Experts Provide Best Practices on How to Accelerate Your Organization's Journey to the Cloud: FIVE-PART WEBCAST SERIES
On-demand: The Cloud and Your Network: Is There a Gap?
On-demand: Optimizing App Performance from Branch to Cloud
Cloud-Ready WAN
New security challenges of cloud computing
Security elements for building a cloud-intelligent network
How to securely connect remote sites to infrastructure-as-a-service (IaaS) cloud
Conquer the Cloud: Part 3: Enforcing Pervasive Cloud Security
Speakers: Ray Wong, Narayan Subbarao, Hugo Vliegen
Senior Technical Engineering Manager, Routing Services

Poll: Security is the primary reason your company has not been able to embrace cloud computing.
A. Strongly Agree
B. Agree
C. Neutral
D. Disagree
E. Strongly Disagree
Top cloud networking concerns (share of respondents):
Security and Policy: 66%
Followed by:
Performance: 60%
Management: 60%
Cloud Provider SLA: 37%
Source: Cisco Cloud Networking Survey: 1300+ global IT professionals across 13 countries, April 2012
2012 Cisco and/or its affiliates. All rights reserved.
Figure: Yesterday's Hub and Spoke Model Creates Choke Points in the Network (diagram labels: Scaling, Vulnerability Assessment, Architecture Limitations, Private, TrustSec, FW/IPS, ASR 1000, ISR G2, Branch/User)
FlexVPN: Converged VPN at scale across branch, mobile user, and cloud
GETVPN: Encrypted MPLS WAN for added privacy
Next-generation encryption: Suite-B crypto with hardware acceleration
Network integrated firewall: Up to 100 Gbps stateful inspection for IPv4/v6
TrustSec with ISE: End-to-end user-aware access and policy control
PCI 2.0 Compliance: Single box solution including simplified IPS
CSR: Any-to-any enterprise VPN to connect users to external clouds
Cloud Web Security (ScanSafe) Connector: Secure, direct access to cloud apps over Internet
Delivered by 3.7S/15.2(4)M; launched at Cisco Live 2012
VPN technology comparison (the slide compares these features: Per-peer config, Per-Peer QoS, VPN, Config push, Dynamic Routing, IPsec Routing, Interop; the row-to-feature pairing did not survive extraction, so the rows are given in the order they appear):
Easy VPN | DMVPN | Crypto Map | Flex VPN
No | No | Yes | Yes
No | Yes | No | Yes
Yes | No | Yes | Yes
No | Yes | No | Yes
No | No | No | Yes
Yes | No | No | Yes
Yes | No | No | Yes
Figure: FlexVPN deployment (labels: CSR1000v at SaaS/IaaS Provider, Remote Access Users, Site-to-Site, Branch Office ISR G2, 3rd Party VPN Router, Secure Access, Cloud Connector, Datacenter, HQ, ASR1K, Internet, Corporate Applications, Dual-stack Clients)

FlexVPN
Problem Statement: Connecting Enterprise securely to the Cloud; Converging Site-Site and Remote Access in one solution
Solution Overview: Based on latest IKEv2
Solution Characteristics: Better performance and scaling with IKEv2; Per-Tunnel HQoS Support; 3rd party end-point compatibility (using IKEv2)
Scalability: Up to 30G of hardware accelerated encryption (AES); Up to 4000 FlexVPN Remote connections; Further scale increase by Server Clustering (3.8S, Nov 2012)
Figure: DMVPN deployment (labels: CSR1000v at SaaS/IaaS Provider, IPv4 Clients, Site-to-Site, Secure Access, Cloud Connector, Datacenter, HQ, DMVPN, Internet, ASR1K, Corporate Applications, IPv6 Clients, Dual-stack Clients)

DMVPN
Problem Statement: Secure Enterprise WAN connectivity over Public Internet; Difficulty in deploying and managing large scale installation
Solution Overview: Reduced CapEx and OpEx; Simplified branch to branch communications
Solution Characteristics: Dynamic Multipoint VPN allows connectivity over public internet; Simplified Deployment; Enables Hub-Spoke and Spoke-Spoke connectivity
Scalability: Up to 30G of hardware accelerated encryption
Figure: GETVPN deployment (labels: Cloud Connector, Branch Office ISR G2, CSR1000v at SaaS/IaaS Provider, IPv4 Clients, Site-to-Site GETVPN GM, Secure Access, Datacenter, L2/L3 Access/MPLS, ASR1K, HQ, GETVPN GM, Corporate Applications, IPv6 Clients, Dual-stack Clients)

