The Cisco Borderless Network Architecture is the technical architecture that allows organizations to connect anyone, anywhere, anytime, and on any device - securely, reliably, and seamlessly. Learn more about an infrastructure of scalable and resilient hardware and software in this presentation.
Keywords: Service Provider, enterprise, Mobile Endpoint and CPE, Virtualized Network Edge/Data Center Edge, Cloud
1. Monetizing The Enterprise: Borderless Networks. Michael Geller – Architect, SP Chief Technology Office; Kevin Shatzkamer – Distinguished Architect, Sales. September 27, 2011
2. Abstract. The impact of the consumerization of IT and mobility cannot be understated. The impact that these two key business elements have on the evolution of Enterprise Architecture and on Service Providers' ability to offer services to Enterprises, Governments, and Consumers is addressed in this webinar. The importance of the shift and movement of the secure network edge leads to a very close examination of the changing threat vectors and vulnerabilities impacting our businesses today. Service delivery and consumption on the three "service horizons" (Mobile Endpoint and CPE, Virtualized Network Edge/Data Center Edge, and the Cloud) is detailed.
3. Visibility and Control: Building a Secure Infrastructure for Profitable Services. Total Visibility in all aspects of your network. Complete Control over all traffic in the network & cloud. Guaranteed Availability of all services.
61. Historical reporting. Consolidated Views: Risk Score, Alerts, Top Ten Events, Virus & Compliance Status. Events View: customized view based on need. More focused approach: Online Events & Forensic view.
62. Threat Intelligence: Global Visibility. SIO Global Intelligence: researchers, analysts, developers; ISPs, partners, sensors; Applied Mitigation Bulletins. Cisco solution: ESA, WSA, IPS, ASA, Cisco AnyConnect. Largest threat analysis system, blended threat protection: 700K+ global sensors, 5 billion web requests/day, 35% of global email traffic, endpoint threat telemetry. Reputation, spam, malware and web category analysis, and applications classification.
63. Security Services Delivered To The Enterprise (diagram of service layers): Remote Access; Collaboration; Virtualization; Mobility; Secure Systems; Cloud; Device Forensics; Asset Mgmt; Device Security; Lock/Wipe; Zero Day AV; Encryption; Audit; Application Security; Web Application Coding/Hardening; Penetration; Service Mgmt.; Encryption; Content/Data Security; Email; Web; DLP; Data Gov.; Network/System Management; Identity; Alerting; Logging; Monitoring; Directories; Policy; VPN; Firewall; IDS/IPS; Network Security; APIs; Trusted System Infrastructure; Device; Compute; Storage; Network; Physical. * Based on common industry models by Gartner, SANS Institute and various customer interviews.
160. WAAS and ISR together accelerate performance (diagram: Secure VXI Data Center with N1K, VSG, ASA, Cat4K, Cisco ACE, McAfee MOVE-AV and WAAS DC; Remote/Home User over the Internet with AnyConnect w/ Split Tunnel carrying Secure Display Traffic; Campus with Dot1x/MAB, UPoE/PoE+, and Contractor, Employee, Finance, Database, Web and App roles; DC Network with Dot1x/MAB; Branch One and Branch Two over DMVPN with ISR-G2, WAE and WAAS Express carrying Display Traffic and Voice/Video).
163. Provide end-to-end security – access control, DAR encryption, app/ user/ content visibility, IPS, web security – and unified mgmt
165. Enables SPs and Cloud Providers to offer value-added pay-for-use services – networking, security – in virtualized form factor to their customers
166. Enables SPs to move services away from CPE ISRs to the cloud/provider edge, minimizing/simplifying mgmt (Phase 2).
167. Network Positioning System, Phase II – Distributed Placement (diagram: National Data Centers, Core, NPS, PE Routers, Orchestration System). 1. The Orchestration System requests capacity, which is available at multiple DCs. 2. Insufficient bandwidth and/or sub-optimal location to meet the SLA; NPS informs the best location(s) / PE routers. 3. Improves experiences, reduces operational and network costs.
168. Using Security Conductor for DDoS Attack Mitigation (diagram: SECOPS and NETOPS; Access/Aggregation Network, DC Control Point, IP/MPLS Network, Peering with other SPs and CPE; Security Policy Conductor with Policy Engine capabilities: Directory, Resource Manager, Dependency Tracker). Monitoring info: NetFlow, MIBs, logs for baselining, forensics and planning. Security apps: Visibility, Logging & Forensics, Incident Control. Steps: 1. Visibility apps gather physical and virtual interface traffic information. 2. Visibility apps build a network baseline and monitor traffic anomalies. 3. In case of an anomaly, they transfer information to the Security Incident Control application. 4. Incident Control apps inform SECOPS. 5. Incident Control performs a RTBH using BGP route insertion at the SP DC PE router; "Sinkhole" apps VMs are assigned for analysis. 6. Using the Security Conductor, security mitigation policies (ACL, QoS policers, etc.) are downloaded in the network. 7. Peering RTBH configured; Sinkhole apps activated on VMs; attack analysis; attack mitigation policies are downloaded in all applicable routers. 8. All visibility and mitigation information is sent for forensic analysis.
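The baseline-then-blackhole sequence on this slide, written out as an added example (not Cisco Security Conductor code): per-interface byte counts from constructed NetFlow-style records are baselined, a deviation from the baseline is flagged, the top destination of the anomalous interval becomes the victim, and the script emits the host route that incident control would insert for RTBH plus the policy the conductor would push. The interface name, addresses, discard next hop (192.0.2.1) and blackhole community (65000:666) are placeholders, and the thresholds are constructed.

```python
"""Baseline -> anomaly -> RTBH route insertion, as an added illustration.
All flow records, addresses and thresholds below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed 1-minute flow summaries: (interface, dst_ip, bytes).
# Ten quiet intervals form the baseline; the last one is a flood at 203.0.113.10.
BASELINE_INTERVALS = [
    [("Gi0/1", "203.0.113.10", 8_000_000 + i * 100_000),
     ("Gi0/1", "203.0.113.20", 5_000_000)]
    for i in range(10)
]
ATTACK_INTERVAL = [
    ("Gi0/1", "203.0.113.10", 900_000_000),
    ("Gi0/1", "203.0.113.20", 5_100_000),
]

# Placeholder: next hop that the PE router statically routes to a discard
# interface, so any /32 inserted with this next hop is dropped (RTBH).
RTBH_DISCARD_NEXT_HOP = "192.0.2.1"
RTBH_COMMUNITY = "65000:666"  # placeholder blackhole community


@dataclass
class Baseline:
    interface: str
    mean_bytes: float
    stdev_bytes: float


def interval_total(interval, interface):
    return sum(b for ifc, _, b in interval if ifc == interface)


def build_baseline(intervals, interface):
    """Step 2 of the slide: mean and standard deviation of per-interval bytes."""
    totals = [interval_total(rec, interface) for rec in intervals]
    return Baseline(interface, mean(totals), pstdev(totals))


def detect_anomaly(baseline, interval, k=3.0, floor_ratio=2.0):
    """Flag when the interval exceeds mean + k*sigma AND floor_ratio * mean.
    The floor keeps a near-zero sigma (very flat baseline) from firing on noise."""
    total = interval_total(interval, baseline.interface)
    threshold = max(baseline.mean_bytes + k * baseline.stdev_bytes,
                    floor_ratio * baseline.mean_bytes)
    return total > threshold, total, threshold


def top_destination(interval, interface):
    """The destination receiving most bytes in the anomalous interval."""
    per_dst = defaultdict(int)
    for ifc, dst, b in interval:
        if ifc == interface:
            per_dst[dst] += b
    return max(per_dst, key=per_dst.get)


def rtbh_announcement(victim_ip):
    """Step 5: the host route incident control inserts at the PE router."""
    return {"prefix": f"{victim_ip}/32", "next_hop": RTBH_DISCARD_NEXT_HOP,
            "community": RTBH_COMMUNITY, "no_export": True}


def mitigation_policy(victim_ip, policer_bps=1_000_000):
    """Step 6: ACL match plus policer the conductor would push (illustrative)."""
    return {"acl_match": f"ip any host {victim_ip}", "policer_bps": policer_bps}


def run_workflow(baseline_intervals, current_interval, interface="Gi0/1"):
    base = build_baseline(baseline_intervals, interface)
    anomalous, total, threshold = detect_anomaly(base, current_interval)
    event = {"interface": interface, "observed_bytes": total,
             "threshold_bytes": threshold, "anomalous": anomalous}
    if not anomalous:
        return {"event": event, "rtbh": None, "policy": None}
    victim = top_destination(current_interval, interface)
    event["victim"] = victim
    # Step 8: the event record itself is what goes to forensics.
    return {"event": event, "rtbh": rtbh_announcement(victim),
            "policy": mitigation_policy(victim)}


if __name__ == "__main__":
    print(run_workflow(BASELINE_INTERVALS, ATTACK_INTERVAL))
```

The blackhole is a /32 on purpose: RTBH discards all traffic to the victim, so the announcement should cover nothing more than the attacked host, and the script keeps the quiet-interval case (no route, no policy) as a separate return so a reviewer can see that no route is generated without an anomaly.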
172. VPATH to stitch and control VMotion (diagram: Loss of Control; Secure Cloud Services: ScanSafe (SAML), DLP, Cisco ID Connect; Business Needs: data-in-flight security, data-at-rest security; AnyConnect: VDI/VXI; VDC, DCI (OTV), VPLS/VRF …; Services: Virtual LB, FW; Multi-tenant Reference Architecture: VN-Link, LISP, SIA tags w/ HW assist, N1k, VSG PortProfile, vNetFlow, SAN).
173. Putting It All Together: HCS Unified Communications and Collaboration (diagram: ESX Servers hosting Customers 1–5 across Pure Hosted, Remote Managed, On Prem, Hybrid, and Dedicated / Private Network models).
Editor's Notes
To combat these sophisticated and increasing global threats, organizations need global visibility. Cisco Security Intelligence Operations provides a global view into security events that are happening on a global basis, and provides actionable information to provide proactive control and response to threats as they emerge. Cisco has the industry's largest threat analysis system that can deliver blended protection, across attack techniques and methods. It collects and analyzes data from an extensive network of sensors and devices to gather and analyze threat information and provide the context that can stop and prevent new attacks. Cisco SIO collects real-time security information from over 700,000 sensors Cisco has deployed across the globe. Information is gathered in real time across a wide spectrum of data types, including over 5 billion email messages and 3 billion web requests a day, traffic collected from Cisco security and network devices located in Cisco locations and from thousands of customers who have opted to share relevant network data, and data collected from millions of endpoint devices that have also opted in to share information. This data is fed into Cisco's twenty global security operations centers where it is collated and processed by a series of sophisticated algorithms and then analyzed by Cisco's team of over 500 security analysts. This information is converted into actionable information (threat vectors, mitigation responses, data integrity, source reputation, etc.) that is pushed out dynamically to Cisco customer security devices to ensure that they are providing the most critical, up-to-date protections against real threats.
This information is also provided to IT staff in the form of bulletins that provide detailed information on threats, trends, and appropriate protections and threat mitigation approaches that ought to be implemented. This data provides reputation data on email and web servers, classifies applications and web categories, and delivers this to the context-aware enforcement points across the network. So not only are the Cisco devices acting as sensors for SIO (firewall/intrusion prevention system/email/web/AnyConnect), they act as the powerful enforcement points that can block blended threats. And because SIO relies on the power of global correlation of real-time sensor data and provides timely updates, organizations are protected against new and fast-moving threats well ahead of signature-only approaches or products that do not have the depth of threat intelligence that SIO provides. The results are impressive. For example, by analyzing the sources of dangerous or malicious traffic, Cisco SIO is able to add a reputation profile to the Cisco IPS device that is analyzing traffic on the customer network. When low-level threats are detected, and that information is combined with a reputation profile of the data source which indicates that the source is highly untrustworthy, the IPS device is better able to make a decision about whether to monitor or block traffic. With SIO Global Correlation on IPS, they are able to detect and prevent twice as many threats as traditional signature-only IPS. Global Correlation also reduces the window of exposure to threats by 99% with near real-time updates to deployed IPS that help automatically filter out known bad actors while enhancing detection capabilities with the latest information on evolving threats. The addition of reputation scoring has increased the accuracy of IPS analysis by over 300%, making it the most accurate and up-to-date IPS solution in the industry.
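The reputation-weighted decision the note describes (a low-severity signature hit from a source with a bad reputation becomes a block, the same hit from an unknown source stays a monitor-only event), as an added example that is not Cisco's Global Correlation implementation: the score scale, weights, thresholds and the reputation feed are constructed, and the example also shows why feed freshness matters by ignoring stale reputation entries.

```python
"""Reputation-weighted IPS action selection (added illustration; scale,
weights, thresholds and feed contents are constructed, not Cisco's)."""
from dataclasses import dataclass

# Constructed reputation feed: ip -> (score, age_seconds).  Score runs from
# -10 (known bad actor) to +10 (trusted); age is time since the last update.
REPUTATION_FEED = {
    "198.51.100.7": (-9.0, 30),       # constructed: recently seen bot source
    "198.51.100.8": (0.0, 30),        # constructed: no history
    "203.0.113.50": (6.0, 30),        # constructed: trusted partner
    "198.51.100.9": (-9.0, 86_400),   # constructed: bad score, but a day old
}
MAX_FEED_AGE_S = 3600  # older entries are ignored: stale reputation misfires


@dataclass(frozen=True)
class Event:
    src_ip: str
    signature: str
    base_risk: int  # 0..100 from the signature's own severity/fidelity


def reputation_score(src_ip, feed, max_age_s=MAX_FEED_AGE_S):
    """Return the feed score for src_ip, or 0.0 if the ip is unknown or stale."""
    score, age = feed.get(src_ip, (0.0, 0))
    return score if age <= max_age_s else 0.0


def adjusted_risk(event, feed, weight=5.0):
    """Shift the signature's own risk by weight*score: a bad reputation raises
    it, a good one lowers it; clamp to the 0..100 range."""
    risk = event.base_risk - weight * reputation_score(event.src_ip, feed)
    return max(0.0, min(100.0, risk))


def decide(event, feed, block_at=90.0, alert_at=60.0):
    """Map adjusted risk to an action: deny (drop inline), alert, or monitor."""
    risk = adjusted_risk(event, feed)
    if risk >= block_at:
        return "deny", risk
    if risk >= alert_at:
        return "alert", risk
    return "monitor", risk


def triage(events, feed):
    """Decide every event; the tuple is what would be logged for review."""
    return [(e.src_ip, e.signature, *decide(e, feed)) for e in events]


if __name__ == "__main__":
    sample = [Event(ip, "low-severity probe", 50) for ip in REPUTATION_FEED]
    for row in triage(sample, REPUTATION_FEED):
        print(row)
```

Two design points worth checking in any real deployment of this pattern: the reputation term is additive and clamped, so a trusted source can lower but never zero out a high-fidelity signature hit, and an entry older than `MAX_FEED_AGE_S` contributes nothing, which is the safe failure mode when updates stop arriving.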
This diagram is based on common industry models used by analysts and security professionals. As you can see by the elements in blue, Cisco is uniquely able to leverage both security and network devices, services, and solutions to provide a level of visibility and control simply unmatched in the industry. It is important to recognize that security is far less effective when it exists within its own vacuum, and being able to leverage endpoints and the infrastructure (including mobile devices, virtualized environments, and the cloud) to provide both actionable, context-based intelligence and distributed enforcement provides a powerful integrated and collaborative approach to security. This approach is perfectly suited to address the issues and concerns being faced by IT administrators today, which are not about which firewall is best, but rather: how do I control access to my network? How do I secure mobile workers? And how do I securely add new critical services such as cloud, virtualization, and collaboration tools like voice and video to my network?
User might be mobile, in a branch, … linking ISR G2 as a CPE
For example, consider a scenario during the FIFA World Cup: there might be a sudden increase in requests for video highlights from people overseas trying to follow the games.
Cloud Computing is application-centric. Whilst your customers talk about apps in the cloud and how to transfer workloads, it is essential to "talk their language" but at the same time underpin your competitive differentiators with your assets and heritage. Your infrastructure assets such as IP NGN and Data Center will allow you to do just that.