
Conquer the Cloud

Part 3: Enforcing Pervasive Cloud Security


Presenter: Ray Wong, Sr. Technical Engineer, Cisco
Host: Hugo Vliegen, Director of Technical Marketing, Cisco
November 1, 2012, 8 a.m. Pacific Time
2012 Cisco and/or its affiliates. All rights reserved.

FIVE-PART WEBCAST SERIES
Experts Provide Best Practices on How to Accelerate Your Organization's Journey to the Cloud

On-demand: The Cloud and Your Network: Is There a Gap?
On-demand: Optimizing App Performance from Branch to Cloud
November 1: How to Enforce Pervasive Security
November 15: Extending Virtualization to the Branch
December 11: Designing Next-Generation, Cloud-Ready WAN

New security challenges of cloud computing
Security elements for building a cloud-intelligent network
How to securely connect remote sites to infrastructure-as-a-service (IaaS) cloud
Strategies for enforcing consistent policies to protect against web-based threats
Next steps for securing your connection to the cloud

Conquer the Cloud: Part 3: Enforcing Pervasive Cloud Security

Ray Wong, Senior Technical Engineer, Routing Services
Hugo Vliegen, Director of Technical Marketing, Routing Services

Poll: Security is the primary reason your company has not been able to embrace cloud computing.
A. Strongly Agree
B. Agree
C. Neutral
D. Disagree
E. Strongly Disagree

Ray Wong, Senior Technical Engineer, Routing Services
Narayan Subbarao, Senior Technical Engineering Manager, Routing Services
Hugo Vliegen, Director of Technical Marketing, Routing Services

Survey respondents consider a cloud-ready WAN to be the most critical infrastructure, followed by:
Security and Policy: 66%
Performance: 60%
Management: 60%
Virtualized DC / Cloud Provider SLA: 37%

Source: Cisco Cloud Networking Survey: 1300+ global IT professionals across 13 countries, April, 2012

Connecting Multiple Users, Multiple Devices to Multiple Clouds

Scaling
Assess Vulnerability
Architecture Limitations
Private

Shared Infrastructure Can Compromise IT Control Points
Yesterday's Hub and Spoke Model Creates Choke Points in the Network

Diagram: Branch/User (ISR G2) and Traditional DC (ASR 1000, 100G FW, FW/IPS, TrustSec) connected over Private WAN/Internet with GET, FlexVPN and NGE; CSR in Private/Public/Hybrid cloud; Cloud Web Security (ScanSafe).

Any-to-Any Secure Connectivity
FlexVPN: Converged VPN at scale across branch, mobile user, and cloud
GETVPN: Encrypted MPLS WAN for added privacy
Next-generation encryption: Suite-B crypto with hardware acceleration

Integrated Threat Defense
Network integrated firewall: Up to 100 Gbps stateful inspection for IPv4/v6
TrustSec with ISE: End-to-end user-aware access and policy control
PCI 2.0 Compliance: Single box solution including simplified IPS

Branch to Cloud Security
CSR: Any-to-any enterprise VPN to connect users to external clouds
Cloud Web Security (ScanSafe) Connector: Secure, direct access to cloud apps over Internet

Any to Any Connectivity



Delivered by 3.7S/15.2(4)M
Launched at Cisco Live 2012, San Diego, June 2012
IPv4 connectivity for Hub/Spoke and Spoke to Spoke
IPv4 connectivity for Cisco AnyConnect Client and Win 7 Client
3rd Party VPN device compatibility based on IKEv2

Diagram: Corporate LAN, Cisco Routers, 3rd Party Routers

Unified Overlay VPNs: One VPN to Learn and Deploy

Everything Works, No Questions Asked

Feature comparison across Easy VPN, DMVPN, Crypto Map and FlexVPN (columns in that order) for: Spoke-spoke direct (shortcut), Source Failover, Simple Failover, Remote Access, Per-peer config, Per-Peer QoS, Full AAA Management, Config push, Dynamic Routing, IPsec Routing, Interop.

Full AAA Management: Yes / No / No / Yes

Remaining rows (feature labels are not attached to their values in this copy; values are Easy VPN / DMVPN / Crypto Map / FlexVPN):
No / No / Yes / Yes
No / Yes / No / Yes
Yes / No / Yes / Yes
No / Yes / No / Yes
Yes / No / Yes / Yes
Yes / partial / poor / Yes
No / No / No / Yes
Yes / No / No / Yes
Yes / No / No / Yes
Yes / group / No / Yes

FlexVPN

Diagram: Branch Office ISR G2 (Site-to-Site), 3rd Party VPN Router, Remote Access Users (Secure Access) and a Cloud Connector to CSR1000v at a SaaS/IaaS Provider, all reaching over the Internet an ASR1K at the Datacenter/HQ hosting Corporate Applications; dual-stack clients.

Problem Statement
Connecting Enterprise securely to the Cloud
Converging Site-Site and Remote Access in one solution

Solution Overview
Based on latest IKEv2 standards
Centralized VPN Policy Management via AAA server

Solution Characteristics
Better performance and scaling with IKEv2
Per-Tunnel HQoS Support
3rd party end-point compatibility (using IKEv2)

Scalability
Up to 30G of hardware accelerated encryption (AES)
Up to 4000 FlexVPN Remote connections
Further scale increase by Server Clustering (3.8S, Nov 2012)

DMVPN

Diagram: Branch Office ISR G2 routers (Site-to-Site), Secure Access and a Cloud Connector to CSR1000v at a SaaS/IaaS Provider, with DMVPN tunnels over the Internet to an ASR1K at the Datacenter/HQ hosting Corporate Applications; IPv4, IPv6 and dual-stack clients.

Problem Statement
Secure Enterprise WAN connectivity over Public Internet
Difficulty in deploying and managing large scale installation

Solution Overview
Reduced CapEx and OpEx
Simplified branch to branch communications

Solution Characteristics
Dynamic Multipoint VPN allows connectivity over public internet
Simplified Deployment
Enables Hub-Spoke and Spoke-Spoke connectivity

Scalability
Up to 30G of hardware accelerated encryption (AES)
Up to 4000 DMVPN/BGP or EIGRP Adjacencies

GETVPN

Diagram: Branch Office ISR G2 routers (Site-to-Site GETVPN GM), Secure Access and a Cloud Connector to CSR1000v at a SaaS/IaaS Provider over L2/L3 Access/MPLS, with an ASR1K as GETVPN GM at the Datacenter/HQ hosting Corporate Applications; IPv4, IPv6 and dual-stack clients.

Problem Statement
Fully-meshed large scale connectivity
Secure access over MPLS backbone

Solution Overview
Most scalable site to site secure access solution
Group based encryption
Centralized Key Management

Solution Characteristics
Tunnelless, no overlay routing
Native multicast support
VRF support

Scalability
4000 Group members per key server
Up to 30G of hardware accelerated encryption

DMVPN
Public Internet Transport, Hub-Spoke, Spoke-Spoke
Large Scale Hub-Spoke with dynamic spoke-to-spoke
Proven Technology and widely deployed worldwide
Solution Integration with TrustSec and LISP
Scale up to 4000 Sites

FlexVPN
Converged Site to Site and Remote Access
Flexible for site-to-site and remote-access VPNs
Centralized Policy Management with AAA
Latest IKEv2 Protocol, 3rd Party Compatible
Scale up to 10,000 Sites (currently 4000)

GETVPN
Private IP Transport, Any-to-Any Connectivity
Most scalable site-to-site solution
Tunnelless Any-to-Any Encryption
Native Multicast Support
24,000 Group Members per Key Server (currently 4000)

Do you route all your cloud traffic through the data center?
A. Yes
B. No


Branch to Cloud Security



Centralized Policy and Granular Reporting
Flexible reporting with over 75 attributes
Deep, drill down visibility
Overview, trending and forensic data

User Granularity
Integration with existing network infrastructure (e.g. routers, firewalls)
Integration with Directory Services
Numerous deployment options

Policy Control
Web 2.0 content control
Bi-directional content control
Dynamic Web Classification
HTTP/HTTPS scanning
SearchAhead

Security
Outbreak Intelligence
Billions of Web requests every day
Real-time content analysis of all Web content
Effective zero-day threat protection

Diagram: Administrator; Office Base User, AnyConnect, Roaming User and Mobile users.

ScanSafe offers consistent, enforceable, high performance web security and policy, regardless of where or how users access the Internet

Enterprise branch offices using split tunneling interfacing directly to Internet

Diagram: Cisco ISR G2 with ScanSafe at the branch, IPsec VPN to the Head Office and Secure Split Tunneling to the Internet; Cisco IOS ZBFW and Cisco IOS IPS protecting a Local LAN with POS (Wired Security Zone) and Guest Users (Wireless Security Zone).

Available in Cisco IOS Software (SEC) licenses in Cisco IOS Software Release 15.2(4)M1
Supports redirection of HTTP and HTTPS traffic
ISR Connector works independently with or without Cisco IOS Software security services such as Cisco IOS Firewall, IPS, and VPN

Diagram: Client PC at the Branch behind a Cisco ISR G2 with ScanSafe Connector; Internet (Approved Content / Blocked Content); Corporate HQ with AD Server (can also be located at Branch).

Key Highlights of Topology
ScanSafe enabled at branch ISR G2
Direct Internet access from the branch; split tunneling enabled
2 options for Active Directory (AD) server deployment:
Deployed at the headquarters: authentication requests go to the head end AD server
Deployed at the branch: authentication requests go to the local AD server at the branch
After successful authentication, ScanSafe Connector on ISR G2 requests the http/https session and passes user info to the ScanSafe tower

Diagram: Client PC at the Branch, VPN Tunnel to Corporate HQ where a Cisco ISR G2 with ScanSafe Connector and the AD Server sit; Internet (Approved Content / Blocked Content).

Key Highlights of Topology
ScanSafe enabled at head end ISR G2
No direct Internet access from branch
All traffic from the branch goes over the VPN tunnel terminating at the head end
Branch traffic must travel to headquarters first before back-hauling to the Internet
AD typically deployed at headquarters but can also be deployed at the branch
After successful authentication, ScanSafe Connector on ISR G2 requests the http/https session and passes user info to the ScanSafe tower
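The two topologies above differ only in where the connector sits and whether non-corporate traffic may leave the branch directly. The following is an added illustration written for this page, not Cisco code or the connector's actual implementation: it models the forwarding decision the slides describe (corporate prefixes over the IPsec tunnel, HTTP/HTTPS redirected to the ScanSafe tower together with the AD-authenticated user, everything else direct or backhauled) so the same sample flows can be run through both designs. The corporate prefixes, user names, flows and the hypothetical function names are constructed for the example.

```python
"""
Toy model of the two ScanSafe Connector topologies on the slides (added example,
not Cisco's implementation). Prefixes, users and flows are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example: prefixes reachable only over the IPsec tunnel to HQ.
CORPORATE_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
WEB_PORTS = {80, 443}  # the connector redirects HTTP and HTTPS


@dataclass(frozen=True)
class Flow:
    src_user: Optional[str]  # identity learned from AD authentication, None if not authenticated
    dst_ip: str
    dst_port: int


def is_corporate(dst_ip: str) -> bool:
    """Does the destination fall inside an enterprise prefix (tunnelled traffic)?"""
    addr = ip_address(dst_ip)
    return any(addr in net for net in CORPORATE_PREFIXES)


def web_security_step(flow: Flow, authenticated: set) -> str:
    """What the connector does with an HTTP/HTTPS request.

    Per the slides, only after successful authentication does the connector
    request the session and pass the user info to the tower; an unknown user
    is challenged first rather than forwarded anonymously.
    """
    if flow.src_user is None or flow.src_user not in authenticated:
        return "challenge-auth"
    return f"redirect-to-tower(user={flow.src_user})"


def branch_split_tunnel(flow: Flow, authenticated: set) -> str:
    """Topology 1: connector at the branch ISR G2, split tunneling enabled."""
    if is_corporate(flow.dst_ip):
        return "ipsec-to-hq"
    if flow.dst_port in WEB_PORTS:
        return "branch:" + web_security_step(flow, authenticated)
    return "branch:direct-internet"  # non-web Internet traffic leaves the branch directly


def headend_backhaul(flow: Flow, authenticated: set) -> str:
    """Topology 2: connector at the head end, no direct Internet access from the branch."""
    if is_corporate(flow.dst_ip):
        return "ipsec-to-hq"
    # Everything else crosses the tunnel first and is only then redirected or sent on.
    if flow.dst_port in WEB_PORTS:
        return "ipsec-to-hq;hq:" + web_security_step(flow, authenticated)
    return "ipsec-to-hq;hq:direct-internet"


def compare(flows, authenticated):
    """Map each flow to (branch split-tunnel decision, head-end backhaul decision)."""
    return {f: (branch_split_tunnel(f, authenticated), headend_backhaul(f, authenticated))
            for f in flows}


if __name__ == "__main__":
    # Constructed sample: "alice" has authenticated to AD, the guest has not.
    auth = {"alice"}
    sample = [
        Flow("alice", "10.20.30.40", 443),     # corporate application over the VPN
        Flow("alice", "198.51.100.10", 80),    # public web site, user known
        Flow(None, "198.51.100.10", 443),      # public web site, unauthenticated guest
        Flow("alice", "198.51.100.10", 5060),  # non-web Internet traffic
    ]
    for flow, (branch, headend) in compare(sample, auth).items():
        print(f"{flow.dst_ip}:{flow.dst_port:<5} branch={branch:<40} headend={headend}")
```

Running the block shows the trade-off the slides make: the branch design sends web traffic to the tower from the branch with the user's identity attached and lets non-web traffic out directly, while the head-end design pays the round trip to HQ for every Internet flow but never exposes the branch to the Internet directly.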

Supported users with ScanSafe ISR G2 Connector

Platform   NTLM Authentication   HTTP Basic Authentication   Web Proxy Authentication   No Authentication
3945E      1200                  1200                        1200                       5000
3945       1200                  1200                        1200                       1200
3925E      1200                  1200                        1200                       5000
3925       900                   900                         900                        900
2951       600                   600                         600                        600
2911       500                   500                         500                        500
2901       350                   350                         350                        350
1941       350                   350                         350                        350
1921       300                   300                         300                        300
891        120                   120                         120                        120

The scalability of the ISR Web Security with ScanSafe is a collective function of user behavior, authentication methods, features on ISR G2, and throughput requirements
ISR G2 integrated ScanSafe connector positioned for branch/regional offices

Lack of Consistency Creates Barriers to Adoption

Diagram: Data Center (ASR, VCP/vDC), Public Cloud (VCP/vDC) and Branches (ISR) connected over the WAN.

Security Risks
Inconsistent VPN policies
Limited connection reliability
Error-prone topology changes

Integration Issues
Incompatible IP addressing
Incomplete network services
Different management tools

User Experience
Indirect traffic path through DC
Few WAN optimization options
Inability to prioritize traffic

Extending Enterprise WAN to External Clouds

Diagram: Data Center (ASR, VCP/vDC), Public Cloud (VCP/vDC) and Branches (ISR) connected over the WAN.

Secure Connectivity
Globally uniform VPN policies
Scalable and reliable VPNs
Automatic topology updates

Network Consistency
Datacenter to Cloud IP mobility
Full range of network services
Familiar management tools

Traffic Control
Shortest path from any location
Interception and redirection
Classification and prioritization

Cisco IOS Software in Virtual Form-factor

Cisco IOS XE Cloud Edition
Selected feature set of Cisco IOS XE
Virtual Route Processor (RP) and Virtual Forwarding Processor (FP)

Virtual Private Cloud/Data Center Gateway
Optimized for single tenant use cases

Agnostic to Other Infrastructure Elements
Hypervisor agnostic
Virtual switch agnostic
Server agnostic

Diagram: CSR 1000v (RP, FP) alongside App OS instances in a VPC/vDC, running over a hypervisor and virtual switch on a server.

Scalable, Dynamic, and Consistent Connectivity to External Cloud

Diagram: Enterprise DC (ASR) and Branches (ISR) reaching a CSR 1000v in the Cloud Provider Data Center (VPC/vDC with WAN Router, Distribution and ToR Switches, Servers) over a Public WAN VPN tunnel using private address space across the Internet.

Challenges
Inconsistent security
High network latency
Limited scalability

Solution
IPSec VPN, DMVPN, EZVPN, FlexVPN
Routing and addressing
Firewall, ACLs, AAA

Benefits
Direct, secure access
Scalable, reliable VPN
Operational simplicity

Comprehensive Networking Services Gateway in External Cloud

Diagram: Enterprise DC (ASR, WAAS) and Branches (ISR, WAAS) with optimized TCP connections over the WAN to a CSR 1000v pair (HSRP) and vWAAS in the Cloud Provider Data Center (VPC/vDC with WAN Router, Distribution and ToR Switches, Servers).

Challenges
Response time of apps
Application prioritization
Connectivity resiliency

Solution
AppNav for WAAS
QoS prioritization
HSRP VPN resiliency

Benefits
Rich portfolio of network features and services
Single point of control

Reducing Barriers to IaaS Adoption in External Cloud

Secure Connectivity
Reduce security vulnerabilities with uniform VPN access policy
Increase service availability with dynamic VPN scalability
Minimize risk of threats with granular inspection policies

Network Consistency
Remove integration barriers with uniform network services
Prevent connectivity issues with dynamic routing protocols
Extend operational practices into cloud with familiar IOS

Traffic Control
Improve user experience with WAN optimization and QoS
Eliminate operational overhead with granular resiliency control
Facilitate network evolution with holistic WAN architecture

Diagram: ASR (IOS) at the enterprise, ISRs (IOS) at the branches and CSR (IOS) in the VPC/vDC, connected over the WAN.

Scale VPN Access Using FlexVPN
Enforce Unified Policy with TrustSec
Implement Application Level Security to the Cloud
Protect Branches with Cloud Web Security (ScanSafe) Connector
Eliminate Backhauling and Extend Your Network to Cloud with CSR 1000V

CONQUER THE CLOUD WEBCAST SERIES

November 15: Extending Virtualization to the Branch
December 11: Designing Next-Generation, Cloud-Ready WAN

Thank You