GETVPN
Problem Statement: Fully-meshed large scale connectivity; Secure access over MPLS backbone
Solution Overview: Most scalable site to site solution
Solution Characteristics: Tunnelless (no overlay routing); Native multicast support; VRF support
Scalability: 4000 Group members; hardware accelerated encryption; Management
Summary of VPN options
DMVPN: Public Internet Transport; Hub-Spoke, Spoke-Spoke; Large Scale Hub-
FlexVPN: Converged Site to Site and Remote Access; Solution Integration with
GETVPN: Private IP Transport; Any-to-Any Connectivity; Most scalable site-to-site solution; Tunnelless Any-to-Any Encryption (currently 4000)
Poll: Do you route all your cloud traffic through the data center?
A. Yes
B. No
Cisco Cloud Web Security (ScanSafe)
Deep, drill down visibility: 75 attributes; Administrator forensic data; User Granularity
Policy Control: Web 2.0 content control; Bi-directional content control; Integration with existing Directory Services; Numerous deployment options
Security: Outbreak Intelligence; Billions of Web requests every day; Dynamic Web Classification; Real-time content; HTTP/HTTPS scanning; SearchAhead protection
Roaming User: AnyConnect; Mobile
ScanSafe offers consistent, enforceable, high performance web security and policy, regardless of where or how users access the Internet
Figure: ISR G2 ScanSafe Connector (labels: IPsec VPN, Secure Split Tunneling, Cisco IOS ZBFW, Head Office, Local LAN, POS, Internet)
Supports redirection of HTTP and HTTPS traffic. ISR Connector works independently with or without Cisco IOS software security services such as Cisco IOS Firewall, IPS, and VPN.
Figure: ScanSafe enabled at the branch (labels: Branch, Corporate HQ, Internet, Client PC)
ScanSafe enabled at branch ISR G2
Direct Internet access from the branch; split tunneling enabled
2 options for Active Directory (AD) server deployment:
Deployed at the headquarters: authentication requests go to head end AD server
Deployed at branch: authentication requests go to local AD server at branch
After successful authentication, ScanSafe Connector on ISR G2 requests the http/https session and passes user info to the ScanSafe tower
Figure: ScanSafe enabled at the head end (labels: Branch, VPN Tunnel, Corporate HQ, Internet, Client PC, AD Server)
ScanSafe enabled at head end ISR G2
No direct Internet access from branch
All traffic from the branch goes over VPN tunnel terminating at the head end
Branch traffic must travel to headquarters first before back-hauling to the Internet
ISR G2 platform sizing (values as shown on the slide, four columns per platform; sizing is a function of user behavior, authentication methods, features on ISR G2, and throughput requirements):
3945E: 1200 | 1200 | 1200 | 5000
3945: 1200 | 1200 | 1200 | 1200
3925E: 1200 | 1200 | 1200 | 5000
3925: 900 | 900 | 900 | 900
2951: 600 | 600 | 600 | 600
2911: 500 | 500 | 500 | 500
2901: 350 | 350 | 350 | 350
1941: 350 | 350 | 350 | 350
1921: 300 | 300 | 300 | 300
891: 120 | 120 | 120 | 120
ISR G2 integrated ScanSafe connector positioned for branch/regional offices
Figure: Branches, WAN and Public Cloud today (labels: VCP/vDC, Public Cloud, WAN, ISR, Branch)
Security Risks: Inconsistent VPN policies; Limited connection reliability; Error-prone topology changes
Integration Issues: Incompatible IP addressing; Incomplete network services; Different management tools
User Experience: Indirect traffic path through DC; Few WAN optimization options; Inability to prioritize traffic
Figure: Branches, WAN and Public Cloud with CSR (labels: VCP/vDC, Public Cloud, WAN, ISR, Branch)
Secure Connectivity: Globally uniform VPN policies; Scalable and reliable VPNs; Automatic topology updates
Network Consistency: Datacenter to Cloud IP mobility; Full range of network services; Familiar management tools
Traffic Control: Shortest path from any location; Interception and redirection; Classification and prioritization
Figure: CSR 1000v architecture (labels: App OS, App OS, CSR 1000v (RP, FP), VPC/vDC, Hypervisor, Virtual Switch, Server)
Secure connectivity to the cloud
Challenges: Inconsistent security; Limited scalability
Solution: IPSec VPN, DMVPN, EZVPN, FlexVPN; Routing and addressing; Firewall, ACLs, AAA
Benefits: Direct, secure access; Scalable, reliable VPN; Operational simplicity
Figure labels: ASR, VPC/vDC, Branch, Internet, WAN Router, ISR, CSR 1000v, Servers
Application performance to the cloud
Challenges: Response time of apps; Application prioritization; Connectivity resiliency
Solution: AppNav for WAAS; QoS prioritization; vWAAS; HSRP
Benefits: Rich portfolio of network
Figure labels: ASR, Branch, WAAS, WAN, WAN Router, CSR 1000v, VPC/vDC, ISR, Servers
Network Consistency: Remove integration barriers
Traffic Control: Improve user experience with
Figure labels: ASR, IOS, ISR, WAN, CSR, VPC/vDC
Summary
Enforce Unified Policy with TrustSec
Implement Application Level Security to the Cloud
Protect Branches with Cloud Web Security (ScanSafe) Connector
Eliminate Backhauling and Extend Your Network to Cloud with CSR 1000V
Thank You