Segurança em SDN (Security in SDN)

Presentation given by Fernando Zamai, Cisco Security consultant, at #GartnerSYM.

  1. Security in SDN (Segurança em SDN). Fernando Zamai, Security Consulting, fzamai@cisco.com. © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
  4. Data Center Architecture: Physical, Virtual, Industrial.
  5. Physical Data Center (before 2006).
  6. Physical DC: Top-of-Rack network (diagram). Labels: Internet/WAN; L3 connection; L2 connection; north-south; east-west; ACLs; firewall contexts; VLAN; broadcast; IDS.
  7. Physical Data Center: Most Common Attacks. Viruses (1990–2000) and worms (2000–2005): • phishing • low sophistication • motivated by fame • destructive • network impact • e.g. Code Red.
  9. Physical DC: Contexts (diagram). Labels: VLAN1, VLAN2, VLAN3; Application 1, Application 2, Application 3; Server Load Balancer; Firewall. Each application sits in its own VLAN and is served by its own firewall and load-balancer context.
  10. Virtual Data Center (2007-2012).
  11. Virtual DC: VM Mobility (diagram). Labels: POD or rack limitation; DC with PODs; Virtualized Data Center.
  12. Virtual DC: Attack Types. Spyware and rootkits (2005–2013): • birth of the hacking industry • obfuscation techniques.
  13. Fabric = one large non-blocking switch (diagram: hosts 1–7 attached to the fabric).
  14. Fabric ≅ one large non-blocking switch (diagram: hosts 1–7 attached to line cards (LC) backed by fabric modules (FM), i.e. the fabric drawn as a single chassis).
  15. Virtual DC: FabricPath (diagram). Labels: Internet/WAN; edge; border leaves; spines; leaves; rack; blade server; UCS; L3 connection; L2 connection; FabricPath.
  16. Physical Firewall (diagram). Labels: border leaf; L3 connection; L2 connection; FabricPath; vPC (Virtual Port Channel); firewall clustering: high performance with advanced inspection.
  17. Challenges of Virtual Networks (diagram: a host with NICs and a vSwitch, VMs running App/OS, and the network perimeter). • VMs in the wrong VLANs • no visibility • illicit communication between VMs • different policies • virtual DMZ? • STP for HA???
  18. Cisco Nexus 1000V for Multi-Hypervisor Environments (diagram). A Virtual Ethernet Module with vPath and VXLAN on WS2012 Hyper-V, on KVM/OpenStack and on ESX; virtual appliances: Virtual Supervisor Modules, vWAAS, VSG, ASAv, NS1000V; physical appliance: Cloud Service Platform hosting vNAM, VSG, primary VSM, NS1000V and a second unit hosting vNAM, VSG, secondary VSM, NS1000V; DC network.
  19. Industrial Data Center (after 2013).
  21. Attack Types. APTs and cyberwarfare (2013–today): • sophisticated code • defense evasion • multiple techniques • lateral spread.
  22. Valid Customer Questions. How do we apply the same security policy to physical and virtual machines? How do we provision networks automatically and securely? How do we get visibility into application traffic?
  23. ACI Components. Application Centric Infrastructure = Application Policy Infrastructure Controller (APICs) + Nexus 9000 switches + ecosystem.
  24. ACI and 3-Tier Applications (diagram). An Application Network Profile: External Clients → Web → App → DB, with a connectivity policy (P) between each adjacent pair, each policy combining QoS with a filter or a service. The web tier may be several VMs; the app tier is a mix of physical and virtual machines; the DB tier is mostly physical resources. P = connectivity policy; the profile as a whole is “the application”.
  25. ACI and 3-Tier Applications (diagram build-up, continued on slides 26 and 27).
  28. Policy Modeling and Policy Instantiation (diagram). The model: Client → Web Tier → App Tier → DB Tier → Storage. APIC instantiates the model onto the actual VMs (addresses on the slide: 10.2.4.7, 10.9.3.37, 10.32.3.7) and storage.
  29. Visibility (graphic: a threat hidden in plain sight).
  30. FirePOWER + ACI across the attack continuum. BEFORE: discover, protect. DURING: detect, block, defend. AFTER: record, contain, remediate. Capabilities: segmentation and isolation via EPGs; granular application visibility and control; automatic security insertion (NGIPS, NGFW); visibility & detection; micro-segmentation for quarantine (AVS); advanced malware protection. Applies to servers, virtual machines and containers.
  32. FirePOWER 9300 - Security Services Platform (NEW, 3RU). Multi-services: best-of-breed Cisco security + 3rd party (ASA | NGFW | NGIPS | DDoS | other security apps). Ultra-high performance: industry-leading performance per RU, 600% higher performance, intelligent fastpath enabled, low-latency ready. High port density: 30% higher, terabit backplane, 10G/40G I/O, 100G ready. Flexible programmability: RESTful/JSON API, template-driven security service profiles, secure containerization for custom apps. Power efficiency: modular architecture, front-to-back airflow, NEBS ready, universal PSU (AC/DC), compact form factor.
  33. Firepower 9300 Overview. Security Modules (up to 3): • SM-36 “Extreme”: 72 x86 CPU cores (up to 80 Gbps of firewalled throughput) • SM-24 “Enterprise”: 48 x86 CPU cores (up to 60 Gbps of firewalled throughput) • Cisco (ASA) and third-party (Radware DDoS) applications. Supervisor: • application deployment and orchestration • network attachment and traffic distribution • clustering base layer for ASA/FTD. Network Modules: • 10GE/40GE and future 100GE • hardware bypass for inline NGIPS.
  34. Reference (book table of contents). Chapter 1: Definition of virtualization and data center concepts. Chapter 2: Evolution of Ethernet, common network topologies and the ANSI/TIA-942 standard. Chapter 3: VLANs and VRFs. Chapter 4: Server load balancing and virtual contexts. Chapter 5: VDCs. Chapter 6: vPC and FabricPath. Chapter 7: FEX. Chapter 8: EoMPLS, VPLS and OTV. Chapter 9: Storage concepts, SCSI and virtualization. Chapter 10: Fibre Channel concepts and VSANs. Chapter 11: FCIP, IVR and NPV. Chapter 12: DCB and FCoE. Chapter 13: Evolution of servers (x86, virtualization and UCS). Chapter 14: UCS Service Profiles. Chapter 15: Nexus 1000V, VXLAN and VM-FEX. Chapter 16: vPath, VSG, ASA 1000V, vWAAS and CSR 1000V. Chapter 17: Cloud computing concepts, automation, SDN.
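The EPG-and-contract model behind slides 24, 28 and 30 (model the policy as tiers plus what may talk to what, instantiate it onto endpoints, and quarantine a compromised endpoint by moving it to a locked-down group) is shown below as an added example written by the editor. It is not code from the deck, from Cisco, or from the APIC data model. Assumptions: the EPG names, the TCP ports, the traffic sample, the client and remediation addresses, and which tier each address from slide 28 belongs to.

```python
"""ACI-style whitelist policy for a three-tier application.

Editor's added example, not code from the slides, from Cisco, or from APIC.
Endpoints are placed in EPGs; a new connection between two EPGs is permitted
only if a contract between them carries a matching filter, and everything
else is dropped. EPG names, ports, flows and tier assignments are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Filter:
    """One entry of a contract filter: L4 protocol and destination port."""
    proto: str
    dport: int


@dataclass(frozen=True)
class Contract:
    """The consumer EPG may open connections to the provider EPG on these filters."""
    consumer: str
    provider: str
    filters: Tuple[Filter, ...]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


class AppProfile:
    """A tiny Application Network Profile: EPG membership plus contracts."""

    def __init__(self) -> None:
        self.epg_of: Dict[str, str] = {}      # endpoint address -> EPG name
        self.contracts: List[Contract] = []

    def attach(self, endpoint: str, epg: str) -> None:
        """Instantiate the policy for one endpoint by placing it in an EPG."""
        self.epg_of[endpoint] = epg

    def add_contract(self, consumer: str, provider: str, *filters: Filter) -> None:
        self.contracts.append(Contract(consumer, provider, tuple(filters)))

    def decide(self, flow: Flow) -> Tuple[str, str]:
        """Return ('permit' | 'deny', reason) for a new connection attempt.

        Simplifications versus real ACI: only the forward direction is checked
        (ACI installs the reverse-port rule for replies), and intra-EPG traffic
        is always permitted, which is also ACI's default.
        """
        src_epg = self.epg_of.get(flow.src)
        dst_epg = self.epg_of.get(flow.dst)
        if src_epg is None or dst_epg is None:
            return "deny", "endpoint not in any EPG"
        if src_epg == dst_epg:
            return "permit", f"intra-EPG {src_epg}"
        for c in self.contracts:
            if c.consumer == src_epg and c.provider == dst_epg:
                for f in c.filters:
                    if f.proto == flow.proto and f.dport == flow.dport:
                        return "permit", f"{c.consumer}->{c.provider} {f.proto}/{f.dport}"
        return "deny", f"no contract lets {src_epg} reach {dst_epg} on {flow.proto}/{flow.dport}"

    def quarantine(self, endpoint: str, epg: str = "quarantine") -> str:
        """Micro-segmentation: move a compromised endpoint into a quarantine EPG.

        Its former contracts stop applying; only contracts written for the
        quarantine EPG (here: towards a remediation host) remain usable.
        Returns the EPG the endpoint came from.
        """
        previous = self.epg_of[endpoint]
        self.epg_of[endpoint] = epg
        return previous


def build_three_tier() -> AppProfile:
    """Model the policy (slide 28, left): tiers and what may talk to what."""
    p = AppProfile()
    p.add_contract("external", "web", Filter("tcp", 443))
    p.add_contract("web", "app", Filter("tcp", 8080))
    p.add_contract("app", "db", Filter("tcp", 3306))
    p.add_contract("quarantine", "remediation", Filter("tcp", 22))
    # Instantiate it (slide 28, right) onto concrete endpoints.
    p.attach("203.0.113.10", "external")   # constructed client address
    p.attach("10.2.4.7", "web")            # addresses from slide 28; tiers assumed
    p.attach("10.9.3.37", "app")
    p.attach("10.32.3.7", "db")
    p.attach("10.50.0.9", "remediation")   # constructed
    return p


def evaluate(profile: AppProfile, flows: List[Flow]) -> List[str]:
    return [profile.decide(f)[0] for f in flows]


SAMPLE_FLOWS = [                                     # constructed traffic
    Flow("203.0.113.10", "10.2.4.7", "tcp", 443),    # client -> web: permitted
    Flow("10.2.4.7", "10.9.3.37", "tcp", 8080),      # web -> app: permitted
    Flow("10.9.3.37", "10.32.3.7", "tcp", 3306),     # app -> db: permitted
    Flow("203.0.113.10", "10.32.3.7", "tcp", 3306),  # client -> db: no contract
    Flow("10.2.4.7", "10.32.3.7", "tcp", 3306),      # web -> db skips a tier
    Flow("10.2.4.7", "10.9.3.37", "tcp", 22),        # web -> app on the wrong port
]


if __name__ == "__main__":
    prof = build_three_tier()
    for f in SAMPLE_FLOWS:
        print(f"{f.src:>14} -> {f.dst:<10} {f.proto}/{f.dport:<5}", *prof.decide(f))
    # A compromised web VM is quarantined: it loses its path to the app tier
    # and can only reach the remediation host.
    prof.quarantine("10.2.4.7")
    print(prof.decide(Flow("10.2.4.7", "10.9.3.37", "tcp", 8080)))
    print(prof.decide(Flow("10.2.4.7", "10.50.0.9", "tcp", 22)))
```

The point of the model is the default: a flow with no contract is denied, so "VMs in the wrong VLAN" and "illicit communication between VMs" from slide 17 become policy violations the fabric refuses rather than things an operator has to notice. Quarantine is just another EPG assignment, which is why it can be automated from a detection event.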