conquer the cloud | part 3 - enforcing pervasive cloud security


DESCRIPTION

Conquer the Cloud - Webcast Series Experts Provide Best Practices on How to Accelerate Your Organization’s Journey to the Cloud © 2012 Cisco and/or its affiliates. All rights reserved.

TRANSCRIPT

Page 1: Conquer the Cloud | Part 3 - Enforcing Pervasive Cloud Security

© 2012 Cisco and/or its affiliates. All rights reserved.

Conquer the Cloud, Part 3: Enforcing Pervasive Cloud Security

Presenter: Ray Wong, Sr. Technical Engineer, Cisco

Host: Hugo Vliegen, Director of Technical Marketing, Cisco

November 1, 2012, 8 a.m. Pacific Time

Page 2

FIVE-PART WEBCAST SERIES

• On-demand: The Cloud and Your Network—Is There a Gap?

• On-demand: Optimizing App Performance from Branch to Cloud

• November 1: How to Enforce Pervasive Security

• November 15: Extending Virtualization to the Branch

• December 11: Designing Next-Generation, Cloud-Ready WAN

Experts Provide Best Practices on How to Accelerate Your Organization’s Journey to the Cloud

Page 3

• New security challenges of cloud computing

• Security elements for building a cloud-intelligent network

• How to securely connect remote sites to an infrastructure-as-a-service (IaaS) cloud

• Strategies for enforcing consistent policies to protect against web-based threats

• Next steps for securing your connection to the cloud

Page 4

Conquer the Cloud: Part 3: Enforcing Pervasive Cloud Security

Ray Wong, Senior Technical Engineer, Routing Services

Hugo Vliegen, Director of Technical Marketing, Routing Services

Page 5

Conquer the Cloud: Part 3: Enforcing Pervasive Cloud Security

Ray Wong, Senior Technical Engineer, Routing Services

Narayan Subbarao, Senior Technical Engineering Manager, Routing Services

Hugo Vliegen, Director of Technical Marketing, Routing Services

Security is the primary reason your company has not been able to embrace cloud computing.

A. Strongly Agree

B. Agree

C. Neutral

D. Disagree

E. Strongly Disagree

Page 6

Survey chart: Consider Cloud Ready WAN to Be the Most Critical Infrastructure; followed by Performance, Security and Policy, Management, Cloud Provider SLA, Virtualized DC (percentages shown on the slide: 66%, 60%, 60%, 37%)

Source: Cisco Cloud Networking Survey: 1300+ global IT professionals across 13 countries, April 2012

Page 7

Figure: new security challenges of cloud computing, grouped as Vulnerability, Architecture Limitations, and Scaling:

• Connecting multiple users and multiple devices to multiple clouds

• Shared infrastructure can compromise IT control points

• Yesterday's hub-and-spoke model creates choke points in the network

Page 8

Any-to-Any Secure Connectivity

• FlexVPN: Converged VPN at scale across branch, mobile user, and cloud

• GETVPN: Encrypted MPLS WAN for added privacy

• Next-generation encryption: Suite-B crypto with hardware acceleration

Integrated Threat Defense

• Network integrated firewall: Up to 100 Gbps stateful inspection for IPv4/v6

• TrustSec with ISE: End-to-end user-aware access and policy control

• PCI 2.0 Compliance: Single box solution including simplified IPS

Branch to Cloud Security

• CSR: Any-to-any enterprise VPN to connect users to external clouds

• Cloud Web Security (ScanSafe) Connector: Secure, direct access to cloud apps over Internet

Figure labels: Cloud Web Security (ScanSafe); 100G FW; Private/Public/Hybrid; Traditional DC; Branch/User; FW, IPS; ISR G2; TrustSec; Private WAN/Internet; GET, FlexVPN, NGE; ASR 1000; CSR

