The Cisco Borderless Network Architecture is the technical architecture that allows organizations to connect anyone, anywhere, anytime, and on any device - securely, reliably, and seamlessly. Learn more about an infrastructure of scalable and resilient hardware and software in this presentation. Keywords: Service Provider, enterprise, Mobile Endpoint and CPE, Virtualized Network Edge/Data Center Edge, Cloud

1. Monetizing The Enterprise:Borderless Networks Michael Geller – Architect, SP Chief Technology Office Kevin Shatzkamer – Distinguished Architect, Sales September 27, 2011

2. Abstract The impact of the consumerization of IT and mobility cannot be understated. The impact that these two key business elements have on the evolution of Enterprise Architecture and for Service Provider’s ability to offer services to Enterprises, Governments, and Consumers is addressed in this webinar. The importance of the shift and movement of the secure network edge leads to a very close examination of the changing threat vectors and vulnerabilities impacting our businesses today. Service delivery and consumption on the three “service horizons,” (Mobile Endpoint and CPE, Virtualized Network Edge/Data Center Edge, and the Cloud) is detailed.

3. Visibility and Control Building a Secure Infrastructure for Profitable Services Total Visibilityin all aspects of your network. Complete Control over all traffic in the network & cloud. Guaranteed Availability of all services.

5. Firewall

6. IDS/IPS

7. IPSEC VPN

8. BNG (Subscriber Controls)

9. SSL VPN

10. Trust and Identity

11. Web/Content Security

12. Email Security

14. Control Plane Security

15. Data Plane Security

16. Firewall

17. IDS/IPS

18. IPSEC VPN

19. DHCP—subscriber

20. SSL VPN

21. Trust and Identity

22. Web/Content Security

24. IDS

25. Encryption (IPSEC & SSL)

26. Trust & Identity

27. Email Security

28. Web/Content Security

29. NAC

31. IDS

32. IPSEC & SSL VPN

33. Host Security

34. Control Plane Security

35. Forwarding Plane Security

36. Email Security

37. Web/Content Security

39. UCS: Software based Security Services (FW, VPN, …)

40. Nexus 7k Security Services Mod

41. vWAAS

42. Enterprise-Hosted Ironport Web/Content/Email Security/DLP

43. Scansafe Web Security

45. Intrusion Detection/Prevention

46. VM Security & Nexus 1000V

47. Anomaly detection/Scrubbing

48. Policy Control Plane

49. Firewall & XML Firewall

50. Web/Content/Email SecurityOne Time Services Security Operations Center Enterprise Security Experts SOC Processes SOC Toolsets SIO, Platform Telemetry, 3rd party rules and systems, Regulatory Policy & Influence

52. White label logo and style branding

53. RBAC – Role-based-access-control

54. Customizable dashboard for different roles

55. Share information between SP & customers

56. Services catalogue

57. Knowledge base

58. Real-time threat dashboard

59. SLA tracking dashboard

60. Forensic

61. Historical reportingConsolidated Views: Risk Score, Alerts, Top Ten Events, Virus & Compliance Status Events View: Customized view based on need. More focused approached: Online Events & Forensic view

62. Threat IntelligenceGlobal Visibility SIO GLOBAL INTELLIGENCE Researchers, Analysts, Developers ISPs, Partners, Sensors Researchers, Analysts, Developers Applied Mitigation Bulletins ESA ESA WSA IPS ASA Cisco AnyConnect CISCO SOLUTION Largest Threat Analysis System - Blended Threat Protection 700K+ Global Sensors 5 Billion Web Requests/Day 35% Of Global Email Traffic Endpoint Threat Telemetry Reputation, Spam, Malware and Web Category Analysis, and Applications Classification

63. Security Services Delivered To The Enterprise Remote Access Collaboration Virtualization Mobility SECURESYSTEMS Cloud DEVICE FORENSICS Asset Mgmt DEVICE SECURITY Lock/Wipe Zero Day AV Encryption AUDIT APPLICATION SECURITY Web Application Coding/Hardening Penetration SERVICE MGMT. Encryption CONTENT/ DATA SECURITY Email Web DLP DATA GOV. NETWORK/ SYSTEMMANAGEMENT IDENTITY Alerting Logging Monitoring Directories POLICY VPN Firewall IDS/IPS NETWORK SECURITY APIs TRUSTED SYSTEM INFRASTRUCTURE Device Compute Storage Network Physical * Based on common industry models by Gartner, SANs Institute and various customer interviews

