure our workload?
Cisco Data Center Security
• ACI
• Tetration
Next-gen Firewall
Threat Protection: Stop the Breach
By strategically deploying threat sensors north-south, east-west
Multi-Layered Threat Sensors: quickly detect, block, and respond dynamically when threats arise to prevent breaches from impacting the business
Next-Gen Firewall with AMP
Next-Gen IPS with AMP
Stealthwatch
Next-Gen Firewall with Radware DDoS
Use Cases & Demos
Visibility
Threat Protection
Segmentation
• Automated, consistent zero-trust policy enforcement for segmentation
• Whitelist policies are kept up to date based on application behavior
• Automatically track policy for compliance
• Run what-if scenarios with live or historical data
• You are alerted to anomalies in app behavior
• Breach detection and custom forensic rules:
  • File access
  • Privilege escalation
  • Shell-code execution
  • Raw sockets
  • Anomalous behavior
• Hash anomaly detection
• Data leak detection
Reduce your attack surface quickly by identifying common vulnerabilities and exposures (CVEs):
• Installed software package tracking
• Tracking CVEs associated with installed software packages
• Identifying the criticality of each vulnerability
• Taking action to restrict access or quarantine workloads
Cisco Tetration platform
• Application communication control
• App behavior and anomaly detection
• Vulnerability detection
Tetration for Policy Creation & Validation: Visibility
Demo 1 - Tetration Application Dependency Mapping & Policy Generation
Segmentation
Purpose of segmentation
[Diagram: an "Evil Genius Hacker Person" moves in numbered steps (1-4) across the data center: VMware, Hyper-V, mainframes, DC firewalls, AWS via DirectConnect, campus and containers; an AWS security group holds struts servers, db servers and a file server.]
Segmenting your network
The Traditional Approach
Gather data -> Analyze the data (100 billion events in 3 months) -> Implement the policy, 1 year later? -> Troubleshooting? Apps change?
• Once apps are defined, global policies are set
• Someone has to test:
  • With live traffic
  • With historical traffic
• It goes without saying, but without creating disruption…
Policy Simulation and Experimentation
Policy Enforcement into switches/FW?
leaf1# show zoning-rule scope VNID-OF-THE-VRF   (e.g. scope 3278749166)
The contract filters are programmed into the policy CAM on the leaf or firewall,
but this CAM is limited in size, and the size differs between switch models.
Policy Enforcement into Cloud?
Application dependency between clouds?
AWS: By default, each security group supports up to 50 rules and each network interface can have up to 5 security groups, for a maximum of 250 rules per interface. If your AWS network is in EC2-Classic, the maximum is 500 security groups in each region for each account.
Network Security Groups (NSG): the default limit is 100 and can be increased up to 400. NSG rules per NSG: the default limit is 200 and can be increased up to 1000.
Firewall rules: the maximum number of stateful connections per VM by default is 130,000.
Policy enforcement
How can we enforce this type of policy in our switches? Which switches can survive it?
How can we maintain these policies consistently across clouds?
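To make those enforcement limits concrete, here is an added example in Python (not from the presentation or any Cisco tool): it takes a constructed per-port whitelist of the kind a flow-based dependency map would emit, collapses contiguous ports into ranges, and reports whether the result fits the AWS limits the slide quotes. The limits are the slide's; the sample rules and the function names are assumptions.

```python
from ipaddress import ip_network

# Limits as stated on the slide for AWS: 50 rules per security group,
# 5 security groups per network interface, 250 rules per interface.
RULES_PER_SG = 50
SGS_PER_INTERFACE = 5
RULES_PER_INTERFACE = RULES_PER_SG * SGS_PER_INTERFACE

# Constructed sample (assumption): one discovered rule per
# (protocol, port, source CIDR), the way per-flow discovery emits them.
SAMPLE_RULES = (
    [("tcp", p, "10.0.1.0/24") for p in range(8080, 8090)]
    + [("tcp", p, "10.0.2.0/24") for p in range(3306, 3309)]
    + [("udp", 53, "10.0.0.0/16")]
)


def coalesce(rules):
    """Merge rules that differ only by consecutive ports into port ranges.

    Returns (proto, first_port, last_port, src) tuples, sorted by key."""
    by_key = {}
    for proto, port, src in rules:
        by_key.setdefault((proto, str(ip_network(src))), set()).add(port)
    merged = []
    for (proto, src), ports in sorted(by_key.items()):
        ports = sorted(ports)
        lo = prev = ports[0]
        for p in ports[1:]:
            if p != prev + 1:          # gap: close the current range
                merged.append((proto, lo, prev, src))
                lo = p
            prev = p
        merged.append((proto, lo, prev, src))
    return merged


def fit_report(rules):
    """Return (rule_count, security_groups_needed, fits_on_one_interface)."""
    n = len(rules)
    sgs = -(-n // RULES_PER_SG)        # ceiling division
    fits = sgs <= SGS_PER_INTERFACE and n <= RULES_PER_INTERFACE
    return n, sgs, fits


if __name__ == "__main__":
    print("raw:      ", fit_report(SAMPLE_RULES))
    print("coalesced:", fit_report(coalesce(SAMPLE_RULES)))
```

The same check can be re-run against the NSG or per-VM limits quoted above by swapping the constants.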
Tetration – Policy Director
The Strategy – Defense in depth
Zone-Based
North-South
[Diagram: an AWS security group containing a struts server and a db server]
Host-Based
NGFW North-South Protection Demo
Automated Policy Discovery, Audit and Enforcement
• Create a segmentation policy based on real application data
• Firewall policy change modeling
• Full policy audit and forensics
• No one else can do this!
• Unique integration between Cisco NGFW (north/south), ACI (fabric), and Tetration (host)
Demo 2 - Tetration Streaming Policy to ASA
Tetration Host-Based Segmentation Demo
Demo 3 - Tetration Host-Based Segmentation
Multi-Cloud, Platform-Agnostic Segmentation and Enforcement
NGFW, Stealthwatch, Tetration, ACI
Threat Protection and Cloud Workload Protection
With the Industry Best Threat Intelligence
Identify advanced threats | Get specific intelligence | Catch stealthy threats | Stay protected with updates
Endpoints
Devices
Networks
NGFW, NGIPS
Web
250+ researchers
24 x 7 x 365 Operations
Security Coverage Research Response
1.5 million daily malware samples
600 billion daily email messages
16 billion daily web requests
Threat Intelligence
[Chart: Stopping the most threats in NSS Labs testing year after year, 2010-2017; Cisco NGFW, NGIPS and Breach Detection (Cisco AMP) plotted against the NGFW and NGIPS test averages, y-axis 82-100%]
Cisco has Industry-Best Threat Protection
The power of Cisco Talos!
98.9% efficacy = 6.8M missed threats/year
Demo 4 - Tetration Cloud Workload Protection
Multi-Cloud Workload Protection
• Multi-layered threat protection quickly stops threats across the network (NGIPS and Network AMP) and servers (AMP for Endpoints)
Multi-Layered Threat Protection
Summary
• Once threats are detected, infected servers and workloads are contained in real time by the segmentation architecture.
• Cisco DC threat protection ensures you will have a lower risk of application compromise and breach