Bill McGee, Sr. Manager
Data Center Security Solutions
bam@cisco.com
Cisco Secure
Data Center Solutions
In Data Center Security, Agility, Threat Defense, and Control are Challenges
• Time-consuming provisioning
• Complex data flows
• Unpredictable data volume
• Unique threats
Data centers require specialized security

Standard edge security                                  | Data center security
Sees symmetric traffic only                             | Requires asymmetric traffic management
Scales statically for predictable data volume,          | Must scale dynamically to secure high-volume data bursts
limited by the edge data connection                     |
Monitors ingress and egress traffic                     | Needs to secure intra-data-center traffic
Deployed typically as a physical appliance              | Requires both a physical and a virtual solution
Deploys in days or weeks                                | Must deploy in hours or minutes
It’s tempting to sacrifice security
to achieve agility
Incomplete security coverage
Inconsistent levels of security
Compromised configuration
Proliferating user access
Deploy security where you need it most
• East-west traffic: 76%
• North-south traffic: 17%
• Inter-data center traffic: 7%
Without specialized security, your data center is more exposed to sophisticated threats
• 60% of data is stolen in hours; detection can take weeks or months
• 95% of data center breaches can be tied to misconfigured security solutions
• 100% of companies connect to domains that host malicious files or services

Today's hackers are more advanced than ever
• Well-funded: they are part of massive operations
• Inventive: they rapidly change their tactics and tools, finding new vulnerabilities to exploit
• Insidious: they blend in with the targeted organization, sometimes taking weeks or months to establish multiple footholds in infrastructure and user databases

Sources: Verizon 2014 Data Breach Investigations Report (DBIR); Gartner; Cisco Annual Security Report 2015
Only Cisco offers the agility, protection, and
control you need to truly protect the DC
Unmatched agility Integrated protection Dynamic control
Unmatched agility
Achieve the flexibility and performance required without compromising security
• Deploy and operate consistently across data center designs, geographies and physical, virtual and cloud environments
• Increase resource flexibility with security policies that adjust as workloads shift
• Scale dynamically to apply the right security at the right time, aligned to each workload's varying demands
Through link scalability
• Multiple uplink routers and multiple physical links
• OSPF/BGP routing for rapid failure detection
• Equal Cost Multipath (ECMP) with full flow asymmetry support: the two directions of one connection may arrive on different links and different firewall units, so the firewall layer must still see both halves as one connection
• Port aggregation (EtherChannel) with LACP for dynamic bundling and failure detection

Device scalability
• Cluster: a single logical firewall, clustering with full state backup
• vPC/VSS: a single virtual switch, Virtual PortChannel (vPC) on Nexus, Virtual Switch System (VSS) on Catalyst
• Complete fault tolerance: spanned EtherChannel with LACP for ports, Non-Stop Forwarding (NSF) for OSPF/BGP, redundant switches, redundant firewalls

And site scalability (Site A / Site B)
• Local traffic processing
• Endpoint mobility
• VLAN segment extension with Overlay Transport Virtualization (OTV)
• Inter-site clustering: clustering retains connection state, with full state backup
• Site-specific switch connections
Or through ACI service chaining
(Figure: a data packet enters a unified platform and traverses a service chain of SSL, metadata tagging, Service 1, Service 2, FW, IPS and a specialized security service, on top of common policy scripting, management, reporting, logging and analytics.)
All with elastic scale and performance
• On-demand security scales up and down as traffic increases and decreases
• 16-way load distribution with state synchronization
• Pool across physical security appliances
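Why "full flow asymmetry support" and "clustering with full state backup" belong together: when two routers ECMP-hash traffic independently, the SYN of a connection and its SYN-ACK can land on different firewall units, and a standalone stateful firewall drops the half it never saw. The following is an added example (not Cisco code, and not the ASA's actual owner/director/forwarder implementation) that models both behaviours: N independent firewalls versus N units that share connection ownership through a director lookup. Router seeds, unit counts and addresses are constructed for the simulation.

```python
"""Flow asymmetry across ECMP-balanced firewalls: standalone units vs a
state-sharing cluster. Constructed model for illustration only."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)

    def key(self) -> tuple:
        """Direction-independent connection key: both directions of one TCP
        connection resolve to the same state entry."""
        a, b = (self.src, self.sport), (self.dst, self.dport)
        lo, hi = (a, b) if a <= b else (b, a)
        return (self.proto, *lo, *hi)


def _h(*parts) -> int:
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest()[:8], "big")


def ecmp_next_hop(flow: Flow, n_paths: int, router: str) -> int:
    """Per-router ECMP decision: a hash of the 5-tuple salted with a router-specific
    value. The outside and inside routers decide independently, so the SYN and the
    SYN-ACK of one connection can reach different firewall units (the asymmetry)."""
    return _h(router, flow.proto, flow.src, flow.sport, flow.dst, flow.dport) % n_paths


class StandaloneFirewalls:
    """N independent stateful firewalls: each knows only the connections it saw open."""
    def __init__(self, n: int):
        self.tables = [set() for _ in range(n)]

    def handle(self, flow: Flow, unit: int, syn: bool) -> str:
        k = flow.key()
        if syn:
            self.tables[unit].add(k)
            return "allow"
        return "allow" if k in self.tables[unit] else "drop"  # unknown mid-stream packet


class Cluster:
    """N units acting as one logical firewall. The unit that sees the SYN owns the
    connection and registers it with a director unit chosen by hashing the key; any
    other unit that receives a packet of that connection asks the director and forwards
    the packet to the owner over the cluster link. (Simplified model.)"""
    def __init__(self, n: int):
        self.n = n
        self.owned = [set() for _ in range(n)]
        self.director_table = [dict() for _ in range(n)]  # key -> owner unit

    def director(self, key: tuple) -> int:
        return _h("director", *key) % self.n

    def handle(self, flow: Flow, unit: int, syn: bool) -> str:
        k = flow.key()
        if syn:
            self.owned[unit].add(k)
            self.director_table[self.director(k)][k] = unit
            return "allow"
        if k in self.owned[unit]:
            return "allow"
        owner = self.director_table[self.director(k)].get(k)
        return "drop" if owner is None else "forward->unit%d" % owner


def simulate(n_units: int, n_conns: int) -> dict:
    """Open n_conns client connections, then deliver each server's SYN-ACK via the
    inside router, counting how each firewall design treats the return packets."""
    standalone, cluster = StandaloneFirewalls(n_units), Cluster(n_units)
    counts = {"asymmetric": 0, "standalone_drops": 0, "cluster_drops": 0, "cluster_forwards": 0}
    for i in range(n_conns):
        fwd = Flow("10.1.0.%d" % (i % 200 + 1), 40000 + i, "192.0.2.10", 443)  # constructed addresses
        rev = fwd.reverse()
        u_fwd = ecmp_next_hop(fwd, n_units, "outside-router")
        u_rev = ecmp_next_hop(rev, n_units, "inside-router")
        counts["asymmetric"] += u_fwd != u_rev
        standalone.handle(fwd, u_fwd, syn=True)
        cluster.handle(fwd, u_fwd, syn=True)
        counts["standalone_drops"] += standalone.handle(rev, u_rev, syn=False) == "drop"
        r = cluster.handle(rev, u_rev, syn=False)
        counts["cluster_drops"] += r == "drop"
        counts["cluster_forwards"] += r.startswith("forward")
    return counts


if __name__ == "__main__":
    print(simulate(n_units=4, n_conns=64))
```

Every connection whose return packet hashes to a different unit is a drop for the standalone design and a forward-to-owner for the cluster; the cluster never drops. The cost the model makes visible is the extra hop over the cluster control link for every asymmetric flow, which is why the link-scalability slide pairs ECMP with asymmetry support rather than assuming symmetric paths.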
Integrated protection
Benefit from robust, purpose-built security that won't slow you down
• Secure east-west data center traffic flows without crippling data center operations
• Prioritize high-risk events automatically so you can focus on the potential threats that are most likely to be problems
• Defend critical resources in real time, including custom applications, mission-critical infrastructure and sensitive data
• Remediate and adapt intelligently by efficiently understanding and cleaning up breaches
Through a threat-centric security model
Attack Continuum, across Network, Endpoint, Mobile, Virtual and Cloud:
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Protection is both point-in-time and continuous.
With the smartest threat defense available
• Stay protected against the latest threats with regular updates pushed automatically
• Identify advanced threats quickly with industry-leading threat data and research
• Get industry-specific threat intelligence tailored to your business
• Catch advanced threats endpoints miss with Cisco's threat engineers and analysts

Talos
(Figure: research, response and threat intelligence across email, endpoints, web, networks, NGIPS and devices; 600+ researchers; 24x7x365 operations.)
• Monitors 35% of the world's email traffic
• Receives 1.1 million incoming malware samples daily
• Performs 4.9 billion AV and web filtering blocks per month
• Processes 100 terabytes of security intelligence daily
Market-leading ASA NGFW
Deploy consistent policy between virtual and physical devices
Support Traditional and Next-Gen Data Centers (SDN, NFV, ACI)
Fully integrated into ACI – APIC-based provisioning, orchestration, and management
Cisco ASA Virtual Firewall
• Full ASA Feature Set
• Hypervisor Agnostic
• vSwitch Independent
• Dynamic Scalability
Cisco ASA 5585-X Series
• Now with FirePOWER NGIPS services
• Up to 640 Gbps throughput
• 16-node, multi-site clustering
• Clusters managed as a single device
FirePOWER Next Generation IPS
Easily add Application Control, URL Filtering, and
Advanced Malware Protection (AMP) with optional
subscription licenses
Industry-Best NG Intrusion Prevention
Real-Time Contextual Awareness
Full Stack Visibility
Unparalleled Performance and Scalability
Physical and Virtual Form Factors
Detects and Inspects Custom Applications
And Cisco Advanced Malware Protection
All detection is less than 100% effective, so AMP layers several techniques rather than relying on any one of them:
• Reputation filtering and file sandboxing
• One-to-one signature matching
• Fuzzy fingerprinting
• Machine learning
• Advanced analytics
• Dynamic analysis
With continuous attack analysis
(Figure: breadth and control points (web, endpoints, network, email, devices, IPS) feed a continuous telemetry stream of file fingerprints and metadata, process information, and file and network I/O; continuous analysis against Talos and Threat Grid intelligence yields trajectory, behavioral indications of compromise, threat hunting and retrospective detection.)
Introducing Firepower 9300
Multi-service security
Benefits
• Integration of best-of-breed security
• Dynamic service stitching
Features*
• Firepower Threat Defense containers
- NGIPS, AMP, URL, Application,
Visibility & Control (AVC)
• ASA container
- Stateful FW, Virtual Private Network
(VPN), CGNAT
• 3rd Party containers
- Radware DDoS
- Other ecosystem partners
Carrier-class
Benefits
• Industry Leading Performance/RU
- 600+% Higher Performance
- 30% higher port density
Features
• Compact, 3RU form factor
• 10G/40G I/O; 100G ready
• Terabit backplane
• Low latency, Intelligent fastpath
• NEBS in process
Modular
Benefits
• Standards and interoperability
• Flexible Architecture
Features
• Template driven security
• Secure containerization for customer
apps
• RESTful/JSON API
• 3rd party orchestration/management
* Contact Cisco for services availability
Enables a revolution in data center security

Superior Threat Defense
• Validated superior by independent labs and industry analysts.
• The only platform with Gartner-defined NGIPS* with automated threat impact analysis.
• Partner ecosystem enables additional, tightly integrated security services (e.g., DDoS mitigation).

Low Latency, High Speed
• Highest performance and port density per RU in the industry.
• Single appliances up to 240 Gbps throughput, 30 Gbps+ per flow, sub-5 microsecond latency, 100 Gbps interface-ready.
• Need more? Cluster up to five units for 1.2 Tbps.

Security Policy Follows Workloads
• Maintain consistent security policy across physical, virtualized, and cloud topologies.
• Firepower 9300 interoperates with virtualized Cisco ASAv and NGIPSv.
• Moving to SDN/ACI? Let's talk about orchestration and microsegmentation.

Flexible & Cost Effective
• Investment protection with a balanced mix of hardware acceleration and x86 complex optimization to address evolving threats and protocols.
• Modular architecture for both security modules and interfaces.
• Lower power consumption.

* Contact Cisco for services availability
With the most powerful solution in the industry
Integrated Intelligent Services Framework: intelligent processing for more effective detection, higher performance, and simplified management
• NGFW: block and monitor unauthorized access and activity at L2-L7
• NGIPS: detect, prevent, and respond to real-time threats to your network
• URL Filtering: restrict access to specific sites and sub-sites, as well as categories of sites
• VPN: protect both remote users and site-to-site connections with granular control
• AMP: identify and target breaches and malware for analysis and response
• Third Party: open API enables a range of additional tools for customized protection
Legacy Security: siloed, inefficient, expensive
(Figure: a data packet is passed serially through separate DDoS, SSL, FW, WAF, IPS and sandbox platforms, each on its own box.) Result: reduced effectiveness, increased latency, a slowed network, and static, manual operation.

Cisco transforms Security Service Integration
(Figure: the same siloed chain contrasted with a unified platform on which DDoS, SSL, FW, WAF, NGIPS and AMP run as integrated services; key: Cisco service vs. 3rd-party service.)
• Siloed: limited effectiveness, increased latency, slows the network, static and manual
• Integrated: maximum protection, highly efficient, scalable processing, dynamic
Looking forward: intelligent service stitching
(Figure: a data packet carrying a metadata tag traverses DDoS, SSL, WAF, NGIPS, AMP and FW services on the unified platform; key: Cisco service vs. 3rd-party service.)
• Smart tags eliminate needless re-inspection
• Automates security service intelligence
• Optimize security via dynamic service stitching
Firepower 9300 threat-centric security benefits: operational efficiency, integrated security, enhanced agility
• High speed, scalable security
• Dynamic service stitching
• Dynamic provisioning across physical, virtual, and cloud
• Automated and consistent security policies
• Lower integration costs and complexity
• RESTful APIs and 3rd party tool integration
• Best of breed security = Cisco + 3rd party
• Security services in a consolidated platform
• Visibility and correlation
No other solution offers this level of visibility
The more infrastructure you see, the better protection you get
(Figure: visibility comparison of a typical IPS, a typical NGFW and the Cisco Firepower 9300 multi-service appliance across threats, users, web applications, application protocols, file transfers, malware, command-and-control servers, client applications, network servers, operating systems, routers and switches, mobile devices, printers and VoIP phones.)
Dynamic control
Save time with intelligent and consistent management
• Provision security seamlessly along with other data center resources
• Increase security effectiveness by simplifying policy creation and enforcement
• Manage everything centrally from one controller*, enabling consistent policies across users and applications
*ACI functionality only
Through TrustSec secure provisioning
(Figure: a Cisco ASA 5585-X firewall cluster (master and slave units) managed by Cisco Security Manager sits in front of a converged stack (Vblocks/FlexPods on Cisco Nexus switches) whose physical access, compute and storage layers are provisioned by Cisco UCS Director; each vSphere tier (Tier 1, Tier 2, ... Tier N) runs application VMs behind a Cisco Nexus 1000V virtual switch. Users (IT-managed and personal devices; wired, wireless and remote VPN users) are authenticated by the Identity Services Engine, which derives user identity and role-based policies; data center workloads carry security group (SG) tags.)
• The administrator assigns the workload to the proper group; switches send the update to devices for policy maps
• The ASA firewall learns when a new workload is provisioned and automatically applies security policy
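What makes the provisioning above "automatic" is that policy is written against security groups, not addresses: a workload inherits its rules the moment it is bound to a group, and an enforcement point only needs the IP-to-tag bindings (carried inline in the frame or learned from ISE, which is what the SXP and SGACL items in the Validated Design portfolio later in this deck refer to). The following is an added example, not Cisco TrustSec or ISE code: the tag values, group names, policy matrix and addresses are assumptions, and the lookup is a simplified model of what a switch SGACL or an SGT-aware firewall ACL does.

```python
"""Security-group-based enforcement (TrustSec-style), constructed example.
Endpoints and workloads are classified into groups; enforcement looks up
(source group, destination group) in a policy matrix instead of IP ACLs."""
import ipaddress

# Security Group Tags (assumed values; real deployments define their own)
SGT = {"Unknown": 0, "Employees": 4, "Contractors": 5, "Web_Tier": 10, "App_Tier": 11, "DB_Tier": 12}

# Policy matrix: (src SGT, dst SGT) -> permitted (proto, port) pairs; an absent pair means deny.
# This is the SGACL / firewall-ACL content an administrator authors once, centrally.
POLICY = {
    (SGT["Employees"],   SGT["Web_Tier"]): {("tcp", 443)},
    (SGT["Contractors"], SGT["Web_Tier"]): {("tcp", 443)},
    (SGT["Web_Tier"],    SGT["App_Tier"]): {("tcp", 8443)},
    (SGT["App_Tier"],    SGT["DB_Tier"]):  {("tcp", 5432)},
}


class BindingTable:
    """IP-to-SGT bindings as learned from identity/provisioning and propagated to
    enforcement devices that do not receive inline tags (the role SXP plays)."""
    def __init__(self):
        self.bindings = {}   # ip_network -> sgt

    def bind(self, cidr: str, sgt: int) -> None:
        self.bindings[ipaddress.ip_network(cidr)] = sgt

    def lookup(self, ip: str) -> int:
        """Longest-prefix match; unbound addresses are 'Unknown' and match no policy."""
        addr = ipaddress.ip_address(ip)
        matches = [n for n in self.bindings if addr in n]
        if not matches:
            return SGT["Unknown"]
        return self.bindings[max(matches, key=lambda n: n.prefixlen)]


def decide(table: BindingTable, src_ip: str, dst_ip: str, proto: str, port: int,
           inline_src_sgt: int = None) -> str:
    """Enforcement decision. When the frame carries a source tag from the upstream
    classifying device, that tag wins; otherwise fall back to the binding table."""
    s = inline_src_sgt if inline_src_sgt is not None else table.lookup(src_ip)
    d = table.lookup(dst_ip)
    return "permit" if (proto, port) in POLICY.get((s, d), set()) else "deny"


def demo() -> dict:
    t = BindingTable()
    t.bind("10.10.0.0/16", SGT["Employees"])        # constructed address plan
    t.bind("10.20.0.0/16", SGT["Contractors"])
    t.bind("192.0.2.0/24", SGT["Web_Tier"])
    t.bind("198.51.100.0/24", SGT["App_Tier"])
    out = {}
    out["emp_web"] = decide(t, "10.10.5.5", "192.0.2.10", "tcp", 443)
    out["app_db_unprovisioned"] = decide(t, "198.51.100.8", "203.0.113.7", "tcp", 5432)  # no binding yet
    # A new database workload is provisioned and assigned to DB_Tier: no ACL edits,
    # only a binding, and the matrix applies to it immediately.
    t.bind("203.0.113.7/32", SGT["DB_Tier"])
    out["app_db_provisioned"] = decide(t, "198.51.100.8", "203.0.113.7", "tcp", 5432)
    out["web_db_direct"] = decide(t, "192.0.2.10", "203.0.113.7", "tcp", 5432)   # tier skipping
    out["emp_db"] = decide(t, "10.10.5.5", "203.0.113.7", "tcp", 5432)
    # Inline tag overrides the IP lookup: a contractor on the employee subnet is
    # still evaluated as a contractor; a tagged web-tier frame is evaluated as web tier.
    out["inline_contractor"] = decide(t, "10.10.9.9", "198.51.100.8", "tcp", 8443, SGT["Contractors"])
    out["inline_web"] = decide(t, "10.10.9.9", "198.51.100.8", "tcp", 8443, SGT["Web_Tier"])
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The check a practitioner wants here is the unbound case: an address with no group is "Unknown" and matches no row, so a workload that is provisioned but not yet assigned to a group is denied rather than silently permitted. The inline-tag cases show the other property the slide relies on: the decision follows the identity carried with the traffic, not the subnet it happens to come from.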
Or through ACI's unified operations
(Figure: a single APIC* controller spans global data center locations, traditional and next-gen data centers, and private (physical and virtual) and public data centers, giving consistent security for data center administration across the data architect, storage admin and business/app DevOps roles.)
*ACI functionality only

And APIC's simplified provisioning
• Before: security policies pushed separately to each firewall; manual, complex and time-consuming
• After: security policies defined once in APIC* and applied to every firewall; automated, simplified and efficient
*ACI functionality only
Cisco is the clear leader here…
"IT decision-makers have selected Cisco as the top data center security solution supplier, across all 10 separate categories, three years in a row."
Infonetics Research Report Experts: Data Center Security Strategies and Vendor Leadership: North American Enterprise Surveys - 2013, 2014, 2015
Trust the market leader
With a proven Validated Design portfolio
Cisco Secure Data Center for the Enterprise Solution Portfolio (each a Cisco Validated Design):

Cyber Threat Defense for Data Center
• Lancope Stealthwatch (FlowCollector, FlowSensor)
• NetFlow
• NSEL (Network Security Event Logging)

Threat Management with NextGen IPS
• NextGen IPS in ASA Cluster
• Defense Center / FireSIGHT
• User context, application control, URL filtering
• Network-based AMP and endpoint AMP (client and server)

ASA Clustering with FirePOWER Services
• Firewall clustering
• Intrusion prevention
• Real-time updates
• Management

Secure Enclave Architecture
• Converged infrastructure: compute, storage, hypervisor (FlexPod, Vblock, VSPEX)
• Virtualization, infrastructure management, access layer
• Secure enclaves
• TrustSec: SXP, Security Group Tags, policy enforcement, SGACLs, FW ACLs
With Cisco you get…
• Superior agility, protection and control
• Service from the #1 ranked data center security vendor
• Proven design and implementation guidance

Cisco's Differentiated Value
• Unmatched Visibility: end-to-end network visibility from SP core to customer premise
• Consistent Control: consistent policies across network, data center, and workloads
• Complexity Reduction: reduce IT silos, respond faster to new opportunities and business models
• Advanced Threat Protection: detect and mitigate advanced threats across CPE, cloud, and network
Learn more
Visit the Secure Data Center Solutions site
Visit the Design Zone site
Obtain a Capabilities Gap Assessment from Cisco
Services to help maximize your Cisco investment
Thank You
Secure Data Center Solution with FP 9300 - BDM

More Related Content

What's hot

Cisco asa cx firwewall
Cisco asa cx firwewallCisco asa cx firwewall
Cisco asa cx firwewall
Anwesh Dixit
 

What's hot (20)

Cisco asa fire power services
Cisco asa fire power servicesCisco asa fire power services
Cisco asa fire power services
 
Cisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of AttackCisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of Attack
 
Behind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced ThreatsBehind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced Threats
 
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
Cisco Connect Vancouver 2017 - Putting firepower into the next generation fir...
 
Emerging Threats - The State of Cyber Security
Emerging Threats - The State of Cyber SecurityEmerging Threats - The State of Cyber Security
Emerging Threats - The State of Cyber Security
 
Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall
Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation FirewallCisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall
Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall
 
Cisco asa cx firwewall
Cisco asa cx firwewallCisco asa cx firwewall
Cisco asa cx firwewall
 
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...
Cisco Connect Toronto  2017 - Accelerating Incident Response in Organizations...Cisco Connect Toronto  2017 - Accelerating Incident Response in Organizations...
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...
 
Meraki powered services bell
Meraki powered services   bellMeraki powered services   bell
Meraki powered services bell
 
Leverage the Network
Leverage the NetworkLeverage the Network
Leverage the Network
 
Asa sslvpn security
Asa sslvpn securityAsa sslvpn security
Asa sslvpn security
 
Building Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and SourcefireBuilding Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and Sourcefire
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CX
 
Cisco connect winnipeg 2018 we make it simple
Cisco connect winnipeg 2018   we make it simpleCisco connect winnipeg 2018   we make it simple
Cisco connect winnipeg 2018 we make it simple
 
Ignite your network digitize your business
Ignite your network digitize your businessIgnite your network digitize your business
Ignite your network digitize your business
 
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 -  Security Through The Eyes of a HackerCisco Connect Toronto 2017 -  Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewall
 
TechWiseTV Workshop: OpenDNS and AnyConnect
TechWiseTV Workshop: OpenDNS and AnyConnectTechWiseTV Workshop: OpenDNS and AnyConnect
TechWiseTV Workshop: OpenDNS and AnyConnect
 
The Network as a Sensor, Cisco and Lancope
The Network as a Sensor, Cisco and LancopeThe Network as a Sensor, Cisco and Lancope
The Network as a Sensor, Cisco and Lancope
 
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
 

Viewers also liked

Безопасность Центров Обработки Данных
Безопасность Центров Обработки ДанныхБезопасность Центров Обработки Данных
Безопасность Центров Обработки Данных
Cisco Russia
 
ASA Multiple Context Training
ASA Multiple Context TrainingASA Multiple Context Training
ASA Multiple Context Training
Tariq Bader
 
Designing Secure Cisco Data Centers
Designing Secure Cisco Data CentersDesigning Secure Cisco Data Centers
Designing Secure Cisco Data Centers
Cisco Russia
 

Viewers also liked (12)

Simplifying the secure data center
Simplifying the secure data centerSimplifying the secure data center
Simplifying the secure data center
 
Решения ImpervaWeb Application Firewall на базе платформы Cisco Nexus – перед...
Решения ImpervaWeb Application Firewall на базе платформы Cisco Nexus – перед...Решения ImpervaWeb Application Firewall на базе платформы Cisco Nexus – перед...
Решения ImpervaWeb Application Firewall на базе платформы Cisco Nexus – перед...
 
Безопасность Центров Обработки Данных
Безопасность Центров Обработки ДанныхБезопасность Центров Обработки Данных
Безопасность Центров Обработки Данных
 
Cisco Connect Almaty 2014 - Security Solutions for Data Centers (russian)
Cisco Connect Almaty 2014 - Security Solutions for Data Centers (russian)Cisco Connect Almaty 2014 - Security Solutions for Data Centers (russian)
Cisco Connect Almaty 2014 - Security Solutions for Data Centers (russian)
 
Case Study: Datotel Extended the Power of Infrastructure Management to the Ph...
Case Study: Datotel Extended the Power of Infrastructure Management to the Ph...Case Study: Datotel Extended the Power of Infrastructure Management to the Ph...
Case Study: Datotel Extended the Power of Infrastructure Management to the Ph...
 
Отказоустойчивость с использованием Cisco ASA Clustering
Отказоустойчивость с использованием Cisco ASA ClusteringОтказоустойчивость с использованием Cisco ASA Clustering
Отказоустойчивость с использованием Cisco ASA Clustering
 
CCNA practice quiz student
CCNA practice quiz studentCCNA practice quiz student
CCNA practice quiz student
 
Open Systems Interconnection (OSI) model
Open Systems Interconnection (OSI) modelOpen Systems Interconnection (OSI) model
Open Systems Interconnection (OSI) model
 
ASA Multiple Context Training
ASA Multiple Context TrainingASA Multiple Context Training
ASA Multiple Context Training
 
Cisco Security Architecture
Cisco Security ArchitectureCisco Security Architecture
Cisco Security Architecture
 
Cloud Security and Risk Management
Cloud Security and Risk ManagementCloud Security and Risk Management
Cloud Security and Risk Management
 
Designing Secure Cisco Data Centers
Designing Secure Cisco Data CentersDesigning Secure Cisco Data Centers
Designing Secure Cisco Data Centers
 

Similar to Secure Data Center Solution with FP 9300 - BDM

Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & Compliance
Amazon Web Services
 
Data center webinar_v2_1
Data center webinar_v2_1Data center webinar_v2_1
Data center webinar_v2_1
Lancope, Inc.
 
OmniAccess_8550_Datasheet
OmniAccess_8550_DatasheetOmniAccess_8550_Datasheet
OmniAccess_8550_Datasheet
Julien Kirsch
 
[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...
[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...
[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...
Nur Shiqim Chok
 

Similar to Secure Data Center Solution with FP 9300 - BDM (20)

Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-Sheet
 
Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & Compliance
 
Data center webinar_v2_1
Data center webinar_v2_1Data center webinar_v2_1
Data center webinar_v2_1
 
Security: A Driving Force Behind Cloud Adoption
Security: A Driving Force Behind Cloud AdoptionSecurity: A Driving Force Behind Cloud Adoption
Security: A Driving Force Behind Cloud Adoption
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
 
Cisco Connect 2018 Malaysia - Secure data center and mobility solutions
Cisco Connect 2018 Malaysia - Secure data center and mobility solutionsCisco Connect 2018 Malaysia - Secure data center and mobility solutions
Cisco Connect 2018 Malaysia - Secure data center and mobility solutions
 
Cisco Sona
Cisco SonaCisco Sona
Cisco Sona
 
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
 
Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...
 
Techcello hp-arch workshop
Techcello hp-arch workshopTechcello hp-arch workshop
Techcello hp-arch workshop
 
RightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the Cloud
 
Create New Value for You - Huawei Agile Network
Create New Value for You - Huawei Agile NetworkCreate New Value for You - Huawei Agile Network
Create New Value for You - Huawei Agile Network
 
OmniAccess_8550_Datasheet
OmniAccess_8550_DatasheetOmniAccess_8550_Datasheet
OmniAccess_8550_Datasheet
 
Can I Trust the Cloud?
Can I Trust the Cloud?Can I Trust the Cloud?
Can I Trust the Cloud?
 
Cisco’s Cloud Ready Infrastructure
Cisco’s Cloud Ready InfrastructureCisco’s Cloud Ready Infrastructure
Cisco’s Cloud Ready Infrastructure
 
Cisco Connect 2018 Indonesia - next-gen cisco sd-wan architecture
Cisco Connect 2018 Indonesia -  next-gen cisco sd-wan architectureCisco Connect 2018 Indonesia -  next-gen cisco sd-wan architecture
Cisco Connect 2018 Indonesia - next-gen cisco sd-wan architecture
 
[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...
[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...
[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...
 
Cloud Security @ TIM - Current Practises and Future Challanges
Cloud Security @ TIM - Current Practises and Future ChallangesCloud Security @ TIM - Current Practises and Future Challanges
Cloud Security @ TIM - Current Practises and Future Challanges
 
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
 
infraxstructure: Piotr Wojciechowski "Secure Data Center"
infraxstructure: Piotr Wojciechowski  "Secure Data Center"infraxstructure: Piotr Wojciechowski  "Secure Data Center"
infraxstructure: Piotr Wojciechowski "Secure Data Center"
 

Secure Data Center Solution with FP 9300 - BDM

  • 1. Bill McGee, Sr. Manager Data Center Security Solutions bam@cisco.com Cisco Secure Data Center Solutions
  • 2. Time- consuming provisioning Complex data flows Unpredictable data volume In Data Center Security, Agility, Threat Defense, and Control are Challenges Unique Threats
  • 3. Data centers require specialized security Standard edge security Data center security Sees symmetric traffic only Scales statically for predictable data volume, limited by edge data connection Monitors ingress and egress traffic Deployed typically as a physical appliance Deploys in days or weeks Requires asymmetric traffic management Must scale dynamically to secure high volume data bursts Needs to secure intra-data-center traffic Requires both a physical and virtual solution Must deploy in hours or minutes
  • 4. It’s tempting to sacrifice security to achieve agility Incomplete security coverage Inconsistent levels of security Compromised configuration Proliferating user access
  • 5. Deploy security where you need it most East-west traffic 76% North-south traffic 17% Inter-data center traffic 7%
  • 6. Without specialized security, your data center is more exposed to sophisticated threats of data is stolen in hours; detection can take weeks or months 60% of data center breaches can be tied to misconfigured security solutions 95% of companies connect to domains that host malicious files or services 100% Well-funded. They are part of massive operations Inventive. They rapidly change their tactics and tools, finding new vulnerabilities to exploit Insidious. They blend in with the targeted organization, sometimes taking weeks or months to establish multiple footholds in infrastructure and user databases Today’s hackers are more advanced than ever Sources: Verizon 2014 Data Breach Investigations Report (DBIR); Gartner; Cisco Annual Security Report 2015
  • 7. Only Cisco offers the agility, protection, and control you need to truly protect the DC Unmatched agility Integrated protection Dynamic control
  • 8. Unmatched agility Achieve the flexibility and performance required without compromising security Unmatched agility Deploy and operate consistently across data center designs, geographies and physical, virtual and cloud environments Increase resource flexibility with security policies that adjust as workloads shift Scale dynamically to apply the right security at the right time, aligned to each workload’s varying demands
  • 9. Through link scalability Multiple Uplink Routers Multiple Physical Links OSPF/BGP routing for rapid failure detection Equal Cost Multipath (ECMP) Full Flow Asymmetry Support Port Aggregation (EtherChannel) LACP for dynamic bundling and failure detection
  • 10. Cluster Single Logical Firewall Clustering with full state backup vPC/VSS Single Virtual Switch Virtual PortChannel (vPC) on Nexus Virtual Switch System (VSS) on Catalyst Device scalability Complete Fault Tolerance Spanned Etherchannel with LACP for ports Non-Stop Forwarding (NSF) for OSPF/BGP Redundant Switches Redundant Firewalls
  • 11. And site scalability Local Traffic Processing Endpoint Mobility VLAN Segment Extension Overlay Transport Virtualization (OTV) Clustering retains connection state Clustering with full state backup Site-specific switch connections Inter-site Clustering Site A Site B Virtual
  • 12. Unified Platform Or through ACI service chaining Data Packet 1001 0001011 1100010 1110 1001 0001011 1100010 1110 1001 0001011 1100010 1110 1001 0001011 1100010 1110 1001 0001011 1100010 1110 1001 0001011 1100010 1110 1001 0001011 1100010 1110 SSL Metadata tagging Service 1 Service 2 FW IPS Specialized Security Service Policy Scripting | Management | Reporting | Logging ꞁ Analytics
  • 13. All with elastic scale and performance On demand security scales up and down as traffic increases and decreases 16-way load distribution with state synchronization** Pool across physical security appliances
  • 14. Integrated protection Benefit from robust, purpose-built security that won’t slow you down Integrated protection Secure east-west data center traffic flows without crippling data center operations Prioritize high-risk events automatically so you can focus on the potential threats that are most likely to be problems Defend critical resources in real-time including custom applications, mission-critical infrastructure and sensitive data Remediate and adapt intelligently by efficiently understanding and cleaning up breaches
  • 15. BEFORE Discover Enforce Harden AFTER Scope Contain Remediate Attack Continuum Network Endpoint Mobile Virtual Cloud Detect Block Defend DURING Through a threat-centric security model Point in Time Continuous
  • 16. With the smartest threat defense available. Stay protected against the latest threats with regular updates pushed automatically. Identify advanced threats quickly with industry-leading threat data and research. Get industry-specific threat intelligence tailored to your business. Catch advanced threats endpoints miss with Cisco’s threat engineers and analysts. (Figure: Talos threat intelligence across Email, Endpoints, Web, Networks, NGIPS, Devices; 24x7x365 Operations; 600+ Researchers; Research, Response, Threat Intelligence.) Talos • Monitors 35% of the world’s email traffic • Receives 1.1 million incoming malware samples daily • Performs 4.9 billion AV and web filtering blocks per month • Processes 100 terabytes of security intelligence daily
  • 17. Market-leading ASA NGFW Deploy consistent policy between virtual and physical devices Support Traditional and Next-Gen Data Centers (SDN, NFV, ACI) Fully integrated into ACI – APIC-based provisioning, orchestration, and management Cisco ASA Virtual Firewall • Full ASA Feature Set • Hypervisor Agnostic • vSwitch Independent • Dynamic Scalability Cisco ASA 5585-X Series • Now with FirePOWER NGIPS services • Up to 640 Gbps throughput • 16-node, multi-site clustering • Clusters managed as a single device
  • 18. FirePOWER Next Generation IPS Easily add Application Control, URL Filtering, and Advanced Malware Protection (AMP) with optional subscription licenses Industry-Best NG Intrusion Prevention Real-Time Contextual Awareness Full Stack Visibility Unparalleled Performance and Scalability Physical and Virtual Form Factors Detects and Inspects Custom Applications
  • 19. And Cisco Advanced Malware Protection All detection is less than 100% effective Reputation Filtering and File Sandboxing Dynamic Analysis Machine Learning Fuzzy Finger-printing Advanced Analytics One-to-One Signature
  • 20. With continuous attack analysis. (Figure: telemetry from Web, Endpoints, Network, Email, Devices, IPS; File Fingerprint and Metadata; Process Information; File and Network I/O; Continuous feed; Continuous analysis; Breadth and Control points: Telemetry Stream; Talos + Threat Grid Intelligence; Trajectory; Behavioral Indications of Compromise; Threat Hunting; Retrospective Detection.)
  • 21. Introducing Firepower 9300 Multi-service security Benefits • Integration of best-of-breed security • Dynamic service stitching Features* • Firepower Threat Defense containers - NGIPS, AMP, URL, Application, Visibility & Control (AVC) • ASA container - Stateful FW, Virtual Private Network (VPN), CGNAT • 3rd Party containers - Radware DDoS - Other ecosystem partners Carrier-class Benefits • Industry Leading Performance/RU - 600+% Higher Performance - 30% higher port density Features • Compact, 3RU form factor • 10G/40G I/O; 100G ready • Terabit backplane • Low latency, Intelligent fastpath • NEBS in process Modular Benefits • Standards and interoperability • Flexible Architecture Features • Template driven security • Secure containerization for customer apps • Restful/JSON API • 3rd party orchestration/management * Contact Cisco for services availability
  • 22. Enables a revolution in data center security Superior Threat Defense Security Policy Follows Workloads Flexible & Cost Effective Validated superior by independent labs and industry analysts. The only platform with Gartner-defined NGIPS* with automated threat impact analysis. Partner ecosystem enables additional, tightly integrated, security services (e.g., DDoS mitigation) Highest performance and port density per RU in the industry. Single appliances up to: 240Gbps throughput — 30Gbps+ per flow, sub-5 microsecond latency, 100Gbps interface-ready. Need more? Cluster up to five units for 1.2 Tbps of power Maintain consistent security policy across physical, virtualized, and cloud topologies. Firepower 9300 interoperates with virtualized Cisco ASAv and NGIPSv. Moving to SDN/ACI? Let’s talk about orchestration and microsegmentation. Investment protection with a balanced mix of hardware acceleration and x86 complex optimization to address evolving threats and protocols. Modular architecture for both security modules and interfaces. Lower power consumption. Low Latency, High Speed * Contact Cisco for services availability
  • 23. With the most powerful solution in the industry NGFW Block and monitor unauthorized access and activity at L2-7 NGIPS Detect, prevent, and respond to real-time threats to your network URL Filtering Restrict access to specific sites and sub-sites, as well as categories of sites VPN Protect both remote users and site-to-site connections with granular control WWW Integrated Intelligent Services Framework Intelligent processing for more effective detection, higher performance, and simplified management AMP Identify and target breaches and malware for analysis and response Third Party Open API enables a range of additional tools for customized protection
  • 24. Legacy Security: siloed, inefficient, expensive. (Figure: Data Packet passed in turn through separate DDoS Platform, SSL Platform, FW Platform, WAF Platform, IPS Platform and Sandbox Platform: SSL, DDoS, WAF, FW, IPS, Sandbox.) Reduced Effectiveness. Increased Latency. Slows Network. Static & Manual.
  • 25. Cisco transforms Security Service Integration. Siloed: Data Packet through DDoS Platform, SSL Platform, FW Platform, WAF Platform, IPS Platform, Sandbox (SSL, DDoS, WAF, FW, IPS, Sandbox): Limited effectiveness, Increased latency, Slows network, Static & Manual. Unified Platform: Data Packet through DDoS, FW, WAF, NGIPS, SSL, AMP: Integrated, Maximum protection, Highly efficient, Scalable processing, Dynamic. Key: Cisco Service; 3rd Party Service
  • 26. Looking forward: intelligent service stitching. Unified Platform: Data Packet with Metadata tag through DDoS, SSL, WAF, NGIPS, AMP, FW. Smart tags eliminate needless re-inspection. Automates security service intelligence. Optimize security via dynamic service stitching. Key: Cisco Service; 3rd Party Service
  • 27. Operational Efficiency Integrated Security Enhanced Agility High speed, scalable security Dynamic service stitching Dynamic provisioning across physical, virtual, and cloud Automated and consistent security policies Lower integration costs and complexity RESTful APIs and 3rd party tool integration Best of Breed security = Cisco + 3rd party Security services in a consolidated platform Visibility and correlation Firepower 9300 threat-centric security benefits
  • 28. Malware Client applications Operating systems Mobile Devices VOIP phones Routers & switches Printers C & C Servers Network Servers Users File transfers Web applications Application protocols Threats No other solution offers this level of visibility The more infrastructure you see, the better protection you get Typical IPS Typical NGFW Cisco Firepower 9300 Multi-Service Appliance
  • 29. Dynamic control Save time with intelligent and consistent management Dynamic control Provision security seamlessly along with other data center resources Increase security effectiveness by simplifying policy creation and enforcement Manage everything centrally from one controller*, enabling consistent policies across users and applications *ACI functionality only
  • 30. Through Trustsec secure provisioning Master Slaves Cisco ASA 5585-X Firewall Cluster Cisco Security Manager Cisco UCS Director Physical Access Compute Storage Converged Network Stack vSphere App OS App OS App OS App OS Tier 1 Cisco Nexus 1000V vSphere App OS App OS App OS App OS Tier 2 Cisco Nexus 1000V App OS App OS App OS App OS Tier N Cisco Nexus 1000V Vblocks/ FlexPods Cisco Nexus IT managed devices Personal devices Wired user Wireless user Remote VPN user Identity Services Engine User identity Role-based policies Datacenter SG tags Policies ASA firewall learns when a new workload is provisioned and automatically applies security policy Administrator assigns workload to proper group. Switches send update to devices for policy maps
  • 31. Or through ACI’s unified operations. Global data center locations: Traditional datacenter; Next Gen; APIC*; Private, Virtual, Physical, Virtual, Physical, Physical; Datacenter administration; Public Datacenter; Consistent security; Data Architect, Storage Admin, Business App, DevOps. *ACI functionality only
  • 32. And APIC’s simplified provisioning. Before: Manual, complex and time-consuming; Security Policies applied to each Firewall (Firewall, Firewall, Firewall, Firewall). After: Automated, simplified and efficient; APIC* pushes Security Policies to every Firewall (Firewall, Firewall, Firewall, Firewall). *ACI functionality only
  • 33. Cisco is the clear leader here… “IT decision-makers have selected Cisco as the top data center security solution supplier, across all 10 separate categories, three years in a row.” Infonetics Research Report Experts: Data Center Security Strategies and Vendor Leadership: North American Enterprise Surveys - 2013, 2014, 2015. Trust the market leader
  • 34. With a proven Validated Design portfolio Cyber Threat Defense for Data Center Threat Management with NextGen IPS ASA Clustering with FirePOWER Services Secure Enclave Architecture Cisco Secure Data Center for the Enterprise Solution Portfolio Converged Infrastructure • Compute • Storage • Hypervisor (Flexpod, Vblock, VSPEX) Virtualization Infrastructure Mgmt Access Layer Secure Enclaves Firewall Clustering Intrusion Prevention Real Time Updates Management TrustSec • SXP • Secure Group Tags • Policy Enforcement • SGACLs • FWACLS NextGen IPS in ASA Cluster Defense Center FireSIGHT User Context Application Control URL Filtering Network-Based AMP End Point AMP (Client and Server) Lancope Stealthwatch • FlowCollector • FlowSensor NetFlow NSEL (Network Security Event Logging) ASA Clustering with FirePOWER Services Threat Management with NextGen IPS Cyber Threat Defense for Data Center Cisco Verified Design Cisco Verified Design Cisco Verified Design Cisco Verified Design
  • 35. With Cisco you get… Superior agility, protection and control Service from the #1 ranked data center security vendor Proven design and implementation guidance
  • 36. End-to-End Network Visibility from SP Core to Customer Premise Unmatched Visibility Consistent Control Consistent Policies Across Network, Data Center, and Workloads Complexity Reduction Reduce IT Silos, Respond Faster to New Opportunities & Business Models Detect & Mitigate Advanced Threats across CPE, Cloud, and Network Advanced Threat Protection Cisco’s Differentiated Value
  • 37. Learn more Visit the Secure Data Center Solutions site Visit the Design Zone site Obtain a Capabilities Gap Assessment from Cisco Services to help maximize your Cisco investment

Editor's Notes

  1. Cisco Secure Data Center Solutions Thanks for joining me today. I’m ____, and I’m excited to talk to you about Cisco Secure Data Center Solutions, and how your organization can benefit from it.
  2. As you are probably well aware, it’s getting increasingly difficult to achieve the data center agility that your business requires, due to a number of obstacles. One problem is how time-consuming provisioning can be. Many data center designs provide flexible, business-agile solutions and other services that can be deployed in minutes. However, assigning security policies can take hours or days, thereby undermining the advantages an agile modern data center provides. Another problem is that data flows are more complex than they used to be, with north-south and intra-data-center traffic, as well as traffic flows between different data centers. Many solutions attempt to secure intra-data-center, or east-west, traffic by rerouting it through north-south security. However, this can cripple data center performance and open you up to potential vulnerabilities. At the same time, data volume is increasingly unpredictable. Data traffic flow can be erratic, and most security solutions designed for Internet edge deployments are simply incapable of processing the high-volume data bursts that data centers can produce. In fact, 73 percent of data center administrators believe that current firewall or Intrusion Prevention System technology cannot meet today’s performance requirements. T: With all these increasing demands on the data center… <click>
  3. Security has to be able to accommodate data center-specific needs. But what most organizations have is internet edge security. Internet edge security only sees symmetric data, meaning it only secures data that enters and exits in one predictable way. But in today’s data centers, data is flowing in unpredictable patterns across different architectures. Internet edge security can only handle predictable data volume, but today’s data center security must be able to accommodate the high-volume data bursts. Internet edge security only monitors ingress and egress traffic, but today, 76% of traffic flows laterally in an east-west fashion, never leaving the data center. Internet edge security is not protecting your data once it is inside the data center. Internet edge security typically has to be deployed as a physical appliance, but the data center requires a combined physical and virtual solution for best protection. Finally, internet edge security takes days or weeks to deploy. There isn’t time to wait while your sensitive data is exposed to hackers. T: So you’re having problems achieving agility while maintaining security, AND the security you have isn’t cutting it. You are opening up your company to all sorts of risks. <click>
  4. It’s tempting to intentionally limit security in order to minimize the negative impact it has on data center agility and performance. Sometimes resources are left completely unsecured to avoid the potential performance impacts. Even if this isn’t the case, security policy implementation and enforcement is not automatic. Deployment can take hours or days. For example, Utah State Public Health Department lost 150,000 medical records to hackers because it took them 3 hours to provision security after their data center was deployed. This is a huge window of opportunity for hackers. Another problem is the growing migration of traditional data centers to next-gen data centers, such as Software Defined Network (SDN) or Cisco’s Application Centric Infrastructure (ACI). Old and new data centers existing side-by-side create security silos and inconsistency in the enforcement of policies and rules. In addition, with traditional and next-gen data centers operating side-by-side, administrators often use the security they currently have, which is not designed to meet today’s unique data center requirements. Last but not least, the exponentially growing number of users needing access is now at an all-time high. More users are connected directly to critical data center resources than ever before, creating more potential attack points for hackers. Administrators do not have an easy way to quickly grant and remove access as needed. T: Not only are temptations present to limit security, but… <click>
  5. The reason it’s so important to avoid compromising security is that hackers today are more sophisticated than ever. They are… Well funded: Hackers are part of massive operations working together to infiltrate large data centers. Inventive: They aren’t attacking your data centers in the same way they used to. Insidious: They are patiently waiting for the right time to attack to minimize detection. Many users and IT teams are being lulled into a false sense of security by these hackers, and they have become unwitting parts of the security problem. The results of inadequate security in the face of sophisticated threats are, unsurprisingly, vulnerabilities and breaches: 60% of data is stolen in hours and detection can take weeks or months; 95% of datacenter breaches are tied to misconfigurations, either accidental or purposeful; 100% of companies connect to domains that host malicious files or services. With the threat landscape ever-expanding and more dangerous than ever, leaving your data exposed is not an option. You need security that effectively protects and does so without impacting data center performance or reducing flexibility. T: The good news is, Cisco Secure Data Center solutions are up to that task. <click>
  6. Only Cisco Secure Data Center solutions offer the agility, protection and control you need. They enable data center agility, while delivering integrated protection along with dynamic, intelligent control. T: Let’s dive a little deeper into each of these benefits. <click>
  7. First is unmatched agility. As we mentioned before, we understand your pain. It is hard to achieve the performance that you want without compromising security somewhere along the way. Cisco can help you achieve that agility that you have been searching for without security being a bottleneck. We can help you deploy security and operate consistently across all the various data center designs and environments that you currently have. And the best part is that you will be able to deploy secure services in a matter of hours or even minutes. No more waiting days or weeks for deployment. Next, we’ll increase your resource flexibility. With traffic flows constantly fluctuating and applications running on different machines at different times, you constantly have to move your resources around to accommodate. Cisco Secure Data Center Solution enables the workload mobility you need. You are able to adjust resources along with security policies, without disrupting data center performance. Cisco Secure Data Center solutions will also let you scale dynamically. Firewalls scale up and down as needed based on varying workload demands, so you can apply the right security at the right time. This way your data center is not overloaded and can operate efficiently. This is also where your business can benefit from optimized TCO. T: Let me show you how Cisco delivers on this pillar. <click>
  8. Service chaining provides the capability to define multiple network services in a specific order that network traffic must follow to reach the end application. This may resemble your typical service chaining; however, with Cisco, you control the end-to-end solution from a single unified platform. From a security standpoint, the key benefit is that you can provision security along with your other services. It’s no longer a separate hassle. Cisco’s service chaining can support multiple data center designs, regardless of your implementation. T: In addition to simplified security provisioning, Cisco also provides elastic scaling. <click>
  9. Here you have your physical and virtual data centers with fluctuating data flows. Instead of having static firewalls in a fixed location in the network that is always on, you now have a pool of firewall resources that can be applied anywhere. And the network can spin firewall resources up and down as needed based on the varying workload. And with ACI, the APIC fabric controller can intelligently track the location of your physical and virtual resources, and automatically synchronize state. If an application moves or changes, the controller automatically redirects traffic to a different firewall. T: And that is how you are able to achieve superior performance without cutting any security corners along the way. <click>
  10. The next pillar is integrated protection. Security is woven into your data center so that it protects without slowing you down. So how exactly do you benefit from this purpose-built security? Cisco Secure Data Center Solution secures east-west traffic flows without crippling data center operations. As I mentioned earlier, 76% of data center traffic flows laterally. Without securing this type of traffic flow, threats can enter the data center, roam freely and collect valuable information without any detection for weeks or months at a time. In addition, the Secure Data Center Solution prioritizes high-risk events so you can spend your time addressing the threats that matter most. With your security tightly woven into the data center, you are able to detect threats in real-time. This allows you to get rid of the threats faster and protect all of your custom apps, mission-critical infrastructure and sensitive data. You can also rest assured knowing that all threats are effectively cleaned up and will stay that way. Cisco Secure Data Center learns from past threats and intelligently adapts so you’re better protected in the future. This threat intelligence is shared with other resources in the environment to ensure you’re protected everywhere. T: Cisco’s solutions deliver integrated protection along the entire attack continuum. <click>
  11. The Cisco Secure Data Center Solution goes beyond point-in-time detection to provide protection across the attack continuum. So you are protected before, during and after an attack. Before an attack, you are able to discover the threats and block them from entering your data center. By blocking threats, you are able to enforce policies more strictly and potentially harden them. This is so that these types of threats won’t be able to attack your data center in the future. During an attack, you’ll detect, block and defend against attacks that have already penetrated the network and are in progress. After an attack, you can scope and contain the attack in order to minimize damages and bring the data center operations back to normal. Remediate is the last feature in this attack continuum. Only Cisco offers retroactive scanning. Once a threat is detected with our solution, you can see exactly where the malicious file travelled from the minute it entered the data center to identify which files were affected. This enables you to get smarter and learn how to better block it next time. T: Cisco security solutions are scalable to support even the largest global organizations. Deploy these solutions when and how they’re needed—as physical and virtual appliances or as cloud-based services—gaining continuous visibility and control across the extended network and all attack vectors. <click>
  12. Talos is a big part of our complete security architecture. It includes the largest threat detection network in the world, providing proven, zero-day threat protection to all users wherever they are, while providing four key benefits that competitors cannot match. 1. Talos is a recognized leader in threat detection as validated by NSS Labs, with industry-leading threat research that identified breaches before anyone else (String of Paerls, Stan and Kyle botnets). 2. Get industry-leading threat intelligence tailored to your business through unequaled visibility from an unrivalled amount of processed data. 3. With 600+ highly skilled malware reverse engineers, threat analysts, and zero-day vulnerability research engineers, Talos catches threats traditional security infrastructure and analysis systems can’t. These analysts are conducting threat engine development and detection research on the largest open source intelligence network on the planet for End-Point-, Email-, and Network-based threats. 4. Talos identifies 50,000 network intrusions per day and automatically updates Cisco solutions every 3-5 minutes, meaning your company is always up-to-date and protected by the latest information. Talos provides a 24x7 view into global traffic activity, enabling Cisco to analyze anomalies and uncover new threats. No other company can offer this benefit. T: Talos forms an important component of the Cisco security foundation. Let’s discuss the protection ASA with FirePOWER Services offers before an attack occurs. <Click>
  15. Additionally, you’re going to have things that give you simple one-to-one signature-based matching; you’re going to want to catch the low-hanging fruit quickly so that you don’t have to go hunting for signs of breach or indications of breach. You’re going to be able to catch those things and move forward. But then there are other technologies that play into this space such as multi-fingerprinting, which looks for families of malware, and machine learning, which looks at how files execute and their behavior and detects things like zero-day malware as it enters your environment. And there are other point-in-time technologies that we could spend time discussing, such as advanced analytics and dynamic analysis. But these are all considered point-in-time solutions. They’re going to provide some value at a moment in time, but you need to be looking beyond that moment. All point-in-time detection is less than 100% effective.
  16. Whether the traffic is deemed malicious or harmless, the AMP solution will still track every single thing that comes into the system from a wide array of attack vectors, including the network, the endpoint, virtual, and mobile. Continuous analysis is going to be watching and recording everything it sees. Basically, you can think of it as a video recorder that constantly records and gives you the ability to rewind, fast forward, see where a file has been, where it’s going, and what it’s doing. AMP continuously monitors that information using tools such as file trajectory and behavioral indications of compromise, which give an organization’s IT security team increased contextual awareness and understanding of the health of their systems and can provide complete visibility of an attack from beginning to end.
  17. Purpose: Introduce the product We organize the benefits and features of FP9300 by three values: Modular Carrier-class Multi-service security All performance-related figures are related to the previous speed champion ASA 5500. This provides a list of available and soon-to-be available features. A broader list and timeline is described in the section after the use cases.
  18. Our standard features (basic firewalling, Application Visibility and Control, and VPN capabilities) with URL Filtering and NGIPS all protect before an attack occurs. Basic firewalling controls traffic flow to prevent unauthorized user activity. AVC grants unmatched visibility into the applications used over your network and enables admins to prioritize business-critical traffic. URL Filtering, available as a subscription, blocks specific URLs based on 80+ pre-defined categories. When it comes to VPN, our next-gen firewall is tightly integrated with AnyConnect – the world’s most widely deployed VPN client. If you don’t have AnyConnect, our ASA models include 3rd party VPN support, sparing you from costly migrations. Whether you have multiple office locations, need mobile protection, or already have a VPN client, Cisco enables you to extend ASA protection and control through your VPN. <Click> Next-Gen IPS provides enhanced visibility and control to detect and prevent threats from entering your network. T: And NGIPS continues to protect your environment while an attack is in progress. <Click>
  19. As you can see illustrated here, when you have to send packets through multiple security services, it’s slow. What’s more, today whether you are an SP or a datacenter, staff are spending hours provisioning security services, and it is just not a scalable approach that enables business agility.
  20. So in contrast, we’re offering a unique design that consolidates security services onto a single platform, and unlike past attempts to do this, this is with best-of-breed services.
  21. Going further forward, we’re going to be able to intelligently stitch services together. We do this with metadata tagging so we know how packets have already been analyzed. If security policy does not require re-inspection, then we can intelligently eliminate that redundancy and speed up the network.
  22. When we talk about integration of security services, it’s about taking and tightly integrating best-of-breed services, those from Cisco and third parties. As much as we invest in security, and as much as we have leading threat defense capabilities as acknowledged by third party validation from places like NSS Labs, Cisco is never going to do everything. A great example of this is with DDoS mitigation capability, where today we have Radware DefensePro DDoS mitigation tightly integrated with our security services. Our approach leverages security services that are containerized with a common high performance Cisco platform. Where we’re headed is with security policies that consistently follow workloads across physical, virtualized, and cloud infrastructure. Also, the value proposition here includes much more performant hardware – up to 6X faster (without clustering) than our previous high-end models. With Cisco’s carrier-class agility, you will: preserve reliability and uptime with no single failure point; scale with technology trends through modular compute; secure infrastructure regardless of environment.
  24. So far you’ve learned about how Cisco delivers unmatched agility and integrated protection. The last value pillar we’ll discuss is dynamic control. With this pillar, you are able to save time with an intelligent and consistent way of management. First, you are able to provision security seamlessly. This means that you are finally able to set up both your data center AND security simultaneously. By doing this provision side by side, your data center is secured from the beginning rather than leaving your data center unsecured for hours or even days while valuable data can easily be accessed. This enables you to have better control over your data center and its security from the get go. Cisco Secure Data Center Solution significantly increases the effectiveness of your security by simplifying policy creation and enforcement. So many breaches occur due to misconfigurations; consistency is key. Cisco ensures consistent policy enforcement so data center admins don’t have to. And with ACI it’s automated. You create a security policy template for a given application or traffic flow, then the intelligent fabric executes it dynamically without further intervention. And security management is a lot simpler. Another ACI specific benefit is the ability to manage security from one central controller. The APIC controller enables you to consistently deploy and apply policies across the entire distributed network. T: This next slide shows how Cisco security solutions bridge across all the different environments in your organization and protect each and everyone of them. <click>
  25. Here’s a simplified view of Cisco Trust Sec. Enforcement is set in the switches and routers along with the Secure Group Tagging information. This is forwarded to Cisco UCS Director, which forwards it to the virtual servers for tagging. Different departments in an organization, along with managed and unmanaged devices, can all have different tagging. Those devices that need extra protection can go through the ASA firewall for additional tagging.
  26. Each data center is uniquely complex, and that’s what makes it so hard to consistently apply security across data centers. There’s a traditional data center operating side-by-side with a next-gen one. You have a mixture of physical and virtual devices within, and you have data bursting from your private to public cloud to accommodate increased data flows. And on top of that, the data centers are geographically scattered, making it even harder to deploy security policies consistently at once. You have all of these different components that make up a highly efficient and intelligent data center, but the process of deploying your security policies one by one is definitely causing your data center to be much less efficient and much less intelligent. Cisco data center security solution delivers a dynamic controller that helps you manage all of your data centers centrally while deploying consistent security, and gives back the efficiency and intelligence your data center once had. T: Let me show you how Cisco will simplify your provisioning process. <click>
  27. Before, you had dozens of security policies. Each time a policy changes or an app or firewall moves, security policies have to be provisioned again. Then they have to be manually applied to every single firewall, one by one. It is complex and time consuming, and it definitely opens up a lot of security holes to potential threats. Now, provisioning is easy. And with ACI security, you have a single controller that will provision your security policies and deliver them to each firewall simultaneously. It is automatic, simplified and very efficient. It significantly decreases the inconsistency errors that you would have by provisioning each policy one by one. T: You’ve heard from us about the benefits of our solutions. But what are others saying about Cisco’s data center security? <click>
  28. According to research conducted by Infonetics, decision-makers think very highly of Cisco data center security solutions. For three years running, Infonetics survey respondents have given Cisco the highest ratings among 11 data center security vendors. And this isn’t in just one area - Cisco scores the highest across 10 leadership criteria, which include: technology innovation, security, management, performance, price, financial stability, service and support, product roadmap, product reliability, and solution breadth. T: Now, let’s take a look at what these high ratings are based on – our offerings. <click> Additional information from the Infonetics 2015 survey highlights: “Cisco did very well across the board in respondent data center security solution supplier leadership ratings: its lowest score was higher than any other vendor’s highest score.”
  29. Cisco offers the industry’s most comprehensive security solution. Our solution incorporates a broad set of technologies, features and applications to address customer needs, whether it’s for common use cases or for current engineering system priorities. Each one has been comprehensively tested and documented by Cisco engineers to ensure faster, more reliable and fully predictable deployment. We have four validated design portfolios to help you minimize risk:
  Secure enclave architecture: This solution provides a uniform foundation that can help you protect against threats and compromise while delivering a simplified, standardized and trusted approach for managing shared resources.
  ASA clustering with FirePOWER services: With this CVD you can simplify your operations while enhancing security throughout by connecting key technologies, products and different architectures to bring applications to the data center fabric and network services.
  Threat management with NextGEN IPS: This portfolio provides a comprehensive set of capabilities for a threat management system by examining how attackers approach data centers; it also illustrates how customers can integrate the FirePOWER NextGen IPS platform into their architectures to defend against various cyber threats.
  Cyber threat defense for data center: This comprehensive solution provides guidance for detecting threats that are already in the data center. It helps security operators understand the how, what, when and where of network traffic to identify suspicious and anomalous activities.
  T: At the end of the day, we understand security and we know how to help you diminish risks in your organization through our products. <click>
  30. With Cisco you get...
  Superior agility, protection and control.
  Service from the #1 ranked vendor. No other company can say this.
  A proven design portfolio with extensive implementation guidance.
  T: Cisco can offer you the security solution you’ve been looking for and help you secure everything that is important to your business. <click>
  31. For more information on what Cisco Data Center Security has to offer, please visit the Secure Data Center solutions and the Design Zone sites. Or find out how you can maximize your Cisco investment with our Capabilities Gap Assessment. Thank You
  32. <Presenter guidance: Present the following slides in addition to the Cisco Secure Data Center Solutions BDM deck if your audience is interested in ACI security> Now I’d like to provide a little more context on Cisco Data Center Security solutions combined with Application Centric Infrastructure (ACI) specifically. T: Let’s dive into our first pillar, Unmatched Agility. <click>
  33. With ACI, you can utilize the right resources at the right time automatically through ASA firewall clustering. The central ACI controller, known as the Application Policy Infrastructure Controller, or APIC, can manage up to 16 clustered firewalls as one single device, and supports millions of concurrent connections. Instead of keeping resources always on, the APIC automatically spins firewalls up and down as traffic fluctuates so your data center performance isn’t hindered by security. T: Another way ACI enables agility is through state synchronization. <click>
  34. ACI enables adaptability across physical and virtual firewalls, regardless of location, with state synchronization across the entire distributed network. Automatic state synchronization ensures all devices within the environment carry the same information, even across segments. And devices provide real-time status, so the controller can make intelligent decisions. For example… <click> If a threat is detected, the devices in the affected segment automatically close the feedback loop. The APIC knows to modify segmentation rules and quarantine the affected device during remediation to ensure the threat is contained. The network and security share information, so ACI can adjust the network to adapt to potential threats. T: While resources are adaptable, they are also highly mobile. <click>
  35. ACI uses location-independent stitching to seamlessly integrate physical and virtual appliances, and applies security policies consistently to both physical and virtual workloads. So you can move resources around without worrying about security policies keeping up. If an application moves or changes, the fabric automatically steers traffic to the right firewall. You can also… <click> Reassign a device’s workgroup, and move it to another location. The APIC automatically removes old rules, assigns new ones, and syncs the network. T: Another agility benefit is the ability to choose the level of inspection you want to perform. <click>
  36. ACI security enables you to perform full inspection of all traffic, which is the traditional approach. What’s new with ACI is that you also have the option to choose modular inspection when it makes sense. Modular inspection can increase efficiency and optimize data center performance. Security elements are selected and deployed as a service based on policy, on a per-transaction basis. Consider the following scenario: You have two devices within a highly secure segment that are communicating non-sensitive data. You can still choose to perform a full inspection. No problem. But with ACI security you have another option. The functional separation of ASA and FirePOWER allows for modular inspection and enforcement, meaning data only receives the level of inspection you choose. So, in this particular scenario, you can choose to only apply firewall inspection. That means you’ve set a policy that says services like encryption, IPS, and Advanced Malware Protection aren’t necessary. T: As you can see, ACI security further increases the agility you get with Cisco’s Data Center Security. Now let’s take a look at the protection benefits. <click>
  37. The ACI policy model provides flexible segmentation options within the data center, so you can choose how to segment based on business or application requirements. And segmentation is enforced via EPGs and contracts that map to a specific application tier. This makes management much easier, as it removes the headache of having to deal with millions of leftover ACLs that are kept because administrators are unsure of the impact of removing them. ACI allows for security policies down to the individual tenant, application or workload. So you can logically separate groups and restrict access to the right people. Communication between segments is permitted only where explicitly allowed, ensuring policy omissions do not leave security vulnerabilities. In the past, access was always open because you weren’t able to separate users in this way – but now you can segment users based on who needs access to what, and when. Did you know that over half of data center breaches are caused by hackers moving laterally within the data center? Micro-segmentation will provide the enhanced security you need to protect that intra-data center east-west traffic. Data center micro-segmentation supports both physical and virtual workloads, interoperates seamlessly with bare metal servers, multiple hypervisors, L4-7 security services, and supports tight integration between logical and physical network for provisioning and troubleshooting. And if you do have a breach, segmentation will ensure the threat is contained to a small area of the network. T: Segmentation is controlled through the APIC, which has many built-in security features of its own. <click>
  38. Security is more important than ever when it comes to a single management platform. This is why Cisco has gone to great lengths to ensure the APIC itself has specialized security built in. The APIC is hardened based on security audit tests by Cisco’s internal security teams, as well as third-party validated for Payment Card Industry, or PCI, compliance. Its GUI is audited against Open Web Application Security Project, or OWASP, guidelines, and includes cross-site request forgery defenses. The APIC appliance is configured with secure default settings. HTTP and Telnet are disabled by default. And, because it’s segmented separately from the rest of the Data Center, the APIC has its own secure communication channel. You can also customize the default security settings - for example, you can install your own signed SSL certificates, which prevents what is known as the “man in the middle” attack. API services are secured, and all daemons run as non-root, low-privileged users. The APIC provides secure access via role-based access control and certificate-based authentication. It’s designed with tiered management access, making it a very difficult process to hack into the administrative level, so only the right people have access. Plus, there are alarms set up along the way to notify admins if an unauthorized user is trying to gain access. The APIC can also provide detailed audit logs of all changes made with the APIC - who, what, and when. T: Now let’s move onto dynamic control benefits. <click>
  39. ACI lets you demonstrate compliance more effectively and easily through granular visibility into network operations – a level of awareness that’s never existed before. Without ACI, demonstrating compliance is a cumbersome, manual process. With ACI, the detailed audit is at your fingertips. You can quickly answer who has accessed what, when and where. Cisco understands that you need to continuously assess and verify compliance, so we’ve made it easier than ever. T: In addition to simplified auditing, ACI enables consistent and automatic security management from one central location. <click>
  40. This is done with a pervasive, policy-driven approach. ACI ties security policies to the resource lifecycle. The resource could be anything: a physical or virtual device, an application, or workflow. This means mobility is no longer an issue at any point in the resource’s security lifecycle. ACI has flipped the OSI model upside-down so you only have to worry about policies, applications, and end-users. ACI lets you provision security at the same time as other resources. It continuously monitors and enforces policy automatically, and keeps track as workloads move. When a resource is decommissioned, the APIC cleans up policies and rules, storing dormant ones for future use. Here’s an example of why this is so important – a few years ago, the Utah Department of Health had a massive data breach that occurred while they were adding servers to their server farm. While they were spending 3 hours provisioning security, 150K medical records were stolen. This would not have happened if they were able to provision security along with the servers. With ACI, you can also maximize your investment value and increase your options with an open framework that enables integration with a broad ecosystem of partners. So you don’t have to spend more money upgrading the devices you already have in place. T: ACI’s open APIs also help you accelerate threat detection and response. <click>
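The policy model described on slides 35, 37, 39 and 40 (endpoint groups and contracts, communication permitted only where explicitly allowed, workload moves picking up new rules, dormant rules kept after decommissioning, and an audit trail of who reached what) can be illustrated with a small default-deny policy engine. The code below is an added example written for this transcript; it is not Cisco code and does not use the real APIC object model or REST API. All names (Fabric, Contract, Filter, the web/app/db EPGs and endpoints) are constructed for the demonstration, and the assumption that traffic inside one EPG is permitted is a modelling choice labelled in the code.

```python
"""Toy allow-list segmentation engine (constructed example, not the APIC API).

Endpoints belong to endpoint groups (EPGs). A contract lets a consumer EPG
open specific flows towards a provider EPG. Anything without a matching
contract is denied, so a policy omission fails closed instead of open.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Filter:
    """One permitted flow inside a contract: protocol plus destination port.
    dport=None means any destination port for that protocol."""
    proto: str
    dport: Optional[int] = None

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto == proto and (self.dport is None or self.dport == dport)


@dataclass(frozen=True)
class Contract:
    """Consumer EPG may open the listed flows towards the provider EPG."""
    name: str
    consumer: str
    provider: str
    filters: tuple


class Fabric:
    """Hypothetical policy engine: explicit contracts, everything else denied."""

    def __init__(self) -> None:
        self.epg_of: dict[str, str] = {}          # endpoint -> EPG name
        self.contracts: dict[str, Contract] = {}  # active contracts by name
        self.dormant: dict[str, Contract] = {}    # contracts parked on decommission
        self.audit: list[tuple] = []              # who/what/when style records

    def add_endpoint(self, ep: str, epg: str) -> None:
        self.epg_of[ep] = epg
        self.audit.append(("attach", ep, epg))

    def add_contract(self, c: Contract) -> None:
        self.contracts[c.name] = c
        self.audit.append(("contract", c.name, c.consumer, c.provider))

    def move_endpoint(self, ep: str, new_epg: str) -> None:
        """Reassign a workload; old EPG rules stop applying, new ones apply."""
        old = self.epg_of[ep]
        self.epg_of[ep] = new_epg
        self.audit.append(("move", ep, old, new_epg))

    def decommission_epg(self, epg: str) -> list[str]:
        """Remove the EPG's endpoints and park contracts that reference it."""
        for ep in [e for e, g in self.epg_of.items() if g == epg]:
            del self.epg_of[ep]
        parked = [n for n, c in self.contracts.items() if epg in (c.consumer, c.provider)]
        for n in parked:
            self.dormant[n] = self.contracts.pop(n)
        self.audit.append(("decommission", epg, tuple(parked)))
        return parked

    def is_allowed(self, src: str, dst: str, proto: str, dport: int) -> tuple[bool, str]:
        """Default deny: permit only via a contract whose filter matches the flow."""
        src_epg = self.epg_of.get(src)
        dst_epg = self.epg_of.get(dst)
        if src_epg is None or dst_epg is None:
            verdict = (False, "unknown endpoint")
        elif src_epg == dst_epg:
            verdict = (True, "intra-EPG")  # modelling assumption: same-EPG traffic permitted
        else:
            verdict = (False, "no contract")
            for c in self.contracts.values():
                if c.consumer == src_epg and c.provider == dst_epg:
                    if any(f.matches(proto, dport) for f in c.filters):
                        verdict = (True, f"contract {c.name}")
                        break
                    verdict = (False, f"contract {c.name}: filter mismatch")
        self.audit.append(("flow", src, dst, proto, dport, verdict[0]))
        return verdict


def build_demo_fabric() -> Fabric:
    """Constructed three-tier sample: web -> app -> db, and nothing else."""
    fab = Fabric()
    for ep, epg in [("web1", "web"), ("app1", "app"), ("db1", "db")]:
        fab.add_endpoint(ep, epg)
    fab.add_contract(Contract("web-to-app", "web", "app", (Filter("tcp", 8080),)))
    fab.add_contract(Contract("app-to-db", "app", "db", (Filter("tcp", 5432),)))
    return fab


if __name__ == "__main__":
    fab = build_demo_fabric()
    print(fab.is_allowed("web1", "app1", "tcp", 8080))  # (True, 'contract web-to-app')
    print(fab.is_allowed("web1", "db1", "tcp", 5432))   # (False, 'no contract'): lateral hop blocked
    fab.move_endpoint("app1", "quarantine")
    print(fab.is_allowed("app1", "db1", "tcp", 5432))   # (False, 'no contract') after the move
    print(fab.decommission_epg("db"))                   # ['app-to-db'] parked as dormant
```

The point the example makes is the direction of the default: a web endpoint that has a contract to the app tier still cannot reach the database tier directly, because no contract says so, and quarantining a workload by moving it to an EPG with no contracts cuts it off without anyone editing firewall rules. The audit list is a stand-in for the change and flow records the slides describe; a real deployment would export those to a log pipeline rather than keep them in memory.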
  41. The information you need to identify and remediate threats is at your fingertips with the APIC and Advanced Malware Protection dashboards. These dashboards provide transparency into the network fabric, and in-depth forensic capabilities. The AMP dashboard allows you to see every device, OS, and app in one view. The APIC dashboard delivers deep visibility provided by a rich set of telemetry data from the network fabric so you can drill down and answer the important questions – How did the threat get in? What other devices have it? How long has it been there? How do I get rid of it? Often with data center breaches, information about the threat has existed in the log files for months. The AMP and APIC dashboards automatically differentiate and surface the most dangerous threats so you don’t miss crucial information – it flags what you need to focus on. And if your data center does have a security breach, file reputation and retrospection capabilities allow you to turn back the clock so you can see exactly how malicious files have moved across the environment and understand the full extent of an infection. T: To summarize, ACI security further enhances the agility, protection, and control benefits you get with Cisco’s Secure Data Center Solution. With Cisco security, you can rest assured that your next-gen data center is protected. Thank you for your time. I’d be happy to answer any questions.
  42. Additionally, you’re going to have things that give you simple one-to-one signature-based matching; you’re going to want to catch the low-hanging fruit quickly so that you don’t have to go hunting for signs of breach or indications of breach. You’re going to be able to catch those things and move forward. But then there are other technologies that play into this space, such as multi-fingerprinting, which looks for families of malware, and machine learning, which looks at how files execute and their behavior and detects things like zero-day malware as it enters your environment. And there are other point-in-time technologies that we could spend time discussing, such as advanced analytics and dynamic analysis. But these are all considered point-in-time solutions. They’re going to provide some value at a moment in time, but you need to be looking beyond that moment. All point-in-time detection is less than 100% effective.