
Securing My SP Network

BRKSEC-2004

Michael Geller – Principal Engineer, CTAO

#clmel
Rules of the Game!
• Silence your phone, pda, pager, mp3 player…
• At CiscoLive! your evaluation is extremely important
• Please remember to wear your badge at all times
• Please visit the World of Solutions

• PLEASE! Ask questions any time

BRKSPG 2004 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Meet the Expert
• To make the most of your time at Networkers at Cisco Live 2015, schedule a
Face-to-Face Meeting with top Cisco Engineers.
• Designed to provide a "big picture" perspective as well as "in-depth" technology
discussions, these face-to-face meetings will provide fascinating dialogue and a
wealth of valuable insights and ideas.
• Visit the Meeting Centre reception desk located in the World of Solutions.

Prerequisites
• Before attending this session, you should be familiar with basic security concepts as they apply to networks and business outcomes
• Some familiarity with Virtualisation, SDN and NfV is helpful, but not mandatory
• Come with thoughts about how security fits in the way you run your business today and the impact of the cloud

Objectives
• This session targets hosted security services for Enterprises and Service
Providers
• Understand the impact of orchestration & automation for hosted security
• Cool applications of elastic security services delivered from the cloud
• Performance and scalability considerations
• Security services with NfV and SDN
• Future thinking applications of security from the Cloud to YOUR network

Agenda
• Introduction
• The Hosted Security Service Architecture
– Architecture
– HSS: Architecture and Demonstration
– CloudVPN: Architecture and Demonstration
• Conclusion

IT Transformation
• More devices and more apps mean the attack surface has increased, and attack tools are evolving, too
• The hardware we use has never changed so fast
• Do more with less
• Users will get stuff done any way they can
End Customer Expectations
• On-Demand & Real Time Customer Requirements coupled with amazing & custom user experiences
• Multiple Applications, No Limit to “Environment” or Cloud
• New Consumption Models & Multiple Roles Consuming Cloud Differently; Products, Solutions & Application types (Developer -> IT -> Business User)
• Cross-Environment Requirements: Public, Private, Hybrid for App Development, Delivery/Deployment, Operation & Maintenance, Add-Ons & Customisation
• New Economies of Scale & One Size Doesn’t Fit All
[Figure: Public (AWS, GOOG, Azure, etc), Hybrid (mix of Public & Private on SP infrastructure) and Private cloud; seamless end-to-end experiences across workload size & type, required regardless of app, service or environment; secure flexibility is a critical requirement]
Transformations in Business & Models for Success
Delivering on User Experience Inside & Outside of Your Business Ecosystem
Where Would You Like to Be? What is Your Business Value?

Support the Business:
• Reduce Costs & Streamline Business Operations
Enable the Business:
• Support business-side functions and opportunities proactively
• The model allows for faster time to market
• Allows SP to address new market segment (SMB)
Become a Business:
• Drive new operational excellence and business opportunity via technology innovation
Become THE Business:
• The Go-To-Business for insight, innovation, new ideas, proactive business offerings and new opportunities via technology
• Central Hub of Business & Ecosystems

Technology + Business Driving New Markets & Revenue
Your Business is the Required Central Hub
Business Case Modelling to Ensure Profitable Business

Market Opportunity
Cloud Service Delivery Shows Higher Growth, but CPE Based Still Growing
[Figure: two charts, "Worldwide CPE-Based Service Revenue Share by Technology" and "Worldwide Cloud-Based Service Revenue Share by Technology"; y-axis Revenue (US$ Billions), x-axis CY10 to CY18; series: IDS/IPS, DDoS mitigation, Other security services, Managed firewalls, Content security]