Page 9

Any to Any Connectivity

Page 10

• Launched at Cisco Live 2012, San Diego, June 2012

• IPv4 connectivity for Hub/Spoke and Spoke to Spoke

• IPv4 connectivity for Cisco AnyConnect Client and Win 7 Client

• 3rd Party VPN device compatibility based on IKEv2

Delivered by 3.7S/15.2(4)M

Figure labels: Corporate LAN, 3rd Party Routers, Cisco Routers

Page 11

Unified Overlay VPNs

| VPN type | Interop | Dynamic Routing | IPsec Routing | Spoke-spoke direct (shortcut) | Remote Access | Simple Failover | Source Failover | Config push | Per-peer config | Per-Peer QoS | Full AAA Management |
| Easy VPN | No | No | Yes | No | Yes | Yes | No | Yes | Yes | Yes | Yes |
| DMVPN | No | Yes | No | Yes | No | partial | No | No | No | group | No |
| Crypto Map | Yes | No | Yes | No | Yes | poor | No | No | No | No | No |
| FlexVPN | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

One VPN to Learn and Deploy. Everything Works—No Questions Asked

Page 12

Problem Statement

• Connecting Enterprise securely to the Cloud

• Converging Site-Site and Remote Access in one solution

Solution Overview

• Based on latest IKEv2 standards

• Centralized VPN Policy Management via AAA server

• Better performance and scaling with IKEv2

• Per-Tunnel HQoS Support

• 3rd party end-point compatibility (using IKEv2)

Solution Characteristics: Scalability

• Up to 30G of hardware accelerated encryption—AES

• Up to 4000 FlexVPN Remote connections

• Further scale increase by Server Clustering (3.8S, Nov 2012)

Figure: FlexVPN topology. Labels: Dual-Stack Clients, Datacenter CSR1000v, Remote Access Users, Secure Access, Branch Office ISR G2, FlexVPN, 3rd Party VPN Router, Site-to-Site, Dual-stack Clients, Internet, Corporate Applications, ASR1K, HQ, SaaS/IaaS Provider, FlexVPN Cloud Connector

Page 13

Problem Statement

• Secure Enterprise WAN connectivity over Public Internet

• Difficulty in deploying and managing large scale installation

Solution Overview

• Reduced CapEx and OpEx

• Simplified branch to branch communications

• Dynamic Multipoint VPN allows connectivity over public internet

• Simplified Deployment

• Enables Hub-Spoke and Spoke-Spoke connectivity

Solution Characteristics: Scalability

• Up to 30G of hardware accelerated encryption—AES

• Up to 4000 DMVPN/BGP or EIGRP Adjacencies

Figure: DMVPN topology. Labels: Dual-stack Clients, Datacenter CSR1000v, IPv4 Clients, Secure Access, Branch Office ISR G2, Cloud Connector, DVPN, Site-to-Site, Internet, Corporate Applications, ASR1K, HQ, SaaS/IaaS Provider, DVPN Cloud Connector, Branch Office ISR G2, IPv6 Clients

Page 14

Problem Statement

• Fully-meshed large-scale connectivity

• Secure access over MPLS backbone

Solution Overview

• Most scalable site to site secure access solution

• Group based encryption

• Centralized Key Management

• Tunnelless—no overlay routing

• Native multicast support

• VRF support

Solution Characteristics: Scalability

• 4000 Group members per key server

• Up to 30G of hardware accelerated encryption

Figure: GETVPN topology. Labels: Dual-stack Clients, Datacenter CSR1000v, IPv4 Clients, Secure Access, Branch Office ISR G2, Cloud Connector, GETVPN GM, Site-to-Site, L2/L3 Access/MPLS, Corporate Applications, ASR1K, HQ, SaaS/IaaS Provider, GETVPN GM Cloud Connector, Branch Office ISR G2, IPv6 Clients

Page 15

DMVPN: Public Internet Transport; Hub-Spoke, Spoke-Spoke

• Large Scale Hub-Spoke with dynamic spoke-to-spoke

• Proven Technology and widely deployed worldwide

• Scale up to 4000 Sites

FlexVPN: Converged Site to Site and Remote Access

• Flexible for site-to-site and remote-access VPNs

• Centralized Policy Management with AAA

• Latest IKEv2 Protocol

• 3rd Party Compatible

• Scale up to 10,000 Sites (currently 4000)

GETVPN: Private IP Transport; Any-to-Any Connectivity

• Most scalable site-to-site solution

• Tunnelless Any-to-Any Encryption

• Solution Integration with TrustSec and LISP

• Native Multicast Support

• 24,000 Group Members per Key Server (currently 4000)

Page 16

Do you route all your cloud traffic through the data center?

