BRKSEC-2004
#clmel
Rules of the Game!
• Silence your phone, pda, pager, mp3 player…
• At CiscoLive! your evaluation is extremely important
• Please remember to wear your badge at all times
• Please visit the World of Solutions
BRKSPG 2004 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Meet the Expert
• To make the most of your time at Networkers at Cisco Live 2015, schedule a Face-to-Face Meeting with top Cisco Engineers.
• Designed to provide a "big picture" perspective as well as "in-depth" technology discussions, these face-to-face meetings will provide fascinating dialogue and a wealth of valuable insights and ideas.
• Visit the Meeting Centre reception desk located in the World of Solutions.
Prerequisites
• Before attending this session, familiarity with basic security concepts as they apply to networks and business outcomes
• Some familiarity with Virtualisation, SDN and NfV is helpful, but not mandatory
• Thoughts about how security fits in the way you run your business today and the impact of the cloud
Objectives
• This session targets hosted security services for Enterprises and Service Providers
• Understand the impact of orchestration & automation for hosted security
• Cool applications of elastic security services delivered from the cloud
• Performance and scalability considerations
• Security services with NfV and SDN
• Future thinking applications of security from the Cloud to YOUR network
Agenda
• Introduction
• The Hosted Security Service Architecture
– Architecture
– HSS: Architecture and Demonstration
– CloudVPN: Architecture and Demonstration
• Conclusion
IT Transformation
More devices and more apps mean the attack surface has increased, and attack tools are evolving, too
End Customer Expectations
On-Demand & Real Time Customer Requirements coupled with amazing & custom user experiences
Multiple Applications, No Limit to “Environment” or Cloud
New Consumption Models & Multiple Roles Consuming Cloud Differently; Products, Solutions & Application types (Developer -> IT -> Business User)
Cross-Environment Requirements: Public, Private, Hybrid for App Development, Delivery/Deployment, Operation & Maintenance, Add-Ons & Customisation
New Economies of Scale & One Size Doesn’t Fit All
Support the Business:
• Reduce Costs & Streamline Business Operations
Enable the Business:
• Support business-side functions and opportunities proactively
• The model allows for faster time to market
• Allows SP to address new market segment (SMB)
Become a Business:
• Drive new operational excellence and business opportunity via technology innovation and new opportunities via technology
Become THE Business:
• The Go-To-Business for insight, innovation, new ideas, proactive business offerings
• Central Hub of Business & Ecosystems
Market Opportunity
Cloud Service Delivery Shows Higher Growth, but CPE Based Still Growing
[Charts: Worldwide CPE-Based Service Revenue Share by Technology and Worldwide Cloud-Based Service Revenue Share by Technology; revenue in US$ billions, CY10 to CY18; categories: IDS/IPS, DDoS mitigation, Managed firewalls, Content security, Other security services]
© Infonetics Research: Cloud and CPE Managed Security Service Market Size and Forecasts, March 2014
Transition to All-virtualised Services?
All SP services are virtualising …
• Drivers:
• Reducing total OpEx and CapEx
• Increased service velocity and agility
• Increasing services revenue
[Diagram: the SP infrastructure (L2 / L3 VPN, SP Video, Mobile GWs, Ent CPE Managed Services) transitioning to an NFV / IaaS implementation; some services move straight to SaaS (Scansafe, Webex, SDVPN, HCS), and the SP offering can be leveraged to offer SaaS]
Cisco Security as a Service Solutions
• Cisco or SP-Hosted, Cisco-Run Web Security Services
• SP-Hosted Firewall, VPN, IPS, Email, and Web Services
The New Security Model
Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Firewall-aaS Tiers Example (BEFORE / DURING / AFTER)
Service Tiers: Bronze, Silver, Gold (Legend: Included)
Feature Categories:
• Stateful Inspection
• Customer site to Cloud IPSec VPN service
• Real Time Threat Protection Services
• High Availability
• Advanced Management
Web Security-aaS Tiers Example (BEFORE / DURING / AFTER) – Reference Slide
Service Tiers: Bronze, Silver, Gold
Real time threat protection services:
• Web reputation filtering
• Malware scanning
Acceptable use services:
• Web URL monitoring by category
• Web URL filtering (blocking)
• Web application monitoring
• Web application control
• SaaS access control
• Transparent user authentication
Advanced Malware Protection
Email Security-aaS Tiers Example (BEFORE / DURING / AFTER) – Reference Slide
Service Tiers: Bronze, Silver, Gold (Legend: Included / Option)
Inbound email protection:
• Reputation scoring and SMTP blocking
• Anti-spam
• Outbreak filters, Sophos anti-virus
• Inbound email content filtering
• Quarantine
• Advanced Malware Protection
Outbound email protection:
• Anti-virus
• Outbound email content filtering
• Integrated RSA data loss prevention
DLP:
• RSA Enterprise Manager integration (Enterprise provided)
Large volume quarantine
Policy control:
• Granular policy control
• Roaming users protection
High availability:
• Within SP data centre
• Between SP data centres
Management:
• Self service portal
• Streamlined management
• Auto generated reporting
• Custom reporting option
• Data log retention (1 month)
• Extended data log retention (> 1 month)
NGFW/IPSaaS Tiers Example (BEFORE / DURING / AFTER) – Reference Slide
Service Tiers: Bronze, Silver, Gold (Legend: Included / Option)
Application Visibility and Control (NGFW):
• Network, User and Application Discovery
• Application Traffic filtering
• URL Filtering
• File Blocking (block xyz file type)
Threat Protection (NGIPS):
• IPS Basic Threat Protection Services (SNORT signatures)
• IPS premium security signatures and content
• Security Intelligence Feeds
• AMP (Advanced Malware Protection – disposition from the cloud/policy)
High Availability:
• Configurable “fail open” – Appliance only
• “Fastpath” & Trust Rules – Exclude/Include velocity
Management:
• Streamline Management
• IPS signature update
• Advanced/Custom Reporting
• Automated Policy Tuning – Advanced/Custom Policy Tuning
• Event Correlation – Customized Event Correlation Services
• Impact Analysis
Hosted Security as a Service Architecture
[Architecture diagram: infrastructure layer with hypervisor]
Two Hosted Security as a Service Solutions Converging
Today:
• Hosted Security as a Service (HSS) – VMware based
• CloudVPN – OpenStack based
Future:
• Virtual Managed Business Services (HSS and CloudVPN converged)
Hosted Security as a Service
Hosted Security as a Service (HSS)
• Enables Cisco partners to deliver security services from their Cloud infrastructure or as a managed private cloud offering
• Cisco’s virtual security appliance products (ESAV, WSAV, ASAV, …) and third party products
• Comprehensive management system using UBIqube as a security domain manager
– Fulfillment
– Assurance
– Northbound API for integrating with Cloud Orchestration Solutions
• Solution supported with IaaS solution VMDC 2.3, testing with VSA 1.0 now
• Platform based on Cisco Unified Computing System (UCS)
• Flexible deployment models
HSS Architecture
[Diagram: orchestration layer exposing Provisioning, Reporting and Billing APIs towards the SP’s existing orchestration, reporting and billing infrastructure, with Policy, Analytics and Reporting functions; infrastructure layer on VMware ESXi]
VMDC 2.3 Expanded Gold Container
[Diagram: the Customer Site reaches the container over MPLS VPN (per-tenant VLAN) and the Internet (shared transit VLAN) through an ASR1006 (Customer VRF, Global); an ASA5555 provides Remote Access VPN; a Nexus 7004 holds the Customer PVT and Outside VRFs. Per-tenant zones: Private Zone (3 VLANs), DMZ 1 (1 VLAN), DMZ 2 (1 VLAN) and SP Management, built from Citrix/F5 load balancers, ASA5585X Private Contexts, Nexus1000v with VSG, WSAV, ESAV and MS Exchange on UCS, with UBIqube and vCenter in SP Management]
VMDC Expanded Gold Container 2.3, Cisco Intelligent Automation for Cloud (CIAC) 4.0, ESAV 8.0
VMDC 2.3 Expanded Gold Container
[Table: VMDC 2.3 Component | Version | HSS Required/Recommended/Optional?]
VSA 1.0 Gold Container with HSS
• VSA 1.01 Gold Container with HSS – Use Case: CSR1Kv, WSAV, ESAV
• VSA 1.02 Gold Container with HSS – Use Case: ASAv, WSAV, ESAV
• VSA 1.03 Gold Container with HSS – Use Case: CSR1Kv, ASAv, WSAV, ESAV
[Diagrams: each container hosts AD DNS and MS Exchange behind the CSR1Kv and/or ASAv, with WSAV and ESAV, and UBIqube and vCenter in management]
HSS Security Domain Management
Demo: HSS
HSS References
• Hosted Security as a Service Documentation
– www.cisco.com/go/hss
• Cisco Content Security Virtual Appliance Installation Guide
– www.cisco.com/en/US/docs/security/content_security/virtual_appliances/Cisco_Content_Security_Virtual_Appliance_Install_Guide.pdf
• Knowledge Base and Support Tools
– www.cisco.com/en/US/products/ps10154/tsd_products_support_series_home.html
CloudVPN
CloudVPN at a Glance
[Diagram: orchestration layer exposing Provisioning, Reporting and Billing APIs towards the SP’s existing orchestration, reporting and billing infrastructure, with Service Lifecycle Management, Provisioning, Network + Service Policy, Analytics and Reporting; infrastructure layer on KVM. Customer and Residential sites attach through a Ubiquitous Ethernet Access Node (Satellite, EoMPLS, MPLS-TP, etc.) to an A9K Cluster carrying L2 VPN and L3 VPN under a Controller, and on to the Elastic Service Cloud (UCS, IronPort) and the Internet, with a northbound interface (NBI)]
Same virtual services on the edge and in the cloud, managed through a common central monitoring and orchestration system
NfV Security Services and Securing NfV
• Components:
– Real-time OSS
– Virtual service “on-boarding”
[Diagram, bottom to top: (1) Physical Packet / Optical Network (Core + Access); (2) NFVI: physical compute / storage / network plus virtualisation giving virtual compute / storage / network, with the Virtual Infrastructure Management (VIM) layer (Openstack Nova, VMware, AWS, APIC, vPE) and network control; (3) Cloud Service Orchestration – NFVO; (4) OSS/BSS with Real Time OSS; DC infra solution]
How To Dynamically Build and Test Services
The Innovation Pod Program
Secure Cloud Services
Fully Flexible, Modular & Pluggable into Your Existing Infrastructure
[Customer Portal screenshots: Service Design (My Designs, My Deployments), Deployment Wizard (Create, Select Scope, Optimize); roles: Operator BSS, End-User]
vMS Architecture
– A Deeper Look
[Diagram: RESTCONF / UICONF northbound into NCS (confd, fastmap, reactive fastmap) holding service models and device models, with NEDs towards the devices; ESC managing the virtual infrastructure lifecycle through O/S component APIs; VNFs VR_CSR and VFW_vASA in the Data Centre]
vMS
– A deeper view
[Diagram: Portal & Service Catalog (PSC) and Billing on top; Service Provisioning through VTC and ESC on Openstack, covering the VNF lifecycle and VM lifecycle and injecting routes into the L3VPN; NFV-CPE, NFV-DCI and NFV-Fabric over IP/MPLS and Compute]
Centre of vMS Orchestration
Tail-f Network Control System Overview
• Multi-vendor service orchestrator for existing and future networks
• Single pane of glass for L2-L7 networking
[Diagram: Management Applications and the Network Engineer reach NCS through REST, Java, NETCONF, a network-wide CLI and a Web UI; NCS contains Service Models, a Service Manager and a Device Manager, and manages Hardware Devices, Virtual Appliances and OpenFlow Switches]
vMS Service Bundles
• (1) Internet Access (IA), FWaaS, VPNaaS: CSR1kv, vASA with NAT, FW, RA
[Diagram: CPEs connect over the Internet to the SP Cloud through Overlay Packet Tunnels: keyed IPv6 tunnels (mesh or hub&spoke), or IPSec tunnels (mesh or hub&spoke) if keyed IPv6 tunnels are not supported]
CloudVPN Business Services:
Use Case 2: CloudVPN with Internet, FW, RA and Enhanced Web Security (WSAv)
[Diagram: as in use case 1, CPEs connect over the Internet to the SP Cloud through Overlay Packet Tunnels: keyed IPv6 tunnels (mesh or hub&spoke), or IPSec tunnels (mesh or hub&spoke) if keyed IPv6 tunnels are not supported]
CloudVPN Business Services:
Use Case 3: CloudVPN with Internet, FW, RA and Next-Gen-IPS
[Diagram: CPEs connect to the SP Cloud]
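An added example, not from the Cisco deck, of the overlay tunnel choice the CloudVPN use cases describe: it plans a hub&spoke or full-mesh overlay between the SP cloud and the CPEs, using keyed IPv6 tunnels where both endpoints support them and falling back to IPSec for any pair that does not. The per-site `keyed_ipv6` flag is a hypothetical capability attribute, not a product setting.

```python
# Added example (not from the Cisco deck): plan a CloudVPN-style overlay of
# packet tunnels between CPEs and the SP cloud. Keyed IPv6 tunnels are used
# where both endpoints support them; otherwise the pair falls back to IPSec,
# in either a hub&spoke or a full-mesh topology. The "keyed_ipv6" capability
# flag per site is a hypothetical attribute, not a real product setting.
from collections import Counter
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Site:
    name: str
    keyed_ipv6: bool  # hypothetical: endpoint supports keyed IPv6 tunnels


@dataclass(frozen=True)
class Tunnel:
    a: str
    b: str
    kind: str  # "keyed-ipv6" or "ipsec"


def tunnel_kind(x: Site, y: Site) -> str:
    """Keyed IPv6 only when both ends support it, otherwise IPSec."""
    return "keyed-ipv6" if x.keyed_ipv6 and y.keyed_ipv6 else "ipsec"


def plan_overlay(hub: Site, spokes: list[Site], topology: str) -> list[Tunnel]:
    """Return the tunnel list for a hub&spoke or full-mesh overlay.

    hub-spoke: one tunnel from the SP cloud hub to each of the n CPEs.
    mesh: one tunnel per unordered pair of sites, hub included (n(n+1)/2).
    """
    if topology == "hub-spoke":
        pairs = [(hub, s) for s in spokes]
    elif topology == "mesh":
        pairs = list(combinations([hub, *spokes], 2))
    else:
        raise ValueError(f"unknown topology: {topology}")
    return [Tunnel(x.name, y.name, tunnel_kind(x, y)) for x, y in pairs]


def count_by_kind(tunnels: list[Tunnel]) -> dict[str, int]:
    """How many tunnels of each kind the overlay needs (capacity planning)."""
    return dict(Counter(t.kind for t in tunnels))


if __name__ == "__main__":
    # Constructed sample: an SP cloud hub and three CPEs, one of which
    # (cpe-2) cannot do keyed IPv6 tunnels and therefore needs IPSec.
    cloud = Site("sp-cloud", True)
    cpes = [Site("cpe-1", True), Site("cpe-2", False), Site("cpe-3", True)]
    for topo in ("hub-spoke", "mesh"):
        plan = plan_overlay(cloud, cpes, topo)
        print(topo, count_by_kind(plan))
        for t in plan:
            print(f"  {t.a} <-> {t.b}: {t.kind}")
```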
Virtual Security Workflows – Reference Slide
[Diagram: DDoS mitigation workflow. Open Daylight (the SDN & NfV installer, used for automation and for the OSS system) brings up compute and storage; the orchestration is used for provisioning of the chain service, receives attack information out of the DefencePro app, reprograms the network and service, and triggers the spin up of the chain to mitigate automatically; an admin books the DDoS topology. Components: Infrastructure Protection & MSSP, vDP (Network & Application DDoS Protection, Detection, Perimeter Protection), a per-tenant orchestration plugin, a TeraVM attack generator, the Data Centre “Hosting” with Service PE and VRF Red / Blue / Green, the SP Backbone, a DCI Router, WWW, Customer Network 1 and 2, and a vDP+vFW+vIPS Scrubbing Centre]
SDN Controller Visibility Application
SDN Controller: QoS Management Application
Self Learning Networks
Network as a Sensor for Ubiquitous Security
• DoS attacks get extremely hard to combat (“Subtle” and highly impactful)
• Highly Distributed
[Diagram: Distributed Analytics for Security across the Private Cloud and the Internet, with attacks on servers and a saturated link]
Demo: CloudVPN
Cisco Cloud Security Services Solution Guidance
[Decision flow: Do you want to own, host and license cloud security services yourself? (Yes / No). If yes: Do you plan to deploy in a KVM or VMware environment? KVM: Deploy Cisco CloudVPN, a virtual Managed Service (vMS)]
Summary
Call to Action
• Visit the World of Solutions for
– Cisco Campus – Security and Service Provider areas
– Campus Theatre Presentation on Wednesday at 6:30pm by Terri Quinn
• Meet the Expert
• Lunch time Table Topics
• DevNet Zone related labs and sessions
– CloudVPN
• Recommended Reading:
– HSS CVD link, www.cisco.com/go/hss
• We want to work with you, please contact us if you need help:
– Michael Geller – mgeller@cisco.com
– Albra Welch – albra@cisco.com
Q&A
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2015 T-Shirt!
Complete your Overall Event Survey and 5 Session Evaluations.