© Infonetics Research: Cloud and CPE Managed Security Service Market Size and Forecasts, March 2014
Transition to All-virtualised Services?
All SP services are virtualising …
• Drivers:
– Reducing total OpEx and CapEx
– Increased service velocity and agility
– Increasing services revenue
[Figure: Offering (Product / System / Service) versus Implementation (HW Appliance / Virtualise existing functions / SAAS-based solutions). Some services move straight to SAAS (Scansafe, Webex, SDVPN, HCS); SP Video, L2 / L3 SP VPN, Mobile GWs and Ent CPE Managed Services are SP infrastructure services transitioning to NFV and IAAS, which can be leveraged to offer SAAS]
Cisco Security as a Service Solutions
Service Provider Turnkey (Virtual Private Cloud): Hosted Security Solution & CloudVPN
– SP-Hosted Firewall, VPN, IPS, Email, and Web Security Services
Public Cloud: Cisco Managed Security Cloud
– Cisco or SP-Hosted, Cisco-Run Web Security Services
The New Security Model
Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Network, Endpoint, Mobile, Virtual, Cloud
Telemetry Data, Threat Research, Advanced Analytics
Managing The Threat Lifecycle
Protecting the Infrastructure and Offering Elastic Managed Services
Attack Continuum
BEFORE (Control, Enforce, Harden): Firewall, VPN, NGFW, UTM, NAC + Identity Services
DURING (Detect, Block, Defend): NGIPS, Web Security, Email Security
AFTER (Scope, Contain, Remediate): Advanced Malware Protection, Network Behaviour Analysis, Forensic Analytics
DDoS Visibility/Mitigation Services
Visibility, Context, Autonomics and BCPs

Orchestration
• CloudVPN – Cloud Services Orchestration: Real Time application of the right service, in the right place, at the right time
• Quantum WAVE – WAN Orchestration: Real time topology and service health information
• HSS – UBIqube MS Activator: Security Domain Management
Firewall-aaS Tiers Example
[Tier table: feature categories NAT Address Translation, Stateful Inspection, High Availability and Advanced Management against Bronze / Silver / Gold service tiers; per-tier inclusion shown as Included or Option marks in the original graphic]
Firewall-aaS Tiers Example (Reference Slide)
Service Tiers: Bronze / Silver / Gold (per-tier Included or Option marks are in the original graphic)
NAT Address Translation
– NAT / PAT
Stateful Inspection
– L3 firewall
– Transparent firewall
– Proxy authentication
– Application hosting private zone
– Application control (IM, peer to peer)
– Voice security support
High availability
– Within SP data centre
– Between SP data centres
Management
– Customer self service portal
– Streamlined management
– Auto generated reporting
– Custom reporting
– Data log retention (1 month)
– Extended data log retention (> 1 month)
VPNaaS Tiers Example
[Tier table: feature categories Customer site to Cloud IPSec VPN service, Remote Access VPN, High Availability and Advanced Management against Bronze / Silver / Gold service tiers; per-tier inclusion shown as Included or Option marks in the original graphic]
VPNaaS Tiers Example (Reference Slide)
Service Tiers: Bronze / Silver / Gold (per-tier Included or Option marks are in the original graphic)
Customer site to Cloud IPsec VPN service
– Support for multiple crypto policies (DES, 3DES, AES …)
– Pre-shared key VPN authentication
– Digital certificate VPN authentication
– Multiple class of services / traffic prioritization policies
Remote access VPN
– IPSec based remote access VPN
– Client-less SSL remote access VPN
– Client-based SSL remote access VPN
– Authentication integration with enterprise's radius, LDAP, AD servers
– Basic authentication (username and password based)
– Strong authentication / token based authentication
– Digital certificate based authentication
High availability
– Active / Passive within SP data centre
– Active / Active within SP data centre
– Active / Passive between SP data centres
– Active / Active between SP data centres
Management
– Customer self service portal
– Streamlined management
– Auto generated reporting
– Custom reporting
– Data log retention (1 month)
– Extended data log retention (> 1 month)
Web Security-aaS Tiers Example
[Tier table: feature categories Real Time Threat Protection Services, Acceptable Use Services, Policy Control, High Availability and Advanced Management against Bronze / Silver / Gold service tiers; per-tier inclusion shown as Included or Option marks in the original graphic]
Web Security-aaS Tiers Example (Reference Slide)
Service Tiers: Bronze / Silver / Gold (per-tier Included or Option marks are in the original graphic)
Real time threat protection services
– Web reputation filtering
– Malware scanning
Acceptable use services
– Web URL monitoring by category
– Web URL filtering (blocking)
– Web application monitoring
– Web application control
– SaaS access control
– Transparent user authentication
– Advanced Malware Protection
Policy control
– Granular access and control policies
– Remote access user control policies
High availability
– Within SP data centre
– Between SP data centres
Management
– Customer self service portal
– Streamlined management
– Auto generated reporting
– Custom reporting
– Data log retention (1 month)
– Extended data log retention (> 1 month)
Email Security-aaS Tiers Example
[Tier table: feature categories Inbound Email Protection, Outbound Email Protection, Policy control, High availability and Advanced Management against Bronze / Silver / Gold service tiers; per-tier inclusion shown as Included or Option marks in the original graphic]
Email Security-aaS Tiers Example (Reference Slide)
Service Tiers: Bronze / Silver / Gold (per-tier Included or Option marks are in the original graphic)
Inbound email protection
– Reputation scoring and SMTP blocking
– Anti-spam
– Outbreak filters, Sophos anti-virus
– Inbound email content filtering
– Quarantine
– Advanced Malware Protection
Outbound email protection
– Anti-virus
– Outbound email content filtering
– Integrated RSA data loss prevention
– DLP RSA Enterprise Manager integration (Enterprise provided)
– Large volume Quarantine
Policy control
– Granular policy control
– Roaming users protection
High availability
– Within SP data centre
– Between SP data centres
Management
– Self service portal
– Streamlined management
– Auto generated reporting
– Custom reporting option
– Data log retention (1 month)
– Extended data log retention (> 1 month)
NGFW/IPSaaS Tiers Example
[Tier table: feature categories Application Visibility and Control (NGFW), Threat Protection (NGIPS), High Availability and Advanced Management against Bronze / Silver / Gold service tiers; per-tier inclusion shown as Included or Option marks in the original graphic]
NGFW/IPSaaS Tiers Example (Reference Slide)
Service Tiers: Bronze / Silver / Gold (per-tier Included or Option marks are in the original graphic)
Application Visibility and Control (NGFW)
– Network, User and Application Discovery
– Application Traffic filtering
– URL Filtering
– File Blocking (block xyz file type)
Threat Protection (NGIPS)
– IPS Basic Threat Protection Services (SNORT signatures)
– IPS premium security signatures and content
– Security Intelligence Feeds
– AMP (Advanced Malware Protection – disposition from the cloud/policy)
High Availability
– Configurable “fail open” – Appliance only
– “Fastpath” & Trust Rules – Exclude/Include velocity
Management
– Streamline Management
– IPS signature update
– Advanced/Custom Reporting
– Automated Policy Tuning – Advanced/Custom Policy Tuning
– Event Correlation – Customized Event Correlation Services
– Impact Analysis
Agenda
• Introduction
• The Hosted Security Service Architecture
– Architecture
– HSS: Architecture and Demonstration
– CloudVPN: Architecture and Demonstration
• Conclusion

