Monetizing The Enterprise: Borderless Networks


© 2010 Cisco and/or its affiliates. All rights reserved. 1

Monetizing The Enterprise: Borderless Networks

Michael Geller – Architect, SP Chief Technology Office
Kevin Shatzkamer – Distinguished Architect, Sales

September 27, 2011


Abstract

• The impact of the consumerization of IT and mobility cannot be overstated. The impact that these two key business elements have on the evolution of Enterprise Architecture and on Service Providers' ability to offer services to Enterprises, Governments, and Consumers is addressed in this webinar. The importance of the shift and movement of the secure network edge leads to a very close examination of the changing threat vectors and vulnerabilities impacting our businesses today. Service delivery and consumption on the three "service horizons" (Mobile Endpoint and CPE, Virtualized Network Edge/Data Center Edge, and the Cloud) is detailed.


Building a Secure Infrastructure for Profitable Services

Visibility and Control
• Total Visibility in all aspects of your network.
• Complete Control over all traffic in the network & cloud.
• Guaranteed Availability of all services.


Visibility & Posture

Diagram: Endpoint / CPE – Access/Aggregation (PE(s), L2 Agg.) – Core (P routers) – Data Center/Cloud, with Internet & Peering Edge and Public, Private & Hybrid Clouds.

Telstra Cloud:
• Nexus 1kV (Netflow/VSG)
• UCS: Software based Security Services (FW, VPN, …)
• Nexus 7k Security Services Mod
• vWAAS
• Enterprise-Hosted Ironport Web/Content/Email Security/DLP
• Scansafe Web Security
• Identity/Policy Service Control

Full Service Branch:
• Firewall
• IDS
• Encryption (IPSEC & SSL)
• Trust & Identity
• Email Security
• Web/Content Security
• NAC
• WAN Optimization

Multi-Tenant Access and aggregation:
• Session Border Controller
• Firewall
• IDS/IPS
• IPSEC VPN
• BNG (Subscriber Controls)
• SSL VPN
• Trust and Identity
• Web/Content Security
• Email Security
• DLP

Service Center:
• Remediation (quarantine)
• Intrusion Detection/Prevention
• VM Security & Nexus 1000V
• Anomaly detection/Scrubbing
• Policy Control Plane
• Firewall & XML Firewall
• Web/Content/Email Security

CPE:
• Firewall
• IDS
• IPSEC & SSL VPN
• Host Security
• Control Plane Security
• Forwarding Plane Security
• Email Security
• Web/Content Security
• NAC

Access and aggregation:
• Basic infrastructure security role
• Control Plane Security
• Data Plane Security
• Firewall
• IDS/IPS
• IPSEC VPN
• DHCP—subscriber
• SSL VPN
• Trust and Identity
• Web/Content Security
• Email Security

Data/Service Center

Security Operations and Services:
• Security Experts, SOC Processes, SOC Toolsets
• Security Operations Center
• One Time Services: Security Monitoring & Management, VA, PT, Web Assessment & SSO, MNAC

Access networks: Mobility, Cable, Fixed Wireless, DSL, Enterprise

SIO, Platform Telemetry, 3rd party rules and systems, Regulatory Policy & Influence


Operator Portal Capabilities

SP Operator Portal

• Single pane of glass for all mgmt functions

• White label logo and style branding

• RBAC – Role-based-access-control

• Customizable dashboard for different roles

• Share information between SP & customers

• Services catalogue

• Knowledge base

• Real-time threat dashboard

• SLA tracking dashboard

• Forensic

• Historical reporting

Consolidated Views: Risk Score, Alerts, Top Ten Events, Virus & Compliance Status

Events View: Customized view based on need. More focused approach: Online Events & Forensic view


Threat Intelligence: Global Visibility

Largest Threat Analysis System - Blended Threat Protection

700K+ Global Sensors

5 Billion Web Requests/Day

35% Of Global Email Traffic

Endpoint Threat Telemetry

Reputation, Spam, Malware and Web Category Analysis, and Applications Classification

Diagram (Cisco Solution): ISPs, Partners, Sensors; SIO Global Intelligence (Researchers, Analysts, Developers); Applied Mitigation Bulletins; products: IPS, ASA, WSA, ESA, Cisco AnyConnect.


Security Services Delivered To The Enterprise

Diagram of the security services model*:
• Device Security: Asset Mgmt, AV, Lock/Wipe, Zero Day, Encryption
• Content/Data Security: Email, Web, DLP, Encryption
• Network Security: APIs, VPN, Firewall, IDS/IPS
• Secure Systems: Collaboration, Virtualization, Mobility, Cloud
• Application Security: Web Application, Coding/Hardening, Penetration
• Network/System Management: Alerting, Logging, Monitoring
• Infrastructure: Directories, Remote Access
• Trusted System: Device, Compute, Storage, Network, Physical
• Governance functions: Data Gov., Service Mgmt., Audit, Policy, Identity, Forensics

* Based on common industry models by Gartner, SANS Institute and various customer interviews


Anyconnect Secure Mobility (Enterprise)

Diagram: Corporate Office (ASA, IronPort WSA) and Branch Office (Cisco Integrated Services Routers), with ISE and TrustSec.


Anyconnect Secure Mobility - SP Mgd.

Unified Anywhere+/AnyConnect:
• Simplified remote access
• Connection and app persistence
• Always-on VPN enforcement
• Location-aware policy
• Application controls
• SaaS Access Control
• Per User Subscription Model
• Portal for Provisioning/Forensics

Web/Email Security From The Cloud (Scan Safe)

Diagram:
• AnyConnect Secure Mobility Client (Cius / SmartPhone, Smart Branch)
• Email/Web Security from the Cloud; Multi-Tenant Edge Services Gateway (VPN, FW, SBC, Visibility, DPI); HCS & IaaS (vOptimization, vLoad Balancing); Policy + Identity
• Secure GW + Network + DC: Enhanced Customer Experience via End-to-End Seamless Security & Assurance; Cloud Offering Per Customer; Application Experience with SLA


Secure Places In The Network: Summary

Security Services:
• Firewall & IPS
• VPN (IPSEC & SSL)
• Trust & Identity
• Email Security
• Web/Content Security
• Anti-Malware
• WAN Optimization
• SBC (CUBE Ent.)
• WaaS
• DPI

Diagram: Mobile Endpoint & CPE (Mobility, Cable, Fixed Wireless, DSL, Enterprise, Consumer/SoHo; Anyconnect (Policy)) – Virtualized Network/DC Edge – SP DC/Cloud (Private Cloud, Public & Partner Cloud) – Internet & Inter-Cloud

SIO, SecOps (SmartOps, Tools, Ecosystem)

Defense In Depth - Common ASA Code Base

Security Infrastructure

Policy, Trust & Identity Services


Secure Places In The Network: Horizon 1 – Mobile Endpoint & CPE

Security Services:
• Firewall & IPS
• VPN (IPSEC & SSL)
• Trust & Identity
• Email Security
• Web/Content Security
• Anti-Malware
• WAN Optimization
• SBC (CUBE Ent.)
• WaaS
• DPI

Diagram: Mobile Endpoint & CPE (Mobility, Cable, Fixed Wireless, DSL, Enterprise, Consumer/SoHo; Anyconnect (Policy))

Platform/Area of Interest:
• MDM and Partners
• Evolution of The ISR G2
• Connecting the CPE to the cloud
• ASA & Identity FW
• Ironport ESA/WSA
• DPI & Visibility
• Identity Services & Policy


Connecting the CPE To The Cloud: Leveraging Cisco Product Multi-service capability

Threat Protection Security Services
• End to end security service via optimized hybrid on-premise / cloud services
• On-Premise encryption, Firewall, intrusion protection
• Hosted Web content protection (ScanSafe) & Email Protection
• … Managed Identity Services

Service Virtualization - UCS Express
• Lowering Capex / Opex for on premise application services
• Mission critical on-premise application hosting
• Integration into IaaS Service Orchestration
• Optimized experience for the Application Consumer

App Visibility & Optimization (WaaS)
• Improving end user quality of experience
• End to end application visibility & SLA
• Focus on Application Optimization
• … Security services upsell opportunity

Diagram: WAAS Express, Dedicated Router Module, DC + vWaaS


Connecting the CPE To The Cloud - 2: Leveraging Cisco Product Multi-service capability

Services Led Selling
• Removing NOC / SOC complexity and allocation of people, process and tools – GTM acceleration
• SmartOps for Security – SOC BOT Models
• SmartOps for CPE – NOC White labeling or BOT Models
• Testing and validation

Video
• Providing End to End Video Service assurance
• IPSLA Video Probe for Video SLA
• Video Optimized ISR G2 Bundle
• Integration of ISR G2 into Video Architectures like Telepresence
• Optimized delivery of Video
• ISR G2 ad-hoc video conferencing

Energy Wise
• Minimize energy consumption and costs of delivered Managed Services
• The "Green WAN / LAN" Service
• The "Energy Optimized" Data Center


Aspiration: Policy Governed Networks

Diagram:
• Centralized View: Central Dashboard, Reports, Measurements, Troubleshooting
• Applications in Data Center or Cloud: Product Bookings, SalesForce.com, Customer Data, Third-Party Applications
• Router/Switch (ASR/ISR/ASA), MPLS, Encrypt
• Context: Service, Application, Device, Location, User, Role
• Endpoints: iPad, Corporate Laptop (access: Full, Restricted)
• Policy Teams: IT Systems Mgmt, Cisco Network Mgmt, Policy & Rules; Security, Compliance, Business
• Identity Services Engine (ISE): Centralized Policy Platform


Context-Based Security Services

Phased Execution – Centralized Policy Platform: Identity Services Engine (ISE)

Policy Use Cases:
• Authenticated & Authorized Access (TrustSec, ISE): Authenticate Guests and provide only Internet access. Context: User, Device, Health, Location, Reputation (future)
• Security: Prevent uncontrolled mobile devices from accessing servers with confidential information. Context: Media Actors, E2E Flow Characteristics, Real-Time Metering
• Optimize Virtual Desktop Service Delivery (VXI, VDS/ISE): Provide predictable quality for audio, video on virtual desktop (VDI). Context: + Virtual Desktop
• Prioritized Branch Service Delivery (Branch Office): Prioritize point-of-sale transactions over Video (YouTube …). Context: + Application, Network Services
• Agile Virtual Service Delivery (CCN): Move WebEx from RTP DC to SP US Cloud with Premium Service Level. Context: + Server, DC Resources, Service Level


Secure Places In The Network: Horizon 2 & 3 – Network and DC Edge + DC/Cloud

Security Services:
• Firewall & IPS
• VPN (IPSEC & SSL)
• Trust & Identity
• Email Security
• Web/Content Security
• Anti-Malware
• WAN Optimization
• SBC (CUBE Ent.)
• WaaS
• DPI

Diagram: Access (Mobility, Cable, Fixed Wireless, DSL, Enterprise, Consumer/SoHo) – Virtualized Network/DC Edge – SP DC/Cloud (Private Cloud, Public & Partner Cloud) – Internet & Inter-Cloud

Platform/Area of Interest-2:
• MDDC & CCN
• ASR 1k – Multitenancy and DC Edge
• IOS-XE on a VM
• Virtual Appliance + Physical Application
• Hosted Content, Email, Web Security
• DPI & Visibility

Platform/Area of Interest-3:
• Nexus 1kV
• VSG and vASA
• IOS-XE on a VM
• vWaaS
• CCN & Service Orchestration
• vESA/vWSA
• DPI & Visibility
• Network Proximity
• Partner Ecosystem


Cisco VXI: Virtualized End-to-End System

End-to-End Security, Management and Automation

Diagram:
• Virtualized Data Center: Applications / Desktop OS (MS Office), Cisco Collaboration Applications, Hypervisor, Desktop Virtualization Software, Storage, Compute (UCS); ACE, Unified CM, Quad, ASA, Nexus 1000v, Virtual Security Gateway, WAAS
• Virtualization-Aware Borderless Network: Routing, PoE, Switching, WAAS, CDN
• Virtualized Collaborative Workspace: Cisco Clients, Cisco Virtualization Experience Clients, Cius Business Tablets, AnyConnect; Thin Client Ecosystem; Generic VDI (no support for UC or Rich Media)
• Cisco Products


Borderless Network VXI Components

Diagram:
• Campus (Cat4K): Access (Dot1x/MAB, UPoE/PoE+), Security; users Employee / Contractor / Finance
• Secure VXI Data Center: VSG, N1K, App / Data Base / Web tiers, Cisco ACE, WAAS DC, DC Network, McAfee MOVE-AV
• VXI Network
• Remote/Home User: Anyconnect w/ Split Tunnel over Internet to ASA; Secure Display Traffic
• Branch One / Branch Two: ISR-G2, DMVPN, WAAS Express, WAE; Display Traffic, Voice/Video

• ASA and Anyconnect provide single secure remote access solution for large device footprint

• Device profiling and posture assessment using ISE ensures conformance

• UPoE and PoE+ provide de-cluttered and energy efficient virtual workspace

• 802.1x based device and user authentication

• Trustsec allows policy based access to specific applications in Data Center

• Unmanaged devices (BYOD) only allowed access to specific Virtual desktop pools and applications

• DMVPN allows secure, dynamic and direct branch to branch collaboration

• WAAS and ISR together accelerate performance


From Router to vRouter

Secure Connectivity from Premise to Cloud
- Extend enterprise VPN infrastructure into cloud via cloud-based virtual VPN appliance
- Enable secure split tunneling, bypassing expensive MPLS/private IP network backhauling
- Provide end-to-end security – access control, DAR (data-at-rest) encryption, app/user/content visibility, IPS, web security – and unified management
- This will enable enterprises to move mission-critical data to the cloud, retain control and meet compliance requirements

Networking Services from the Cloud
- Provide routing, switching, WAN acceleration, end-to-end security, performance monitoring, traffic prioritization/QoS, etc. via cloud-based virtual router
- Enables SPs and Cloud Providers to offer value-added pay-for-use services – networking, security – in virtualized form factor to their customers
- Enables SPs to move services away from CPE ISRs to the cloud/provider edge, minimizing and simplifying management

(Diagram labels: PHASE 1, PHASE 2)


Network Positioning System (NPS)

Phase II – Distributed Placement: Capacity at Multiple DCs Improves Experiences, Reduces Operational and Network Costs

1. Orchestration System Requests Capacity - available at Multiple DCs
2. Insufficient Bandwidth and / or sub-optimal location to meet SLA
3. NPS informs best location(s) / PE Routers

Diagram: NPS, Core, three National Data Centers


Using Security Conductor for DDoS Attack Mitigation

Monitoring Info: Netflow, MIBs, Logs for Baselining, Forensics and Planning

1. Visibility Apps gather physical and virtual interface traffic information
2. Visibility Apps build a network baseline and monitor for traffic anomalies
3. In case of an anomaly, they transfer information to the Security Incident Control Application
4. Incident Control Apps inform SECOPS
5. Incident Control performs a RTBH using BGP route insertion at the SP DC PE router
6. "Sinkhole" Apps VMs are assigned for analysis
7. Using the Security Conductor, security mitigation policies (ACL, QoS Policers, etc.) are downloaded in the network
8. All Visibility and Mitigation information is sent for Forensic analysis

Diagram: Other SPs, Peering, IP/MPLS Network, Access / Aggregation Network, CPE; SECOPS, NETOPS
• Security Apps: Incident Control, Visibility, Logging & Forensics
• DC Control Point: Resource Manager, Policy Engine, Dependency Tracker, Capabilities Directory
• Security Policy Conductor: Attack Mitigation Policies are downloaded in all applicable routers
• Sinkhole: 1. RTBH configured; 2. Sinkhole Apps activated on VMs; 3. Attack Analysis
• Forensics
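The eight-step workflow above (baseline from NetFlow-style counters, anomaly detection, RTBH route insertion, mitigation policy push, forensic trail), as a small simulation. This is an added example and not Cisco's Security Conductor or any product code. The per-window byte counts, the victim prefixes (documentation range 203.0.113.0/24), the thresholds, and the blackhole next hop 192.0.2.1 (assumed to be pre-provisioned to Null0 on the PE routers) are all constructed for illustration, and the route and policy are plain dictionaries standing in for what a BGP speaker or router configuration would actually carry.

```python
"""
Added example (not Cisco's Security Conductor code): a self-contained
simulation of the DDoS workflow on the slide, from NetFlow-style
baselining through anomaly detection to the RTBH route and mitigation
policy an incident-control application would hand to the network.
All records, prefixes and thresholds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed NetFlow-style records: bytes per destination per 1-minute
# window. The baseline windows are normal traffic; the live window carries
# a flood toward 203.0.113.10 (a documentation address).
BASELINE_WINDOWS = [
    {"203.0.113.10": 12_000_000, "203.0.113.20": 9_500_000},
    {"203.0.113.10": 11_500_000, "203.0.113.20": 10_200_000},
    {"203.0.113.10": 12_400_000, "203.0.113.20": 9_900_000},
    {"203.0.113.10": 11_900_000, "203.0.113.20": 10_000_000},
]
ATTACK_WINDOW = {"203.0.113.10": 480_000_000, "203.0.113.20": 9_800_000}

# Step 2: per-destination baseline as (mean, population std deviation).
def build_baseline(windows):
    per_dst = defaultdict(list)
    for window in windows:
        for dst, nbytes in window.items():
            per_dst[dst].append(nbytes)
    return {dst: (mean(v), pstdev(v)) for dst, v in per_dst.items()}

# Steps 2-3: flag destinations whose volume exceeds the baseline by k sigmas
# AND by a minimum multiple, so a quiet host with tiny variance cannot trip
# on ordinary noise.
def detect_anomalies(baseline, window, k=5.0, min_ratio=4.0):
    anomalies = []
    for dst, nbytes in window.items():
        mu, sigma = baseline.get(dst, (0.0, 0.0))
        if nbytes > mu + k * sigma and nbytes > min_ratio * max(mu, 1.0):
            anomalies.append({"dst": dst, "bytes": nbytes, "baseline_bytes": mu})
    return anomalies

# Step 5: destination-based RTBH. The victim /32 is announced with a next hop
# that every PE already routes to Null0 (assumption: 192.0.2.1 is statically
# pointed at Null0), tagged no-export so the blackhole never leaks to peers.
BLACKHOLE_NEXT_HOP = "192.0.2.1"

def rtbh_route(victim):
    return {
        "prefix": f"{victim}/32",
        "next_hop": BLACKHOLE_NEXT_HOP,
        "communities": ["no-export"],
    }

# Step 7: the mitigation policy for the "applicable routers": an ACL entry for
# the victim plus a policer so the sinkhole VMs (step 6) still receive a
# capped sample of the attack for analysis instead of nothing at all.
def mitigation_policy(victim, sample_rate_bps=10_000_000):
    return {
        "acl": [{"action": "deny", "dst": f"{victim}/32"}],
        "policer": {"match_dst": f"{victim}/32",
                    "rate_bps": sample_rate_bps, "exceed": "drop"},
    }

@dataclass
class Incident:
    victim: str
    observed_bytes: int
    baseline_bytes: float
    rtbh: dict = field(default_factory=dict)
    policy: dict = field(default_factory=dict)
    forensics: list = field(default_factory=list)  # step 8 audit trail

# Steps 3-8 end to end: one Incident per anomalous destination.
def run_incident_control(baseline_windows, live_window):
    baseline = build_baseline(baseline_windows)
    incidents = []
    for a in detect_anomalies(baseline, live_window):
        inc = Incident(a["dst"], a["bytes"], a["baseline_bytes"])
        inc.forensics.append(f"SECOPS notified: {a['dst']} at {a['bytes']} B/min")
        inc.rtbh = rtbh_route(a["dst"])
        inc.forensics.append(f"RTBH announced: {inc.rtbh}")
        inc.policy = mitigation_policy(a["dst"])
        inc.forensics.append(f"Policy pushed: {inc.policy}")
        incidents.append(inc)
    return incidents

if __name__ == "__main__":
    for inc in run_incident_control(BASELINE_WINDOWS, ATTACK_WINDOW):
        print(inc.victim, inc.observed_bytes, inc.rtbh)
        for line in inc.forensics:
            print("  ", line)
```

Two points the simulation makes explicit that the slide leaves implicit: destination-based RTBH drops all traffic to the victim, legitimate included, which is why the workflow does not stop at step 5 but follows with sinkhole analysis and finer-grained ACL/policer policies; and the no-export community keeps the blackhole route inside the SP's own network so the mitigation cannot propagate to peers.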


Cloud Security solution focus: Mapping

Business Needs: Loss of Control; Data-in-flight security; Data-at-rest security

Multi-tenant Reference Architecture:
• VDC, DCI (OTV), VPLS/VRF …
• Services: Virtual LB, FW
• VN-Link, LISP, SIA tags w/HW assist, N1k, VSG
• PortProfile, vNetFlow, SAN
• Policy based control for ID, Data Confidentiality
• Visibility, Forensics, Governance
• VM-VM security, Routing policies in VM
• VPATH to stitch and control VMotion

Secure Cloud Services: Scansafe (SAML), DLP, Cisco ID Connect

Anyconnect: VDI/VXI

Putting It All Together: HCS

Unified Communications and Collaboration

Deployment models: Pure Hosted, Remote Managed, On Prem, Hybrid

Diagram: Customers 1 to 5 hosted on ESX Servers, Dedicated / Private Network

Thank you.