
Building NextGen Secure Data Center
Positioning Secure Data Center
R Krishnan
TME DC Security
March 2015

© 2015 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential

What You'll Learn From This Presentation

Cisco's data center security strategy and its business benefits
Positioning Cisco's new security model in the DC architecture
DC security use cases
How to leverage partner programs to increase the DC security opportunity

Cisco's Data Center Security Strategy and Business Benefits

Data Center Security Challenges

Provisioning: agility; reduce the complexity and fragmentation of security solutions. 95% of firewall breaches are caused by misconfigurations*
Performance: maintain security and compliance while the data center evolves. 3000% increase in network connections per second by 2015
Protection: stay ahead of the evolving threat landscape. Over 100,000 new threats every day

* Greg Young, Gartner Inc

Trends impacting the Data Center (figure)

Cisco Security Supports DC Purchasing Drivers


Virtualization: Cisco can secure east-west traffic in multi-hypervisor environments
Scalability: Cisco delivers policy enforcement at data center speeds
Resiliency: Cisco provides high availability and dynamic clustering
Expanded Deployment Options: Cisco can enforce policy across inter-DC traffic
Segmentation: Cisco supports strong, policy-based data center segmentation
Threat Management: Global/local threat correlation with contextual analysis

Cisco Security is Designed for the Data Center

Ease of Provisioning
Can be deployed dynamically and quickly
Ties data center and security policy together
Protects traditional, virtual, ACI, and cloud environments
Gives the right tool to the right team

Optimum Performance
Optimized for DC performance to handle data bursts
Highly available and resilient
Matches security performance to network performance
Supports asymmetrical traffic flows

Actionable Protection
Before, During, and After protection
Can inspect both north-south and east-west traffic
Custom application inspection

Cisco's New Security Model
Attack Continuum

BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Portfolio across the continuum: Firewall, VPN, NGIPS, Advanced Malware Protection, NGFW, UTM, Web Security, Retrospective Security, Email Security, IoCs/Incident Response, NAC + Identity Services
Visibility and Context span the whole continuum
Secure DC, Enterprise Licensing Agreement, Enterprise Mobility

Cisco Validated Design Process
Innovation and Quality Through System-Level Design and Validation

System Development Fundamentals: critical customer engagements consider the end-to-end view; product development; cross-platform collaboration
System Development Guidelines: thought leadership; system-level innovations; system delivery; tested and validated designs
Lifecycle (diagram): Planning, Design, Unit, Feature, Integration, System, Customer, Documentation, End-to-End Validation

New Secure Data Center CVDs

Five Secure DC CVD solutions focused on integrated solutions and Cyber Threat Defense
Fully tested and validated architectures
Best-practice designs and blueprints
Support physical, virtual, cloud, and hybrid environments
Integrate Cisco and Sourcefire technologies

The five solutions: Secure Enclave Architecture; Single Site Clustering; Threat Management; Cyber Threat Defense; Secure Cloud Data Center

Positioning Cisco's New Security Model in the DC Architecture

Cisco ASA with FirePOWER Services
Next-Generation Security for the Internet Edge and Data Center
16-way clustering with state synchronization

Model             AVC        AVC + IPS   Connections   CPS
ASA 5585-S10F10   4.5 Gbps   2 Gbps      500,000       40,000
ASA 5585-S20F20   7 Gbps     4.5 Gbps    1 million     75,000
ASA 5585-S40F40   10 Gbps    6 Gbps      1.8 million   120,000
ASA 5585-S60F60   15 Gbps    10 Gbps     4 million     160,000

Positioning: from medium Internet edge (S10F10) up to large Internet edge/data center (S60F60)

ASA with FirePOWER Module
Comprehensive Capabilities to Solve the Threat Problem

World's most widely deployed, enterprise-class ASA stateful firewall
Granular Cisco Application Visibility and Control (AVC)
Industry-leading FirePOWER next-generation IPS (NGIPS)
Scalable segmentation
Advanced malware protection
Cisco Talos enabled

Cisco ASA + FirePOWER components: clustering and high availability; network firewall with routing and switching; intrusion prevention (subscription); application visibility and control; FireSIGHT analytics and automation; advanced malware protection (subscription); built-in network profiling; URL filtering (subscription); identity-policy control and VPN

Cisco Virtual ASA (ASAv) Firewall

ASA feature set on the ASAv: parity with the physical form-factor feature set, with clustering and multiple context mode removed
Scaling through virtualization
Up to 10 virtual NIC interfaces
Hypervisor-agnostic
vSwitch-independent
RESTful API support
SDN and traditional management tools
Scales to 4 virtual CPUs and 8 GB of memory
Performance 1 to 2 Gbps
Ability to manage one policy on both physical and virtual ASAs

Cisco ASAv Data Sheet: Performance and Scale

Data Sheet Metric                                 Cisco ASAv10   Cisco ASAv30
Stateful Inspection Throughput (Maximum)          1 Gbps         2 Gbps
Stateful Inspection Throughput (Multiprotocol)    500 Mbps       1 Gbps
Concurrent Sessions                               100,000        500,000
Connections per Second                            20,000         60,000
VLANs                                             50             200
Cisco Cloud Web Security Users                    100            500
3DES and AES VPN Throughput                       50 Mbps        300 Mbps
S2S IPsec IKEv1 Client VPN User Sessions          250            750
Cisco AnyConnect or Clientless User Sessions      250            750
Unified Communications Phone Proxy                250            1,000

Tested on hardware: Cisco UCS C260 M2, Cisco UCS B200 M3, Intel Xeon processor E5-2640
Reservation limits: 5000 kHz on Cisco ASAv10, 20,000 kHz on Cisco ASAv30 (Cisco ASAv reboots on violation)

FirePOWER NGIPS/vNGIPS with AMP

Industry-best next-generation intrusion prevention
Real-time contextual awareness
Full-stack visibility
Unparalleled performance and scalability
Physical and virtual form factors
Traditional DC and ACI/APIC integration
Detects and inspects custom applications
Easily add Application Control, URL Filtering, and Advanced Malware Protection (AMP) with optional subscription licenses

FirePOWER NGIPS Appliance Range and Performance

Model          IPS Throughput
8390*          60 Gbps
8370*          45 Gbps
8290           40 Gbps
8270 / 8360*   30 Gbps
8260           20 Gbps
8350*          15 Gbps
8250           10 Gbps
8140           6 Gbps
8130           4 Gbps
8120           2 Gbps (8150 for AMP)

Stackable: the higher-throughput 8200 and 8300 models are built by stacking units
Appliances and the SFR module on ASA are managed via FireSIGHT Management Center (formerly Defense Center): appliances for 10, 35 or 150 devices; VM for 2, 10 or 25 devices

Cisco ISE With TrustSec Policy Segmentation
Scalable Segmentation

Simplifies policy with Security Group Tagging: the desired policy is expressed as who can talk to whom, who can talk to which systems, and which systems can talk to other systems
Reduces ACL and firewall rule complexity
Allows for segmentation without VLANs
Streamlines secure data center provisioning
Flexible and scalable policy enforcement

Diagram: endpoints (Employee/Laptop, Employee/iPad, Guest/Laptop, Guest/iPad) reach Intellectual Property, Employee Intranet and Internet resources through switch, router, ASA, DC switch and wireless controller enforcement points

Design 1: Cisco Secure Data Center for the Enterprise
Scaling the Data Center in a Single Site (ASA with FirePOWER Module)

Topology (from the slide): WAN edge (QFP routers) into the DC core layer; DC aggregation and service layer (vPC/vPC+) hosting the NGFW ASA+FirePOWER cluster with its cluster control link and advanced real-time threat defense; management and operations (ISE Policy Manager / Identity Services Engine, Cisco Security Manager, Defense Center / FirePOWER Management Center, UCS Director); physical and virtual access into compute tiers (Tier 1, Tier 2 ... Tier N application VMs on vSphere with Nexus 1000V), storage, converged network stack and rack server deployments; physical, virtual and mixed workload environments

ASA 5585-X (SSP with FirePOWER)
North-south traffic protection
Scales up to 16 units in a cluster
Supports Spanned (L2) and ECMP (L3) modes
640G/196G maximum throughput
50 million concurrent connections
2.8 million connections per second
250 contexts for multitenant support
Integrated with vPC/vPC+
TrustSec to define policy based on SGT
Firewall on a stick

ASAv and IPSv
East-west traffic protection
ASAv at the edge and between application tiers with VLAN stitching
Multi-hypervisor and multi-vSwitch
Open APIs
Throughput up to 2 Gbps
Same management tool to configure both physical and virtual appliances

Design 2: Cisco Secure Data Center for the Enterprise
Scaling the Data Center in a Single Site (ASA with Sourcefire Appliance)

Topology (from the slide): WAN edge (QFP routers) into the DC core layer; DC aggregation and service layer (vPC/vPC+) hosting the NGFW ASA+IPS cluster with its cluster control link and advanced real-time threat defense; management and operations (ISE Policy Manager / Identity Services Engine, Cisco Security Manager, Defense Center / FirePOWER Management Center, UCS Director); physical and virtual access into compute tiers (Tier 1, Tier 2 ... Tier N application VMs on vSphere with Nexus 1000V), storage, converged network stack and rack server deployments; physical, virtual and mixed workload environments

ASA 5585-X and Sourcefire Appliance
North-south traffic protection
Scales up to 16 units in a cluster
Supports Spanned (L2) and Individual (L3) modes
640G/160G maximum throughput
2.8 million connections per second
96 million concurrent connections
Integrated with vPC/vPC+
ASA cluster sandwich with embedded FirePOWER
IPS can work inline or in SPAN mode

Design 3: Cisco Secure Data Center
Scaling Across Multiple Sites (planned)

Topology (from the slide): two sites, each with a WAN edge (QFP routers), a DC aggregation layer (vPC/vPC+) and its own NGFW ASA+IPS cluster of up to 16 nodes (FW+IPS) with cluster control and cluster data links and advanced real-time threat defense; physical access into compute tiers (Tier 1, Tier 2 ... Tier N application VMs on vSphere with Nexus 1000V), storage, converged network stack and rack server deployments; physical, virtual and mixed workload environments

LAN extensions: OTV, VXLAN (L2 and L3)
SAN extensions: MetroCluster, VPLEX
Path optimization: LISP
Switching fabric: traditional or FabricPath

Mapping Attack Continuum to Functional Capabilities

Threat Containment and Remediation (Before, During, After)
File, packet, and flow-based inspection and analysis for threats
Products: FirePOWER with FireSIGHT, Intrusion Protection, network-based AMP, Email AMP, CWS AMP, FireAMP for end user and mobile

Access Control and Segmentation (Before, During)
Access control policies, segmentation, secure separation
Products: ASA 5585-X, SGTs, SGACLs, SXP, and TrustSec-capable switching fabric

Identity Management (Before, During)
User identity and access posturing, network-based user context
Products: Cisco ISE, FirePOWER with FireSIGHT

Application Visibility and Control (Before, During)
File control and trajectory, network file trajectory, application quarantine, data loss prevention
Products: FirePOWER with FireSIGHT, Access Control, FirePOWER NGFW

Logging and Traceability Management (Before, During, After)
Threat forensics and compliance
Products: FireSIGHT Management Center for short-term logs, Lancope StealthWatch for longer-term NetFlow analysis logs, SIEM for log management and compliance

Cisco Application Centric Infrastructure

Cisco ACI Fabric: flat, hardware-accelerated network; full abstraction, decoupled from VLANs and dynamic routing; low latency; built-in QoS
Fabric Port Services: hardware filtering and bridging; default gateway; transparent service insertion; service farm aggregation
Flexible Insertion: every device is one hop away, microsecond latency, no power or port availability constraints, ease of scaling
Logical Endpoint Groups by Role: heterogeneous clients, servers, external clouds (files, users); the fabric controls communication
Unified Orchestration and Visibility: the Cisco ACI controller manages all participating devices; change control and audit capabilities

PHYSICAL NORTH-TO-SOUTH DEPLOYMENT

Logical service graph: EPG Ext to ASA to EPG Web to EPG DB; physical view: Nexus 7000, ACI fabric, ASA cluster
Physical appliances provide more power
Units added as capacity needs increase
Fabric programs interface, VLAN, or tag pair and policies for new inter-EPG flows
Fabric instantiates contexts for new tenants

VIRTUAL EAST-TO-WEST DEPLOYMENT

Logical service graph: EPG Web to ASA to EPG DB; physical view: ASAv active and ASAv standby in the ACI fabric
ASAv deployed in failover pairs
New instances can be created on demand for new tenants
Fabric programs VLAN and VXLAN tag pairs for inter-EPG flows
APIC uses the API to instantiate additional ASAv based on health and oversubscription monitoring

Use Cases

Cisco ASA 5585-X Use Cases
Physical to Virtual Segmentation Building Blocks: VRF, VLAN, Virtual Context

North-south traffic protection
Network virtualization and zone/tenant-based flow control
Unique policies and traffic decisions applied to each zone
Physical infrastructure mapped per zone: VRF, Nexus Virtual Device Context, VLANs, SGT
ASA 5585-X supports a maximum of 250 contexts
ASA contexts support a mix of routed and transparent mode

Diagram: Nexus 7K above an ASA 5585-X with contexts CTX1 (VLANx1, VLANx2) and CTX2 (VLANy1, VLANy2); SGT-tagged servers in Zone A and Zone B; ASAv and ASAv vIPS on the virtual side

Cisco ASAv Use Cases

Cisco ASAv as Tenant Edge (Cisco ASA firewall policy per VLAN)
Security policy per vNIC or VLAN
Includes per-interface IPv4/IPv6 ACLs, NAT66/NAT64/NAT46, etc.
Suits a large tenant on multiple VLAN zones
10 vNICs and 200 VLAN subinterfaces
Provides remote VPN for secure connectivity

Cisco ASAv for East-West Traffic Policy (security policy and ACL using VLANs; the ASAv bridges VLANs/vNICs)
Bridges up to 4 interfaces
Allows 8 BVIs per Cisco ASAv
Centralized policy on a VM
Requires VLAN stitching
All inter-VLAN traffic passes through the Cisco ASAv

Diagram: two application tiers (App Tier 1: VM 1 to VM 4; App Tier 2: VM 5 to VM 8) on VLAN 10 and VLAN 20 behind a vSwitch or Cisco Nexus 1000V with vPath-enabled services (Cisco VSG); the Cisco ASAv VM bridges the VLANs

NGIPSv Use Cases

Virtualizing Security
Drivers: support for existing virtual infrastructure; frequent expansion requires elasticity; disconnected environments
Solution provides: visibility into the virtual network; intrusion detection/prevention for virtual network communications; rapid, low-overhead deployment; single pane of glass for physical and virtual environments

Securing Virtualization
Drivers: virtualized workloads in PCI scope; small environments (e.g. PoS); virtual hosted desktop deployments; organizations utilizing a hybrid cloud model
Solution provides: single pane of glass for physical and virtual environments; rapid, low-overhead deployment; consistent security across on-

Service Provider
Drivers: virtualizing network functions; providers looking to provide IDP as a value-added service
Solution provides: cost-effective intrusion detection/prevention; support for virtual-only environments

Cisco ASA in ACI Use Case

The security admin creates standard ASA advanced policy templates in APIC. ASA1 carries the advanced policies with a limited set of ACL rules. The network admin removes client 192.168.1.1 and adds client 172.18.20.13 using the standard ASA template; the same five port-level service rules and actions stay in place.

Clients (EPG Users, 192.168.1.100 network admin, 172.18.20.13, 172.16.1.1, 192.168.100.1 security admin) attach at Leaf 1 port 1, Leaf 1 port 10 and Leaf 2 port 12; servers (EPG Servers, 10.1.1.1) attach at Leaf 3 port 2, Leaf 4 port 8 and Leaf 5 port 12. Services: HTTP (TCP/80), HTTPS (TCP/443), SSH (TCP/22), SMTP (TCP/25), ICMP.

Port rules
Source EPG   Destination EPG   Service   Action
Users        Servers           TCP/80    Redirect, ASA1
Users        Servers           TCP/443   Redirect, ASA1
Users        Servers           TCP/22    Redirect, ASA1
Users        Servers           TCP/25    Redirect, ASA1
Users        Servers           ICMP      Redirect, ASA1
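The TrustSec slide earlier (policy stated as who can talk to whom, fewer ACL and firewall rules) and this ACI use case (five EPG-level rules that survive clients being added and removed) rest on the same mechanism: group membership is kept apart from the rules. The following Python is an added example, not Cisco, APIC or ISE code and not an API of any of them. It models endpoints joining a group, resolves flows against the five Users-to-Servers rules from the slide, and expands those rules into the per-address entries an IP-based ACL would need for the same intent. Assumed rather than taken from the slide: a whitelist model (unknown endpoints and unmatched inter-group flows are denied), permit within a single group, the server addresses 10.1.1.2 and 10.1.1.3, and the leaf/port positions used for the added clients.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example (not Cisco, APIC or ISE code): a minimal model of group-based
# policy as used by ACI endpoint groups (EPGs) and TrustSec security group tags
# (SGTs). Rules are written between groups; endpoints join or leave a group
# without any rule being edited.

Attach = Tuple[str, int]  # (leaf, port): where an endpoint plugs into the fabric


@dataclass(frozen=True)
class Endpoint:
    ip: str
    group: str  # EPG name (ACI) or security group (TrustSec)


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    proto: str           # "tcp" or "icmp"
    port: Optional[int]  # None for protocols without a port (ICMP)
    action: str          # e.g. "redirect:ASA1", "permit", "deny"

    def matches(self, src: str, dst: str, proto: str, port: Optional[int]) -> bool:
        return (self.src_group == src and self.dst_group == dst
                and self.proto == proto and self.port == port)


class GroupPolicy:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.members: Dict[Attach, Endpoint] = {}

    def attach(self, where: Attach, ep: Endpoint) -> None:
        """Endpoint joins a group (APIC learns this from the fabric, ISE assigns the SGT)."""
        self.members[where] = ep

    def detach(self, where: Attach) -> None:
        self.members.pop(where, None)

    def decide(self, src: Attach, dst: Attach, proto: str, port: Optional[int] = None) -> str:
        """Resolve one flow to an action. Assumed here, not stated on the slide:
        whitelist model (unknown endpoints and unmatched inter-group flows are
        denied) and traffic within a single group is permitted."""
        s, d = self.members.get(src), self.members.get(dst)
        if s is None or d is None:
            return "deny"
        if s.group == d.group:
            return "permit"
        for rule in self.rules:
            if rule.matches(s.group, d.group, proto, port):
                return rule.action
        return "deny"

    def expand_to_ip_rules(self) -> List[Tuple[str, str, str, Optional[int], str]]:
        """The (src_ip, dst_ip, proto, port, action) entries an address-based ACL
        would need to express the same group rules for the current membership."""
        entries = []
        for rule in self.rules:
            srcs = [e.ip for e in self.members.values() if e.group == rule.src_group]
            dsts = [e.ip for e in self.members.values() if e.group == rule.dst_group]
            entries.extend((s, d, rule.proto, rule.port, rule.action)
                           for s in srcs for d in dsts)
        return entries


# The five port-level service rules on the slide: Users -> Servers, redirected to ASA1.
SLIDE_RULES = [
    Rule("Users", "Servers", "tcp", 80, "redirect:ASA1"),
    Rule("Users", "Servers", "tcp", 443, "redirect:ASA1"),
    Rule("Users", "Servers", "tcp", 22, "redirect:ASA1"),
    Rule("Users", "Servers", "tcp", 25, "redirect:ASA1"),
    Rule("Users", "Servers", "icmp", None, "redirect:ASA1"),
]


def build_slide_policy() -> GroupPolicy:
    """Membership constructed from the slide's leaf/port and address labels; the server
    addresses 10.1.1.2 and 10.1.1.3 are made up here to fill the three server ports."""
    p = GroupPolicy(SLIDE_RULES)
    p.attach(("leaf1", 1), Endpoint("192.168.1.100", "Users"))   # network admin
    p.attach(("leaf1", 10), Endpoint("192.168.1.1", "Users"))    # client removed in churn_demo
    p.attach(("leaf2", 12), Endpoint("192.168.100.1", "Users"))  # security admin
    p.attach(("leaf3", 2), Endpoint("10.1.1.1", "Servers"))
    p.attach(("leaf4", 8), Endpoint("10.1.1.2", "Servers"))      # constructed address
    p.attach(("leaf5", 12), Endpoint("10.1.1.3", "Servers"))     # constructed address
    return p


def churn_demo() -> Dict[str, int]:
    """Client churn from the slide: remove 192.168.1.1, add 172.18.20.13 and 172.16.1.1.
    Returns rule counts before and after; the five group rules never change."""
    p = build_slide_policy()
    before = {"group_rules_before": len(p.rules), "ip_rules_before": len(p.expand_to_ip_rules())}
    p.detach(("leaf1", 10))
    p.attach(("leaf1", 10), Endpoint("172.18.20.13", "Users"))
    p.attach(("leaf2", 1), Endpoint("172.16.1.1", "Users"))      # constructed attach point
    return {**before, "group_rules_after": len(p.rules), "ip_rules_after": len(p.expand_to_ip_rules())}
```

With three user endpoints and three servers the five group rules expand to 45 address-based entries; after the churn on the slide they expand to 60, while the group rule count stays at five. The reverse direction, Servers to Users on TCP/80, resolves to deny because no rule exists for it, which is the point of writing policy as contracts between groups rather than as pairs of addresses.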

Increasing the Opportunity

Cisco Data Center Security Leadership

Cisco is the #1 leading data center security supplier
Cisco holds the #1 brand for data center security
Cisco is in the top 2 vendors under evaluation for future purchases

YOUR CALL TO ACTION: Walk your customer through this report as a standard part of your data center security sales engagements
http://wwwin.cisco.com/marketing/borderless/security/docs/Infonetics_dcSecSurvey_mar2013.pdf

Security Increases DC Deal Size

Average DC deal: $370K (Nexus 7K/5K/3K/2K, UCS, Nexus 1000V, Nexus 1010, VM-FEX, UCS for virtualized environments)
Incremental security: $150K (ASA 5585-X, ASAv, VSG, NGIPS)
Secure DC total deal size: $520K, a 41% increase in deal size

Connecting the Partner Programs

Up-front discount: Security Ignite, up to 6%
Up-front credit: OIP or TIP, up to 50%; TMP trade-in credit
Back-end rebate: VIP (extra VIP if Gold); existing rebate programs

Important Information
Through Security Ignite, partners get additional up-front discounts on new next-generation security business registered through the Opportunity Incentive Program (OIP) or Teaming Incentive Program (TIP).
http://www.cisco.com/web/partners/incentives_and_promotions/security-ignite.html

Eligible Products
Note: based on specialization

Products in the following product families are eligible for Security, with some exceptions.

Cisco Cloud Web Security: all products
Cisco Web Security Appliances: all products
Cisco Email Security Appliances: all products
Cisco Security Management Appliances: all products
Cisco Identity Services Engine: all products
Cisco FirePOWER Appliances: all products
Cisco Next-Generation Firewall: select products; refer to the list of Eligible Products on the Security Ignite page

Summary

Summary
Cisco Data Center Security Accelerates Your Business

Ease of provisioning: speeds adoption of new services from weeks to hours; 80% reduction in manual firewall rules
Maximized performance: maximum of 640 Gb firewall throughput; vPC and FabricPath optimize traffic flow; 16% less input power versus competitive firewalls
Actionable security intelligence: ASA with NGIPS provides application visibility and a threat-centric approach

Key Takeaways

Data center security is a key opportunity
Use Cisco's industry leadership and competitive differentiators
Leverage Cisco's partner programs

Next Steps

Go to the Secure Data Center Solutions web page on cisco.com: http://www.cisco.com/go/securedc
Go to the Design Zone website: http://www.cisco.com/go/designzone
Provide a capabilities gap assessment to help customers maximize their Cisco investment

Thank You