Hosted Security as a Service Architecture
[Figure: three layers. Orchestration layer: Policy, Analytics, Reporting. Services layer: per-tenant service instances (Tenant 1, Tenant 2, Tenant 3) such as WSaaS, ESaaS, FWaaS, IDaaS, NGFW/IPSaaS and VPNaaS. Infrastructure layer: Hypervisor, Compute, Storage]
Security Service Examples:
• FWaaS – Firewall as a Service
• VPNaaS – Virtual Private Networking as a Service
• NGFW/IPSaaS – Next Generation Firewall and Intrusion Prevention System as a Service
• WSaaS – Web Security as a Service
• ESaaS – Email Security as a Service
• IDaaS – Identity as a Service
• DDoSaaS – Distributed Denial of Service as a Service
Two Hosted Security as a Service Solutions Converging
[Figure: Today – Hosted Security as a Service (HSS), VMware based, and CloudVPN, OpenStack based. Future – both converge into Virtual Managed Business Services]
Hosted Security as a Service
Hosted Security as a Service (HSS)
• Enables Cisco partners to deliver security services from their Cloud infrastructure
or as a managed private cloud offering
• Cisco’s virtual security appliance product (ESAV, WSAV, ASAV, …)
and third party products
• Comprehensive management system using UBIqube as a security domain manager
– Fulfillment
– Assurance
– Northbound API for integrating with Cloud Orchestration Solutions

• Solution supported with IaaS solution VMDC 2.3, testing with VSA 1.0 now
• Platform based on Cisco Unified Computing System (UCS)
• Flexible deployment models