A. Yes

B. No

Page 17

Branch to Cloud Security

Page 18

Centralized Policy and Granular Reporting

User Granularity

• Integration with existing network infrastructure (e.g. routers, firewalls)

• Integration with Directory Services

• Numerous deployment options

Policy Control

• Web 2.0 content control

• Bi-directional content control

• Dynamic Web Classification

• HTTP/HTTPS scanning

• SearchAhead

• Outbreak Intelligence

Security

• Billions of Web requests every day

• Real-time content analysis of all Web content

• Effective zero-day threat protection

ScanSafe offers consistent, enforceable, high performance web security and policy, regardless of where or how users access the Internet

Reporting

• Flexible reporting with over 75 attributes

• Deep, drill down visibility

• Overview, trending and forensic data

Figure labels: Web, Mobile, Roaming User, Office Base User, Administrator, AnyConnect

Page 19

Secure Split Tunneling

Enterprise branch offices using split tunneling interfacing directly to Internet

• Available in Cisco IOS® Software (SEC) licenses in Cisco IOS Software Release 15.2(4)M1

• Supports redirection of HTTP and HTTPS traffic.

• ISR Connector works independently with or without Cisco IOS Software security services such as Cisco IOS Firewall, IPS, and VPN.

Figure labels: Cisco IOS® IPS, Cisco IOS® ZBFW, Cisco® ISR G2 with ScanSafe, POS, Local LAN, Wired Security Zone, Guest Users, Wireless Security Zone, IPsec VPN, Internet, Head Office

Page 20

Key Highlights of Topology

• ScanSafe enabled at branch ISR G2

• Direct Internet access from the branch; split tunneling enabled

• 2 options for Active Directory (AD) server deployment:

  - Deployed at the headquarters—Authentication requests go to head end AD server

  - Deployed at branch—Authentication requests go to local AD server at branch

• After successful authentication, ScanSafe Connector on ISR G2 requests the http/https session and passes user info to the ScanSafe tower

Figure labels: Internet, Branch, Blocked Content, AD Server (can also be located at Branch), Client PC, Cisco ISR G2 with ScanSafe Connector, Approved Content, Corporate HQ

Page 21

Key Highlights of Topology

• ScanSafe enabled at head end ISR G2

• No direct Internet access from branch

• All traffic from the branch goes over VPN tunnel terminating at the head end

• Branch traffic must travel to headquarters first before back-hauling to the Internet

• AD typically deployed at headquarters but can also be deployed at the branch

• After successful authentication, ScanSafe Connector on ISR G2 requests the http/https session and passes user info to the ScanSafe tower

Figure labels: Internet, Branch, Blocked Content, AD Server, Client PC, Approved Content, Corporate HQ, Cisco ISR G2 with ScanSafe Connector, VPN Tunnel

Page 22

Supported users with ScanSafe ISR G2 Connector

• The scalability of the ISR Web Security with ScanSafe is a collective function of user behavior, authentication methods, features on ISR G2, and throughput requirements

• ISR G2 integrated ScanSafe connector positioned for branch/regional offices

Supported user count by platform:

| Authentication method | 3945E | 3945 | 3925E | 3925 | 2951 | 2911 | 2901 | 1941 | 1921 | 891 |
| NTLM Authentication | 1200 | 1200 | 1200 | 900 | 600 | 500 | 350 | 350 | 300 | 120 |
| HTTP Basic Authentication | 1200 | 1200 | 1200 | 900 | 600 | 500 | 350 | 350 | 300 | 120 |
| Web Proxy Authentication | 1200 | 1200 | 1200 | 900 | 600 | 500 | 350 | 350 | 300 | 120 |
| No Authentication | 5000 | 1200 | 5000 | 900 | 600 | 500 | 350 | 350 | 300 | 120 |

