A new paradigm: Networking in Healthcare - VDE ITG


© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

A new paradigm: Networking in Healthcare

Christian Korff

Cisco Deutschland

September 2017


For 30 years, we’ve focused on helping to change the way the world works, lives, plays, and learns.

Our Vision

Digitalization as the essence (diagram, © Prof. Dr.-Ing. Andreas Schrader):

- Unit costs and copyability: costs approach zero
- Reuse of innovation: rapid prototyping
- Moore's Law: miniaturization
- Exponential spread
- Modularization

"Living and working inside the computer?"

Digital Business Agility

- Hyper-awareness: a company's ability to detect and monitor changes in its business environment
- Informed decision-making: a company's ability to make the best decision in a given situation
- Fast execution: a company's ability to carry out its plans quickly and effectively

So What?

Building up a campus network, one build slide at a time (diagram labels: Core Layer, Distribution Layer, VSS, Access Layer, Campus Services, WLC, Firewall):

- Start with the Core
- Add in the Distribution Layer …
- Traditional Multi-Layer Distribution …
- VSS-based Distribution …
- Add in the Access Layer …
- Multi-Layer Access … L3 terminated at Distribution
- Routed Access … L3 terminated at Access
- Converged Access … Wired / Wireless
- Instant Access …
- Add in Wired clients …
- Add in Access Points …
- … and some Wireless clients …
- Add in a Campus Services Layer …
- … with some Wireless LAN Controllers (WLCs)
- … and some Firewalls
- Form the WLCs into a Mobility Group …
- Create the CUWN CAPWAP overlay …
- Add in Converged Access to the mix …
- … and add in the Data Center for the site
- Internet access, dual-homed, with RA VPN
- Guest wireless access, terminated in DMZ
- Now, let's move out to the WAN …
- First, we may have MAN connectivity …
- We may also have a traditional WAN (T1, etc.)
- We may have an SP-provided MPLS service
- We may be using DMVPN over Internet
- We may be using GET VPN over WAN/MPLS …
- … or we may be using DMVPN over 3G/4G/Sat
- Branches may be single-attached to the WAN …
- Or branches may be dual-WAN-attached
- Add in remote teleworkers …
- We may have a second, backup Data Center …
- … using a variety of DCI options for connectivity
- Finally, all of this may be virtualized "N" times …

Networks Today…

- Non-prescriptive topology (too many variations)
- Complex addressing (IP address tied to topology)
- Disruptive device growth (IoT and mobility)
- Static resource allocation
- Manual processes
- Complex provisioning
- Rigid policies (policy based on IP address)

Software Defined Networking (diagram): a Controller providing Services, Orchestration and Policy; Infrastructure (including the Branch) and Endpoints below it; Security, Collaboration and Mobility as the service domains; Intent / Policy from the controller becomes Configuration on the infrastructure.


THE NETWORK. INTUITIVE. Powered by Intent. Informed by Context.

Intent-based Network Infrastructure: a Command and Control Center (Analytics, Policy, Automation) that is Programmable, Integrated and Secure, built on Intent, Context, Security and Learning.

- Software Defined Access powered by DNA Center
- Assurance powered by Network Data Platform
- Security Policy powered by Identity Services Engine

C97-739103-00 © 2017 Cisco and/or its affiliates. All rights reserved. Public

Encrypted Traffic is increasing

- 75 % of web traffic will be encrypted by 2019**
- SSL/TLS encrypted traffic grew 90% year over year from July 2015 to July 2016.*
- 15% of all Malware utilizes TLS and rising*

(chart: share of encrypted web traffic for 2015, 2016 and 2019; values shown: 21%, 40%, 75%)

* Source: NSS Labs
** Cisco ThreatGrid Analysis 2015


How to identify Malware hidden under TLS? (diagram: Endpoint … Internet, with the encrypted flow in between marked "?")


Behavioral Patterns w.r.t. Packet Lengths/Times

- Bestafera: Self-Signed Certificate, Data Exfiltration, C2 Message
- Google Search: Initial Page Load, Page Refresh, Autocomplete
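The patterns named above are visible in flow metadata alone, so they can be measured without decrypting anything. The following is an added example, not code from the deck and not Cisco's ETA implementation: it computes the sequence of packet lengths and times (SPLT) for a flow and applies three simplified rules that stand in for the classifier the slide alludes to. The two flows, their timings, the certificate flag and all thresholds are constructed to resemble the slide's patterns (self-signed certificate, periodic C2 messages and an exfiltration burst versus a page load, autocomplete and refresh); they are not real captures.

```python
"""Behavioural features from TLS flow metadata, without decryption (added example)."""

# A flow is a list of (timestamp_s, direction, tls_record_len); direction is
# +1 for client->server and -1 for server->client. All values are constructed.
BESTAFERA_LIKE = {
    "self_signed_cert": True,   # constructed: would come from the Certificate message
    "packets": [
        (0.000, +1, 180), (0.050, -1, 900),      # ClientHello / ServerHello + certificate
        (0.060, +1, 150), (0.100, -1, 120),      # key exchange, Finished
        (30.100, +1, 64), (30.150, -1, 64),      # C2 check-in roughly every 30 s
        (60.200, +1, 64), (60.250, -1, 64),
        (90.300, +1, 64), (90.350, -1, 64),
        (95.000, +1, 1460), (95.001, +1, 1460), (95.002, +1, 1460),  # exfiltration burst
    ],
}
GOOGLE_SEARCH_LIKE = {
    "self_signed_cert": False,
    "packets": [
        (0.000, +1, 517), (0.020, -1, 1460), (0.021, -1, 1460),  # initial page load
        (0.025, +1, 126), (0.030, -1, 1460), (0.031, -1, 800),
        (1.200, +1, 96), (1.230, -1, 300),                       # autocomplete query
        (1.800, +1, 98), (1.840, -1, 310),                       # page refresh
    ],
}


def splt(packets, n=20):
    """Signed record length and inter-arrival time in ms for the first n packets."""
    out, prev = [], packets[0][0]
    for t, direction, length in packets[:n]:
        out.append((direction * length, int(round((t - prev) * 1000))))
        prev = t
    return out


def outbound_gaps(packets, idle_s=1.0):
    """Gaps between client->server packets; sub-second gaps are dropped so a
    message split into several records counts as one event."""
    ts = [t for t, d, _ in packets if d > 0]
    return [b - a for a, b in zip(ts, ts[1:]) if b - a >= idle_s]


def is_beaconing(packets, min_events=3, tolerance=0.10, share=0.6):
    """True when most outbound idle gaps sit within +/- tolerance of their median."""
    gaps = outbound_gaps(packets)
    if len(gaps) < min_events:
        return False
    median = sorted(gaps)[len(gaps) // 2]
    regular = sum(abs(g - median) <= tolerance * median for g in gaps)
    return regular / len(gaps) >= share


def is_exfiltration(packets, ratio=3.0, min_out_bytes=4000):
    """True when the client sends far more than it receives (thresholds assumed)."""
    out = sum(length for _, d, length in packets if d > 0)
    inbound = sum(length for _, d, length in packets if d < 0)
    return out >= min_out_bytes and out > ratio * inbound


def assess(flow):
    """Sorted list of indicators raised for one flow."""
    flags = []
    if flow["self_signed_cert"]:
        flags.append("self-signed-cert")
    if is_beaconing(flow["packets"]):
        flags.append("beaconing")
    if is_exfiltration(flow["packets"]):
        flags.append("exfiltration")
    return sorted(flags)


if __name__ == "__main__":
    for name, flow in (("bestafera-like", BESTAFERA_LIKE), ("google-search-like", GOOGLE_SEARCH_LIKE)):
        print(name, splt(flow["packets"], 6), assess(flow))
```

The rules are deliberately crude; what carries over to a real deployment is the feature set (signed lengths, inter-arrival times, byte ratios, certificate properties), which is what a trained classifier consumes, and the caveat that each rule alone produces false positives (a backup client also exfiltrates, a monitoring agent also beacons).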


TLS Client Fingerprinting (Bestafera)

(diagram: TLS ClientHello → Possible Clients → True Client (v: 1.0.1r))

Why This Approach is Successful

(diagram combining the two observations (v: 1.0.1r) and (v: 52.0))
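The fingerprinting step works on the unencrypted ClientHello that opens every TLS session. The following is an added example, not from the deck and not Cisco's code: it serialises a ClientHello from constructed parameters, parses the record back the way a passive sensor would, derives a JA3-style fingerprint (TLS version, cipher suites, extension types, supported groups, point formats, GREASE values removed) and maps it to candidate client software. The fingerprint table, the client names in it and the version hint used to narrow the candidates are constructed placeholders, not fingerprints of real software.

```python
"""TLS ClientHello fingerprinting from the first client flight (added example)."""
import hashlib
import struct


def _ext(etype, body):
    return struct.pack("!HH", etype, len(body)) + body


def build_client_hello(version=0x0303, ciphers=(0xC02B, 0xC02F, 0x009C),
                       sni=b"example.com", groups=(0x001D, 0x0017),
                       point_formats=(0,), sigalgs=(0x0403, 0x0804)):
    """Serialise a TLS record carrying a ClientHello (constructed parameters)."""
    random = bytes(32)  # real clients send 32 random bytes; fixed here for determinism
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    sni_entry = b"\x00" + struct.pack("!H", len(sni)) + sni       # name_type host_name
    grp = b"".join(struct.pack("!H", g) for g in groups)
    sig = b"".join(struct.pack("!H", s) for s in sigalgs)
    ext = (_ext(0, struct.pack("!H", len(sni_entry)) + sni_entry)
           + _ext(10, struct.pack("!H", len(grp)) + grp)
           + _ext(11, bytes([len(point_formats)]) + bytes(point_formats))
           + _ext(13, struct.pack("!H", len(sig)) + sig))
    body = (struct.pack("!H", version) + random + b"\x00"         # empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"      # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(rec):
    """Extract the fields a passive sensor sees without any key material."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                                # record (5) + handshake (4) headers
    version = int.from_bytes(rec[p:p + 2], "big"); p += 2
    p += 32                                              # client random
    p += 1 + rec[p]                                      # session id
    cs_len = int.from_bytes(rec[p:p + 2], "big"); p += 2
    ciphers = [int.from_bytes(rec[i:i + 2], "big") for i in range(p, p + cs_len, 2)]; p += cs_len
    p += 1 + rec[p]                                      # compression methods
    end = p + 2 + int.from_bytes(rec[p:p + 2], "big"); p += 2
    exts, groups, formats, sni = [], [], [], None
    while p < end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4])
        data = rec[p + 4:p + 4 + elen]; p += 4 + elen
        exts.append(etype)
        if etype == 0:                                   # server_name: list len, type, name len, name
            sni = data[5:5 + int.from_bytes(data[3:5], "big")].decode()
        elif etype == 10:                                # supported_groups: list len, then groups
            n = int.from_bytes(data[:2], "big")
            groups = [int.from_bytes(data[i:i + 2], "big") for i in range(2, 2 + n, 2)]
        elif etype == 11:                                # ec_point_formats: count, then formats
            formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": exts,
            "groups": groups, "formats": formats, "sni": sni}


def _no_grease(values):
    return [v for v in values if (v & 0x0F0F) != 0x0A0A]   # GREASE values have the form 0x?A?A


def ja3_string(h):
    """JA3 layout: version,ciphers,extensions,groups,formats, each list dash-joined."""
    return ",".join(["%d" % h["version"],
                     "-".join(map(str, _no_grease(h["ciphers"]))),
                     "-".join(map(str, _no_grease(h["extensions"]))),
                     "-".join(map(str, _no_grease(h["groups"]))),
                     "-".join(map(str, h["formats"]))])


def ja3_hash(h):
    return hashlib.md5(ja3_string(h).encode()).hexdigest()


# Constructed lookup table: one fingerprint usually matches several client builds,
# which is why the slide goes from "possible clients" to "true client".
CLIENT_TABLE = {
    ja3_hash(parse_client_hello(build_client_hello())):
        ["constructed-lib 1.0.1r", "constructed-browser 52.0", "constructed-tool 7.5"],
}


def identify(rec, table=CLIENT_TABLE, version_hint=None):
    """Candidate clients for a ClientHello, optionally narrowed by a version string
    observed out of band (assumed here; e.g. a cleartext User-Agent from the same host)."""
    candidates = table.get(ja3_hash(parse_client_hello(rec)), [])
    if version_hint:
        candidates = [c for c in candidates if c.endswith(" " + version_hint)]
    return candidates


if __name__ == "__main__":
    hello = parse_client_hello(build_client_hello())
    print(ja3_string(hello), ja3_hash(hello), hello["sni"])
    print(identify(build_client_hello(), version_hint="52.0"))
```

Two practical caveats: GREASE values must be stripped or every Chrome ClientHello hashes differently, and the fingerprint identifies the TLS library, not the process, so a malware sample statically linked against the same library version as a legitimate tool will share its hash; that is why the second signal on the slide is needed to get from possible clients to the true client.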

SD-Access - Two Level Hierarchy

1. Virtual Network (VN), a VRF: first-level segmentation that ensures zero communication between the Building Management VN and the Campus Users VN.
2. Scalable Group (SGT/SGACL), Group Policy: second-level segmentation that ensures role-based access control between two groups within a Virtual Network.
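The two levels compose in a fixed order: the VN check is absolute and the SGACL matrix is only consulted for hosts that share a VN. The following is an added example of that decision, not Cisco's implementation; the hosts, virtual networks, scalable group tags, SGACL cells and the BACnet port are constructed for illustration.

```python
"""Two-level segmentation decision as SD-Access applies it (added example)."""

# Constructed endpoint inventory: host -> (virtual network, scalable group tag)
ENDPOINTS = {
    "hvac-sensor":    ("Building Management", "BMS"),
    "bms-controller": ("Building Management", "BMS"),
    "staff-laptop":   ("Campus Users", "Employees"),
    "guest-phone":    ("Campus Users", "Guests"),
    "hr-server":      ("Campus Users", "HR_Servers"),
}

# Constructed SGACL matrix: (src SGT, dst SGT) -> ordered ACEs of
# (action, protocol, destination port or None for any). First match wins.
SGACL = {
    ("Employees", "HR_Servers"): [("permit", "tcp", 443), ("deny", "ip", None)],
    ("Guests", "HR_Servers"):    [("deny", "ip", None)],
    ("Guests", "Employees"):     [("deny", "ip", None)],
    ("BMS", "BMS"):              [("permit", "udp", 47808), ("deny", "ip", None)],  # BACnet only
}
DEFAULT_ACTION = "permit"   # what a cell without an SGACL gets; a common but risky default


def decide(src_host, dst_host, proto, dst_port):
    """Return (action, reason) for a packet from src_host to dst_host."""
    src_vn, src_sgt = ENDPOINTS[src_host]
    dst_vn, dst_sgt = ENDPOINTS[dst_host]
    if src_vn != dst_vn:                        # level 1: macro-segmentation by VRF
        return "deny", "level 1: %s and %s are different virtual networks" % (src_vn, dst_vn)
    aces = SGACL.get((src_sgt, dst_sgt))        # level 2: micro-segmentation by SGT
    if aces is None:
        return DEFAULT_ACTION, "level 2: no SGACL for %s->%s, default policy" % (src_sgt, dst_sgt)
    for action, ace_proto, ace_port in aces:
        if ace_proto in ("ip", proto) and ace_port in (None, dst_port):
            return action, "level 2: SGACL %s->%s matched %s/%s" % (src_sgt, dst_sgt, ace_proto, ace_port)
    return "deny", "level 2: implicit deny"


def unguarded_cells():
    """Same-VN SGT pairs that fall through to DEFAULT_ACTION. Review this list
    whenever the default is permit: those pairs are the second level's blind spots."""
    by_vn = {}
    for vn, sgt in ENDPOINTS.values():
        by_vn.setdefault(vn, set()).add(sgt)
    return sorted((s, d) for sgts in by_vn.values() for s in sgts for d in sgts
                  if (s, d) not in SGACL)


if __name__ == "__main__":
    print(decide("hvac-sensor", "hr-server", "tcp", 443))
    print(decide("staff-laptop", "hr-server", "tcp", 443))
    print(decide("staff-laptop", "hr-server", "tcp", 22))
    print(unguarded_cells())
```

The point of `unguarded_cells` is the caveat the slide does not state: level 1 is complete by construction, but level 2 is only as complete as the matrix, and with a permit default every missing cell is an open path inside the VN.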

Network Utilization Growth (Collaboration, Security, Networking)

- Expanded data usage increases the need for efficient, reliable networks
- Business-critical apps require priority and real-time access
- An increased number of mobile devices requires even better analytics

Optimizing Wi-Fi Connectivity

- iOS and Cisco devices recognize each other
- Enabled with a "handshake" unique to Apple and Cisco
- Fast roaming and load balancing automatically enabled


Resources For Your Reference (Recommended)

• ETA Solution Overview in BRKCRS-1560 - https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=95570&backBtn=true

• Research behind ETA BRKSEC-2809 - https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=94399&backBtn=true

• Cognitive Analytics overview BRKSEC-3106 - https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=95774&backBtn=true

• Hidden Figures - Securing what you cannot see INSSEC-103 - https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=95318&backBtn=true

• Overview of ETA https://www.youtube.com/watch?v=JpbL6DC-JlM

• Demo of ETA https://www.youtube.com/watch?v=6f5INflDRto