HSS Architecture
[Figure: Orchestration layer (Policy, Analytics, Reporting) exposing Provisioning, Reporting and Billing APIs; Services layer with per-tenant WSAv, ESAv, ASAv and CSR1Kv instances for Tenant 1, Tenant 2 and Tenant 3; Infrastructure layer: VMware ESXi, Cisco UCS, Storage]
• Provisioning API, Reporting API and Billing API integrate with the SP's existing orchestration, reporting and billing infrastructure
• Delivered from service provider’s infrastructure
• UBIqube MSActivator used as the Security Domain Manager
• Orchestration SW interfaces with native appliance configuration mechanisms
• All customer data lives inside the SP Cloud environment
• Security on virtual form factor available today
VMDC 2.3 Expanded Gold Container
[Figure: Customer Site connects over MPLS VPN and Internet to an ASR1006 (Customer VRF and Global; shared transit VLAN and per-tenant VLAN). ASA5555 provides Remote Access VPN. Nexus 7004 holds the Customer PVT Outside VRF, Customer PVT Inside VRF and Customer DMZ VRF; ASA5585X Customer Private Context and Customer DMZ Context front the zones. Citrix/F5 load balancers, Nexus1000v with VSG, and UCS compute managed by vCenter. Zones: Private Zone - 3 VLANs, DMZ - 1 VLAN, SP Management. Not showing redundant nodes]
VMDC 2.3 Expanded Gold Container with HSS
[Figure: the VMDC 2.3 Expanded Gold Container topology above (ASR1006, ASA5555 Remote Access VPN, Nexus 7004 VRFs, ASA5585X Customer Private and DMZ Contexts, Citrix/F5, Nexus1000v with VSG, UCS, vCenter) with HSS added: AD, DNS and MS Exchange in the customer Private Zone; WSAV and ESAV with M1 management interfaces in DMZ 1 and DMZ 2; UBIqube in SP Management. Zones: Private Zone 3 VLANs, DMZ 1 - 1 VLAN, DMZ 2 - 1 VLAN, SP Management. Not showing redundant nodes]
VMDC 2.3 Expanded Gold Container with HSS
ESAV Flows - Customer Hosted Email
[Figure: same topology as the preceding slide, with the ESAV mail flows for customer-hosted email (MS Exchange in the customer Private Zone) overlaid. Not showing redundant nodes]
VMDC 2.3 Expanded Gold Container with HSS
ESAV Flows - SP Hosted Email
[Figure: same topology as the preceding slides, with the ESAV mail flows for SP-hosted email (MS Exchange) overlaid. Not showing redundant nodes]
VMDC 2.3 Expanded Gold Container with HSS
WSAV Flows
[Figure: same topology as the preceding slides, with the WSAV web traffic flows overlaid. Not showing redundant nodes]
HSS Phase 1 Components

HSS Components – Version
• VMDC Expanded Gold Container – 2.3
• WSAV – 7.7.5
• ESAV – 8.0
• UBIqube MSActivator – 13.1
• VMware vSphere – 5.1
• VMware vCenter – 5.0

Cloud Orchestration Options – Version
• Cisco Intelligent Automation for Cloud (CIAC) – 4.0
• BMC Cloud Lifecycle Manager – V3.1SP1
VMDC 2.3 Expanded Gold Container
VMDC 2.3 Component – Version – HSS Required/Recommended/Optional?
• Unified Computing System (UCS) – 2.0(4b) – UCS B or C required
• ASR 1000 – IOS XE 3.7.1S – Cisco 7600/ASR 1000/ASR 9000 recommended
• ASA 5555-X (RA) – 9.0.1 – Recommended
• ASA 5585-X (FW) – 9.0.1 – Recommended
• Nexus 7000 – NX-OS 6.1(3) – Recommended
• Nexus 5548 – NX-OS 5.2(1)N1(2) – Recommended
• Nexus 1010 – NX-OS 4.2(1)SP1(5.1) – Optional
• Nexus 1000V – NX-OS 4.2(1)SV2(1.1) – Optional
• Virtual Security Gateway (VSG) – NX-OS 4.2(1)VSG1(4.1) – Optional
• Prime Network Management Controller (PNMC) – 2.0(3f) – Optional
• Citrix Netscaler VPX, SPX – 10.1 – Citrix or F5 recommended (if needed)
• NetApp FAS – ONTAP 8.1.1 – NetApp or EMC recommended
VSA 1.0 Gold Container with HSS
VSA 1.01 Use Case – Gold Container with HSS: CSR1Kv, WSAV, ESAV
[Figure: AD, DNS and MS Exchange behind a CSR1Kv; WSAV and ESAV with P1 and M1 interfaces; UBIqube and vCenter on the management side]
VSA 1.0 Gold Container with HSS
VSA 1.02 Use Case – Gold Container with HSS: ASAv, WSAV, ESAV
[Figure: AD, DNS and MS Exchange behind an ASAv; ESAV and WSAV with P1 and M1 interfaces; UBIqube and vCenter on the management side]
VSA 1.0 Gold Container with HSS
VSA 1.03 Use Case – Gold Container with HSS: CSR1Kv, ASAv, WSAV, ESAV
[Figure: AD, DNS and MS Exchange behind a CSR1Kv and an ASAV; ESAV and WSAV with P1 and M1 interfaces; UBIqube and vCenter on the management side]
HSS Security Domain Management
Demo: HSS
HSS References
• Hosted Security as a Service Documentation
– www.cisco.com/go/hss
• Cisco Content Security Virtual Appliance Installation Guide
– www.cisco.com/en/US/docs/security/content_security/virtual_appliances/Cisco_Content_Security_Virtual_Appliance_Install_Guide.pdf
• Knowledge Base and Support Tools
– www.cisco.com/en/US/products/ps10154/tsd_products_support_series_home.html

