© 2010 Cisco and/or its affiliates. All rights reserved. 1
Monetizing The Enterprise:Borderless Networks
Michael Geller – Architect, SP Chief Technology Office
Kevin Shatzkamer – Distinguished Architect, Sales
September 27, 2011
Abstract
The impact of the consumerization of IT and mobility cannot be overstated. This webinar addresses the impact these two key business elements have on the evolution of Enterprise Architecture and on Service Providers' ability to offer services to Enterprises, Governments, and Consumers. The shift and movement of the secure network edge leads to a close examination of the changing threat vectors and vulnerabilities affecting our businesses today. Service delivery and consumption on the three "service horizons" (Mobile Endpoint and CPE, Virtualized Network Edge/Data Center Edge, and the Cloud) is detailed.
Building a Secure Infrastructure for Profitable Services
Visibility and Control
• Total Visibility in all aspects of your network.
• Complete Control over all traffic in the network & cloud.
• Guaranteed Availability of all services.
Visibility & Posture
(Slide diagram: Endpoint/CPE – Access/Aggregation – Core – Internet & Peering Edge – Data Center/Cloud (Public, Private & Hybrid Clouds); access types Mobility, Cable, Fixed Wireless, DSL, Enterprise. Security services by place in the network:)
Telstra Cloud:
• Nexus 1kV (NetFlow/VSG)
• UCS: software-based security services (FW, VPN, …)
• Nexus 7k Security Services Module
• vWAAS
• Enterprise-hosted IronPort Web/Content/Email Security/DLP
• ScanSafe Web Security
• Identity/Policy Service Control
Full Service Branch:
• Firewall
• IDS
• Encryption (IPsec & SSL)
• Trust & Identity
• Email Security
• Web/Content Security
• NAC
• WAN Optimization
Multi-Tenant Access and aggregation:
• Session Border Controller
• Firewall
• IDS/IPS
• IPsec VPN
• BNG (Subscriber Controls)
• SSL VPN
• Trust and Identity
• Web/Content Security
• Email Security
• DLP
Service Center:
• Remediation (quarantine)
• Intrusion Detection/Prevention
• VM Security & Nexus 1000V
• Anomaly detection/Scrubbing
• Policy Control Plane
• Firewall & XML Firewall
• Web/Content/Email Security
CPE:
• Firewall
• IDS
• IPsec & SSL VPN
• Host Security
• Control Plane Security
• Forwarding Plane Security
• Email Security
• Web/Content Security
• NAC
Access and aggregation:
• Basic infrastructure security role
• Control Plane Security
• Data Plane Security
• Firewall
• IDS/IPS
• IPsec VPN
• DHCP – subscriber
• SSL VPN
• Trust and Identity
• Web/Content Security
• Email Security
Security Operations and Services (Data/Service Center):
• Security Operations Center: Security Experts, SOC Processes, SOC Toolsets
• Security Monitoring & Management
• One Time Services: VA, PT, Web Assessment & SSO, MNAC
Foundation: SIO, Platform Telemetry, 3rd party rules and systems, Regulatory Policy & Influence
Operator Portal Capabilities
SP Operator Portal
• Single pane of glass for all mgmt functions
• White label logo and style branding
• RBAC – Role-based-access-control
• Customizable dashboard for different roles
• Share information between SP & customers
• Services catalogue
• Knowledge base
• Real-time threat dashboard
• SLA tracking dashboard
• Forensic
• Historical reporting
Consolidated Views: Risk Score, Alerts, Top Ten Events, Virus & Compliance Status
Events View: customized view based on need; a more focused approach via the Online Events & Forensic view
Threat Intelligence: Global Visibility
Largest Threat Analysis System – Blended Threat Protection
• 700K+ Global Sensors
• 5 Billion Web Requests/Day
• 35% of Global Email Traffic
• Endpoint Threat Telemetry
• Reputation, Spam, Malware and Web Category Analysis, and Applications Classification
(Slide diagram: telemetry from ISPs, Partners and Sensors and from the Cisco solution (IPS, ASA, WSA, ESA, Cisco AnyConnect) feeds SIO Global Intelligence (Researchers, Analysts, Developers), which publishes Applied Mitigation Bulletins back to the Cisco solution.)
Security Services Delivered To The Enterprise*
(Slide diagram of service layers:)
• Infrastructure – Device Security: Asset Mgmt, AV, Lock/Wipe, Zero Day, Encryption
• Trusted System: Device, Compute, Storage, Network, Physical
• Network/System Management: Alerting, Logging, Monitoring
• Application Security: Web Application Coding/Hardening, Penetration
• Network Security: APIs, VPN, Firewall, IDS/IPS
• Content/Data Security: Email, Web, DLP, Encryption
• Secure Systems: Collaboration, Virtualization, Mobility, Cloud
• Further labels: Directories, Remote Access, Data Gov., Service Mgmt., Audit, Policy, Identity, Forensics
* Based on common industry models by Gartner, SANS Institute and various customer interviews
AnyConnect Secure Mobility (Enterprise)
(Slide diagram: Corporate Office with ASA and IronPort WSA; Branch Office with Cisco Integrated Services Routers; ISE and TrustSec spanning both.)
Unified Anywhere+/AnyConnect
• Simplified remote access
• Connection and app persistence
• Always-on VPN enforcement
• Location-aware policy
• Application controls
• SaaS Access Control
• Per User Subscription Model
• Portal for Provisioning/Forensics
• Web/Email Security From The Cloud
AnyConnect Secure Mobility – SP Managed
(Slide diagram, three stages:)
1. AnyConnect Secure Mobility Client on Cius / SmartPhone and Smart Branch endpoints (Policy + Identity)
2. Email/Web Security from the Cloud (ScanSafe) and Multi-Tenant Edge Services Gateway (VPN, FW, SBC, Visibility, DPI)
3. Secure GW + Network + DC: HCS & IaaS, vOptimization, vLoad Balancing; Enhanced Customer Experience via End-to-End Seamless Security & Assurance; Cloud Offering Per Customer Application Experience with SLA
Secure Places In The Network: Summary
Security Services: Firewall & IPS, VPN (IPsec & SSL), Trust & Identity, Email Security, Web/Content Security, Anti-Malware, WAN Optimization, SBC (CUBE Ent.), WaaS, DPI
(Slide diagram: access types Mobility, Cable, Fixed Wireless, DSL, Enterprise, Consumer/SoHo; places in the network: Mobile Endpoint & CPE (AnyConnect policy) – Virtualized Network/DC Edge – Internet & Inter-Cloud – SP DC/Cloud, Private Cloud, Public & Partner Cloud.)
Foundation layers: SIO, SecOps (SmartOps, Tools, Ecosystem); Defense In Depth – Common ASA Code Base; Security Infrastructure; Policy, Trust & Identity Services
Secure Places In The Network: Horizon 1 – Mobile Endpoint & CPE
Security Services: Firewall & IPS, VPN (IPsec & SSL), Trust & Identity, Email Security, Web/Content Security, Anti-Malware, WAN Optimization, SBC (CUBE Ent.), WaaS, DPI
(Slide diagram: access types Mobility, Cable, Fixed Wireless, DSL, Enterprise, Consumer/SoHo; Mobile Endpoint & CPE with AnyConnect policy.)
Platform/Area of Interest:
• MDM and Partners
• Evolution of the ISR G2
• Connecting the CPE to the cloud
• ASA & Identity FW
• IronPort ESA/WSA
• DPI & Visibility
• Identity Services & Policy
Connecting the CPE To The Cloud – Leveraging Cisco Product Multi-service Capability
Threat Protection Security Services
• End-to-end security service via optimized hybrid on-premise / cloud services
• On-premise encryption, firewall, intrusion protection
• Hosted web content protection (ScanSafe) & email protection
• Managed Identity Services
Service Virtualization – UCS Express
• Lowering CapEx / OpEx for on-premise application services
• Mission-critical on-premise application hosting
• Integration into IaaS Service Orchestration
• Optimized experience for the application consumer
App Visibility & Optimization (WaaS)
• Improving end-user quality of experience
• End-to-end application visibility & SLA
• Focus on application optimization
• Security services upsell opportunity
• Deployment options: WAAS Express, dedicated router module, DC + vWaaS
Connecting the CPE To The Cloud – 2: Leveraging Cisco Product Multi-service Capability
Services Led Selling
• Removing NOC/SOC complexity and allocation of people, process and tools – GTM acceleration
• SmartOps for Security – SOC BOT models
• SmartOps for CPE – NOC white labeling or BOT models
• Testing and validation
Video
• Providing end-to-end video service insurance
• IP SLA Video Probe for video SLA
• Video-optimized ISR G2 bundle
• Integration of ISR G2 into video architectures like TelePresence
• Optimized delivery of video
• ISR G2 ad-hoc video conferencing
EnergyWise
• Minimize energy consumption and costs of delivered Managed Services
• The "Green WAN / LAN" service
• The "Energy Optimized" Data Center
Aspiration: Policy Governed Networks
(Slide diagram: a Centralized View – central dashboard, reports, measurements, troubleshooting – over applications in the Data Center or Cloud (Product Bookings, SalesForce.com, Customer Data, Third-Party Applications); Router/Switch (ASR/ISR/ASA) with MPLS and encryption; policy context of Service, Application, Device, Location, User and Role for endpoints such as an iPad or a Corporate Laptop; Policy Teams – IT Systems Mgmt, Cisco Network Mgmt Policy & Rules, Security, Compliance, Business – feed the Identity Services Engine (ISE) Centralized Policy Platform, which grants Full or Restricted access.)
Context-Based Security Services
Centralized Policy Platform: Identity Services Engine (ISE), Phased Execution
Policy Use Cases:
• Security: Prevent uncontrolled mobile devices from accessing servers with confidential information. Context: Media Actors, E2E Flow Characteristics, Real-Time Metering
• Authenticated & Authorized Access (TrustSec, ISE): Authenticate guests and provide only Internet access. Context: User, Device, Health, Location, Reputation (future)
• Optimize Virtual Desktop Service Delivery (VXI, VDS/ISE): Provide predictable quality for audio and video on the virtual desktop (VDI). Context: Virtual Desktop
• Prioritized Branch Service Delivery (Branch Office): Prioritize point-of-sale transactions over video (YouTube, …). Context: Application, Network Services
• Agile Virtual Service Delivery (CCN): Move WebEx from the RTP DC to the SP US Cloud with a Premium Service Level. Context: Server, DC Resources, Service Level
Secure Places In The Network: Horizon 2 & 3 – Network and DC Edge + DC/Cloud
Security Services: Firewall & IPS, VPN (IPsec & SSL), Trust & Identity, Email Security, Web/Content Security, Anti-Malware, WAN Optimization, SBC (CUBE Ent.), WaaS, DPI
(Slide diagram: access types Mobility, Cable, Fixed Wireless, DSL, Enterprise, Consumer/SoHo; Virtualized Network/DC Edge – Internet & Inter-Cloud – SP DC/Cloud, Private Cloud, Public & Partner Cloud.)
Platform/Area of Interest – 2 (Network and DC Edge):
• MDDC & CCN
• ASR 1k – multitenancy and DC Edge
• IOS-XE on a VM
• Virtual appliance + physical application
• Hosted Content, Email, Web Security
• DPI & Visibility
Platform/Area of Interest – 3 (DC/Cloud):
• Nexus 1kV
• VSG and vASA
• IOS-XE on a VM
• vWaaS
• CCN & Service Orchestration
• vESA/vWSA
• DPI & Visibility
• Network Proximity
• Partner Ecosystem
Cisco VXI: Virtualized End-to-End System
End-to-End Security, Management and Automation
(Slide diagram of layers:)
• Applications / Desktop OS: MS Office; Cisco Collaboration Applications (Unified CM, Quad)
• Virtualized Data Center: Hypervisor, Desktop Virtualization Software, Storage, Compute (UCS); ACE, ASA, Nexus 1000v, Virtual Security Gateway, WAAS
• Virtualization-Aware Borderless Network: Routing, Switching, PoE, WAAS, CDN
• Virtualized Collaborative Workspace: Thin Client Ecosystem (generic VDI – no support for UC or rich media); Cisco Clients (Cisco Virtualization Experience Clients, Cius Business Tablets, AnyConnect)
Borderless Network VXI Components
(Slide diagram: Campus (Cat4K, Dot1x/MAB, UPoE/PoE+) with Employee, Contractor and Finance access; Secure VXI Data Center (VSG, N1K, App / Data Base / Web tiers, Cisco ACE, WAAS DC, McAfee MOVE-AV) on the DC Network; VXI Network; Remote/Home User over the Internet via ASA and AnyConnect with split tunnel (secure display traffic); Branch One and Branch Two via DMVPN with ISR-G2, WAAS Express and WAE carrying display and voice/video traffic.)
• ASA and AnyConnect provide a single secure remote access solution for a large device footprint
• Device profiling and posture assessment using ISE ensure conformance
• UPoE and PoE+ provide a de-cluttered and energy-efficient virtual workspace
• 802.1X-based device and user authentication
• TrustSec allows policy-based access to specific applications in the Data Center
• Unmanaged devices (BYOD) are only allowed access to specific virtual desktop pools and applications
• DMVPN allows secure, dynamic and direct branch-to-branch collaboration
• WAAS and ISR together accelerate performance
From Router to vRouter
Secure Connectivity from Premise to Cloud
- Extend enterprise VPN infrastructure into the cloud via a cloud-based virtual VPN appliance
- Enable secure split tunneling, bypassing expensive MPLS / private IP network backhauling
- Provide end-to-end security – access control, DAR (data-at-rest) encryption, app / user / content visibility, IPS, web security – and unified management
- This will enable enterprises to move mission-critical data to the cloud, retain control and meet compliance requirements
Networking Services from the Cloud
- Provide routing, switching, WAN acceleration, end-to-end security, performance monitoring, traffic prioritization / QoS, etc. via a cloud-based virtual router
- Enables SPs and Cloud Providers to offer value-added pay-for-use services – networking, security – in a virtualized form factor to their customers
- Enables SPs to move services away from CPE ISRs to the cloud / provider edge, minimizing and simplifying management
(Slide labels: Phase 1, Phase 2)
Network Positioning System (NPS)
Phase II – Distributed Placement: capacity at multiple DCs improves experiences and reduces operational and network costs
(Slide diagram: Core network with NPS and three National Data Centers.)
1. Orchestration System requests capacity – available at multiple DCs
2. Insufficient bandwidth and/or sub-optimal location to meet SLA
3. NPS informs best location(s) / PE routers
Using Security Conductor for DDoS Attack Mitigation
(Slide diagram: Other SPs and Peering – IP/MPLS Network – Access/Aggregation Network – CPE; SP DC Control Point with Resource Manager, Policy Engine, Dependency Tracker and Capabilities Directory; Security Apps: Incident Control, Visibility, Logging & Forensics; Security Policy Conductor; SECOPS and NETOPS.)
Monitoring info: NetFlow, MIBs, logs for baselining, forensics and planning
1. Visibility Apps gather physical and virtual interface traffic information
2. Visibility Apps build a network baseline and monitor for traffic anomalies
3. In case of an anomaly, Visibility transfers the information to the Security Incident Control Application
4. Incident Control Apps inform SECOPS
5. Incident Control performs a RTBH (remotely triggered black hole) using BGP route insertion at the SP DC PE router
6. "Sinkhole" Apps VMs are assigned for analysis (RTBH configured, Sinkhole Apps activated on VMs, attack analysis)
7. Using the Security Conductor, security mitigation policies (ACL, QoS policers, etc.) are downloaded to the network; attack mitigation policies are downloaded to all applicable routers
8. All visibility and mitigation information is sent for forensic analysis
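As an added example (not from the slides), steps 2 to 5 of the flow above simulated in Python: a per-destination NetFlow byte-rate baseline, an anomaly check against it, and the blackhole host route that Incident Control would hand to BGP for the RTBH. The flow records, the 198.51.100.x victim addresses and the 192.0.2.1 sinkhole next-hop are constructed; the 65535:666 BLACKHOLE community is the RFC 7999 well-known value.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records (minute, destination IP, bytes); sample data, not real traffic.
FLOWS = (
    [(m, "198.51.100.10", b) for m, b in
     enumerate([1000, 1100, 950, 1050, 1000, 1020, 980, 1010, 990, 1050])]
    + [(m, "198.51.100.20", b) for m, b in
       enumerate([500, 520, 480, 510, 490, 505, 495, 515, 485, 500])]
    + [(10, "198.51.100.10", 1030),   # normal minute for .10
       (10, "198.51.100.20", 60000)]  # sudden surge toward .20: the anomaly
)
BLACKHOLE_COMMUNITY = "65535:666"  # well-known BLACKHOLE community (RFC 7999)


def bytes_per_minute(flows):
    """Step 1: aggregate interface flow records into {dst_ip: {minute: bytes}}."""
    agg = defaultdict(lambda: defaultdict(int))
    for minute, dst, nbytes in flows:
        agg[dst][minute] += nbytes
    return agg


def build_baseline(flows, train_until):
    """Step 2: per-destination mean/stddev of bytes per minute over minutes < train_until."""
    baseline = {}
    for dst, per_min in bytes_per_minute(flows).items():
        samples = [b for m, b in per_min.items() if m < train_until]
        if samples:
            baseline[dst] = (mean(samples), pstdev(samples))
    return baseline


def detect_anomalies(flows, baseline, minute, k=3.0, min_ratio=1.5):
    """Step 3: destinations whose traffic in `minute` exceeds mean + k*stddev and
    min_ratio*mean (the ratio guard keeps a very quiet baseline from alarming on noise)."""
    per_min = bytes_per_minute(flows)
    hits = []
    for dst, (mu, sigma) in baseline.items():
        observed = per_min[dst].get(minute, 0)
        if observed > mu + k * sigma and observed > min_ratio * mu:
            hits.append((dst, observed))
    return hits


def rtbh_route(victim_ip, next_hop="192.0.2.1"):
    """Step 5: the BGP route Incident Control inserts at the SP DC PE router: a host
    route for the victim with the next-hop pointing at the sinkhole, tagged BLACKHOLE."""
    return {"prefix": f"{victim_ip}/32", "next_hop": next_hop,
            "community": BLACKHOLE_COMMUNITY}
```

Running `detect_anomalies(FLOWS, build_baseline(FLOWS, 10), minute=10)` flags only 198.51.100.20, and `rtbh_route` on it yields the /32 that would be announced; the ratio guard is what stops the quiet .10 destination from alarming on ordinary variance.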
Cloud Security Solution Focus Mapping
(Slide diagram mapping business needs to security building blocks:)
• Business Needs / Loss of Control
• Multi-tenant Reference Architecture: VDC, DCI (OTV), VPLS/VRF …; services: virtual LB, FW; VN-Link, LISP, SIA tags w/ HW assist, N1k, VSG; Port Profile, vNetFlow, SAN
• Policy-based control for ID, data confidentiality
• Visibility, Forensics, Governance; VM-to-VM security, routing policies in the VM; vPath to stitch and control VMotion
• Secure Cloud Services: ScanSafe (SAML), DLP, Cisco ID Connect
• Data-in-flight security: AnyConnect, VDI/VXI
• Data-at-rest security
Putting It All Together: HCS
Unified Communications and Collaboration
(Slide diagram: deployment models Pure Hosted, Remote Managed, On Prem, Hybrid, with one marked Recommended; Customers 1–5 hosted on ESX Servers, Customer 3 on a dedicated / private network.)