conquer the cloud | part 3 - enforcing pervasive cloud security
DESCRIPTION
Conquer the Cloud - Webcast Series: Experts Provide Best Practices on How to Accelerate Your Organization's Journey to the Cloud
© 2012 Cisco and/or its affiliates. All rights reserved.
TRANSCRIPT
Conquer the Cloud, Part 3: Enforcing Pervasive Cloud Security
Presenter: Ray Wong, Sr. Technical Engineer, Cisco
Host: Hugo Vliegen, Director of Technical Marketing, Cisco
November 1, 2012, 8 a.m. Pacific Time
FIVE-PART WEBCAST SERIES
• On-demand: The Cloud and Your Network—Is There a Gap?
• On-demand: Optimizing App Performance from Branch to Cloud
• November 1: How to Enforce Pervasive Security
• November 15: Extending Virtualization to the Branch
• December 11: Designing Next-Generation, Cloud-Ready WAN
Experts Provide Best Practices on How to Accelerate Your Organization’s Journey to the Cloud
Agenda
• New security challenges of cloud computing
• Security elements for building a cloud-intelligent network
• How to securely connect remote sites to an infrastructure-as-a-service (IaaS) cloud
• Strategies for enforcing consistent policies to protect against web-based threats
• Next steps for securing your connection to the cloud
Conquer the Cloud: Part 3: Enforcing Pervasive Cloud Security
Ray Wong, Senior Technical Engineer, Routing Services
Narayan Subbarao, Senior Technical Engineering Manager, Routing Services
Hugo Vliegen, Director of Technical Marketing, Routing Services
Security is the primary reason your company has not been able to embrace cloud computing.
A. Strongly Agree
B. Agree
C. Neutral
D. Disagree
E. Strongly Disagree
Top Concerns About Cloud Networking (% of respondents)
• Security and Policy: 66%
• Performance: 60%
• Management: 60%
• Followed by: Cloud Provider SLA, Virtualized DC
37% consider a cloud-ready WAN to be the most critical infrastructure.
Source: Cisco Cloud Networking Survey: 1300+ global IT professionals across 13 countries, April 2012
New Security Challenges of Cloud Computing
• Vulnerability: shared infrastructure can compromise IT control points
• Architecture limitations: yesterday's hub-and-spoke model creates choke points in the network
• Scaling: connecting multiple users on multiple devices to multiple clouds
Security Elements for a Cloud-Intelligent Network

Any-to-Any Secure Connectivity
• FlexVPN: Converged VPN at scale across branch, mobile user, and cloud
• GETVPN: Encrypted MPLS WAN for added privacy
• Next-generation encryption: Suite-B crypto with hardware acceleration

Integrated Threat Defense
• Network integrated firewall: Up to 100 Gbps stateful inspection for IPv4/v6
• TrustSec with ISE: End-to-end user-aware access and policy control
• PCI 2.0 Compliance: Single box solution including simplified IPS

Branch to Cloud Security
• CSR: Any-to-any enterprise VPN to connect users to external clouds
• Cloud Web Security (ScanSafe) Connector: Secure, direct access to cloud apps over Internet

Diagram: Branch/User (ISR G2 with FW, IPS and TrustSec) connected over Private WAN/Internet (GET VPN, FlexVPN, NGE) to the Traditional DC (ASR 1000 with 100G FW) and to Private/Public/Hybrid cloud (CSR, Cloud Web Security (ScanSafe)).

Any to Any Connectivity
FlexVPN
• Launched at Cisco Live 2012, San Diego, June 2012
• IPv4 connectivity for Hub/Spoke and Spoke to Spoke
• IPv4 connectivity for Cisco AnyConnect Client and Win 7 Client
• 3rd Party VPN device compatibility based on IKEv2
• Delivered by IOS XE 3.7S / IOS 15.2(4)M
Diagram: Corporate LAN reached by both Cisco routers and 3rd-party routers.
Unified Overlay VPNs

Feature                         Easy VPN   DMVPN     Crypto Map   FlexVPN
Interop                         No         No        Yes          Yes
Dynamic Routing                 No         Yes       No           Yes
IPsec Routing                   Yes        No        Yes          Yes
Spoke-spoke direct (shortcut)   No         Yes       No           Yes
Remote Access                   Yes        No        Yes          Yes
Simple Failover                 Yes        partial   poor         Yes
Source Failover                 No         No        No           Yes
Config push                     Yes        No        No           Yes
Per-peer config                 Yes        No        No           Yes
Per-Peer QoS                    Yes        group     No           Yes
Full AAA Management             Yes        No        No           Yes

One VPN to Learn and Deploy: Everything Works, No Questions Asked
FlexVPN: Converged Site-to-Site and Remote Access

Problem Statement
• Connecting Enterprise securely to the Cloud
• Converging Site-Site and Remote Access in one solution

Solution Overview
• Based on latest IKEv2 standards
• Centralized VPN Policy Management via AAA server

Solution Characteristics
• Better performance and scaling with IKEv2
• Per-Tunnel HQoS Support
• 3rd party end-point compatibility (using IKEv2)

Scalability
• Up to 30G of hardware accelerated encryption (AES)
• Up to 4000 FlexVPN Remote connections
• Further scale increase by Server Clustering (3.8S, Nov 2012)

Diagram: HQ ASR1K (Corporate Applications) with FlexVPN over the Internet to a Branch Office ISR G2 (site-to-site, dual-stack clients), a 3rd-party VPN router, Remote Access users (secure access, dual-stack clients), and a CSR1000v Cloud Connector in the SaaS/IaaS provider's datacenter.
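The slide above lists what FlexVPN is built on (IKEv2, AAA-driven policy, a single hub template for many spokes) without showing what that looks like on a router. The hub/spoke configuration below is an added example written for this page; it is not from the deck or from Cisco's documentation. Addresses (203.0.113.0/24 WAN, 10.255.0.0/24 tunnel pool, 10.1.1.0/24 branch LAN), interface names and the example.com identities are assumptions, and the pre-shared key is a placeholder. The proposal uses AES-256, SHA-256 and Diffie-Hellman group 19 (the 256-bit elliptic-curve group) to line up with the deck's Suite-B / next-generation encryption bullet.

```cisco
! ==== Hub: HQ ASR 1000, Internet-facing GigabitEthernet0/0/0 = 203.0.113.1 (assumed) ====
aaa new-model
aaa authorization network FLEX-AUTHOR local
!
! Policy the hub hands to every spoke in the IKEv2 configuration exchange:
! a tunnel address from the pool, and "route set interface" so each side
! installs a route to the other's tunnel address without a routing protocol.
crypto ikev2 authorization policy FLEX-SPOKES
 pool FLEX-POOL
 route set interface
!
! Next-generation encryption: AES-256, HMAC-SHA-256 and the Suite-B
! 256-bit elliptic-curve group (group 19) for the IKEv2 key exchange.
crypto ikev2 proposal FLEX-PROP
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 policy FLEX-POL
 proposal FLEX-PROP
!
! Pre-shared keys keep the example short. The wildcard peer means any
! device holding this key can join, so hubs in production should use
! per-peer keys or PKI (authentication remote rsa-sig / ecdsa-sig).
crypto ikev2 keyring FLEX-KEYS
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-LONG-RANDOM-SECRET
!
crypto ikev2 profile FLEX-PROFILE
 match identity remote fqdn domain example.com
 identity local fqdn hub.example.com
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
 aaa authorization group psk list FLEX-AUTHOR FLEX-SPOKES
 virtual-template 1
!
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-PROFILE
!
ip local pool FLEX-POOL 10.255.0.1 10.255.0.253
interface Loopback0
 ip address 10.255.0.254 255.255.255.255
!
! One Virtual-Access interface is cloned from this template per spoke,
! so adding a site needs no per-spoke configuration on the hub.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! ==== Spoke: branch ISR G2, LAN 10.1.1.0/24 (assumed), Internet on GigabitEthernet0/0 ====
! Same ikev2 proposal/policy, transform-set and ipsec profile as the hub (not repeated).
aaa new-model
aaa authorization network FLEX-AUTHOR local
!
! "route set access-list" advertises the branch LAN to the hub inside IKEv2,
! so the hub learns 10.1.1.0/24 with no routing protocol across the tunnel.
ip access-list standard FLEX-LAN
 permit 10.1.1.0 0.0.0.255
crypto ikev2 authorization policy default
 route set interface
 route set access-list FLEX-LAN
!
crypto ikev2 keyring FLEX-KEYS
 peer HUB
  address 203.0.113.1
  pre-shared-key REPLACE-WITH-LONG-RANDOM-SECRET
!
crypto ikev2 profile FLEX-PROFILE
 match identity remote fqdn hub.example.com
 identity local fqdn spoke1.example.com
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
 aaa authorization group psk list FLEX-AUTHOR default
!
interface Tunnel0
 ip address negotiated
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
```

Once the spoke's Tunnel0 comes up, `show crypto ikev2 sa` on either side should show the SA with the negotiated proposal, and `show ip route` on the hub should show 10.1.1.0/24 as a static route out of the Virtual-Access interface cloned for that spoke; if the route is missing, the authorization policy was not applied, which usually means the `aaa authorization group psk list` line or the `aaa authorization network` list name does not match. The point that matters for the deck's "centralized policy" claim is that nothing spoke-specific lives on the hub: the authorization policy (and, with a RADIUS server in place of `local`, per-spoke attributes) is what carries the policy to each peer.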
DMVPN: Secure Enterprise WAN over the Public Internet

Problem Statement
• Secure Enterprise WAN connectivity over Public Internet
• Difficulty in deploying and managing large scale installation

Solution Overview
• Dynamic Multipoint VPN allows connectivity over public internet
• Simplified Deployment
• Enables Hub-Spoke and Spoke-Spoke connectivity

Solution Characteristics
• Reduced CapEx and OpEx
• Simplified branch to branch communications

Scalability
• Up to 30G of hardware accelerated encryption (AES)
• Up to 4000 DMVPN/BGP or EIGRP Adjacencies

Diagram: HQ ASR1K (Corporate Applications) with DMVPN over the Internet to Branch Office ISR G2s (site-to-site, IPv4 and IPv6 clients), remote-access users (secure access, dual-stack clients), and a CSR1000v Cloud Connector in the SaaS/IaaS provider's datacenter.
GETVPN: Any-to-Any Encryption over a Private MPLS WAN

Problem Statement
• Fully-meshed large-scale connectivity
• Secure access over MPLS backbone

Solution Overview and Characteristics
• Most scalable site to site secure access solution
• Group based encryption
• Centralized Key Management
• Tunnel-less: no overlay routing
• Native multicast support
• VRF support

Scalability
• 4000 Group members per key server
• Up to 30G of hardware accelerated encryption

Diagram: HQ ASR1K (Corporate Applications) over L2/L3 Access/MPLS to Branch Office ISR G2 GETVPN group members (site-to-site, IPv4 and IPv6 clients), remote-access users (secure access, dual-stack clients), and a CSR1000v Cloud Connector group member in the SaaS/IaaS provider's datacenter.
Public Internet Transport, Hub-Spoke and Spoke-Spoke: DMVPN
• Large Scale Hub-Spoke with dynamic spoke-to-spoke
• Proven Technology and widely deployed worldwide
• Scale up to 4000 Sites

Converged Site to Site and Remote Access: FlexVPN
• Flexible for site-to-site and remote-access VPNs
• Centralized Policy Management with AAA
• Latest IKEv2 Protocol
• 3rd Party Compatible
• Scale up to 10,000 Sites (currently 4000)

Private IP Transport, Any-to-Any Connectivity: GETVPN
• Most scalable site-to-site solution
• Tunnel-less Any-to-Any Encryption
• Solution Integration with TrustSec and LISP
• Native Multicast Support
• 24,000 Group Members per Key Server (currently 4000)
Do you route all your cloud traffic through the data center?
A. Yes
B. No
Branch to Cloud Security
Cloud Web Security (ScanSafe): Centralized Policy and Granular Reporting
ScanSafe offers consistent, enforceable, high performance web security and policy, regardless of where or how users access the Internet (web, mobile, roaming users via AnyConnect, office-based users).

User Granularity
• Integration with existing network infrastructure (e.g. routers, firewalls)
• Integration with Directory Services
• Numerous deployment options

Policy Control
• Web 2.0 content control
• Bi-directional content control
• Dynamic Web Classification

Security
• HTTP/HTTPS scanning
• SearchAhead
• Outbreak Intelligence
• Billions of Web requests every day
• Real-time content analysis of all Web content
• Effective zero-day threat protection

Reporting
• Flexible reporting with over 75 attributes
• Deep, drill down visibility
• Overview, trending and forensic data
Secure Split Tunneling: Enterprise branch offices using split tunneling interfacing directly to Internet
• Available in Cisco IOS® Software (SEC) licenses in Cisco IOS Software Release 15.2(4)M1
• Supports redirection of HTTP and HTTPS traffic.
• ISR Connector works independently with or without Cisco IOS Software security services such as Cisco IOS Firewall, IPS, and VPN.
Diagram: Cisco® ISR G2 with ScanSafe at the branch, running Cisco IOS® ZBFW and Cisco IOS® IPS; local LAN and POS in a wired security zone, guest users in a wireless security zone; IPsec VPN to the Head Office and direct Internet access.
ScanSafe Connector at the Branch: Key Highlights of Topology
• ScanSafe enabled at branch ISR G2
• Direct Internet access from the branch; Split tunneling enabled
• 2 options for Active Directory (AD) server deployment:
  Deployed at the headquarters: Authentication requests go to head end AD server
  Deployed at branch: Authentication requests go to local AD server at branch
• After successful authentication, ScanSafe Connector on ISR G2 requests the http/https session and passes user info to the ScanSafe tower
Diagram: Client PC behind the branch Cisco ISR G2 with ScanSafe Connector; approved content returned from the Internet, blocked content stopped at the tower; AD Server at Corporate HQ (can also be located at the Branch).
ScanSafe Connector at the Head End: Key Highlights of Topology
• ScanSafe enabled at head end ISR G2
• No direct Internet access from branch
• All traffic from the branch goes over VPN tunnel terminating at the head end
• Branch traffic must travel to headquarters first before back-hauling to the Internet
• AD typically deployed at headquarters but can also be deployed at the branch
• After successful authentication, ScanSafe Connector on ISR G2 requests the http/https session and passes user info to the ScanSafe tower
Diagram: Client PC at the Branch, VPN Tunnel to Corporate HQ Cisco ISR G2 with ScanSafe Connector and AD Server; approved content returned from the Internet, blocked content stopped at the tower.
Supported users with ScanSafe ISR G2 Connector
• The scalability of the ISR Web Security with ScanSafe is a collective function of user behavior, authentication methods, features on ISR G2, and throughput requirements
• ISR G2 integrated ScanSafe connector positioned for branch/regional offices

Supported user count per platform:
Authentication method       3945E  3945  3925E  3925  2951  2911  2901  1941  1921  891
NTLM Authentication          1200  1200   1200   900   600   500   350   350   300  120
HTTP Basic Authentication    1200  1200   1200   900   600   500   350   350   300  120
Web Proxy Authentication     1200  1200   1200   900   600   500   350   350   300  120
No Authentication            5000  1200   5000   900   600   500   350   350   300  120
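The branch topology and the table above describe the connector in prose: redirect HTTP and HTTPS from the direct Internet path to a tower, pass user identity when there is one, and keep HQ traffic on the VPN. The configuration below is an added example for this page, not from the deck or from Cisco's own documentation; it shows the IOS 15.2(4)M content-scan settings for the branch split-tunnel case. Interface roles, the tower addresses (203.0.113.10 and .11), the license key, the group and user names and the 10.0.0.0/8 HQ range are all assumptions. User authentication against Active Directory (the NTLM / HTTP Basic rows of the table) is configured separately with `ip admission` rules on the LAN interface and is not shown here.

```cisco
! Branch ISR G2 (Cisco IOS 15.2(4)M1, SEC license). Assumed interfaces and values:
! GigabitEthernet0/0 = Internet (split-tunnel direct access), GigabitEthernet0/1 = branch LAN,
! tower addresses 203.0.113.10/.11, license key, HQ subnet 10.0.0.0/8 reached over IPsec.
!
parameter-map type content-scan global
 ! Primary and backup ScanSafe towers; the connector redirects both HTTP and HTTPS to port 8080.
 server scansafe primary ipv4 203.0.113.10 port http 8080 https 8080
 server scansafe secondary ipv4 203.0.113.11 port http 8080 https 8080
 ! Authentication key issued with the ScanSafe subscription ("0" = entered in clear text).
 license 0 REPLACE-WITH-SCANSAFE-LICENSE-KEY
 ! Source address the router uses when talking to the towers.
 source interface GigabitEthernet0/0
 timeout server 30
 ! Fail closed: if neither tower answers, block web traffic rather than let it
 ! leave the branch uninspected (the alternative keyword is allow-all).
 server scansafe on-failure block-all
 ! Identity reported to the tower for sessions with no authenticated user,
 ! so that the tower's default policy applies rather than no policy.
 user-group BRANCH-DEFAULT username unauthenticated
!
! Traffic that must not be redirected: anything for HQ goes over the IPsec tunnel
! and is inspected there, not at the tower.
ip access-list extended SCANSAFE-BYPASS
 permit ip any 10.0.0.0 0.255.255.255
content-scan whitelisting
 whitelist acl name SCANSAFE-BYPASS
!
! Redirection is applied outbound on the Internet interface, so only traffic
! taking the direct split-tunnel path is sent to the tower.
interface GigabitEthernet0/0
 description Internet - split tunnel direct access
 ip nat outside
 content-scan out
!
interface GigabitEthernet0/1
 description Branch LAN
 ip nat inside
```

`show content-scan summary` confirms which tower is active and `show content-scan session active` lists the redirected sessions with the user or group name the connector attached to each. The `on-failure` choice is the one to review deliberately: `block-all` turns a tower outage into a web outage for the branch, `allow-all` turns it into a window of uninspected direct Internet access, and which one is acceptable is a policy decision, not a default to inherit.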
Lack of Consistency Creates Barriers to Adoption

Security Risks
• Inconsistent VPN policies
• Limited connection reliability
• Error-prone topology changes

Integration Issues
• Incompatible IP addressing
• Incomplete network services
• Different management tools

User Experience
• Indirect traffic path through DC
• Few WAN optimization options
• Inability to prioritize traffic

Diagram: Branch ISRs, Data Center ASR and Public Cloud VPC/vDC instances connected across the WAN.
Extending Enterprise WAN to External Clouds

Secure Connectivity
• Globally uniform VPN policies
• Scalable and reliable VPNs
• Automatic topology updates

Network Consistency
• Datacenter to Cloud IP mobility
• Full range of network services
• Familiar management tools

Traffic Control
• Shortest path from any location
• Interception and redirection
• Classification and prioritization

Diagram: Branch ISRs, Data Center ASR and Public Cloud VPC/vDC instances as peers on the enterprise WAN.
Cisco IOS Software in Virtual Form-factor: CSR 1000v

Cisco IOS XE Cloud Edition
• Selected feature set of Cisco IOS XE
• Virtual Route Processor (RP)
• Virtual Forwarding Processor (FP)

Virtual Private Cloud/Data Center Gateway
• Optimized for single tenant use cases

Agnostic to Other Infrastructure Elements
• Hypervisor agnostic
• Virtual switch agnostic
• Server agnostic

Diagram: CSR 1000v (RP and FP) running as a VM beside application VMs (OS + App) on a hypervisor and server, attached to the virtual switch inside the VPC/vDC.
Scalable, Dynamic, and Consistent Connectivity to External Cloud

Challenges
• Inconsistent security
• High network latency
• Limited scalability

Solution
• IPsec VPN, DMVPN, EZVPN, FlexVPN
• Routing and addressing
• Firewall, ACLs, AAA

Benefits
• Direct, secure access
• Scalable, reliable VPN
• Operational simplicity

Diagram: Enterprise Branch ISRs and DC ASR connect over the Internet/Public WAN by VPN tunnel to a CSR 1000v in the Cloud Provider Data Center VPC/vDC (behind the WAN router, distribution and ToR switches, and servers), extending the enterprise's private address space into the VPC.
Comprehensive Networking Services Gateway in External Cloud

Challenges
• Response time of apps
• Application prioritization
• Connectivity resiliency

Solution
• AppNav for WAAS
• QoS prioritization
• HSRP VPN resiliency

Benefits
• Rich portfolio of network features and services
• Single point of control

Diagram: Enterprise Branch ISRs (with WAAS) and DC ASR connected over the WAN to a redundant pair of CSR 1000v (HSRP) in the Cloud Provider Data Center VPC/vDC, with vWAAS terminating the optimized TCP connection.
Reducing Barriers to IaaS Adoption in External Cloud

Secure Connectivity
• Reduce security vulnerabilities with uniform VPN access policy
• Eliminate operational overhead with dynamic VPN scalability
• Facilitate network evolution with dynamic routing protocols

Network Consistency
• Remove integration barriers with uniform network services
• Prevent connectivity issues with holistic WAN architecture
• Extend operational practices into cloud with familiar IOS

Traffic Control
• Improve user experience with WAN optimization and QoS
• Increase service availability with granular resiliency control
• Minimize risk of threats with granular inspection policies

Diagram: ISR (branch), ASR (data center) and CSR (VPC/vDC), all running IOS, across the WAN.
Next Steps
• Enforce Unified Policy with TrustSec
• Implement Application-Level Security to the Cloud
• Scale VPN Access Using FlexVPN
• Eliminate Backhauling and Extend Your Network to Cloud with CSR 1000V
• Protect Branches with Cloud Web Security (ScanSafe) Connector
CONQUER THE CLOUD WEBCAST SERIES
• November 15: Extending Virtualization to the Branch
• December 11: Designing Next-Generation, Cloud-Ready WAN
Thank You