64. Anyconnect Secure Mobility (Enterprise) Branch Office Corporate Office IronPort WSA ASA Cisco IntegratedServices Routers ISE TrustSec

66. Simplified remote access

67. Connection and app persistence

68. Always-on VPN enforcement

69. Location-aware policy

70. Application controls

71. SaaS Access Control

72. Per User Subscription Model

73. Portal for Provisioning/ForensicsAnyConnect Cius / SmartPhone Smart Branch vOptimization vLoad Balancing HCS & IaaS Anyconnect Secure Mobility-SP Mgd.

75. VPN (IPSEC & SSL)

76. Trust & Identity

77. Email Security

78. Web/Content Security

79. Anti-Malware

80. WAN Optimization

81. SBC (CUBE Ent.)

82. WaaS

83. DPISecure Places In The Network: Summary Anyconnect (Policy) Private Cloud Mobility Mobile Endpoint & CPE Internet & Inter-Cloud Virtualized Network/DC Edge DSL Public & Partner Cloud SP DC/Cloud Fixed Wireless Cable Security Infrastructure Policy, Trust & Identity Services Consumer/SoHo Enterprise Defense In Depth - Common ASA Code Base SIO, SecOps (SmartOps, Tools, Ecosystem)

85. VPN (IPSEC & SSL)

86. Trust & Identity

87. Email Security

88. Web/Content Security

89. Anti-Malware

90. WAN Optimization

91. SBC (CUBE Ent.)

92. WaaS

94. Evolution of The ISR G2

95. Connecting the CPE to the cloud

96. ASA & Identity FW

97. IronportESA/WSA

98. DPI & Visibility

99. Identity Services & PolicySecure Places In The Network: Horizon 1Mobile Endpoint & CPE Anyconnect (Policy) Mobility Mobile Endpoint & CPE DSL Fixed Wireless Cable Consumer/SoHo Enterprise

101. Integration into IaaS Service Orchestration

103. Hosted Web content protection (ScanSafe) & Email Protection …

105. Focus on Application Optimization …

106. Security services upsell opportunityWAAS Express Dedicated Router Module DC + vWaaS

108. SmartOps for CPE – NOC White labeling or BOT Models

111. Video Optimized ISR G2 Bundle

112. Integration of ISR G2 into Video Architectures like Telepresence

113. Optimized delivery of Video

116. E2E Flow Characteristics

117. Real-Time Metering

118. User

119. Device

120. Health

121. Location

122. Reputation (future)

123. Application

124. Network Services

125. Server

126. DC Resources

127. Service Level

128. Virtual Desktop+ + + +

130. VPN (IPSEC & SSL)

131. Trust & Identity

132. Email Security

133. Web/Content Security

134. Anti-Malware

135. WAN Optimization

136. SBC (CUBE Ent.)

137. WaaS

139. ASR 1k – Multitenancy and DC Edge

140. IOS-XE on a VM

141. Virtual Appliance + Physical Application

142. Hosted Content, Email, Web Security

144. VSG and vASA

145. IOS-XE on a VM

146. vWaaS

147. CCN & Service Orchestration

148. vESA/vWSA

149. DPI & Visibility

150. Network Proximity

151. Partner EcosystemSecure Places In The Network: Horizon 2&3Network and DC Edge + DC/Cloud Private Cloud Mobility Internet & Inter-Cloud Virtualized Network/DC Edge DSL Public & Partner Cloud SP DC/Cloud Fixed Wireless Cable Consumer/SoHo Enterprise