CloudVPN
CloudVPN at a Glance
[Figure: Orchestration layer (Svc. Lifecycle Mgt., Policy Provisioning, Net+Svc. Analytics, Reporting) exposing Provisioning, Reporting and Billing APIs; Services layer with per-tenant service chains for Tenant 1, Tenant 2 and Tenant 3 built from CSR1Kv, ASAv, WSAV, ESAV, IPSv and vDDoS; Infrastructure layer: KVM, Compute, Storage]
• Provisioning API, Reporting API and Billing API integrate with the SP's existing orchestration, reporting and billing infrastructure
• Rapid provisioning/Ops Portal
• Standard YANG models
• All customer data lives inside the SP Cloud environment
• Appliance plus Virtual Services chained together
• Orchestration of Network + Service Topology
• Service lifecycle management + elasticity + workload placement
• IPv6 deployed here
Hosted Security as a Service
• Security is all about two concepts: Visibility & Control
• Threats are mitigated as close to the source as possible
• Security services are dynamically chained together and instantiated to form a service chain to mitigate a specific threat and/or to provide a managed security service on distributed compute resources
• Threat defence provides a distributed capability to mitigate threats – targeted at the network, the Data Centre, the Cloud and the applications that they serve
[Figure: places in the network – Endpoints and Customer Premises Equipment; Cable or DSL; Service Provider Network and Edge; Enterprise Data Centre; Private Cloud; Virtualised SP; Internet and Intercloud; Mobility; Public & Partner Cloud]
Elastic Security Services – Places in the Network
[Figure: Orchestration/Management & API per vService via a Ubiquitous Controller. Customer Residential traffic enters through an Ethernet Access Node (Satellite, EoMPLS, MPLS-TP, etc) to an A9K Cluster providing Internet, L2 VPN and L3 VPN, alongside an Elastic Service Cloud (UCS, IronPort). VSM/On Box Compute Resources run a hypervisor hosting IPSec, DDOS Security, vASA, vWSA, DPI and 3rd Party services, with an NBI to the controller]
• Virtualised Services at the Edge
• Redirect to cloud to scale elastically
• SDN based management orchestration for monitoring and control
Same virtual services on the edge and in the cloud, managed through a common central monitoring and orchestration system
NfV Security Services and Securing NfV
• Components:
– Evolved IP+Optical network architecture
– DC infra + virtualisation
– Unified orchestration platform – Openstack focussed
– Real-time OSS
– Virtual service “on-boarding”
[Figure: layered NFV architecture. 1 Physical Packet / Optical Network (Core + Access). 2 NFVI with Virtual Infrastructure Management (VIM): virtual compute / storage / network over physical compute / storage / network, with network control (AWS, VMware, APIC, vPE, Openstack, Nova). 3 Cloud Service Orchestration – NFVO: service catalog, workflow, resource management, assurance. 4 OSS/BSS: real time OSS. 5 VNF Domain with VNF Manager(s) – VNFM: VM/storage elasticity & service control, tenant “onboarding”, virtual functions (VNF VMs such as vASA and CSR), unified orchestration platform, service model]
How To Dynamically Build and Test Services
The Innovation Pod Program

