hosted security as a service - solution architecture design

Upload: cisco-canada

Post on 14-Apr-2017

TRANSCRIPT

Page 1: Hosted Security as a Service - Solution Architecture Design

Cisco Confidential. © 2016 Cisco and/or its affiliates. All rights reserved.

Hosted Security as a Service – Solution Architecture and Design

Albra Welch – Security Solutions Architect, SBG

Michael Geller – Principal Engineer, CTAO

May 19, 2016

T-SP-30-I

Page 2: Hosted Security as a Service - Solution Architecture Design

Objectives

• This session targets hosted security services for Enterprises and Service Providers
• Understand the impact of orchestration and automation on hosted security
• Applications of elastic security services delivered from the cloud
• Performance and scalability considerations
• Security services with NFV and SDN
• Forward-looking applications of security delivered from the cloud to your network

Page 3: Hosted Security as a Service - Solution Architecture Design

Agenda

• Introduction
• The Hosted Security Service Architecture
• Architecture
• HSS: Architecture
• vMS: Architecture
• vMS: Demo
• HSS: Demo
• Conclusion


Page 5: Hosted Security as a Service - Solution Architecture Design

Session Description

This session provides an in-depth discussion of cloud-based security services built on Cisco security solutions. It is appropriate for service providers who want to deliver managed security services to their customers from their own cloud infrastructure. We provide detailed designs and guidance on:

• Cloud security services including firewall (FW), VPN, web, email and routing services
• Architecture layers as shaped by NFV and SDN
• Orchestration flexibility and options
• Day 0 and Day 1 provisioning
• Day 2 monitoring and reporting

Page 6: Hosted Security as a Service - Solution Architecture Design

Security as a Service Architecture (diagram)

Layers, top to bottom: OSS/BSS Integration → Service Intent → Orchestration → Security Services.

Security services offered: VPNaaS, FWaaS, IPSaaS, WSaaS, ESaaS, IDaaS, DDoSaaS. They are implemented on ASAv and/or CSR1000v (firewall, VPN, routing) together with WSAv (web) and ESAv (email), and are reachable on public IP addresses from the public Internet.

Access paths into the service:
• Managed Access: a CPE at the customer site (local LAN) builds an IPsec VPN to the hosted security services.
• Unmanaged Access: remote users connect with AnyConnect over SSL VPN (remote access VPN).

From the security services, IP connectivity continues into public IP address space toward Internet sites and SaaS destinations (Amazon, Salesforce).

Page 7: Hosted Security as a Service - Solution Architecture Design

IT Transformation

• More devices and more apps mean the attack surface has increased, and attack tools are evolving too
• Do more with less
• Users will get stuff done any way they can
• The hardware we use has never changed so fast

Page 8: Hosted Security as a Service - Solution Architecture Design

MSSP Market Segmentation

Source: Frost and Sullivan, Global Managed Security Services Market, March 2015

Managed Security Services segments:
• SAMM (Security Asset Monitoring and Management)
  • Customer Premises Equipment (CPE)-based SAMM
  • Hosted SAMM
• TRIDR (Threat Research, Intelligence, Detection and Remediation)
• RCM (Risk and Compliance Management)
• AEM (Advanced and Emerging MSS)

Page 9: Hosted Security as a Service - Solution Architecture Design

Where Do Managed Security Services Live?

• Public: AWS, Google, Azure, etc.
• Private: SP infrastructure
• Hybrid: mix of public and private

Seamless end-to-end experiences across workload size and type are required regardless of app, service or environment; secure flexibility is a critical requirement.

Page 10: Hosted Security as a Service - Solution Architecture Design

Evolution of Managed Security Services: Premise to Cloud (diagram)

Three stages are shown, CPE Managed → Hybrid → Cloud, with the network and security functions split between the customer CPE and the SP cloud:

• CPE Managed: everything runs on the CPE: NGFW, VPN, IPS, web, email, malware and context, plus switching, NAT, DHCP, AP, voice and routing. Nothing runs in the SP cloud.
• Hybrid: the CPE keeps switching, AP, voice, routing, NAT, DHCP, NGFW and VPN; IPS, web, email, malware and context move to the SP cloud.
• Cloud: the CPE keeps only switching, AP and voice; NGFW, VPN, IPS, web, email, malware, context, NAT, DHCP and routing are all delivered from the SP cloud.

Page 11: Hosted Security as a Service - Solution Architecture Design

Cloud Based Security Service Offerings: SaaS or Hosted

Cisco Managed Security Cloud (SaaS)
• Cloud Web Security (CWS) and Cloud Email Security (CES): web and email security as a service
• SP/MSSP resells to Enterprises

SP Hosted Security Cloud
• VPN, FW, NGFW, NGIPS, AMP, Web Security and Email Security as a Service
• Pre-packaged NFV security service bundles (vMS)
• A la carte Hosted Security as a Service (HSS)

Page 12: Hosted Security as a Service - Solution Architecture Design

Comparison of Cloud-Based Security Service Offerings

| Attribute | SP Managed Security Cloud: HSS | SP Managed Security Cloud: vMS (e.g. Cloud VPN) | Cisco Managed Security Cloud Services |
|---|---|---|---|
| Services | Flexible a la carte security services: VPN, firewall, web security, email security, or any combination bundle | Pre-packaged NFV security services: Cloud VPN, Cloud VPN + Web Security | SaaS: web security or email security |
| Delivery model | SP hosted within a virtual private cloud | SP hosted within a virtual private cloud | Public cloud, Cisco hosted; SP acts as reseller or MSSP |
| Pricing model | SP price per bandwidth usage with per-user add-on | SP price per bandwidth usage with per-user add-on | Price per user |
| SP CapEx costs | Infrastructure + security software + orchestration | Infrastructure + security software + orchestration | None |
| SP OpEx costs | Yes: data center operation + service operation | Yes: data center operation + service operation | Reduced |
| Reporting / log data | Owned by SP, stays in SP DC | Owned by SP, stays in SP DC | Centralized in Cisco cloud / local log |
| Orchestration / management | Third-party tools (e.g. UBIqube) | Cisco Tail-f orchestration with NFV service chaining | Cisco turnkey service, transparent to SP |
| Cloud platform | Cisco VMDC/VSA, VMware | OpenStack with KVM | Transparent to SP |

Page 13: Hosted Security as a Service - Solution Architecture Design

Market Opportunity: Cloud Service Delivery Shows Higher Growth, but CPE Based Still Growing

Two charts (only the titles, axes and legend survive in this transcript):
• Worldwide Cloud-Based Service Revenue Share by Technology: revenue in US$ billions, CY10 to CY19, broken out by content security, managed firewalls, DDoS mitigation, IDS/IPS and other security services. A $7.2B figure is called out on the chart.
• Worldwide CPE-Based Service Revenue Share by Technology: same axes and categories.

Source: © 2015 IHS / Infonetics Research: Cloud and CPE Managed Security Services Market Size and Forecasts; March 2015

Page 14: Hosted Security as a Service - Solution Architecture Design

Technical Drivers and Challenges

| Driver | Challenge |
|---|---|
| Scalability | Scale to support increasingly large numbers of transactions and sites |
| Sizing / capacity planning | Sizing the service delivery platform and the virtual CPE platforms |
| Pay-as-you-grow solution | High cost / upfront investment impact on service ROI |
| Ease of deployment and service agility | Complexity limits service adoption and the addressable market |
| Ease of operation | Management solutions that require service operations staff to perform complex and frustrating tasks across disparate management systems |
| Business and technical view | Business-focused reporting versus technically oriented reporting |

Page 15: Hosted Security as a Service - Solution Architecture Design

Service Needs

| Category | Requirement |
|---|---|
| Management | Multi-tenant / multi-role / API for integration with existing SP OSS/BSS tools |
| Customer web portal | Customer self-service portal for service monitoring and self-care change management |
| Hardware | Low CapEx / OpEx integrated solution |
| Bandwidth | Up to multi-Gb per customer tenant |
| Malware / anti-virus update | In-service upgrades without service interruption |
| Performance monitoring | Monitor traffic profile and virtual appliance health for capacity planning |
| Security policy management | Centralized management of security policies |
| Virtualization | Solution must be available as a virtual appliance for private and public cloud deployment |
| Data retention | Service management platform needs to support data retention policies |
| Security event and incident management | Centralized event and incident management |
| Security reporting | Custom security reports for security appliances |

Page 16: Hosted Security as a Service - Solution Architecture Design

Cisco Business Case Modeling to Predict ROI, TCO, Profit

Inputs: market segment (tenant) input parameters, business and system input parameters, and service pricing. Output: service provider revenue and profit.

Page 17: Hosted Security as a Service - Solution Architecture Design

Focus of Service Creation Team

Service Discovery and Service Creation Workshops: part of the wider process of building services.

Service Development Lifecycle stages (diagram): Cloud Service Discovery (identify/qualify the opportunity) → Cloud Service Envision → Cloud Service Build → Cloud Service Market and Sell.

Activities shown along the lifecycle: service portfolio; country planning; Service Discovery Workshop (per service); executive sponsorship; Service Creation (SC) Workshop; business case; proposal; partner qualification; partner selection; solution design; operation and service delivery; marketing plan; marketing; sales enablement; sales engagement.

Ownership legend on the diagram: Cisco leads; joint CSP and Cisco; CSP or Cisco AS leads (the color coding that maps activities to owners is not reproduced in this transcript).

Page 18: Hosted Security as a Service - Solution Architecture Design

Cisco Security Vision and Strategy: Covering the Entire Attack Continuum

Portfolio placed on the continuum: DDoS Visibility / Mitigation Services; Firewall; NGFW; Secure Access + Identity Services; VPN; UTM; NGIPS; Web Security; Email Security; Advanced Malware Protection; Network Behavior Analysis; Malware Sandboxing; Vulnerability Assessment.

Attack Continuum phases:
• Before: Control, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate

Page 19: Hosted Security as a Service - Solution Architecture Design

Agenda (section divider; items as listed on Page 3)

Page 20: Hosted Security as a Service - Solution Architecture Design

Security as a Service Architecture

Three layers (diagram):
• Orchestration layer: policy, analytics, reporting
• Services layer: per-tenant security services, e.g. Tenant 1: FWaaS, WSaaS, ESaaS; Tenant 2: NGFW/IPSaaS, VPNaaS, IDaaS; Tenant 3: FWaaS, DDoSaaS
• Infrastructure: hypervisor, compute, storage

Security service examples:
• FWaaS – Firewall as a Service
• VPNaaS – Virtual Private Networking as a Service
• NGFW/IPSaaS – Next Generation Firewall and Intrusion Prevention System as a Service
• WSaaS – Web Security as a Service
• ESaaS – Email Security as a Service
• IDaaS – Identity as a Service
• DDoSaaS – Distributed Denial of Service Mitigation as a Service

Page 21: Hosted Security as a Service - Solution Architecture Design

Firewall as a Service: FW-aaS

Platform: ASAv or CSR1000v, with centralized management and reporting. Pricing is per throughput and per feature.

Firewall support:
• Stateful inspection
• Application inspection
• Network address translation
• Encrypted traffic inspection
• Protocol inspection

Advanced firewall:
• Identity-aware policy enforcement
• Malware traffic detection and blocking
• Botnet traffic filter
• Voice and video security

Page 22: Hosted Security as a Service - Solution Architecture Design

Firewall-aaS Tiers Example (summary)

Service tiers: Bronze, Silver, Gold. Feature categories: NAT address translation, stateful inspection, high availability, advanced management. Each category is mapped to the Before / During / After phases of the attack continuum; the per-tier "Included" marks are not reproduced in this transcript.

Page 23: Hosted Security as a Service - Solution Architecture Design

Firewall-aaS Tiers Example (reference slide)

Service tiers: Bronze, Silver, Gold. Legend: Included / … Option (the per-tier marks are not reproduced in this transcript). Features are mapped to the Before / During / After phases of the attack continuum.

• Network Address Translation: NAT/PAT
• Stateful Inspection: L3 firewall; transparent firewall; proxy authentication; application hosting private zone; application control (IM, peer to peer); voice security support
• High Availability: within SP data center; between SP data centers
• Management: customer self-service portal; streamlined management; auto-generated reporting; custom reporting; data log retention (1 month); extended data log retention (> 1 month)

Page 24: Hosted Security as a Service - Solution Architecture Design

VPN as a Service: VPN-aaS

Platform: ASAv or CSR1000v, with centralized management and reporting. Pricing is per throughput and per user.

VPN services:
• Site-to-site VPN through the Internet firewall
• Remote access VPN
• IPsec and SSL VPN
• Session persistence (always-on VPN)

Page 25: Hosted Security as a Service - Solution Architecture Design

VPNaaS Tiers Example (summary)

Service tiers: Bronze, Silver, Gold. Feature categories: customer site to cloud IPsec VPN service, remote access VPN, high availability, advanced management. Each category is mapped to the Before / During / After phases; the per-tier "Included" marks are not reproduced in this transcript.

Page 26: Hosted Security as a Service - Solution Architecture Design

VPNaaS Tiers Example (reference slide)

Service tiers: Bronze, Silver, Gold. Legend: Included / … Option (the per-tier marks are not reproduced in this transcript). Features are mapped to the Before / During / After phases.

• Customer Site to Cloud IPsec VPN Service: support for multiple crypto policies (DES, 3DES, AES …; DES and 3DES are legacy ciphers and should be offered only for compatibility with peers that cannot negotiate AES); pre-shared key VPN authentication; digital certificate VPN authentication; multiple classes of service / traffic prioritization policies
• Remote Access VPN: IPsec-based remote access VPN; clientless SSL remote access VPN; client-based SSL remote access VPN; authentication integration with the enterprise's RADIUS, LDAP and AD servers; basic authentication (username and password); strong authentication / token-based authentication; digital certificate-based authentication
• High Availability: active/passive within SP data center; active/active within SP data center; active/passive between SP data centers; active/active between SP data centers
• Management: customer self-service portal; streamlined management; auto-generated reporting; custom reporting; data log retention (1 month); extended data log retention (> 1 month)
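The site-to-cloud IPsec service above lists DES, 3DES and AES crypto policies and both pre-shared key and certificate authentication as tier options. The following ASAv configuration is an added example written for this page, not from the original deck, showing how a tenant's site-to-site tunnel can be pinned to a strong IKEv2 profile while a 3DES policy is kept at the lowest priority for peers that cannot negotiate anything better. The interface name "outside", the peer 203.0.113.10, the tenant site 192.0.2.0/24, the tenant private zone 10.10.0.0/16, the object and policy names and the placeholder pre-shared key are all assumptions chosen for the example.

```cisco
! ---- IKEv2 policies: lower sequence number = higher priority ----
! Strong profile for this tenant: AES-256, SHA-256, ECDH P-256 (group 19)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
! Legacy profile, offered last, only for peers that cannot negotiate AES.
! 3DES is a weak cipher; remove this policy once all peers are upgraded.
crypto ikev2 policy 90
 encryption 3des
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside

! ---- IPsec (child SA) proposal: AES-256 with SHA-256 integrity ----
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! ---- Interesting traffic: tenant private zone <-> tenant site (assumed ranges) ----
access-list TENANT1-S2S extended permit ip 10.10.0.0 255.255.0.0 192.0.2.0 255.255.255.0

! ---- Crypto map bound to the Internet-facing interface ----
crypto map OUTSIDE-MAP 10 match address TENANT1-S2S
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 10 set pfs group19
crypto map OUTSIDE-MAP interface outside

! ---- Tunnel group: pre-shared key authentication ----
! For the digital-certificate option replace the two pre-shared-key lines with
!   ikev2 remote-authentication certificate
!   ikev2 local-authentication certificate <trustpoint-name>
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-LONG-RANDOM-SECRET
 ikev2 local-authentication pre-shared-key REPLACE-WITH-LONG-RANDOM-SECRET

! ---- Identity NAT so tunnel traffic is not translated and still matches the crypto ACL ----
object network TENANT1-PRIVATE
 subnet 10.10.0.0 255.255.0.0
object network TENANT1-SITE
 subnet 192.0.2.0 255.255.255.0
nat (inside,outside) source static TENANT1-PRIVATE TENANT1-PRIVATE destination static TENANT1-SITE TENANT1-SITE no-proxy-arp route-lookup
```

After the tunnel comes up, `show crypto ikev2 sa` shows which policy was negotiated; a Gold-tier tenant whose tunnel reports 3DES is a sign the peer is selecting the legacy policy and should be investigated rather than left in place.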

Page 27: Hosted Security as a Service - Solution Architecture Design

Web Security as a Service: WS-aaS

Platform: WSAv, with centralized management and reporting. Per-user pricing model driven by features.

• Anti-malware protection
• Web content analysis
• Web usage controls
• Application visibility
• Bi-directional control

Page 28: Hosted Security as a Service - Solution Architecture Design

Web Security-aaS Tiers Example (summary)

Service tiers: Bronze, Silver, Gold. Feature categories: real-time threat protection services, acceptable use services, policy control, high availability, advanced management. Each category is mapped to the Before / During / After phases; the per-tier "Included" marks are not reproduced in this transcript.

Page 29: Hosted Security as a Service - Solution Architecture Design

Web Security-aaS Tiers Example (reference slide)

Service tiers: Bronze, Silver, Gold. Legend: Included / … Option (the per-tier marks are not reproduced in this transcript). Features are mapped to the Before / During / After phases.

• Real Time Threat Protection Services: web reputation filtering; malware scanning
• Acceptable Use Services: web URL monitoring by category; web URL filtering (blocking); web application monitoring; web application control; SaaS access control; transparent user authentication
• Advanced Malware Protection
• Policy Control: granular access and control policies; remote access user control policies
• High Availability: within SP data center; between SP data centers
• Management: customer self-service portal; streamlined management; auto-generated reporting; custom reporting; data log retention (1 month); extended data log retention (> 1 month)

Page 30: Hosted Security as a Service - Solution Architecture Design

Email Security as a Service: ES-aaS (Inbound and Outbound Security Control)

Platform: ESAv, with centralized management and reporting. Per-user pricing model driven by features.

• Inbound security: virus and malware defense; spam defense
• Outbound control: data loss prevention; secure messaging (encryption)

Page 31: Hosted Security as a Service - Solution Architecture Design

Email Security-aaS Tiers Example (summary)

Service tiers: Bronze, Silver, Gold. Feature categories: inbound email protection, outbound email protection, policy control, high availability, advanced management. Each category is mapped to the Before / During / After phases; the per-tier "Included" marks are not reproduced in this transcript.

Page 32: Hosted Security as a Service - Solution Architecture Design

Email Security-aaS Tiers Example (reference slide)

Service tiers: Bronze, Silver, Gold. Legend: Included / … Option (the per-tier marks are not reproduced in this transcript). Features are mapped to the Before / During / After phases.

• Inbound Email Protection: reputation scoring and SMTP blocking; anti-spam; outbreak filters, Sophos anti-virus; inbound email content filtering; quarantine; Advanced Malware Protection
• Outbound Email Protection: anti-virus; outbound email content filtering; integrated RSA data loss prevention; DLP RSA Enterprise Manager integration (enterprise provided); large volume; quarantine
• Policy Control: granular policy control; roaming users protection
• High Availability: within SP data center; between SP data centers
• Management: self-service portal; streamlined management; auto-generated reporting; custom reporting option; data log retention (1 month); extended data log retention (> 1 month)

Page 33: Hosted Security as a Service - Solution Architecture Design

NGFW/IPSaaS Tiers Example (summary)

Service tiers: Bronze, Silver, Gold. Feature categories: application visibility and control (NGFW), threat protection (NGIPS), high availability, advanced management. The per-tier "Included" marks are not reproduced in this transcript.

Page 34: Hosted Security as a Service - Solution Architecture Design

NGFW/IPSaaS Tiers Example (reference slide)

Service tiers: Bronze, Silver, Gold. Legend: Included / … Option (the per-tier marks are not reproduced in this transcript). Features are mapped to the Before / During / After phases.

• Application Visibility and Control (NGFW): network, user and application discovery; application traffic filtering; URL filtering; file blocking (block a given file type)
• Threat Protection (NGIPS): IPS basic threat protection services (Snort signatures); IPS premium security signatures and content; security intelligence feeds; AMP (Advanced Malware Protection, disposition from the cloud / policy)
• High Availability: configurable "fail open" (appliance only); "fastpath" and trust rules (exclude/include velocity)
• Management: streamlined management; IPS signature update; advanced/custom reporting; automated policy tuning (advanced/custom policy tuning); event correlation (customized event correlation services); impact analysis

Page 35: Hosted Security as a Service - Solution Architecture Design

Agenda (section divider; items as listed on Page 3)

Page 36: Hosted Security as a Service - Solution Architecture Design

Hosted Security as a Service (HSS)

• Enables Cisco partners to deliver security services from their cloud infrastructure or as a managed private cloud offering
• Cisco virtual security appliance products (ESAv, WSAv, ASAv, CSR1000v, …) and third-party products
• Comprehensive management system using UBIqube as the security domain manager
  • Fulfillment
  • Assurance
  • Northbound API for integrating with cloud orchestration solutions
• Solution supported with IaaS solutions: VMDC 2.3 and VSA 1.0
• Platform based on Cisco Unified Computing System (UCS)
• Flexible deployment models

Page 37: Hosted Security as a Service - Solution Architecture Design

HSS Architecture

• Delivered from the service provider's infrastructure
• UBIqube MSActivator used as the Security Domain Manager
• Orchestration software interfaces with the native appliance configuration mechanisms
• All customer data lives inside the SP cloud environment
• Security on virtual form factor available today

Layers (diagram):
• Orchestration layer: policy, analytics, reporting; integrates with the SP's existing orchestration, reporting and billing infrastructure through a provisioning API, a reporting API and a billing API
• Services layer: multi-tenant security appliances, i.e. per-tenant WSAv, ASAv, ESAv and CSR1Kv virtual machines grouped into Tenant 1, Tenant 2 and Tenant 3
• Infrastructure: VMware ESXi on Cisco UCS with storage

Page 38: Hosted Security as a Service - Solution Architecture Design

VSA 1.0 Expanded Gold Container: ASAv, WSAv, ESAv (diagram; redundant nodes not shown)

Topology: the Tenant 1 site (AD, DNS, MS Exchange) reaches the SP data center over MPLS VPN or IPsec VPN into a customer VRF on the ASR9000, which also carries the global VRF toward the Internet. A Nexus 5000/7000/9000 L2 fabric connects the ASR9000, a physical ASA5585X and the UCS-hosted virtual machines. Tenant 1 mobile workers arrive from the Internet.

The Tenant 1 Expanded Gold Container holds an ASAv (interfaces gi0/1 to gi0/7 and mgmt0/0), a WSAv (interfaces M1 and P1) and an ESAv (interface M1) as virtual machines on UCS, fronting a Tenant 1 private zone (private tier 1, tier 2 and tier 3 VMs) and a Tenant 1 DMZ zone. The SP management zone hosts UBIqube and vCenter. VLANs: a shared transit VLAN and per-tenant VLANs.

Page 39: Hosted Security as a Service - Solution Architecture Design

VSA 1.0 Expanded Gold Container: CSR1Kv, WSAv, ESAv (diagram; redundant nodes not shown)

Same topology as the ASAv variant on Page 38 (Tenant 1 site over MPLS VPN or IPsec VPN into a customer VRF on the ASR9000, Internet in the global VRF, Nexus 5000/7000/9000 L2 fabric, physical ASA5585X, UBIqube and vCenter in the SP management zone, Tenant 1 private zone with tier 1, 2 and 3 VMs, Tenant 1 DMZ zone, shared transit VLAN and per-tenant VLANs, Tenant 1 mobile workers from the Internet), but the tenant container's firewall, VPN and routing function is a CSR1Kv (interfaces gi1 to gi8) instead of an ASAv, alongside the WSAv (M1, P1) and ESAv (M1) virtual machines on UCS.

Page 40: Hosted Security as a Service - Solution Architecture Design

VSA 1.0 Expanded Gold Container: CSR1Kv, ASAv, WSAv, ESAv (diagram; redundant nodes not shown)

Same topology as Page 38, with both a CSR1Kv (interfaces gi1 and gi5 to gi8) and an ASAv (interfaces gi0/2 to gi0/5 and mgmt0/0) in the Tenant 1 Expanded Gold Container, together with the WSAv (M1, P1) and ESAv (M1) virtual machines on UCS. The Tenant 1 private zone (tier 1, 2 and 3 VMs), Tenant 1 DMZ zone, SP management zone (UBIqube, vCenter), shared transit VLAN and per-tenant VLANs are unchanged.

Page 41: Hosted Security as a Service - Solution Architecture Design

VSA 1.0 Expanded Gold Container: Customer Hosted Email Inbound Flow (diagram; redundant nodes not shown)

Same ASAv, WSAv, ESAv topology as Page 38. The tenant's MS Exchange stays at the Tenant 1 site: inbound email from the Internet passes through the tenant container's ASAv and ESAv in the SP data center and is then delivered over the MPLS VPN or IPsec VPN to the customer-hosted Exchange.

Page 42: Hosted Security as a Service - Solution Architecture Design

VSA 1.0 Expanded Gold Container: SP Hosted Email Inbound Flow (diagram; redundant nodes not shown)

Same ASAv, WSAv, ESAv topology as Page 38, except that MS Exchange is hosted in the SP data center inside the Tenant 1 private zone (alongside the private tier 2 and tier 3 VMs) rather than at the Tenant 1 site, which keeps only AD and DNS. Inbound email from the Internet passes through the ASAv and ESAv and is delivered to Exchange without leaving the SP cloud.

Page 43: Hosted Security as a Service - Solution Architecture Design

VSA 1.0 Expanded Gold Container: ASAv Web Traffic Flow, Explicit Proxy (diagram; redundant nodes not shown)

Same ASAv, WSAv, ESAv topology as Page 38. The WSAv is set up as the web proxy on the user's endpoint, so clients in the Tenant 1 private zone (and Tenant 1 mobile workers) send their web requests directly to the WSAv, which fetches content from the Internet through the ASAv. In explicit mode the ASAv policy should also deny direct outbound HTTP/HTTPS from the private zone, so that an endpoint that drops or overrides its proxy setting cannot bypass the WSAv.

Page 44: Hosted Security as a Service - Solution Architecture Design

VSA 1.0 Expanded Gold Container: ASAv Web Traffic Flow, Transparent Redirection with Policy Based Routing (diagram; redundant nodes not shown)

Same ASAv, WSAv, ESAv topology as Page 38. No proxy setting is needed on the endpoint: policy based routing on the ASAv provides transparent redirection, steering the private zone's web traffic to the WSAv before it leaves toward the Internet.
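One way to realize the ASAv transparent redirection described above, as an added example that is not part of the original deck: policy based routing on the client-facing ASAv interface sends the private zone's HTTP/HTTPS flows to the WSAv data interface (P1) as next hop and leaves everything else on the normal route. Interface numbers follow the diagram, but their roles (gi0/2 toward the private zone, gi0/3 toward the WSAv), the 10.10.0.0/16 client range, the WSAv address 10.10.250.10 and the ACL and route-map names are assumptions made for the example. ASA policy based routing requires ASA software 9.4(1) or later.

```cisco
! Tenant-1 private zone (clients) 10.10.0.0/16 behind gi0/2 "inside"   (assumed)
! WSAv P1 data interface 10.10.250.10 on its own segment behind gi0/3 "wsa" (assumed)
interface GigabitEthernet0/3
 nameif wsa
 security-level 60
 ip address 10.10.250.1 255.255.255.0

! Select only client web traffic that is bound for the Internet. Requests to the
! tenant's own RFC 1918 space are denied here, i.e. left on the normal route, so
! internal web applications are not dragged through the proxy.
access-list TENANT1-WEB-REDIRECT extended deny tcp 10.10.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq www
access-list TENANT1-WEB-REDIRECT extended deny tcp 10.10.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq https
access-list TENANT1-WEB-REDIRECT extended permit tcp 10.10.0.0 255.255.0.0 any eq www
access-list TENANT1-WEB-REDIRECT extended permit tcp 10.10.0.0 255.255.0.0 any eq https

! Matching flows get the WSAv as next hop instead of the default route.
route-map TENANT1-WEB-TO-WSA permit 10
 match ip address TENANT1-WEB-REDIRECT
 set ip next-hop 10.10.250.10

! PBR is evaluated on the ingress interface, so it is applied on the client side.
! The WSAv's own upstream connections enter on "wsa", not "inside", and are never
! re-steered; if the WSAv shared the inside segment, put a deny line for its
! address at the top of the ACL or the proxy would loop on its own traffic.
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.0.0
 policy-route route-map TENANT1-WEB-TO-WSA
```

To check the steering without client traffic, run `packet-tracer input inside tcp 10.10.1.20 40000 198.51.100.5 80` on the ASAv: the result should show the flow leaving on the `wsa` interface, while the same trace toward an internal 10.x.x.x web server should leave on its normal egress interface.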

Page 45: Hosted Security as a Service - Solution Architecture Design

VSA 1.0 Expanded Gold Container: CSR1Kv Web Traffic Flow, Transparent Redirection with WCCP (diagram; redundant nodes not shown)

Same topology as the CSR1Kv variant on Page 39 (CSR1Kv interfaces gi1 to gi8, WSAv M1 and P1, ESAv M1). No proxy setting is needed on the endpoint: WCCP on the CSR1Kv provides transparent redirection of the private zone's web traffic to the WSAv.
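An added example, not from the original deck, of the CSR1Kv WCCP redirection described above. The CSR1000v acts as the WCCP router: service group web-cache (service 0) covers HTTP on port 80, and a dynamic service id covers HTTPS, which the WSAv defines on its side. Interface numbers follow the diagram, but their roles (gi2 toward the private zone, gi3 toward the WSAv), the dynamic service id 90, the 10.10.0.0/16 client range, the WSAv address 10.10.250.10 and the shared password are assumptions made for the example.

```cisco
! Only the WSAv may join the service groups (group-list), and joining requires a
! shared password, so a rogue host on the segment cannot register as a "cache"
! and have the tenant's web traffic redirected to it.
ip access-list standard WSA-CACHES
 permit 10.10.250.10

! Only client web traffic is eligible for redirection (redirect-list).
ip access-list extended TENANT1-WEB-CLIENTS
 permit tcp 10.10.0.0 0.0.255.255 any eq www
 permit tcp 10.10.0.0 0.0.255.255 any eq 443

ip wccp web-cache redirect-list TENANT1-WEB-CLIENTS group-list WSA-CACHES password 0 REPLACE-WITH-SHARED-SECRET
ip wccp 90 redirect-list TENANT1-WEB-CLIENTS group-list WSA-CACHES password 0 REPLACE-WITH-SHARED-SECRET

! Client-facing interface: redirect inbound web traffic to the WSAv.
interface GigabitEthernet2
 description Tenant-1 private zone (assumed role)
 ip address 10.10.0.1 255.255.0.0
 ip wccp web-cache redirect in
 ip wccp 90 redirect in

! WSAv-facing interface: never re-redirect the proxy's own upstream requests,
! otherwise the WSAv's connections to the Internet loop straight back into it.
interface GigabitEthernet3
 description Toward WSAv P1 (assumed role)
 ip address 10.10.250.1 255.255.255.0
 ip wccp redirect exclude in
```

On the WSAv the matching WCCP v2 services are created under Network > Transparent Redirection with the CSR1Kv's address and the same password; `show ip wccp` and `show ip wccp web-cache detail` on the CSR1Kv then list the WSAv as a registered cache and show the redirected packet counters increasing.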

Page 46: Hosted Security as a Service - Solution Architecture Design

HSS VSA 1.0 Components

| HSS component | Version | Required/Recommended/Optional |
|---|---|---|
| ASAv | 9.52(204) | Required |
| WSAv | 9-0-1-162 | Required |
| ESAv | 9-7-1-066 | Required |
| AnyConnect | 4.2 | Required |
| UBIqube MSActivator | 15.3.2 | Recommended |
| Virtual Services Architecture | 1.0 | Recommended |

Page 47: Hosted Security as a Service - Solution Architecture Design

VSA 1.0 Expanded Gold Container

| VSA 1.0 component | Version | HSS-supported alternatives | Required/Recommended/Optional |
|---|---|---|---|
| Unified Computing System (UCS) B-Series | 2.2(3d) | UCS B or C | Required |
| UCS C-Series | 1.5(1f) | UCS B or C | Required |
| ASR 9000 | IOS XR 5.1.2 | Cisco 7600 / ASR 1000 / ASR 9000 | Recommended |
| Nexus 7000 | NX-OS 6.2(2) | Nexus 7000 / Nexus 9000 | Recommended |
| Nexus 5000 | NX-OS 6.0(2)N2(6) | | Recommended |
| UCS 6200 | NX-OS 5.2(3)N2(2.23g) | | Recommended |
| NetApp FAS8020 | ONTAP 8.1 | NetApp, EMC or VMware virtual SAN | Recommended |
| VMware vSphere | 5.5.0 Build 1623387 | | Required |
| VMware vCenter | 5.5.0 Build 2183111 | | Required |

Page 48: Hosted Security as a Service - Solution Architecture Design

VMDC 2.3 Expanded Gold Container (diagram; redundant nodes not shown)

The customer site (AD, DNS, MS Exchange) connects over MPLS VPN into a customer VRF on an ASR1006; the Internet arrives in the global VRF. A Nexus 7004 carries the customer private outside VRF, the customer private inside VRF, the customer DMZ VRF and global routing. Physical ASA5585X firewalls provide the customer private context and the customer DMZ context, and an ASA5555 terminates remote access VPN. UCS hosts the tenant VMs, Citrix/F5 load balancers and the ESAv and WSAv virtual appliances (management interfaces M1); UBIqube and vCenter sit in the SP management zone. VLANs: a shared transit VLAN, per-tenant VLANs, three private zone VLANs, and one VLAN each for DMZ 1 and DMZ 2.

Page 49: Hosted Security as a Service - Solution Architecture Design


HSS Security Domain Management

Page 50: Hosted Security as a Service - Solution Architecture Design

About UBIqube

• UBIqube is a privately funded network software specialist
• MSActivator™ = automated device configuration and service orchestration framework: any device, any service, any vendor
• Sales presence in Europe, USA, Middle East, Far East, India
• Partners: network and security vendors, OSS vendors, MSPs
• Customers: service providers, enterprises (multivendor IT security management)

Page 51: Hosted Security as a Service - Solution Architecture Design

HSS Security Domain Manager – UBIqube MSActivator

[Figure: MSActivator layering. Northbound: Web Portal GUI, Service Profiles, Service Designer Templates and Objects, and 3rd Party OSS/BSS via Web Services (Verbs and Web Services API, Order Stack Management). Core: OBMF Mediation Layer with Device Adaptors and a Device Adaptor SDK, each exposing Update Conf, Restore Conf, Get Asset and Update Firmware operations. Southbound Interface protocols: SSH, TELNET, HTTP, FTP, SNMP, Syslog, Netflow, Openflow, TR069; VOIP.]

Page 52: Hosted Security as a Service - Solution Architecture Design

MSActivator Adaptable Framework

• Service Designs SDK: for adapting/creating new functions over the MSA framework (analytics, services, etc.). Web based object editor, central repository; a couple of days per service.

• Adaptor SDK: for integrating new devices (physical and virtual)/vendors (syntax) and protocols over the MSA framework. PHP based; a couple of weeks per vendor.

[Figure: Service Provider and Third Party Tools use the Service Designer and the Northbound API of the Service Orchestrator (Network Provisioning, Security Policy Provisioning, VIP Provisioning, Cloud Provisioning), which runs on the OBMF(TM) Core Engine and drives Physical and Virtual Device Adaptors.]

Page 53: Hosted Security as a Service - Solution Architecture Design

MSA Features Highlighted (Platform, Mediation, Portal)

• Telco grade scalability

• Modular building blocks

• Multi-vendor

• Multi-Tenant (RBAC)

• Highly abstracted provisioning

• Day 0 (ZTD) to Day 2 change management

• Brownfield deployment

• Comprehensive APIs

• Flexible platform via open SDK

• Auto Order -> Activation

• Network and Services inventory

• Big Data Analytics

• Customer self service

• Network operation center

• Partitioned views

• Enable remediation by lower skilled operators

• Customizable by language, look and feel

• Centralized control and workflow automation

Page 54: Hosted Security as a Service - Solution Architecture Design

Multi-Tenant – Multi-Roles

[Figure: role hierarchy. The Privileged Administrator (ncroot) owns Administrators A, B and C, one per Tenant. Below a tenant, Privileged Manager PM1 owns Managers M1 and M2, who manage Customer Wells Fargo (Site1, Site2) and Customer ABC Tech (Site1, Site4); Operators ABC and DEF are scoped to sites and their Devices. Privileged Manager PM2 manages Customer YTT Corp. Scope levels: Tenant > Customer > Site > Devices.]
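The role tree on this slide is only useful if every action is checked against both a role rank and a scope in the hierarchy. The following is an added example (not MSActivator code) of such a check: user names, role ranks, action names and the device inventory are constructed for illustration, and PM2 is placed under a second tenant as an assumption.

```python
"""Scope-based multi-tenant RBAC of the kind sketched on this slide:
tenant > customer > site > device, with role ranks from operator up to ncroot.
Added example, not MSActivator code; user names, role ranks, action names and
the device inventory are constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional

class Role(IntEnum):
    OPERATOR = 1            # day-2 remediation on assigned devices only
    MANAGER = 2             # full control of assigned customers/sites
    PRIVILEGED_MANAGER = 3  # all customers of one tenant
    ADMINISTRATOR = 4       # tenant administration
    PRIVILEGED_ADMIN = 5    # ncroot: every tenant on the platform

# Minimum role rank an action needs (constructed; names mirror the adaptor verbs).
ACTION_MIN_ROLE = {"view": Role.OPERATOR, "restore-conf": Role.OPERATOR,
                   "update-conf": Role.MANAGER, "update-firmware": Role.MANAGER,
                   "create-customer": Role.PRIVILEGED_MANAGER, "create-tenant": Role.PRIVILEGED_ADMIN}

@dataclass(frozen=True)
class Scope:
    """A node in the hierarchy; None at a level means 'everything below it'."""
    tenant: Optional[str] = None
    customer: Optional[str] = None
    site: Optional[str] = None
    device: Optional[str] = None

    def contains(self, target: "Scope") -> bool:
        # Walk top-down: the first unset level in the grant covers all of the target;
        # a mismatch above that, or a grant narrower than the target, denies.
        for mine, theirs in ((self.tenant, target.tenant), (self.customer, target.customer),
                             (self.site, target.site), (self.device, target.device)):
            if mine is None:
                return True
            if mine != theirs:
                return False
        return True

@dataclass(frozen=True)
class Grant:
    user: str
    role: Role
    scope: Scope

def authorize(grants: List[Grant], user: str, action: str, target: Scope) -> bool:
    """Allow only if some grant for the user has enough rank AND encloses the target."""
    needed = ACTION_MIN_ROLE[action]
    return any(g.user == user and g.role >= needed and g.scope.contains(target)
               for g in grants)

def partitioned_view(grants: List[Grant], user: str, inventory: List[Scope]) -> List[str]:
    """The slide's 'partitioned view': only devices the user may at least view."""
    return sorted(d.device for d in inventory if authorize(grants, user, "view", d))

# Constructed grants following the slide's tree (PM2 placed under a second tenant).
GRANTS = [
    Grant("ncroot", Role.PRIVILEGED_ADMIN, Scope()),
    Grant("admin-a", Role.ADMINISTRATOR, Scope("tenant-a")),
    Grant("pm1", Role.PRIVILEGED_MANAGER, Scope("tenant-a")),
    Grant("m1", Role.MANAGER, Scope("tenant-a", "wells-fargo")),
    Grant("m2", Role.MANAGER, Scope("tenant-a", "abc-tech")),
    Grant("op-abc", Role.OPERATOR, Scope("tenant-a", "abc-tech", "site1")),
    Grant("op-def", Role.OPERATOR, Scope("tenant-a", "abc-tech", "site4", "asav-4")),
    Grant("pm2", Role.PRIVILEGED_MANAGER, Scope("tenant-b")),
]
INVENTORY = [
    Scope("tenant-a", "wells-fargo", "site1", "asav-1"),
    Scope("tenant-a", "wells-fargo", "site2", "csr-2"),
    Scope("tenant-a", "abc-tech", "site1", "wsav-3"),
    Scope("tenant-a", "abc-tech", "site4", "asav-4"),
    Scope("tenant-b", "ytt-corp", "site1", "asav-5"),
]
```

Note that a device-scoped operator is denied a site-wide target even though the site is "above" the device: the scope check is enclosure, not ancestry in either direction.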

Page 55: Hosted Security as a Service - Solution Architecture Design

Agenda

• Introduction

• The Hosted Security Service Architecture

• Architecture

• HSS: Architecture

• vMS: Architecture

• vMS: Demo

• HSS: Demo

• Conclusion

Page 56: Hosted Security as a Service - Solution Architecture Design

Securing the Application Delivery

• Security is all about two concepts: Visibility & Control

• Threats are mitigated as close to the source as possible

• Security services are dynamically chained together and instantiated to form a service chain to mitigate a specific threat and/or to provide a managed security service on distributed compute resources

• Threat defense provides a distributed capability to mitigate threats – targeted at the network, the Data Center, the Cloud and the applications that they serve

[Figure: threat defense placement across Endpoints and Customer Premises Equipment (Cable or DSL, Enterprise, Mobility), the SP Virtualized Network Edge, the Service Provider Data Center and Cloud, Private Cloud, Internet and Intercloud, and Public and Partner Cloud.]

Page 57: Hosted Security as a Service - Solution Architecture Design

Background

Goal Defined

• Service immediacy and speed

• Freedom of choice, service customization

• Personalized experience, user in charge

• Consumption based economics

• Bring your own device, craft your own design

Goal Realised

• Automated service delivery simplicity and efficiency ("IT-less")

• Automated service creation, high cadence of new services

• Self-service creation and reporting

• Elasticity of network and compute resources

• Open architecture, extensibility

[Figure: Orchestration Layer (Network Service Lifecycle Mgmt: service models; soft-real time service to device mappings; event driven; creation of cloud devices; discovery of devices; network topology) above the Network Layer (Control and Data Planes: physical devices, virtual devices) and the CPE devices.]

Page 58: Hosted Security as a Service - Solution Architecture Design

Evolution of Managed Services – Premise to Cloud

[Figure: progression of where network functions run. Customer Premise: Network Functions on the CPE (simple L3 CPE; L3 "classic"; L2 NID; L3 CPE + x86 on premise; x86 on premise hosting Virtual Network Functions). Network (Connect Premise to Cloud): Secure IP Overlays, MPLS (L2/L3), Carrier Ethernet, Intelligent / Hybrid. Cloud (SP Hosted): Network Functions from the Cloud, on the SP Private Cloud or Cisco Cloud. Cloud (SP Hosted or Public Cloud): Applications from the Cloud in Cloud Application Containers, on a Virtual Private Cloud or Public Cloud.]

Page 59: Hosted Security as a Service - Solution Architecture Design

Virtual Managed Services – Common Software Elements, Flexible Network Access Models

[Figure: Common Service Orchestration and Automation, a Consistent Portal and Service Dashboard, and Instrumentation. Service elements: vRouter, vFirewall and vWSA (Cloud VPN, Remote Access); vRouter with WaaS, AVC and PfR (Cloud IWAN). Access models: Branch Offices and Business Locations reaching HQ, Private Cloud, Public Cloud and the Service Provider Cloud over Internet, Dedicated internet, Secure Broadband and Secure MPLS.]

Page 60: Hosted Security as a Service - Solution Architecture Design

Customer Experience in Brief

1. Order / customize your services

2. CPE ships (if needed)

3. CPE is connected (if needed)

4. Orchestration occurs automatically

Service is up and running.

[Figure: Customer VPN over the Internet into the Service Provider Cloud (illustrated address range 10.12.162.x).]

Page 61: Hosted Security as a Service - Solution Architecture Design

vMS Value-Adds – Developing Managed Services on Platform

• A Service Blueprint is an abstract representation of a service that can be ordered through the UI or NB API

• Every Service Blueprint is associated with a given Service Offering

• A 'Function Pack' is the set of components needed to instantiate a given service request

• The service topology, written in YANG, models the "Intent" to instantiate a particular service offering

• A Service API is exposed northbound from the VirTo model (automatically created at compile time)

• A Service Request is the user calling the model with defined variables according to the service

• The orchestrator is already aware of all Service Models that may be requested; these are preloaded into the Orchestrator

[Figure: a Service Request enters through the Service API; the compiled Function Pack holds the Service Topology Model (VirTo), Instantiation Logic, Device Models and Device Drivers that act on the Infrastructure.]

Page 62: Hosted Security as a Service - Solution Architecture Design

vMS Orchestration Component Mapping

[Figure: the Operator Portal and OSS/BSS call Service APIs on the NSO Orchestrator (VNF-O), which exposes Customer Facing Services and Resource Facing Services. NSO drives ESC (VNF-M) and OpenStack, and configures the physical ISR and the VNFs (CSR, ASAv, WSAv, VTF for the DC overlay) over SSH; the SDN Controller and OVS provide the DC overlay.]

Page 63: Hosted Security as a Service - Solution Architecture Design

End User Portal – Exposing Service Blueprints to the Operator

• The Orchestration Process can be kicked off through a Portal

• The Portal is aware of different Service Blueprints that can be exposed to an operator

• The values that are selected in the Service Selection process result in the subsequent API call into NSO

• The portal was developed with 2 modules:

  • Front-End: skinned to the Customer's requirements

  • Back-end: modified to support the Service Blueprints that can be orchestrated

Page 64: Hosted Security as a Service - Solution Architecture Design

vMS VNF-O; NSO from Tail-f

[Figure: NSO components: PnP Server (Open PnP), Transaction Database (CDB), Service Manager, Device Manager and Network Element Drivers; Service Intent enters from above; managed targets are x86, ISR and Virtual devices, plus a Domain Controller reached over REST/NETCONF/YANG.]

• Zero Touch Deployment (ZTD): Open PnP is the open method for ZTD access

• The Transactional Database (CDB) allows full CRUD capabilities on Services

• The Service Manager interprets Service Intent with Service Instantiation Rules and derives configuration deltas

• The Device Manager manages derived and validated configurations in a transactional manner towards the derived infrastructure

• Network Element Drivers abstract the interfaces to the devices, allowing 3rd party infrastructure to participate in Service Instantiation

• Service Models written in YANG abstract the Service from the underlying physical devices

• The Mapping Controller maps the Service Intent to the Derived Device Topology; known as "FastMap"
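The blueprint and Function Pack slide above and the Service Manager / FastMap callouts describe one pipeline: intent in, per-device configuration deltas out, applied transactionally. The following is an added example of that pipeline, not NSO or Tail-f code; the CloudVPN-like intent, the device names and the key/value "config lines" are constructed and stand in for a YANG model and a device CLI.

```python
"""Intent-driven service instantiation in the style of the NSO callouts above:
a service intent is rendered to per-device configuration, the delta against the
previous instance is derived, and the delta is applied transactionally (every
device or none). Added example, not NSO/Tail-f code; the intent, device names
and config keys are constructed."""
from copy import deepcopy
from dataclasses import dataclass, field

@dataclass
class Store:
    """Stands in for CDB: current device configs plus each service's rendered state."""
    devices: dict                                 # device name -> {config key: value}
    services: dict = field(default_factory=dict)  # service id -> rendered per-device config

def render_intent(intent):
    """Service Manager step: map a hub-and-spoke VPN intent onto the devices it touches.
    Config lines are key/value pairs (hypothetical keys) so deltas can be computed per line."""
    hub, desired = intent["hub"], {}
    for site in intent["sites"]:
        tun, cpe = f"Tunnel{site['id']}", site["cpe"]
        # Hub: one tunnel towards each spoke plus a route to the spoke LAN.
        desired.setdefault(hub, {})[f"interface {tun}"] = f"tunnel destination {site['wan_ip']}"
        desired[hub][f"ip route {site['lan']}"] = tun
        # Spoke: tunnel to the hub. Split tunnel keeps only the DC prefix in the
        # tunnel (direct Internet access); otherwise everything is backhauled.
        desired.setdefault(cpe, {})[f"interface {tun}"] = f"tunnel destination {intent['hub_wan_ip']}"
        if site.get("split_tunnel"):
            desired[cpe][f"ip route {intent['dc_lan']}"] = tun
        else:
            desired[cpe]["ip route 0.0.0.0/0"] = tun
    return desired

def plan(store, service_id, intent):
    """FastMap-style delta: diff the newly rendered service against what this
    service rendered last time. intent=None means delete the service."""
    previous = store.services.get(service_id, {})
    desired = render_intent(intent) if intent is not None else {}
    deltas = {}
    for dev in sorted(set(previous) | set(desired)):
        old, new = previous.get(dev, {}), desired.get(dev, {})
        remove = {k for k in old if k not in new}
        upsert = {k: v for k, v in new.items() if old.get(k) != v}
        if remove or upsert:
            deltas[dev] = {"remove": remove, "upsert": upsert}
    return desired, deltas

def commit(store, service_id, intent):
    """Device Manager step: stage every delta on a copy and swap it in only if all
    devices accept it, so an unknown site never leaves the hub half-configured."""
    desired, deltas = plan(store, service_id, intent)
    staged = deepcopy(store.devices)
    for dev, delta in deltas.items():
        if dev not in staged:
            raise KeyError(f"unknown device {dev}: transaction aborted")
        for key in delta["remove"]:
            staged[dev].pop(key, None)
        staged[dev].update(delta["upsert"])
    store.devices = staged
    if desired:
        store.services[service_id] = desired
    else:
        store.services.pop(service_id, None)
    return deltas

def sample_intent(site4_split_tunnel=False, site1_cpe="isr-site1"):
    """Constructed CloudVPN-like intent: one hub CSR and two branch ISRs."""
    return {"hub": "csr-hub", "hub_wan_ip": "198.51.100.1", "dc_lan": "10.0.0.0/16",
            "sites": [{"id": 1, "cpe": site1_cpe, "wan_ip": "203.0.113.10",
                       "lan": "10.1.0.0/24", "split_tunnel": True},
                      {"id": 4, "cpe": "isr-site4", "wan_ip": "203.0.113.40",
                       "lan": "10.4.0.0/24", "split_tunnel": site4_split_tunnel}]}
```

Changing one site's split-tunnel flag yields a delta for that CPE only, and deleting the service removes exactly the lines it rendered while leaving pre-existing device configuration untouched.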

Page 65: Hosted Security as a Service - Solution Architecture Design

vMS VNF-M; Elastic Services Controller (ESC)

[Figure: ESC sits between NSO (via the ConfD API) and the VIM (OpenStack, Public Clouds). Subcomponents: Rules Engine; Service Monitor (Custom, DHCP, SNMP, Ganglia); Service Provisioning; Scale Up/Down; Elasticity; Custom Day 0 Config; VM Provisioning and Configuration Module.]

• VM Provisioning and Configuration Module: VNF bring-up and initial configuration application; multi-vendor support

• The programmable interface to ESC allows functional interaction with the ESC subcomponents and modular communication with NSO

• Data model driven affinity rules and scale requirements for the VNF components; also manages the startup sequences

• ESC uses a multidimensional approach to VNF monitoring/restartability

Page 66: Hosted Security as a Service - Solution Architecture Design

vMS VIM; OpenStack, OVS, and SDN Controller

• OVS will be supported by ODL in a coming release

• A common Neutron plugin gives an upgrade path on the SDN Controller

[Figure: Nova and Image Management; Neutron with ML2 plugins (OVS Plugin, ODL Plugin) and the ODL Controller (Model Driven, MDSAL); VNF ports attached to MGMT, External, Internal and Edge networks and to the Internet; a Management Network hosting NSO, ESC and ConfD; VPP.]

Page 67: Hosted Security as a Service - Solution Architecture Design


vMS Use Cases and Its Service Topologies

Page 68: Hosted Security as a Service - Solution Architecture Design

vMS Release 2.0: Delivering Comprehensive Cloud VPN Services

Cloud VPN Services

• 3 Service Models for Enterprise deployment flexibility:

  • CloudVPN Foundation

  • CloudVPN Advanced

  • CloudVPN Advanced w/Web Security

  • vIPS option for both Advanced and Advanced w/Web Security

• CSR1Kv: Virtual Router for Site-to-Site VPN with Secure IP Overlay using FlexVPN/IKEv2 for IPSec Tunnels

• ASAv: vFW with NAT and Policy (*)

• ASAv: vFW with IPSec/SSL Remote Access (*)

• WSAv for Enhanced Web Security (*)

Management and Orchestration

• Enterprise Admin Service Interface (Portal) driven service instantiation

• Zero-Touch Deployment of enterprise CPE (ISR G2)

• Model driven Network Services lifecycle management with Network Service Orchestrator (NSO) from Tail-f

• VNF lifecycle management with Elastic Services Controller (ESC)

• Virtual Infrastructure Management with OpenStack, featuring OVS and ODL/VPP as SDN Controllers

[Figure: NSO – NFV Orchestrator (PnP RFS, VirTo RFS, API) and ESC – VNF Manager on top of OpenStack – Virtual Infrastructure Manager. Managed CPEs for Cust-A, Cust-B and Cust-C reach the cloud over Flex-VPN links (IPSEC VPN service access) or over-the-top Internet access; the orchestration link manages the CPE. Service topologies: Foundation (VR; Direct Internet Access via "Split Tunnel"), Advanced (VR + ASA; Internet Access/Remote Access) and Advanced w/Web Security (VR + ASA + WSA).]

Page 69: Hosted Security as a Service - Solution Architecture Design

[Figure: vMS on CIS. vMS Services: CloudVPN (IPSec) with vRouter (CSR1Kv), Firewall (ASAv), Web Security (WSAv) and Remote Access, delivered as Managed WAN and Managed Security. CPE: ISR 800, 1900, 2900, 3900, 4000 Series (G2 & 4000 Series). Branches and Headquarters connect over MPLS VPN (MPLS), Internet (IPSec), and IWAN with DMVPN over both Internet and MPLS (IWAN BR/MC).]

Page 70: Hosted Security as a Service - Solution Architecture Design

Cisco Intelligent WAN – Solution Components for SPs

• Intelligent Path Control: Load Balancing; Policy-Based Path Selection; Network Availability

• Secure Connectivity: Scalable, Strong Encryption; App-Aware Threat Defense; Cloud Web Security

• Application Optimization: Application Visibility; App Acceleration; Intelligent Caching

• Hybrid WAN: Application-Centric Design; Common Operational Model; Deployment Flexibility

Page 71: Hosted Security as a Service - Solution Architecture Design

vMS Components for IWAN

• NSO Orchestration

• Service Assurance

• Operator Views

• CFS (Ordering Experience)

• Identity Management for SSO

• Portal for Network Visualization

• Living Objects for Network/App/Perf View

Page 72: Hosted Security as a Service - Solution Architecture Design

Hybrid WAN: Leveraging the Internet – Secure WAN Transport and Internet Access

• Secure WAN transport for private and virtual private cloud access

• Leverage the local Internet path for public cloud and Internet access

• Increased WAN transport capacity and cost effectiveness

• Improved application performance (right flows to right places)

[Figure: a Branch uses Secure WAN Transport over MPLS (IP-VPN) to the Private Cloud and Virtual Private Cloud, and Direct Internet Access over the Internet to the Public Cloud.]

Page 73: Hosted Security as a Service - Solution Architecture Design

Each vMS Use Case Has Orchestration, Portal and Assurance Components

• The Portal implements the ordering and self-service management UI as well as APIs

• Service provisioning and service change are performed by Orchestration

• Health, metrics and consumption data is provided by Assurance

[Figure: example for Service Name: Cloud VPN service, showing the Operator View and the Customer View.]

Page 74: Hosted Security as a Service - Solution Architecture Design


Leveraging Microservices in vMS

Page 75: Hosted Security as a Service - Solution Architecture Design

What Are Microservices?

• Each microservice is relatively small

  • Easier for a developer to understand

  • The web container starts faster, which makes developers more productive and speeds up deployments

• Each service can be deployed independently of other services; easier to deploy new versions of services frequently

• Easier to scale development: each team is responsible for a single service

• Improved fault isolation. For example, if there is a memory leak in one service then only that service will be affected

• Each service can be developed and deployed independently

• Eliminates any long-term commitment to a technology stack

http://microservices.io/patterns/microservices.html

Page 76: Hosted Security as a Service - Solution Architecture Design

Microservices Enable Architecture Extensibility in vMS Portal

• Scale up a service

• Replace a service

• Add a service

• Write a service in any language

• Inter-microservice communications also go through the API gateway

[Figure: example in which the Symphony UI, a Custom App and Identity Management consume services through the API Gateway (Manage, Monitor); services such as Consume' (based on Python) and a Recommendation Service (based on C++) register with and unregister from the gateway.]

Page 77: Hosted Security as a Service - Solution Architecture Design

Designed for SP Environment but Works Fully Standalone

[Figure: vMS Front End (UX/UI) and Back End (vMS Services: Orchestration, Common Infrastructure Services, Identity/RBAC, Log Aggregation), with integration points to the service provider's own systems.]

• SP Identity Provider: Who is the SP customer?

• SP Fulfillment: Is there any physical/un-orchestrated fulfillment?

• SP BSS: Product/offer definition, pricing, subscription, and customer billing

• SP Helpdesk (Ticketing): Your system for handling customer support requests

• SP Assurance (OSS Analytics): Your data collection engine can provide deeper insights for vMS customers as well as operators

Page 78: Hosted Security as a Service - Solution Architecture Design

vMS 2.0 Deployment Architecture

PaaS-based to deliver manageability, cloud native scalability and resilience

[Figure: an HTTP Load Balancer / Router in front of the Cloud Controller and Health Manager; Micro-Services, ESC and NCS; platform capabilities offered "as a service": Identity Mgmt., Service Discovery, Logs/Metrics, Cassandra / Hadoop / Redis, Cloud Storage; an API Gateway and Service Assurance.]

Page 79: Hosted Security as a Service - Solution Architecture Design

Agenda

• Introduction

• The Hosted Security Service Architecture

• Architecture

• HSS: Architecture

• vMS: Architecture

• vMS: Demo

• HSS: Demo

• Conclusion

Page 80: Hosted Security as a Service - Solution Architecture Design


Demo: vMS

Page 81: Hosted Security as a Service - Solution Architecture Design

vMS Demonstration

[Figure: CIS: vMS on IaaS. Branches with CPE (ISR 800, 1900, 2900, 3900, 4000 Series) connect over CloudVPN (IPSec) and the Internet to the vRouter (CSR1Kv), Firewall (ASAv), Web Security (WSAv) and Remote Access, delivered as Managed WAN and Managed Security.]

Page 82: Hosted Security as a Service - Solution Architecture Design

Agenda

• Introduction

• The Hosted Security Service Architecture

• Architecture

• HSS: Architecture

• vMS: Architecture

• vMS: Demo

• HSS: Demo

• Conclusion

Page 83: Hosted Security as a Service - Solution Architecture Design


Demo: HSS

Page 84: Hosted Security as a Service - Solution Architecture Design

Agenda

• Introduction

• The Hosted Security Service Architecture

• Architecture

• HSS: Architecture and Demonstration

• vMS: Architecture and Demonstration

• vMS: Demo

• HSS: Demo

• Conclusion

Page 85: Hosted Security as a Service - Solution Architecture Design

Security as a Service Architecture

[Figure: OSS/BSS Integration feeds Service Intent into Orchestration, which instantiates the Security Services (WSAv, ESAv, ASAv and/or CSR1000v) on Public IP Addresses in the Internet public IP address space. Managed Access: CPEs on the customer's Local LAN reach the services over IPSec VPN. UnManaged Access: AnyConnect clients reach them over SSL VPN (Remote Access VPN). The services provide IP Connectivity to Internet Sites such as Amazon and Salesforce. Service catalogue: DDoSaaS, IDaaS, ESaaS, WSaaS, IPSaaS, FWaaS, VPNaaS.]

Page 86: Hosted Security as a Service - Solution Architecture Design

Summary

• Lower cost due to virtualization

• Faster time to service delivery (zero touch deployment, no truck roll), due to virtualization and service provisioning automation

• Operational simplicity due to virtualization

• Easy upsell for a multi-service strategy: additional services and revenue with no additional truck roll

• Value of a multi-service strategy for virtualized managed security services and Cloud hosted services

Page 87: Hosted Security as a Service - Solution Architecture Design

References

• Hosted Security as a Service (HSS) Documentation: http://www.cisco.com/go/hss

• Virtual Managed Services (vMS) Documentation: http://www.cisco.com/go/vms

• Cisco Adaptive Security Virtual Appliance (ASAv): http://www.cisco.com/c/en/us/support/security/virtual-adaptive-security-appliance-firewall/tsd-products-support-series-home.html

• Cisco Web Security Virtual Appliance (WSAV): http://www.cisco.com/c/en/us/support/security/web-security-virtual-appliance/tsd-products-support-series-home.html

• Cisco Email Security Virtual Appliance (ESAV): http://www.cisco.com/c/en/us/support/security/email-security-virtual-appliance/tsd-products-support-series-home.html

Page 88: Hosted Security as a Service - Solution Architecture Design

Thank you.

Page 89: Hosted Security as a Service - Solution Architecture Design