152. Cisco Products Cisco VXI:Virtualized End-to-End System Virtualized Data Center Virtualized Collaborative Workspace Generic VDI No support for UC or Rich Media Desktop Virtualization Software Cisco Clients WAAS Applications /Desktop OS AnyConnect MS Office Hypervisor Cisco Collaboration Applications Cius Business Tablets Virtualization-Aware Borderless Network Virtual Security Gateway Routing ASA Cisco Virtualization Experience Clients Unified CM Nexus 1000v ACE Thin Client Ecosystem WAAS UCS Quad Storage Hypervisor Compute PoE Switching End-to-End Security, Management and Automation CDN

154. Device profiling and posture assessment using ISE ensures conformance

155. UPoE and PoE+ provide de-cluttered and energy efficient virtual workspace

156. 802.1x based device and user authentication

157. Trustsec allows policy based access to specific applications in Data Center

158. Unmanaged devices (BYOD) only allowed access to specific Virtual desktop pools and applications

159. DMVPN allows secure, dynamic and direct branch to branch collaboration

160. WAAS and ISR together accelerate performanceSecure VXI Data Center Remote/Home User N1K N1K Internet Anyconnectw/ Split Tunnel SecureDisplay Traffic VSG VSG Campus ASA Contractor Finance Data Base Web Cat4K Employee App Dot1x/MAB DC Network Dot1x/MAB WAAS DC Campus UPoE/PoE+ Branch One DMVPN WAE Display Traffic Voice/Video ISR-G2 Branch Two DMVPN WAAS Express McAfee MOVE-AV Cisco ACE

162. Enable secure split tunneling, bypassing expensive MPLS/ private IP network backhauling

163. Provide end-to-end security – access control, DAR encryption, app/ user/ content visibility, IPS, web security – and unified mgmt

165. Enables SPs and Cloud Providers to offer value-added pay-for-use services – networking, security – in virtualized form factor to their customers

166. Enables SPs to move services away from CPE ISRs to the cloud/ provider edgeand minimizing/ simplifying mgmtPHASE 2

167. Network Positioning System 1 Capacity at Multiple DCs 3 National Data Center National Data Center NPS Orchestration System Requests Capacity - available at Multiple DCs 1 National Data Center Core 2 Insufficient Bandwidth and / or sub-optimal location to meet SLA 2 NPS informs bestlocation(s) / PE Routers 3 Improves Experiences, Reduces Operational and Network Costs Phase II – Distributed Placement

168. Using Security Conductor for DDoS Attack Mitigation Forensics SECOPS, NETOPS SECOPS Monitoring Info: Netflow, MIBs, Logs for Baselining, Forensics and Planning 4 Security Apps Visibility Logging & Forensics Incident Control 2 3 1 Access / Aggregation Network DC Control Point 8 Visibility Apps Gather Physical and Virtual Interface traffic information Visibility Apps builds a Network Baseline and monitors and traffic anomalies In case of an anomaly it transfer information to Security Incident Control Application Incident Control Apps informs SECOPS Incident Control performs a RTBH using BGP route insertion at SP DC PE router. “Sinkhole” Apps VMs assigned for analysis Using the Security Conductor, security mitigation policies (ACL, QoSPolicers, etc) are downloaded in the network All Visibility and Mitigation information is sent for Forensic analysis 5 Policy Engine Capabilities Directory Resource Manager Dependency Tracker IP/MPLS Network Security Policy Conductor 7 6 Peering RTBH configured Sinkhole Apps activated on VMs Attack Analysis Other SPs CPE Attack Mitigation Policies are downloaded in all applicable routers

170. Visbility, Forensics, Governance

171. VM-VM security, Routing policies in VM

172. VPATH to stitch and control VMotionLoss of Control Secure Cloud Services Scansafe (SAML), DLP, Cisco ID Connect Business Needs Data-in-flight security Data-at-rest security Anyconnect: VDI/VXI VDC, DCI (OTV), VPLS/ VRF ….. Services: Virtual LB, FW Multi-tenant Reference Architecture VN-Link, LISP, SIA tags w/HW assist, N1k, VSG PortProfile, vNetFlow, SAN

173. Putting It All Together: HCS Unified Communications and Collaboration ESX Server ESX Server ESX Server Customer 1 Customer 2 Customer 3 Customer 4 Customer 5 Pure Hosted Remote Managed On Prem Hybrid Dedicated / Private Network