Datacenter Security
György Ács
Security Consulting Systems Engineer
2016 June
Evolving Business Needs & Datacenter Challenges
Diagram: continuous solution cycle (labels recovered from the figure)
• Detect threats
• Block threats
• Discover and onboard workloads
• Defend automatically
• Define and enforce policies
• Apply policies to new workloads automatically
• Contain automatically
• Remediate
Cisco DC Security: Best of Breed Protection…
Diagram components (recovered from the figure): ASA FW, Clustering, NGIPS, TrustSec with Security Group Tagging (SGT), ISE, NGA, Virtual FlowSensor.
Goals: Simplify, Accelerate, Automate, Standardize.
Layer 2 Data Center Overview
Core/Edge: routed core (BGP) and edge connectivity; Layer 2 connection to Services; Layer 3 connection to Distribution.
• ASA can be virtualized into security contexts for 1:1 mapping to VRFs
• Useful for topologies that require a firewall between Aggregation and Core
• Possible bottleneck as most traffic destined to core traverses the firewall
ASA as VxLAN Gateway
• ASA 9.4(1) supports one VTEP with multiple tunnels per context
• System VLAN limit applies to combined VLAN and VxLAN count
A Virtual Network Identifier (VNI) interface on ASA handles decapsulated VxLAN traffic for each segment:
interface vni1
 segment-id 10000
interface vni2
 segment-id 10100
interface vni3
 segment-id 10200
Multi-Site Data Centers
Multi-Site Data Center Security
Future: stateful ASA+FirePOWER inspection of LISP encapsulated traffic for cloud edge protection
Virtual ASA (ASAv)
• Fully featured ASA running as a virtual machine
• Multiple vCPUs (up to 4) and vNICs (up to 10) with VLAN tagging (up to 200)
• Virtualization benefits displace the need for multiple-context mode
• Active/Standby failover only; future clustering for connection state mobility
• Expanding virtual firewall use cases
• Protecting physical and VM communication on any interface
• Routed and transparent firewall modes
• VxLAN routing and bridging in ASA 9.4(1)
• VMware vSphere and KVM support today, more to follow
TrustSec
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
Diagram (recovered labels): TrustSec security policy, network fabric, SGT propagation.
• Classification of systems/users based on context (user role, device, location, access method)
IDS and IPS in Data Center
Symmetric FirePOWER IDS (Passive) with RSPAN
1. Asymmetric traffic flows through data center switching infrastructure.
3. RSPAN collection switch aggregates asymmetric flows and feeds them into an Etherchannel. Both directions of a flow select the same member link with no NAT.
(Diagram: vPC pairs, VLAN 10 and VLAN 11.)
3. North-South traffic is directed through the “active” NGIPS interface set with a floating static or lower-cost dynamic routed path.
4. North-South traffic is directed through the “standby” NGIPS interface set through a higher admin-distance static or higher-cost dynamic routed path after “active” NGIPS failure.
ASA Cluster with FirePOWER Services Module for NGIPS
1. ASA appliances with FirePOWER services modules are deployed as a Spanned Etherchannel cluster to represent a single logical device.
2. The cluster member that gets the first packet for a connection assumes full processing ownership for all associated packets.
(Diagram: vPC, ASA Cluster.)
2. An inline FirePOWER appliance attaches to each ASA cluster member in a context sandwich.
3. Clustering automatically redirects asymmetrically received packets to the ASA connection owner for full processing.
NGIDS/NGIPS Solution Comparison
Solution: ASA Cluster with FirePOWER Services
Use Case: Integrated inline Threat Centric Security
Pros: Scalability, selective inspection, integration simplicity, CVD
Cons: Limited NGFW/NGIPS/AMP performance
Next-Generation Firepower and ASA portfolio (throughput, connections per second):
• Firepower 9300 (60-240 Gbps)
• Firepower 4100 (20-60 Gbps)
• ASA 5555-X (4 Gbps, 50K conn/sec)
• ASA 5545-X (3 Gbps, 30K conn/s)
• ASA 5525-X (2 Gbps, 20K conn/s)
• ASA 5516-X (1.8 Gbps, 20K conn/s)
• ASA 5508-X (1 Gbps, 10K conn/s)
• ASA 5506-X (750 Mbps, 5K conn/s)
• Virtual: NGFWv (running FTD)
Features (recovered labels): NGIPS, Advanced Malware Protection, URL Filtering, High Availability, Analytics & Automation.
Diagram (recovered labels): Service Producers (NGFW, ADC), OUTSIDE, Contracts, Firewall at Each Leaf Switch, L4-7 Security Services (physical or virtual, location independent), Servers (Physical or Virtual).
L4-7 Security via Cisco ACI™
► L4 Distributed Stateless Firewall: line rate policy enforcement; policy follows workloads.
► Service Graph: sizing at scale (can add ASA Cluster); L4-7 security policy applied consistently for any workload.
Cisco ACI Security Benefits
ACI EMBEDDED SECURITY + CISCO SECURITY: « Zero Trust » mode; segmentation within End Point Groups; ASA 5585-X, Firepower 4100 & 9300, ASA Virtual.
KEY BENEFITS: TrustSec integration; synch security and End Point Groups for consistent policies.