Security at the Speed of the Network


Transcript of Security at the Speed of the Network

Page 1: Security at the Speed of the Network

Security at the Speed of the Network: Automating and Accelerating Security Through SDN and NFV

BRKSEC-2760

Hantzley Tauckoor – CISSP #472723, CCDE #2015::43

Consulting Systems Engineer – MANO & Programmability

Global Virtual Engineering, Cisco Systems

Page 2: Security at the Speed of the Network

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public. BRKSEC-2760

./about_me

Hantzley Tauckoor, Consulting Systems Engineer – MANO & Programmability, Global Virtual Engineering, Cisco Systems

linkedin.com/in/hantzley Twitter: @[email protected]

Page 3: Security at the Speed of the Network

Agenda

• Security from the Service Provider perspective
• Putting SDN/NFV to work – DDoS
• Automating Security in the SP Data Centre
• Generating new revenue streams with hosted security services
• SDN & NFV Infrastructure Security
• Summary


Page 5: Security at the Speed of the Network


Security from the Service Provider Perspective

Page 6: Security at the Speed of the Network

Trends: New Opportunities …

• The world has gone mobile: 10x mobile traffic growth from 2013 to 2019
• Traffic growth, driven by video
• Rise of cloud computing and machine-to-machine traffic
• Changing customer expectations: ubiquitous access to apps & services
• Changing enterprise business models: efficiency & capacity, soon to change SP architectures and service delivery
• Emergence of the Internet of Everything: people, process, data, things

[Chart: global traffic in petabytes per month, 2013 to 2018, 23% global CAGR 2013-2018; Internet video (57%, 75%) versus other traffic (43%, 25%); y-axis 0 to 120,000]

New Threats: a dynamic threat landscape and increasing threat sophistication create risks to service providers and their customers.

Page 7: Security at the Speed of the Network


Your Customers Are Being Attacked By DDoS

Page 8: Security at the Speed of the Network

2015 Verizon Data Breach Investigations Report

• Compromise: ~84% of initial compromises completed within hours
• Detection: ~65% of initial compromises undetected for months

Page 9: Security at the Speed of the Network

Legacy Security: Costly & Complex

• Siloed: limited integration, security gaps
• Inefficient: hard-coded processes
• Manual: over-provisioned, static, and slow

Hinders realization of open and programmable networks

Page 10: Security at the Speed of the Network

SDN Automation: The Speed of The Network

[Figure: the attack continuum (BEFORE, DURING, AFTER) with Visibility, Control and Threat Analytics]

Page 11: Security at the Speed of the Network

How Automated Are You Today?

[Figure: the attack continuum (BEFORE, DURING, AFTER) with Visibility, Control and Threat Analytics, rated on a scale from Manual to Automated]

Page 12: Security at the Speed of the Network

Managing The Threat Lifecycle: Protecting the Infrastructure and Offering Elastic Managed Services

Orchestration:
• VMS / Cloud Services Orchestration: real-time application of the right service, in the right place, at the right time
• Quantum WAVE / WAN Orchestration: real-time topology and service health information

Attack Continuum:
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

Security functions across the continuum: Firewall, NGFW, NAC + Identity Services, VPN, UTM, NGIPS, Web Security, Email Security, Advanced Malware Protection, Network Behaviour Analysis, Visibility, Context, Autonomics and BCPs, DDoS Visibility/Mitigation Services, Forensic Analytics

Security Domain Management: HSS / UBIqube MS Activator

Page 13: Security at the Speed of the Network

Anatomy of the SP network

[Figure: Access (mobile, residential and business; CMTS, DSLAM, cell site router), Service Edge, Aggregation/Transport, Core, Data Center (video distribution) and Enterprise WAN. Security features listed per segment include MACsec, volumetric DDoS, VPN, FW, CGNAT, NGIPS, AMP, mobile inspection and application DDoS]

SP Security Best Practices - http://tools.cisco.com/security/center/serviceProviders.x?i=76

Page 14: Security at the Speed of the Network

Security for Open & Programmable Networks: Cisco Service Provider Architecture

[Figure: Applications & Services on top, exposed through Open APIs to the Evolved Services Platform (orchestration engine, catalog of virtual functions, service profile, service broker, smart service capabilities), which in turn drives the Evolved Programmable Network (compute, storage, network) through Open APIs; Security and Cisco Services span all layers]

Benefits:
• New revenue streams
• Increased business agility
• Lower operating costs

Page 15: Security at the Speed of the Network

Network Programmability

[Figure: applications (network monitoring, bandwidth management, load balancing) sit above a controller that provides topological awareness and policy resolution; the controller reaches the network through a programmatic interface such as NETCONF, OpenFlow, REST APIs or the CLI]

Page 16: Security at the Speed of the Network

Programmability Across Multiple Controllers

[Figure: applications for threat defense and security policy talk to an APIC controller in the data centre and to an APIC-EM / WAE controller for the campus / WAN, with a service orchestrator above both]

Page 17: Security at the Speed of the Network

A Plethora of Controllers

• APIC (Data Center): service chaining; Application Network Flow Profile (SLA, security, QoS, load balancing)
• APIC-EM (Campus): User/Things Network Profile (QoS, security, SLA, device, location, role)
• WAE (WAN): traffic optimization; monitor for path constraint violations; automate network changes to ensure path compliance
• Open source projects: OpenStack (cloud orchestration; objective: extend OpenStack Neutron’s networking model with new policy APIs; “sister project” to Group Based Policy in OpenDaylight) and OpenDaylight (SDN controller under the Linux Foundation; security extensions; common vendor-supported framework)
• VTS: overlay automation

Page 18: Security at the Speed of the Network

Transition to All-virtualised Services?

Drivers:
• Reducing total OpEx and CapEx
• Increased service velocity and agility
• Increasing revenue

[Figure: offering, service, system and product layers, with implementation moving from HW appliance, to virtualising existing functions, to SaaS-based solutions (which can be leveraged to offer SaaS)]

• SP infrastructure services transitioning to NFV: SP video, GWs, CPE, mobile services, enterprise managed services, L2 / L3 VPN, IaaS
• All SP services are virtualising …
• Some services move straight to SaaS: HCS, ScanSafe, Webex, SDVPN, SP video

Page 19: Security at the Speed of the Network

Network Function Virtualization

• Movement of network functions to the cloud
• Control, services and data plane components
• NFV is not applicable to all network applications
  • However, most service functions are in the frame
  • High-performance plumbing is not, at the moment
• NFV is an architecture rather than simply virtualizing functions
  • Virtual services, compute
  • Service chaining, overlays
  • Orchestration and redirection
• Covers a number of use cases

See also: http://www.etsi.org/deliver/etsi_gs/NFV/001_099/002/01.01.01_60/gs_NFV002v010101p.pdf

Page 20: Security at the Speed of the Network

Evolving The Network Software Stack

• Application software: Unified Communications, CCS, Evolved VPN (CloudVPN, …), custom apps, …
• Infrastructure software: orchestration (NSO, …), management (Prime, …), optimization (WAE, …)
• Embedded software: network OS (IOS-XE, NX-OS, …), plugins (Puppet, guest shell, …), base OS (Linux, …), base control infrastructure, protocols (IETF, IEEE, …), virtual and physical

Page 21: Security at the Speed of the Network

Summary: The Building Blocks

• Traditional: distributed control plane components, physical entities
• SDN: separation of control and data plane, controllers
• NFV: network functions and software running on any open standards-based hardware
• Service Orchestration: automation, provisioning and interworking of physical and virtual resources


Page 23: Security at the Speed of the Network

Putting SDN/NFV to Work: Security Services Virtualization & SDN DDoS Mitigation

Page 24: Security at the Speed of the Network

Distributed Denial of Service Attack Mitigation

[Figure, built up across pages 24 to 28: an SDN controller collects traffic statistics from the network; when a DoS flow shows up in those statistics, the controller pushes traffic redirection for it]

Page 29: Security at the Speed of the Network

Cisco ASR 9000 vDDoS Protection

Arbor Networks Threat Management System (TMS) + ASR 9000 with Virtual Services Module (VSM) = Cisco ASR 9000 vDDoS Protection, “Powered By Arbor Networks”

• Architectural superiority
• Unified management
• Scalable performance
• Reduced OPEX
• Flexible deployment

Page 30: Security at the Speed of the Network

ASR 9000 vDDoS Solution Components

[Figure: a virtualized Arbor Peakflow SP collector receives NetFlow statistics from ASR 9000 routers (DDoS detection); a VSM in the ASR 9000 runs the vDDoS software under licence (DDoS mitigation)]

• Virtualized Peakflow SP
  • Collects flow records
  • Detects abnormal network behavior and triggers alerts
  • Can influence the routing by injecting BGP routes in the network
  • Supports BGP FlowSpec as a controller
  • Sets up and monitors the TMS remotely
• Virtual DDoS SW (running on A9K VSM)
  • Configured by SP, receives diverted traffic and proceeds to in-depth packet analysis
  • Discards the attack packets and transmits the legitimate ones
  • Provides real-time monitoring info to operators

Page 31: Security at the Speed of the Network

How does Peakflow work?

[Figure: peering points, core routers and PE routers serving Enterprises A, B and C, with an Arbor Peakflow SP 6000 collector and an ASR 9K applying ACLs]

1 – Anomaly detection
2 – Volumetric DDoS: ACL, BGP FlowSpec
3 – L4-L7 DDoS: redirect to ASR 9K for intelligent mitigation
4 – Identify and filter the malicious requests
5 – Forward the legitimate traffic: GRE, MPLS, …
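The five steps above, worked through as an added example: a toy controller in Python that is not Arbor's or Cisco's code. It takes constructed flow records for a 60 s window, flags destinations whose rate exceeds a multiple of an assumed learned baseline (step 1), emits a BGP FlowSpec-style rate-limit at the edge for volumetric floods (step 2), redirects application-layer floods to a scrubber (step 3), and on the scrubber drops sources above a per-source packet rate while forwarding the rest (steps 4 and 5). The baselines, thresholds, addresses and rule syntax are assumptions made for the illustration.

```python
"""Toy controller for the five-step DDoS workflow: detect from flow statistics,
FlowSpec for volumetric floods, scrubber redirect for L4-L7 floods, filter and
forward. Constructed example, not Arbor or Cisco code; baselines, thresholds,
addresses and rule syntax are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    dport: int
    packets: int
    octets: int


# Assumed learned baselines per protected destination: (bits/s, packets/s)
BASELINES: Dict[str, Tuple[float, float]] = {
    "203.0.113.10": (50_000_000, 8_000),
    "203.0.113.20": (5_000_000, 1_500),
}


def rates(flows: List[Flow], window_s: float) -> Dict[str, Tuple[float, float]]:
    """Per-destination (bps, pps) over the collection window."""
    bits, pkts = defaultdict(int), defaultdict(int)
    for f in flows:
        bits[f.dst] += f.octets * 8
        pkts[f.dst] += f.packets
    return {d: (bits[d] / window_s, pkts[d] / window_s) for d in bits}


def detect(flows: List[Flow], window_s: float, factor: float = 5.0) -> Dict[str, Tuple[float, float]]:
    """Step 1: a destination is anomalous when its bps or pps exceeds factor x baseline."""
    hits = {}
    for dst, (bps, pps) in rates(flows, window_s).items():
        if dst not in BASELINES:
            continue  # no learned baseline, nothing to compare against
        base_bps, base_pps = BASELINES[dst]
        if bps > factor * base_bps or pps > factor * base_pps:
            hits[dst] = (bps, pps)
    return hits


def plan(flows: List[Flow], window_s: float, factor: float = 5.0) -> List[Tuple[str, str, str]]:
    """Steps 2 and 3: an edge FlowSpec rule for volumetric floods, a scrubber
    redirect for L4-L7 floods. Returns (action, dst, detail) triples."""
    actions = []
    for dst, (bps, _pps) in detect(flows, window_s, factor).items():
        base_bps, _ = BASELINES[dst]
        dst_flows = [f for f in flows if f.dst == dst]
        total = sum(f.octets for f in dst_flows)
        bulk = sum(f.octets for f in dst_flows if f.proto in ("udp", "icmp"))
        if bps > factor * base_bps and bulk / total >= 0.5:
            # Volumetric: bandwidth is the target. Rate-limit the dominant
            # (proto, dport) at the edge to the learned baseline instead of
            # discarding outright, so legitimate traffic on that port keeps a path.
            by_port = Counter()
            for f in dst_flows:
                if f.proto in ("udp", "icmp"):
                    by_port[(f.proto, f.dport)] += f.octets
            (proto, dport), _ = by_port.most_common(1)[0]
            rule = f"match dst {dst}/32 proto {proto} dport {dport} then rate-limit {int(base_bps)} bps"
            actions.append(("flowspec", dst, rule))
        else:
            # Application-layer: packet or request rate is the problem, not
            # raw bandwidth; divert to the scrubber for per-packet inspection.
            actions.append(("redirect", dst, "next-hop scrubber"))
    return actions


def scrub(flows: List[Flow], dst: str, window_s: float, max_pps_per_src: float):
    """Steps 4 and 5 on the scrubber: drop sources above a per-source packet
    rate, forward everything else toward the customer."""
    per_src = defaultdict(int)
    for f in flows:
        if f.dst == dst:
            per_src[f.src] += f.packets
    dropped = sorted(s for s, p in per_src.items() if p / window_s > max_pps_per_src)
    forwarded = [f for f in flows if f.dst == dst and f.src not in dropped]
    return dropped, forwarded


def sample_flows() -> List[Flow]:
    """Constructed 60 s of flow records: a UDP flood on .10 and a small-packet
    TCP request flood on .20, with some legitimate flows on each."""
    flows = []
    for i in range(50):   # volumetric UDP flood, 50 sources, 1000-byte packets
        flows.append(Flow(f"198.51.100.{i}", "203.0.113.10", "udp", 53, 100_000, 100_000_000))
    for i in range(10):   # legitimate web traffic to .10
        flows.append(Flow(f"192.0.2.{i}", "203.0.113.10", "tcp", 443, 2_000, 1_600_000))
    for i in range(20):   # application-layer flood on .20, 100-byte packets
        flows.append(Flow(f"198.51.100.{100 + i}", "203.0.113.20", "tcp", 443, 30_000, 3_000_000))
    for i in range(5):    # legitimate traffic to .20
        flows.append(Flow(f"192.0.2.{100 + i}", "203.0.113.20", "tcp", 443, 1_000, 500_000))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for action in plan(flows, 60):
        print(action)
    dropped, kept = scrub(flows, "203.0.113.20", 60, max_pps_per_src=100)
    print(f"scrubber dropped {len(dropped)} sources, forwarded {len(kept)} flows")
```

Rate-limiting the dominant protocol and port to the learned baseline, rather than discarding it, is the defender's compromise: it caps the flood at the edge while leaving legitimate traffic on that port a path, which a blanket discard would not. The per-source rate test on the scrubber is deliberately crude; a real TMS applies protocol-aware checks on the diverted traffic.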

Page 32: Security at the Speed of the Network


Integrated Security Services “at Scale”

Page 33: Security at the Speed of the Network

Legacy Security: Siloed, Inefficient & Expensive

[Figure: each data packet passes through separate DDoS, SSL, firewall, WAF, IPS and sandbox platforms in turn]

Reduced effectiveness, increased latency, slows the network, static & manual

Page 34: Security at the Speed of the Network

Cisco Transforms Security Service Integration

[Figure: the siloed model (separate DDoS, SSL, FW, WAF, IPS and sandbox platforms: limited effectiveness, increased latency, slows network, static & manual) beside a unified platform in which DDoS, FW, WAF, NGIPS, SSL and AMP are integrated on one data path: maximum protection, highly efficient, scalable processing, dynamic. Key: Cisco service / 3rd party service]

Page 35: Security at the Speed of the Network

Firepower 9300 Platform (NEW): Carrier-Class, Modular Multi-Service Security, High-Speed Scalable Security

Benefits: integration of best-of-breed security; dynamic service stitching
Features*: ASA container; Firepower Threat Defense containers (NGIPS, AMP, URL, AVC); 3rd party containers (Radware DDoS, other ecosystem partners)

Benefits: standards and interoperability; flexible architecture
Features: template-driven security; secure containerization for customer apps; RESTful/JSON API; 3rd party orchestration/management

Benefits: industry-leading performance / RU; 600% higher performance; 30% higher port density
Features: compact 3RU form factor; 10G/40G I/O, 100G ready; terabit backplane; low latency, intelligent fastpath; NEBS ready

Page 36: Security at the Speed of the Network

Security Services Architecture

[Figure: Firepower 9300 chassis with a Supervisor, on-board 8x10GE interfaces (Ethernet 1/1-8, with Ethernet 1/7 used for management), two 4x40GE network module slots (Ethernet 2/1-4, Ethernet 3/1-4), application image storage and three Security Modules. An ASA cluster spans the modules as the primary application, with a Radware DDoS decorator application in front of each ASA; PortChannel1 carries Data Inside and Data Outside through the logical packet flow. Terms: logical device, logical device unit, link decorator, application connector, external connector, primary application, decorator application. Managed by Radware Vision Manager and the Chassis Manager & ASDM]

Page 37: Security at the Speed of the Network

Cisco DDoS Positioning

• SP edge router based DDoS with ASR: volumetric, on ASR 9K + VSM + Arbor TMS / Peakflow; SP backbone detection and mitigation (SP ASR PE with Peakflow)
• Data center firewall based DDoS with Firepower 9300: Firepower 9300 + SM running Radware Defense Pro; application attack detection and mitigation
• SP mobility edge with FP 9300 and Radware DDoS (Radware Defense Pipe, Radware Vision, Threat Defense) for mobile users
• SP scrubbing center / MSSP services: various 3rd party options for hosted services (Arbor Cloud, Radware Cloud, Prolexic / Akamai)
• A complete DDoS system can be complemented with Cisco Lancope Threat Defense

Page 38: Security at the Speed of the Network

Recap - Cisco DDoS Offerings for Service Provider

Arbor TMS on ASR9k:
• DDoS target is bandwidth
• Volumetric attacks
• Part of SP Clean Pipes solution
• Traffic diverted to scrubber within router backplane
• Clean traffic reinjected locally
• Additional Arbor products can protect enterprise assets

Radware vDP on FP9300:
• DDoS target is firewall and devices behind it, NOT bandwidth
• vDP sits inline and sees all traffic going to firewall
• Other Radware capabilities in the cloud can help with bandwidth-based attacks


Page 40: Security at the Speed of the Network


Automating Security in the SP Data Centre

Page 41: Security at the Speed of the Network

Cisco SDN: Providing Choice in Automation and Programmability

• Programmable Network: modern NX-OS with enhanced NX-APIs; automation ecosystem (Puppet, Chef, Ansible etc.); common NX-API across N2K-N9K
• Programmable Fabric: VXLAN-BGP EVPN standards-based; 3rd party controller support; VTS for software overlay provisioning and management across N2K-N9K
• Application Centric Infrastructure: turnkey integrated solution with security, centralized management, compliance and scale; automated application-centric policy model with embedded security; broad and deep ecosystem

Target segments: mass market (commercial, enterprises, public sector), service providers, mega-scale datacenters

[Figure: Web, App and DB tiers shown on each option]

Page 42: Security at the Speed of the Network

Introducing Application Centric Infrastructure

[Figure: APIC provides centralized policy management (open APIs, open source, open standards) for an Application Network Profile; it integrates with orchestration frameworks, hypervisor management (OVM), systems management, automation and enterprise monitoring, and ACI ecosystem partners. Below the fabric sit physical and virtual end points, physical networking (Nexus 2K, Nexus 7K), hypervisors and virtual networking, compute, L4–L7 services, storage, and multi-DC WAN and cloud through an integrated WAN edge]

Page 43: Security at the Speed of the Network

Typical Service Chain

• Full abstraction within the service chain
• Every device only knows its function and exchanges packets with the fabric as instructed
• High degree of modularity with low coupling; specific devices are interchangeable
• ACI maintains flow symmetry through the same device instance

[Figure: EPG “Users” → SSL → Firewall (policy rules, NAT, inspection) → IPS → Analyzer → EPG “Web” / EPG “Files”]
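The flow-symmetry bullet matters because a stateful firewall or IPS instance that receives the reply to a connection it never saw has no state for it and will drop it or pass it uninspected. The following is an added example, not ACI's own hashing: it contrasts hashing the 5-tuple as seen with hashing a canonical form in which the two endpoints are sorted, so a flow and its reverse always land on the same instance. Instance names and flows are constructed.

```python
"""Flow symmetry in a service chain: both directions of a connection must hit
the same stateful device instance. Added illustration, not the ACI fabric's
own hashing; instance names and sample flows are constructed."""
import hashlib
from typing import Callable, List, Tuple

Flow = Tuple[str, int, str, int, str]   # (src_ip, src_port, dst_ip, dst_port, proto)

FIREWALLS = ["fw-1", "fw-2", "fw-3"]    # constructed instance names


def naive_key(flow: Flow) -> bytes:
    """Hash the 5-tuple exactly as seen: a request and its reply get different keys."""
    return "|".join(map(str, flow)).encode()


def symmetric_key(flow: Flow) -> bytes:
    """Sort the two endpoints so a flow and its reverse produce the same key."""
    src_ip, src_port, dst_ip, dst_port, proto = flow
    lo, hi = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return f"{lo[0]}|{lo[1]}|{hi[0]}|{hi[1]}|{proto}".encode()


def pick_instance(key: bytes, instances: List[str]) -> str:
    """Deterministic choice of a device instance from a hash of the key."""
    digest = hashlib.sha256(key).digest()
    return instances[int.from_bytes(digest[:8], "big") % len(instances)]


def reverse(flow: Flow) -> Flow:
    """The reply direction of a flow: endpoints swapped, protocol unchanged."""
    s_ip, s_port, d_ip, d_port, proto = flow
    return (d_ip, d_port, s_ip, s_port, proto)


def asymmetric_count(flows: List[Flow], instances: List[str],
                     keyfunc: Callable[[Flow], bytes]) -> int:
    """How many flows would have their reply land on a different instance than
    the request. For a stateful firewall or IPS each one is a reply with no
    matching state: a dropped or uninspected connection."""
    return sum(
        1 for f in flows
        if pick_instance(keyfunc(f), instances) != pick_instance(keyfunc(reverse(f)), instances)
    )


def sample_flows(n: int = 200) -> List[Flow]:
    """Constructed client connections from the Users EPG to one web server."""
    return [(f"10.1.0.{i % 250 + 1}", 40000 + i, "10.2.0.10", 443, "tcp") for i in range(n)]


if __name__ == "__main__":
    flows = sample_flows()
    print("naive hashing, asymmetric flows:", asymmetric_count(flows, FIREWALLS, naive_key))
    print("symmetric hashing, asymmetric flows:", asymmetric_count(flows, FIREWALLS, symmetric_key))
```

The fabric can only keep a flow on one instance if the value it hashes is identical in both directions; sorting the endpoints is the simplest canonical form, and any hash over it inherits the symmetry.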

Page 44: Security at the Speed of the Network

ACI and OpenStack

[Figure: OpenStack orchestration with three controllers drives Cisco ACI through multi-vendor, open-source APIC plugins; APIC programs the Nexus 9000 fabric and, via OpFlex, the Open vSwitch on each hypervisor, where the VMs of Projects 1, 2 and 3 run]

Page 45: Security at the Speed of the Network

Virtual Topology System (VTS) Introduction

VTS for overlay provisioning and management across virtual overlays and physical fabric (Cisco Nexus & multivendor)

[Figure: VTS programs physical ToRs (NX-API, NETCONF/YANG) and virtual forwarders in a BGP-EVPN VXLAN fabric for bare-metal and virtualized workloads, with automated DCI / WAN overlay integration; northbound it integrates with VMware vCenter, a REST API, a GUI and Cisco Network Services Orchestrator (Tail-f)]

• Flexible overlays: physical and virtual overlays; bare-metal and virtualized workloads; service chaining
• Open and programmable: REST-based northbound APIs; multi-protocol support; multi-hypervisor support
• Automated: seamless integration with orchestrators; automated overlay provisioning; automated DCI/WAN integration
• Scalable VXLAN management: MP-BGP EVPN control plane; virtual tenant networks; high-performance virtual forwarding


Page 47: Security at the Speed of the Network

Generating new revenue streams with Hosted Security Services

Page 48: Security at the Speed of the Network

Evolution of Security Services: Premise to Cloud

[Figure: four stages from CPE, to managed CPE, to hybrid, to cloud. On-premise CPE hosts switching, routing, NAT, DHCP, AP, voice, NGFW, VPN, IPS, web, email, malware and context functions; as services move into the SP cloud, IPS, web, email, malware and context go first, then NAT, DHCP, NGFW, VPN and routing, until only switching, AP and voice remain on the premise]

Page 49: Security at the Speed of the Network

Market Opportunity: Cloud Service Delivery Shows Higher Growth, but CPE Based Still Growing

[Charts: Worldwide CPE-Based Service Revenue Share by Technology and Worldwide Cloud-Based Service Revenue Share by Technology, CY10 to CY19, revenue in US$ billions (CPE-based axis up to $14B, cloud-based axis up to $12B), broken down into IDS/IPS, DDoS mitigation, other security services and managed firewalls]

© 2015 IHS / Infonetics Research: Cloud and CPE Managed Security Services Market Size and Forecasts; March 2015

Page 50: Security at the Speed of the Network

Cloud Based Security Service Offerings

• Cisco Managed Security Cloud: Cloud Web Security (CWS), Cloud Email Security (CES)
• SP Hosted Security Cloud: VPN, FW, NGFW, NGIPS, AMP, Web Security, Email Security as a Service; pre-packaged NFV security service bundles (vMS) or à la carte Hosted Security as a Service (HSS)

Delivered as SaaS or hosted; SP/MSSP resell to enterprises

Page 51: Security at the Speed of the Network

Hosted Security as a Service Architecture

Security Service Examples:
• FWaaS – Firewall as a Service
• VPNaaS – Virtual Private Networking as a Service
• NGFW/IPSaaS – Next Generation Firewall and Intrusion Prevention System as a Service
• WSaaS – Web Security as a Service
• ESaaS – Email Security as a Service
• IDaaS – Identity as a Service
• DDoSaaS – Distributed Denial of Service as a Service

[Figure: infrastructure layer (hypervisor, compute, storage); service layer with per-tenant service chains built from WSaaS, FWaaS, ESaaS, IDaaS, NGFW/IPSaaS and VPNaaS (Tenants 1, 2 and 3); orchestration layer with policy, analytics and reporting]

Page 52: Security at the Speed of the Network

Firewall-aaS Tiers Example (BEFORE / DURING / AFTER)

[Table: feature categories NAT Address Translation, Stateful Inspection, High Availability and Advanced Management against the Bronze, Silver and Gold service tiers; ticks mark what each tier includes]

Page 53: Security at the Speed of the Network

Firewall-aaS Tiers Example (reference slide; BEFORE / DURING / AFTER)

[Table of features by category against the Bronze, Silver and Gold tiers, each marked as included or optional:
• NAT Address Translation: NAT / PAT
• Stateful Inspection: L3 firewall; transparent firewall; proxy authentication; application hosting private zone; application control (IM, peer to peer); voice security support
• High availability: within SP data centre; between SP data centres
• Management: customer self-service portal; streamlined management; auto-generated reporting; custom reporting; data log retention (1 month); extended data log retention (> 1 month)]

Page 54: Security at the Speed of the Network

VPNaaS Tiers Example (reference slide; BEFORE / DURING / AFTER)

[Table: customer site to cloud IPSec VPN service, remote access VPN, high availability and advanced management against the Bronze, Silver and Gold tiers; ticks mark what each tier includes]

Page 55: Security at the Speed of the Network

Web Security-aaS Tiers Example (reference slide; BEFORE / DURING / AFTER)

[Table: real-time threat protection services, acceptable use services, policy control, high availability and advanced management against the Bronze, Silver and Gold tiers; ticks mark what each tier includes]

Page 56: Security at the Speed of the Network

Email Security-aaS Tiers Example (reference slide; BEFORE / DURING / AFTER)

[Table: inbound email protection, outbound email protection, policy control, high availability and advanced management against the Bronze, Silver and Gold tiers; ticks mark what each tier includes]

Page 57: Security at the Speed of the Network

NGFW/IPSaaS Tiers Example (reference slide; BEFORE / DURING / AFTER)

[Table: application visibility and control (NGFW), threat protection (NGIPS), high availability and advanced management against the Bronze, Silver and Gold tiers; ticks mark what each tier includes]

Page 58: Security at the Speed of the Network


Hosted Security as a Service (HSS)

Page 59: Security at the Speed of the Network

HSS Architecture

• Delivered from service provider’s infrastructure
• UBIqube MSActivator used as the Security Domain Manager
• Orchestration SW interfaces with native appliance configuration mechanisms
• All customer data lives inside the SP Cloud environment
• Security on virtual form factor available today

[Figure: infrastructure layer (VMware ESXi, Cisco UCS, storage); service layer with per-tenant virtual appliances (WSAv, ASAv, ESAv, CSR1Kv) for Tenants 1, 2 and 3; orchestration layer with policy, analytics and reporting, connected to the SP's existing orchestration, reporting and billing infrastructure through a provisioning API, a reporting API and a billing API]

Page 60: Security at the Speed of the Network

VSA 1.0 Expanded Gold Container: Customer Hosted Email Inbound Flow

[Figure: the Tenant 1 site (AD, DNS, MS Exchange) reaches the Tenant 1 Expanded Gold Container over an MPLS VPN or IPsec VPN through an ASR 9000 (customer VRF, global table, Internet). Inside the SP data centre a Nexus 5000/7000/9000 L2 fabric connects an ASA 5585-X (gi0/2 to gi0/7, mgt 0/0) with ASAv, ESAv and WSAv virtual machines on UCS, using a shared transit VLAN and a per-tenant VLAN, a Tenant 1 private zone (private tier 1, 2 and 3 VMs) and a Tenant 1 DMZ zone; SP management hosts UBIqube and vCenter]

Note: not showing redundant nodes

Page 61: Security at the Speed of the Network

VSA 1.0 Expanded Gold Container: SP Hosted Email Inbound Flow

[Figure: the same container as the previous slide, but MS Exchange now runs as a virtual machine on UCS inside the Tenant 1 Expanded Gold Container; the Tenant 1 site (AD, DNS) connects over an MPLS VPN through the ASR 9000 (customer VRF, global table), with Internet-facing inbound email traversing the Nexus 5000/7000/9000 L2 fabric, the ASA 5585-X (gi0/2 to gi0/7, mgt 0/0), the ESAv and WSAv, the shared transit VLAN and per-tenant VLAN, into the private zone (private tier 2 and 3 VMs) and DMZ zone; SP management hosts UBIqube and vCenter]

Note: not showing redundant nodes

Page 62: Security at the Speed of the Network

VMDC 2.3 Expanded Gold Container

[Figure: the customer site (AD, DNS, MS Exchange) connects over an MPLS VPN to an ASR 1006 (customer VRF, global table, Internet); in the data centre a Nexus 7004 carries the customer PVT outside VRF, customer PVT inside VRF and customer DMZ VRF; ASA 5585-X appliances host the customer private context and customer DMZ context and an ASA 5555 provides remote access VPN; UCS hosts VMs, Citrix/F5 load balancers, ESAv and WSAv; VLANs: shared transit VLAN, per-tenant VLAN, private zone 3 VLANs, DMZ 1 - 1 VLAN, DMZ 2 - 1 VLAN; SP management hosts UBIqube and vCenter. Not showing redundant nodes]

Page 63: Security at the Speed of the Network

HSS Security Domain Manager: UBIqube MSActivator

[Figure: northbound, a web portal GUI, service profiles, service designer templates and objects, and 3rd party OSS/BSS via web services (verbs and web services API, order stack management); an OBMF mediation layer with device adaptors built on an SDK (update conf, restore conf, get asset, update firmware); southbound interfaces over SSH, Telnet, HTTP, FTP, SNMP, Syslog, OpenFlow, NetFlow and TR-069 to security, VoIP and other devices]

Page 64: Security at the Speed of the Network


vMS (CloudVPN)

Page 65: Security at the Speed of the Network

vMS (CloudVPN) at a Glance

[Figure: infrastructure layer (KVM, compute, storage); service layer with per-tenant chains of virtual services (IPSv, ASAv, ESAv, WSAv, CSR1Kv, vDDoS) for Tenants 1, 2 and 3; orchestration layer with policy, network + service analytics, reporting, provisioning and service lifecycle management, connected to the SP's existing orchestration, reporting and billing infrastructure through a provisioning API, a reporting API and a billing API]

• Rapid provisioning / Ops Portal
• Standard YANG models
• All customer data lives inside the SP Cloud environment
• Appliance plus virtual services chained together
• Orchestration of network + service topology
• Service lifecycle management + elasticity + workload placement
• IPv6 deployed here

Page 66: Security at the Speed of the Network

vMS Architecture: A Deeper Look

[Figure: End-User Portal, Operator Portal and BSS Systems sit above NSO (VNF-O), which holds service models, device models, fastmap and reactive fastmap, an O/S component with APIs, ConfD and NEDs, and is exposed over RESTCONF / UI for Config & Operation. NSO drives ESC (VNF-M, virtual infrastructure lifecycle), OpenStack (virtual infrastructure manager) and an SDN Controller. Data Centre VNFs on x86: VR_CSR (virtual router) and VFW_vASA (virtual firewall). Connectivity: Cloud Service, IP Network, MPLS WAN, ISR (CPE).]

Page 67: Security at the Speed of the Network

VMS Release 2.0: Delivering Comprehensive Cloud VPN Services

NSO – NFV Orchestrator: Cloud VPN Services

• 3 Service Models for Enterprise deployment flexibility:

• CloudVPN Foundation

• CloudVPN Advanced

• CloudVPN Advanced w/Web Security

• vIPS option for both Advanced and Advanced w/Web Security

• CSR1Kv: Virtual Router for Site-to-Site VPN with Secure IP Overlay using FlexVPN/IKEv2 for IPSec Tunnels

• ASAv: vFW with NAT and Policy (*)

• ASAv: vFW with IPSec/SSL Remote Access (*)

• WSAv for Enhanced Web Security (*)

Management and Orchestration

• Enterprise Admin Service Interface (Portal) driven service instantiation

• Zero-Touch Deployment of enterprise CPE (ISR G2)

• Model driven Network Services lifecycle management with Network Service Orchestrator (NSO) from Tail-f

• VNF lifecycle management with Elastic Services Controller (ESC)

• Virtual Infrastructure Management with Openstack featuring: OVS and ODL/VPP as SDN Controllers

[Figure: CPEs for Cust-A, Cust-B and Cust-C reach the cloud over the Internet via Flex-VPN links (IPSEC VPN, Over The Top Access). Per-customer service chains: Foundation = VR (Service Access vRouter, Direct Internet Access via “Split Tunnel”); Advanced = VR + ASA (Internet Access/Remote Access); Advanced w/Web Security = VR + ASA + WSA. Orchestration: NSO – NFV Orchestrator with PnP RFS, VirTo RFS and API; ESC – VNF Manager; Openstack – Virtual Infrastructure Manager; CPE Managed Orchestration Link.]

Page 68: Security at the Speed of the Network

vMS Service Bundles

• (1) Internet Access (IA), FWaaS, VPNaaS: CSR1kv, vASA with NAT, FW, RA.

• (2) IA, FWaaS, VPNaaS and WSaaS: CSR1kv, vASA, vWSA

• (3) IA, FWaaS, VPNaaS and Next-Gen IPSaaS: CSR1kv, vASA, vWSA, vNG-IPS (SourceFire)

• (4) IA, FWaaS, VPNaaS and IdentityaaS: CSR1kv, vASA, vISE with NAT, BYOD, Policy, TrustSec

• (5) IA, FWaaS, VPNaaS and ESaaS: CSR1kv, vASA, vESA

• (6) IA, FWaaS, VPNaaS and DDoSaaS

Flexibility for other variations based on marketing needs

Page 69: Security at the Speed of the Network

Virtual Security Workflows

Reference Slide

Page 70: Security at the Speed of the Network

70© 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKSEC-2760

• Security from the Service Provider perspective

• Putting SDN/NFV to work - DDoS

• Automating Security in the SP Data Centre

• Generating new revenue streams with hosted security services

• SDN & NFV Infrastructure Security

• Summary

Agenda

Page 71: Security at the Speed of the Network


SDN & NfV Infrastructure Security

Page 72: Security at the Speed of the Network

SDN Security Components

[Figure: SDN Applications (Security Application, Third Party Application) consume Identity, Security and Network Services through the Service Abstraction Layer of the SDN controller. Southbound plugins: OpenFlow, Netconf, I2RS, Security Plugin, pxGrid. Security Infrastructure beneath: Cisco Cloud Threat Defence, Identity Services Engine, Next Generation Defence Centre, PRSM, CSM…, together with Visibility and CLI.]

Page 73: Security at the Speed of the Network

Threat Defence Services

[Figure: Application View: Targeted Blocking, Targeted Inspection, Targeted Rate Limiting, Targeted Packet Capture, Targeted File Capture, Targeted Confinement, Targeted Enforcement. Network Capabilities used to deliver them: OpenFlow, Netconf, Security Plugin, VLAN, SGT, VxLAN, ISE.]

Page 74: Security at the Speed of the Network

Security Services Through SDN

• Audit

• Recording

• Monitoring

• Inspection

• Rate Limiting

• DDoS Scrubbing

• Quarantine

• Active Web Firewall

• Blocking

Properties: Effective, Timely, Non-invasive

Page 75: Security at the Speed of the Network

Network Controller Reconciles Mitigations Against the Needs of Mission-critical Applications

[Figure: the network controller takes two inputs: mitigations from the security system, and application and network requirements.]

Page 76: Security at the Speed of the Network

Threats to an SDN System

[Figure: controller with App 1, App 2 and App 3 attached; threats annotated: Spoofing, Rogue, DoS Attacks.]

Page 77: Security at the Speed of the Network

Threats to an SDN System

[Figure: controller with App 1, App 2 and App 3, annotated with Hardening controls: Secure Provisioning, Authentication, Authorisation/RBAC, Integrity, Secure Storage, Audit.]
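The threats on slide 76 and the hardening controls on slide 77 (authentication, authorisation/RBAC, integrity, audit), together with the reconciliation the controller performs on slide 75, can be shown in a small model of a controller's northbound request path. The Python below is an added example, not code from the deck or from any Cisco controller; the app registry, roles, critical-application flows and HMAC-based request signing are constructed assumptions, with HMAC standing in for the certificate or token authentication a real controller would use.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum
import hashlib
import hmac
import json
from typing import Dict, List, Optional


class Action(IntEnum):
    """Mitigation actions ordered from least to most invasive."""
    MONITOR = 0
    INSPECT = 1
    RATE_LIMIT = 2
    QUARANTINE = 3
    BLOCK = 4


@dataclass(frozen=True)
class Flow:
    dst: str
    dport: int


# Constructed sample data: registered SDN apps. The role fixes the most invasive
# action an app may request; the secret authenticates its requests (HMAC here is a
# stand-in for TLS client certificates or tokens, to keep the example self-contained).
APP_REGISTRY: Dict[str, dict] = {
    "ids-app":    {"role": "security", "secret": b"ids-secret-constructed"},
    "report-app": {"role": "observer", "secret": b"report-secret-constructed"},
}
ROLE_CEILING = {"security": Action.BLOCK, "observer": Action.INSPECT}

# Constructed sample data: application owners declare the most invasive action the
# network may apply to their traffic (the "application and network requirements").
CRITICAL_APPS: Dict[Flow, Action] = {
    Flow("10.0.5.20", 443): Action.RATE_LIMIT,   # payments API: never block outright
    Flow("10.0.5.30", 5060): Action.INSPECT,     # voice signalling: inspect only
}


def sign(app: str, body: dict) -> str:
    """HMAC-SHA256 over the canonical JSON body, keyed with the app's secret."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(APP_REGISTRY[app]["secret"], msg, hashlib.sha256).hexdigest()


class Controller:
    def __init__(self) -> None:
        self.audit: List[dict] = []
        self.programmed: Dict[Flow, Action] = {}

    def _record(self, entry: dict) -> None:
        # Hash-chained audit log: every record commits to the previous digest, so a
        # later change to any single entry breaks the chain (integrity of the audit).
        entry["prev"] = self.audit[-1]["digest"] if self.audit else "0" * 64
        entry["digest"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def request(self, app: str, body: dict, mac: str) -> Optional[Action]:
        """Handle one mitigation request; return the action programmed, or None."""
        entry = {"app": app, "request": body}
        # 1. Authentication: unknown app or bad MAC is rejected (and still audited).
        if app not in APP_REGISTRY or not hmac.compare_digest(sign(app, body), mac):
            entry["decision"] = "rejected:auth"
            self._record(entry)
            return None
        flow = Flow(body["dst"], body["dport"])
        wanted = Action[body["action"]]
        # 2. Authorisation/RBAC: the app's role caps what it may ask for.
        if wanted > ROLE_CEILING[APP_REGISTRY[app]["role"]]:
            entry["decision"] = "rejected:rbac"
            self._record(entry)
            return None
        # 3. Reconciliation: apply the least invasive of what was asked and what the
        #    application owner tolerates; unlisted flows may be blocked outright.
        applied = min(wanted, CRITICAL_APPS.get(flow, Action.BLOCK))
        self.programmed[flow] = applied
        entry["decision"] = f"applied:{applied.name}"
        self._record(entry)
        return applied

    def verify_audit(self) -> bool:
        """Re-walk the hash chain; False if any record was altered after the fact."""
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "digest"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["digest"]:
                return False
            prev = e["digest"]
        return True
```

The ordering of `Action` is what makes reconciliation a one-line `min`: a block request against the payments flow is downgraded to a rate limit rather than refused, which matches the "non-invasive" goal on slide 74, while every decision, including rejected ones, lands in the chained audit log.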

Page 78: Security at the Speed of the Network

Agenda

• Security from the Service Provider perspective

• Putting SDN/NFV to work - DDoS

• Automating Security in the SP Data Centre

• Generating new revenue streams with hosted security services

• SDN & NFV Infrastructure Security

• Summary

Page 79: Security at the Speed of the Network


Summary

Page 80: Security at the Speed of the Network

Considerations

How automated is your telemetry capture?

How automated is your threat analysis?

Are you limited by privacy considerations?

What actions are you willing to take in real time?

What actions should be one-click for a security analyst?

What type of SDN can you use?

How SDN-ready is your network?

SDN security?

[Figure: Detection, SDN, Response]

Page 81: Security at the Speed of the Network

Summary

• SP Security concerns

• How traditional products/solutions are embracing SDN/NfV

• Security automation in the SP DC

• Revenue generating security solutions for SP

• SDN & NFV Infrastructure Security

• Is there “One” solution to tackle security end-to-end at the “speed of the network”?

• The reality is, each use case is different.

• Technology, People, Processes

• The key enabler: “Automation”, through the use of SDN, programmability, APIs, NFV…

Page 82: Security at the Speed of the Network

Related Cisco Live Sessions

• BRKRST-1014 - Introduction to Software-Defined Networking (SDN) and Network Programmability

• BRKSPG-3616 - SDN and NFV for Service Providers

• BRKSDN-2040 - SDN Controllers - A Use Case Driven Approach to the Options

• BRKSDN-2065 - Cisco Virtual Managed Services (vMS)

• BRKSPG-2619 - Cisco Evolved Programmable Networks

• BRKSEC-3010 - Firepower 9300 Deep Dive

• BRKSEC-1205 - Introduction to DC Security

• BRKSDN-1119 - Device Programmability Options with APIs

• BRKSEC-2005 - The Internet of Things: A Double-Edged Sword. How Can You Embrace it Securely?

Page 83: Security at the Speed of the Network

Where to go next?

• Other complementary security solutions: OpenDNS, Lancope, Cloud Web Services, CliQr

• Demos in the Cisco World of Solutions

• Walk-in Self-Paced Labs

• DevOps & DevNet Sessions

• Meet the Engineer 1:1

Page 84: Security at the Speed of the Network

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 84BRKSEC-2760

Q & A

Page 85: Security at the Speed of the Network


Complete Your Online Session Evaluation

Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.CiscoLiveAPAC.com

Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations.

– Directly from your mobile device on the Cisco Live Mobile App

– By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/ciscolivemelbourne2016/

– Visit any Cisco Live Internet Station located throughout the venue

T-Shirts can be collected from Friday 11 March at Registration

Page 86: Security at the Speed of the Network

Thanks…

• Session Managers – Robert Page, Usen Tulemisov, Stefan Avgoustakis

• Previous BRKSEC-2760 presenters – Mike Geller, David McGrew, Ken Beck

• Collaborators – Kerry Loveless, Sam Rastogi, Siruo Yu, Mike Geller, Albra Welch

Page 87: Security at the Speed of the Network

Thank you


Page 88: Security at the Speed of the Network