inside the scansafe architecture: session...

BRKSEC-2346

Inside The ScanSafe Architecture: Session Overview

Follow us on Twitter for real time updates of the event:

@ciscoliveeurope, #CLEUR

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2346 2

Housekeeping

We value your feedback- don't forget to complete your online session evaluations after each session & the Overall Conference Evaluation which will be available online from Thursday

Visit the World of Solutions and Meet the Engineer

Visit the Cisco Store to purchase your recommended readings

Please switch off your mobile phones

After the event don’t forget to visit Cisco Live Virtual: www.ciscolivevirtual.com

Follow us on Twitter for real time updates of the event: @ciscoliveeurope, #CLEUR

http://www.ciscolivevirtual.com/

http://www.ciscolivevirtual.com/


Abstract

This intermediate level technical summary covers what it takes to build and deploy a managed SaaS security service on a global scale. As an introduction we will understand what the ScanSafe Web Security Service is, how it works and the benefits given by using a global cloud service for any organisation. We will then look at where ScanSafe started and the history behind some of the early technology deployed along the way with some of the lessons learnt early on which allowed us to shape our architecture into what it is today. We will then explore major aspects of our service which include how we build our networks, our datawarehouses and our software and how we utilise these platforms and technologies to deliver the service. We will also look at how we monitor, deploy and manage the service day to day using specialised tools and utilities which help us maintain our high uptime SLAs and availability. The final part of the summary will review where the future of the ScanSafe service fits in with other Cisco security products like AnyConnect and ISR routers to create an easily deployable architecture which will be controlled by one policy engine to ensure a consistent user experience anywhere in the world. Plus a look at where the ScanSafe platform is heading from an architecture perspective over the next 12-36 months. The target audience should be solution architects or engineers familiar with operating systems, networks, databases, software delivery, monitoring and anything else cloud based.


Solution Overview


Introducing ScanSafe

Product

- Pioneer in SaaS Web Security

- Billions of Web requests scanned every day

- Zero-hour threat protection

Infrastructure

- Proven reliability, global footprint

- 100% uptime in 8 years

- Multi-tenant infrastructure

- On-demand capacity

Overview Customers

Awards

Partners


Secure Web Gateway: What’s in it?

Subscription-based Security Services

Web Proxy

Authenticatio

n / Identity Caching Logging

Management & Reporting

Data Loss Prevention

Application Visibility &

Control

URL Filtering

Anti-Malware

Policy Engine

VM / Software Cloud Appliance


ScanSafe’s Architecture

Cloud Infrastructure

Roaming User

Home Office

Corporate Office

Branch Office

Internet


Typical Deployment

Identification & Authentication

AD Light-weight agent or existing proxy

Via user’s login script or browser-based

Note: ISR G2 deployment will be covered separately

Cloud-based Secure Web gateway

Web User Firewall

Internet

More details in the session: BRKSEC-2101 Deploying Web Security


Infrastructure Overview

Two main components of the datacenter architecture

Scanning towers

- Scan and process the internet traffic

- Scanning towers geographically distributed

- Scanning towers = low latency

Core

- Data warehouse hub for logging

- Core datacenter in London

- Core = high performance


DataCenter Architecture: Hub-and-Spoke

Core

Scanning towers


DataCenter Footprint


ScanSafe Technology


21 locations

2600+ servers

569+ switches

227+ firewalls

122 gigabits/sec peak traffic

3.5 billion requests per day

Support team of 8 (4 x SysAdmin, 2 x NetOPS, 2 x DBAs)

Vital Statistics


People + Technology + Process


The ScanSafe Infrastructure


ScanSafe Infrastructure


B

A

proxy123 .scansafe.net




0

1

0

2

0

3

0

4

0

5

0

6

0

7

0

8

0

9

1

0

1

1

1

2

1

3

1

4

1

5

1

6

1

7

1

8

1

9

2

0

2

1

2

2

2

3

2

4

2

5

2

6

2

7

2

8

2

9

3

0

3

1

3

2

ScanSafe Tower Concept


ScanSafe Tower

Dell Blades

Console


ScanSafe Tower

Dell Blades

Redundant Power Distribution

3560G – Core Switch

ASA 55xx – Access Firewall

ACE 4710 – Load Balancer

2960G – Access Switch


Moore’s Law


Moore’s Law

vs

Web 2.0


Scanlets


Outbreak Intelligence Algorithm

Database of traffic which is almost ~2% of all business traffic: statistically significant

- All AV engines are publically available

- Bad guys can reverse engineers signatures to workaround

- Cisco data mines the traffic to identify the holes in the AV

- We use active-learning to highlight false negatives

Pragmatically tune our scanlets to catch the false-negative

- Phase in/out scanlets based on malware trends

Statistical Model

- Parse files and identify features that indicate malware traffic

- Percentage of PDFs with no word count + Java Script tag

- Once you identify this traffic, train the algorithm with good and bad examples


Performance Optimisation (Latency)

• Geographical proximity

• Peering with T1 providers

• Optimisation for parallel scanning

• Highly tuned network stack

• Simplified architecture


Telemetry


Datawarehouse


People + Technology + Process


Rotational Staffing Model

Problems Root cause investigation and resolution

Deployments (x2 weeks) Scheduled rollout of new/upgraded applications or hosts

P3+4: Service Requests Standard work requests, individually prioritised

Pages & P1+2 Incidents Incidents/SR’s which require urgent attention

Engineer 1

Engineer 2

Engineer 3

Engineer 4

Projects Continual technology improvement & personal development

Engineer


Continual change

Beta flag control

DevOPS interation

Agile Software Deployments

Tightly controlled continual change


Agile Software Deployments

Tightly controlled continual change


Security Architecture


ScanSafe Security Architecture

Physical Security

Utilization of high security facilities with biometric access control, stringent change control and authorized access approval.

