Cisco

Datacenter Security
György Ács
Security Consulting Systems Engineer
2016 June
• Evolving Business Needs & Datacenter Challenges
• Cisco Datacenter Security Solution
• Cisco ACI Security for Next Generation Datacenters
Datacenter Security Challenges
• Untimely security coverage
• Inconsistent levels of security
• Proliferating user & device access
• Compromised configuration: 95% of firewall breaches caused by misconfigurations*
* Greg Young, Gartner Inc

…creates new traffic flows
• East-West traffic: 76%
• North-South traffic: 17%
• Inter-data center traffic: 7%

Securing the Datacenter: a Continuous Solution
• Discover and onboard workloads
• Define and enforce policies
• Apply policies to new workloads automatically
• Detect threats
• Block threats
• Defend automatically
• Scope the attack
• Contain automatically
• Remediate
Cisco DC Security: Best of Breed Protection…
• Control North/South traffic with NGFW (ASA 5585 – Firepower 4100/9300)
• Scale and HA with Clustering
• Inspect North/South traffic with NGIPS
• Segment and Protect virtual enclave with ASAv and vNGIPS
(Diagram: ASA FW with Clustering and NGIPS in front of the Physical Hosts)
…with Best Infrastructure…
Leverage your Cisco Infrastructure to fight Advanced Pervasive Threats
• TrustSec with Security Group Tagging (SGT)
• Cisco (Lancope) Stealthwatch with NGA and Virtual FlowSensor
• ISE
(Diagram: ASA FW with Clustering and NGIPS, SGTs carried on every segment)
• Simplify
• Accelerate
• Automate
• Standardize
Layer 2 Data Center Overview
• Core/Edge: Routed core (BGP) and edge connectivity; Layer 2 connection to Services; Layer 3 connection to Distribution
• Services: Service device insertion (firewall, IPS, and so on); East-West services through transparent mode or VRF hair-pinning; North-South services for edge; Etherchannel/vPC and HA
• Distribution/Aggregation: First-hop router and other Layer 3 services; traffic may pass through Services in transparent mode first (East-West)
• Access: Endpoint attachment, Layer 2 Etherchannel connections to Distribution
ASA DC Design: Inter-VDC Insertion
• Firewall services are “sandwiched” between Nexus VDCs (North-South)
• Routed or transparent mode; transparent is more seamless
• IPS, load balancers, and other services can be layered in as needed
• ASA can be virtualized into security contexts for 1:1 mapping to VRFs
• Useful for topologies that require a firewall between Aggregation and Core
• Possible bottleneck as most traffic destined to core traverses the firewall
(Diagram: Core VDC – ASA – Agg VDC, with VRF 1 and VRF 2 on each side mapped 1:1 through the firewall)
ASA as VxLAN Gateway
• ASA 9.4(1) supports one VTEP with multiple tunnels per context
• System VLAN limit applies to combined VLAN and VxLAN count
• One static VTEP peer (i.e. hypervisor) is supported on ASA
• Multiple VTEP peers require multicast-based discovery
• ASA bridges or routes between different network types
• A Virtual Network Identifier (VNI) interface on ASA handles decapsulated VxLAN traffic for each segment
(Diagram: TenGig0/8 carries VLAN 100 plus VxLAN segments 10000, 10100 and 10200)

VNI interfaces on the ASA, one per segment:
  interface vni1
   segment-id 10000
  interface vni2
   segment-id 10100
  interface vni3
   segment-id 10200
Multi-Site Data Centers

Multi-Site Data Center Security
• ASA 9.1(4): Scalable inter-site ASA+FirePOWER cluster at tenant edge (North-South insertion) with stateful connection preservation on endpoint mobility
• ASA 9.3(2) and 9.5(1): Scalable inter-site ASA+FirePOWER cluster in front of or as first-hop router on extended data segments (East-West insertion) with stateful connection preservation on endpoint mobility
• Future: Stateful ASA+FirePOWER inspection of LISP encapsulated traffic for cloud edge protection
• Future: Dynamic flow ownership reassignment with inter-site clustering on endpoint mobility
(Diagram: DC1 and DC2 joined by LISP, an ASA Cluster at each site, endpoints A and B)
North-South Inter DC Clustering (ASA 9.1(4)), Site A and Site B
1. CCL is fully extended between DCs at Layer 2 with <10ms of latency
2. EIGRP/OSPF peering through local cluster members
3. EIGRP/OSPF peering
4. Default route advertised inbound through local members
5. Inside routes advertised outbound through local members (lower metric)
6. Default routes from opposite sites exchanged (higher metric)
7. Inside routes from opposite sites exchanged (higher metric)
8. Connections normally pass through local cluster members
9. On local cluster members failure, connections traverse remote site
(Diagram: Inside A at Site A and Inside B at Site B, each behind its local cluster members)
Virtual and Cloud Firewalls

Virtual ASA (ASAv)
• Fully featured ASA running as a virtual machine
• Multiple vCPUs (up to 4) and vNICs (up to 10) with VLAN tagging (up to 200)
• Virtualization benefits displace the need for multiple-context mode
• Active/Standby failover only; future clustering for connection state mobility
• Expanding virtual firewall use cases
• Protecting physical and VM communication on any interface
• Routed and transparent firewall modes
• VxLAN routing and bridging in ASA 9.4(1)
• VMware vSphere and KVM support today, more to follow
TrustSec

Software-Defined Segmentation with TrustSec
Traditional Security Policy: IP-address based ACL entries
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

TrustSec Security Policy, applied across the Network Fabric (Switch, Router, Wireless, DC FW, DC Switch):
• Security Control Automation
• Simplified Access Management
• Improved Security Efficacy
• Flexible and Scalable Policy Enforcement
TrustSec Concept
• Classification: ISE (with the Directory) classifies Users and Devices, e.g. a user gets SGT:5, Fin Servers get SGT = 4, HR Servers get SGT = 10
• SGT Propagation: the tag travels with the traffic across Switch, Router, DC FW and DC Switch
• Enforcement: at the DC FW / DC Switch in front of the servers

• Classification of systems/users based on context (user role, device, location, access method)
• Context (role) expressed as Security Group Tag (SGT)
• Firewalls, routers and switches use SGT to make filtering decisions
• Classify once – reuse result multiple times
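An added illustration of the classify / propagate / enforce flow above, written for this page and not taken from Cisco or the slides. The SGT values (4, 5, 10) are the slide's; the SGACL cells, the endpoint addresses and the roles are constructed.

```python
# Illustration of the TrustSec concept (not Cisco code): endpoints are
# classified once into Security Group Tags (SGTs), the tag travels with the
# traffic, and enforcement points filter on (source SGT, destination SGT)
# instead of on IP addresses.
from dataclasses import dataclass

# Classification as ISE would assign it; SGT values from the slide.
SGT_BY_ROLE = {"Fin Servers": 4, "User": 5, "HR Servers": 10}

# Constructed SGACL matrix: (src SGT, dst SGT) -> permitted (proto, port) list.
# Any (src, dst) cell not listed, or any service not listed, is denied.
SGACL = {
    (5, 4): [("tcp", 443)],   # users may reach finance servers over HTTPS
    (5, 10): [("tcp", 443)],  # users may reach HR servers over HTTPS
    (4, 10): [],              # finance servers -> HR servers: nothing permitted
}

@dataclass(frozen=True)
class Endpoint:
    ip: str      # carried only to show that enforcement never looks at it
    role: str

def classify(ep: Endpoint) -> int:
    """Classification, done once (e.g. by ISE): role -> SGT."""
    return SGT_BY_ROLE[ep.role]

def enforce(src_sgt: int, dst_sgt: int, proto: str, port: int) -> bool:
    """Enforcement at a switch, router or firewall using only the propagated tags."""
    return (proto, port) in SGACL.get((src_sgt, dst_sgt), [])

def check_flow(src: Endpoint, dst: Endpoint, proto: str, port: int) -> bool:
    """Full path: classify both ends, propagate the tags, enforce the SGACL."""
    return enforce(classify(src), classify(dst), proto, port)

def ip_acl_entries_needed(sources: int, destinations: int) -> int:
    """Traditional IP ACL: one ACE per (source host, destination host) pair."""
    return sources * destinations

def sgacl_entries_needed() -> int:
    """SGT policy: one cell per (src SGT, dst SGT) pair, independent of host count."""
    return len(SGACL)
```

Re-addressing a server changes nothing in the policy; only its classification matters.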
IDS and IPS in Data Center

Symmetric FirePOWER IDS (Passive) with RSPAN
1. Asymmetric traffic flows through data center switching infrastructure (vPC).
2. Switches mirror traffic at key intersection points into a Remote SwitchPort ANalyzer (RSPAN) VLAN.
3. RSPAN collection switch aggregates asymmetric flows and feeds them into an Etherchannel. Both directions of a flow select the same member link, with no NAT.
4. FirePOWER appliances process aggregated SPAN traffic in passive mode.
Active/Standby FirePOWER NGIPS (Inline)
1. Inline NGIPS appliances connect a set of North-South interfaces (VLAN 10 / VLAN 11). “Active” appliance passes all traffic by default.
2. “Standby” NGIPS appliance receives HA state updates and does not pass any production traffic by default.
3. North-South traffic is directed through “active” NGIPS interface set with floating static or lower-cost dynamic routed path.
4. North-South traffic is directed through “standby” NGIPS interface set through higher admin-distance static or higher-cost dynamic routed path after “active” NGIPS failure.
ASA Cluster with FirePOWER Services Module for NGIPS
1. ASA appliances with FirePOWER services modules are deployed as a Spanned Etherchannel cluster (vPC) to represent a single logical device.
2. Cluster member that gets the first packet for a connection assumes full processing ownership for all associated packets.
3. Clustering automatically redirects asymmetrically received packets to connection owner for full processing.
4. Local FirePOWER module has full visibility into the flow due to localized processing.
ASA Cluster with FirePOWER Appliances for NGIPS
1. ASA appliances are deployed as a Spanned Etherchannel cluster (vPC) to represent a single logical device operating in multiple-context mode.
2. An inline FirePOWER appliance attaches to each ASA cluster member in a context sandwich.
3. Clustering automatically redirects asymmetrically received packets to ASA connection owner for full processing.
4. Local FirePOWER appliance has full visibility into the flow due to localized processing. Optional EEM script on the switch speeds up failure detection.
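An added model of the ownership rule shared by the two ASA cluster designs above (services module and appliance variants): the member receiving a connection's first packet owns it, and packets the switch hashes to another member are redirected to the owner. This is illustration written for this page, not Cisco code; the Etherchannel hash and the addresses are constructed.

```python
# Illustration (not Cisco code) of connection ownership in a Spanned
# Etherchannel ASA cluster: the member that receives a connection's first
# packet owns it; packets of that connection delivered to another member are
# redirected to the owner, so the owner's local FirePOWER sees the whole flow.
import hashlib

def etherchannel_member(src_ip: str, dst_ip: str, members: int) -> int:
    """Constructed upstream-switch load-balancing hash. It is direction-
    sensitive, so the reply of a flow may land on a different member than
    the request did: this is the asymmetry the cluster has to absorb."""
    digest = hashlib.sha256(f"{src_ip}>{dst_ip}".encode()).digest()
    return digest[0] % members

def conn_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key so request and reply map to one connection."""
    ends = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return (proto, ends[0], ends[1])

class SpannedEtherchannelCluster:
    def __init__(self, members: int):
        self.members = members
        self.owner = {}       # connection key -> owning member index
        self.redirected = 0   # packets forwarded to their owner over the CCL

    def receive(self, src_ip, src_port, dst_ip, dst_port, proto="tcp") -> int:
        """Deliver one packet to the cluster; return the member that processes it."""
        arrived_at = etherchannel_member(src_ip, dst_ip, self.members)
        key = conn_key(src_ip, src_port, dst_ip, dst_port, proto)
        # First packet of a connection: the receiving member becomes the owner.
        owner = self.owner.setdefault(key, arrived_at)
        if owner != arrived_at:
            # Asymmetric packet: hand it to the owner so a single member does
            # the stateful processing and its FirePOWER sees both directions.
            self.redirected += 1
        return owner

def run_flow(cluster, client, server, cport=40000, sport=443):
    """Send a request and its reply; return (request member, reply member)."""
    req = cluster.receive(client, cport, server, sport)
    rep = cluster.receive(server, sport, client, cport)
    return req, rep
```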
NGIDS/NGIPS Solution Comparison

Solution | Use Case | Pros | Cons
FirePOWER IDS with RSPAN | Passive threat detection | Non-disruptive, easy to deploy | Inability to block attacks inline, no NAT support
Active/Standby FirePOWER Inline NGIPS Appliances | Inline attack prevention, protection | Easy to deploy | Single active device/path, routing dependency
ASA Cluster with FirePOWER Services | Integrated inline Threat Centric Security | Scalability, selective inspection, integration simplicity, CVD | Limited NGFW/NGIPS/AMP performance
ASA Cluster with FirePOWER Appliances | High performance inline Threat Centric Security | Scalability, NGFW/NGIPS/AMP performance, CVD | Relative complexity, cost
Firepower Threat Defense hardware and software

Converged Software – Firepower Threat Defense
New Converged Software Image: Firepower Threat Defense
• Contains all Firepower Services plus select ASA capabilities
• Single Manager: Firepower Management Center*
Same subscriptions as FirePOWER Services, enabled by Smart Licensing:
• Threat (IPS + SI + DNS)
• Malware (AMP + ThreatGrid)
• URL Filtering
* Also manages Firepower Appliances, Firepower Services (not ASA Software)

Converging code for Firepower Threat Defense
1. ASA
   • L2-L4 Stateful Firewall
   • Scalable CGNAT, ACL, routing
   • Application inspection
2. FirePOWER
   • Threat-centric NGIPS
   • AVC, URL Filtering for NGFW
   • Advanced Malware Protection
3. Firepower Threat Defense (FTD)
   • New converged NGFW/NGIPS image
   • Full FirePOWER functionality for NGFW/NGIPS deployments
   • ASA Datapath with TCP Normalizer, NAT, ACL, dynamic routing, failover functions
Platforms for Firepower Threat Defense
Next-Generation Firepower:
• Firepower 9300 (60-240 Gbps)
• Firepower 4100 (20-60 Gbps)
ASA 5500-X:
• ASA 5555-X (4 Gbps, 50K conn/sec)
• ASA 5545-X (3 Gbps, 30K conn/s)
• ASA 5525-X (2 Gbps, 20K conn/s)
• ASA 5516-X (1.8 Gbps, 20K conn/s)
• ASA 5508-X (1 Gbps, 10K conn/s)
• ASA 5506-X (750 Mbps, 5K conn/s)
Virtual:
• NGFWv (running FTD)
Deployment range: Teleworker, Branch Office, Internet Edge, Campus, Data Center
Next Generation Firewall (NGFW) Essentials
Cisco Collective Security Intelligence Enabled
• NGIPS
• Advanced Malware Protection
• URL Filtering
• High Availability
• Analytics & Automation
• Network Firewall: Routing | Switching
• Built-in Network Profiling
• Application Visibility & Control
• Identity-Policy Control & VPN
One Operating System + One Management
© 2015 Cisco and/or its affiliates. All rights reserved.
ACI Devices Role
• Spine Nodes: Bandwidth
• Leaf Nodes: Ports
• APIC Controller
• Service Producers and Service Consumers (e.g. “DB” and “App”)

In summary
(Diagram: CRM application with WEB, APP and DB endpoint groups, OUTSIDE, and NGFW / ADC service chains joined by Contracts)
What components bring security to an application policy?
• Endpoint Group (EPG): A set of endpoints (VMs/servers) with the same policy
• Contract: A set of rules governing communication between endpoint groups
• Service Graph/Chain: A set of network services inserted between endpoint groups
Cisco ACI Supports Flexible East-West Security Models
L4−7 Security via Cisco ACI™

L4 Stateless Security (Firewall at each Leaf Switch; Servers physical or virtual)
► L4 Distributed Stateless Firewall
• L4 Stateless Firewall attached to every server port
• Line rate policy enforcement
• Policy follows workloads

L4-7 Visibility and Control (Cisco ACI Service Graph; L4-7 Security Services physical or virtual, location independent)
► Service Graph
• Advanced protection with NGFW, IPS/IDS, DDoS services insertion
• Sizing at scale: can add ASA Cluster
• L4-7 security policy applied consistently for any workload
Cisco ACI Security Benefits
ACI Embedded Security
• « Zero Trust » Mode
• Segmentation within End Point Groups
• Service Graph Insertion & Built-in Multi-Tenancy
• Policy-driven Micro-Segmentation
• Intra End Point Group Isolation
+ Cisco Security
• ASA 5585-X, Firepower 4100 & 9300, ASA Virtual
• Trustsec Integration
• Firepower IPS
• Identity Services Engine & Trustsec
• StealthWatch
• Automated threat detection and response
Key Benefits
• Synch Security and End Point Groups for Consistent Policies
• Automatic Containment: React on events using APIs to quarantine a device or insert a new Security Policy
• Most Advanced Device Package: Automatic enforcement & removal of Security Policies
• Single Support: TAC for both ACI and Security portfolio
• A Proven Validated Design
Cisco Secure Data Center Solution Portfolio
Four Cisco Verified Designs:
• Secure Enclave Architecture
• ASA Clustering with Threat Management
• Cyber Threat Defense for Data Center
• FirePOWER Services with NextGen IPS

Converged Infrastructure
• Compute
• Storage
• Hypervisor (Flexpod, Vblock, VSPEX)
• Virtualization
• Infrastructure Mgmt
• Access Layer
• Secure Enclaves
Firewall Clustering
• TrustSec
• SXP
• Secure Group Tags
• Policy Enforcement
• SGACLs
• FWACLs
NextGen IPS in ASA Cluster
• Intrusion Prevention
• Defense Center / FireSIGHT Management
• Real Time Updates
• User Context
• Application Control
• URL Filtering
• Network-Based AMP
• End Point AMP (Client and Server)
Lancope Stealthwatch
• FlowCollector
• FlowSensor
• NetFlow
• NSEL (Network Security Event Logging)
Let’s get started
• A Combined Datacenter+Security Discussion
• Visit http://www.cisco.com/go/securedc
• Go to the Design Zone site (CVDs): http://www.cisco.com/go/designzone
cisco.com/go/security
trust.cisco.com