Positioning Secure Data Center
R Krishnan
TME DC Security
March 2015
Cisco Confidential
Stay ahead of the evolving threat landscape
Provisioning
Performance
Protection
Optimum Performance
Actionable Protection
Supports asymmetrical traffic flows
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Products across the continuum: Firewall, VPN, NGIPS, NGFW, UTM, Web Security, Retrospective Security, Email Security, IoCs/Incident Response
System Development Fundamentals
Thought leadership, system-level innovations, system delivery, tested and validated designs, documentation
Lifecycle stages: Customer, System Integration, End-to-End Validation, Feature Design, Unit, Planning
Secure Enclave Architecture
2015 Cisco and/or its affiliates. All rights reserved.
Single Site; Clustering; Threat Mgmt; Cyber Threat Defense; Secure Cloud Data Center
ASA 5585-X models: ASA 5585-S60F60, ASA 5585-S40F40, ASA 5585-S20F20, ASA 5585-S10F10
Performance tiers:
7 Gbps AVC, 4.5 Gbps AVC + IPS, 1 million connections, 75,000 CPS
10 Gbps AVC, 6 Gbps AVC + IPS, 1.8 million connections, 120,000 CPS
15 Gbps AVC, 10 Gbps AVC + IPS, 4 million connections, 160,000 CPS
Industry-leading FirePOWER next-generation IPS (NGIPS)
Scalable Segmentation
Clustering & High Availability
Network Firewall, Routing | Switching
Intrusion Prevention (Subscription)
Application Visibility & Control
FireSIGHT Analytics & Automation
Advanced Malware Protection (Subscription)
Built-in Network Profiling
URL Filtering (Subscription)
Identity-Policy Control & VPN
ASAv
Cisco ASAv10
Cisco ASAv30
1 Gbps
2 Gbps
500 Mbps
1 Gbps
Concurrent Sessions
100,000
500,000
20,000
60,000
VLANS
50
200
100
500
50 Mbps
300 Mbps
250
750
250
750
250
1,000
Tested on Hardware: Cisco UCS C260 M2, Cisco UCS B200 M3, Intel Xeon processor E5-2640
Reservation Limits: 5000 kHz on Cisco ASAv10, 20,000 kHz on Cisco ASAv30 (Cisco ASAv reboots on violation)
[Chart: FirePOWER appliance IPS throughput, 2 Gbps to 60 Gbps, stackable: 8120/(8150 > AMP), 8130, 8140, 8250, 8350*, 8260, 8270/8360*, 8290, 8370*, 8390*]
Appliances and SFR on ASA are managed via FireSIGHT Management Center (Defense Center). Appliance managers support 10, 35 or 150 devices; the VM manager supports 2, 10 or 25 devices.
[Diagram: Secure Enclave topology. Users: Employee/Laptop, Employee/iPad, Guest/Laptop, Guest/iPad. Resources: Intellectual Property, Employee Intranet, Internet. Path elements: Switch, Router, ASA, DC Switch, Wireless Controller, QFP. Management and Operations: ISE Policy Manager, Cisco Security Manager, Identity Services Engine, Defense Center/FirePOWER Management Center, UCS Director.]
[Diagram: Data center layers. DC Core Layer; DC Aggregation and Service Layer with vPC/vPC+, NGFW ASA+FP Cluster (up to 16 nodes FW+IPS) and Advanced Real-time Threat Defense; Switching Fabric: Traditional or FabricPath; Physical Access and Compute with Nexus 1000V on vSphere hosting App/OS virtual machines in Tier1, Tier2 ... TierN; Storage.]
Security capabilities:
Threat Containment and Remediation (During, After)
Access Control and Segmentation: access control policies, segmentation, secure separation
Identity Management
Application Visibility and Control
Threat forensics and compliance (Before, During)
Products:
FirePOWER with FireSIGHT, Intrusion Protection, Network-based AMP, Email AMP, CWS AMP, FireAMP for End User and Mobile
Cisco ISE, FirePOWER with FireSIGHT
FirePOWER with FireSIGHT, Access Control, FirePOWER NGFW
FireSIGHT Mgmt. for short-term logs, Lancope Stealthwatch for longer-term NetFlow analysis logs, SIEM for log management compliance
Flexible Insertion: every device is one hop away, microsecond latency, no power or port availability constraints, ease of scaling.
