
Page 1: Cisco Secure Datacenter Architecture...Jamey Heary Distinguished Systems Engineer Change the equation with Cisco Security Cisco Secure Datacenter Architecture In the future, computers

Jamey Heary, Distinguished Systems Engineer

Change the equation with Cisco Security: Cisco Secure Datacenter Architecture

In the future, computers may weigh no more than 1.5 ton – Popular Mechanics, 1949

Page 2:

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Why is our current security approach failing?
It is not a fair fight to begin with.

People, Process and Technology Issues
• People are too easy to hack
• So many code vulnerabilities/patches

Security Technology Issues
• Lack of true network and security visibility
• Too much focus on prevention "silver bullets"
• Point product overload: bolt-on security
• Nothing works together! Slow detection, slow response
• Security skillset and training shortage in the workforce

Page 3:

Simplifying the DC security architecture

Page 4:

Data Center Security Architecture

Three focus areas:
• Threat protection: "Stop the breach"
• Segmentation: "Reduce the attack surface"
• Visibility/Analytics: "See everything"

Threat intelligence: Talos
Intent-based: Automation, Analytics, Orchestration

Page 5:

Architecture: Integrated
Portfolio: Best-of-breed security
Intelligence: Cloud-delivered

Page 6:

Point product approach fails. It takes an integrated architecture.

• Threat protection: NGFW/NGIPS, Advanced Malware
• Visibility: Analytics (Stealthwatch/cloud, Tetration)
• Segmentation: Policy and Access (ISE, NGFW, Tetration and ACI)
• Management: CloudCenter, APIC, FMC, Tetration

Integration points: pxGrid, Security Group Tag/EPG, APIs, intel sharing, automation

Page 7:

Segmentation
Problem?

Page 8:

Cisco Tetration Connection Manager: Automated security policy recommendation

Whitelist policy recommendation
• Identifies application intent
• Generates 4-tuple policies

Step 1: Behavior analysis
• Application conversations
• Conversation details/process bindings

Page 9:

Cisco Tetration Connection Manager: Automated security policy recommendation

Step 2: Auto-generation of whitelist policies
• Export into Cisco solutions
• Export in JSON, XML and YAML
• Import into ACI, ASA and NGFW

Page 10:

Automated policy discovery, audit and enforcement (Tetration to ASA)

• Zero Trust enforcement
• Tetration policy conversion to ASA firewall
• Lifecycle management of ACLs
• Audit of ACLs

Demo
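The three Tetration slides above (behaviour analysis of conversations, auto-generation of whitelist policies, conversion to ASA and audit of the resulting ACLs) as one worked example. This is added code written for this page, not Cisco's, Tetration's or ASA's; the JSON policy shape, the endpoint group names and subnets, the flow records and the "running config" ACL are all assumptions constructed for the example, not Tetration's real export format.

```python
"""Whitelist policy recommendation, ASA ACL rendering and ACL audit.

Added example for this deck; it is not Cisco, Tetration or ASA code, and the
JSON policy shape below is an assumption rather than Tetration's real export
format. Input is a constructed list of observed application conversations
(source IP, destination IP, L4 protocol, destination port, server process).
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample conversations (step 1 input: behaviour analysis).
FLOWS = [
    ("10.1.1.10", "10.2.2.20", "tcp", 443, "nginx"),
    ("10.1.1.11", "10.2.2.20", "tcp", 443, "nginx"),
    ("10.2.2.20", "10.3.3.30", "tcp", 3306, "mysqld"),
    ("10.2.2.21", "10.3.3.30", "tcp", 3306, "mysqld"),
    ("10.2.2.20", "10.3.3.30", "tcp", 3306, "mysqld"),  # repeat conversation
]

# Hypothetical endpoint groups, the analogue of an ACI EPG or ISE security group.
GROUPS = {
    "Campus": ipaddress.ip_network("10.1.0.0/16"),
    "Web": ipaddress.ip_network("10.2.2.0/24"),
    "DB": ipaddress.ip_network("10.3.3.0/24"),
}


def group_of(ip):
    """Map an address to its endpoint group; anything unmatched is External."""
    addr = ipaddress.ip_address(ip)
    for name, net in GROUPS.items():
        if addr in net:
            return name
    return "External"


def recommend_policies(flows):
    """Steps 1 and 2: collapse observed conversations into group-level 4-tuple
    allow rules (consumer group, provider group, protocol, port), keeping the
    server processes seen behind each port as evidence of application intent."""
    seen = defaultdict(set)
    for src, dst, proto, port, proc in flows:
        seen[(group_of(src), group_of(dst), proto, port)].add(proc)
    return [
        {"consumer": c, "provider": p, "proto": proto, "port": port,
         "processes": sorted(procs), "action": "ALLOW"}
        for (c, p, proto, port), procs in sorted(seen.items())
    ]


def export_json(policies):
    """Export in the assumed JSON shape (the deck also lists XML and YAML)."""
    return json.dumps({"policies": policies}, indent=2)


def _asa_net(group):
    net = GROUPS.get(group)
    return "any" if net is None else f"{net.network_address} {net.netmask}"


def to_asa_acl(policies, name="DC-WHITELIST"):
    """Render the whitelist as ASA extended ACL lines with an explicit
    logged deny at the end (zero trust: anything not whitelisted is dropped)."""
    lines = [
        f"access-list {name} extended permit {p['proto']} "
        f"{_asa_net(p['consumer'])} {_asa_net(p['provider'])} eq {p['port']}"
        for p in policies
    ]
    lines.append(f"access-list {name} extended deny ip any any log")
    return lines


def audit_acl(running_lines, desired_lines):
    """Lifecycle/audit check: diff the ACL found in a running config against
    the freshly generated whitelist. Stale permits are candidates for removal,
    missing ones must be pushed, 'any' permits violate the whitelist model."""
    running = [l.strip() for l in running_lines if l.strip()]
    running_permits = {l for l in running if " permit " in l}
    desired_permits = {l for l in desired_lines if " permit " in l}
    return {
        "stale": sorted(running_permits - desired_permits),
        "missing": sorted(desired_permits - running_permits),
        "overly_broad": sorted(l for l in running_permits if " any" in l),
        "default_deny_last": bool(running) and " deny ip any any" in running[-1],
    }


# Constructed "show running-config access-list" output: the DB rule is
# current, the SSH-from-anywhere rule is stale and too broad, and the web
# rule has not been pushed yet.
RUNNING_ACL = """
access-list DC-WHITELIST extended permit tcp 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0 eq 3306
access-list DC-WHITELIST extended permit tcp any 10.3.3.0 255.255.255.0 eq 22
access-list DC-WHITELIST extended deny ip any any log
""".splitlines()

if __name__ == "__main__":
    policies = recommend_policies(FLOWS)
    print(export_json(policies))
    acl = to_asa_acl(policies)
    print("\n".join(acl))
    print(audit_acl(RUNNING_ACL, acl))
```

The audit deliberately compares permit lines as sets and checks the deny separately: on an ASA the ACL is evaluated top-down, so a stale broad permit that precedes the whitelist entries silently defeats them, which is why "overly_broad" is reported even when the line is otherwise syntactically valid.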

Page 11:

Page 12:

Integrated

[Diagram: Campus and DC Perimeter in front of the data center; Web Endpoint Group and DB Endpoint Group enforced by NGFW, ACI and Tetration together]

Page 13:

Industry leading NGFW performance
Competitive comparison: key differentiators (Cisco's figures)

                                  Cisco           Palo Alto   Fortinet   Check Point
                                  FP9300-3xSM44   PA-7050     FG-7060E   CP61000
FW (data sheet)                   234G            120G        630G       400G
FW+AVC+NGIPS (NGFW), NSS Labs     133G            42G         100G       70G
Rack units                        3               9           8          15
40G actual speed                  40G             16G         10G        10G*

Page 14:

Data center security working together

[Diagram: CloudCenter, ISE, Tetration and AMP sharing context with the FMC manager; an FTD firewall between External and Internal; App EPG and DB EPG, each with a Tetration sensor and AMP on the workloads]

Page 15:

Simplifying Security Orchestration

CloudCenter
• Automated workload deployment
• Hybrid cloud

ACI
• Deploy EPG and contract
• Deploy service graph (FW & IPS)

Security Solutions
• Deploy AMP for Endpoints
• Deploy Tetration software sensor
• ISE to ASA firewall SGT

Demo

Page 16:

Page 17:

ACI Extensions to Multi-Cloud

ACI Multi-Site Appliance
• Consistent network and policy across clouds
• Seamless workload migration
• Single point of orchestration
• Secure, automated connectivity

[Diagram: Site A, Site B, Site C and Site D, each hosting VMs, connected through the ACI Multi-Site appliance]

Page 18:

Advanced Threat Protection

Page 19:

Applications and services: mitigating threats, risks and vulnerabilities

Segment data center architecture
[Diagram: Users zone, Server zone 1, Server zone 2 and the outside world/business partners, separated by a perimeter firewall]

Page 20:

Cisco Advanced Threat solutions (integrated)

NGFW
• Context rich
• Stop command and control: security intelligence blacklists
• Application control

NGIPS
• Protection against exploitation of app vulnerabilities
• Impact assessment and IoC
• Auto-tuning of policy

AMP
• File-based malware protection
• Sandboxing to find zero-day
• Retrospective remediation of malware

Page 21:

Rapid threat containment with ACI micro-segmentation

NGFW/NGIPS
• Indicators of compromise
• Rapid threat containment

ACI
• Micro-segmentation/uEPG
• Automation NGFW to APIC

AMP
• Network AMP
• Malware protection: from network, to endpoint, to cloud

Demo

Page 22:

Page 23:

Visibility and Analytics

Page 24:

Greater visibility and security together: Cisco Tetration and Stealthwatch

• Application traffic modeling & visibility
• Access control policy and audit
• Threat detection and hunting
• Anomalous behavior
• ISE context & visibility
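The "threat detection and hunting" and "anomalous behavior" points above, as an added example of what detection over flow telemetry looks like once a learned whitelist exists. This is code written for this page, not Stealthwatch or Tetration code; the endpoint groups, the learned baseline, the detection thresholds and the flow records are constructed assumptions, and the three detectors (whitelist deviation, port scan, periodic outbound beacon) are generic techniques rather than either product's algorithm.

```python
"""Anomaly detection over flow telemetry against a learned whitelist.

Added example for this deck, not Stealthwatch or Tetration code. It assumes
a learned baseline of allowed group-to-group conversations (what a whitelist
recommendation produces) and flow records of the form
(timestamp_seconds, src, dst, proto, dport, bytes). Groups, baseline,
thresholds and flows are all constructed for the example.
"""
import ipaddress
from collections import defaultdict

GROUPS = {  # hypothetical endpoint groups
    "Campus": ipaddress.ip_network("10.1.0.0/16"),
    "Web": ipaddress.ip_network("10.2.2.0/24"),
    "DB": ipaddress.ip_network("10.3.3.0/24"),
}
SERVER_GROUPS = {"Web", "DB"}

# Learned baseline: (consumer group, provider group, proto, port).
BASELINE = {("Campus", "Web", "tcp", 443), ("Web", "DB", "tcp", 3306)}

# Constructed flow records. Records 3-6 are a DB server calling out to the
# same external host every 60 s; records 7-11 are one campus host touching
# five ports on the DB server within a few seconds.
FLOWS = [
    (0, "10.1.1.10", "10.2.2.20", "tcp", 443, 1200),
    (1, "10.2.2.20", "10.3.3.30", "tcp", 3306, 800),
    (10, "10.3.3.30", "203.0.113.7", "tcp", 443, 300),
    (70, "10.3.3.30", "203.0.113.7", "tcp", 443, 310),
    (130, "10.3.3.30", "203.0.113.7", "tcp", 443, 305),
    (190, "10.3.3.30", "203.0.113.7", "tcp", 443, 298),
    (200, "10.1.1.50", "10.3.3.30", "tcp", 21, 60),
    (201, "10.1.1.50", "10.3.3.30", "tcp", 22, 60),
    (202, "10.1.1.50", "10.3.3.30", "tcp", 23, 60),
    (203, "10.1.1.50", "10.3.3.30", "tcp", 25, 60),
    (204, "10.1.1.50", "10.3.3.30", "tcp", 80, 60),
]


def group_of(ip):
    """Map an address to its endpoint group; anything unmatched is External."""
    addr = ipaddress.ip_address(ip)
    for name, net in GROUPS.items():
        if addr in net:
            return name
    return "External"


def detect(flows, baseline, scan_threshold=5, beacon_min_count=4, jitter=2):
    """Return findings of three kinds:
    policy-deviation: a conversation outside the learned whitelist
    port-scan: one source touching >= scan_threshold ports on one destination
    beacon: a server-group host contacting the same external peer at a
            near-constant interval (max gap - min gap <= jitter seconds)"""
    deviations = defaultdict(set)      # (src, dst, proto) -> ports
    ports_by_pair = defaultdict(set)   # (src, dst) -> ports
    outbound = defaultdict(list)       # (src, dst, port) -> timestamps
    for ts, src, dst, proto, port, _nbytes in flows:
        sg, dg = group_of(src), group_of(dst)
        if (sg, dg, proto, port) not in baseline:
            deviations[(src, dst, proto)].add(port)
        ports_by_pair[(src, dst)].add(port)
        if sg in SERVER_GROUPS and dg == "External":
            outbound[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, proto), ports in sorted(deviations.items()):
        findings.append({"type": "policy-deviation", "src": src, "dst": dst,
                         "proto": proto, "ports": sorted(ports)})
    for (src, dst), ports in sorted(ports_by_pair.items()):
        if len(ports) >= scan_threshold:
            findings.append({"type": "port-scan", "src": src, "dst": dst,
                             "ports": len(ports)})
    for (src, dst, port), times in sorted(outbound.items()):
        if len(times) < beacon_min_count:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:
            findings.append({"type": "beacon", "src": src, "dst": dst,
                             "port": port, "interval": gaps[0]})
    return findings


if __name__ == "__main__":
    for finding in detect(FLOWS, BASELINE):
        print(finding)
```

The whitelist makes the first detector cheap: anything not in the learned baseline is interesting by definition, so a database server opening outbound 443 is flagged even before the timing analysis identifies it as a beacon. The other two detectors run on the same pass over the records, which is the practical reason flow telemetry and policy are kept in one place.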

Page 25:

Summary

Page 26:

In summary… Cisco Data Center Security

Visibility/Analytics: "See Everything"
Complete visibility of users, devices, networks, applications, workloads and processes

Threat protection: "Stop the Breach"
Quickly detect, block, and respond to attacks before hackers can steal data or disrupt operations

Segmentation: "Reduce the Attack Surface"
Prevent attackers from moving laterally (east-west) with application whitelisting and micro-segmentation

Page 27:

Questions?
Changing the Equation with Cisco Security