© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
A Network That Judges and Evolves on Its Own: Intent-Based Networking, Powered by Cisco DNA (Digital Network Architecture)

Agenda
1. Networking for a new era
2. The network evolving with Cisco DNA
3. Intent-based Networking
4. Supported platforms
5. Encrypted Traffic Analytics
By the year 2020 (statistics slide; the figures were not captured in the extracted text)
Every IT business today moves at the speed of software. So what about the network, the infrastructure underneath it?

The Old Way: to deploy site-based infrastructure……
Growing, diverse demands on the IT network

Expanding scope
• Lack of visibility into IT and the IT-driven business
• 63 million new devices coming online every second by 2020 (1)

Complexity
• Slow, error-prone manual operations
• Network operations workload up 3x (2)

Security
• Encrypted and increasingly sophisticated attacks
• New threat types detected every six months (3)

1. Gartner, "Gartner's 2017 Strategic Roadmap for Networking"
2. McKinsey, study of network operations for Cisco, 2016
3. Ponemon Institute, study on malware detection, March 2016
Have you ever thought about this?

① Can't we automatically block user behaviour that departs from the norm? (policy violations, attempted data exfiltration…)
"Among all those users, how do you even find it? And if you do find it, it's already too late by then. …And I'm supposed to keep watching for this all the time? With everything else I have to do.."

② Someone says "it's slow": who and how many are affected? What is the delay?
"Who is slow? What is the IP address? Is it the wireless AP, the server, the switch? What about other users? Did it happen yesterday too? Or is it only one particular service that's failing?"

The business user's "it's not working" question demands analysis across every piece of information available, against a growing number of connected and managed devices and a network operations workload that has tripled.
A security issue everyone felt first-hand recently: new threat types are detected every six months (3).
Intent-based Networking
With the old way of designing and operating the IT network, it is no longer possible to:
• keep users, devices and IoT devices separated from each other
• keep up with seamless mobility as users roam
• build secure connectivity to the cloud
• set up end-to-end security

(Diagram: HQ, a remote site and Branch A connected over the WAN, each carrying VLAN 1/2/3 with ACL 1/2/3 applied by hand per site.)
Why is this different?

In IBN the administrator only has to decide "what" should happen, and the system works out "how" to do it. -Zeus

Intent → Execution

• "I need to run a video conference at 10:00 AM…" → Set up the HD video connection; check end-to-end QoS priority; set video quality and performance; hold the settings for the duration of the call; restore the previous state after the meeting..
• "I need to roll out a new IoT app to monitor factory equipment.." → Carve out a VLAN for the new factory devices, segment the IoT app traffic from everything else, apply policy to it, and optimise the SLA...
• "We're opening a new branch and need to deliver a better service there" → Provision and configure the branch network, set up security for the staff, verify application performance...
• "The toilet is broken and needs fixing.." → Call facilities, find the contractor's number, call to schedule a visit, work out how the payment gets approved...
Intent-based Networking: a new guide for the network!!

"No more of yesterday's manual, by-the-book, repetitive IT…"
"Only the end result the operator wants from the IT network matters; everything else is automated through the system's self-running.."

The New Way: make the whole IT network intuitive and simple.. Express the INTENT.

The New Way: when a new building or branch comes along, simply add it to the fabric network and you are done.

The New Way, policy segmentation: users, devices and policy are all managed in one place….

The New Way, context: the network collects every piece of information (users, apps, devices, threats), acts on it and presents it back.
Encrypted Traffic Analytics
Protect the Business: Encrypted Traffic Analytics, visibility and malware detection without decryption

• ETA algorithms analyse multiple network data sources
• Malware and intrusions inside encrypted traffic are analysed without any separate decryption step, preserving security and privacy
• 99.99% detection accuracy
Encrypted Traffic Analytics overview

• Enhanced NetFlow with Encrypted Traffic Analytics from Cisco's newest switches and routers, built on Cisco's own hardware and software architecture
• Cisco® Stealthwatch® enhanced analytics and machine learning reduce threat investigation time and provide 99% threat detection accuracy and efficiency
• Global-to-local knowledge correlation results in higher precision of threat findings

Data path: network sensors export NetFlow plus encrypted-malware telemetry and crypto-audit telemetry to the flow collector(s); Stealthwatch sends the results over https to cognitive.cisco.com (Cognitive Analytics) for global correlation.
How are threats inside encrypted traffic detected?

• Initial Data Packet (IDP): make the most of the unencrypted fields of the first packet of the flow, such as the TLS ClientHello and the server certificate
• Sequence of Packet Lengths and Times (SPLT): identify the content type through the size and timing of packets
• Examples of what these surface: a self-signed certificate (from the handshake fields), data exfiltration and C2 messages (from the length and timing pattern)
• Threat intelligence map: a who's who of the Internet's dark side, broad behavioural information about the servers on the Internet
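The two telemetry features above, as an added worked example that is not Cisco's ETA code: the block builds a constructed TLS ClientHello, pulls the unencrypted fields (version, offered cipher suites, SNI) the way an Initial Data Packet collector would, turns a constructed packet list into an SPLT length-bin transition matrix in the style of the Markov-chain feature described in Cisco's published ETA research, and applies three illustrative heuristics (no SNI, only legacy cipher suites, periodic client beaconing). The bin size, the heuristic thresholds and the LEGACY_SUITES set are this example's choices, not ETA's classifier.

```python
"""Illustrative ETA-style features from a TLS flow: IDP fields and SPLT.
Constructed sample data; heuristics are this example's, not Cisco's."""
import struct

# Legacy suites chosen for this example: TLS_RSA_WITH_RC4_128_MD5, _RC4_128_SHA, _3DES_EDE_CBC_SHA
LEGACY_SUITES = {0x0004, 0x0005, 0x000A}


def build_client_hello(sni, cipher_suites):
    """Construct a minimal TLS 1.2 ClientHello record (sample input for this example)."""
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"        # version, random, empty session id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                             # one compression method: null
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type=host_name, length, name
        sni_ext = struct.pack("!H", len(entry)) + entry              # server_name_list
        exts += struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext   # extension type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """IDP step: read the cleartext fields of a ClientHello record without any decryption."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:]                                               # skip record (5) + handshake (4) headers
    version = struct.unpack("!H", body[:2])[0]
    pos = 34                                                        # version (2) + random (32)
    pos += 1 + body[pos]                                            # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                            # compression methods
    sni = None
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x0000:                                     # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                sni = body[pos + 5:pos + 5 + name_len].decode()
            pos += elen
    return {"version": version, "cipher_suites": suites, "sni": sni}


def splt_transition_matrix(packets, bin_size=150, nbins=10):
    """SPLT step: Markov transition matrix over packet-length bins.
    packets: list of (timestamp_s, length) with negative length = server->client.
    bin_size and nbins are this example's choice."""
    def bucket(n):
        return min(abs(n) // bin_size, nbins - 1)
    counts = [[0] * nbins for _ in range(nbins)]
    lengths = [length for _, length in packets]
    for a, b in zip(lengths, lengths[1:]):
        counts[bucket(a)][bucket(b)] += 1
    return [[c / sum(row) if sum(row) else 0.0 for c in row] for row in counts]


def client_interarrival_cv(packets):
    """Coefficient of variation of client->server inter-arrival times; near 0 means a fixed beacon interval."""
    times = [t for t, length in packets if length > 0]
    if len(times) < 4:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return None
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return (var ** 0.5) / mean


def score_flow(record, packets, beacon_cv=0.1):
    """Illustrative verdict combining IDP and SPLT features; returns the list of reasons that fired."""
    hello = parse_client_hello(record)
    reasons = []
    if hello["sni"] is None:
        reasons.append("no SNI")
    if hello["cipher_suites"] and all(cs in LEGACY_SUITES for cs in hello["cipher_suites"]):
        reasons.append("only legacy cipher suites offered")
    cv = client_interarrival_cv(packets)
    if cv is not None and cv < beacon_cv:
        reasons.append("periodic client beaconing")
    return reasons


# Constructed sample flows (not captured traffic): a browser session and a 60-second C2 beacon.
BROWSER_HELLO = build_client_hello("www.example.com", [0xC02F, 0xC02B, 0x009C])
BROWSER_PACKETS = [(0.00, 517), (0.05, -1460), (0.06, -1460), (0.07, -800), (0.10, 126),
                   (0.15, -51), (0.20, 180), (0.35, -1460), (0.36, -900), (3.20, 95), (3.30, -400)]
BEACON_HELLO = build_client_hello(None, [0x0004, 0x0005, 0x000A])
BEACON_PACKETS = [(t, length) for i in range(4) for t, length in ((60.0 * i, 300), (60.0 * i + 0.2, -200))]

if __name__ == "__main__":
    print("browser:", score_flow(BROWSER_HELLO, BROWSER_PACKETS))
    print("beacon: ", score_flow(BEACON_HELLO, BEACON_PACKETS))
```

The browser flow yields no reasons; the beacon flow fires all three. In production the SPLT matrix and IDP fields would be exported as flow telemetry and fed to a trained classifier rather than thresholded by hand, but the point the slide makes survives: every feature here comes from cleartext headers and packet metadata, and nothing in the payload is decrypted.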
Cybersecurity and network context: the Catalyst 9000 view of the data

• Talos threat intelligence
• Catalyst 9000 network context
• Machine learning identifies malware in encrypted traffic
• Network closed-loop response

(Diagram: three encrypted flows, a Google Search, a Firefox self-repair and Bestafera malware, from which machine learning identifies the malware.)
The Cisco Catalyst 9000 family enables an enhanced network-as-a-sensor with ETA

Stealthwatch® performs machine learning with enhanced behaviour analytics; ISE applies the mitigation, the two connected over pxGrid.

• The industry's most pervasively deployable solution for Encrypted Traffic Analytics
• Complements other encrypted traffic management solutions
• Based on network telemetry (no decryption)
• Line-rate performance
• Investment optimisation
• Simplified management
• Globally correlated threat intelligence

What making the network visible means… Cisco DNA:
• Constantly learning: support 100x new devices, apps and users
• Constantly protecting: see and predict issues and threats, and respond fast
• Constantly adapting: respond instantly to business demands with limited staff and budget
Framework of Cisco DNA

Pillars: Intent, Context, Security, Learning
• DNA Center: Analytics, Policy, Automation, Assurance
• Intent-based network infrastructure: switching, routers and wireless across the DC, branch and campus
Assurance by NDP: a single framework for ingestion

Types of collection

Data type                                          Data source           Mechanism                     Rate
Users, user group                                  AD, ISE               Pull (API)                    Triggered
Policy                                             ISE                   Subscription through pxGrid   Triggered
Location                                           APIC-EM, MSE          Built-in connector, pull      Triggered
Flow, applications                                 Network device        Push                          100K fps+
SNMP                                               Network device        Pull                          10,000 OIDs/min+
Logs, traps                                        Network device        Push                          10,000 msgs/min+
Topology, inventory, configuration, capabilities   APIC-EM               Built-in connector            1000 devices/request
IP address management, namespaces                  Infoblox, DHCP, DNS   Pull (API)                    1000 blocks/request
Wireless signaling, roaming data                   WLC/AP                Streaming                     Triggered
DNA Center high-level architecture

• Northbound open REST APIs (also consumed by 3rd-party IPAM)
• Cisco DNA Center: NDP, APIC-EM 2.0, ISE
• Southbound: telemetry protocols (NetFlow, SNMP, Syslog, streaming) and device management (CLI, SNMP, PnP, NETCONF)
• Physical, virtualised and cloud network infrastructure: wireless APs, Catalyst® 2000/3000, Catalyst 4000/6000, Cisco Nexus® 7000, WLC, ISR/ASR, NFV-IS
• Cisco Meraki™ through the Meraki® Dashboard API
Supported Platform

DNA Ready Platforms

Routing: ASR-1000-X, ASR-1000-HX, ISR 4430, ISR 4450, CSR 1000V
Switching: Catalyst 9300, Catalyst 9400, Catalyst 9500, Catalyst 3850 and 3650, Catalyst 4500E, Catalyst 6K, Nexus 7700
Wireless: AIR-CT3504, AIR-CT5520, AIR-CT8540, Wave 2 APs (1800, 2800, 3800), Wave 1 APs* (1700, 2700, 3700)
*with caveats

DNA Ready Platforms (switching detail)
• C9300 Series
• C9400 Series
• C9500 Series
• C3850/3650 Series
• C4500 Series (chassis)
• C4500-X Series
The Journey to the New Network

• Infrastructure readiness: open and programmable
• Policy-based automation: simplify and scale network deployment for cloud, mobile and IoT
• Analytics for assurance: predictive performance with machine learning
• Secure foundation: rapid threat detection and mitigation
• Intent-based network: constantly learning, adapting, protecting

Software-driven innovation