Hosted Security as a Service - Solution Architecture Design
TRANSCRIPT
Cisco Confidential© 2016 Cisco and/or its affiliates. All rights reserved. 1
Hosted Security as a Service – Solution Architecture and Design
Albra Welch – Security Solutions Architect, SBG
Michael Geller – Principal Engineer, CTAO
May 19, 2016
T-SP-30-I
Objectives
• This session targets hosted security services for Enterprises and Service Providers
• Understand the impact of orchestration and automation for hosted security
• Cool applications of elastic security services delivered from the cloud
• Performance and scalability considerations
• Security services with NFV and SDN
• Future thinking applications of security from the Cloud to YOUR network
Agenda
• Introduction
• The Hosted Security Service Architecture
• Architecture
• HSS: Architecture
• vMS: Architecture
• vMS: Demo
• HSS: Demo
• Conclusion
Session Description
This session provides an in-depth discussion of cloud-based security services leveraging Cisco security solutions. It is appropriate for service providers who are interested in delivering managed security services to their customers from their cloud infrastructure. We will provide detailed designs and guidance on:
• Cloud security services including FW, VPN, Web, Email and Routing services
• Architecture layers through the influence of NFV and SDN
• Orchestration flexibility and options
• Day 0 and Day 1 provisioning
• Day 2 monitoring and reporting
Security as a Service Architecture (diagram)
• Layers: OSS/BSS Integration and Service Intent; Orchestration; Security Services
• Security services hosted on WSAv and ESAv behind an ASAv and/or CSR1000v, with public IP addresses toward the Internet (public IP address space) and onward to Internet sites such as Amazon and Salesforce
• Managed Access: CPE at the customer site connects to the hosted services over IPSec VPN
• Unmanaged Access (Remote Access VPN): AnyConnect clients connect over SSL VPN
• Local LAN users reach the services over plain IP connectivity
• Service catalogue shown: DDoSaaS, IDaaS, ESaaS, WSaaS, IPSaaS, FWaaS, VPNaaS
IT Transformation
• More devices and more apps mean the attack surface has increased, and attack tools are evolving too
• Do more with less
• Users will get stuff done any way they can
• The hardware we use has never changed so fast
MSSP Market Segmentation
Source: Frost and Sullivan, Global Managed Security Services Market, March 2015
Managed Security Services segments:
• SAMM (Security Asset Monitoring and Management), split into Customer Premises Equipment (CPE)-based SAMM and Hosted SAMM
• TRIDR (Threat Research, Intelligence, Detection and Remediation)
• RCM (Risk and Compliance Management)
• AEM (Advanced and Emerging MSS)
Where Do Managed Security Services Live?
• Public: AWS, Google, Azure, etc.
• Private: SP infrastructure
• Hybrid: mix of Public and Private
Seamless end-to-end experiences, across workload size and type, are required regardless of app, service or environment; secure flexibility is a critical requirement.
Evolution of Managed Security Services: Premise to Cloud (diagram)
Three delivery models are compared: CPE Managed, Hybrid and Cloud. The functions shown are Switching, NAT, DHCP, AP, Voice, Routing, NGFW, VPN, IPS, Web, Email, Malware and Context. In the CPE Managed model all of them run on the CPE; moving to Hybrid and then Cloud, security functions (IPS, Web, Email, Malware, Context, then NGFW, VPN, NAT, DHCP and Routing) migrate to the SP, leaving only Switching, AP and Voice on the CPE.
Cloud Based Security Service Offerings: SaaS or Hosted
• SP Hosted Security Cloud: VPN, FW, NGFW, NGIPS, AMP, Web Security and Email Security as a Service, delivered either as Pre-Packaged NFV Security Service Bundles (vMS) or as A La Carte Hosted Security as a Service (HSS)
• Cisco Managed Security Cloud: Cloud Web Security (CWS) and Cloud Email Security (CES), which the SP/MSSP resells to Enterprises
Comparison of Cloud-Based Security Service Offerings
Columns: HSS and vMS (Solutions for SP Managed Security Cloud) versus Cisco Managed Security Cloud Services (e.g. Cloud VPN).
Services
  HSS: Flexible a la carte security services: VPN, Firewall, Web Security, Email Security or any combination bundles
  vMS: Pre-packaged NFV security services: Cloud VPN, Cloud VPN + Web Security
  Cisco Managed Security Cloud: SaaS: Web Security or Email Security
Delivery Model
  HSS: SP hosted within a virtual private cloud
  vMS: SP hosted within a virtual private cloud
  Cisco Managed Security Cloud: Public cloud, Cisco hosted; SP acts as a reseller or MSSP
Pricing Model
  HSS: SP price per bandwidth usage with per user add-on
  vMS: SP price per bandwidth usage with per user add-on
  Cisco Managed Security Cloud: Price per user
SP CapEx Costs
  HSS: Infrastructure + security software + orchestration
  vMS: Infrastructure + security software + orchestration
  Cisco Managed Security Cloud: None
SP OpEx Costs
  HSS: Yes. Data center operation + service operation
  vMS: Yes. Data center operation + service operation
  Cisco Managed Security Cloud: Reduced
Reporting / log data
  HSS: Owned by SP, stays at SP DC
  vMS: Owned by SP, stays at SP DC
  Cisco Managed Security Cloud: Centralized in Cisco Cloud / local log
Orchestration / Management
  HSS: With third-party tools (e.g. UBIqube)
  vMS: Cisco Tail-f orchestration, with NFV service chaining
  Cisco Managed Security Cloud: Cisco turnkey service, transparent to SP
Cloud Platform
  HSS: Cisco VMDC/VSA, VMware
  vMS: OpenStack with KVM
  Cisco Managed Security Cloud: Transparent to SP
Market Opportunity: Cloud Service Delivery Shows Higher Growth, but CPE Based Still Growing (charts)
Chart 1: Worldwide Cloud-Based Service Revenue Share by Technology, CY10 to CY19, revenue in US$ billions (axis $0 to $14); categories: Content security, Managed firewalls, Other security services, DDoS mitigation, IDS/IPS. Marker shown: $7.2B.
Chart 2: Worldwide CPE-Based Service Revenue Share by Technology, CY10 to CY19, revenue in US$ billions (axis $0 to $12); same categories.
Source: © 2015 IHS / Infonetics Research: Cloud and CPE Managed Security Services Market Size and Forecasts; March 2015
Technical Drivers and Challenges
• Scalability: Scale to support increasingly large numbers of transactions and sites
• Sizing and capacity planning: Challenges in sizing the service delivery platform and virtual CPE platforms
• Pay as you grow solution: High cost / upfront investment impacts service ROI
• Ease of deployment and service agility: Complexity limits service adoption and the addressable market
• Ease of operation: Implementing a set of management solutions that require service operation people to perform complex and frustrating tasks using disparate management systems
• Business and technical view: Business focused reporting versus technical oriented reporting
Service Needs
• Management: Multi-Tenant / Multi-Role / API for integration with existing SP OSS/BSS tools
• Customer Web Portal: Customer self service portal for service monitoring and self care change management
• Hardware: Low CapEx / OpEx integrated solution
• Bandwidth: Up to multi-Gb per customer tenant
• Malware / Anti-Virus Update: In-service upgrades without service interruption
• Performance Monitoring: Monitor traffic profile and virtual appliance health for capacity planning purposes
• Security Policy Management: Centralized management of security policies
• Virtualization: Solution must be available as a virtual appliance for private and public cloud deployment
• Data Retention: Service management platform needs to support data retention policies
• Security Event and Incident Management: Centralized event and incident management
• Security Reporting: Custom security reports for security appliances
Cisco Business Case Modeling to Predict ROI, TCO, Profit (diagram)
Inputs: market segment (tenant) parameters, business and system parameters, service pricing. Output: service provider revenue and profit.
Focus of Service Creation Team (diagram)
Service Discovery and Service Creation Workshops are part of the wider process of building services.
Stages: Identify/Qualify the Opportunity; Cloud Service Discovery; Cloud Service Envision; Cloud Service Build; Cloud Service Market and Sell.
Service Development Lifecycle activities: Service Portfolio and Country Planning; Service Discovery Workshop; per service: Exec sponsorship, Service Creation Workshop, Business Case, Partner Qualification and Partner Selection, Proposal; Solution Design; Operation and Service Delivery; Marketing Plan and Marketing; Sales Enablement and Sales Engagement.
Legend: Cisco leads; joint CSP and Cisco; CSP or Cisco AS leads.
Cisco Security Vision and Strategy: Covering the Entire Attack Continuum
Services: DDoS Visibility / Mitigation Services; Firewall; NGFW; Secure Access + Identity Services; VPN; UTM; NGIPS; Web Security; Email Security; Advanced Malware Protection; Network Behavior Analysis; Malware Sandboxing; Vulnerability Assessment
Attack Continuum:
• Before: Control, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate
Security as a Service Architecture (diagram)
• Infrastructure: Hypervisor, Compute, Storage
• Services layer, per tenant: Tenant 1: FWaaS, WSaaS, ESaaS; Tenant 2: NGFW/IPSaaS, VPNaaS, IDaaS; Tenant 3: FWaaS, DDoSaaS
• Orchestration layer: Policy, Analytics, Reporting
Security Service Examples:
FWaaS – Firewall as a Service
VPNaaS – Virtual Private Networking as a Service
NGFW/IPSaaS – Next Generation Firewall and Intrusion Prevention System as a Service
WSaaS – Web Security as a Service
ESaaS – Email Security as a Service
IDaaS – Identity as a Service
DDoSaaS – Distributed Denial of Service Mitigation as a Service
Firewall as a Service: FW-aaS
ASAv or CSR1000v with Centralized Management and Reporting
Firewall Support
• Stateful inspection
• Application inspection
• Network address translation
• Encrypted traffic inspection
• Protocol inspection
Advanced Firewall
• Identity-aware policy enforcement
• Malware traffic detection and blocking
• Botnet traffic filter
• Voice and video security
Per throughput and per feature service pricing
Firewall-aaS Tiers Example
Tier matrix (Bronze / Silver / Gold; Included) over feature categories, mapped to Before / During / After: NAT Address Translation; Stateful Inspection; High Availability; Advanced Management
Firewall-aaS Tiers Example (reference slide)
Tier matrix (Bronze / Silver / Gold; Included vs Option) by category and feature, mapped to Before / During / After:
• Network Address Translation: NAT/PAT
• Stateful Inspection: L3 firewall; Transparent firewall; Proxy authentication; Application hosting private zone; Application control (IM, peer to peer); Voice security support
• High Availability: Within SP data center; Between SP data centers
• Management: Customer self service portal; Streamlined management; Auto generated reporting; Custom reporting; Data log retention (1 month); Extended data log retention (>1 month)
VPN as a Service: VPN-aaS
ASAv or CSR1000v with Centralized Management and Reporting
VPN Services
• Site-to-site VPN through Internet FW
• Remote access VPN
• IPSec, SSL VPN
• Session persistence (always on VPN)
Per throughput and per user service pricing
VPNaaS Tiers Example
Tier matrix (Bronze / Silver / Gold; Included) over feature categories, mapped to Before / During / After: Customer Site to Cloud IPSec VPN Service; Remote Access VPN; High Availability; Advanced Management
VPNaaS Tiers Example (reference slide)
Tier matrix (Bronze / Silver / Gold; Included vs Option) by category and feature, mapped to Before / During / After:
• Customer Site to Cloud IPSec VPN Service: Support for multiple crypto policies (DES, 3DES, AES …); Pre-shared key VPN authentication; Digital certificate VPN authentication; Multiple classes of service / traffic prioritization policies
• Remote Access VPN: IPSec based remote access VPN; Client-less SSL remote access VPN; Client-based SSL remote access VPN; Authentication integration with the enterprise's RADIUS, LDAP and AD servers; Basic authentication (username and password based); Strong authentication / token based authentication; Digital certificate based authentication
• High Availability: Active / Passive within SP data center; Active / Active within SP data center; Active / Passive between SP data centers; Active / Active between SP data centers
• Management: Customer self service portal; Streamlined management; Auto generated reporting; Custom reporting; Data log retention (1 month); Extended data log retention (> 1 month)
Web Security as a Service: WS-aaS
WSAv with Centralized Management and Reporting
• Anti-malware protection
• Web content analysis
• Web usage controls
• Application visibility
• Bi-directional control
Per user pricing model driven by features
Web Security-aaS Tiers Example
Tier matrix (Bronze / Silver / Gold; Included) over feature categories, mapped to Before / During / After: Real Time Threat Protection Services; Acceptable Use Services; Policy Control; High Availability; Advanced Management
Web Security-aaS Tiers Example (reference slide)
Tier matrix (Bronze / Silver / Gold; Included vs Option) by category and feature, mapped to Before / During / After:
• Real Time Threat Protection Services: Web reputation filtering; Malware scanning
• Acceptable Use Services: Web URL monitoring by category; Web URL filtering (blocking); Web application monitoring; Web application control; SaaS access control; Transparent user authentication; Advanced Malware Protection
• Policy Control: Granular access and control policies; Remote access user control policies
• High Availability: Within SP data center; Between SP data centers
• Management: Customer self service portal; Streamlined management; Auto generated reporting; Custom reporting; Data log retention (1 month); Extended data log retention (> 1 month)
Email Security as a Service: ES-aaS
Inbound and Outbound Security Control
ESAv with Centralized Management and Reporting
• Inbound Security: Virus and Malware Defense; Spam Defense
• Outbound Control: Data Loss Prevention; Secure Messaging (Encryption)
Per user pricing model driven by features
Email Security-aaS Tiers Example
Tier matrix (Bronze / Silver / Gold; Included) over feature categories, mapped to Before / During / After: Inbound Email Protection; Outbound Email Protection; Policy Control; High Availability; Advanced Management
Email Security-aaS Tiers Example (reference slide)
Tier matrix (Bronze / Silver / Gold; Included vs Option) by category and feature, mapped to Before / During / After:
• Inbound Email Protection: Reputation scoring and SMTP blocking; Anti-spam; Outbreak filters, Sophos anti-virus; Inbound email content filtering; Quarantine; Advanced Malware Protection
• Outbound Email Protection: Anti-virus; Outbound email content filtering; Integrated RSA data loss prevention; DLP RSA enterprise manager integration (enterprise provided); Large volume; Quarantine
• Policy Control: Granular policy control; Roaming users protection
• High Availability: Within SP data center; Between SP data centers
• Management: Self service portal; Streamlined management; Auto generated reporting; Custom reporting option; Data log retention (1 month); Extended data log retention (> 1 month)
NGFW/IPSaaS Tiers Example
Tier matrix (Bronze / Silver / Gold; Included) over feature categories: Application Visibility and Control (NGFW); Threat Protection (NGIPS); High Availability; Advanced Management
NGFW/IPSaaS Tiers Example (reference slide)
Tier matrix (Bronze / Silver / Gold; Included vs Option) by category and feature, mapped to Before / During / After:
• Application Visibility and Control (NGFW): Network, user and application discovery; Application traffic filtering; URL filtering; File blocking (block xyz file type)
• Threat Protection (NGIPS): IPS Basic Threat Protection Services (SNORT signatures); IPS premium security signatures and content; Security intelligence feeds; AMP (Advanced Malware Protection – disposition from the cloud/policy)
• High Availability: Configurable “fail open” – Appliance only; “Fastpath” and Trust Rules – Exclude/Include velocity
• Management: Streamlined management; IPS signature update; Advanced/Custom reporting; Automated policy tuning – Advanced/Custom policy tuning; Event correlation – Customized event correlation services; Impact analysis
Hosted Security as a Service (HSS)
• Enables Cisco partners to deliver security services from their Cloud infrastructure or as a managed private cloud offering
• Cisco’s virtual security appliance products (ESAv, WSAv, ASAv, CSR1000v, …) and third party products
• Comprehensive management system using UBIqube as a security domain manager
  • Fulfillment
  • Assurance
  • Northbound API for integrating with Cloud Orchestration Solutions
• Solution supported with IaaS solutions: VMDC 2.3 and VSA 1.0
• Platform based on Cisco Unified Computing System (UCS)
• Flexible deployment models
HSS Architecture (diagram)
• Delivered from the service provider’s infrastructure
• UBIqube MSActivator used as the Security Domain Manager
• Orchestration software interfaces with native appliance configuration mechanisms
• All customer data lives inside the SP Cloud environment
• Security on virtual form factor available today
Layers shown:
• Infrastructure: VMware ESXi on Cisco UCS with storage
• Services layer (multi-tenant security appliances): Tenant 1: ASAv, WSAv, WSAv; Tenant 2: ASAv, WSAv, ESAv; Tenant 3: CSR1Kv, ESAv
• Orchestration layer: Policy, Analytics, Reporting, integrated with the SP’s existing orchestration, reporting and billing infrastructure through a Provisioning API, a Reporting API and a Billing API
HSS on VSA 1.0 Expanded Gold Container: ASAv, WSAv, ESAv (topology diagram)
• Tenant 1 site (AD, DNS, MS Exchange) reaches the SP over MPLS VPN or IPSec VPN; Tenant 1 mobile workers come in over the Internet. The ASR9000 carries the Customer VRF and the Global (Internet) routing table.
• Nexus 5000/7000/9000 L2 fabric with a Shared Transit VLAN and Per-Tenant VLANs; ASA5585X at the container edge.
• Tenant 1 Expanded Gold Container on UCS virtual machines: ASAv fronting the WSAv and ESAv, with a Tenant 1 Private Zone (Private Tier 1, 2 and 3 VMs) and a Tenant 1 DMZ Zone.
• SP Management Zone: UBIqube and vCenter.
Note: redundant nodes are not shown.
HSS on VSA 1.0 Expanded Gold Container: CSR1Kv, WSAv, ESAv (topology diagram)
Same topology as the previous slide (ASR9000 with Customer VRF and Global, Nexus L2 fabric, ASA5585X, Shared Transit VLAN and Per-Tenant VLAN, Tenant 1 Private Zone, DMZ Zone and SP Management Zone with UBIqube and vCenter), but the tenant container uses a CSR1Kv instead of the ASAv in front of the WSAv and ESAv.
Note: redundant nodes are not shown.
HSS on VSA 1.0 Expanded Gold Container: CSR1Kv, ASAv, WSAv, ESAv (topology diagram)
Same topology as the previous slides, with both a CSR1Kv and an ASAv in the Tenant 1 Expanded Gold Container alongside the WSAv and ESAv; Private Tier 1, 2 and 3 VMs in the Tenant 1 Private Zone, Tenant 1 DMZ Zone, and SP Management Zone with UBIqube and vCenter.
Note: redundant nodes are not shown.
HSS on VSA 1.0 Expanded Gold Container: Customer Hosted Email Inbound Flow (topology diagram)
Inbound email arrives from the Internet through the ASR9000 Global table and the ASAv to the ESAv in the Tenant 1 DMZ Zone, then continues over the MPLS VPN or IPSec VPN to the MS Exchange server hosted at the Tenant 1 site (alongside AD and DNS).
Note: redundant nodes are not shown.
HSS on VSA 1.0 Expanded Gold Container: SP Hosted Email Inbound Flow (topology diagram)
Same inbound path from the Internet through the ASR9000 and ASAv to the ESAv, but MS Exchange is hosted in the SP container (Tenant 1 Private Zone) rather than at the Tenant 1 site, which keeps only AD and DNS.
Note: redundant nodes are not shown.
HSS on VSA 1.0 Expanded Gold Container: ASAv Web traffic flow – Explicit Proxy (topology diagram)
The WSAv is set up as the web proxy on the user’s endpoint, so client web requests from the Tenant 1 site and Tenant 1 mobile workers are addressed directly to the WSAv behind the ASAv before leaving toward the Internet.
Note: redundant nodes are not shown.
HSS on VSA 1.0 Expanded Gold Container: ASAv Web traffic flow – Transparent Redirection with Policy Based Routing (topology diagram)
Policy Based Routing in the ASAv provides transparent redirection: web traffic from the Tenant 1 site and mobile workers is steered to the WSAv without any proxy setting on the endpoint.
Note: redundant nodes are not shown.
HSS on VSA 1.0 Expanded Gold Container: CSR1Kv Web traffic flow – Transparent Redirection with WCCP (topology diagram)
WCCP in the CSR1Kv provides transparent redirection: web traffic from the Tenant 1 site and mobile workers is intercepted on the CSR1Kv and redirected to the WSAv.
Note: redundant nodes are not shown.
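The two transparent-redirection slides above show the traffic flow but not what the redirection looks like on the device. The configuration fragment below is an added example written for this transcript; it is not taken from the Cisco deck or from a Cisco design guide. Everything in it that is not on the slides is constructed: the tenant private zone 10.1.10.0/24, the WSAv data interface 10.1.20.10, the interface names, the ACL and route-map names and the WCCP password.

```text
! ---- ASAv (ASA 9.4 or later): transparent redirection with policy-based routing ----
! Constructed example: tenant private zone 10.1.10.0/24 sits behind GigabitEthernet0/3,
! the WSAv data interface is 10.1.20.10. Only HTTP/HTTPS from the tenant zone is matched,
! so everything else keeps following the normal routing table.
access-list TENANT1-WEB extended permit tcp 10.1.10.0 255.255.255.0 any eq www
access-list TENANT1-WEB extended permit tcp 10.1.10.0 255.255.255.0 any eq https
!
route-map TENANT1-TO-WSAV permit 10
 match ip address TENANT1-WEB
 set ip next-hop 10.1.20.10
!
interface GigabitEthernet0/3
 nameif tenant1-private
 security-level 100
 ip address 10.1.10.1 255.255.255.0
 policy-route route-map TENANT1-TO-WSAV

! ---- CSR1000v (IOS XE): transparent redirection with WCCP ----
! The well-known "web-cache" service group covers TCP/80; HTTPS needs a dynamic service
! group defined on the WSAv and is omitted here. The group-list restricts which hosts may
! register as a cache engine and the password authenticates WCCP messages, so a host that
! is not the WSAv cannot join the service group and receive the redirected traffic.
ip access-list standard WCCP-CACHES
 permit 10.1.20.10
ip access-list extended TENANT1-WEB
 permit tcp 10.1.10.0 0.0.0.255 any eq www
!
ip wccp web-cache redirect-list TENANT1-WEB group-list WCCP-CACHES password 0 TENANT1-WCCP-KEY
!
interface GigabitEthernet2
 description Tenant 1 private zone
 ip address 10.1.10.1 255.255.255.0
 ip wccp web-cache redirect in
```

In both variants the WSAv must run in transparent mode and the redirecting interface must not be the one the WSAv's own outbound requests enter on, otherwise the proxy's traffic is redirected back to itself. Keeping the match list to the tenant subnet and web ports, and pinning the WCCP group to a known cache address with a password, are the two checks worth verifying on a deployed tenant container.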
HSS VSA 1.0 Components
HSS component, version, Required/Recommended/Optional:
• ASAv, version 9.52(204): Required
• WSAv, version 9-0-1-162: Required
• ESAv, version 9-7-1-066: Required
• AnyConnect, version 4.2: Required
• UBIqube MSActivator, version 15.3.2: Recommended
• Virtual Services Architecture, version 1.0: Recommended
VSA 1.0 Expanded Gold Container
VSA 1.0 component, version, HSS platform options, Required/Recommended/Optional:
• Unified Computing System (UCS) B-Series, 2.2(3d); HSS: UCS B or C; Required
• UCS C-Series, 1.5(1f); HSS: UCS B or C; Required
• ASR 9000, IOS XE 5.1.2; HSS: Cisco 7600 / ASR 1000 / ASR 9000; Recommended
• Nexus 7000, NX-OS 6.2(2); HSS: Nexus 7000 / Nexus 9000; Recommended
• Nexus 5000, NX-OS 6.0(2)N2(6); Recommended
• UCS 6200, NX-OS 5.2(3)N2(2.23g); Recommended
• NetApp FAS8020, ONTAP 8.1; HSS: NetApp, EMC or VMware virtual SAN; Recommended
• VMware vSphere, 5.5.0 Build 1623387; Required
• VMware vCenter, 5.5.0 Build 2183111; Required
HSS on VMDC 2.3 Expanded Gold Container (topology diagram)
• Customer site (AD, DNS, MS Exchange) connects over MPLS VPN to the ASR1006 (Customer VRF and Global); Remote Access VPN users come in from the Internet.
• Nexus 7004 with Customer PVT Outside VRF, Customer PVT Inside VRF and Customer DMZ VRF; ASA5555 and ASA5585X provide the Customer Private Context and Customer DMZ Context.
• UCS hosts with Citrix/F5 load balancers and VMs for ESAv and WSAv; Private Zone with 3 VLANs, DMZ 1 (1 VLAN) and DMZ 2 (1 VLAN); Shared Transit VLAN and Per-Tenant VLANs.
• SP Management zone with UBIqube and vCenter.
Note: redundant nodes are not shown.
HSS Security Domain Management
About UBIqube
• UBIqube is a privately funded Network Software specialist
• MSActivator™ = Automated Device configuration and Service orchestration framework: Any device, Any service, Any vendor
• Sales presence in Europe, USA, ME, Far East, India
• Partners: Network and security vendors, OSS vendors, MSPs
• Customers: Service Providers, Enterprise (multivendor IT security management)
HSS Security Domain Manager – UBIqube MSActivator (diagram)
• Northbound: Web Portal GUI; 3rd Party OSS/BSS via Web Services (verbs and Web Services API, order stack management)
• Service layer: Service Profiles; Service Designer templates and objects
• OBMF Mediation Layer with Device Adaptors built on the SDK, each offering Update Conf, Restore Conf, Get Asset and Update Firmware
• Southbound interface protocols: SSH, Telnet, SNMP, Syslog, HTTP, FTP, OpenFlow, NetFlow, TR-069, VoIP
MSActivator Adaptable Framework (diagram)
• Service Designs SDK: SDK for adapting/creating new functions over the MSA framework (analytics, services, etc.); web based object editor, central repository, a couple of days per service
• Adaptor SDK: SDK for integrating new devices (physical and virtual)/vendors (syntax) and protocols over the MSA framework; PHP based, a couple of weeks per vendor
• Components: Service Provider Third Party Tool and Service Designer on top of the Service Orchestrator (Northbound API); Network Provisioning, Security Policy Provisioning, VIP Provisioning and Cloud Provisioning; OBMF™ Core Engine; Physical Device Adaptor and Virtual Device Adaptor
MSA Features Highlighted (Platform, Mediation, Portal)
• Telco grade scalability
• Modular building blocks
• Multi vendor
• Multi-Tenant (RBAC)
• Highly abstracted provisioning
• Day 0 (ZTD) to Day 2 change management
• Brown field deployment
• Comprehensive APIs
• Flexible Platform via open SDK
• Auto Order -> Activation
• Network and Services inventory
• Big Data Analytics
• Customer self service
• Network operation center
• Partitioned views
• Enable remediation by lower skilled operators
• Customizable by language, look and feel
• Centralized control and workflow automation
Multi-Tenant – Multi-Roles (diagram)
Role hierarchy: Privileged Administrator (ncroot) -> Administrators (Administrator A, Administrator B, Administrator C) -> Tenants -> Customers -> Sites -> Devices.
Example: Privileged Manager PM1 with Manager M1 and Manager M2; Customer Wells Fargo (Site1, Site2) and Customer ABC Tech (Site1, Site4) with Operator ABC and Operator DEF; Privileged Manager PM2 with Customer YTT Corp.
Securing the Application Delivery
• Security is all about two concepts: Visibility & Control
• Threats are mitigated as close to the source as possible
• Security services are dynamically chained together and instantiated to form a service chain that mitigates a specific threat and/or provides a managed security service on distributed compute resources
• Threat defense provides a distributed capability to mitigate threats, targeted at the network, the Data Center, the Cloud and the applications they serve
Diagram: Endpoints and Customer Premises Equipment (Cable or DSL, Enterprise, Mobility); SP Virtualized Network Edge; Service Provider Data Center and Cloud (Private Cloud); Internet and Intercloud (Public and Partner Cloud).
Background (diagram)
Goal Defined:
• Service immediacy and speed
• Freedom of choice, service customization
• Personalized experience, user in charge
• Consumption based economics
• Bring your own device, craft your own design
Goal Realised:
• Automated service delivery simplicity and efficiency (“IT-less”)
• Automated service creation, high cadence of new services
• Self-service creation and reporting
• Elasticity of network and compute resources
• Open architecture, extensibility
Orchestration Layer (Network Service Lifecycle Management): service models; soft real-time service to device mappings; event driven; creation of cloud devices; discovery of devices.
Network Layer (Control and Data Planes): network topology; physical devices; virtual devices; CPE devices.
Evolution of Managed Services – Premise to Cloud (diagram)
• Network Functions: from Network Functions on the CPE (Customer Premise) to Virtual Network Functions delivered as Network Functions from the Cloud (SP Hosted)
• Network (connecting Premise to Cloud): Secure IP Overlays; MPLS (L2/L3); Carrier Ethernet; Intelligent / Hybrid
• Cloud Application Containers: Applications from the Cloud; SP Hosted Cloud; Cloud (SP Hosted or Public Cloud); Cisco Cloud; SP Private Cloud; Virtual Private Cloud; Public Cloud
• CPE models: L3 “classic”; L2 NID; L3 CPE + x86 on premise; Simple L3 CPE; x86 on premise
Virtual Managed Services
Common Software Elements - Flexible Network Access Models
• Common service orchestration and automation
• Consistent portal and service dashboard
• Instrumentation
[Diagram: vRouter, vFirewall and vWSA deliver Cloud VPN, Cloud IWAN (vRouter, WaaS, AVC, PfR) and Remote Access across branch offices, business locations and HQ, over dedicated Internet, secure broadband, secure MPLS and the Internet, reaching private, public and service provider clouds]
Customer Experience in Brief
1. Order / customize your services
2. CPE ships (if needed)
3. CPE is connected (if needed)
4. Orchestration occurs automatically
Service is up and running.
[Diagram: customer site connected by VPN over the Internet to the service provider cloud]
vMS Value-Adds
Developing Managed Services on Platform
• A Service Blueprint is an abstract representation of a service that can be ordered through the UI or NB API
• Every Service Blueprint is associated with a given Service Offering
• A ‘Function Pack’ is the set of components needed to instantiate a given service request
• Service topology, written in YANG, modeling the “Intent” to instantiate a particular service offering
• A Service API is exposed from the Virto Model northbound (automatically created at compile time)
• A Service Request is the user calling the model with defined variables according to the service
• The orchestrator is already aware of all Service Models that may be requested; these are preloaded into the Orchestrator
[Diagram: a Service Request calls the compiled Service API; the Function Pack contains the Service Topology Model (Virto), Instantiation Logic, Device Models and Device Drivers, sitting on the Infrastructure]
vMS Orchestration Component Mapping
[Diagram: the Operator Portal and OSS/BSS consume Service APIs; the NSO Orchestrator (VNF-O) exposes customer facing services and resource facing services, drives ESC (VNF-M) and OpenStack, and manages the VNFs (CSR, ASAv, WSAv, VTF as DC overlay), the SDN controller with OVS as DC overlay, and the physical ISR over SSH]
End User Portal
Exposing Service Blueprints to the Operator
• The Orchestration Process can be kicked off through a Portal
• The Portal is aware of the different Service Blueprints that can be exposed to an operator
• The values selected in the Service Selection process result in the subsequent API call into NSO
• The portal was developed with two modules:
  • Front-end: skinned to the customer’s requirements
  • Back-end: modified to support the Service Blueprints that can be orchestrated
vMS VNF-O; NSO from Tail-f
• Open PnP Server: Zero Touch Deployment (ZTD); an open method for ZTD access
• Transaction Database (CDB): a transactional database that allows full CRUD capabilities on services
• Service Manager: interprets the Service Intent with service instantiation rules and derives configuration deltas
• Device Manager: manages the derived and validated configurations in a transactional manner towards the derived infrastructure
• Network Element Drivers: abstract the interfaces to the devices, allowing 3rd party infrastructure to participate in service instantiation
• Service Models written in YANG abstract the service from the underlying physical devices
• Mapping Controller: maps the Service Intent to the derived device topology; known as “Fastmap”
• Southbound, NSO reaches domain controllers over REST/NETCONF/YANG as well as x86, ISR and virtual devices
[Diagram: service intents enter NSO from the north; the PnP server, CDB, Service Manager, Device Manager and Network Element Drivers sit above the domain controller and the x86, ISR and virtual devices]
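The Service Manager, Device Manager and Fastmap steps described on this slide (and the YANG-modelled service intent of the Value-Adds slide), as an added Python sketch that is not NSO's or vMS's own code: the device names, configuration keys, intent format and the failing-device fault are all constructed for the example.

```python
# Added illustration (not NSO or vMS code): a FASTMAP-style service manager.
# A service intent is rendered into per-device config, diffed against what
# each device holds and against what this service wrote last time (so removed
# sites are cleaned up), then committed as one transaction with rollback.
def derive_config(intent):
    """Service instantiation rule: CloudVPN intent -> {device: {key: value}}."""
    hub, derived = intent["hub"], {}
    for site in intent["sites"]:
        cpe = site["cpe"]
        derived.setdefault(cpe, {})[f"tunnel {intent['service_id']}"] = f"ikev2 peer {intent['hub_ip']}"
        derived.setdefault(hub, {})[f"peer {cpe}"] = f"ikev2 peer {site['wan_ip']}"
    return derived

class ServiceManager:
    def __init__(self, device_names, failing=()):
        self.devices = {n: {} for n in device_names}  # device -> current config
        self.failing = set(failing)   # constructed fault: devices that reject commits
        self.owned = {}               # service_id -> derived config last committed

    def commit(self, intent):
        """Derive, diff and apply; returns the delta ({} means nothing to do)."""
        sid, desired = intent["service_id"], derive_config(intent)
        previous, delta = self.owned.get(sid, {}), {}
        for dev in set(desired) | set(previous):
            want = desired.get(dev, {})
            changes = {k: v for k, v in want.items() if self.devices[dev].get(k) != v}
            changes.update({k: None for k in previous.get(dev, {}) if k not in want})  # None = delete
            if changes:
                delta[dev] = changes
        snapshots = {dev: dict(self.devices[dev]) for dev in delta}
        try:
            for dev, changes in delta.items():
                self._push(dev, changes)
        except RuntimeError:          # one device rejecting rolls back all of them
            self.devices.update(snapshots)
            raise
        self.owned[sid] = desired
        return delta

    def _push(self, dev, changes):
        if dev in self.failing:
            raise RuntimeError(f"{dev} rejected the commit")
        for key, value in changes.items():
            if value is None:
                self.devices[dev].pop(key, None)
            else:
                self.devices[dev][key] = value

# Constructed sample intents: hub vRouter csr1 plus branch CPEs isr-a and isr-b.
INTENT_AB = {"service_id": "cvpn-1", "hub": "csr1", "hub_ip": "203.0.113.1", "sites": [
    {"cpe": "isr-a", "wan_ip": "198.51.100.10"}, {"cpe": "isr-b", "wan_ip": "198.51.100.20"}]}
INTENT_A = {**INTENT_AB, "sites": INTENT_AB["sites"][:1]}
```

Re-committing an unchanged intent yields an empty delta, shrinking the intent deletes only the keys this service owned, and a rejected push leaves every device at its pre-transaction snapshot.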
vMS VNF-M; Elastic Services Controller
• Rules Engine: data model driven affinity rules and scale requirements for the VNF components; also manages the startup sequences
• Service Monitor (custom, DHCP, SNMP, Ganglia): ESC uses a multidimensional approach to VNF monitoring and restartability
• Service Provisioning, Scale Up/Down and Elasticity
• Custom Day 0 Config
• VM Provisioning and Configuration Module: VNF bring-up and initial configuration application, with multi-vendor support
• NSO API (Confd): allows modular communication with NSO; a programmable interface to ESC allows functional interaction with the ESC subcomponents
• Runs on OpenStack and public clouds
[Diagram: Elastic Services Controller (ESC) subcomponents, with NSO above via the Confd API and OpenStack / public clouds below]
vMS VIM; OpenStack, OVS, and SDN Controller
• OVS will be supported by ODL in a coming release
• A common Neutron plugin gives an upgrade path on the SDN Controller
[Diagram: NSO and ESC drive OpenStack (Nova, Image Management, Neutron with ML2 plugins for OVS and ODL); the ODL Controller (model driven, MDSAL) programs OVS or VPP ports for each VNF on the management, external, internal, edge-network and Internet networks]
vMS Use Cases and Their Service Topologies
vMS Release 2.0: Delivering Comprehensive Cloud VPN Services
Cloud VPN Services
• 3 Service Models for Enterprise deployment flexibility:
  • CloudVPN Foundation
  • CloudVPN Advanced
  • CloudVPN Advanced w/Web Security
• vIPS option for both Advanced and Advanced w/Web Security
• CSR1Kv: Virtual Router for Site-to-Site VPN with Secure IP Overlay using FlexVPN/IKEv2 for IPSec tunnels
• ASAv: vFW with NAT and Policy (*)
• ASAv: vFW with IPSec/SSL Remote Access (*)
• WSAv for Enhanced Web Security (*)
Management and Orchestration
• Enterprise Admin Service Interface (Portal) driven service instantiation
• Zero-Touch Deployment of enterprise CPE (ISR G2)
• Model driven Network Services lifecycle management with Network Service Orchestrator (NSO) from Tail-f
• VNF lifecycle management with Elastic Services Controller (ESC)
• Virtual Infrastructure Management with OpenStack featuring OVS and ODL/VPP as SDN Controllers
[Diagram: NSO (NFV Orchestrator, with PnP RFS, VirTo RFS and API), ESC (VNF Manager) and OpenStack (Virtual Infrastructure Manager) instantiate per-customer service topologies: Foundation (VR only, direct Internet access via “split tunnel”), Advanced (VR plus ASA) and Advanced w/Web Security (VR, ASA and WSA); the CPEs of customers A, B and C reach the service over Flex-VPN links (IPSec VPN service access) or over-the-top Internet access, with vRouter Internet access / remote access and a CPE-managed orchestration link]
[Diagram: vMS Services on CIS. Branch CPEs (ISR 800, 1900, 2900, 3900, 4000 Series; ISR G2 and 4000 Series) consume Managed WAN (CloudVPN over IPSec via vRouter CSR1Kv, MPLS VPN, IWAN with Internet/MPLS DMVPN and BR/MC) and Managed Security (Firewall ASAv, Web Security WSAv, Remote Access) between branches, headquarters and the Internet]
Cisco Intelligent WAN
Solution Components for SPs
• Intelligent Path Control: load balancing, policy-based path selection, network availability
• Secure Connectivity: scalable, strong encryption; app-aware threat defense; cloud web security
• Application Optimization: application visibility, app acceleration, intelligent caching
• Hybrid WAN: application-centric design, common operational model, deployment flexibility
vMS Components for IWAN
• NSO Orchestration
• Service Assurance
• Operator Views
• CFS (Ordering Experience)
• Identity Management for SSO
• Portal for Network Visualization
• Living Objects for Network/App/Perf View
Hybrid WAN: Leveraging the Internet
Secure WAN Transport and Internet Access
• Secure WAN transport for private and virtual private cloud access
• Leverage the local Internet path for public cloud and Internet access
• Increased WAN transport capacity and cost effectiveness
• Improved application performance (right flows to right places)
[Diagram: a branch uses secure WAN transport over MPLS (IP-VPN) to reach the private and virtual private cloud, and direct Internet access to reach the public cloud]
Each vMS Use Case Has Orchestration, Portal and Assurance Components
• Portal implements the ordering and self-service management UI as well as APIs
• Service provisioning and service change are performed by Orchestration
• Health, metrics and consumption data are provided by Assurance
[Diagram: example operator view and customer view for the Cloud VPN service]
Leveraging Microservices in vMS
What Are Microservices?
• Each microservice is relatively small
• Easier for a developer to understand
• The web container starts faster, which makes developers more productive and speeds up deployments
• Each service can be deployed independently of other services, making it easier to deploy new versions of services frequently
• Easier to scale development: each team is responsible for a single service
• Improved fault isolation: for example, if there is a memory leak in one service then only that service will be affected
• Each service can be developed and deployed independently
• Eliminates any long-term commitment to a technology stack
http://microservices.io/patterns/microservices.html
Microservices Enable Architecture Extensibility in vMS Portal
• Scale up a service
• Replace a service
• Add a service
• Write a service in any language
• Inter-microservice communications also go through the API gateway
[Diagram: example in which Symphony UI, a custom app, identity management and manage/monitor functions consume an API gateway; services such as Consume (based on Python) and a Recommendation Service (based on C++) register and unregister with the gateway]
Designed for SP Environment but Works Fully Standalone
vMS components:
• Front End: UX/UI
• Back End: vMS Services, Orchestration
• Common Infrastructure Services: Log Aggregation, Identity/RBAC, Ticketing
SP integration points:
• SP Identity Provider: who is the SP customer?
• SP Fulfillment: is there any physical/un-orchestrated fulfillment?
• SP BSS: product/offer definition, pricing, subscription, and customer billing
• SP Helpdesk: your system for handling customer support requests
• SP Assurance / OSS Analytics: your data collection engine can provide deeper insights for vMS customers as well as operators
vMS 2.0 Deployment Architecture
PaaS-based to deliver manageability, cloud native scalability and resilience
• HTTP Load Balancer / Router
• Cloud Controller and Health Manager
• API Gateway
• Micro-Services: Service Assurance, ESC, NCS
• Cloud Storage
• Platform services delivered as a service: Identity Mgmt., Service Discovery, Logs/Metrics, Cassandra / Hadoop / Redis
Demo: vMS
[Diagram: vMS demonstration topology on CIS (vMS on IaaS): branch CPEs (ISR 800, 1900, 2900, 3900, 4000 Series) with VPN, Managed WAN (CloudVPN over IPSec via vRouter CSR1Kv) and Managed Security (Firewall ASAv, Web Security WSAv, Remote Access) towards the Internet]
Demo: HSS
Security as a Service Architecture
[Diagram: OSS/BSS integration passes service intent to orchestration, which instantiates the security services (VPNaaS, FWaaS, IPSaaS, WSaaS, ESaaS, IDaaS, DDoSaaS) built from ASAv and/or CSR1000v, WSAv and ESAv on public IP addresses; managed access from CPEs arrives over IPSec VPN, unmanaged access from AnyConnect clients over SSL remote access VPN, and IP connectivity to Internet sites such as Amazon and Salesforce crosses the public Internet]
Summary
• Lower cost due to virtualization
• Faster time to service delivery (zero touch deployment, no truck roll), due to virtualization and service provisioning automation
• Operational simplicity due to virtualization
• Easy upsell for a multi-service strategy: additional services and revenue with no additional truck roll
• Value of a multi-service strategy for virtualized managed security services and Cloud hosted services
Thank you.