Small number of trusted dedicated hands only allowed access and to control hardware/inventory globally

Application Security

Customer administration is provided via a secure web portal

Each administrative account is accessed via a unique username/password and the entire session is encrypted using SSL.


ScanSafe Security Architecture

Data Security

Dedicated Data Team manage and support the data associated - only access to data through this team

Data replicated locally and off-site in separate datacenters for DR/replication purposes

Logical Security

Dedicated Operations Team sandboxed from corporate networks for administration of the service

Use of best practice procedures and tools following ITIL workflows ensuring secure access to systems

Centralized auditing and monitoring solutions to ensure protection and delivery of service


Security


Security Incident Response

Event CSIRT

Monitoring

CSIRT

Investigations ScanSafe

False Positive

Suspected

Breach

Policy Violation

After-Action

Review

Resolve

Provide Feedback

Remediate

Remediate

Analyze Investigate + forensics

Analyze Investigate

Mitigate


Distributed Denial of Service – Real Experience

Detected as slowdown of single tower throughput

Huge spike in tcp connections to proxies outbound IP address

Caused CPU spike and increased session count on ASA

Changed outbound proxy IP and routed traffic to Null0

Total incident duration of less than 20 minutes

CPU was consumed by syslogging; implemented rate limiting


Operational Tools


ZenOSS


Puppet, Cacti


Autodeployer


Infrastructure Future Plans


IPv6

IPv4

Internal IPv6

IPv6 Host ScanSafe Internet Connector

IPv6 Host ScanSafe Internet Connector

DataCenter IPv6 migration

Phase I

Phase II


IPv6 Addressing


IPv6 Issues

Network-level IPv6 is generally healthy

Routing table capacity & disagreement on subnetting

AAAA records – lots of broken DNS servers

Routing optimisation – rebuilding the internet

Difficult to find subject matter experts


Future Developments

IPv6

Cisco-on-Cisco (UCS)

Virtualisation

Local core: Partitional data storage and portal by region – Americas, EMEAR and APAC

Simplification


Capacity & Future Plans


Capacity Management

Bandwidth capacity in the datacenters is actively managed – transparent to end users

Scale through hardware

Monitor trends and events to forecast usage spikes


Royal Wedding in the UK

Frankfurt +70% over typical


Andy Murray at Wimbledon

London +80% over typical


Cisco Integration


ScanSafe Deployment Vision

Cisco-on-Cisco

WSA

Home Office Coffee Shop Mobile User

Branch Office

Corporate Office / HQ

AnyConnect

Easy to deploy Customer choice Centralized management and reporting

ASA or ISR G2


ISR G2 with ScanSafe


ISR G2 with ScanSafe: Functionality

The connector will be available in IOS (universal) images with security feature set (SEC) licenses.

Supported on the 880, 890, 19XX, 29XX and 39XX/E ISR G2 platforms.

Supports re-direction of HTTP/HTTPS traffic.

No need of a client or agent software (Anywhere + or AnyConnect) to be installed on each laptop or desktop

No HTTP proxy settings changes for the web browsers running at the end-points.

Supports Single Sign-on based identity with LDAP and AD sync.

User provisioning are configured using ScanCenter Web Portal. Reporting (accesses allowed or denied per user or group, etc…)

ISR Connector will be able to work independently with or without IOS Security services such as (IOS FW, IPS, VPN)


Summary

Insight into building and maintaining a robust, scalable and multitenant artchitecture

Success depends on more than technology – people and processes

Exciting plans for leveraging Cisco technology to grow ScanSafe’s cloud


Questions?

Recommended Reading

Please visit the Cisco Store for suitable reading.


Please complete your Session Survey

Don't forget to complete your online session evaluations after each session.

Complete 4 session evaluations & the Overall Conference Evaluation

(available from Thursday) to receive your Cisco Live T-shirt

Surveys can be found on the Attendee Website at www.ciscolivelondon.com/onsite

which can also be accessed through the screens at the Communication Stations

Or use the Cisco Live Mobile App to complete the

surveys from your phone, download the app at

www.ciscolivelondon.com/connect/mobile/app.html

We value your feedback

http://m.cisco.com/mat/cleu12/

1. Scan the QR code

(Go to http://tinyurl.com/qrmelist for QR code reader

software, alternatively type in the access URL above)

2. Download the app or access the mobile site

3. Log in to complete and submit the evaluations

http://www.ciscolivelondon.com/onsite

http://www.ciscolivelondon.com/connect/mobile/app.html

http://tinyurl.com/qrmelist


Thank you.

inside the scansafe architecture: session...

Documents