About the Authors
re his current role, he supported and administered Nortel's worldwide training network structure. John holds a Master's degree in computer engineering from Clemson University.
t, Solutions Architect, Infrastructure and Cloud Engineering, NetApp
is a Solutions Architect in the NetApp Infrastructure and Cloud Engineering team. She architecture, implementation, compatibility, and security of innovative vendor develop competitive and high-performance end-to-end cloud solutions for customers. her career in 2006 at Nortel as an interoperability test engineer, testing customer roperability for certification. Lindsey has her Bachelors of Science degree in Computer d her Masters of Science in Information Security from East Carolina University.
About the AuthorsChris O'Brien, Technical Marketing Manager, Server Access Virtualization Business Unit, Cisco Systems
Chris O'Brien is currently focused on developing infrastructure best practices and solutions that are designed, tested, and documented to facilitate and improve customer deployments. Previously, O'Brien was an application developer and has worked in the IT industry for more than 15 years.
John George, Reference Architect, Infrastructure and Cloud Engineering, NetApp
John George is a Reference Architect in the NetApp Infrastructure and Cloud Engineering team and is focused on developing, validating, and supporting cloud infrastructure solutions that include NetApp products. Befoand VPN infra
Lindsey Stree
Lindsey Streetfocuses on thetechnologies toLindsey startedequipment inteNetworking an
3
4About Cisco Validated Desig
About the Authors
n (CVD) Program
IM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF
ILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING
SE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS
LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES,
ITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF
ABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED
IBILITY OF SUCH DAMAGES.
ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR
TION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR
SSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT
CHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY
N FACTORS NOT TESTED BY CISCO.
Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco
co logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We
y, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS,
eeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the
Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital,
ems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Cen-
ollow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone,
onPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace
MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels,
criptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to
nternet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of
, Inc. and/or its affiliates in the United States and certain other countries.
arks mentioned in this document or website are the property of their respective owners.
word partner does not imply a partnership relationship between Cisco and any other com-
Systems, Inc. All rights reserved
About Cisco Validated Design (CVD) Program
The CVD program consists of systems and solutions designed, tested, and documented to facilitate
faster, more reliable, and more predictable customer deployments. For more information visit
http://www.cisco.com/go/designzone.
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLEC-
TIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUP-
PLIERS DISCLA
MERCHANTAB
FROM A COUR
SUPPLIERS BE
INCLUDING, W
THE USE OR IN
OF THE POSS
THE DESIGNS
THEIR APPLICA
OTHER PROFE
THEIR OWN TE
DEPENDING O
CCDE, CCENT,
WebEx, the Cis
Work, Live, Pla
Bringing the M
Cisco Certified
the Cisco Syst
ter, Fast Step, F
iQuick Study, Ir
Chime Sound,
ProConnect, S
Increase Your I
Cisco Systems
All other tradem
The use of the
pany. (0809R)
2014 Cisco
http://www.cisco.com/go/designzone
FlexPod Datacenter with Cisco Secure Enclaves
OverviewThe increased scrutiny on security is being driven by the evolving trends of mobility, cloud computing, and advanced targeted attacks. More than the attacks themselves, a major consideration is the change in what defines a network, which goes beyond traditional walls and includes data centers, endpoints, virtual and mobile to make up the extended network.
Today most converged infrastructures are designed to meet performance and function requirements with little or no attention to security. Furthermore, the movement toward optimal use of IT resources through virtualization has resulted in an environment in which the true and implied security accorded by physical separation has essentially vanished. System consolidation efforts have also accelerated the movement toward co-hosting on converged platforms, and the likelihood of compromise is increased in a highly shared environment. This situation presents a need for enhanced security and an opportunity to create a framework and platform that instills trust.
The FlexPod Data Center with Cisco Secure Enclaves solution is a threat-centric approach to security allowing customers to address the full attack continuum, before during and after the attack on a standard platform with a consistent approach. The solution is based on the FlexPod Data Center integrated system and augmented with services to address business, compliance and application requirements. The FlexPod Data Center with Cisco Secure Enclaves is a standard approach to delivering a flexible, functional and secure application environment that can be readily automated.
Solution Components FlexPod Datacenter with Cisco Secure Enclaves uses the FlexPod Data Center configuration as its foundation. The FlexPod Data Center is an integrated infrastructure solution from Cisco and NetApp with validated designs that expedite IT infrastructure and application deployment, while simultaneously reducing cost, complexity, and project risk. FlexPod Data Center consists of Cisco Nexus Networking, Cisco Unified Computing System (Cisco UCS), NetApp FAS Series storage systems. One especially significant benefit of the FlexPod architecture is the ability to customize or "flex" the environment to suit a customer's requirements, this includes the hardware previously mentioned as well as operating systems or hypervisors it supports.
Audience
The Cisco Secure Enclaves design extends the FlexPod infrastructure by using the abilities inherit to the integrated system and augmenting this functionality with services to address the specific business and application requirements of the enterprise. These functional requirements promote uniqueness and innovation in the FlexPod, augmenting the original FlexPod design to support these prerequisites. The result is a region, or enclave, and more likely multiple enclaves, in the FlexPod built to address the unique workload activities and business objectives of an organization.
FlexPod Data Center with Cisco Secure Enclaves is developed using the following technologies:
FlexPod Data Center from Cisco and NetApp
VMware vSphere
Cisco Adaptive Security Appliance (ASA)
Cisco NetFlow Generation Appliance (NGA)
Cisco Virtual Security Gateway (VSG)
Cisco Identity Services Engine (ISE)
Cisco Network Analysis Module
Cisco UCS Director
Lancope StealthWatch System
Note The FlexPod solution is hypervisor agnostic. Please go to the Reference Section of this document for URLs providing more details about the individual components of the solution.
AudienceThis document describes the architecture and deployment procedures of a secure FlexPod Data Center infrastructure enabled with Cisco and NetApp technologies. The intended audience for this document includes but is not limited to sales engineers, field consultants, professional services, IT managers, partner engineering, and customers interested in making security an integral part of their FlexPod infrastructure.
FlexPod Data Center with Cisco Secure Enclaves
FlexPod Data Center with Cisco Secure Enclaves OverviewThe FlexPod Data Center with Cisco Secure Enclaves is a standardized approach to the integration of security services with a FlexPod Data Center based infrastructure. The design enables features inherit to the FlexPod platform and calls for its extension through dedicated physical or virtual appliance implementations. The main design objective is to help ensure that applications in this environment meet their subscribed service-level agreements (SLAs), including confidentiality requirements, by using the validated FlexPod infrastructure and the