Secure Cloud Services
Fully Flexible, Modular & Pluggable into Your Existing Infrastructure
[Figure: Service Creation & Delivery System & Portal. Customer Portal: easy onboarding of new services and service creation, automated & on-demand; shopping cart of automation, service delivery and in-app purchases. Admin Portal: GUI, OSS/BSS open API integration, choice of systems management. Service design GUI and integration tooling; management of customers, service onboarding and monitoring]
[Figure: portal screenshots. Service Design (My Designs, My Deployments, Deployment Wizard) with the workflow Create, Select Scope, Deliver, Deploy, Operate, Optimize; roles and systems shown: Operator BSS, End-User, Engineering, Testing, Portal Systems]

vMS Architecture – A Deeper Look
[Figure: RESTCONF / UICONF northbound into NCS (confd, service models, fastmap, reactive fastmap, Tailflow, NEDs, device models) and ESC (virtual infrastructure lifecycle, O/S component APIs, virtual infrastructure manager). Config & Operation flow down to the IP Network: VR_CSR and VFW_vASA on x86 in the Data Centre, MPLS WAN, ISR at the customer site, Cloud Service]
vMS – A deeper view
[Figure: Portal & Service Catalog (PSC) with Billing, Ticketing, Product, Operations, Customer Portal, Mgmt Portal and CMDB; Service Orchestration & Provisioning (TAIL-F NCS) with VTC, and ESC handling VNF Lifecycle and VM Lifecycle over Openstack; Service Provisioning injects routes into the L3VPN; VNFs vFW, vWSA, vIPS and vESA deployed as NFV - CPE, NFV - DCI and NFV - Fabric over IP/MPLS and Compute]
Centre of vMS Orchestration
Tail-f Network Control System Overview
[Figure: Management Applications and Network Engineers reach Tail-f NCS via REST, Java, NETCONF, network-wide CLI and Web UI. NCS comprises a Service Manager and a Device Manager driven by Service Models and Device Models; Network Element Drivers speak NETCONF, CLI, SNMP, REST, etc. to devices, applications and controllers; end-to-end transactions]
• Multi-vendor service orchestrator for existing and future networks
• Single pane of glass for:
– L2-L7 networking
– Hardware Devices
– Virtual Appliances
– OpenFlow Switches
• Provides abstractions based on:
– Data models
– Transactions
• Sold to service providers
• Perpetual license
vMS Service Bundles
• (1) Internet Access (IA), FWaaS, VPNaaS
– CSR1kv, vASA with NAT, FW, RA.
• (2) IA, FWaaS, VPNaaS and WSaaS
– CSR1kv, vASA, vWSA
• (3) IA, FWaaS, VPNaaS and Next-Gen IPSaaS
– CSR1kv, vASA, vWSA, vNG-IPS(SourceFire)
• (4) IA, FWaaS, VPNaaS and IdentityaaS
– CSR1kv, vASA, vISE with NAT, BYOD, Policy, TrustSec
• (5) IA, FWaaS, VPNaaS and ESaaS
– CSR1kv, vASA, vESA
• (6) IA, FWaaS, VPNaaS and DDoSaaS
Flexibility for other variations based on marketing needs
CloudVPN Business Services:
Use Case 1: CloudVPN with Internet, Firewall (FW), Remote Access (RA)
Cloud IPVPN with FW and Remote Access to Internet
• Cloud-Hosted Management
• Scalable, elastic, on-demand
– vFW with NAT and Policy
– vFW with IPSec/SSL Remote Access including Remote End-Host posture verification
Overlay Packet Tunnels
– Keyed IPv6 tunnels - mesh, hub&spoke;
– IPSec tunnels – mesh, hub&spoke if keyed IPv6 tunnels not supported;
[Figure: CPE sites connect over the Internet to the SP Cloud hosting a VR Router and vFW, which provide access to the Internet]
CloudVPN Business Services:
Use Case 2: CloudVPN with Internet, FW, RA and Enhanced Web Security
Cloud IPVPN with FW and Remote Access to Internet
• Cloud-Hosted Management
• Scalable, elastic, on-demand
– vFW with NAT and Policy
– vFW with IPSec/SSL Remote Access including Remote End-Host posture verification
– WSAv for Enhanced Web Security
Overlay Packet Tunnels
– Keyed IPv6 tunnels - mesh, hub&spoke;
– IPSec tunnels – mesh, hub&spoke if keyed IPv6 tunnels not supported;
[Figure: CPE sites connect over the Internet to the SP Cloud hosting a VR Router, vFW and WSAv, which provide access to the Internet]
CloudVPN Business Services:
Use Case 3: CloudVPN with Internet, FW, RA and Next-Gen-IPS
Cloud IPVPN with FW and Remote Access to Internet
• Cloud-Hosted Management
• Scalable, elastic, on-demand
– vFW with NAT and Policy
– vFW with IPSec/SSL Remote Access including Remote End-Host posture verification
– vNG-IPS (SourceFire) for advanced threat protection and real-time contextual awareness
Overlay Packet Tunnels
– Keyed IPv6 tunnels - mesh, hub&spoke;
– IPSec tunnels – mesh, hub&spoke if keyed IPv6 tunnels not supported;
[Figure: CPE sites connect over the Internet to the SP Cloud hosting a VR Router, vFW and vNG-IPS, which provide access to the Internet]
Virtual Security Workflows (Reference Slide)
SDN & NfV DDoS Infrastructure Protection & MSSP
[Figure: workflow callouts – Open Daylight brings up Compute and Storage; Installer is used for automation & for OSS system; used for provisioning of the chain service, network, reprograms the network and service, triggers the spin up of the chain; receives attack information out of the DefencePro App to mitigate automatically; Admin to book the Topology Interface. Topology: TeraVM Attack Gen; Per Tenant Orchestration Plugin; vDP Detection; vDP Network & Application DDoS Protection; vDP Perimeter Protection; Data Centre “Hosting”; Service PE with VRF Red, VRF Blue and VRF Green; WWW; SP Backbone; DCI Router; Customer Network 1 and Customer Network 2; vDP+vFW+vIPS Scrubbing Centre]
SDN Controller Visibility Application

