
Hosted Security as a Service - Solution Architecture Design



The Hosted Security as a Service session provides an in-depth discussion of cloud-based security services leveraging Cisco security solutions. This session is appropriate for service providers who are interested in delivering managed security services to their customers from their cloud infrastructure. We will provide detailed designs and guidance on:
- cloud security services including FW, VPN, web and email services
- architecture layers through the influence of NfV and SDN
- KVM and VMware based solutions
- orchestration flexibility and options
- Day 0 and Day 1 provisioning
- Day 2 monitoring and reporting




  1. Hosted Security as a Service – Solution Architecture and Design
     Albra Welch – Security Solutions Architect, SBG; Michael Geller – Principal Engineer, CTAO
     May 19, 2016, session T-SP-30-I
     © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
  2. Objectives
     • This session targets hosted security services for Enterprises and Service Providers
     • Understand the impact of orchestration and automation for hosted security
     • Cool applications of elastic security services delivered from the cloud
     • Performance and scalability considerations
     • Security services with NfV and SDN
     • Future-thinking applications of security from the Cloud to YOUR network
  3. Agenda
     • Introduction
     • The Hosted Security Service Architecture
     • Architecture
     • HSS: Architecture
     • vMS: Architecture
     • vMS: Demo
     • HSS: Demo
     • Conclusion
  4. Agenda (repeat of slide 3)
  5. Session Description
     This session provides an in-depth discussion of cloud-based security services leveraging Cisco security solutions. It is appropriate for service providers who are interested in delivering managed security services to their customers from their cloud infrastructure. We will provide detailed designs and guidance on:
     • Cloud security services including FW, VPN, Web, Email and Routing services
     • Architecture layers through the influence of NfV and SDN
     • Orchestration flexibility and options
     • Day 0 and Day 1 provisioning
     • Day 2 monitoring and reporting
  6. Security as a Service Architecture (diagram)
     • Stack, top to bottom: OSS/BSS integration → service intent → orchestration → security services (VPNaaS, FWaaS, IPSaaS, WSaaS, ESaaS, IDaaS, DDoSaaS)
     • Customer CPE with its local LAN reaches the SP cloud over managed access (IPSec VPN); mobile users use unmanaged access (AnyConnect SSL remote-access VPN)
     • Per-tenant WSAv, ESAv and ASAv and/or CSR1000v in the SP cloud; public IP address space toward the Internet (Amazon, Salesforce, Internet sites)
  7. IT Transformation
     • More devices and more apps mean the attack surface has increased, and attack tools are evolving too
     • Do more with less
     • Users will get stuff done any way they can
     • The hardware we use has never changed so fast
  8. MSSP Market Segmentation (source: Frost and Sullivan, Global Managed Security Services Market, March 2015)
     Managed Security Services segments:
     • SAMM (Security Asset Monitoring and Management), split into Customer Premises Equipment (CPE)-based SAMM and Hosted SAMM
     • TRIDR (Threat Research, Intelligence, Detection and Remediation)
     • RCM (Risk and Compliance Management)
     • AEM (Advanced and Emerging MSS)
  9. Where Do Managed Security Services Live?
     • Public: AWS, Google, Azure, etc.
     • Private: SP infrastructure
     • Hybrid: mix of public and private
     Seamless end-to-end experiences across workload sizes and types are required regardless of app, service or environment; secure flexibility is the critical requirement.
  10. Evolution of Managed Security Services: Premise to Cloud (diagram)
     • Managed CPE: all functions (routing, switching, NAT, DHCP, AP, voice, NGFW, VPN, IPS, web, email, malware, context) run on the customer premises CPE
     • Hybrid: the CPE keeps switching, AP, voice, routing, NAT, DHCP and a local NGFW/VPN; IPS, web, email, malware and context services move to the SP
     • Cloud: only switching, AP and voice remain on premises; routing, NAT, DHCP, NGFW, VPN, IPS, web, email, malware and context are delivered from the SP cloud
  11. Cloud-Based Security Service Offerings
     • SP Hosted Security Cloud: VPN, FW, NGFW, NGIPS, AMP, Web Security and Email Security as a Service, offered either as pre-packaged NFV security service bundles (vMS) or à la carte as Hosted Security as a Service (HSS)
     • SaaS, Cisco Managed Security Cloud: Cloud Web Security (CWS) and Cloud Email Security (CES), which the SP/MSSP resells to enterprises
  12. Comparison of Cloud-Based Security Service Offerings

     | Attribute | HSS (SP managed security cloud) | vMS, e.g. Cloud VPN (SP managed security cloud) | Cisco Managed Security Cloud Services |
     |---|---|---|---|
     | Services | Flexible à la carte security services: VPN, firewall, web security, email security or any combination bundle | Pre-packaged NFV security services: Cloud VPN, Cloud VPN + Web Security | SaaS: web security or email security |
     | Delivery model | SP hosted within a virtual private cloud | SP hosted within a virtual private cloud | Public cloud, Cisco hosted; SP acts as a reseller or MSSP |
     | Pricing model | SP price per bandwidth usage with per-user add-on | SP price per bandwidth usage with per-user add-on | Price per user |
     | SP CapEx costs | Infrastructure + security software + orchestration | Infrastructure + security software + orchestration | None |
     | SP OpEx costs | Yes: data center operation + service operation | Yes: data center operation + service operation | Reduced |
     | Reporting / log data | Owned by SP, stays in SP DC | Owned by SP, stays in SP DC | Centralized in Cisco cloud / local log |
     | Orchestration / management | With third-party tools (e.g. UBIqube) | Cisco Tail-f orchestration, with NFV service chaining | Cisco turnkey service, transparent to SP |
     | Cloud platform | Cisco VMDC/VSA, VMware | OpenStack with KVM | Transparent to SP |
  13. $7.2B Market Opportunity: cloud service delivery shows higher growth, but CPE-based is still growing (two charts: Worldwide Cloud-Based Service Revenue Share by Technology and Worldwide CPE-Based Service Revenue Share by Technology, CY10–CY19, revenue in US$ billions, broken down into content security, managed firewalls, other security services, DDoS mitigation and IDS/IPS). Source: © 2015 IHS / Infonetics Research, Cloud and CPE Managed Security Services Market Size and Forecasts, March 2015.
  14. Technical Drivers and Challenges

     | Driver | Challenge |
     |---|---|
     | Scalability | Scale to support increasingly large numbers of transactions and sites |
     | Sizing, capacity planning | Challenges in sizing the service delivery platform and virtual CPE platforms |
     | Pay-as-you-grow solution | High cost / upfront investment impacts service ROI |
     | Ease of deployment and service agility | Complexity limits service adoption and the addressable market |
     | Ease of operation | Management solutions that require service operations staff to perform complex and frustrating tasks across disparate management systems |
     | Business and technical view | Business-focused reporting versus technically oriented reporting |
  15. Service Needs

     | Category | Requirement |
     |---|---|
     | Management | Multi-tenant / multi-role / API for integration with existing SP OSS/BSS tools |
     | Customer web portal | Customer self-service portal for service monitoring and self-care change management |
     | Hardware | Low CapEx / OpEx integrated solution |
     | Bandwidth | Up to multi-Gb per customer tenant |
     | Malware / anti-virus update | In-service upgrades without service interruption |
     | Performance monitoring | Monitor traffic profile and virtual appliance health for capacity planning purposes |
     | Security policy management | Centralized management of security policies |
     | Virtualization | Solution must be available as a virtual appliance for private and public cloud deployment |
     | Data retention | Service management platform needs to support data retention policies |
     | Security event and incident management | Centralized event and incident management |
     | Security reporting | Custom security reports for security appliances |
  16. Cisco Business Case Modeling to Predict ROI, TCO and Profit (diagram): market segment (tenant) input parameters, business and system input parameters and service pricing feed the model; the output is service provider revenue and profit
  17. Focus of Service Creation Team: Service Discovery and Service Creation Workshops, part of the wider process of building services (diagram)
     • Stages: Discovery (identify/qualify the opportunity) → Envision cloud service → Build cloud service → Market and sell cloud service
     • Activities: service portfolio country planning; service discovery workshop; per-service exec sponsorship; service creation (SC) workshop; partner selection; business case; proposal; partner qualification; solution design; service development lifecycle; operation and service delivery; marketing plan; marketing; sales enablement; sales engagement
     • Ownership: Cisco leads, joint CSP and Cisco, or CSP or Cisco AS leads, depending on the activity
  18. Cisco Security Vision and Strategy: Covering the Entire Attack Continuum
     • Before: control, enforce, harden
     • During: detect, block, defend
     • After: scope, contain, remediate
     Services across the continuum: DDoS visibility / mitigation services, firewall, NGFW, secure access + identity services, VPN, UTM, NGIPS, web security, email security, advanced malware protection, network behavior analysis, malware sandboxing, vulnerability assessment
  19. Agenda (section divider; same list as slide 3)
  20. Security as a Service Architecture
     • Infrastructure: hypervisor, compute, storage
     • Services layer, per tenant: Tenant 1 – FWaaS, WSaaS, ESaaS; Tenant 2 – NGFW/IPSaaS, VPNaaS, IDaaS; Tenant 3 – FWaaS, DDoSaaS
     • Orchestration layer: policy, analytics, reporting
     Security service examples: FWaaS – Firewall as a Service; VPNaaS – Virtual Private Networking as a Service; NGFW/IPSaaS – Next Generation Firewall and Intrusion Prevention System as a Service; WSaaS – Web Security as a Service; ESaaS – Email Security as a Service; IDaaS – Identity as a Service; DDoSaaS – Distributed Denial of Service Mitigation as a Service
  21. Firewall as a Service: FW-aaS (ASAv or CSR1000v; centralized management and reporting)
     Firewall support:
     • Stateful inspection
     • Application inspection
     • Network address translation
     • Encrypted traffic inspection
     • Protocol inspection
     Advanced firewall:
     • Identity-aware policy enforcement
     • Malware traffic detection and blocking
     • Botnet traffic filter
     • Voice and video security
     Per-throughput and per-feature service pricing
  22. Firewall-aaS Tiers Example (summary): service tiers Bronze, Silver and Gold across the feature categories NAT address translation, stateful inspection, high availability and advanced management, mapped to the Before/During/After attack continuum. The per-tier inclusion marks did not survive extraction.
  23. Firewall-aaS Tiers Example (reference slide; tiers Bronze/Silver/Gold; legend: included / option; per-tier marks not recoverable)
     • Network Address Translation: NAT/PAT
     • Stateful Inspection: L3 firewall; transparent firewall; proxy authentication; application hosting private zone; application control (IM, peer-to-peer); voice security support
     • High Availability: within SP data center; between SP data centers
     • Management: customer self-service portal; streamlined management; auto-generated reporting; custom reporting; data log retention (1 month); extended data log retention (>1 month)
  24. VPN as a Service: VPN-aaS (ASAv or CSR1000v; centralized management and reporting)
     VPN services:
     • Site-to-site VPN through the Internet
     FW VPN services:
     • Remote access VPN
     • IPSec, SSL VPN
     • Session persistence (always-on VPN)
     Per-throughput, per-user service pricing
  25. VPNaaS Tiers Example (summary): service tiers Bronze, Silver and Gold across the feature categories customer site to cloud IPSec VPN service, remote access VPN, high availability and advanced management, mapped to Before/During/After. Per-tier inclusion marks not recoverable.
  26. VPNaaS Tiers Example (reference slide; tiers Bronze/Silver/Gold; legend: included / option; per-tier marks not recoverable)
     • Customer Site to Cloud IPSec VPN Service: support for multiple crypto policies (DES, 3DES, AES, ...); pre-shared key VPN authentication; digital certificate VPN authentication; multiple classes of service / traffic prioritization policies
     • Remote Access VPN: IPSec-based remote access VPN; clientless SSL remote access VPN; client-based SSL remote access VPN; authentication integration with the enterprise's RADIUS, LDAP and AD servers; basic authentication (username and password); strong / token-based authentication; digital certificate based authentication
     • High Availability: active/passive within SP data center; active/active within SP data center; active/passive between SP data centers; active/active between SP data centers
     • Management: customer self-service portal; streamlined management; auto-generated reporting; custom reporting; data log retention (1 month); extended data log retention (>1 month)
  27. Web Security as a Service: WS-aaS (WSAv; centralized management and reporting)
     • Anti-malware protection
     • Web content analysis
     • Web usage controls
     • Application visibility
     • Bi-directional control
     Per-user pricing model driven by features
  28. Web Security-aaS Tiers Example (summary): service tiers Bronze, Silver and Gold across the feature categories real-time threat protection services, acceptable use services, policy control, high availability and advanced management, mapped to Before/During/After. Per-tier inclusion marks not recoverable.
  29. Web Security-aaS Tiers Example (reference slide; tiers Bronze/Silver/Gold; legend: included / option; per-tier marks not recoverable)
     • Real Time Threat Protection Services: web reputation filtering; malware scanning
     • Acceptable Use Services: web URL monitoring by category; web URL filtering (blocking); web application monitoring; web application control; SaaS access control; transparent user authentication; Advanced Malware Protection
     • Policy Control: granular access and control policies; remote access user control policies
     • High Availability: within SP data center; between SP data centers
     • Management: customer self-service portal; streamlined management; auto-generated reporting; custom reporting; data log retention (1 month); extended data log retention (>1 month)
  30. Email Security as a Service: ES-aaS (ESAv; inbound and outbound security control; centralized management and reporting)
     • Inbound security: virus and malware defense; spam defense
     • Outbound control: data loss prevention; secure messaging (encryption)
     Per-user pricing model driven by features
  31. Email Security-aaS Tiers Example (summary): service tiers Bronze, Silver and Gold across the feature categories inbound email protection, outbound email protection, policy control, high availability and advanced management, mapped to Before/During/After. Per-tier inclusion marks not recoverable.
  32. Email Security-aaS Tiers Example (reference slide; tiers Bronze/Silver/Gold; legend: included / option; per-tier marks not recoverable)
     • Inbound Email Protection: reputation scoring and SMTP blocking; anti-spam; outbreak filters, Sophos anti-virus; inbound email content filtering; quarantine; Advanced Malware Protection
     • Outbound Email Protection: anti-virus; outbound email content filtering; integrated RSA data loss prevention (DLP); RSA Enterprise Manager integration (enterprise provided); large-volume quarantine
     • Policy Control: granular policy control; roaming users protection
     • High Availability: within SP data center; between SP data centers
     • Management: self-service portal; streamlined management; auto-generated reporting; custom reporting option; data log retention (1 month); extended data log retention (>1 month)
  33. NGFW/IPSaaS Tiers Example (summary): service tiers Bronze, Silver and Gold across the feature categories application visibility and control (NGFW), threat protection (NGIPS), high availability and advanced management. Per-tier inclusion marks not recoverable.
  34. NGFW/IPSaaS Tiers Example (reference slide; tiers Bronze/Silver/Gold; legend: included / option; per-tier marks not recoverable)
     • Application Visibility and Control (NGFW): network, user and application discovery; application traffic filtering; URL filtering; file blocking (block xyz file type)
     • Threat Protection (NGIPS): IPS basic threat protection services (SNORT signatures); IPS premium security signatures and content; security intelligence feeds; AMP (Advanced Malware Protection – disposition from the cloud/policy)
     • High Availability: configurable "fail open" (appliance only); "Fastpath" and trust rules (exclude/include velocity)
     • Management: streamlined management; IPS signature update; advanced/custom reporting; automated policy tuning – advanced/custom policy tuning; event correlation – customized event correlation services; impact analysis
  35. Agenda (section divider; same list as slide 3)
  36. Hosted Security as a Service (HSS)
     • Enables Cisco partners to deliver security services from their cloud infrastructure or as a managed private cloud offering
     • Cisco's virtual security appliance products (ESAv, WSAv, ASAv, CSR1000v, ...) and third-party products
     • Comprehensive management system using UBIqube as the security domain manager: fulfillment; assurance; northbound API for integrating with cloud orchestration solutions
     • Solution supported with IaaS solutions: VMDC 2.3 and VSA 1.0
     • Platform based on Cisco Unified Computing System (UCS)
     • Flexible deployment models
  37. HSS Architecture
     • Delivered from the service provider's infrastructure
     • UBIqube MSActivator used as the Security Domain Manager
     • Orchestration software interfaces with the native appliance configuration mechanisms
     • All customer data lives inside the SP cloud environment
     • Security in virtual form factor available today
     Layers (diagram): infrastructure (VMware ESXi on Cisco UCS with storage); services layer with multi-tenant security appliances per tenant (e.g. WSAv, ASAv and ESAv for tenants 1 and 2, CSR1Kv for tenant 3); orchestration layer (policy, analytics, reporting) integrated with the SP's existing orchestration, reporting and billing infrastructure through provisioning, reporting and billing APIs
  38. HSS on VSA 1.0 Expanded Gold Container with ASAv, WSAv and ESAv (diagram)
     • Tenant 1 site (AD, DNS, MS Exchange) reaches the SP over an MPLS VPN or IPSec VPN into a customer VRF on an ASR9000; Tenant 1 mobile workers arrive from the Internet via the global routing table
     • Nexus 5000/7000/9000 L2 fabric with a shared transit VLAN and per-tenant VLANs; ASA5585X at the edge
     • Tenant 1 container: virtual machines on UCS with an ASAv (interfaces gi0/1 to gi0/7 plus mgmt0/0), WSAv and ESAv; a tenant private zone (private tier 1/2/3 VMs) and a tenant DMZ zone
     • SP management zone holds UBIqube and vCenter (management interface M1)
     • Redundant nodes are not shown
  39. Same topology with a CSR1Kv in place of the ASAv (interfaces gi1 to gi8) (diagram)
  40. Same topology with both CSR1Kv and ASAv in the Tenant 1 container (diagram)
  41. Customer-hosted email, inbound flow: inbound mail from the Internet passes through the tenant's ESAv in the SP cloud before delivery to MS Exchange at the customer site (diagram)
  42. SP-hosted email, inbound flow: MS Exchange runs in the Tenant 1 private zone in the SP cloud (diagram)
  43. Web traffic flow, explicit proxy: the WSAv is set up as the web proxy on the user's endpoint (diagram)
  44. Web traffic flow, transparent redirection: policy-based routing in the ASAv redirects web traffic to the WSAv (diagram)
  45. Web traffic flow, transparent redirection: WCCP in the CSR1Kv redirects web traffic to the WSAv (diagram)
  46. HSS VSA 1.0 Components

     | HSS component | Version | Required / Recommended / Optional |
     |---|---|---|
     | ASAv | 9.52(204) | Required |
     | WSAV | 9-0-1-162 | Required |
     | ESAV | 9-7-1-066 | Required |
     | AnyConnect | 4.2 | Required |
     | UBIqube MSActivator | 15.3.2 | Recommended |
     | Virtual Services Architecture | 1.0 | Recommended |
  47. VSA 1.0 Expanded Gold Container

     | VSA 1.0 component | Version | HSS alternatives | Required / Recommended / Optional |
     |---|---|---|---|
     | Unified Computing System (UCS) B-Series | 2.2(3d) | UCS B or C | Required |
     | UCS C-Series | 1.5(1f) | UCS B or C | Required |
     | ASR 9000 | IOS XE 5.1.2 | Cisco 7600 / ASR 1000 / ASR 9000 | Recommended |
     | Nexus 7000 | NX-OS 6.2(2) | Nexus 7000 / Nexus 9000 | Recommended |
     | Nexus 5000 | NX-OS 6.0(2)N2(6) | | Recommended |
     | UCS 6200 | NX-OS 5.2(3)N2(2.23g) | | Recommended |
     | NetApp FAS8020 | ONTAP 8.1 | NetApp, EMC or VMware virtual SAN | Recommended |
     | VMware vSphere | 5.5.0 Build 1623387 | | Required |
     | VMware vCenter | 5.5.0 Build 2183111 | | Required |
  48. HSS on VMDC 2.3 Expanded Gold Container (diagram): the customer site (AD, DNS, MS Exchange) connects over an MPLS VPN into a customer VRF on an ASR1006; a Nexus 7004 carries the customer private outside VRF, customer private inside VRF and customer DMZ VRF; an ASA5585X provides the customer private and DMZ contexts and an ASA5555 terminates remote access VPN; UCS compute with Citrix/F5 load balancers hosts the per-tenant WSAV and ESAV VMs; VLANs are a shared transit VLAN, per-tenant VLANs, three private zone VLANs and one VLAN each for DMZ 1 and DMZ 2; the SP management zone holds UBIqube and vCenter (management interface M1). Redundant nodes are not shown.
  49. HSS Security Domain Management (section title)
  50. About UBIqube
     • UBIqube is a privately funded network software specialist
     • MSActivator™ = automated device configuration and service orchestration framework: any device, any service, any vendor
     • Sales presence in Europe, USA, ME, Far East, India
     • Partners: network and security vendors, OSS vendors, MSPs
     • Customers: service providers, enterprises (multivendor IT security management)
  51. HSS Security Domain Manager – UBIqube MSActivator (diagram)
     • Southbound interface protocols: SSH, Telnet, SNMP, Syslog, HTTP, FTP, OpenFlow, NetFlow, TR-069, VOIP
     • OBMF mediation layer with device adaptors built on the SDK; each adaptor exposes update conf, restore conf, get asset and update firmware
     • Northbound: web portal GUI; service profiles and service designer (templates and objects); 3rd-party OSS/BSS integration through web services verbs and a web services API with order stack management
  52. MSActivator Adaptable Framework (diagram)
     • Northbound API toward the service provider's third-party tools; the service designer and service orchestrator drive network provisioning, security policy provisioning, VIP provisioning and cloud provisioning
     • Service designs SDK: adapt or create new functions over the MSA framework (analytics, services, etc.) with a web-based object editor and central repository; a couple of days per service
     • Adaptor SDK: integrate new devices (physical and virtual), vendor syntaxes and protocols over the MSA framework (PHP based); a couple of weeks per vendor
     • OBMF™ core engine with physical and virtual device adaptors
  53. MSA Features Highlighted (platform, mediation and portal)
     • Telco-grade scalability
     • Modular building blocks
     • Multi-vendor
     • Multi-tenant (RBAC)
     • Highly abstracted provisioning
     • Day 0 (ZTD) to Day 2 change management
     • Brownfield deployment
     • Comprehensive APIs
     • Flexible platform via open SDK
     • Auto order → activation
     • Network and services inventory
     • Big data analytics
     • Customer self-service
     • Network operation center
     • Partitioned views
     • Enable remediation by lower-skilled operators
     • Customizable by language, look and feel
     • Centralized control and workflow automation
54. Multi-Tenant – Multi-Roles
Role hierarchy shown on the slide, top to bottom:
• Privileged Administrator (ncroot)
• Administrators A, B and C, each owning a tenant
• Privileged Managers (PM1, PM2) and Managers (M1, M2) at the customer level (customers shown: Wells Fargo, ABC Tech, YTT Corp)
• Operators (ABC, DEF) at the site level (Site1, Site2, Site4)
• Devices at the leaves
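As an added example (not UBIqube or MSActivator code), the following Python models the role hierarchy on this slide as a scoped, deny-by-default authorization check: a principal carries one role and one scope node, and a request is allowed only if the role permits the action and the target device sits beneath the scope. The role names, action names and the sample tenants, customers and sites are assumptions chosen to mirror the slide.

```python
# Added example, not UBIqube or MSActivator code: scoped RBAC for the
# tenant -> customer -> site -> device hierarchy. Role names, action names
# and the sample hierarchy are assumptions made for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Node:
    kind: str                        # "root" | "tenant" | "customer" | "site" | "device"
    name: str
    parent: Optional["Node"] = None

    def ancestors(self) -> List["Node"]:
        """This node and every node above it, leaf first."""
        node, chain = self, []
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain


# Actions each role may perform (assumed; the slide only names the roles).
# "manage_users" is withheld from managers and operators so that delegation
# of access stays with administrators.
ROLE_ACTIONS = {
    "privileged_admin": {"read", "remediate", "provision", "manage_users"},
    "admin":            {"read", "remediate", "provision", "manage_users"},
    "manager":          {"read", "remediate", "provision"},
    "operator":         {"read", "remediate"},
}

# The hierarchy level at which each role may be scoped.
ROLE_SCOPE_KIND = {"privileged_admin": "root", "admin": "tenant",
                   "manager": "customer", "operator": "site"}


@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    scope: Node

    def __post_init__(self):
        # Reject mis-scoped assignments (an operator scoped to a whole tenant,
        # say) when the principal is created, not during authorization.
        if ROLE_SCOPE_KIND.get(self.role) != self.scope.kind:
            raise ValueError(f"{self.role} cannot be scoped to a {self.scope.kind}")


def authorize(principal: Principal, action: str, target: Node) -> bool:
    """Deny by default: the role must allow the action AND the target must
    sit beneath the principal's scope node."""
    if action not in ROLE_ACTIONS.get(principal.role, set()):
        return False
    return principal.scope in target.ancestors()


def visible_devices(principal: Principal, devices: List[Node]) -> List[Node]:
    """The partitioned view: only devices the principal may at least read."""
    return [d for d in devices if authorize(principal, "read", d)]


# Constructed hierarchy modelled on the slide.
ROOT = Node("root", "ncroot-scope")
TENANT_A = Node("tenant", "Tenant A", ROOT)
TENANT_B = Node("tenant", "Tenant B", ROOT)
WELLS_FARGO = Node("customer", "Wells Fargo", TENANT_A)
ABC_TECH = Node("customer", "ABC Tech", TENANT_A)
YTT_CORP = Node("customer", "YTT Corp", TENANT_B)
WF_SITE1 = Node("site", "Site1", WELLS_FARGO)
ABC_SITE1 = Node("site", "Site1", ABC_TECH)
ABC_SITE4 = Node("site", "Site4", ABC_TECH)
YTT_SITE1 = Node("site", "Site1", YTT_CORP)
DEVICES = [
    Node("device", "wf-site1-fw", WF_SITE1),
    Node("device", "abc-site1-rtr", ABC_SITE1),
    Node("device", "abc-site4-rtr", ABC_SITE4),
    Node("device", "ytt-site1-fw", YTT_SITE1),
]

NCROOT = Principal("ncroot", "privileged_admin", ROOT)
ADMIN_A = Principal("Administrator A", "admin", TENANT_A)
MANAGER_M1 = Principal("M1", "manager", ABC_TECH)
OPERATOR_ABC = Principal("Operator ABC", "operator", ABC_SITE1)
```

The check walks up from the device, so the two sites both named "Site1" are never confused: each node compares by its full parent chain. Pushing scope and role into the principal at creation time keeps the per-request decision to two tests, which is what makes the partitioned portal views cheap to compute.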
55. Agenda
• Introduction
• The Hosted Security Service Architecture
• Architecture
• HSS: Architecture
• vMS: Architecture
• vMS: Demo
• HSS: Demo
• Conclusion
56. Securing the Application Delivery
• Security is all about two concepts: visibility and control
• Threats are mitigated as close to the source as possible
• Security services are dynamically chained together and instantiated to form a service chain to mitigate a specific threat and/or to provide a managed security service on distributed compute resources
• Threat defense provides a distributed capability to mitigate threats, targeted at the network, the data center, the cloud and the applications they serve
Diagram spans: endpoints and customer premises equipment (cable or DSL, enterprise, mobility), the SP virtualized network edge, the service provider data center and cloud, private cloud, public and partner cloud, the Internet and Intercloud.
57. Background, Goal Defined, Goal Realised
Background:
• Service immediacy and speed
• Freedom of choice, service customization
• Personalized experience, user in charge
• Consumption-based economics
• Bring your own device, craft your own design
Goal defined:
• Automated service delivery simplicity and efficiency ("IT-less")
• Automated service creation, high cadence of new services
• Self-service creation and reporting
• Elasticity of network and compute resources
• Open architecture, extensibility
Goal realised (architecture diagram):
• Orchestration layer, network service lifecycle management: service models; soft real-time service-to-device mappings; event driven; creation of cloud devices; discovery of devices; network topology
• Network layer, control and data planes: physical devices, virtual devices, CPE devices
58. Evolution of Managed Services – Premise to Cloud
• Network functions on the CPE: L3 "classic" CPE; L2 NID; L3 CPE plus x86 on premise; simple L3 CPE with x86 on premise
• Network functions from the cloud (SP hosted): virtual network functions
• Applications from the cloud (SP hosted or public cloud): cloud application containers
• Network connecting premise to cloud: secure IP overlays, MPLS (L2/L3), Carrier Ethernet, intelligent/hybrid
• Cloud options: Cisco Cloud, SP private cloud, virtual private cloud, public cloud
59. Virtual Managed Services
Common software elements: flexible network access models; common service orchestration and automation; consistent portal and service dashboard; instrumentation.
Virtual network functions and services: vRouter, vFirewall, vWSA; Cloud VPN, Cloud IWAN, Remote Access; vRouter with WaaS, AVC and PfR.
Diagram: branch offices and business locations connect over secure broadband, dedicated Internet or secure MPLS to the service provider cloud, and through it to HQ, private cloud, public cloud and the Internet.
60. Customer Experience in Brief
1. Order / customize your services
2. CPE ships (if needed)
3. CPE is connected (if needed)
4. Orchestration occurs automatically
Result: the customer VPN service is up and running between the customer site (10.12.162.x in the diagram) and the service provider cloud, with Internet access.
61. vMS Value-Adds: Developing Managed Services on the Platform
• A Service Blueprint is an abstract representation of a service that can be ordered through the UI or the northbound API
• Every Service Blueprint is associated with a given Service Offering
• A Function Pack is the set of components needed to instantiate a given service request: the service topology model (VirTo), written in YANG, modelling the "intent" to instantiate a particular service offering; instantiation logic; device models; device drivers
• A Service API is exposed northbound from the VirTo model (automatically created at compile time)
• A Service Request is the user calling the model with defined variables according to the service
• The orchestrator is already aware of all service models that may be requested; these are preloaded into the orchestrator
Diagram flow: Service Request -> Service API -> compiled infrastructure -> Function Pack (service topology model, instantiation logic, device models, device drivers).
62. vMS Orchestration Component Mapping
• NSO Orchestrator (VNF-O): exposes the service APIs and customer-facing services to the operator portal and OSS/BSS, and resource-facing services toward the VNF manager
• ESC (VNF-M)
• OpenStack (VIM), with an SDN controller and OVS or VTF as the data center overlay
• VNFs: CSR, ASAv, WSAv
• Physical ISR at the customer premises; SSH is shown as the management protocol toward the physical ISR and the VNFs
63. End User Portal: Exposing Service Blueprints to the Operator
• The orchestration process can be kicked off through a portal
• The portal is aware of the different Service Blueprints that can be exposed to an operator
• The values selected in the service selection process result in the subsequent API call into NSO (the portal is the customer-facing input boundary, so the back end should validate these values against the blueprint before handing them to the orchestrator)
• The portal was developed as two modules:
  • Front end: skinned to the customer's requirements
  • Back end: modified to support the Service Blueprints that can be orchestrated
64. vMS VNF-O: NSO from Tail-f
• PnP Server / Open PnP: open method for zero-touch deployment (ZTD) of ISR and x86 devices
• Transactional database (CDB): allows full CRUD on services
• Service Manager: interprets the service intent with the service instantiation rules and derives configuration deltas
• Mapping controller: maps the service intent to the derived device topology, known as "Fastmap"
• Device Manager: manages derived and validated configurations in a transactional manner toward the derived infrastructure
• Network Element Drivers: abstract the interfaces to the devices, allowing 3rd-party infrastructure to participate in service instantiation
• Service models written in YANG abstract the service from the underlying physical devices
• Domain controllers are reached over REST/NETCONF/YANG
65. vMS VNF-M: Elastic Services Controller (ESC)
• Components: rules engine; service monitor (custom, DHCP, SNMP, Ganglia); service provisioning; scale up/down elasticity; custom Day 0 config; VM provisioning and configuration module
• VNF bring-up and initial configuration application; multi-vendor support
• Confd allows modular, data-model-driven communication with NSO
• Affinity rules and scale requirements for the VNF components; ESC also manages the startup sequences
• ESC uses a multidimensional approach to VNF monitoring and restartability
• A programmable interface (NSO API) to ESC allows functional interaction with ESC subcomponents
• Targets: OpenStack and public clouds
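The monitoring, elasticity and affinity bullets above describe a decision loop that the slide only names. The following Python is an added example, not Cisco ESC code, of such a loop: each VNF instance is watched by more than one monitor (an SNMP reachability probe and a custom health script here), an instance is only restarted when both monitors fail in the same cycle so that one flapping probe cannot bounce a VNF, average load across the healthy instances drives scale-out or scale-in within the policy bounds, and an anti-affinity rule refuses to place two instances of the same VNF on one host. The thresholds, monitor names, host names and the sample cycle are assumptions constructed for the example.

```python
# Added example, not Cisco ESC code: a small rules engine in the spirit of ESC's
# multidimensional VNF monitoring. Thresholds, monitor names, host names and the
# sample data are assumptions constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Sample:
    snmp_up: bool        # SNMP monitor: the agent answered this cycle
    health_ok: bool      # custom monitor: application-level health script passed
    load: float          # 0.0 .. 1.0 utilisation reported for this instance

@dataclass
class ScalePolicy:
    min_instances: int
    max_instances: int
    scale_out_above: float   # average load that triggers scale-out
    scale_in_below: float    # average load that triggers scale-in

@dataclass
class VnfGroup:
    name: str
    placement: Dict[str, str]   # instance id -> host
    hosts: List[str]            # hosts this group may be placed on
    policy: ScalePolicy
    counter: int = 0            # used to mint new instance ids

def pick_host(group: VnfGroup):
    """Anti-affinity: a host running no instance of this group, or None."""
    used = set(group.placement.values())
    return next((h for h in group.hosts if h not in used), None)

def decide(group: VnfGroup, samples: Dict[str, Sample]) -> List[Tuple[str, ...]]:
    """Evaluate one monitoring cycle and return the actions to take."""
    actions: List[Tuple[str, ...]] = []
    # Restartability: both monitors must fail in the same cycle before an
    # instance is restarted, so one flapping probe cannot bounce a VNF.
    for inst, s in samples.items():
        if not s.snmp_up and not s.health_ok:
            actions.append(("restart", inst))
    healthy = [s for s in samples.values() if s.snmp_up or s.health_ok]
    if not healthy:
        return actions            # no basis for an elasticity decision
    avg_load = sum(s.load for s in healthy) / len(healthy)
    n, pol = len(group.placement), group.policy
    if avg_load > pol.scale_out_above and n < pol.max_instances:
        host = pick_host(group)
        if host is None:
            actions.append(("scale_out_blocked", "no host satisfies anti-affinity"))
        else:
            group.counter += 1
            new_id = f"{group.name}-{group.counter}"
            group.placement[new_id] = host
            actions.append(("scale_out", new_id, host))
    elif avg_load < pol.scale_in_below and n > pol.min_instances:
        # Retire the least loaded instance that is not already being restarted.
        restarting = {a[1] for a in actions if a[0] == "restart"}
        candidates = [i for i in samples if i in group.placement and i not in restarting]
        if candidates:
            victim = min(candidates, key=lambda i: samples[i].load)
            del group.placement[victim]
            actions.append(("scale_in", victim))
    return actions

def example_cycle():
    """Constructed cycle: one ASAv instance dead, the surviving one saturated."""
    group = VnfGroup("asav", {"asav-1": "host-a", "asav-2": "host-b"},
                     ["host-a", "host-b", "host-c"],
                     ScalePolicy(min_instances=1, max_instances=3,
                                 scale_out_above=0.75, scale_in_below=0.25), counter=2)
    samples = {"asav-1": Sample(snmp_up=False, health_ok=False, load=0.0),
               "asav-2": Sample(snmp_up=True, health_ok=True, load=0.9)}
    return group, decide(group, samples)
```

In the constructed cycle the dead instance is restarted and, because the remaining healthy instance is saturated, a third instance is placed on the one host that does not already run this VNF. When no such host exists the scale-out is reported as blocked rather than silently violating the anti-affinity rule, which is the case an operator dashboard needs to surface.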
66. vMS VIM: OpenStack, OVS and SDN Controller
• OVS will be supported by ODL in a coming release
• A common Neutron plugin gives an upgrade path on the SDN controller
Diagram: Nova and image management; Neutron ML2 plugins (OVS plugin, ODL plugin); the ODL controller (model driven, MD-SAL) programming OVS or VPP; VNF ports attached to the MGMT, External, Internal and Edge networks toward the Internet; NSO (with Confd) and ESC on the management network.
67. vMS Use Cases and Their Service Topologies
68. vMS Release 2.0: Delivering Comprehensive Cloud VPN Services
Cloud VPN services:
• 3 service models for enterprise deployment flexibility: CloudVPN Foundation; CloudVPN Advanced; CloudVPN Advanced with Web Security
• vIPS option for both Advanced and Advanced with Web Security
• CSR1Kv: virtual router for site-to-site VPN with secure IP overlay, using FlexVPN/IKEv2 for the IPsec tunnels
• ASAv: vFW with NAT and policy (*)
• ASAv: vFW with IPsec/SSL remote access (*)
• WSAv for enhanced web security (*)
Management and orchestration:
• Enterprise admin service interface (portal) driven service instantiation
• Zero-touch deployment of enterprise CPE (ISR G2)
• Model-driven network services lifecycle management with Network Services Orchestrator (NSO) from Tail-f
• VNF lifecycle management with Elastic Services Controller (ESC)
• Virtual infrastructure management with OpenStack, featuring OVS and ODL/VPP as SDN controllers
Topology diagram: customer CPEs (Cust-A, Cust-B, Cust-C) reach the service provider cloud over the Internet on FlexVPN links (IPsec VPN service access). Foundation uses a virtual router (VR) only, with direct Internet access via "split tunnel"; Advanced adds an ASA for Internet access and remote access; Advanced with Web Security adds a WSA. Orchestration components: NSO (NFV orchestrator, with PnP and VirTo RFS APIs), ESC (VNF manager) and OpenStack (virtual infrastructure manager); the CPE-managed orchestration link is also shown.
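Slides 61 and 64 describe the mechanism in the abstract (a service request against a YANG model, the Service Manager deriving configuration deltas, the Device Manager committing them transactionally, "Fastmap" mapping intent to the device topology), and this slide names the concrete service it is applied to. The following Python is an added example, not Cisco NSO or vMS code, that carries a CloudVPN Foundation intent through those steps: one CSR1Kv hub and a list of customer sites are mapped to per-device configuration blocks, only the blocks that differ from each device's running configuration are pushed, and the push is all-or-nothing across every device. It also refuses weak IKEv2 parameters before any device is touched. The intent fields, the Device stand-in and the FlexVPN/IKEv2 command text are assumptions: the commands follow IOS-XE syntax as this author knows it and are illustrative, so verify them against current documentation before use.

```python
# Added example, not Cisco NSO or vMS code: a Fastmap-style mapper for the CloudVPN
# Foundation service. Intent fields, the Device stand-in and the FlexVPN/IKEv2 command
# text are assumptions (IOS-XE style, illustrative; verify against current docs).
from dataclasses import dataclass
from typing import List

ALLOWED_ENCRYPTION = {"aes-gcm-256", "aes-gcm-128"}   # assumed SP crypto policy
ALLOWED_DH_GROUPS = {19, 20, 21}                       # ECP groups only

@dataclass
class Site:
    name: str             # doubles as the device name of the site CPE
    cpe_wan_ip: str       # public address of the site CPE
    hub_tunnel_ip: str    # hub end of the /30 tunnel subnet
    cpe_tunnel_ip: str    # CPE end of the /30 tunnel subnet
    psk: str              # pre-shared key; in practice fetched from a secret store

@dataclass
class CloudVpnIntent:
    hub: str              # device name of the CSR1Kv in the SP cloud
    hub_wan_ip: str
    encryption: str
    dh_group: int
    sites: List[Site]

class Device:
    """Stand-in for an NSO-managed device; running config kept as named blocks."""
    def __init__(self, name, reject=None):
        self.name, self.running, self.reject = name, {}, reject   # reject: injected fault

    def apply(self, delta):
        self.snapshot = {b: list(l) for b, l in self.running.items()}
        for block, lines in delta.items():
            if self.reject in lines:                   # device refuses this block
                self.running = self.snapshot
                raise RuntimeError(f"{self.name} rejected block {block}")
            self.running[block] = list(lines)

def crypto_blocks(intent, peers):
    """IKEv2 and IPsec blocks shared by hub and spoke; peers = [(name, ip, psk)]."""
    ikev2 = ["crypto ikev2 proposal CLOUDVPN", f" encryption {intent.encryption}", " prf sha256",
             f" group {intent.dh_group}", "crypto ikev2 policy CLOUDVPN", " proposal CLOUDVPN",
             "crypto ikev2 keyring CLOUDVPN"]
    for name, ip, psk in peers:
        ikev2 += [f" peer {name}", f"  address {ip}", f"  pre-shared-key {psk}"]
    ikev2 += ["crypto ikev2 profile CLOUDVPN"]
    ikev2 += [f" match identity remote address {ip} 255.255.255.255" for _, ip, _ in peers]
    ikev2 += [" authentication remote pre-share", " authentication local pre-share",
              " keyring local CLOUDVPN"]
    bits = intent.encryption.rsplit("-", 1)[1]
    ipsec = [f"crypto ipsec transform-set CLOUDVPN esp-gcm {bits}", " mode tunnel",
             "crypto ipsec profile CLOUDVPN", " set transform-set CLOUDVPN", " set ikev2-profile CLOUDVPN"]
    return {"ikev2": ikev2, "ipsec": ipsec}

def tunnel_block(num, local_ip, peer_wan_ip):
    return [f"interface Tunnel{num}", f" ip address {local_ip} 255.255.255.252",
            " tunnel source GigabitEthernet1", " tunnel mode ipsec ipv4",
            f" tunnel destination {peer_wan_ip}", " tunnel protection ipsec profile CLOUDVPN"]

def derive(intent):
    """Fastmap-style step: service intent -> desired config blocks per device."""
    hub = crypto_blocks(intent, [(s.name, s.cpe_wan_ip, s.psk) for s in intent.sites])
    plan = {intent.hub: hub}
    for i, s in enumerate(intent.sites):
        hub[f"Tunnel{100 + i}"] = tunnel_block(100 + i, s.hub_tunnel_ip, s.cpe_wan_ip)
        spoke = crypto_blocks(intent, [("HUB", intent.hub_wan_ip, s.psk)])
        spoke["Tunnel100"] = tunnel_block(100, s.cpe_tunnel_ip, intent.hub_wan_ip)
        plan[s.name] = spoke
    return plan

def commit(intent, inventory):
    """Validate, derive, then push changed blocks to every device: all or none."""
    if intent.encryption not in ALLOWED_ENCRYPTION or intent.dh_group not in ALLOWED_DH_GROUPS:
        return False, f"weak IKEv2 parameters refused: {intent.encryption}/group {intent.dh_group}"
    applied = []
    try:
        for name, desired in derive(intent).items():
            dev = inventory[name]
            dev.apply({b: l for b, l in desired.items() if dev.running.get(b) != l})
            applied.append(dev)
    except RuntimeError as err:
        for dev in reversed(applied):              # undo in reverse order
            dev.running = dev.snapshot
        return False, f"rolled back: {err}"
    return True, "committed"

def demo():
    """Constructed scenario: a clean commit, then one where a CPE rejects a block."""
    intent = CloudVpnIntent("csr-hub", "198.51.100.1", "aes-gcm-256", 19, [
        Site("cpe-site1", "203.0.113.10", "10.12.162.1", "10.12.162.2", "psk-site1"),
        Site("cpe-site2", "203.0.113.20", "10.12.162.5", "10.12.162.6", "psk-site2")])
    good = {n: Device(n) for n in ("csr-hub", "cpe-site1", "cpe-site2")}
    bad = {n: Device(n) for n in ("csr-hub", "cpe-site1")}
    bad["cpe-site2"] = Device("cpe-site2", reject=" tunnel mode ipsec ipv4")
    return intent, commit(intent, good), good, commit(intent, bad), bad
```

Keeping the running configuration as named blocks is what makes the delta honest: a line such as "tunnel source GigabitEthernet1" legitimately repeats under every tunnel interface on the hub, so a line-set diff would silently drop it. In the failing scenario the hub and the first CPE have already accepted their blocks when the second CPE refuses; both are returned to their pre-commit state, so the customer is never left with a half-built VPN that passes traffic on one side only.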
69. vMS Services
• CPE: ISR 800, 1900, 2900, 3900, 4000 Series (G2 and 4000 Series VPN CPE)
• Managed WAN: IWAN with DMVPN over the Internet (IPsec) and over MPLS VPN, branch to headquarters; IWAN border router / master controller (BR/MC)
• Managed Security (vMS on CIS): vRouter (CSR1Kv) CloudVPN (IPsec), Firewall (ASAv), Web Security (WSAv), Remote Access, Internet
70. Cisco Intelligent WAN Solution Components for SPs
• Intelligent path control: load balancing, policy-based path selection, network availability
• Secure connectivity: scalable strong encryption, app-aware threat defense, cloud web security
• Application optimization: application visibility, app acceleration, intelligent caching
• Hybrid WAN: application-centric design, common operational model, deployment flexibility
71. vMS Components for IWAN
• NSO orchestration
• Service assurance
• Operator views
• CFS (ordering experience)
• Identity management for SSO
• Portal for network visualization
• Living Objects for network/application/performance view
72. Hybrid WAN: Leveraging the Internet
Secure WAN transport and Internet access:
• Secure WAN transport for private and virtual private cloud access
• Leverage the local Internet path for public cloud and Internet access
• Increased WAN transport capacity and cost effectiveness
• Improved application performance (right flows to the right places)
Diagram: the branch uses MPLS (IP-VPN) as secure WAN transport to the private cloud and virtual private cloud, and direct Internet access to the public cloud and the Internet.
73. Each vMS Use Case Has Orchestration, Portal and Assurance Components
• The portal implements the ordering and self-service management UI as well as the APIs
• Service provisioning and service change are performed by orchestration
• Health, metrics and consumption data are provided by assurance
Example shown: operator view and customer view of the service named "Cloud VPN service".
74. Leveraging Microservices in vMS
75. What Are Microservices?
• Each microservice is relatively small
• Easier for a developer to understand
• The web container starts faster, which makes developers more productive and speeds up deployments
• Each service can be deployed independently of other services, making it easier to deploy new versions of services frequently
• Easier to scale development: each team is responsible for a single service
• Improved fault isolation: for example, if there is a memory leak in one service then only that service is affected
• Each service can be developed and deployed independently
• Eliminates any long-term commitment to a technology stack
Source: http://microservices.io/patterns/microservices.html
76. Microservices Enable Architecture Extensibility in vMS
• Scale up a service
• Replace a service
• Add a service
• Write a service in any language
• Inter-microservice communications also go through the API gateway
Diagram: the Symphony UI, identity management and the manage and monitor functions sit behind an API gateway; example microservices register with the gateway (Consume, Consume' based on Python, a Recommendation Service based on C++) and can be unregistered; a custom app is shown as a portal consumer.
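The last bullet is the security-relevant one: if every call, including one microservice calling another, passes through the gateway, the gateway is the single place where identity is checked and per-service authorization is enforced. The following Python is an added example, not vMS code, of that pattern: services register and unregister with a gateway (and are replaced in place, as Consume' replaces Consume on the slide), every call carries a signed token from an identity-management stand-in, and a service that needs another service calls back through the gateway under its own identity rather than reaching it directly. The token format, signing key, role names, service names and handler bodies are assumptions constructed for the example.

```python
# Added example, not vMS code: an API gateway that is the single path for every call,
# external or service-to-service. Tokens, roles, service names and handlers are
# assumptions constructed for illustration; the signing key is a constant here only.
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-signing-key"   # would belong to the identity-management service

def issue_token(subject, roles):
    """Identity-management stand-in: claims + HMAC-SHA256 over the claims."""
    claims = json.dumps({"sub": subject, "roles": sorted(roles)}, sort_keys=True).encode()
    sig = hmac.new(SECRET, claims, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(claims + b"." + sig).decode()

def verify_token(token):
    """Return the claims if the signature checks out, else None."""
    try:
        claims, _, sig = base64.urlsafe_b64decode(token.encode()).rpartition(b".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, claims, hashlib.sha256).hexdigest().encode()
    return json.loads(claims) if hmac.compare_digest(expected, sig) else None

def tamper(token):
    """Attacker edit: keep the old signature, widen the roles in the claims."""
    claims, _, sig = base64.urlsafe_b64decode(token.encode()).rpartition(b".")
    c = json.loads(claims)
    c["roles"] = ["customer", "service"]
    return base64.urlsafe_b64encode(json.dumps(c, sort_keys=True).encode() + b"." + sig).decode()

class Gateway:
    """Registry plus policy enforcement point; handlers get the gateway to call onward."""
    def __init__(self):
        self.services = {}    # name -> (version, handler, allowed roles)
        self.audit = []       # (subject, service, outcome)

    def register(self, name, version, handler, allowed_roles):
        self.services[name] = (version, handler, set(allowed_roles))   # replaces in place

    def unregister(self, name):
        self.services.pop(name, None)

    def call(self, token, name, request):
        claims = verify_token(token)
        if claims is None:
            return 401, "invalid token"
        if name not in self.services:
            return 404, f"no service {name}"
        version, handler, allowed = self.services[name]
        if not allowed & set(claims["roles"]):
            self.audit.append((claims["sub"], name, "denied"))
            return 403, "forbidden"
        self.audit.append((claims["sub"], name, version))
        return 200, handler(self, request)

# Two versions of the "consume" service; Consume' (v2) replaces v1 without callers changing.
def consume_v1(gw, request):
    return {"version": "1", "orders": ["cloudvpn-foundation"]}

def consume_v2(gw, request):
    return {"version": "2", "orders": ["cloudvpn-foundation", "cloudvpn-advanced"]}

SERVICE_TOKEN = issue_token("recommendation-svc", ["service"])

def recommendation(gw, request):
    # Service-to-service call goes back through the gateway under the service's own identity.
    status, body = gw.call(SERVICE_TOKEN, "consume", {"customer": request["customer"]})
    if status != 200:
        return {"error": status}
    upsell = "cloudvpn-advanced-web-security" if "cloudvpn-advanced" in body["orders"] else "cloudvpn-advanced"
    return {"recommend": upsell, "consume_version": body["version"]}

def demo():
    """Constructed walk-through: replace a service, reject a tampered token, unregister."""
    gw = Gateway()
    gw.register("consume", "1", consume_v1, {"customer", "service"})
    gw.register("recommendation", "1", recommendation, {"customer"})
    cust = issue_token("acme-admin", ["customer"])
    r1 = gw.call(cust, "recommendation", {"customer": "acme"})
    gw.register("consume", "2", consume_v2, {"customer", "service"})   # Consume' swapped in
    r2 = gw.call(cust, "recommendation", {"customer": "acme"})
    forged = gw.call(tamper(cust), "consume", {})
    denied = gw.call(SERVICE_TOKEN, "recommendation", {"customer": "acme"})
    gw.unregister("consume")
    r3 = gw.call(cust, "recommendation", {"customer": "acme"})
    return gw, r1, r2, forged, denied, r3
```

Because the recommendation service never holds the customer's token, it cannot act as the customer elsewhere; it calls consume with its own service identity, and the audit trail records both hops. Replacing consume with Consume' changes the answer the recommendation service gets without touching that service or its callers, which is the extensibility the slide claims, and the tampered token shows why the gateway must verify signatures itself rather than trust claims forwarded by an upstream.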
77. Designed for the SP Environment but Works Fully Standalone
vMS front end: UX/UI. vMS back end: services orchestration, log aggregation and common infrastructure services (identity/RBAC, ticketing, analytics).
Service provider integration points:
• SP identity provider: who is the SP customer?
• SP fulfillment: is there any physical or un-orchestrated fulfillment?
• SP BSS: product/offer definition, pricing, subscription and customer billing
• SP helpdesk / OSS: your system for handling customer support requests
• SP assurance: your data collection engine can provide deeper insights for vMS customers as well as operators
78. vMS 2.0 Deployment Architecture
PaaS-based, to deliver manageability, cloud-native scalability and resilience:
• HTTP load balancer / router and API gateway in front of the microservices
• Cloud controller and health manager
• Platform services consumed "as a service": identity management, service discovery, logs/metrics, Cassandra / Hadoop / Redis, cloud storage
• Orchestration components: ESC and NCS (NSO)
• Service assurance
80. Demo: vMS
81. vMS Demonstration
• CPE: ISR 800, 1900, 2900, 3900, 4000 Series
• Managed WAN: VPN between branches
• Managed Security (CIS: vMS on IaaS): vRouter (CSR1Kv) CloudVPN (IPsec), Firewall (ASAv), Web Security (WSAv), Remote Access, Internet
83. Demo: HSS
85. Security as a Service Architecture
• Control chain: OSS/BSS integration -> service intent -> orchestration -> security services
• Services offered: VPNaaS, FWaaS, IPSaaS, WSaaS, ESaaS, IDaaS, DDoSaaS
• Managed access (IPsec VPN): the customer CPE in front of the local LAN builds an IPsec VPN to the hosted ASAv and/or CSR1000v
• Unmanaged access (remote access VPN): AnyConnect clients build SSL VPN sessions to the hosted security services
• Traffic then passes through the WSAv and ESAv as ordered and leaves via the public IP address space to the public Internet (Amazon, Salesforce, Internet sites) over plain IP connectivity
86. Summary
• Lower cost due to virtualization
• Faster time to service delivery (zero-touch deployment, no truck roll), due to virtualization and service provisioning automation
• Operational simplicity due to virtualization
• Easy upsell for a multi-service strategy: additional services and revenue with no additional truck roll
• Value of a multi-service strategy for virtualized managed security services and cloud-hosted services
87. References
• Hosted Security as a Service (HSS) documentation: http://www.cisco.com/go/hss
• Virtual Managed Services (vMS) documentation: http://www.cisco.com/go/vms
• Cisco Adaptive Security Virtual Appliance (ASAv): http://www.cisco.com/c/en/us/support/security/virtual-adaptive-security-appliance-firewall/tsd-products-support-series-home.html
• Cisco Web Security Virtual Appliance (WSAv): http://www.cisco.com/c/en/us/support/security/web-security-virtual-appliance/tsd-products-support-series-home.html
• Cisco Email Security Virtual Appliance (ESAv): http://www.cisco.com/c/en/us/support/security/email-security-virtual-appliance/tsd-products-support-series-home.html
88. Thank you.