Page 23

Lack of Consistency Creates Barriers to Adoption

Security Risks

• Inconsistent VPN policies

• Limited connection reliability

• Error-prone topology changes

Integration Issues

• Incompatible IP addressing

• Incomplete network services

• Different management tools

User Experience

• Indirect traffic path through DC

• Few WAN optimization options

• Inability to prioritize traffic

Figure labels: Public Cloud (VCP/vDC, VCP/vDC), WAN, Data Center ASR, Branch ISR (three branches)

Page 24

Extending Enterprise WAN to External Clouds

Secure Connectivity

• Globally uniform VPN policies

• Scalable and reliable VPNs

• Automatic topology updates

Network Consistency

• Datacenter to Cloud IP mobility

• Full range of network services

• Familiar management tools

Traffic Control

• Shortest path from any location

• Interception and redirection

• Classification and prioritization

Figure labels: Public Cloud (VCP/vDC, VCP/vDC), WAN, Data Center ASR, Branch ISR (three branches)

Page 25

Cisco IOS Software in Virtual Form-factor

Cisco IOS XE Cloud Edition

• Selected feature set of Cisco IOS XE

• Virtual Route Processor (RP)

• Virtual Forwarding Processor (FP)

Virtual Private Cloud/Data Center Gateway

• Optimized for single tenant use cases

Agnostic to Other Infrastructure Elements

• Hypervisor agnostic

• Virtual switch agnostic

• Server agnostic

Figure labels: CSR 1000v (RP, FP), Virtual Switch, VPC/vDC, OS/App, OS/App, Hypervisor, Server

Page 26

Scalable, Dynamic, and Consistent Connectivity to External Cloud

Challenges

• Inconsistent security

• High network latency

• Limited scalability

Solution

• IPSec VPN, DMVPN, EZVPN, FlexVPN

• Routing and addressing

• Firewall, ACLs, AAA

Benefits

• Direct, secure access

• Scalable, reliable VPN

• Operational simplicity

Figure labels: Enterprise (Branch ISR, Branch ISR, DC ASR), Cloud Provider Data Center (VPC/vDC with CSR 1000v, WAN Router, Distribution and ToR Switches, Servers), Internet, Public WAN, VPN tunnel, Private address space

Page 27

Comprehensive Networking Services Gateway in External Cloud

Challenges

• Response time of apps

• Application prioritization

• Connectivity resiliency

Solution

• AppNav for WAAS

• QoS prioritization

• HSRP VPN resiliency

Benefits

• Rich portfolio of network features and services

• Single point of control

Figure labels: Enterprise (Branch ISR, Branch ISR, DC ASR, WAAS), Cloud Provider Data Center (VPC/vDC with CSR 1000v, HSRP, vWAAS, WAN Router, Distribution and ToR Switches, Servers), WAN, Optimized TCP connection

Page 28

Reducing Barriers to IaaS Adoption in External Cloud

Secure Connectivity

• Reduce security vulnerabilities with uniform VPN access policy

• Eliminate operational overhead with dynamic VPN scalability

• Facilitate network evolution with dynamic routing protocols

Network Consistency

• Remove integration barriers with uniform network services

• Prevent connectivity issues with holistic WAN architecture

• Extend operational practices into cloud with familiar IOS

Traffic Control

• Improve user experience with WAN optimization and QoS

• Increase service availability with granular resiliency control

• Minimize risk of threats with granular inspection policies

Figure labels: VPC/vDC, WAN, ISR, ASR, CSR, IOS (on each of ISR, ASR, CSR)

Page 29

Page 30

Enforce Unified Policy with TrustSec

Implement Application-Level Security to the Cloud

Scale VPN Access Using FlexVPN

Eliminate Backhauling and Extend Your Network to Cloud with CSR 1000V

Protect Branches with Cloud Web Security (ScanSafe) Connector

Page 31

CONQUER THE CLOUD WEBCAST SERIES

• November 15: Extending Virtualization to the Branch

• December 11: Designing Next-Generation, Cloud-Ready WAN

Page 32

Thank You