Private Cloud on Cisco Integrated Infrastructures with Cisco UCS Director
Chris O’Brien, Technical Marketing Manager
Creating a more flexible, functional, and secure application environment

© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Today’s Security: Multiple products, policies, unmanaged devices and cloud access

[Diagram: Commercial/SMB/Branch, Campus, Cellular and Internet edges, the Enterprise DC with UCS global orchestration, the SP cloud, core and edge (ASR, CSR), SaaS, and a web security gateway, each reaching the WWW over its own path]

• Multiple management paradigms
• Multiple identity stores
• Isolated threat intelligence
• Inconsistent enforcement
DC | Cloud Transition

[Diagram: the move from Physical to Virtual to Cloud, with the goals Agility, Flexibility, Automation, Efficiency, Visibility, Consistency, Consolidation, Cost Reduction and Elastic at each stage]

• Unifying the network services
• Securing multi-tenancy designs
• Extending security posture
“Bolted on” Security Inhibits Data Center Acceleration

• Erodes efficiency gains and delays new services implementation by months
• Cannot scale to today’s data center network performance requirements
• Cannot proactively defend against emerging threats
The New Security Model - Cisco

Attack Continuum
• Before: Control, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate

Covers Network, Endpoint, Mobile, Virtual and Cloud; protection is both point in time and continuous.
The Secure Enclave Architecture (SEA)
Secure Enclave Architecture: Security Services on Cisco Integrated Systems

[Diagram: Tenants A, B and C, each an enclave spanning network and services over virtualized and bare-metal compute and hypervisor (VMs and bare metal)]

• Cisco and our technology partners (NetApp, EMC, Lancope, etc.) working together
• Consistent design and documentation
• Builds on top of existing FlexPod Data Center
• Strong focus on applications

Attack continuum coverage, point in time and continuous:
• Before: Control, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate
Secure Enclave Framework: Design Principles

• Least common mechanism: globalize common/shared modules (enforcement), since removing duplicates leaves fewer opportunities for compromise, with potential performance and maintenance benefits.
• Minimized sharing: sharing should be limited to reduce potential encroachment; only explicitly requested and granted access is allowed.
• Efficient mediated access: access-control functions should be allocated to the lowest possible level (closer to hardware) while still meeting flexibility requirements.
Cisco UCS Director Integration

[Diagram: UCS Director as a single pane of glass over the domain managers for OS and virtual machines, storage, network and compute, delivering the integrated system (VMs, compute, network, storage) to Tenants A, B and C on virtualized and bare-metal compute and hypervisor]

Integrated system components:
• Cisco® UCS B-Series Blade Servers, C-Series and UCS Manager
• Cisco Nexus® Family Switches
• NetApp FAS Series Storage Systems

UCS Director provides:
• On-demand automated delivery
• Policy-driven provisioning
• Single pane of glass
• End-to-end automation and lifecycle management
Enclave Model: Logical Structure

• Access control point into the secure region (public)
• Access control within and between application tiers (private)
• Cyber Threat Defense (CTD) operations to expose and identify malicious traffic
• Cisco TrustSec (CTS) using Secure Group Access control to identify server roles and to enforce security policy
• Out-of-band management for centralized administration of the Enclave and its resources
• Optional load balancing capabilities

[Diagram: Enclave Model. Public access control sits between the external network and the enclave; private access control, Cisco TrustSec, load balancing, and Cisco Cyber Security and Threat Defense apply across the Web tier (W1..WX), Application tier (App1..AppX) and Database tier (DB1..DBx); management is attached separately]
Secure Enclave Architecture: Security Services on a Cisco Integrated System

[Diagram: Tenants A, B and C on virtualized and bare-metal compute and hypervisor with network and services, managed by UCS Director]

• Latest and greatest Cisco Security capabilities all working together
• Consistent design and documentation
• Builds on top of Cisco Integrated Systems
• Strong focus on enterprise applications
• Initial solution target: 2Q CY 2014
Enclave Framework: Transparent Firewalling

[Diagram: Enclave-1 (Web, Application, Database) on a VMware HA cluster of ESXi hosts behind Cisco UCS Fabric Interconnects and Cisco Nexus switching; Cisco ISE Policy Manager distributes PAC files; a Cisco ASA transparent virtual context bridges VLAN 2001 (Enclave-1 outside) and VLAN 3001 (Enclave-1 inside); VLAN 3253 is the common VTEP VLAN carrying Cisco Nexus 1000V VXLAN 30011; Cisco VSG and load balancing sit inside the enclave; SXP runs from the Nexus 1000V to the ASA; each host shows vmk3 and vmk4 VMkernel ports]

• ISE provides centralized authentication and security group table information via PAC file
• SGT applied at the VM port profile
• SXP propagates SGT information across the fabric from Nexus 1000V
• ASA virtual context in transparent mode provides access control
• Single VLAN into the Enclave
• One or more VXLANs for VM-to-VM traffic
• Virtual Security Gateway provides access control across the Enclave
• vmk4 supports NFS for the Enclave
• vmk5 supports iSCSI for the Enclave
• Load balancing services (optional)
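As an added example, not taken from the slide deck or from Cisco's design guides, the ASA configuration below sketches how the transparent virtual context on this slide and the public access-control point from the Enclave Model slide fit together: VLAN 2001 (outside) and VLAN 3001 (inside) are bridged in one bridge group, the context learns security group tags from ISE (PAC file) and from the Nexus 1000V over SXP, and a security-group ACL admits only HTTPS to servers carrying the Web role and drops everything else entering the enclave. The physical interface, context name, IP addresses, RADIUS and SXP secrets, PAC file name and the group name Web are assumptions rather than values from the page, and the CTS commands are the ASA 9.x forms; confirm them against the release notes for the ASA version in use.

```cisco
! Added example: ASA transparent virtual context for Enclave-1 (assumed names and addresses)
!
! --- System execution space (multiple-context mode): carve the two enclave VLANs
! --- off one physical uplink and allocate them to the enclave-1 context.
interface TenGigabitEthernet0/8.2001
 vlan 2001
!
interface TenGigabitEthernet0/8.3001
 vlan 3001
!
context enclave-1
 allocate-interface TenGigabitEthernet0/8.2001 outside-vlan
 allocate-interface TenGigabitEthernet0/8.3001 inside-vlan
 config-url disk0:/enclave-1.cfg
!
! --- Inside the enclave-1 context ---
firewall transparent
hostname enclave-1-fw
!
! One bridge group: the context is a Layer 2 bump in the wire between VLAN 2001
! and VLAN 3001, so the enclave keeps a single VLAN and IP subnet on the inside.
interface outside-vlan
 nameif outside
 bridge-group 1
 security-level 0
!
interface inside-vlan
 nameif inside
 bridge-group 1
 security-level 100
!
! Management address of the bridge group (assumed)
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
! Cisco TrustSec: ISE (assumed at 192.0.2.20) is the AAA server. The PAC file is the
! one ISE issues to this device; environment data downloaded with it carries the
! security group table, which is what lets the ACL below reference a group by name.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.0.2.20
 key <radius-shared-secret>
cts server-group ISE
cts import-pac disk0:/enclave-1.pac password <pac-password>
!
! SXP listener: the Nexus 1000V (assumed at 192.0.2.30) speaks the IP-to-SGT
! bindings learned from the VM port profiles, so the ASA matches on server role
! instead of on addresses that change as VMs are provisioned.
cts sxp enable
cts sxp default password <sxp-password>
cts sxp connection peer 192.0.2.30 source 192.0.2.10 password default mode local listener
!
! Public access-control point: only HTTPS may reach servers tagged Web; anything
! else entering from the outside is dropped and logged (default deny).
access-list OUTSIDE_IN extended permit tcp any security-group name Web any eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Two things worth checking on a live box: `show cts sxp connections` should show the Nexus 1000V peer as connected before the group-based ACL can match anything, and `show cts environment-data` confirms the Web group name was actually learned from ISE; until both hold, the only rule that matches is the final deny, which is the safe failure mode for an access-control point.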
Enclave Traffic Patterns

[Diagram: two instances of the Enclave Model (public and private access control, Cisco TrustSec, load balancing, Cisco Cyber Security and Threat Defense over the Web tier W1..WX, Application tier App1..AppX and Database tier DB1..DBx, with the external network and management). North-south and east-west traffic flows are marked for each enclave]
Summary

[Diagram: Tenants A, B and C on virtualized and bare-metal compute and hypervisor with network and services, managed by UCS Director]

• Builds on top of existing Cisco Integrated Systems (standardize the physical and logical platforms)
• Latest and greatest Cisco Security capabilities all continuously working together (Before, During, After)
• Strong focus on applications
• Expedite and remove risk through automation
Thank you.
Reference Material

• Cisco Secure Enclaves Architecture Design Guide: http://www.cisco.com/c/en/us/products/collateral/servers-unified-computing/ucs-manager/whitepaper-c07-731204.html
• Secure Data Center for Enterprise Solution Design Guide: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/sdc-dg.pdf
• Cisco Secure Data Center for Enterprise (Implementation Guide): http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/sdc-ig.pdf
• Cisco Cyber Threat Defense for the Data Center Solution: First Look Guide: http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/ctd-first-look-design-guide.pdf