Source: Cisco Live 2015 USA, session BRKSEC-2008, "Deploying Secure Branch & Edge Solutions" (d2zmdbbm9feqrf.cloudfront.net/2015/usa/pdf/BRKSEC-2008.pdf)


Deploying Secure Branch and Edge Solutions
Michael Lipsey, Systems Engineer, CCIE 42683

BRKSEC-2008

BRKSEC-2008 Session Objectives

Deploying Secure Branch & Edge Solutions

Session Level: Intermediate

Audience: Network & Security Professionals

At the end of this session you should understand:
• Security is an ongoing process and not a race to the finish
• Components of the Secure Branch
• How to leverage IWAN, Cloud and Virtualization Technologies to improve branch user experience
• How Security & IT can enable the business as well as mitigate risk

Additional Related Sessions
• BRKCRS-3447 - Network Function Virtualization for Enterprise Networks
• BRKSEC-4054 - Advanced Concepts of DMVPN
• BRKRST-2309 - Introduction to WAN MACSec - Aligning Encryption Technologies with WAN Transport
• BRKNMS-1040 - IWAN and AVC Management with Cisco Prime Infrastructure
• BRKCRS-2000 - Intelligent WAN (IWAN) Architecture
• TECCRS-2004 - Implementing the Intelligent WAN (IWAN)
• BRKRST-2042 - Highly Available Wide Area Network Design
• BRKSEC-1030 - Introduction to the Cisco Sourcefire NGIPS
• BRKSEC-2028 - Deploying Next Generation Firewall with ASA and Firepower Services
• BRKSEC-2909 - Think Like an Attacker: Advanced Cloud Protection Against Web-Based Malware & Targeted Attacks
• DEVNET-1155 - Branch Virtualization
• BRKRST-2362 - Implementing Next Generation Performance Routing - PfRv3
• BRKARC-3001 - Cisco Integrated Services Router - Architectural Overview and Use Cases

Agenda
• Session Objectives
• Security Strategy
• Network as a Visibility Tool
• Evolving the Branch
• Closing Remarks

Digital Innovation Overwhelming the Branch

• 80% of employees and customers are served in branch offices*
• 30% increase in Enterprise bandwidth per year through 2018**
• 20-50% of advanced threats will target branch offices by 2016 (up from 5%)***
• 73% growth in mobile devices from 2014 - 2018**

More users, more apps, more threats, more devices. What is driving the load in the branch: OS updates, HD video, omni-channel apps, mobile apps, online training, SaaS enterprise apps, social media, guest WiFi, digital displays.

* Tech Target, Branch Office Growth Demands New Devices, 2013
** Gartner, Forecast Analysis: Worldwide Enterprise Network Services, Q2 2014 Update
*** Gartner, “Bring Branch Office Network Security Up to the Enterprise Standard”, Jeremy D’Hoinne, 26 April 2013

Today's Cyber Threats

• China: PLA
• Russia: Special Communications Service
• France: DGSE/DCRI
• Britain: GCHQ
• USA: NSA
• Government related hacktivist groups
• many others…

Put aside the rights, wrongs and politics of Snowden: the main point for Network and Information Technologists is to recognize something significant: what Government Agencies have now, the average Cyber Criminal will have available to them within 3-4 years*

* Bruce Schneier: NSA snooping tactics will be copied by criminals in 3 to 5 years

Dynamic Threat Landscape

• 100% of companies connect to domains that host malicious files or services
• 60% of data is stolen in hours
• 54% of breaches remain undiscovered for months

It is a community that hides in plain sight, avoids detection and attacks swiftly.

There are sharks in the water.

Agenda: Security Strategy

If you knew you were going to be hacked, would you do anything differently?

Implications & Consequences

Loss of Intellectual Property
• Litigation Expenses
• Damage Control
• Compromise of Business plans and loss of revenue

Loss of Customer Data
• Public Perception, Sentiment, Reputation
• Liability
• Trust
• Brand Value

Where does Information Security sit in your network architecture development cycle?

What are they after?

They Are After The Data: Your Data, Your Company’s Data, Everyone’s Data
• Personal Data
• Customer Information
• Intellectual Property
• Social Security Numbers
• Credit Card numbers
• Bank Account Information
• Healthcare & Employee Data

Healthcare & Employee Data

• Social Security Numbers

• Names and Addresses

• Family History & Personal History

• Confidential Medical History

• Used to buy expensive Medical Equipment or Care

• Healthcare fraud takes longer to detect than other types of fraud

Their Projects are to Breach Your Networks

Hackers are Organized:
• Survey
• Write
• Test
• Execute
• Steal & Sell Your Data
• Profit

For additional information check Cisco’s Annual Security Report: http://www.cisco.com/c/en/us/products/security/annual_security_report.html

The next two slides are important.

The Threat-Centric Security Model

Attack Continuum
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

Covers every attack surface: Network, Endpoint, Mobile, Virtual, Cloud
Protection spans from Point in Time to Continuous

How do you address this Threat-Centric Security Model?

The components laid across the attack continuum:
• TrustSec
• Encryption/VPN
• Next Generation Firewalling
• Next Generation IPS
• Application Visibility & Control
• Advanced Malware Protection

• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

If you can’t see it you can’t secure it.

Agenda: Network as a Visibility Tool

Network Visibility Tools in the Branch
• Application Visibility and Control
• TrustSec
• Next Generation IPS

What is Application Visibility & Control?
• NBAR2
  • Deep Packet Inspection
  • Application Recognition
• Flexible NetFlow (FNF)
  • NetFlow Version 9 or IPFIX
  • Open protocol so 3rd parties can leverage it
  • Flexible field exports – streamline your exports to maximize resources
• Application Performance Monitoring
  • Traffic statistics
  • Application response time
  • URL collection
• Control
  • QoS with NBAR2
  • Performance Routing (PfR)

Gaining Full Visibility with Flexible NetFlow

Flexible NetFlow & NBAR
• Monitors data from layer 2 through 7
• Determines applications by a combination of port and payload
• Flow information: who, what, when, where
• Flexible NetFlow lets you select your own key fields

[Figure: a packet broken into Link Layer Header, IP Header, TCP/UDP Header and Data. Classic NetFlow keys on header fields only (MAC, Source IP Address, Destination IP Address, Protocol, ToS, Source Port, Destination Port); FNF + NBAR2 adds Deep Packet (Payload) Inspection of the Data portion.]

Key Fields, Packet #1
• Source IP: 10.1.1.1
• Destination IP: 173.194.34.134
• Source Port: 20457
• Destination Port: 23
• Layer 3 protocol: 6
• TOS byte: 0
• Ingress Interface: Ethernet 0

NetFlow cache after packet #1:

Src. IP | Dest. IP | Src. Port | Dest. Port | Layer 3 Prot. | TOS Byte | Ingress Intf.
10.1.1.1 | 173.194.34.134 | 20457 | 80 | 6 | 0 | Ethernet 0

Key Fields, Packet #2
• Source IP: 10.1.1.1
• Destination IP: 72.163.4.161
• Source Port: 30307
• Destination Port: 80
• Layer 3 protocol: 6
• TOS byte: 0
• Ingress Interface: Ethernet 0

NetFlow cache after packet #2, with the application name NBAR adds and the non-key statistics fields:

Src. IP | Dest. IP | Src. Port | Dest. Port | Layer 3 Prot. | TOS Byte | Ingress Intf. | App Name | Timestamps | Bytes | Packets
10.1.1.1 | 173.194.34.134 | 20457 | 80 | 6 | 0 | Ethernet 0 | HTTP | | |
10.1.1.1 | 72.163.4.161 | 30307 | 80 | 6 | 0 | Ethernet 0 | Youtube | | |

Flexible NetFlow - NBAR Integration

    flow record app_record
     match ipv4 source address
     match ipv4 destination address
     match …..
     match application name

The first packet of a flow creates the flow entry using the key fields; the remaining packets of that flow only update the statistics (bytes, counters, timestamps).
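The cache behaviour described above, as an added example that is not code from the deck or from Cisco: the key fields follow the deck's app_record, while the classify_app function is a toy stand-in for NBAR2 (the port-plus-Host-header rule and the sample packets are assumptions constructed for this example).

```python
# Added example, not code from the BRKSEC-2008 deck: a minimal model of the
# Flexible NetFlow cache the slides describe. Key fields follow the deck's
# "flow record app_record"; NBAR2 classification is stood in for by a toy
# port-plus-payload check (an assumption made for this example).
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Key fields: src ip, dst ip, src port, dst port, L3 protocol, ToS, ingress intf
FlowKey = Tuple[str, str, int, int, int, int, str]

@dataclass
class FlowEntry:
    app: str            # NBAR2 application name, classified once per flow
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0

def classify_app(dst_port: int, payload: bytes) -> str:
    """Toy NBAR2: combine the port with a look into the payload.
    Returns "unknown" until a packet carries enough payload to decide."""
    if dst_port == 80 and payload.startswith(b"GET "):
        headers = payload.lower()
        return "Youtube" if b"host: www.youtube.com" in headers else "HTTP"
    if dst_port == 23:
        return "Telnet"
    return "unknown"

def flow_key(pkt: dict) -> FlowKey:
    return (pkt["src_ip"], pkt["dst_ip"], pkt["src_port"], pkt["dst_port"],
            pkt["proto"], pkt["tos"], pkt["in_intf"])

def build_cache(packets: List[dict]) -> Dict[FlowKey, FlowEntry]:
    """First packet of a flow creates the entry from its key fields; every
    later packet only updates bytes, packet count and timestamps."""
    cache: Dict[FlowKey, FlowEntry] = {}
    for pkt in packets:
        key = flow_key(pkt)
        app = classify_app(pkt["dst_port"], pkt["payload"])
        entry = cache.get(key)
        if entry is None:
            entry = cache[key] = FlowEntry(app, pkt["ts"], pkt["ts"])
        elif entry.app == "unknown":
            entry.app = app     # NBAR2 may need more than one packet to decide
        entry.packets += 1
        entry.bytes += pkt["length"]
        entry.last_seen = pkt["ts"]
    return cache

def _pkt(ts, dst_ip, src_port, length, payload=b"", dst_port=80):
    # Constructed sample packets mirroring the deck's two flows from 10.1.1.1
    return dict(ts=ts, src_ip="10.1.1.1", dst_ip=dst_ip, src_port=src_port,
                dst_port=dst_port, proto=6, tos=0, in_intf="Ethernet0",
                length=length, payload=payload)

SAMPLE_PACKETS = [
    _pkt(1.0, "173.194.34.134", 20457, 60),                 # TCP SYN, no payload yet
    _pkt(1.1, "173.194.34.134", 20457, 180, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    _pkt(2.0, "72.163.4.161", 30307, 200, b"GET /watch HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"),
    _pkt(2.3, "72.163.4.161", 30307, 1400),                 # later data packet, same flow
]

def cache_rows(packets: List[dict]) -> List[tuple]:
    """Render the cache like the slide's table: key fields, app, packets, bytes, timestamps."""
    return [(*k, v.app, v.packets, v.bytes, v.first_seen, v.last_seen)
            for k, v in build_cache(packets).items()]
```

Calling cache_rows(SAMPLE_PACKETS) yields two rows, one per 7-tuple, with the second packet of each flow only bumping the counters.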

Detailed Application Flow Data

NBAR2 Categorization

How Can Application Visibility Help me?
• Discovery
  • Identify business critical applications and services and how they are used across the network
  • Identify Indications of Compromise
  • Define better network policies either for application support or security
  • Use the data to be more precise in your segmentation efforts
• Network behavior anomaly detection
• Forensics data support
  • Audit trails of all host to host communications across the network

Where does the ‘Control’ part come into play?

The ‘Traditional’ Control Part

Performance Routing (PfR)
• Application routing based on real time performance information
• Load sharing to fully utilize available WAN resources
• Improve performance of critical applications

Quality of Service (QoS)
• Guarantee Bandwidth to protect critical applications
• Provide low latency to delay sensitive applications
• Stop or limit unwanted applications from using WAN resources

Control from a Security Perspective
• Detect Anomalous Traffic
• Detect User Access Policy Violations
• Obtain Broad Visibility of Network Traffic
• Dynamic Segmentation to Contain Attacks
• Control Access to Critical Assets
• Do all this in a manageable and scalable way

What do we need to accomplish our security goals?

Let's look at that traffic again…

Application Flow data tied to IP addresses

User IDENTITY tied to NBAR2 and NetFlow information

Lancope: Anomaly detection

Network Visibility Tools in the Branch: TrustSec

What is TrustSec?
• TrustSec is a systemic approach to policy control in your network.
• Who is connecting to it?
• What is connecting to it?
  • Type of device, is it a user or non-user device?
• Where are they?
  • Location information.
• When?
  • Time based controls.
• How are they connecting?
  • Wired or Wireless?

Traditional Controls & Access Policy
• Access Lists based on 5-Tuples
  • Source IP address
  • Source Port
  • Destination IP address
  • Destination Port
  • Transport Protocol
• Policy Applied at Demarcation points
  • Firewalls in the DMZ, Edge & Data Center
• Mobility users challenge traditional ACLs
• Internet of Everything

How do we take this complexity out?

The Usual Access Controls: IP Address Based Access-lists
• Static – usually manually maintained
• Difficult to maintain documentation

Context – A Set of Circumstances
• User authentication & role-based access
• Device Posture assessment
• Non-User devices profiling
• Guest access services
• Centralized policy management
• Distributed access policy enforcement

TrustSec builds and enforces centralized, identity based access policies: Security Group Tagging, Context Based Dynamic Access Policy

TrustSec: Simplifying your Network Security Policy

Simplified Access Management
• Control access by business role
• Uses plain language

Accelerated Security Operations
• Moves, adds & changes are simplified
• Automated FW & ACL administration
• Quicker deployment of servers

Consistent Policy Anywhere
• Enforces policy on wired, wireless & VPN
• Scales to remote, branch, campus & data center

Security Group ACL Enforcement Policy

Policy representing:

Source | Destination | Policy
Credit Card Scanner SGT | Credit Card Server | Deny IP

Campus to Data Center Access Control

[Figure: a user at Wired or Wireless Access traverses the Campus Core, Enterprise Backbone, DC Core, DC Firewall, DC Distribution and DC Physical/Virtual Access to reach Physical Servers and VM Servers. The three TrustSec stages are marked along the path: Classification, Propagation, Enforcement.]

Source classification: the end user is authenticated and classified as Employee (SGT 5). The packet carries SRC: 10.1.10.220, DST: 10.1.100.52, SGT: 5.

Destination classification (the FIB lookup on the destination MAC/port returns SGT 20 for the web server):
• WEB: SGT 20 (DST: 10.1.100.52)
• EMAIL: SGT 30 (DST: 10.1.200.100)

Enforcement matrix, source SGT against destination SGT:

SRC \ DST | WEB (20) | EMAIL (30)
Employee (5) | SGACL-A | SGACL-B
BYOD (7) | Deny | Deny
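The enforcement step of the walkthrough above, as an added example that is not code from the deck or from Cisco: the SGT numbers, server addresses and the SRC\DST matrix are the slide's, while the ACE contents of SGACL-A and SGACL-B, the role-to-SGT table and the decide/enforce helper names are assumptions made for this example.

```python
# Added example, not code from the BRKSEC-2008 deck: the TrustSec enforcement
# step from the slide above. SGT numbers, server addresses and the SRC\DST
# matrix come from the slide; the contents of SGACL-A and SGACL-B are not shown
# there, so the ACEs below are assumptions made for this example.
from typing import Dict, List, Optional, Tuple

# Source classification happens at authentication (role -> SGT); assumed table.
SOURCE_SGT: Dict[str, int] = {"Employee": 5, "BYOD": 7}

# Destination classification: the FIB lookup for the server yields its SGT.
DEST_SGT: Dict[str, int] = {"10.1.100.52": 20, "10.1.200.100": 30}   # WEB, EMAIL

# Enforcement matrix from the slide: (source SGT, destination SGT) -> policy name.
SGACL_MATRIX: Dict[Tuple[int, int], str] = {
    (5, 20): "SGACL-A", (5, 30): "SGACL-B",
    (7, 20): "Deny",    (7, 30): "Deny",
}

# Assumed SGACL contents: (action, protocol, destination port), first match wins,
# with the implicit deny at the end that an IOS ACL has.
SGACLS: Dict[str, List[Tuple[str, str, int]]] = {
    "SGACL-A": [("permit", "tcp", 80), ("permit", "tcp", 443)],
    "SGACL-B": [("permit", "tcp", 25), ("permit", "tcp", 993)],
}

def lookup_policy(src_sgt: int, dst_ip: str) -> Tuple[Optional[int], str]:
    """Return (destination SGT, policy name) for a source tag and destination IP.
    An unclassified destination or a missing matrix cell falls back to Deny."""
    dst_sgt = DEST_SGT.get(dst_ip)
    if dst_sgt is None:
        return None, "Deny"
    return dst_sgt, SGACL_MATRIX.get((src_sgt, dst_sgt), "Deny")

def enforce(pkt: dict) -> str:
    """Apply the SGACL to a packet. The decision never reads pkt["src_ip"]:
    the same policy follows the user from wired to wireless to VPN."""
    _, policy = lookup_policy(pkt["sgt"], pkt["dst_ip"])
    if policy == "Deny":
        return "deny"
    for action, proto, port in SGACLS[policy]:
        if proto == pkt["proto"] and port == pkt["dst_port"]:
            return action
    return "deny"          # implicit deny at the end of the SGACL

def decide(user_role: str, src_ip: str, dst_ip: str, proto: str, dst_port: int) -> Tuple[str, str]:
    """Classify the source by role, then enforce; returns (policy name, verdict)."""
    pkt = {"src_ip": src_ip, "dst_ip": dst_ip, "sgt": SOURCE_SGT[user_role],
           "proto": proto, "dst_port": dst_port}
    return lookup_policy(pkt["sgt"], dst_ip)[1], enforce(pkt)

if __name__ == "__main__":
    # The slide's packet: Employee at 10.1.10.220 towards the web server
    print(decide("Employee", "10.1.10.220", "10.1.100.52", "tcp", 80))   # ('SGACL-A', 'permit')
    print(decide("BYOD", "10.1.10.221", "10.1.100.52", "tcp", 80))       # ('Deny', 'deny')
```

Changing the source address (the user roaming to wireless) leaves the verdict unchanged, which is the point of tagging by role instead of maintaining 5-tuple ACLs per subnet.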

TrustSec Brings Context into Network Visibility

Lancope: Anomaly detection

Network Visibility Tools in the Branch: Next Generation IPS

What is Next Generation IPS?
• Must contain the functionality of 1st generation IPS
• Full stack visibility
• Application awareness
• Context awareness
• Content awareness
• Agile engine

Why do I need Next Generation IPS (NGIPS)?

Control
• AUTOMATE your control mechanisms
• ACT
  • Enforce policy
  • Detect and Block active compromise attempts
• REPORT
  • Report on indications of compromise
  • Provide forensics data (continuous and point in time)
  • Provide an additional source for host to host communications records (a second place to send NetFlow data)

FireSIGHT: More Contextual Awareness and Visibility

FireSIGHT adds the ability to:
• Get detailed contextual awareness including real time network analysis
• Obtain detailed information on host, OS, running applications, services hosted, host vulnerabilities, geolocations, users and many more
• Get a network file trajectory that provides the file path and information about the point of origin

Agenda: Evolving the Branch

Evolving the Branch: Improving the Secure Branch User Experience
• Technology Trends
• Leveraging Virtualization
• Prioritizing Critical Business Applications
• Connecting the Cloud

Technology Trends in the Branch Office: Infrastructure Centralization Improves IT Efficiency

[Figure: Mail Servers, File Servers, Web Servers, Voice Systems, Storage and Security Infrastructure move out of the Branch Office into the Data Center/Cloud, reached over the WAN/Internet.]

Simplified IT Operations, Higher Resource Use, Cost Savings

Limitations of Centralized Infrastructure: Reliance on WAN Affects User Experience
• Performance: WAN speed limitations (latency, bandwidth). Performance targets may require local processing.
• Availability: WAN quality limitations (reliability, congestion). Availability targets may require local survivability.
• Compliance: off-site data limitations (privacy, access). Compliance policies may require local presence.

The Lean Branch Office: Balancing IT Efficiency and User Experience

Three models, each connecting the Branch Office to the Data Center/Cloud over the WAN/Internet:

Serverless Branch
• No local servers
• Full reliance on WAN
• Simplicity, low cost
• No service guarantees

Lean Branch
• 4-5 local servers
• Full reliance on WAN except for mission-critical applications

Full-Service Branch
• All servers local
• No reliance on WAN
• Complexity, high cost
• Service guarantees

Branch Challenges: Need for Converged Branch IT

Reduce Branch Complexity
• Management Complexity
• Branch Footprint
• OpEx, Power, Cooling

Business Agility
• Increased Productivity
• Lower Costs

Services to converge in the branch: Compute and Storage, Unified Communications, WAN Optimization, WAN Path Control, QoS, Application Visibility, Threat Defense, VPN Services

Network and Compute Performance for All Office Sizes: Cisco ISR 4400/4300 Series
• ISR 4321: 50-100 Mbps
• ISR 4331: 100-300 Mbps
• ISR 4351: 200-400 Mbps
• ISR 4431: 500-1000 Mbps
• ISR 4451-X: 1-2 Gbps

[Chart: Cisco ISR G2 WAN Access Speeds with Services. Models plotted by WAN access speed with services enabled: 800, 1921, 1941, 2901, 2911, 2921, 2951, 3925, 3945, 3925E, 3945E, spanning 10 Mb to 350 Mb; WAN access types along the axis: EFM Subrate FE, VDSL2+/Sub-rate FE, Line Rate FE+, Line Rate N x FE.]

Cisco ISR G2

Cisco UCS E-Series Network Compute Engine: Compact, Multipurpose Blade Housed in ISR G2 – UCS-EN120E

Cisco UCS E-Series Single-Wide Blade: Compact Blade Housed in Cisco ISR G2 and ISR 4000 Chassis – UCS-E140S M2
• Intel® Xeon® E3 Family quad-core processor
• 8, 12, and 16 GB DRAM options
• Up to 2 SATA, SAS, or SSD hard drives
• On-board hardware RAID 0/1 with hot-swappable capability
• One external and two internal GE ports
• 10/100 Ethernet management port
• USB 2.0 port for external device connectivity
• KVM console connector
• Configuration and management through CIMC
• Remote and schedulable power management
• iSCSI initiator hardware offload
• Two SD cards: one for the CIMC and temporary storage of the OS, one for a blank virtual drive
• Maximum 65 W power draw, 80 percent less than a server
• Wire-free, plug-and-play modularity, low shipping weight (2.5 lb/1.1 kg)

Cisco UCS E-Series Double-Wide Blade: Multipurpose Blade Housed in ISR G2 and ISR 4000 Chassis – UCS-E160D/UCS-E180D
• Intel Xeon E5-2400 Quad-Core/Six-Core/Eight-Core processor
• 8 GB – 96* GB DRAM options
• Up to 3 SATA, SAS, SSD hard drives, or 2 HDD and a PCIe card
• On-board hardware RAID 0, 1, and 5 configuration options with hot-swappable capability
• Two external and two internal GE ports with TCP/IP acceleration
• Front-panel VGA, 2 USB, and serial console connectors
• Out-of-band configuration and management through CIMC
• Remote and schedulable power management
• iSCSI initiator hardware offload
• Two SD cards: one for the CIMC and temporary storage of the OS, one for a blank virtual drive
• Maximum 130 W power draw, 80 percent less than a server
• Wire-free, plug-and-play modularity, low shipping weight (7 lb / 3.2 kg)

UCS E-Series Portfolio

Cisco UCS-E140S
• SKU: UCS-E140S-M2/K9
• Cores: 4
• RAM: 8-16GB (2 DIMMs)
• HDD: 2 hard-drives, available in 3 SSD, SAS and SATA options

Cisco UCS-E160D
• SKU: UCS-E160D-M2/K9
• Cores: 6
• RAM: 8-48GB (3 DIMMs)
• HDD: 3 hard-drives, available in SSD, SAS and SATA options

Cisco UCS-E180D
• SKU: UCS-E180D-M2/K9
• Cores: 8
• RAM: 8-48GB (3 DIMMs)
• HDD: 3 hard-drives, available in SSD, SAS and SATA options

Cisco UCS-EN120S
• SKU: UCS-EN120S-M2/K9
• Cores: 2
• RAM: 4-16GB (2 DIMMs)
• HDD: 2 hard-drives, available in 2 SAS and SATA options

Cisco UCS-EN120E
• SKU: UCS-EN120E
• Cores: 2
• RAM: 4-8GB (1 DIMM)
• HDD: up to 200GB SSD storage

Cisco UCS E-Series Server Hypervisor and OS Support

VMware Hypervisor
• VMware vSphere Hypervisor™ 5.0.1
• VMware vSphere Hypervisor™ 5.1
• VMware vSphere Hypervisor™ 5.5

Other Hypervisors
• Hyper-V (Windows 2008 R2, 2012 R2)
• Citrix XenServer 6.0

Microsoft Windows
• Windows Server 2008 R2 Standard 64-bit
• Windows Server 2008 R2 Enterprise 64-bit
• Windows Server 2012, 2012 R2

Linux
• Red Hat Enterprise Linux 6.2
• SUSE Linux Enterprise 11, service pack 2
• Oracle Enterprise Linux 6.0, update 2

Who supports what:
• ISR Chassis: hardware support provided by Cisco®
• Cisco® UCS E-Series Server Module: attached to the ISR and supported by Cisco SMARTnet; UCS E-Series hardware is supported under ISR SMARTnet at no additional cost
• Hypervisor: purchased separately and supported by the OS / hypervisor vendor; VMware Embedded Software (ESX and Foundation) is supported by ISR SMARTnet

Cisco ISR 4451-X Converged Branch Infrastructure Solution

Technology Consolidation for Branch Services: Unified Communications, Server Blades with Storage, Security, WAN Optimization, Mobility, Routing

Management Interface
• Connects the control plane directly to a management network

Front Panel GE
• 4 RJ45/SFP GE Interfaces
• PoE available on 2 Interfaces

Network Interface Modules (NIM)
• Larger & more powerful than EHWICs
• Up to 8 ports per module
• DSPs directly on modules

Optional Drive NIM for Embedded Applications
• RAID 1 for data protection
• Single HD (future) & Dual SSD Options

Extended Service Modules
• Compatible with ISR G2
• Up to 10Gb connection to system
• Faster & more powerful than SMs

SM-X Layer 2/3 EtherSwitch® Service Module (SM-X)
• Capable of PoE+ (30W), MACsec and Cisco TrustSec
• Simplified licensing for upgrade to Layer-3 features

Enable Advanced Threat Protection Across Branches

HIGH PERFORMANCE VPN: DMVPN, GET VPN, FlexVPN
• Up to 1.3 Gbps encryption
• Advanced encryption (Suite B)
• Integrated crypto without additional hardware

ADVANCED THREAT DEFENSE: FirePOWER IPS & IDS
• Industry leading network intrusion detection & prevention
• Integrated on UCS E-Series blades

CLOUD WEB SECURITY: CWS with Advanced Malware Protection
• Real-time web filtering with AVC
• Threat analytics for the full continuum: Before, During, After

CONSISTENT POLICY ENFORCEMENT: TrustSec with Identity Services Engine
• Single source for policy rules
• Context aware
• 80% reduction in rules and policy

Cisco FirePOWER Threat Defense for ISR: Centralized Policy, Distributed Enforcement

[Figure: FireSIGHT management at HQ, connected over VPN to several Branch Offices where the FirePOWER enforcement runs.]

Cisco Cloud Intelligent Network: Delivering Optimal Experience, Pervasive Security, and Simplified Operations

[Figure: Branch Office (ISR G2), Campus / Data Center (ASR 1K) and Cloud (CSR 1KV) form the Cloud-Ready Platforms layer under common Management and Policy. Cloud-Ready Network Services on those platforms: Visibility, Optimization, Collaboration, App Hosting, Security. Cloud Connectors reach Private/Public/Hybrid clouds, 3rd Party Web Security, Cloud Storage, Collaboration and Survivability services.]

[Figure: CSR 1000V placement. A physical server runs a hypervisor and a virtual switch inside a VPC/vDC; the CSR 1000V (route processor, RP, and forwarding plane, FP) runs as a VM alongside the application VMs (OS + App).]

CSR 1000V - Cloud Ready Router
• IOS-XE code base
• Comprehensive feature set
• Infrastructure Agnostic
  • Cisco UCS, Dell, HP, etc. - Intel and AMD processors supported
  • Runs on vSwitch, dVS, N1KV, etc.
  • VMware ESXi 5.1, Citrix XenServer 6.1, KVM – RHEL 6.3, RHEV 3.1 supported
  • Amazon AMI support
• Footprint
  • 4 vCPU, 2 vCPU, 1 vCPU supported. Note: 2 physical cores * 2 = 4 vCPU with Hyperthreading
  • 2.5 GB/1 vCPU [default], 4 GB/4 vCPU
  • 8 GB HD – Local, SAN, NAS supported

Single-Tenant Gateway in the Cloud: Can be deployed by Enterprises or Cloud Providers

[Figure: Enterprise A and Enterprise B branches (ISR) connect through an ASR and the WAN to a Cloud Provider data center, where each enterprise has its own CSR 1000V behind the Data Center WAN Router.]

Current Use Cases
• MPLS CE Router (vCE)
• Network Services – VPN Gateway, Control Point
• Hybrid Cloud Connectivity – L2/L3 Extension

Potential Use Cases
• MPLS PE Router (vPE)
• Control Plane Function – Route Reflector
• Military Apps – MANET/Radio-aware Routing

Additional Information & Reference Materials
• Try it for yourself – go to dCloud – http://dcloud.cisco.com
  • FirePOWER Labs
  • TrustSec Labs
  • IWAN Labs
  • Lancope Labs
  • Much more…
  • Use your CCO account to gain access
• Next Generation Cryptography: http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html
• Cisco’s Annual Security Report: http://www.cisco.com/c/en/us/products/security/annual_security_report.html

Q & A

Agenda: Closing Remarks

What about the sharks?

Promote Your Favorite Speaker and You Could Be a Winner

Participate in the “My Favorite Speaker” Contest
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
  • Your favorite speaker’s Twitter handle - @CCIE42683
  • Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin

Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.

Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

• Related sessions

• Threat Defense Demo in The Hub – Live traffic from the show’s Internet connection

• Whisper Suites - Cisco FirePOWER Threat Defense for ISR

Thank you