Unified Orchestration and Visibility: the Cisco ACI controller manages all participating devices, with change control and audit capabilities.
[Diagram: ACI fabric service insertion, logical and physical views. EPG Ext (Nexus 7000), EPG Web, EPG DB, ACI Fabric, ASA and ASA Cluster, ASAv active/standby; Files, Users.]
Use Cases
[Diagram: Nexus 7K with ASA 5585-X contexts CTX1 and CTX2, VLANx1/VLANx2 and VLANy1/VLANy2, SGT-tagged servers in Zone A and Zone B, ASAv and vIPS.]
[Diagram: APP Tier 1 and APP Tier 2, VM 1 to VM 8, on VLAN 10 and VLAN 20 with Cisco VSG; vPath-Enabled Services on Cisco Nexus1000V and Cisco ASAv.]
Cisco ASAv bridges VLANs/vNICs
Cisco ASAv VM bridges up to 4 interfaces
Allows for 8 BVIs per Cisco ASAv
Centralized policy on a VM
VLAN stitching required
All inter-VLAN traffic passes through Cisco ASAv
Securing Virtualization / Service Provider
Drivers:
Support existing virtual infrastructure
Frequent expansion requires elasticity
Disconnected environments
Virtualized workloads in PCI scope
Virtual hosted desktop deployments
Virtualizing network functions
Providers looking to provide IDP value-added service
Small environments (e.g. PoS)
Organizations utilizing hybrid cloud model
Solution provides:
Visibility into virtual network communications
Intrusion detection/prevention for virtual network
Rapid, low-overhead deployment
Single pane-of-glass for physical and virtual environments
Cost-effective intrusion detection/prevention
Support for virtual-only environments
Consistent security across on-
ASA1: advanced policies, limited ACL rules
Create standard ASA advanced policy templates in APIC
Network Admin / Security Admin
Same 5 port-level service rules and actions
Port Rules:
Source EPG | Destination EPG | Service | Action
Leaf 1, port 1 / Users | Leaf 3, port 2 / Servers | TCP/80 | Redirect, ASA1
Leaf 1, port 10 / Users | Leaf 4, port 8 / Servers | TCP/443 | Redirect, ASA1
 | Leaf 5, port 12 / Servers | TCP/22 | Redirect, ASA1
 | | TCP/25 | Redirect, ASA1
 | | ICMP | Redirect, ASA1
[Diagram labels: Users, Servers, Remove client, Leaf 2, port 12; hosts 192.168.1.100, 192.168.1.1, 10.1.1.1, 172.18.20.13, 172.16.1.1, 192.168.100.1; services HTTP (TCP/80), HTTPS (TCP/443), SSH (TCP/22), SMTP (TCP/25), ICMP]
Cisco is the #1 leading data center security supplier. Cisco is in the top 2 vendors under evaluation for future purposes.
YOUR CALL TO ACTION: Walk your customer through this report as a standard part of your data center security sales engagements.
http://wwwin.cisco.com/marketing/borderless/security/docs/Infonetics_dcSecSurvey_mar2013.pdf
Average DC Deal $370K: Nexus 7K/5K/3K/2K, UCS, Nexus 1000V, Nexus 1010, VM-FEX, UCS for Virtualized Environments
Incremental Security $150K: ASA 5585-X, ASAv, VSG, NGIPS
Secure DC Total Deal Size $520K: 41% increase in deal size
Up-Front Credit: up to 6% (OIP or TIP)
Trade in Credit: up to 50% (TMP)
Back-End Rebate: VIP, existing rebate programs
Important Information
Through Security Ignite, partners get additional upfront discounts on new next-generation security business registered through the Opportunity Incentive Program (OIP) or Teaming Incentive Program (TIP).
http://www.cisco.com/web/partners/incentives_and_promotions/security-ignite.html
Eligible Products (note: based on specialization): products in the following product families are eligible for Security, with some exceptions. Cisco Next-Generation Firewall: select products; refer to the list of Eligible Products on the Security Ignite page.
Summary
Cisco Data Center Security Accelerates Your Business
Ease of provisioning: speeds adoption of new services from weeks to hours; 80% reduction in manual firewall rules
Maximized Performance: max of 640 Gbps firewall throughput; vPC and FabricPath optimize traffic flow
Actionable Security Intelligence: ASA with NGIPS provides application visibility and a threat-centric approach
Key Takeaways
Next Steps
Go to the Secure Data Center
Thank You