Cisco's Secure Data Center Architecture
Duc Le, ASEAN DC Technical Solution Architect
Visibility
Threat Protection
Segmentation
76% of the security team's time is spent in the Data Center
47% Servers
29% Customer Data
24% Endpoints
I’ve already invested in many security vendors …
Where is it coming from?
• Attacks are mainly driven by application vulnerabilities, not the network
• In most cases the port will be legitimately open
• Apache Struts?
• What about attacks coming from other workloads on the same hypervisor?
• Spectre / Meltdown?
• Hybrid Cloud environment – How to protect your workload?
• Containers environment – scale?
How can we secure our workload?
Cisco Data Center Security
Threat Protection: Stop the Breach
By strategically deploying threat sensors north-south and east-west
Multi-Layered Threat Sensors: quickly detect, block, and respond dynamically when threats arise to prevent breaches from impacting the business
ACI, Tetration, Next-gen Firewall
Next-Gen Firewall with AMP
Next-Gen IPS with AMP
Stealthwatch
Next-Gen Firewall with Radware DDoS
Use Cases & Demos
Visibility
Threat Protection
Segmentation
Cisco Tetration platform
Application communication control
• Automated zero-trust, consistent policy enforcement for segmentation
• Whitelist policies are kept up to date based on application behavior
• Automatically track policy for compliance
• Run what-if scenarios with live or old data
App behavior and anomaly detection
• You are alerted to anomalies in app behavior
• Breach detection and custom forensic rules:
  • File access
  • Privilege escalation
  • Shell-code execution
  • Raw sockets
  • Anomalous behavior
  • Hash anomaly detection
  • Data leak detection
Vulnerability detection
Reduce your attack surface quickly by identifying common vulnerabilities and exposures through:
• Installed software package tracking
• Tracking CVEs associated with installed software packages
• Identifying the criticality of each vulnerability
• Taking action to restrict access or quarantine workloads
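The forensic rule categories listed above (privilege escalation, raw sockets, sensitive file access, hash anomaly) as a small rule engine run over host telemetry. This is an added example, not Tetration's or Cisco's code; the event layout, field names, known-good hash table and the sample events are all constructed for illustration.

```python
from typing import Callable, Dict, List

# Constructed known-good hashes per executable path (placeholder values).
KNOWN_GOOD_HASHES = {"/usr/sbin/sshd": "sha256:aaaa", "/usr/bin/python3": "sha256:bbbb"}
SENSITIVE_PATHS = ("/etc/shadow", "/root/.ssh/")
EXPECTED_SETUID = ("/usr/bin/sudo", "/usr/bin/su")

def priv_escalation(ev: Dict) -> bool:
    """Non-root parent spawned a root child without going through an expected setuid binary."""
    return (ev["type"] == "process" and ev["parent_uid"] != 0 and ev["uid"] == 0
            and ev["exe"] not in EXPECTED_SETUID)

def raw_socket(ev: Dict) -> bool:
    """A process opened a raw socket, which ordinary application code rarely needs."""
    return ev["type"] == "socket" and ev["sock_type"] == "SOCK_RAW"

def sensitive_file_access(ev: Dict) -> bool:
    return ev["type"] == "file" and ev["path"].startswith(SENSITIVE_PATHS)

def hash_anomaly(ev: Dict) -> bool:
    """A binary at a tracked path whose hash differs from the recorded good value."""
    expected = KNOWN_GOOD_HASHES.get(ev.get("exe"))
    return ev["type"] == "process" and expected is not None and ev["hash"] != expected

RULES: Dict[str, Callable[[Dict], bool]] = {
    "privilege_escalation": priv_escalation,
    "raw_socket": raw_socket,
    "sensitive_file_access": sensitive_file_access,
    "hash_anomaly": hash_anomaly,
}

def evaluate(events: List[Dict]) -> List[tuple]:
    """Return (rule name, host, pid) for every event that trips a rule."""
    return [(name, ev["host"], ev["pid"]) for ev in events
            for name, rule in RULES.items() if rule(ev)]

# Constructed telemetry from one workload ("web1"); uids, pids and hashes are made up.
SAMPLE_EVENTS = [
    {"type": "process", "host": "web1", "pid": 101, "exe": "/usr/sbin/sshd",
     "hash": "sha256:aaaa", "uid": 0, "parent_uid": 0},
    {"type": "process", "host": "web1", "pid": 202, "exe": "/usr/bin/python3",
     "hash": "sha256:bbbb", "uid": 1001, "parent_uid": 1001},
    {"type": "process", "host": "web1", "pid": 203, "exe": "/tmp/unknown-bin",
     "hash": "sha256:cccc", "uid": 0, "parent_uid": 1001},
    {"type": "socket", "host": "web1", "pid": 203, "sock_type": "SOCK_RAW"},
    {"type": "file", "host": "web1", "pid": 203, "path": "/etc/shadow"},
    {"type": "process", "host": "web1", "pid": 204, "exe": "/usr/bin/python3",
     "hash": "sha256:dddd", "uid": 1001, "parent_uid": 1001},
]
```

Running `evaluate(SAMPLE_EVENTS)` flags pid 203 three times (escalation, raw socket, shadow read) and pid 204 once (a python3 binary whose hash no longer matches), which is the kind of correlated sequence a quarantine action would key on.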
Visibility
Tetration for Policy Creation & Validation
Demo 1 - Tetration Application Dependency Mapping & Policy Generation
Segmentation
Purpose of segmentation
(diagram: two panels showing an attacker, labelled "Evil Genius Hacker Person", progressing through numbered steps 1-4)
Segment your network
(diagram: VMware, Hyper-V, Mainframes, DC Firewalls, AWS with Direct Connect, Campus, Containers; an AWS security group containing a struts server and a db server; on-premises struts server, db server and file server)
The Traditional Approach
Gather data, analyze the data: 100 billion events in 3 months
Implement the policy 1 year later?
Troubleshooting? Apps change?
(diagram label: "App Guy")
Policy Simulation and Experimentation
• Once apps are defined, global policies are set
• Someone has to test
  • With live traffic
  • With historical traffic
• Goes without saying, but without creating disruption…
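The what-if testing described above, as an added example that is not Tetration's or Cisco's code: replay historical flow records against a candidate whitelist policy to list the flows it would disrupt, and count how many inbound rules each provider group needs against a per-group budget (defaulting to 50, the AWS security-group default quoted later in this deck). Group names, IP addresses, the record layout and the flows themselves are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple
# Workload IP -> application group (constructed inventory; assumption).
GROUPS = {"10.0.1.10": "web", "10.0.1.11": "web", "10.0.2.20": "app",
          "10.0.3.30": "db", "10.0.9.99": "backup"}

# Candidate whitelist: (consumer group, provider group, proto, dst port).
Rule = Tuple[str, str, str, int]
POLICY: List[Rule] = [
    ("any", "web", "tcp", 443),
    ("web", "app", "tcp", 8080),
    ("app", "db", "tcp", 3306),
]

# Historical flow records: (src ip, dst ip, proto, dst port); constructed.
FLOWS = [
    ("198.51.100.7", "10.0.1.10", "tcp", 443),
    ("10.0.1.10", "10.0.2.20", "tcp", 8080),
    ("10.0.2.20", "10.0.3.30", "tcp", 3306),
    ("10.0.9.99", "10.0.3.30", "tcp", 22),    # backup job nobody documented
    ("10.0.1.11", "10.0.3.30", "tcp", 3306),  # web host talking straight to db
]

def group_of(ip: str) -> str:
    return GROUPS.get(ip, "external")

def allowed(flow: tuple, policy: List[Rule]) -> bool:
    """True if some whitelist rule permits this flow."""
    src, dst, proto, port = flow
    for consumer, provider, rproto, rport in policy:
        if (consumer in ("any", group_of(src)) and provider == group_of(dst)
                and rproto == proto and rport == port):
            return True
    return False

def simulate(flows: list, policy: List[Rule]) -> List[tuple]:
    """Historical flows the candidate policy would deny: the disruption list."""
    return [f for f in flows if not allowed(f, policy)]

def rules_per_provider(policy: List[Rule]) -> Dict[str, int]:
    """Inbound rule count per provider group, what a security group must hold."""
    counts: Dict[str, int] = defaultdict(int)
    for _, provider, _, _ in policy:
        counts[provider] += 1
    return dict(counts)

def over_budget(policy: List[Rule], budget: int = 50) -> List[str]:
    """Provider groups whose rule count exceeds the platform's per-group limit."""
    return [g for g, n in rules_per_provider(policy).items() if n > budget]
```

`simulate(FLOWS, POLICY)` returns the undocumented backup job and the web-to-db shortcut, which is the conversation to have with the application owner before enforcement rather than after.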
Policy Enforcement into switches/FW?
leaf1# show zoning-rule scope VNID-OF-THE-VRF
3278749166
The contract filters are programmed into the policy CAM on the leaf or FW, but this CAM is limited in size, and the size differs between switches.
Policy Enforcement into Cloud?
Application dependency between clouds?
By default, each security group supports up to 50 rules and each network interface can have up to 5 security groups, for a maximum of 250 rules per interface. If your AWS network is in EC2-Classic, the maximum cap limit is 500 security groups in each region for each account.
Network Security Groups (NSG): the default limit is 100 and can be increased up to 400. NSG rules per NSG: the default limit is 200 and can be increased up to 1000.
Firewall rules: the maximum number of stateful connections per VM by default is 130,000.
Policy enforcement
How can we enforce this type of policy in our switches? Which switches can survive?
How can we maintain these policies consistently across clouds?
Tetration – Policy Director
The Strategy – Defense in depth
(diagram: three enforcement layers, Zone-Based, North-South and Host-Based; an AWS security group containing a struts server and a db server)
NGFW North-South Protection Demo
Automated Policy Discovery, Audit and Enforcement
• Create a segmentation policy based on real application data
• Firewall policy change modeling
• Full policy audit and forensics
• No one else can do this!
• Unique integration between Cisco NGFW (north/south), ACI (fabric), and Tetration (host)
Demo 2 - Tetration Streaming Policy to ASA
Tetration Host-Based Segmentation Demo
Demo 3 - Tetration Host-Based Segmentation
Multi-Cloud, Platform-Agnostic Segmentation and Enforcement
Threat Protection and Cloud Workload Protection
NGFW, Stealthwatch, Tetration, ACI
Threat Intelligence
With the Industry-Best Threat Intelligence
Identify advanced threats, get specific intelligence, catch stealthy threats, stay protected with updates
Endpoints, Devices, Networks (NGFW, NGIPS), Web
250+ researchers, 24 x 7 x 365 operations
Security coverage, research, response:
1.5 million daily malware samples
600 billion daily email messages
16 billion daily web requests
Cisco has Industry-Best Threat Protection
The power of Cisco Talos!
Stopping the most threats in NSS Labs testing year after year
(chart: security effectiveness 2010-2017, Cisco vs. test average, for NGFW, NGIPS and Breach Detection (Cisco AMP); y-axis 82-100%)
98.9% efficacy = 6.8M missed threats/year
Demo 4 - Tetration Cloud Workload Protection
Multi-Cloud Workload Protection
Summary
Multi-Layered Threat Protection
• Multi-layered threat protection quickly stops threats across the network (NGIPS and Network AMP) and servers (AMP for Endpoints).
• Once threats are detected, infected servers and workloads are contained in real time by the segmentation architecture.
• Cisco DC threat protection ensures you will have a lower risk of application compromise and a breach.