
Post on 14-Apr-2018


BRKSEC-2346

Inside The ScanSafe Architecture: Session Overview

Follow us on Twitter for real time updates of the event:

@ciscoliveeurope, #CLEUR

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2346 2

Housekeeping

We value your feedback: don't forget to complete your online session evaluations after each session and the Overall Conference Evaluation, which will be available online from Thursday

Visit the World of Solutions and Meet the Engineer

Visit the Cisco Store to purchase your recommended readings

Please switch off your mobile phones

After the event don’t forget to visit Cisco Live Virtual: www.ciscolivevirtual.com



Abstract

This intermediate-level technical summary covers what it takes to build and deploy a managed SaaS security service on a global scale. As an introduction we will understand what the ScanSafe Web Security Service is, how it works and the benefits a global cloud service gives any organisation. We will then look at where ScanSafe started and the history behind some of the early technology deployed along the way, with some of the lessons learnt early on which allowed us to shape our architecture into what it is today. We will then explore major aspects of our service, including how we build our networks, our data warehouses and our software, and how we use these platforms and technologies to deliver the service. We will also look at how we monitor, deploy and manage the service day to day using specialised tools and utilities which help us maintain our high-uptime SLAs and availability. The final part of the summary will review where the future of the ScanSafe service fits in with other Cisco security products like AnyConnect and ISR routers to create an easily deployable architecture controlled by one policy engine, ensuring a consistent user experience anywhere in the world, plus a look at where the ScanSafe platform is heading from an architecture perspective over the next 12-36 months. The target audience is solution architects or engineers familiar with operating systems, networks, databases, software delivery, monitoring and anything else cloud based.


Solution Overview


Introducing ScanSafe

Product

- Pioneer in SaaS Web Security

- Billions of Web requests scanned every day

- Zero-hour threat protection

Infrastructure

- Proven reliability, global footprint

- 100% uptime in 8 years

- Multi-tenant infrastructure

- On-demand capacity

Overview Customers

Awards

Partners


Secure Web Gateway: What’s in it?

Subscription-based Security Services

Web Proxy

Authentication / Identity

Caching

Logging

Management & Reporting

Data Loss Prevention

Application Visibility & Control

URL Filtering

Anti-Malware

Policy Engine

VM / Software Cloud Appliance


ScanSafe’s Architecture

Cloud Infrastructure

Roaming User

Home Office

Corporate Office

Branch Office

Internet


Typical Deployment

Identification & Authentication

AD Light-weight agent or existing proxy

Via user’s login script or browser-based

Note: ISR G2 deployment will be covered separately

Cloud-based Secure Web gateway

Web User Firewall

Internet

More details in the session: BRKSEC-2101 Deploying Web Security


Infrastructure Overview

Two main components of the datacenter architecture

Scanning towers

- Scan and process the internet traffic

- Scanning towers geographically distributed

- Scanning towers = low latency

Core

- Data warehouse hub for logging

- Core datacenter in London

- Core = high performance


DataCenter Architecture: Hub-and-Spoke

Core

Scanning towers


DataCenter Footprint


ScanSafe Technology


Vital Statistics

21 locations

2600+ servers

569+ switches

227+ firewalls

122 gigabits/sec peak traffic

3.5 billion requests per day

Support team of 8 (4 x SysAdmin, 2 x NetOPS, 2 x DBAs)


People + Technology + Process


The ScanSafe Infrastructure


ScanSafe Tower Concept

Diagram: ScanSafe tower concept, labelled A and B, with the proxy hostnames proxy123.scansafe.net, proxy124.scansafe.net, proxy125.scansafe.net and proxy126.scansafe.net and server slots numbered 01 to 32.


ScanSafe Tower

Dell Blades

Console


ScanSafe Tower

Dell Blades

Redundant Power Distribution

3560G – Core Switch

ASA 55xx – Access Firewall

ACE 4710 – Load Balancer

2960G – Access Switch


Moore’s Law


Moore’s Law

vs

Web 2.0


Scanlets


Outbreak Intelligence Algorithm

Database of traffic covering almost 2% of all business traffic: statistically significant

- All AV engines are publicly available

- Bad guys can reverse engineer signatures to work around them

- Cisco data-mines the traffic to identify the holes in the AV

- We use active learning to highlight false negatives

Pragmatically tune our scanlets to catch the false negatives

- Phase in/out scanlets based on malware trends

Statistical Model

- Parse files and identify features that indicate malware traffic

- Percentage of PDFs with no word count + JavaScript tag

- Once you identify this traffic, train the algorithm with good and bad examples
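The statistical model described on this slide, as an added example that is not ScanSafe code: a toy "scanlet" that pulls a few structural features out of raw PDF bytes (the slide's own feature, JavaScript present with no text to read, among them), trains a Bernoulli naive Bayes classifier on labelled good and bad samples, and then lists the documents a signature engine passed as clean but the model flags, which is where the slide says new scanlets get phased in. The feature names, the byte patterns, the sample documents and the AV verdicts are all constructed for illustration.

```python
# Added example (not ScanSafe code): a toy "scanlet" built on the statistical
# model the slide describes. Feature names, patterns and samples are constructed.
import math
import re
from collections import defaultdict

# Marker-based feature detectors (assumption: a real scanlet parses the PDF
# object graph; searching the raw bytes is enough to show the idea).
FEATURES = {
    "has_javascript": re.compile(rb"/JavaScript|/JS\b"),
    "has_openaction": re.compile(rb"/OpenAction"),      # action that runs on open
    "has_text": re.compile(rb"\bT[jJ]\b"),               # text-showing operators
    "has_pages": re.compile(rb"/Type\s*/Pages?\b"),
}


def extract_features(pdf_bytes: bytes) -> dict:
    """Return a dict of boolean features for one document."""
    feats = {name: bool(rx.search(pdf_bytes)) for name, rx in FEATURES.items()}
    # The combination the slide calls out: JavaScript present, nothing to read.
    feats["js_without_text"] = feats["has_javascript"] and not feats["has_text"]
    return feats


class BernoulliNB:
    """Naive Bayes over boolean features with Laplace smoothing."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha
        self.class_count = defaultdict(int)
        self.feature_count = defaultdict(lambda: defaultdict(int))
        self.features = set()

    def train(self, samples):
        # samples: iterable of (feature dict, label)
        for feats, label in samples:
            self.class_count[label] += 1
            for name, on in feats.items():
                self.features.add(name)
                if on:
                    self.feature_count[label][name] += 1

    def log_scores(self, feats) -> dict:
        total = sum(self.class_count.values())
        scores = {}
        for label, n in self.class_count.items():
            logp = math.log(n / total)
            for name in self.features:
                p_on = (self.feature_count[label][name] + self.alpha) / (n + 2 * self.alpha)
                logp += math.log(p_on if feats.get(name) else 1.0 - p_on)
            scores[label] = logp
        return scores

    def predict(self, feats) -> str:
        scores = self.log_scores(feats)
        return max(scores, key=scores.get)


# Constructed training corpus (not real traffic). Benign documents render text
# (one of them also carries harmless JavaScript); the malicious ones carry an
# auto-run JavaScript action and nothing to read.
BENIGN = [
    b"%PDF-1.4 1 0 obj << /Type /Catalog >> 2 0 obj << /Type /Page >> BT (Annual report) Tj ET",
    b"%PDF-1.5 1 0 obj << /Type /Pages >> 2 0 obj << /Type /Page >> BT [(Invoice) -250 (2012)] TJ ET",
    b"%PDF-1.4 1 0 obj << /Type /Page >> 2 0 obj << /S /JavaScript /JS (this.print()) >> BT (Form) Tj ET",
    b"%PDF-1.4 1 0 obj << /Type /Pages >> BT (Minutes of meeting) Tj ET",
]
MALICIOUS = [
    b"%PDF-1.4 1 0 obj << /Type /Catalog /OpenAction 2 0 R >> 2 0 obj << /S /JavaScript /JS (app.setTimeOut()) >>",
    b"%PDF-1.6 1 0 obj << /OpenAction << /S /JavaScript /JS (x) >> >>",
    b"%PDF-1.4 1 0 obj << /Type /Page >> 2 0 obj << /S /JavaScript /JS (y) /OpenAction 3 0 R >>",
    b"%PDF-1.3 1 0 obj << /Names << /JavaScript 2 0 R >> >> 2 0 obj << /JS (z) >>",
]


def build_model() -> BernoulliNB:
    model = BernoulliNB()
    model.train([(extract_features(d), "benign") for d in BENIGN]
                + [(extract_features(d), "malicious") for d in MALICIOUS])
    return model


def classify(pdf_bytes: bytes, model: BernoulliNB) -> str:
    return model.predict(extract_features(pdf_bytes))


def av_false_negatives(documents, av_verdicts, model) -> list:
    """Indexes of documents the AV engine passed as clean but the model flags:
    the candidates to review and, if confirmed, to phase a new scanlet in on."""
    return [i for i, (doc, verdict) in enumerate(zip(documents, av_verdicts))
            if verdict == "clean" and classify(doc, model) == "malicious"]


if __name__ == "__main__":
    m = build_model()
    for doc in BENIGN[:1] + MALICIOUS[:1]:
        print(classify(doc, m), extract_features(doc))
```

The model is deliberately tiny: with four features and eight samples it only shows the shape of the pipeline (feature extraction, training on labelled examples, comparison against the signature verdict). In practice the value comes from the 2% traffic sample the slide mentions, which supplies enough documents for the feature rates to be statistically meaningful.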


Performance Optimisation (Latency)

• Geographical proximity

• Peering with T1 providers

• Optimisation for parallel scanning

• Highly tuned network stack

• Simplified architecture


Telemetry


Datawarehouse


People + Technology + Process


Rotational Staffing Model

Problems: Root cause investigation and resolution

Deployments (x2 weeks): Scheduled rollout of new/upgraded applications or hosts

P3+4 Service Requests: Standard work requests, individually prioritised

Pages & P1+2 Incidents: Incidents/SRs which require urgent attention

Engineer 1, Engineer 2, Engineer 3, Engineer 4 (rotating across the four roles above)

Projects: Continual technology improvement & personal development (Engineer)


Continual change

Beta flag control

DevOps iteration

Agile Software Deployments

Tightly controlled continual change


Security Architecture


ScanSafe Security Architecture

Physical Security

Utilization of high security facilities with biometric access control, stringent change control and authorized access approval.

Only a small number of trusted, dedicated hands are allowed access to, and control of, hardware/inventory globally

Application Security

Customer administration is provided via a secure web portal

Each administrative account is accessed via a unique username/password and the entire session is encrypted using SSL.


ScanSafe Security Architecture

Data Security

A dedicated Data Team manages and supports the associated data; data is accessed only through this team

Data replicated locally and off-site in separate datacenters for DR/replication purposes

Logical Security

Dedicated Operations Team sandboxed from corporate networks for administration of the service

Use of best practice procedures and tools following ITIL workflows ensuring secure access to systems

Centralized auditing and monitoring solutions to ensure protection and delivery of service


Security


Security Incident Response

Diagram: Security Incident Response flow. Stages: Event, CSIRT Monitoring, CSIRT Investigations, ScanSafe. Classifications: False Positive, Suspected Breach, Policy Violation. Actions: Analyze / Investigate + forensics, Analyze / Investigate, Mitigate, Remediate, Resolve, Provide Feedback, After-Action Review.


Distributed Denial of Service – Real Experience

Detected as slowdown of single tower throughput

Huge spike in TCP connections to the proxies' outbound IP address

Caused CPU spike and increased session count on ASA

Changed outbound proxy IP and routed traffic to Null0

Total incident duration of less than 20 minutes

CPU was consumed by syslogging; implemented rate limiting
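Two defender-side checks drawn from this incident, as an added example that is not ScanSafe tooling: a spike detector that compares the number of new TCP connections toward one address against a rolling per-address baseline (and keeps the anomalous minutes out of that baseline, so the flood does not become the new normal), and a token-bucket rate limiter for the alert/syslog stream, so that logging the flood does not itself eat the CPU the way the slide describes. The per-minute record format, the addresses (RFC 5737 documentation range), the thresholds and the event bursts are constructed assumptions.

```python
# Added example (not ScanSafe tooling): spike detection against a rolling
# baseline plus syslog rate limiting. Records, addresses and thresholds are
# constructed assumptions.
from collections import defaultdict, deque
from statistics import median

# Constructed per-minute counters: (minute, dst_ip, new_tcp_connections).
# 203.0.113.10 stands in for a tower's outbound proxy IP and is flooded
# from minute 10; 203.0.113.11 is a quiet neighbour.
FLOWS = [
    (0, "203.0.113.10", 1200), (1, "203.0.113.10", 1250), (2, "203.0.113.10", 1180),
    (3, "203.0.113.10", 1300), (4, "203.0.113.10", 1220), (5, "203.0.113.10", 1210),
    (6, "203.0.113.10", 1190), (7, "203.0.113.10", 1240), (8, "203.0.113.10", 1260),
    (9, "203.0.113.10", 1230), (10, "203.0.113.10", 48000), (11, "203.0.113.10", 52000),
] + [(m, "203.0.113.11", 900 + (m % 3) * 10) for m in range(12)]


class SpikeDetector:
    """Per-address rolling baseline (median of the last `window` normal minutes)."""

    def __init__(self, window=10, factor=5.0, floor=1000, warmup=3):
        self.factor = factor      # alert when count > factor * baseline ...
        self.floor = floor        # ... and also above an absolute minimum
        self.warmup = warmup      # minutes of history needed before judging
        self.history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, minute, ip, count):
        hist = self.history[ip]
        if len(hist) >= self.warmup:
            baseline = median(hist)
            if count > max(self.floor, self.factor * baseline):
                # Anomalous minute: report it and keep it out of the baseline.
                return (minute, ip, count, baseline)
        hist.append(count)
        return None


def run_detection(flows, **kwargs):
    """Replay counters in time order; returns a list of (minute, ip, count, baseline)."""
    det = SpikeDetector(**kwargs)
    alerts = []
    for minute, ip, count in sorted(flows):
        alert = det.observe(minute, ip, count)
        if alert:
            alerts.append(alert)
    return alerts


class TokenBucket:
    """Allow `rate` messages per second with bursts up to `capacity`.
    Time is an integer second counter so the arithmetic stays exact."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, 0
        self.sent = self.dropped = 0

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            self.sent += 1
            return True
        self.dropped += 1
        return False


def limit_burst(event_times, rate, capacity):
    """Feed syslog events (arrival second of each) through the limiter;
    returns (sent, dropped)."""
    bucket = TokenBucket(rate, capacity)
    for t in event_times:
        bucket.allow(t)
    return bucket.sent, bucket.dropped


if __name__ == "__main__":
    for minute, ip, count, base in run_detection(FLOWS):
        print(f"minute {minute}: {count} new connections to {ip} (baseline {base:.0f})")
    print("200 events in one second at 10/s, burst 20 ->", limit_burst([0] * 200, 10, 20))
```

With the constructed data the detector fires at minutes 10 and 11 for the flooded address only, against a baseline of 1225 connections per minute, and the limiter lets 20 of a 200-message burst through, which is the behaviour the slide's "implemented rate limiting" lesson is after: the alert still arrives, the flood of repeats does not.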


Operational Tools


ZenOSS


Puppet, Cacti


Autodeployer


Infrastructure Future Plans


DataCenter IPv6 migration

Diagram: migration in two phases (Phase I, Phase II). Each phase shows an IPv6 host reaching ScanSafe through an Internet connector; labels: IPv6, IPv4, Internal IPv6.


IPv6 Addressing


IPv6 Issues

Network-level IPv6 is generally healthy

Routing table capacity & disagreement on subnetting

AAAA records – lots of broken DNS servers

Routing optimisation – rebuilding the internet

Difficult to find subject matter experts


Future Developments

IPv6

Cisco-on-Cisco (UCS)

Virtualisation

Local core: Partitioned data storage and portal by region – Americas, EMEAR and APAC

Simplification


Capacity & Future Plans


Capacity Management

Bandwidth capacity in the datacenters is actively managed – transparent to end users

Scale through hardware

Monitor trends and events to forecast usage spikes


Royal Wedding in the UK

Frankfurt +70% over typical


Andy Murray at Wimbledon

London +80% over typical


Cisco Integration


ScanSafe Deployment Vision

Cisco-on-Cisco

Diagram: locations (Home Office, Coffee Shop, Mobile User, Branch Office, Corporate Office / HQ) reaching the cloud service through AnyConnect, ASA or ISR G2, or WSA.

Easy to deploy; Customer choice; Centralized management and reporting


ISR G2 with ScanSafe


ISR G2 with ScanSafe: Functionality

The connector will be available in IOS (universal) images with security feature set (SEC) licenses.

Supported on the 880, 890, 19XX, 29XX and 39XX/E ISR G2 platforms.

Supports re-direction of HTTP/HTTPS traffic.

No need for client or agent software (Anywhere+ or AnyConnect) to be installed on each laptop or desktop

No HTTP proxy settings changes for the web browsers running at the end-points.

Supports Single Sign-on based identity with LDAP and AD sync.

User provisioning is configured using the ScanCenter Web Portal; reporting covers accesses allowed or denied per user or group, etc.

The ISR connector will work independently, with or without IOS security services such as IOS FW, IPS and VPN


Summary

Insight into building and maintaining a robust, scalable and multitenant architecture

Success depends on more than technology – people and processes

Exciting plans for leveraging Cisco technology to grow ScanSafe’s cloud


Questions?

Recommended Reading

Please visit the Cisco Store for suitable reading.


Please complete your Session Survey

Don't forget to complete your online session evaluations after each session.

Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

Surveys can be found on the Attendee Website at www.ciscolivelondon.com/onsite, which can also be accessed through the screens at the Communication Stations

Or use the Cisco Live Mobile App to complete the surveys from your phone; download the app at www.ciscolivelondon.com/connect/mobile/app.html

We value your feedback

http://m.cisco.com/mat/cleu12/

1. Scan the QR code (go to http://tinyurl.com/qrmelist for QR code reader software, or alternatively type in the access URL above)

2. Download the app or access the mobile site

3. Log in to complete and submit the evaluations


Thank you.