SDN Controller: QoS Management Application

Self Learning Networks
Network as a Sensor for Ubiquitous Security
• DoS attacks get extremely hard to combat (“Subtle” and highly impactful)
• Highly Distributed
• From the Internet and within the network
[Figure: Distributed Analytics for Security spanning the Internet and a Private Cloud; several servers under attack (“Server Attack!”) and a saturated link]
Demo: CloudVPN
Agenda
• Introduction
• The Hosted Security Service Architecture
– Architecture
– HSS: Architecture and Demonstration
– CloudVPN: Architecture and Demonstration
• Conclusion

Cisco Cloud Security Services Solution Guidance
• Do you want to own, host and license cloud security services yourself?
– No: Explore Cisco Cloud Web Security, Cloud Email Security, Managed Threat Defence or Secure Ops as a Service options
– Yes: Do you plan to deploy in a KVM or VMware environment?
– KVM: Deploy Cisco CloudVPN, a virtual Managed Service (vMS)
– VMware: Deploy Cisco Hosted Security as a Service (HSS)
Summary
• Lower cost due to virtualisation.
• Faster time to service delivery (zero touch deployment, no truck roll), due to virtualisation and service provisioning automation.
• Operational simplicity due to virtualisation.
• Easy upsell for multi-service strategy for additional services and revenue with no additional truck roll.
• Value of multi-service strategy for virtualised managed security services and Cloud hosted services.
Call to Action
• Visit the World of Solutions for
– Cisco Campus – Security and Service Provider areas
– Campus Theatre Presentation on Wednesday at 6:30pm by Terri Quinn
• Meet the Expert
• Lunch time Table Topics
• DevNet Zone related labs and sessions
– CloudVPN
• Recommended Reading:
– HSS CVD link, www.cisco.com/go/hss
• We want to work with you, please contact us if you need help:
– Michael Geller – mgeller@cisco.com
– Albra Welch – albra@cisco.com
Q&A
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2015 T-Shirt!
Complete your Overall Event Survey and 5 Session Evaluations.
• Directly from your mobile device on the Cisco Live Mobile App
• By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/clmelbourne2015
• Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected in the World of Solutions on Friday 20 March 12:00pm - 2:00pm
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.CiscoLiveAPAC.com
