ask the expert - data center security - session from tuesday - 8
TRANSCRIPT
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Ask the Expert: Future-proofing Data Centre Security
Evelyn de Souza, Data Center Security Solutions Strategist, Security Technology Group
Today’s Objectives
• Discuss data center security expert approaches and recommendations
• Demonstrate how Cisco has applied these strategic approaches to future-proof data center security
• Leverage Cisco data center infrastructure for maximum security responsiveness
Data Center Evolution
Stages, from virtualization to cloud:
• Traditional Data Center
• Virtualized Data Center (VDC)
• Virtualized Desktops; Internal, Private Clouds
• Virtual Private Clouds (VPC)
• Public Clouds
Matching operational steps: Consolidate Assets → Virtualize the Environment → Standardize Operations → Automate Service Delivery
What Leading Data Center Security Experts Predict
END-TO-END ARCHITECTURE
“A comprehensive (virtual edge to data center edge) portfolio, and network management/security integration will make CIOs think long and hard before replacing Cisco with an alternative vendor”
Source: Cisco’s End-to-End Data Center Fabric Announcement: A Winner, October 2011. Jon Oltsik, Senior Principal Analyst, Enterprise Strategy Group
CONTEXT-AWARE AND ADAPTIVE
“Context-aware and adaptive security will be the only way to securely support the dynamic business and IT infrastructures emerging during the next 10 years.”
Source: The Future of Information Security Is Context Aware and Adaptive, September 2012. Neil MacDonald, Vice President, Distinguished Analyst and Gartner Fellow Emeritus
SECURITY INTELLIGENCE TO EFFECTIVELY PRIORITIZE
“Security threat intelligence is growing at a crazy rate. It’s not just about detecting fraud, but can also be used to determine risk for so many aspects of the business operation and to effectively prioritize areas of the business.”
Source: Blog: Leading Women of Datacenter & Cloud: Wendy Nather, 451 Research, October 2012. Wendy Nather, Research Director of Security, 451 Research
(Diagram labels: Visibility, Control)
An End-to-End Architectural Approach
(Diagram; only its labels survive. Legend: Network, Security, Compute.)
• Internet Edge: Nexus 7000 (pair, VDC), ASA 5585-X (pair), vPC
• Core: Nexus 7000 Series
• Distribution: Catalyst 6500 (VSS, vPC); Services: Firewall, ACE, NAM, IPS
• SAN
• Zone / 10G server racks: Nexus 5000, Nexus 2100, vPC
• Unified Compute: Unified Computing System, Nexus 1000V, VSG (multizone), ASA 1000V, vPC
• Unified Access
Building in Contextual Awareness and Security Intelligence
NETWORK: Sees All Traffic, Routes All Requests, Sources All Data, Controls All Flows, Handles All Devices, Touches All Users, Shapes All Streams
Built on the network: Information; Enforcement (Network Enforcement Policy); Common Policy and Management; Global and Local Threat Intelligence
Capabilities: Behavioral Analysis, Encryption, Threat Defense, Access Control, Policy Enforcement, Device Visibility, Identity Awareness
Context-aware and Adaptive Policy Architecture
Security Policy Attributes: WHO, WHAT, WHERE, WHEN, HOW (identity, user and devices, application)
Business-Relevant Policies → Centralized Policy Engine → Dynamic Policy & Enforcement
Security Policy Enforcement: Controls; Monitoring & Reporting
Cloud-based Threat Intelligence (Cisco SIO)
Visibility (inputs): WWW, Email, Web, Devices, IPS, Endpoints, Networks
• 1.6M global sensors
• 75TB data received per day
• 150M+ deployed endpoints
• 35% worldwide email traffic
• 13B web requests
Information (analysis):
• 40+ languages
• 600+ engineers, technicians and researchers
• $100M+ spent in dynamic research and development
• 80+ Ph.D.s, CCIE, CISSP, MCSE
• 24x7x365 operations
Actions (outputs):
• 3 to 5 minute updates
• 5,500+ IPS signatures produced
• 8M+ rules per day
• 200+ parameters tracked
• 70+ publications produced
Control (enforcement points): ESA, ASA, WSA, AnyConnect, CWS, IPS
Outcomes: Zero-day detection, Reputation-based protection, Consistent enforcement
Bringing it All Together to Future-proof your Data Center
(Diagram; only its labels survive.) Tenant 1, Tenant 2 and Tenant 3, each a set of VMs on the Nexus 1000V, with:
• ASA 5585-X (physical firewall appliance)
• ASA 1000V (virtual firewall)
• VSG (Virtual Security Gateway, zone policy between VMs)
• ISE (Identity Services Engine)
• Endpoints
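The policy-architecture slide earlier (WHO / WHAT / WHERE / WHEN / HOW attributes feeding a centralized policy engine, with dynamic enforcement and monitoring & reporting) and the multi-tenant slide just above name the parts of the control loop but not how a decision is reached. The following is an added example, not code from this deck or from Cisco, of a small Python policy engine in that shape: one decision point, first-match rules over the five attributes, a log for reporting, and adaptive re-evaluation of live sessions when a device's posture changes. Everything in it is assumed for illustration: the tenant and zone names, the rules, the 08:00 to 18:00 business-hours window, the posture values, the sample requests, and the cross-tenant default deny (the slide shows per-tenant firewalls but does not state their policy).

```python
# Added example (not from this deck or from Cisco): a small context-aware,
# adaptive policy engine in the shape the slides describe. Tenants, zones,
# rules, the business-hours window and sample requests are all constructed.
from dataclasses import dataclass, field, replace
from datetime import time
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Context:
    who: str        # WHO: identity as an identity service would report it
    what: str       # WHAT: application or service requested
    where_src: str  # WHERE: source "tenant:zone"
    where_dst: str  # WHERE: destination "tenant:zone"
    when: time      # WHEN: time of day of the request
    how: str        # HOW: device posture, "compliant" or "noncompliant"


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Context], bool]
    effect: str     # "allow" or "deny"


def tenant_of(where: str) -> str:
    return where.split(":", 1)[0]


def in_business_hours(t: time) -> bool:
    return time(8, 0) <= t <= time(18, 0)   # assumed window


# Business-relevant policies, evaluated in order; first match wins.
RULES: List[Rule] = [
    # HOW: a non-compliant device is denied whatever else is true.
    Rule("posture-noncompliant", lambda c: c.how != "compliant", "deny"),
    # WHO + WHAT + WHERE + WHEN: finance staff reach payroll in the finance
    # app zone during business hours only.
    Rule("finance-payroll-business-hours",
         lambda c: c.who.startswith("finance/") and c.what == "payroll"
         and c.where_dst == "finance:app" and in_business_hours(c.when), "allow"),
    # WHERE + WHAT: a web zone may call its own tenant's app zone over http.
    Rule("web-to-app-http",
         lambda c: c.what == "http" and c.where_src.endswith(":web")
         and c.where_dst.endswith(":app"), "allow"),
]


@dataclass
class PolicyEngine:
    """Centralized policy engine: one decision point, one audit log."""
    rules: List[Rule]
    log: List[dict] = field(default_factory=list)

    def decide(self, ctx: Context) -> str:
        decision, reason = "deny", "default-deny"
        # Assumed invariant for the multi-tenant design: no flow crosses a
        # tenant boundary, regardless of the rules below.
        if tenant_of(ctx.where_src) != tenant_of(ctx.where_dst):
            reason = "cross-tenant"
        else:
            for rule in self.rules:
                if rule.match(ctx):
                    decision, reason = rule.effect, rule.name
                    break
        self.log.append({"who": ctx.who, "what": ctx.what, "src": ctx.where_src,
                         "dst": ctx.where_dst, "decision": decision, "reason": reason})
        return decision

    def on_posture_change(self, sessions: List[Context], who: str,
                          posture: str) -> Tuple[List[Context], List[Context]]:
        """Adaptive enforcement: a HOW change for one identity updates that
        identity's live sessions and re-evaluates them; returns
        (still_active, revoked)."""
        active, revoked = [], []
        for ctx in sessions:
            if ctx.who == who:
                ctx = replace(ctx, how=posture)
                if self.decide(ctx) == "deny":
                    revoked.append(ctx)
                    continue
            active.append(ctx)
        return active, revoked


def report(log: List[dict]) -> Dict[Tuple[str, str], int]:
    """Monitoring & reporting: decisions counted by (decision, reason)."""
    counts: Dict[Tuple[str, str], int] = {}
    for e in log:
        key = (e["decision"], e["reason"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def demo() -> Tuple[Dict[str, object], List[dict]]:
    """Run constructed sample requests through the engine."""
    engine = PolicyEngine(RULES)
    base = Context("finance/alice", "payroll", "finance:user", "finance:app",
                   time(10, 30), "compliant")
    results: Dict[str, object] = {
        "payroll_ok": engine.decide(base),
        "after_hours": engine.decide(replace(base, when=time(22, 0))),
        "cross_tenant": engine.decide(replace(base, where_dst="hr:app")),
        "bad_device": engine.decide(replace(base, how="noncompliant")),
        "web_to_app": engine.decide(Context("svc/web01", "http", "hr:web", "hr:app",
                                            time(3, 0), "compliant")),
    }
    active, revoked = engine.on_posture_change([base], "finance/alice", "noncompliant")
    results["active"], results["revoked"] = len(active), len(revoked)
    return results, engine.log
```

Calling demo() returns the decision for each constructed request plus the audit log; report() summarizes that log by decision and reason, which is the monitoring-and-reporting view the slide places on the same loop. The ordering is the point worth noticing: the tenant-boundary check and the posture rule run before any allow rule, so no business rule can accidentally grant a cross-tenant or non-compliant flow, and a posture change revokes a session that was legitimately allowed a moment earlier.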
Calls to Action
• Leverage Cisco’s blueprints for an end-to-end security architecture: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns743/ns1050/landing_vmdc.html
• Follow Cisco’s Ask the Data Center Security blogs: http://blogs.cisco.com/author/evelyndesouza/
• Ask your account manager or Cisco reseller partner for a demo