Security at the Speed of the Network:
Automating and Accelerating Security
Through SDN and NfV
BRKSEC-2760
Hantzley Tauckoor – CISSP #472723, CCDE #2015::43
Consulting Systems Engineer – MANO & Programmability
Global Virtual Engineering, Cisco Systems
./about_me
Hantzley Tauckoor
Consulting Systems Engineer – MANO & Programmability
Global Virtual Engineering, Cisco Systems
linkedin.com/in/hantzley
Twitter: @hantzley
htauckoo@cisco.com
Agenda
• Security from the Service Provider perspective
• Putting SDN/NFV to work – DDoS
• Automating Security in the SP Data Centre
• Generating new revenue streams with hosted security services
• SDN & NFV Infrastructure Security
• Summary
Security from the Service Provider Perspective
Trends: New Opportunities …
• The world has gone mobile: 10x mobile traffic growth from 2013 to 2019
• Traffic growth, driven by video
• Rise of cloud computing; changing enterprise business models (efficiency and capacity)
• Machine-to-Machine and the emergence of the Internet of Everything (people, process, data, things)
• Changing customer expectations: ubiquitous access to apps and services
• These trends will soon change SP architectures and service delivery
Figure: global IP traffic forecast 2013-2018, petabytes per month (0 to 120,000), 23% CAGR; Internet video grows from 57% to 75% of traffic while other traffic falls from 43% to 25%.
Dynamic Threat Landscape
• Increasing threat sophistication
• Risks to service providers and their customers
• Your customers are being attacked by DDoS
2015 Verizon Data Breach Investigations Report: ~84% of initial compromises completed within hours; ~65% of initial compromises undetected for months.
Legacy Security: Costly & Complex
• Siloed: limited integration, security gaps
• Inefficient: hard-coded processes
• Manual: over-provisioned, static, and slow
This hinders the realization of open and programmable networks.
SDN Automation: The Speed of The Network
Threat analytics, visibility and control applied across the attack continuum: BEFORE, DURING and AFTER an attack.
How Automated Are You Today?
For each stage (BEFORE, DURING, AFTER) and each capability (threat analytics, visibility, control), ask whether it is automated or manual today.
Managing The Threat Lifecycle
Protecting the Infrastructure and Offering Elastic Managed Services
Orchestration:
• VMS – Cloud Services Orchestration: real-time application of the right service, in the right place, at the right time
• Quantum WAVE – WAN Orchestration: real-time topology and service health information
• UBIqube MS Activator – Security Domain Management
Attack Continuum:
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Security services mapped onto the continuum: Firewall, NGFW, NAC + Identity Services, VPN, UTM, NGIPS, Web Security, Email Security, Advanced Malware Protection, Network Behaviour Analysis, Visibility, Context, Autonomics and BCPs, DDoS Visibility/Mitigation Services, Forensic Analytics, HSS.
Anatomy of the SP network
Figure: SP network domains from left to right: Access (Mobile, Residential, Business), Service Edge, Aggregation/Transport, Core, Data Center, Enterprise WAN, with example access devices (CMTS, DSLAM, cell site router, video distribution). Security features shown per domain, in the order of the diagram: MACsec, volumetric DDoS, VPN; FW, VPN, CGNAT, NGIPS, AMP, mobile inspection; MACsec, FW, VPN, NGIPS, AMP, application DDoS; FW, VPN, NGIPS, AMP, volumetric DDoS, application DDoS.
SP Security Best Practices - http://tools.cisco.com/security/center/serviceProviders.x?i=76
Security for Open & Programmable Networks
Cisco Service Provider Architecture
Figure: Applications & Services sit on an Evolved Programmable Network (compute, storage, network) exposed through open APIs; an Evolved Services Platform provides the orchestration engine, catalog of virtual functions and service profiles; a service broker exposes smart service capabilities; Cisco Services sit alongside; security spans every layer.
Benefits:
• New Revenue Streams
• Increased Business Agility
• Lower Operating Costs
Network Programmability
Figure: a controller with topological awareness and policy resolution exposes a programmatic interface northbound to applications (network monitoring, bandwidth management, load balancing) and speaks Netconf, OpenFlow and REST APIs southbound to the network, falling back to the CLI where nothing else exists.
Programmability Across Multiple Controllers
A Plethora of Controllers
• APIC – Data Centre: the ACI controller, driven by applications and by a service orchestrator for threat defense and security policy
• APIC-EM / WAE – Campus / WAN
• Cloud Orchestration (OpenStack): objective is to extend OpenStack Neutron's networking model with new policy APIs; OpenStack "sister project" to group-based policy in OpenDaylight
• SDN Controller (OpenDaylight): under the Linux Foundation; security extensions; common vendor-supported framework
• WAE – Traffic Optimization: monitor for path constraint violations; automate network changes to ensure path compliance
• VTS – Overlay Automation (Data Center)
Service Chaining:
• Application Network Flow Profile: SLA, Security, QoS, Load Balancing
• User/Things Network Profile: QoS, Security, SLA, Device, Location, Role
Open source projects span Data Center, Campus and WAN.
Transition to All-virtualised Services?
Offering models: Service, System, Product. Implementation: HW appliance; virtualise existing functions (can be leveraged to offer SaaS); SaaS-based solutions.
SP infrastructure services transitioning to NFV: SP video, GWs, CPE, mobile services, enterprise managed services, L2/L3 VPN, IaaS.
Drivers:
• Reducing total OpEx and CapEx
• Increased service velocity and agility
• Increasing revenue
All SP services are virtualising; some services move straight to SaaS (HCS, ScanSafe, WebEx, SDVPN).
Network Function Virtualization
• Movement of network functions to the cloud: control, services and data plane components
• NFV is not applicable to all network applications: most service functions are in the frame, but high-performance plumbing (the forwarding-heavy data plane) is not, for now
• NFV is an architecture rather than simply virtualising functions: virtual services and compute; service chaining and overlays; orchestration and redirection
• ETSI has covered a number of use cases
See also: http://www.etsi.org/deliver/etsi_gs/NFV/001_099/002/01.01.01_60/gs_NFV002v010101p.pdf
Evolving The Network Software Stack
Figure: three layers, each with virtual and physical instances.
• Embedded software: base OS (Linux, …); base control infrastructure; protocols (IETF, IEEE, …); network OS (IOS-XE, NX-OS, …); plugins (Puppet, guest shell, …)
• Infrastructure software: orchestration (NSO, …); management (Prime, …); optimization (WAE, …)
• Application software: Unified Communications, CCS, Evolved VPN (CloudVPN, …), custom apps
Summary: The Building Blocks
• Traditional: distributed control plane components, physical entities
• SDN: separation of control and data plane, controllers
• NFV: network functions and software running on any open standards-based hardware
• Service Orchestration: automation, provisioning and interworking of physical and virtual resources across Traditional, SDN and NFV
Putting SDN/NFV to Work: Security Services Virtualization & SDN DDoS Mitigation
Distributed Denial of Service Attack Mitigation
Figure (built up over several slides): the controller receives traffic statistics from the network, recognises the DoS condition from them, and responds with traffic redirection so that the attack traffic is steered to mitigation.
Cisco ASR 9000 vDDoS Protection
Arbor Networks Threat Management System (TMS) running on the ASR 9000 Virtual Services Module (VSM): Cisco ASR 9000 vDDoS Protection "Powered By Arbor Networks". Claimed benefits: architectural superiority, unified management, scalable performance, reduced OPEX, flexible deployment.
ASR 9000 vDDoS Solution Components
• Virtualized Arbor Peakflow SP (DDoS detection):
 Collects flow records
 Detects abnormal network behaviour and triggers alerts
 Can influence routing by injecting BGP routes into the network
 Supports BGP FlowSpec as a controller
 Sets up and monitors the TMS remotely
• Virtual DDoS software running on the ASR 9000 VSM (DDoS mitigation), plus licenses:
 Configured by the SP; receives diverted traffic and performs in-depth packet analysis
 Discards the attack packets and transmits the legitimate ones
 Provides real-time monitoring information to operators
How Peakflow Works
Figure: peering points, core routers and PEs serving Enterprises A, B and C; Arbor Peakflow SP6000 collects telemetry; an ASR 9K with VSM acts as the scrubber.
1 – Anomaly detection (Peakflow, from the collected flow records)
2 – Volumetric DDoS: mitigate at the edge with ACLs and BGP FlowSpec pushed to the peering routers
3 – L4-L7 DDoS: redirect the victim's traffic to the ASR 9K for intelligent mitigation
4 – Identify and filter the malicious requests
5 – Forward the legitimate traffic back to the customer: GRE, MPLS, …
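Steps 1 and 2 above, as an added example that is not Arbor's or Cisco's code: rate-based anomaly detection over constructed NetFlow-style records, followed by generation of a BGP FlowSpec (RFC 5575) rule narrow enough to match only the attacked service rather than the whole victim. The ExaBGP-style rule text, the per-destination baseline, the 10x threshold and the sample flows are all assumptions; a real deployment would hand the rule to Peakflow or the router over its own API.

```python
"""Volumetric DDoS detection over flow records and BGP FlowSpec rule generation.
Added example; not Cisco/Arbor code. Sample flows, baseline and rule syntax are
assumptions."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int
    nbytes: int  # bytes seen in the collection window


@dataclass(frozen=True)
class Alert:
    dst: str
    proto: str
    dport: int
    bps: int


def _constructed_flows():
    """Constructed 60-second sample: a UDP/53 flood toward 203.0.113.10 from 40
    sources (15 MB each), ordinary HTTPS to the same host, and HTTPS to a second host."""
    flows = [Flow("192.0.2.%d" % i, "203.0.113.10", "udp", 53, 15_000_000) for i in range(1, 41)]
    flows.append(Flow("198.51.100.7", "203.0.113.10", "tcp", 443, 2_000_000))
    flows.append(Flow("198.51.100.8", "198.51.100.5", "tcp", 443, 10_000_000))
    return flows


SAMPLE_FLOWS = _constructed_flows()


def detect_volumetric(flows, baseline_bps, window_s=60, factor=10):
    """Step 1: flag destinations whose aggregate rate exceeds factor x baseline.

    Purely rate-based, so it stands in for Peakflow's anomaly detection rather
    than replacing it.  The dominant (proto, dport) per flagged destination is
    recorded so that the mitigation rule can stay narrow.
    """
    total = defaultdict(int)
    by_service = defaultdict(lambda: defaultdict(int))
    for f in flows:
        total[f.dst] += f.nbytes
        by_service[f.dst][(f.proto, f.dport)] += f.nbytes
    alerts = {}
    for dst, nbytes in total.items():
        bps = nbytes * 8 // window_s
        if bps > factor * baseline_bps:
            (proto, dport), _ = max(by_service[dst].items(), key=lambda kv: kv[1])
            alerts[dst] = Alert(dst, proto, dport, bps)
    return alerts


def flowspec_rule(dst, proto, dport, rate_limit_bps=0):
    """Step 2: render a BGP FlowSpec (RFC 5575) rule in ExaBGP-style text (assumed syntax).

    Guard rails before the controller injects anything: the destination must be
    a single host and the port must be valid, so a mis-parsed alert cannot
    blackhole a whole prefix.  rate_limit_bps=0 means discard; otherwise a
    traffic-rate action is emitted (FlowSpec expresses it in bytes per second).
    """
    net = ipaddress.ip_network(dst, strict=True)
    if net.num_addresses != 1:
        raise ValueError("refusing FlowSpec rule broader than one host: %s" % dst)
    if proto not in ("udp", "tcp"):
        raise ValueError("unsupported protocol %r" % proto)
    if not 0 < dport <= 65535:
        raise ValueError("invalid destination port %d" % dport)
    action = "discard" if rate_limit_bps == 0 else "rate-limit %d" % (rate_limit_bps // 8)
    return ("announce flow route { match { destination %s; protocol %s; "
            "destination-port =%d; } then { %s; } }"
            % (net.with_prefixlen, proto, dport, action))


if __name__ == "__main__":
    for alert in detect_volumetric(SAMPLE_FLOWS, baseline_bps=5_000_000).values():
        print("%s: %s/%d at %d bit/s" % (alert.dst, alert.proto, alert.dport, alert.bps))
        print(flowspec_rule(alert.dst, alert.proto, alert.dport))
```

The rule deliberately matches destination, protocol and port together: a bare destination match would discard the victim's legitimate HTTPS along with the flood. In production the announcing controller should also attach a lifetime to each rule and withdraw it once the rate drops back under baseline, otherwise step 2 quietly becomes a permanent outage for the service it was meant to protect.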
Integrated Security Services "at Scale"
Legacy Security: Siloed, Inefficient & Expensive
Figure: a data packet traverses separate DDoS, SSL, FW, WAF, IPS and sandbox platforms in turn. Result: reduced effectiveness, increased latency, a slower network, static and manual operation.
Cisco Transforms Security Service Integration
Figure: the same siloed chain contrasted with a unified platform in which DDoS, FW, WAF, NGIPS, SSL and AMP run integrated on one platform. Result: maximum protection, highly efficient, scalable processing, dynamic.
Key: Cisco service / 3rd party service
Carrier-Class Firepower 9300 Platform (NEW)
High-Speed, Scalable Security
Modular Multi-Service Security
• Benefits: integration of best-of-breed security; dynamic service stitching
• Features*: ASA container; Firepower Threat Defense containers (NGIPS, AMP, URL, AVC); 3rd party containers (Radware DDoS, other ecosystem partners)
• Benefits: standards and interoperability; flexible architecture
• Features: template-driven security; secure containerization for customer apps; RESTful/JSON API; 3rd party orchestration/management
• Benefits: industry-leading performance per RU; 600% higher performance; 30% higher port density
• Features: compact 3RU form factor; 10G/40G I/O, 100G ready; terabit backplane; low latency, intelligent fastpath; NEBS ready
Security Services Architecture
Figure: Firepower 9300 chassis with a Supervisor (on-board 8x10GE interfaces Ethernet 1/1-8, 4x40GE network modules in slots 1 and 2 as Ethernet 2/1-4 and Ethernet 3/1-4, Ethernet 1/7 used for management, application image storage) and three security modules. Each module runs a primary ASA application, clustered across the modules, and a DDoS decorator application; the logical device spans the modules, with PortChannel1 on the data-inside and data-outside sides, link decorators, application connectors and external connectors defining the logical packet flow. The chassis is managed through the Chassis Manager and ASDM; Radware Vision Manager manages the DDoS decorators.
Cisco DDoS Positioning
• SP edge router based DDoS with ASR 9K + VSM + Arbor TMS/Peakflow (volumetric): SP backbone detection and mitigation, SP ASR PE with Peakflow
• SP scrubbing centre: various 3rd party options for hosted services (Arbor Cloud, Radware Cloud, Prolexic/Akamai); Radware DefensePipe
• SP mobility edge with Firepower 9300 and Radware DDoS protecting mobile users
• Data centre firewall based DDoS with Firepower 9300 + security module running Radware DefensePro, managed by Radware Vision: application attack detection and mitigation in front of applications, services and databases
• MSSP services: various 3rd party options for hosted services
• A complete DDoS system can be complemented with Cisco Lancope Threat Defense
Recap - Cisco DDoS Offerings for Service Provider
Arbor TMS on ASR9k:
• DDoS target is bandwidth (volumetric attacks)
• Part of the SP Clean Pipes solution
• Traffic diverted to the scrubber within the router backplane; clean traffic reinjected locally
• Additional Arbor products can protect enterprise assets
Radware vDP on FP9300:
• DDoS target is the firewall and the devices behind it, NOT bandwidth
• vDP sits inline and sees all traffic going to the firewall
• Other Radware capabilities in the cloud can help with bandwidth-based attacks
Automating Security in the SP Data Centre
Cisco SDN: Providing Choice in Automation and Programmability
• Application Centric Infrastructure – mass market (commercial, enterprises, public sector): turnkey integrated solution with security, centralized management, compliance and scale; automated application-centric policy model with embedded security; broad and deep ecosystem
• Programmable Fabric – service providers: VXLAN-BGP EVPN, standards-based; 3rd party controller support; VTS for software overlay provisioning and management across N2K-N9K
• Programmable Network – mega-scale data centres: modern NX-OS with enhanced NX-APIs; automation ecosystem (Puppet, Chef, Ansible etc.); common NX-API across N2K-N9K
Introducing Application Centric Infrastructure
Figure: APIC provides centralized policy management (application network profiles) through open APIs, open source and open standards. Northbound: orchestration frameworks, hypervisor management (including OVM), systems management, enterprise monitoring, ACI ecosystem partners. Southbound: fabric automation across physical and virtual end points, physical networking (Nexus 2K, Nexus 7K), hypervisors and virtual networking, compute, L4-L7 services, storage, multi-DC, WAN and cloud, integrated WAN edge.
Typical Service Chain
• Full abstraction within the service chain
• Every device only knows its function and exchanges packets with the fabric as instructed
• High degree of modularity with low coupling; specific devices are interchangeable
• ACI maintains flow symmetry through the same device instance
Figure: a chain of SSL offload, firewall (policy rules, NAT, inspection), IPS and analyzer inserted between the EPGs "Users", "Web" and "Files".
ACI and OpenStack
Figure: OpenStack orchestration (controllers 1-3, each with a Cisco APIC plugin; multi-vendor, open source) drives APIC; APIC programs the Nexus 9000 fabric and, via OpFlex, Open vSwitch on each hypervisor; tenant projects 1-3 each hold VMs (vm3-vm6) spread across the hypervisors.
Virtual Topology System (VTS) Introduction
VTS for overlay provisioning and management across virtual overlays and physical fabric (Cisco Nexus & multivendor)
Figure: VTS programs physical ToRs (NX-API, Netconf/YANG) and virtual overlays for bare-metal and virtualized workloads over a BGP-EVPN VXLAN fabric, with automated DCI/WAN integration; northbound via REST API, GUI, VMware vCenter and Cisco Network Services Orchestrator (Tail-f).
• Flexible overlays: physical and virtual overlays; bare-metal and virtualized workloads; service chaining
• Open and programmable: REST-based northbound APIs; multi-protocol support; multi-hypervisor support; seamless integration with orchestrators
• Automated: automated overlay provisioning; automated DCI/WAN integration
• Scalable VXLAN management: MP-BGP EVPN control plane; virtual tenant networks; high-performance virtual forwarding
Generating new revenue streams with Hosted Security Services
Evolution of Security Services: Premise to Cloud
Figure: four delivery models, CPE, managed CPE, hybrid and cloud. As delivery moves toward the cloud, functions (routing, NAT, DHCP, NGFW, VPN, IPS, web, email, malware, context) progressively move from the customer premises to the SP cloud; switching, AP and voice remain on premises in every model.
Market Opportunity
Cloud Service Delivery Shows Higher Growth, but CPE Based Still Growing
© 2015 IHS / Infonetics Research: Cloud and CPE Managed Security Services Market Size and Forecasts; March 2015
Figure: two charts of worldwide revenue (US$ billions) by technology, CY10 to CY19, split into managed firewalls, IDS/IPS, DDoS mitigation and other security services. Left: CPE-based service revenue share (scale $0-$14B). Right: cloud-based service revenue share (scale $0-$12B).
Cloud Based Security Service Offerings
• Cisco Managed Security Cloud (SaaS): Cloud Web Security (CWS), Cloud Email Security (CES)
• SP Hosted Security Cloud (hosted): VPN, FW, NGFW, NGIPS, AMP, Web Security and Email Security as a Service, either as pre-packaged NFV security service bundles (vMS) or as à la carte Hosted Security as a Service (HSS); SP/MSSP resell to enterprises
Hosted Security as a Service Architecture
Security Service Examples:
• FWaaS – Firewall as a Service
• VPNaaS – Virtual Private Networking as a Service
• NGFW/IPSaaS – Next Generation Firewall and Intrusion Prevention System as a Service
• WSaaS – Web Security as a Service
• ESaaS – Email Security as a Service
• IDaaS – Identity as a Service
• DDoSaaS – Distributed Denial of Service protection as a Service
Figure: infrastructure layer (hypervisor, compute, storage); services layer with per-tenant service instances (Tenant 1: WSaaS, FWaaS; Tenant 2: ESaaS, WSaaS, FWaaS; Tenant 3: FWaaS, IDaaS; NGFW/IPSaaS and VPNaaS also available); orchestration layer (policy, analytics, reporting).
Firewall-aaS Tiers Example
Service tiers Bronze, Silver and Gold; each feature is marked Included or Option per tier and mapped to the BEFORE / DURING / AFTER continuum.
• NAT Address Translation: NAT / PAT
• Stateful Inspection: L3 firewall; transparent firewall; proxy authentication; application hosting private zone; application control (IM, peer to peer); voice security support
• High Availability: within SP data centre; between SP data centres
• Management: customer self-service portal; streamlined management; auto-generated reporting; custom reporting; data log retention (1 month); extended data log retention (> 1 month)
VPNaaS Tiers Example (reference slide)
• Customer site to Cloud IPSec VPN service
• Remote Access VPN
• High Availability
• Advanced Management
Web Security-aaS Tiers Example (reference slide)
• Real Time Threat Protection Services
• Acceptable Use Services
• Policy Control
• High Availability
• Advanced Management
Email Security-aaS Tiers Example (reference slide)
• Inbound Email Protection
• Outbound Email Protection
• Policy control
• High availability
• Advanced Management
NGFW/IPSaaS Tiers Example (reference slide)
• Application Visibility and Control (NGFW)
• Threat Protection (NGIPS)
• High Availability
• Advanced Management
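A worked example of the template-driven provisioning behind tiers like these, added here and not Cisco's or UBIqube's code: a tier catalogue, an order validator that enforces tier entitlements on the orchestrator side (so a tampered self-service portal request cannot unlock Gold features on a Bronze contract, and a tenant name cannot smuggle CLI into the generated configuration), and a renderer that emits ASA configuration for the tenant's firewall. The entitlement matrix, feature names, interface names and sample order are assumptions.

```python
"""Template-driven FWaaS provisioning with server-side tier entitlement checks.
Added example; not Cisco's or UBIqube's code. Tier matrix, feature and
interface names and the sample order are assumptions."""
import ipaddress
import re

# Assumed entitlement matrix standing in for the slide's Bronze/Silver/Gold grid;
# each tier adds to the one below it.
TIER_FEATURES = {
    "bronze": {"nat", "l3_firewall", "ha_intra_dc", "auto_reporting", "log_retention_1m"},
    "silver": {"transparent_firewall", "proxy_auth", "self_service_portal"},
    "gold": {"app_control", "voice_security", "ha_inter_dc", "custom_reporting",
             "log_retention_extended"},
}
TIER_ORDER = ["bronze", "silver", "gold"]
_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")

# Constructed sample order, as a self-service portal would submit it.
SAMPLE_ORDER = {
    "tenant": "tenant1",
    "tier": "silver",
    "features": ["nat", "l3_firewall", "proxy_auth"],
    "inside_subnet": "10.1.0.0/16",
    "inbound": [{"host": "203.0.113.10", "proto": "tcp", "port": 443}],
}


def entitled_features(tier):
    """Everything in the requested tier plus all lower tiers."""
    feats = set()
    for t in TIER_ORDER:
        feats |= TIER_FEATURES[t]
        if t == tier:
            return feats
    raise ValueError("unknown tier %r" % tier)


def validate_order(order):
    """Return a list of problems; an empty list means the order may be provisioned.

    Entitlement is enforced here, in the orchestrator, never trusted from the
    portal: a tampered request must not unlock Gold features on a Bronze
    contract, and every field that ends up in device CLI is whitelisted.
    """
    problems = []
    if not _NAME.fullmatch(str(order.get("tenant", ""))):
        problems.append("tenant name must match [A-Za-z0-9_-]{1,32}")
    try:
        allowed = entitled_features(order.get("tier"))
    except ValueError:
        return problems + ["invalid or missing tier"]
    for feat in sorted(set(order.get("features", ())) - allowed):
        problems.append("feature %s not included in tier %s" % (feat, order["tier"]))
    if "nat" in order.get("features", ()):
        try:
            ipaddress.ip_network(order.get("inside_subnet", ""), strict=True)
        except ValueError:
            problems.append("nat requires a valid inside_subnet")
    for svc in order.get("inbound", ()):
        if svc.get("proto") not in ("tcp", "udp") or not 0 < int(svc.get("port", 0)) <= 65535:
            problems.append("invalid inbound service %r" % (svc,))
        try:
            ipaddress.ip_address(svc.get("host", ""))
        except ValueError:
            problems.append("invalid inbound host %r" % svc.get("host"))
    return problems


def render_asa(order):
    """Emit ASA CLI for the tenant's context from a validated order.

    Interface names (inside/outside) and object naming are hypothetical.  Every
    tenant ACL ends in an explicit logged deny, regardless of tier.
    """
    problems = validate_order(order)
    if problems:
        raise ValueError("; ".join(problems))
    tenant = order["tenant"]
    feats = set(order.get("features", ()))
    acl = "%s_OUTSIDE_IN" % tenant
    lines = []
    if "transparent_firewall" in feats:
        lines.append("firewall transparent")
    for i, svc in enumerate(order.get("inbound", ())):
        obj = "%s_SVC%d" % (tenant, i)
        lines += ["object network %s" % obj,
                  " host %s" % svc["host"],
                  "access-list %s extended permit %s any object %s eq %d"
                  % (acl, svc["proto"], obj, int(svc["port"]))]
    lines += ["access-list %s extended deny ip any any log" % acl,
              "access-group %s in interface outside" % acl]
    if "nat" in feats:
        net = ipaddress.ip_network(order["inside_subnet"], strict=True)
        lines += ["object network %s_INSIDE" % tenant,
                  " subnet %s %s" % (net.network_address, net.netmask),
                  " nat (inside,outside) dynamic interface"]
    return lines


if __name__ == "__main__":
    print("\n".join(render_asa(SAMPLE_ORDER)))
```

The check that matters for a hosted service is the one in validate_order: the portal is a convenience layer and must be treated as untrusted input to the orchestrator, exactly like a customer API call.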
Hosted Security as a Service (HSS)
HSS Architecture
• Delivered from the service provider's infrastructure
• UBIqube MSActivator used as the Security Domain Manager
• Orchestration software interfaces with native appliance configuration mechanisms
• All customer data lives inside the SP cloud environment
• Security in virtual form factor available today
Figure: infrastructure layer (VMware ESXi, Cisco UCS, storage); services layer with per-tenant virtual appliances (Tenant 1: WSAv, ASAv; Tenant 2: ESAv, WSAv, ASAv; Tenant 3: ESAv, CSR1Kv); orchestration layer (policy, analytics, reporting) exposing provisioning, reporting and billing APIs to the SP's existing orchestration, reporting and billing infrastructure.
VSA 1.0 Expanded Gold Container
Figure (customer-hosted email inbound flow): Internet and MPLS VPN or IPsec VPN arrive at an ASR 9000 (global and customer VRFs); an ASA 5585-X fronts the Tenant 1 DMZ zone and private zone across a Nexus 5000/7000/9000 L2 fabric; per-tenant ESAv, WSAv and ASAv run as virtual machines on UCS alongside private tier 1, 2 and 3 VMs; SP management (UBIqube, vCenter) sits on a shared transit VLAN, tenant traffic on per-tenant VLANs; the tenant site hosts AD, DNS and MS Exchange. Redundant nodes are not shown.
Figure (SP-hosted email inbound flow): the same container, with MS Exchange hosted on UCS in the SP data centre and the tenant site retaining AD and DNS over the MPLS VPN. Redundant nodes are not shown.
VMDC 2.3 Expanded Gold Container
Figure: customer site (ASR 1006, AD, DNS, MS Exchange) connected over MPLS VPN and remote access VPN; Nexus 7004 with customer private outside/inside VRFs, a customer DMZ VRF and the global VRF; ASA 5585-X and ASA 5555 providing the customer private and DMZ contexts; Citrix/F5 load balancers; UCS hosting ESAv, WSAv and tenant VMs; SP management (UBIqube, vCenter) on a shared transit VLAN; private zone on 3 VLANs, DMZ 1 and DMZ 2 on one VLAN each. Redundant nodes are not shown.
HSS Security Domain Manager: UBIqube MSActivator
Figure: a web portal GUI, a service designer (service profiles, templates and objects) and 3rd party OSS/BSS web services (verbs and web services API, order stack management) drive an OBMF mediation layer; device adaptors built on the SDK implement update conf, restore conf, get asset and update firmware per device family (security, VoIP, …); southbound interfaces: SSH, Telnet, HTTP, FTP, SNMP, Syslog, Netflow, TR-069, OpenFlow.
vMS (CloudVPN)
vMS (CloudVPN) at a Glance
• Rapid provisioning / Ops portal
• Standard YANG models
• All customer data lives inside the SP cloud environment
• Appliance plus virtual services chained together
• Orchestration of network + service topology
• Service lifecycle management + elasticity + workload placement
• IPv6 deployed here
Figure: infrastructure layer (KVM, compute, storage); services layer with per-tenant chains of CSR1Kv virtual routers and virtual services (IPSv, ASAv, ESAv, WSAv, vDDoS); orchestration layer (policy, network + service analytics, reporting, provisioning, service lifecycle management) exposing provisioning, reporting and billing APIs to the SP's existing orchestration, reporting and billing infrastructure.
vMS Architecture: A Deeper Look
Figure: end-user and operator portals (service design, my designs, my deployments, deployment wizard with scope selection) and BSS systems talk to NSO, the NFV orchestrator (VNF-O), over RESTCONF; NSO is built on confd with service models, device models, FastMap and reactive FastMap, and drives the network through NEDs (network element drivers) and an SDN controller; ESC, the VNF manager (VNF-M), handles VNF lifecycle on OpenStack, the virtual infrastructure manager; VNFs such as VR_CSR and VFW_vASA run on x86 in the data centre, with the MPLS WAN, IP network and customer ISR CPE completing the cloud service across the create, deliver, operate and optimize phases.
VMS Release 2.0: Delivering Comprehensive Cloud VPN Services
Figure: NSO (NFV orchestrator), ESC (VNF manager) and OpenStack (virtual infrastructure manager) provision per-customer service chains; CPEs for customers A, B and C reach the SP cloud over FlexVPN IPsec links across the Internet (over-the-top access), terminating on a per-customer virtual router (VR) followed by an ASA and, for the web security variant, a WSA; CPE management uses the PnP RFS and VirTo RFS API over an orchestration link; the Foundation service offers direct Internet access via "split tunnel".
Cloud VPN Services
• 3 service models for enterprise deployment flexibility: CloudVPN Foundation; CloudVPN Advanced; CloudVPN Advanced w/Web Security
• vIPS option for both Advanced and Advanced w/Web Security
• CSR1Kv: virtual router for site-to-site VPN with secure IP overlay using FlexVPN/IKEv2 for IPsec tunnels
• ASAv: vFW with NAT and policy (*)
• ASAv: vFW with IPsec/SSL remote access (*)
• WSAv for enhanced web security (*)
Management and Orchestration
• Enterprise admin service interface (portal) driven service instantiation
• Zero-touch deployment of enterprise CPE (ISR G2)
• Model-driven network services lifecycle management with Network Services Orchestrator (NSO) from Tail-f
• VNF lifecycle management with Elastic Services Controller (ESC)
• Virtual infrastructure management with OpenStack, featuring OVS and ODL/VPP as SDN controllers
vMS Service Bundles
• (1) Internet Access (IA), FWaaS, VPNaaS
 CSR1kv, vASA with NAT, FW, RA
• (2) IA, FWaaS, VPNaaS and WSaaS
 CSR1kv, vASA, vWSA
• (3) IA, FWaaS, VPNaaS and Next-Gen IPSaaS
 CSR1kv, vASA, vWSA, vNG-IPS (Sourcefire)
• (4) IA, FWaaS, VPNaaS and IdentityaaS
 CSR1kv, vASA, vISE with NAT, BYOD, policy, TrustSec
• (5) IA, FWaaS, VPNaaS and ESaaS
 CSR1kv, vASA, vESA
• (6) IA, FWaaS, VPNaaS and DDoSaaS
Flexibility for other variations based on marketing needs (reference slide: virtual security workflows).
SDN & NfV Infrastructure Security
SDN Security Components
Figure: SDN applications (security application, third-party application, Cisco Cloud Threat Defence) sit above a service abstraction layer offering identity, security and network services; southbound plugins speak OpenFlow, Netconf, I2RS and a security plugin; pxGrid connects the Identity Services Engine; the SDN security infrastructure is managed through the Next Generation Defence Centre, PRSM, CSM and the CLI.
Threat Defence Services
Network capabilities exposed to the application view: targeted blocking, targeted inspection, targeted rate limiting, targeted packet capture, targeted file capture, targeted confinement and targeted enforcement, each realised through OpenFlow, Netconf or the security plugin on VLAN, SGT, VXLAN and ISE.
Security Services Through SDN
• Audit, recording and monitoring
• Inspection
• Rate limiting
• DDoS scrubbing
• Quarantine
• Active web firewall
• Blocking
Effective, timely and non-invasive: the network controller reconciles the mitigations requested by the security system against the application and network requirements of mission-critical applications.
Threats to an SDN System
Figure: a controller with applications App 1, App 2 and App 3. Threats: spoofing, rogue applications or devices, DoS attacks against the controller.
Countermeasures: hardening; secure provisioning; authentication; authorisation/RBAC; integrity; secure storage; audit.
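The countermeasure list made concrete, as an added example that is not any real controller's API: a northbound front door that rate-limits each application (DoS), verifies an HMAC over the request together with a timestamp and nonce (authentication, integrity, replay protection), applies role-based authorisation, refuses non-admin mitigations that would touch mission-critical prefixes (the reconciliation described above), and writes every decision, allowed or denied, to an append-only audit log. The application registry, roles, shared secrets and the protected prefix are constructed; real keys belong in secure storage.

```python
"""Hardened northbound API for an SDN controller: rate limiting, HMAC
authentication with replay protection, RBAC, a protected-prefix guard and an
audit trail. Added example; not any real controller's API. Registry, roles,
secrets and the protected prefix are constructed."""
import hashlib
import hmac
import ipaddress
import json
from collections import defaultdict, deque

# Constructed application registry: app id -> (shared secret, role).  Real keys
# belong in secure storage (HSM / secrets manager), never in source.
APPS = {
    "ddos-mitigator": (b"mitigator-secret-0001", "mitigator"),
    "noc-dashboard": (b"dashboard-secret-0002", "viewer"),
}
ROLES = {
    "viewer": {"read_topology"},
    "mitigator": {"read_topology", "push_acl"},
    "admin": {"read_topology", "push_acl", "delete_acl"},
}
# Mission-critical prefixes that only an admin may block (assumed).
PROTECTED = [ipaddress.ip_network("10.0.0.0/8")]


def canonical(app, action, ts, nonce, body):
    """Deterministic encoding of everything the signature must cover."""
    return json.dumps([app, action, ts, nonce, body], sort_keys=True,
                      separators=(",", ":")).encode()


def sign(secret, app, action, ts, nonce, body):
    return hmac.new(secret, canonical(app, action, ts, nonce, body), hashlib.sha256).hexdigest()


class Controller:
    def __init__(self, max_per_window=5, window_s=60, max_skew_s=30):
        self.max_per_window, self.window_s, self.max_skew_s = max_per_window, window_s, max_skew_s
        self.audit = []                   # append-only decision log
        self.acls = []                    # mitigations actually installed
        self._nonces = set()              # (app, nonce) pairs already accepted
        self._calls = defaultdict(deque)  # per-app call timestamps

    def _decide(self, app, action, result, reason=""):
        self.audit.append({"app": app, "action": action, "result": result, "reason": reason})
        return {"ok": result == "allow", "reason": reason}

    def request(self, app, action, body, ts, nonce, sig, now):
        # 1. Rate limit before any crypto so a noisy app cannot burn controller CPU.
        #    Keyed on the claimed app id here; in production also key on the
        #    transport identity (mTLS peer, source address) so an attacker cannot
        #    exhaust a legitimate app's budget just by naming it.
        calls = self._calls[app]
        while calls and calls[0] <= now - self.window_s:
            calls.popleft()
        if len(calls) >= self.max_per_window:
            return self._decide(app, action, "deny", "rate limited")
        calls.append(now)
        # 2. Authentication, integrity and replay protection.
        if app not in APPS:
            return self._decide(app, action, "deny", "unknown app")
        secret, role = APPS[app]
        if abs(now - ts) > self.max_skew_s or (app, nonce) in self._nonces:
            return self._decide(app, action, "deny", "stale or replayed request")
        if not hmac.compare_digest(sig, sign(secret, app, action, ts, nonce, body)):
            return self._decide(app, action, "deny", "bad signature")
        self._nonces.add((app, nonce))
        # 3. Authorisation: RBAC, then a policy guard for mission-critical prefixes.
        if action not in ROLES[role]:
            return self._decide(app, action, "deny", "role %s may not %s" % (role, action))
        if action == "push_acl":
            dst = ipaddress.ip_network(body["dst"], strict=False)
            if role != "admin" and any(dst.overlaps(p) for p in PROTECTED):
                return self._decide(app, action, "deny", "protected prefix requires admin")
            self.acls.append(dict(body))
        return self._decide(app, action, "allow")


if __name__ == "__main__":
    ctl = Controller()
    secret, _ = APPS["ddos-mitigator"]
    body = {"dst": "203.0.113.10/32", "proto": "udp", "dport": 53, "action": "discard"}
    sig = sign(secret, "ddos-mitigator", "push_acl", 1000, "n1", body)
    print(ctl.request("ddos-mitigator", "push_acl", body, 1000, "n1", sig, now=1000))
    print(ctl.request("ddos-mitigator", "push_acl", body, 1000, "n1", sig, now=1001))  # replay
    print(ctl.audit)
```

Denials are audited with the same fidelity as approvals; a burst of "bad signature" or "protected prefix requires admin" entries from one application is exactly the rogue-application signal the threat slide warns about.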
Summary
Considerations
Detection:
 How automated is your telemetry capture?
 How automated is your threat analysis?
 Are you limited by privacy considerations?
Response:
 What actions are you willing to take in real time?
 What actions should be one-click for a security analyst?
SDN:
 What type of SDN can you use?
 How SDN-ready is your network?
 SDN security?
Summary
• SP security concerns
• How traditional products/solutions are embracing SDN/NFV
• Security automation in the SP DC
• Revenue-generating security solutions for SPs
• SDN & NFV infrastructure security
• Is there "one" solution to tackle security end-to-end at the "speed of the network"?
• The reality is that each use case is different: technology, people, processes
• The key enabler is automation, through the use of SDN, programmability, APIs, NFV…
Related Cisco Live Sessions
• BRKRST-1014 - Introduction to Software-Defined Networking (SDN) and Network Programmability
• BRKSPG-3616 - SDN and NFV for Service Providers
• BRKSDN-2040 - SDN Controllers - A Use Case Driven Approach to the Options
• BRKSDN-2065 - Cisco Virtual Managed Services (vMS)
• BRKSPG-2619 - Cisco Evolved Programmable Networks
• BRKSEC-3010 - Firepower 9300 Deep Dive
• BRKSEC-1205 - Introduction to DC Security
• BRKSDN-1119 - Device Programmability Options with APIs
• BRKSEC-2005 - The Internet of Things: A Double-Edged Sword. How Can You Embrace it Securely?
Where to go next?
• Other complementary security solutions:
• OpenDNS
• Lancope
• Cloud Web Services
• CliQr
• Demos in the Cisco World of Solutions
• Walk-in Self-Paced Labs
• DevOps & DevNet Sessions
• Meet the Engineer 1:1
Q & A
Complete Your Online Session Evaluation
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com
Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations: directly from your mobile device on the Cisco Live Mobile App, by visiting the Cisco Live Mobile Site (http://showcase.genie-connect.com/ciscolivemelbourne2016/), or at any Cisco Live Internet Station located throughout the venue. T-Shirts can be collected from Friday 11 March at Registration.
Thanks…
• Session Managers – Robert Page, Usen Tulemisov, Stefan Avgoustakis
• Previous BRKSEC-2760 presenters – Mike Geller, David McGrew, Ken Beck
• Collaborators – Kerry Loveless, Sam Rastogi, Siruo Yu, Mike Geller, Albra Welch
Thank you
Security at the Speed of the Network
Network Virtualization Meets the WAN
 
NTXISSACSC3 - Evolution of Cyber Threats and Defense Approaches by Antony Abr...
NTXISSACSC3 - Evolution of Cyber Threats and Defense Approaches by Antony Abr...NTXISSACSC3 - Evolution of Cyber Threats and Defense Approaches by Antony Abr...
NTXISSACSC3 - Evolution of Cyber Threats and Defense Approaches by Antony Abr...
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The Horizon
 
Install dev stack
Install dev stackInstall dev stack
Install dev stack
 
From Cave Man to Business Man, the Evolution of the CISO to CIRO
From Cave Man to Business Man, the Evolution of the CISO to CIROFrom Cave Man to Business Man, the Evolution of the CISO to CIRO
From Cave Man to Business Man, the Evolution of the CISO to CIRO
 
NTXISSACSC3 - Managing Cyber Security Across the Enterprise by Asif Effendi
NTXISSACSC3 - Managing Cyber Security Across the Enterprise by Asif Effendi NTXISSACSC3 - Managing Cyber Security Across the Enterprise by Asif Effendi
NTXISSACSC3 - Managing Cyber Security Across the Enterprise by Asif Effendi
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and Discussion
 
Evolution of Security Management
Evolution of Security ManagementEvolution of Security Management
Evolution of Security Management
 
APIs: The New Security Layer
APIs: The New Security LayerAPIs: The New Security Layer
APIs: The New Security Layer
 
NFV & Openstack
NFV & OpenstackNFV & Openstack
NFV & Openstack
 
The CIO Viewpoint : How to Partner with the Top IT Executive
The CIO Viewpoint : How to Partner with the Top IT ExecutiveThe CIO Viewpoint : How to Partner with the Top IT Executive
The CIO Viewpoint : How to Partner with the Top IT Executive
 
Introduction to SDN and NFV
Introduction to SDN and NFVIntroduction to SDN and NFV
Introduction to SDN and NFV
 

Similar to Security at the Speed of the Network

Banv meetup-contrail
Banv meetup-contrailBanv meetup-contrail
Banv meetup-contrail
nvirters
 

Similar to Security at the Speed of the Network (20)

NFV orchestration for cloud and virtual branch services
NFV orchestration for cloud and virtual branch servicesNFV orchestration for cloud and virtual branch services
NFV orchestration for cloud and virtual branch services
 
Reducing Cost with DNA Automation
Reducing Cost with DNA AutomationReducing Cost with DNA Automation
Reducing Cost with DNA Automation
 
Ottawa e-NFV Session
Ottawa e-NFV Session Ottawa e-NFV Session
Ottawa e-NFV Session
 
Architecture of NFV Platform for Orchestrating Cloud-based & vBranch Managed ...
Architecture of NFV Platform for Orchestrating Cloud-based & vBranch Managed ...Architecture of NFV Platform for Orchestrating Cloud-based & vBranch Managed ...
Architecture of NFV Platform for Orchestrating Cloud-based & vBranch Managed ...
 
VMware NSX for vSphere - Intro and use cases
VMware NSX for vSphere - Intro and use casesVMware NSX for vSphere - Intro and use cases
VMware NSX for vSphere - Intro and use cases
 
How will virtual networks, controlled by software, impact OSS systems?
How will virtual networks, controlled by software, impact OSS systems?How will virtual networks, controlled by software, impact OSS systems?
How will virtual networks, controlled by software, impact OSS systems?
 
6° Sessione VMware NSX: la piattaforma di virtualizzazione della rete per il ...
6° Sessione VMware NSX: la piattaforma di virtualizzazione della rete per il ...6° Sessione VMware NSX: la piattaforma di virtualizzazione della rete per il ...
6° Sessione VMware NSX: la piattaforma di virtualizzazione della rete per il ...
 
20150311 NSX update 301
20150311 NSX update 30120150311 NSX update 301
20150311 NSX update 301
 
DNA Intelligent WAN Campus Day
DNA Intelligent WAN Campus DayDNA Intelligent WAN Campus Day
DNA Intelligent WAN Campus Day
 
7th SDN Expert Group Seminar - Session2
7th SDN Expert Group Seminar - Session27th SDN Expert Group Seminar - Session2
7th SDN Expert Group Seminar - Session2
 
Banv meetup-contrail
Banv meetup-contrailBanv meetup-contrail
Banv meetup-contrail
 
Enabling SDN for Service Providers by Khay Kid Chow
Enabling SDN for Service Providers by Khay Kid ChowEnabling SDN for Service Providers by Khay Kid Chow
Enabling SDN for Service Providers by Khay Kid Chow
 
Service Provider Architectures for Tomorrow by Chow Khay Kid
Service Provider Architectures for Tomorrow by Chow Khay KidService Provider Architectures for Tomorrow by Chow Khay Kid
Service Provider Architectures for Tomorrow by Chow Khay Kid
 
Cisco Connect 2018 Thailand - Software defined access a transformational appr...
Cisco Connect 2018 Thailand - Software defined access a transformational appr...Cisco Connect 2018 Thailand - Software defined access a transformational appr...
Cisco Connect 2018 Thailand - Software defined access a transformational appr...
 
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
 
NSX, un salt natural cap a SDN
NSX, un salt natural cap a SDNNSX, un salt natural cap a SDN
NSX, un salt natural cap a SDN
 
The Data Center Network Evolution
The Data Center Network EvolutionThe Data Center Network Evolution
The Data Center Network Evolution
 
Simplifying the secure data center
Simplifying the secure data centerSimplifying the secure data center
Simplifying the secure data center
 
VMworld 2013: Case Study: VMware vCloud Ecosystem Framework for Network and S...
VMworld 2013: Case Study: VMware vCloud Ecosystem Framework for Network and S...VMworld 2013: Case Study: VMware vCloud Ecosystem Framework for Network and S...
VMworld 2013: Case Study: VMware vCloud Ecosystem Framework for Network and S...
 
Colt's L3 VPN Evolution: Towards Hybrid MPLS and SD WAN
Colt's L3 VPN Evolution: Towards Hybrid MPLS and SD WAN Colt's L3 VPN Evolution: Towards Hybrid MPLS and SD WAN
Colt's L3 VPN Evolution: Towards Hybrid MPLS and SD WAN
 

Recently uploaded

Recently uploaded (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

Security at the Speed of the Network

  • 1. Security at the Speed of the Network: Automating and Accelerating Security Through SDN and NfV BRKSEC-2760 Hantzley Tauckoor – CISSP #472723, CCDE #2015::43 Consulting Systems Engineer – MANO & Programmability Global Virtual Engineering, Cisco Systems
  • 2. ./about_me Hantzley Tauckoor Consulting Systems Engineer – MANO & Programmability Global Virtual Engineering, Cisco Systems linkedin.com/in/hantzley Twitter: @hantzley htauckoo@cisco.com
  • 3. • Security from the Service Provider perspective • Putting SDN/NFV to work – DDoS • Automating Security in the SP Data Centre • Generating new revenue streams with hosted security services • SDN & NFV Infrastructure Security • Summary Agenda
  • 4. • Security from the Service Provider perspective • Putting SDN/NFV to work - DDoS • Automating Security in the SP Data Centre • Generating new revenue streams with hosted security services • SDN & NFV Infrastructure Security • Summary Agenda
  • 5. Security from the Service Provider Perspective
  • 6. Trends: New Opportunities … The world has gone mobile; traffic growth, driven by video; rise of cloud computing; machine-to-machine. Changing customer expectations: ubiquitous access to apps & services. 10X mobile traffic growth from 2013-2019. Changing enterprise business models: efficiency & capacity. Soon to change SP architectures / service delivery. Emergence of the Internet of Everything: people, process, data, things. [Chart: global IP traffic in petabytes per month, 2013-2018, split into Internet Video (57%, 75%) and Other (43%, 25%); 23% global CAGR 2013-2018.] Dynamic threat landscape: increasing threat sophistication; risks to service providers and their customers
  • 7. Your Customers Are Being Attacked By DDoS
  • 8. 2015 Verizon Data Breach Investigations Report Compromise Detection ~ 84% of initial compromises completed within hours ~ 65% of initial compromises undetected for months
  • 9. Legacy Security: Costly & Complex Siloed Inefficient Manual Limited integration, security gaps Hard-coded processes Over-provisioned, static, and slow Hinders realization of open and programmable networks
  • 10. SDN Automation: The Speed of The Network. Attack continuum: BEFORE, DURING, AFTER; Control, Visibility, Threat Analytics
  • 11. How Automated Are You Today? Attack continuum: BEFORE, DURING, AFTER; Control, Visibility, Threat Analytics; rated Automated vs. Manual
  • 12. Managing The Threat Lifecycle: Protecting the Infrastructure and Offering Elastic Managed Services. Orchestration: VMS Cloud Services Orchestration (real-time application of the right service, in the right place, at the right time); Quantum WAVE WAN Orchestration (real-time topology and service health information). Attack Continuum: BEFORE (Control, Enforce, Harden), DURING (Detect, Block, Defend), AFTER (Scope, Contain, Remediate). Services: Firewall, NGFW, NAC + Identity Services, VPN, UTM, NGIPS, Web Security, Email Security, Advanced Malware Protection, Network Behaviour Analysis, Visibility, Context, Autonomics and BCPs, DDoS Visibility/Mitigation Services, Forensic Analytics. HSS: UBIqube – MS Activator Security Domain Management
  • 13. Anatomy of the SP network. Segments: Access (Mobile, Residential, Business; CMTS, DSLAM, Cell Site Router), Aggregation/Transport, Service Edge, Core, Data Center, Enterprise WAN, Video Dist. Security features placed across these segments: MACsec; Volumetric DDoS; VPN; FW, VPN, CGNAT, NGIPS, AMP; Mobile Inspection; MACsec, FW, VPN, NGIPS, AMP; App DDoS; FW, VPN, NGIPS, AMP, Volumetric DDoS; App DDoS. SP Security Best Practices - http://tools.cisco.com/security/center/serviceProviders.x?i=76
  • 14. Security for Open & Programmable Networks. Cisco Service Provider Architecture: Applications & Services; Evolved Services Platform (Orchestration Engine, Catalog of Virtual Functions, Service Profile, Service Broker); Evolved Programmable Network (Compute, Storage, Network); Cisco Services (Smart Service Capabilities); Open APIs between the layers; Security across the whole stack. Benefits: new revenue streams, increased business agility, lower operating costs
  • 16. Programmability Across Multiple Controllers App APIC Controller App Data Centre APIC-EM / WAE Controller Threat Defense Security Policy Service Orchestrator Campus / WAN
  • 17. A Plethora of Controllers APIC Cloud Orchestration Objective: Extend OpenStack Neutron’s networking model with new policy APIs Openstack “Sister-project” to group based policy in OpenDaylight SDN Controller Under Linux Foundation Security extensions Common vendor supported framework WAE Traffic Optimization Monitor for path constraint violations Automate network changes to ensure path compliance Service Chaining Application Network Flow Profile SLA, Security, QoS, Load Balancing User/Things Network Profile QoS, Security, SLA, Device, Location, Role Open Source Projects Data Center Campus WAN VTS Overlay Automation
  • 18. Offering Service System Product HW Appliance Virtualise existing functions SAAS-based solutions Implementation Can be leveraged to offer SAAS SP infrastructure services transitioning to NFV SP Video GWs CPE Mobile services Ent Managed Services IAAS Transition to All-virtualised Services? Drivers: • Reducing total OpEx and CapEx • Increased service velocity and agility • Increasing revenue SP Video GWs CPE Mobile services Ent Managed Services L2 / L3 VPN IAAS All SP services are virtualising … Some services move straight to SAAS HCS Scansafe Webex2 SDVPN SP Video HCS
  • 19. Network Function Virtualization
    • Movement of network functions to the cloud: control, services and data plane components
    • NFV is not applicable to all network applications; however, most service functions are in the frame, while high-performance plumbing is not at the moment
    • NFV is an architecture rather than simply virtualizing functions: virtual services, compute; service chaining, overlays; orchestration and redirection
    • Covers a number of use cases. See also: http://www.etsi.org/deliver/etsi_gs/NFV/001_099/002/01.01.01_60/gs_NFV002v010101p.pdf
  • 20. Evolving The Network Software Stack … Application Software Infrastructure Software Embedded Software Network OS: IOS-XE, NX-OS, … Plugins: Puppet, Guest shell,… Orchestration: NSO, .. Management: Prime, .. Optimization: WAE, .. Base OS: Linux, … Base Control Infrastructure virtual physical Protocols: IETF, IEEE, … Unified Communications … CCS Evolved VPN: CloudVPN,… Custom Apps
  • 21. Summary: The Building Blocks. Service Orchestration: automation, provisioning and interworking of physical and virtual resources. SDN: separation of control and data plane, controllers. NFV: network functions and software running on any open standards-based hardware. Traditional: distributed control plane components, physical entities
  • 22. • Security from the Service Provider perspective • Putting SDN/NFV to work - DDoS • Automating Security in the SP Data Centre • Generating new revenue streams with hosted security services • SDN & NFV Infrastructure Security • Summary Agenda
  • 23. Putting SDN/NFV to Work: Security Services Virtualization & SDN DDoS Mitigation
  • 24. Distributed Denial of Service Attack Mitigation Controller
  • 25. Distributed Denial of Service Attack Mitigation Controller Traffic Statistics
  • 26. Distributed Denial of Service Attack Mitigation Controller DoS Traffic Statistics
  • 27. Distributed Denial of Service Attack Mitigation Controller DoS Traffic Statistics Traffic Redirection
  • 28. Distributed Denial of Service Attack Mitigation Controller DoS Traffic Statistics Traffic Redirection
  • 29. Cisco ASR 9000 vDDoS Protection Arbor Networks Threat Management System (TMS) ASR 9000 with Virtual Services Module (VSM) Cisco ASR 9000 vDDoS Protection “Powered By Arbor Networks” Architectural Superiority Unified Management Scalable Performance Reduced OPEX Flexible Deployment
  • 30. ASR 9000 vDDoS Solution Components: virtualized Arbor Peakflow SP, ASR 9000, ASR 9000 VSM running vDDoS SW, licenses
    • Virtualized Peakflow SP (DDoS detection): collects flow records; detects abnormal network behavior and triggers alerts; can influence the routing, injecting BGP routes in the network; supports BGP FlowSpec as a controller; sets up and monitors the TMS remotely
    • Virtual DDoS SW running on the A9K VSM (DDoS mitigation): configured by the SP, receives diverted traffic and proceeds to in-depth packet analysis; discards the attack packets and transmits the legitimate ones; provides real-time monitoring info to operators
  • 31. How Peakflow works? Topology: peering points, core router, ASR 9K PE, Arbor Peakflow SP6000, Enterprise A/B/C behind the PEs. 1 – Anomaly detection; 2 – Volumetric DDoS: ACL, BGP FlowSpec; 3 – L4-L7 DDoS: redirect to ASR 9K for intelligent mitigation; 4 – Identify and filter the malicious requests; 5 – Forward the legitimate traffic: GRE, MPLS, …
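The five-step Peakflow workflow above, as an added example that is not Cisco's or Arbor's code: a small Python model of the detection controller that aggregates constructed flow records per protected prefix, flags a deviation from a learned baseline, and chooses between an edge FlowSpec-style rate-limit for volumetric attacks and a redirect to the scrubber (with GRE return) for L4-L7 attacks. The record shape, thresholds, prefix mapping and the scrubber name are assumptions; the action dicts are a controller-side representation, not the FlowSpec wire format.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One exported flow record (constructed shape, not a NetFlow/IPFIX parser)."""
    src: str
    dst: str
    proto: int    # 6 = TCP, 17 = UDP
    dport: int
    packets: int
    octets: int


# Learned per-prefix baselines in bits/s and packets/s (constructed values;
# a real collector derives them from flow history).
BASELINE_BPS = {"203.0.113.0/24": 200_000_000,
                "198.51.100.0/24": 200_000_000,
                "192.0.2.0/24": 200_000_000}
BASELINE_PPS = {"203.0.113.0/24": 20_000,
                "198.51.100.0/24": 20_000,
                "192.0.2.0/24": 20_000}

ANOMALY_FACTOR = 5.0       # deviation from baseline that raises an alert
SMALL_PACKET_OCTETS = 100  # average size typical of SYN / small-request floods
SCRUBBER = "asr9k-vsm-1"   # hypothetical name for the VSM running the vDDoS software


def prefix_of(ip):
    """Map a destination address to its protected /24 (constructed simplification)."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def aggregate(flows, interval_s):
    """Summarise flow records per protected prefix over one collection interval."""
    per_prefix = defaultdict(lambda: {"packets": 0, "octets": 0, "top": defaultdict(int)})
    for f in flows:
        agg = per_prefix[prefix_of(f.dst)]
        agg["packets"] += f.packets
        agg["octets"] += f.octets
        agg["top"][(f.proto, f.dport)] += f.packets   # heaviest (proto, port) pair
    result = {}
    for prefix, agg in per_prefix.items():
        proto, dport = max(agg["top"], key=agg["top"].get)
        result[prefix] = {"bps": agg["octets"] * 8 / interval_s,
                          "pps": agg["packets"] / interval_s,
                          "avg_octets": agg["octets"] / agg["packets"],
                          "proto": proto, "dport": dport}
    return result


def classify(prefix, s):
    """Step 1, anomaly detection: volumetric, application-layer, or normal."""
    if s["bps"] > ANOMALY_FACTOR * BASELINE_BPS[prefix]:
        return "volumetric"
    if s["pps"] > ANOMALY_FACTOR * BASELINE_PPS[prefix] and s["avg_octets"] < SMALL_PACKET_OCTETS:
        return "app-layer"
    return "normal"


def decide(prefix, s):
    """Steps 2-5: choose the mitigation. The returned dict is a controller-side
    representation of the action, not the BGP FlowSpec wire encoding."""
    kind = classify(prefix, s)
    if kind == "volumetric":
        # Step 2: police at the edge with a FlowSpec rule (RFC 5575 traffic-rate
        # action); the rate is the learned baseline so legitimate load still fits.
        return {"kind": kind, "action": "flowspec-rate-limit",
                "match": {"dst": prefix, "proto": s["proto"], "dport": s["dport"]},
                "rate_bps": BASELINE_BPS[prefix]}
    if kind == "app-layer":
        # Steps 3-5: divert the prefix to the scrubber for L4-L7 analysis and
        # return the legitimate traffic over a GRE tunnel.
        return {"kind": kind, "action": "redirect", "match": {"dst": prefix},
                "target": SCRUBBER, "return_path": "gre"}
    return {"kind": kind, "action": "none", "match": {"dst": prefix}}


def run(flows, interval_s=10):
    """Evaluate one collection interval; returns the decision per prefix."""
    return {p: decide(p, s) for p, s in aggregate(flows, interval_s).items()}


# Constructed 10-second sample: a UDP flood, a small-packet HTTP flood and
# ordinary traffic, all toward documentation address ranges.
SAMPLE_FLOWS = [
    Flow("192.0.2.77", "203.0.113.10", 17, 53, 1_000_000, 1_400_000_000),   # ~1.12 Gb/s
    Flow("198.51.100.9", "203.0.113.10", 6, 443, 2_000, 2_000_000),
    Flow("203.0.113.200", "198.51.100.20", 6, 80, 2_000_000, 120_000_000),  # 200 kpps, 60 B avg
    Flow("203.0.113.201", "192.0.2.30", 6, 443, 100_000, 100_000_000),      # 10 kpps, 80 Mb/s
]

if __name__ == "__main__":
    for prefix, decision in run(SAMPLE_FLOWS).items():
        print(prefix, decision)
```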
  • 33. Legacy Security: Siloed, Inefficient & Expensive. A data packet passes serially through separate platforms: DDoS, SSL, FW, WAF, IPS, Sandbox. Result: reduced effectiveness, increased latency, slows the network, static & manual
  • 34. Cisco Transforms Security Service Integration. Siloed (legacy): the data packet traverses separate DDoS, SSL, FW, WAF, IPS and Sandbox platforms; limited effectiveness, increased latency, slows the network, static & manual. Unified Platform (Cisco): the data packet traverses integrated DDoS, SSL, FW, WAF, NGIPS and AMP services; maximum protection, highly efficient, scalable processing, dynamic. Key: Cisco service, 3rd party service
  • 35. Carrier-Class Firepower 9300 Platform High-Speed, Scalable Security Modular Multi-Service Security Benefits • Integration of best-of-breed security • Dynamic service stitching Features* • ASA container • Firepower Threat Defense containers • NGIPS, AMP, URL, AVC • 3rd Party containers • Radware DDoS • Other ecosystem partners Benefits • Standards and interoperability • Flexible Architecture Features • Template driven security • Secure containerization for customer apps • Restful/JSON API • 3rd party orchestration/management Benefits • Industry Leading Performance / RU • 600% Higher Performance • 30% higher port density Features • Compact, 3RU form factor • 10G/40G I/O; 100G ready • Terabit backplane • Low latency, Intelligent fastpath • NEBS ready NEW
  • 36. Security Services Architecture Supervisor Ethernet 1/1-8 Ethernet 2/1-4 ASA Cluster Security Module 1 Ethernet 3/1-4 Security Module 2 Security Module 3 Application Image Storage PortChannel1 DDoS DDoS DDoS Ethernet1/7 (Management) Data Inside Logical Device Logical Device Unit Link Decorator Application Connector External Connector Primary Application Decorator Application On-board 8x10GE interfaces 4x40GE NM Slot 1 4x40GE NM Slot 2 Logical Packet Flow PortChannel1 ASA ASA ASA Data Outside Radware Vision Manager Chassis Manager & ASDM
  • 37. Cisco DDoS Positioning SP SP Radware Defense Pro Threat Defense Firepower 9300 Radware Vision SP Scrubbing Center Various 3rd Party Options for Hosted : Arbor Cloud, Radware Cloud, Prolexic /Akamai Radware Defense Pipe • Complete DDoS system can be complemented w/Cisco Lancope Threat Defense SP Edge Router Based DDoS with ASR – • (Volumetric) on ASR 9K + VSM+ Arbor TMS Peak Flow . SP Backbone detection and mitigation SP ASR PE w/PeakFlow MSSP Services • Various 3rd Party Options for Hosted Services Firepower 9300 Mobile users SP Mobility Edge w/FP 9300 and Radware DDoS Applications, Services & Databases Data Center Data Center FW Based DDoS with Firepower 9300 • Firepower 9300 + SM running Radware Defense Pro • Application Attack detection and mitigation
  • 38. Recap - Cisco DDoS Offerings for Service Provider
    • Arbor TMS on ASR9k: DDoS target is bandwidth; volumetric attacks; part of the SP Clean Pipes solution; traffic diverted to the scrubber within the router backplane; clean traffic reinjected locally; additional Arbor products can protect enterprise assets
    • Radware vDP on FP9300: DDoS target is the firewall and the devices behind it, NOT bandwidth; vDP sits inline and sees all traffic going to the firewall; other Radware capabilities in the cloud can help with bandwidth-based attacks
  • 39. • Security from the Service Provider perspective • Putting SDN/NFV to work - DDoS • Automating Security in the SP Data Centre • Generating new revenue streams with hosted security services • SDN & NFV Infrastructure Security • Summary Agenda
  • 40. Automating Security in the SP Data Centre
  • 41. Cisco SDN: Providing Choice in Automation and Programmability. Programmable Network: modern NX-OS with enhanced NX-APIs; automation ecosystem (Puppet, Chef, Ansible etc.); common NX-API across N2K-N9K. Programmable Fabric: VXLAN-BGP EVPN standards-based; 3rd party controller support; VTS for software overlay provisioning and management across N2K-N9K. Application Centric Infrastructure: turnkey integrated solution with security, centralized management, compliance and scale; automated application-centric policy model with embedded security; broad and deep ecosystem. Target segments: mass market (commercial, enterprises, public sector), service providers, mega scale datacenters
  • 42. Introducing Application Centric Infrastructure. APIC: centralized policy management; open APIs, open source, open standards; fabric automation; application network profile. ACI ecosystem partners: orchestration frameworks, hypervisor management, systems management (OVM), enterprise monitoring. End points physical & virtual; physical networking (Nexus 2K, Nexus 7K); hypervisors and virtual networking; compute; L4–L7 services; storage; multi-DC, WAN and cloud; integrated WAN edge
  • 43. Typical Service Chain • Full abstraction within the service chain • Every device only knows its function and exchanges packets with the fabric as instructed • High degree of modularity with low coupling, specific devices are interchangeable • ACI maintains flow symmetry through the same device instance SSL Firewall Policy rules, NAT, Inspection IPS Analyzer EPG “Users” EPG “Web” EPG “Files”
  • 44. ACI and OpenStack OpenStack Orchestration Cisco ACI Controller 1 Controller 2 Controller 3 Hypervisor Multi-vendor Open Source APIC Plugins APIC Nexus 9000 Open vSwitch OpFlex Project 2 v m v m v m v m Hypervisor vm4 Project 1 Project 2 Project 3 vm5 vm6 vm3 vm4 vm4 vm5 vm6 Hypervisor vm4 Project 1 Project 2 Project 3 vm5 vm6 vm3 vm4 vm4 vm5 vm6 Project 1 v m v m v m v m Project 3 v m v m v m v m Plugin Plugin Plugin OpFlex OpFlex
  • 45. Virtual Topology System (VTS) Introduction Automated DCI / WAN VM OS VM OS NX-API Netconf/ YANG Physical ToR Virtual Overlay DCI/WAN Bare Metal workload Virtualized workload BGP-EVPN VXLAN Fabric VTS VTS for overlay provisioning and management across Virtual Overlays and Physical Fabric (Cisco Nexus & multivendor) Flexible Overlays Open and Programmable Automated Scalable VXLAN Mgmt. Seamless Integration with Orchestrators Automated Overlay Provisioning Automated DCI/WAN Integration REST-Based Northbound APIs Multi-protocol Support Multi-hypervisor Support MP-BGP EVPN Control Plane Virtual Tenant Networks High Performance Virtual Forwarding Physical and Virtual Overlays Bare-metal and Virtualized Workloads Service Chaining VMware vCenter REST API GUI Cisco Network Services Orchestrator (Tail-f)
  • 46. • Security from the Service Provider perspective • Putting SDN/NFV to work - DDoS • Automating Security in the SP Data Centre • Generating new revenue streams with hosted security services • SDN & NFV Infrastructure Security • Summary Agenda
  • 47. Generating new revenue streams with Hosted Security Services
  • 48. Evolution of Security Services: Premise to Cloud. Deployment models: CPE, Managed CPE, Hybrid, Cloud. Functions shown across the models: NGFW, VPN, IPS, WEB, EMAIL, MALWARE, CONTEXT, SWITCHING, NAT, DHCP, AP, VOICE, ROUTING, with the security functions moving from the customer premise to the SP cloud
  • 49. Market Opportunity: Cloud Service Delivery Shows Higher Growth, but CPE Based Still Growing. © 2015 IHS / Infonetics Research: Cloud and CPE Managed Security Services Market Size and Forecasts; March 2015. [Two charts: Worldwide CPE-Based Service Revenue Share by Technology and Worldwide Cloud-Based Service Revenue Share by Technology; revenue in US$ billions, CY10-CY19; categories IDS/IPS, DDoS mitigation, other security services, managed firewalls.]
  • 50. Cloud Based Security Service Offerings Cisco Managed Security Cloud SP Hosted Security Cloud VPN, FW, NGFW, NGIPS, AMP, Web Security, Email Security as a Service NGFW VPN IPS WEB EMAIL MALWARE CONTEXT W W W Cloud Web Security (CWS) Cloud Email Security (CES) WEB EMAIL W W W Pre-Packaged NFV Security Service Bundles (vMS) A La Carte Hosted Security as a Services (HSS) SP/MSSP Resell to Enterprises SaaS or Hosted
  • 51. Hosted Security as a Service Architecture. Security service examples: FWaaS – Firewall as a Service; VPNaaS – Virtual Private Networking as a Service; NGFW/IPSaaS – Next Generation Firewall and Intrusion Prevention System as a Service; WSaaS – Web Security as a Service; ESaaS – Email Security as a Service; IDaaS – Identity as a Service; DDoSaaS – Distributed Denial of Service as a Service. Infrastructure: hypervisor, compute, storage. Services layer: Tenant 1 (WSaaS, FWaaS), Tenant 2 (ESaaS, WSaaS, FWaaS), Tenant 3 (FWaaS, IDaaS), plus NGFW/IPSaaS and VPNaaS. Orchestration layer: policy, analytics, reporting
  • 52. Feature Category Service Tiers Bronze Silver Gold NAT Address Translation Stateful Inspection High Availability Advanced Management Firewall-aaS Tiers Example Included BEFORE DURING AFTER
  • 53. Category Feature Service Tiers Bronze Silver Gold NAT Address Translation NAT / PAT Stateful Inspection L3 firewall Transparent firewall Proxy authentication Application hosting private zone Application control (IM, peer to peer) Voice security support High availability Within SP data centre Between SP data centres Management Customer self service portal Streamlined management Auto generated reporting Custom reporting Data log retention (1 month) Extended data log retention (> 1 month) Firewall-aaS Tiers Example Included Option Reference Slide BEFORE DURING AFTER
• 54. VPNaaS Tiers Example, reference slide (tiers Bronze / Silver / Gold): customer site to cloud IPsec VPN service, remote access VPN, high availability, advanced management
• 55. Web Security-aaS Tiers Example, reference slide (tiers Bronze / Silver / Gold): real-time threat protection services, acceptable use services, policy control, high availability, advanced management
• 56. Email Security-aaS Tiers Example, reference slide (tiers Bronze / Silver / Gold): inbound email protection, outbound email protection, policy control, high availability, advanced management
• 57. NGFW/IPSaaS Tiers Example, reference slide (tiers Bronze / Silver / Gold): application visibility and control (NGFW), threat protection (NGIPS), high availability, advanced management
  • 58. Hosted Security as a Service (HSS)
• 59. HSS Architecture
  • Delivered from the service provider's infrastructure
  • UBIqube MSActivator used as the Security Domain Manager
  • Orchestration software interfaces with the native appliance configuration mechanisms
  • All customer data lives inside the SP cloud environment
  • Security in virtual form factor available today
  • Infrastructure layer: VMware ESXi, Cisco UCS, storage
  • Services layer: per-tenant virtual appliances (WSAv, ESAv, ASAv, CSR1Kv)
  • Orchestration layer: policy, analytics, reporting, integrated with the SP's existing orchestration, reporting and billing infrastructure through provisioning, reporting and billing APIs
• 60. VSA 1.0 Expanded Gold Container, customer-hosted email inbound flow
  [Topology diagram: the tenant site (AD, DNS, MS Exchange) reaches the SP over MPLS VPN or IPsec VPN into a customer VRF on an ASR9000; a Nexus 5000/7000/9000 L2 fabric carries a shared transit VLAN and per-tenant VLANs; the tenant container is an ASAv (interfaces gi0/2 to gi0/7 plus mgt 0/0) fronting a Tenant 1 private zone (private tier 1, 2 and 3 VMs) and a Tenant 1 DMZ zone with ESAv and WSAv, all virtual machines on UCS; global SP management holds UBIqube, vCenter and an ASA5585-X. Redundant nodes not shown.]
• 61. VSA 1.0 Expanded Gold Container, SP-hosted email inbound flow
  [Same topology as slide 60, except that MS Exchange is hosted inside the SP cloud rather than at the customer site, so inbound Internet mail passes through the ESAv in the tenant DMZ zone before reaching the private zone (tier 2 and tier 3 VMs). Redundant nodes not shown.]
• 62. VMDC 2.3 Expanded Gold Container
  [Topology diagram: customer site (AD, DNS, MS Exchange) over MPLS VPN to a customer VRF on an ASR1006; Nexus 7004 with customer private outside and inside VRFs and a global customer DMZ VRF; ASA5585-X customer private and DMZ contexts, with an ASA5555 for remote access VPN; Citrix/F5 load balancers and UCS-hosted VMs in a private zone (3 VLANs) and two DMZs (1 VLAN each); shared transit VLAN and per-tenant VLANs; SP management with UBIqube, vCenter, ESAv and WSAv. Redundant nodes not shown.]
• 63. HSS Security Domain Manager: UBIqube MSActivator
  • Northbound: web portal GUI, service profiles, service designer (templates and objects), web services API and order stack for third-party OSS/BSS
  • Mediation layer (OBMF) with device adaptors and a device adaptor SDK; adaptor verbs: update configuration, restore configuration, get asset, update firmware
  • Southbound interfaces: SSH, Telnet, SNMP, Syslog, HTTP, FTP, OpenFlow, NetFlow, TR-069; VoIP devices managed through the same adaptors
• 65. vMS (CloudVPN) at a Glance
  • Rapid provisioning and operations portal
  • Standard YANG models
  • All customer data lives inside the SP cloud environment
  • Physical appliances plus virtual services chained together
  • Orchestration of network and service topology
  • Service lifecycle management, elasticity and workload placement
  • IPv6 deployed here
  • Infrastructure layer: KVM, compute, storage; services layer: per-tenant CSR1Kv, ASAv, IPSv, ESAv, WSAv and vDDoS instances; orchestration layer: policy, network and service analytics, reporting, provisioning and service lifecycle management, integrated with the SP's existing orchestration, reporting and billing infrastructure through provisioning, reporting and billing APIs
• 66. vMS Architecture: A Deeper Look
  [Architecture diagram: operator and end-user portals (service design, my designs, my deployments, deployment wizard with scope selection) and BSS systems drive NSO, the NFV orchestrator, over RESTCONF; NSO holds service models and device models in ConfD and maps services to device configuration with FASTMAP (reactive FASTMAP for lifecycle-driven changes); NEDs push configuration to the IP/MPLS WAN and to enterprise ISR CPE; ESC, the VNF manager, handles VNF lifecycle on x86 in the data centre; OpenStack is the virtual infrastructure manager, with an SDN controller for connectivity; example VNFs are VR_CSR (virtual router) and VFW_vASA (virtual firewall). Lifecycle: create, deliver, operate, optimize.]
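The FASTMAP box in the diagram above is the piece worth seeing in code. NSO's documented approach is that the service-to-device mapping is written once, for the create case; the orchestrator records what the mapping produced, and modify and delete are derived by diffing the new render against the stored one rather than hand-coded. The block below is an added illustration of that idea, not NSO or ConfD code: a CloudVPN-style service record (tenant, sites, optional web security) is rendered into per-device configuration lines, and every change, deletion included, becomes a create/delete list computed from the previous render. The device names (csr1kv-<tenant>, asav-<tenant>, wsav-<tenant>) and the configuration line syntax are illustrative placeholders, not IOS, ASA or WSA command syntax.

```python
"""Simplified FASTMAP-style service-to-device mapping (added example, not NSO code)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Config = Dict[str, Set[str]]            # device name -> set of config lines
Op = Tuple[str, str, str]               # ("create" | "delete", device, line)


@dataclass(frozen=True)
class CloudVpnService:
    name: str
    tenant: str
    sites: Tuple[Tuple[str, str], ...]  # (site name, site public IP)
    web_security: bool = False


def render(svc: CloudVpnService) -> Config:
    """Mapping for the create case only. Device names and line syntax are
    illustrative placeholders; a real mapping emits YANG-modelled device config."""
    cfg: Config = {}
    vr = f"csr1kv-{svc.tenant}"
    cfg[vr] = set()
    for site, ip in svc.sites:
        cfg[vr].add(f"vpn-peer {svc.name} {site} {ip}")
        cfg[vr].add(f"tunnel {svc.name}-{site} destination {ip}")
    cfg[f"asav-{svc.tenant}"] = {f"nat-policy {svc.name} inside->outside dynamic"}
    if svc.web_security:
        cfg[f"wsav-{svc.tenant}"] = {f"web-policy {svc.name} tenant {svc.tenant}"}
    return cfg


def diff(old: Config, new: Config) -> List[Op]:
    """Derive device operations from two rendered configs. Deletes come before
    creates so a changed line is removed before its replacement is pushed."""
    ops: List[Op] = []
    for dev in sorted(set(old) | set(new)):
        before, after = old.get(dev, set()), new.get(dev, set())
        ops += [("delete", dev, line) for line in sorted(before - after)]
        ops += [("create", dev, line) for line in sorted(after - before)]
    return ops


class ServiceStore:
    """Keeps the last rendered config per service; that stored render is what
    makes modify and delete derivable without a second mapping function."""

    def __init__(self) -> None:
        self._rendered: Dict[str, Config] = {}

    def apply(self, svc: CloudVpnService) -> List[Op]:
        old = self._rendered.get(svc.name, {})
        new = render(svc)
        ops = diff(old, new)
        self._rendered[svc.name] = new  # a real orchestrator commits this only after the push succeeds
        return ops

    def delete(self, name: str) -> List[Op]:
        return diff(self._rendered.pop(name, {}), {})


if __name__ == "__main__":
    store = ServiceStore()
    v1 = CloudVpnService("acme-vpn", "acme",
                         (("hq", "203.0.113.10"), ("branch", "198.51.100.7")))
    for op in store.apply(v1):
        print(op)
    # Drop the branch site and add web security: only the delta is pushed.
    v2 = CloudVpnService("acme-vpn", "acme", (("hq", "203.0.113.10"),), web_security=True)
    for op in store.apply(v2):
        print(op)
    for op in store.delete("acme-vpn"):
        print(op)
```

The point to take from this is the transactional shape: because the orchestrator owns the previous render, a service deletion is just the diff against an empty config, and a partial modification (one site removed, one feature added) touches only the devices whose lines changed, which is what keeps a multi-tenant service chain safe to re-deploy.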
• 67. vMS Release 2.0: Delivering Comprehensive Cloud VPN Services
  • Cloud VPN services: three service models for enterprise deployment flexibility: CloudVPN Foundation, CloudVPN Advanced, and CloudVPN Advanced with Web Security; vIPS option for both Advanced models
  • CSR1Kv: virtual router for site-to-site VPN with a secure IP overlay, using FlexVPN/IKEv2 for the IPsec tunnels; the Foundation service gives direct Internet access via split tunnel
  • ASAv: virtual firewall with NAT and policy (*)
  • ASAv: virtual firewall with IPsec/SSL remote access (*)
  • WSAv for enhanced web security (*)
  • Management and orchestration: enterprise admin service interface (portal) driven service instantiation; zero-touch (PnP) deployment of enterprise CPE (ISR G2); model-driven network service lifecycle management with Network Services Orchestrator (NSO) from Tail-f; VNF lifecycle management with Elastic Services Controller (ESC); virtual infrastructure management with OpenStack, featuring OVS and ODL/VPP as SDN controllers
  [Diagram: CPE for customers A, B and C connect over the Internet (over-the-top access, FlexVPN links) to per-tenant virtual routers (VR) and ASA instances in the SP cloud; NSO drives the PnP RFS, VirTo RFS and CPE managed-orchestration link, with ESC and OpenStack underneath]
• 68. vMS Service Bundles
  • (1) Internet Access (IA), FWaaS, VPNaaS: CSR1Kv, vASA with NAT, firewall and remote access
  • (2) IA, FWaaS, VPNaaS and WSaaS: CSR1Kv, vASA, vWSA
  • (3) IA, FWaaS, VPNaaS and next-generation IPSaaS: CSR1Kv, vASA, vWSA, vNG-IPS (Sourcefire)
  • (4) IA, FWaaS, VPNaaS and IdentityaaS: CSR1Kv, vASA, vISE with NAT, BYOD, policy, TrustSec
  • (5) IA, FWaaS, VPNaaS and ESaaS: CSR1Kv, vASA, vESA
  • (6) IA, FWaaS, VPNaaS and DDoSaaS
  • Flexibility for other variations based on marketing needs
  • 71. SDN & NfV Infrastructure Security
• 72. SDN Security Components
  • SDN applications: security application, third-party applications, identity, security and network services; Cisco Cloud Threat Defence
  • Service abstraction layer and plugins: OpenFlow, NETCONF, I2RS, CLI, a security plugin and pxGrid
  • SDN security infrastructure: Identity Services Engine; Next-Generation Defence Centre, PRSM, CSM; visibility
• 73. Threat Defence Services
  • Network capabilities, selected per application view: targeted blocking, targeted inspection, targeted rate limiting, targeted packet capture, targeted file capture, targeted confinement, targeted enforcement
  • Delivered through OpenFlow, NETCONF and the security plugin, using VLAN, SGT (from ISE) and VXLAN as the segmentation primitives
• 74. Security Services Through SDN: audit, recording, monitoring, inspection, rate limiting, DDoS scrubbing, quarantine, active web firewall, blocking. Goals: effective, timely, non-invasive.
• 75. Network Controller Reconciles Mitigations Against the Needs of Mission-critical Applications: the controller takes the mitigations requested by the security system on one side and the application and network requirements on the other, and decides what action is actually pushed into the network.
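What "reconciles" means in practice, as an added example and not Cisco controller code: the security system asks for a set of mitigations, the network side declares which application flows are mission-critical and the strongest action it will tolerate against them, and the controller caps each mitigation to that ceiling before turning it into a flow rule, recording every downgrade for the analyst. The Mitigation and CriticalApp records, the severity ordering, the rule that an action may only be weakened and the OpenFlow-style action strings are assumptions made for this example; the addresses are RFC 5737 documentation ranges.

```python
"""Reconciling requested mitigations with mission-critical application
requirements (added example; the policy model is an assumption)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed severity ordering: the controller may weaken an action, never strengthen it.
SEVERITY = {"inspect": 1, "rate_limit": 2, "block": 3, "quarantine": 3}

# Assumed mapping to OpenFlow-style actions; the strings are illustrative.
FLOW_ACTION = {
    "inspect": "output:ids_mirror",
    "rate_limit": "meter:1",
    "block": "drop",
    "quarantine": "set_vlan:quarantine,output:normal",
}


@dataclass(frozen=True)
class Mitigation:
    action: str
    src: str                      # host or CIDR named by the security system
    dst: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class CriticalApp:
    name: str
    dst_net: str
    port: int
    max_action: str               # strongest action tolerated against this app's traffic


def overlaps(a: str, b: str) -> bool:
    return ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))


def reconcile(mitigations: List[Mitigation], apps: List[CriticalApp]
              ) -> Tuple[List[Mitigation], List[Tuple[Mitigation, str, str]]]:
    """Return the mitigations to apply plus an audit list of (original, app, capped_to)."""
    applied, downgraded = [], []
    for m in mitigations:
        cap = m.action
        for app in apps:
            # A mitigation touches the app if its destination overlaps the app's
            # network and it is either port-agnostic or aimed at the app's port.
            if overlaps(m.dst, app.dst_net) and m.dst_port in (None, app.port):
                if SEVERITY[app.max_action] < SEVERITY[cap]:
                    downgraded.append((m, app.name, app.max_action))
                    cap = app.max_action
        applied.append(Mitigation(cap, m.src, m.dst, m.dst_port))
    return applied, downgraded


def to_flow(m: Mitigation, priority: int = 1000) -> dict:
    """Render one mitigation as an OpenFlow-style rule (illustrative field names)."""
    match = {"nw_src": m.src, "nw_dst": m.dst}
    if m.dst_port is not None:
        match["tp_dst"] = m.dst_port
    return {"priority": priority, "match": match, "actions": FLOW_ACTION[m.action]}


if __name__ == "__main__":
    apps = [
        CriticalApp("voice", "10.10.0.0/24", 5060, "rate_limit"),
        CriticalApp("billing", "10.20.0.0/24", 443, "inspect"),
    ]
    requested = [                       # constructed sample input
        Mitigation("block", "192.0.2.0/24", "10.10.0.0/24", 5060),
        Mitigation("block", "192.0.2.0/24", "10.30.0.0/24"),
        Mitigation("quarantine", "192.0.2.77", "0.0.0.0/0"),
    ]
    applied, downgraded = reconcile(requested, apps)
    for m in applied:
        print(to_flow(m))
    for original, app, capped in downgraded:
        print(f"{original.action} on {original.dst} capped to {capped} because of {app}")
```

Note the deliberate failure mode the audit list exposes: a host quarantine is expressed as a rule towards every destination, so it overlaps every critical application and gets weakened to the lowest ceiling among them. That is the trade-off the slide describes (the controller, not the security system, has the last word), and the downgrade record is what lets an analyst see that a requested block became an inspect and decide whether the application requirement should be tightened.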
• 76. Threats to an SDN System: with a controller and applications App 1, App 2 and App 3 attached to it, the threats shown are spoofing, rogue elements (applications or controllers) and DoS attacks against the controller
• 77. Threats to an SDN System, countermeasures: hardening, secure provisioning, authentication, authorisation/RBAC, integrity, secure storage, audit
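Three of those countermeasures (authentication, authorisation/RBAC, audit) plus a defence against a flooding application are shown together below as an added example of a controller's northbound admission check; it is not the code of any Cisco or OpenDaylight controller. The role-to-permission table, the per-application VLAN scope, the token-bucket limits and the use of a SHA-256 hash of a provisioned shared secret are assumptions made for this example; a production controller would authenticate applications with mutual TLS or signed tokens rather than a shared secret.

```python
"""Northbound admission control for an SDN controller: authenticate the
application, rate-limit it, authorise the action against role and scope,
and audit every decision (added example; the policy model is an assumption)."""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Assumed role model: which northbound actions each role may invoke.
ROLE_PERMISSIONS = {
    "observer":     {"read_topology", "read_flows"},
    "security_app": {"read_topology", "read_flows", "push_flow", "delete_flow"},
    "admin":        {"read_topology", "read_flows", "push_flow", "delete_flow", "manage_apps"},
}


@dataclass
class AppRecord:
    app_id: str
    secret_hash: bytes          # SHA-256 of the provisioned secret (assumption; mTLS in practice)
    role: str
    vlans: FrozenSet[int]       # scope: the only VLANs this app may program
    tokens: float = 10.0        # token-bucket state for per-app rate limiting
    last: Optional[float] = None


class Controller:
    RATE = 5.0      # sustained requests per second per app (assumed limit)
    BURST = 10.0    # burst size (assumed limit)

    def __init__(self) -> None:
        self.apps: Dict[str, AppRecord] = {}
        self.audit: List[dict] = []

    def register(self, app_id: str, secret: str, role: str, vlans) -> None:
        """Secure provisioning: the controller stores only a hash of the secret."""
        self.apps[app_id] = AppRecord(
            app_id, hashlib.sha256(secret.encode()).digest(), role, frozenset(vlans))

    def _decide(self, app_id, action, vlan, result, reason) -> bool:
        # Every decision, allow or deny, goes to the audit trail.
        self.audit.append({"app": app_id, "action": action, "vlan": vlan,
                           "result": result, "reason": reason})
        return result == "allow"

    def request(self, app_id: str, secret: str, action: str,
                vlan: Optional[int] = None, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        rec = self.apps.get(app_id)
        # 1. Authentication. Unknown app ids take the same comparison path as
        #    known ones so timing does not reveal which ids are registered.
        presented = hashlib.sha256(secret.encode()).digest()
        stored = rec.secret_hash if rec else bytes(32)
        if rec is None or not hmac.compare_digest(presented, stored):
            return self._decide(app_id, action, vlan, "deny", "authentication failed")
        # 2. Per-app token bucket, so one misbehaving or compromised application
        #    cannot flood the controller (the DoS threat on the previous slide).
        if rec.last is None:
            rec.last = now
        rec.tokens = min(self.BURST, rec.tokens + (now - rec.last) * self.RATE)
        rec.last = now
        if rec.tokens < 1:
            return self._decide(app_id, action, vlan, "deny", "rate limited")
        rec.tokens -= 1
        # 3. Authorisation: the role must permit the action and the target VLAN
        #    must lie inside the scope the app was provisioned with.
        if action not in ROLE_PERMISSIONS.get(rec.role, set()):
            return self._decide(app_id, action, vlan, "deny", "role lacks permission")
        if vlan is not None and vlan not in rec.vlans:
            return self._decide(app_id, action, vlan, "deny", "vlan out of scope")
        return self._decide(app_id, action, vlan, "allow", "ok")


if __name__ == "__main__":
    ctl = Controller()
    ctl.register("ids-app", "s3cret", "security_app", {10, 20})
    print(ctl.request("ids-app", "s3cret", "push_flow", vlan=10))   # True
    print(ctl.request("ids-app", "s3cret", "push_flow", vlan=30))   # False, out of scope
    print(ctl.audit[-1])
```

The ordering matters: authentication first, so the rate limiter keys on a verified identity and cannot be used by one app to starve another; scope after role, so a security application with the right to push flows still cannot touch a tenant VLAN it was never provisioned for. Unauthenticated floods still cost hashing work, which is why a real deployment also limits per source at the transport layer.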
• 80. Considerations
  Detection:
  • How automated is your telemetry capture?
  • How automated is your threat analysis?
  • Are you limited by privacy considerations?
  Response:
  • What actions are you willing to take in real time?
  • What actions should be one-click for a security analyst?
  SDN:
  • What type of SDN can you use?
  • How SDN-ready is your network?
  • How secure is the SDN itself?
• 81. Summary
  • SP security concerns
  • How traditional products and solutions are embracing SDN/NfV
  • Security automation in the SP DC
  • Revenue-generating security solutions for SPs
  • SDN and NFV infrastructure security
  • Is there "one" solution to tackle security end-to-end at the "speed of the network"? The reality is that each use case is different: technology, people, processes.
  • The key enabler is automation, through the use of SDN, programmability, APIs and NFV.
• 82. Related Cisco Live Sessions
  • BRKRST-1014 - Introduction to Software-Defined Networking (SDN) and Network Programmability
  • BRKSPG-3616 - SDN and NFV for Service Providers
  • BRKSDN-2040 - SDN Controllers - A Use Case Driven Approach to the Options
  • BRKSDN-2065 - Cisco Virtual Managed Services (vMS)
  • BRKSPG-2619 - Cisco Evolved Programmable Networks
  • BRKSEC-3010 - Firepower 9300 Deep Dive
  • BRKSEC-1205 - Introduction to DC Security
  • BRKSDN-1119 - Device Programmability Options with APIs
  • BRKSEC-2005 - The Internet of Things: A Double-Edged Sword. How Can You Embrace it Securely?
• 83. Where to go next?
  • Other complementary security solutions: OpenDNS, Lancope, Cloud Web Services, CliQr
  • Demos in the Cisco World of Solutions
  • Walk-in self-paced labs
  • DevOps and DevNet sessions
  • Meet the Engineer 1:1
• 85. Cisco Live Melbourne 2016: session videos and presentations are available online after the conference at www.CiscoLiveAPAC.com
• 86. Thanks
  • Session managers: Robert Page, Usen Tulemisov, Stefan Avgoustakis
  • Previous BRKSEC-2760 presenters: Mike Geller, David McGrew, Ken Beck
  • Collaborators: Kerry Loveless, Sam Rastogi, Siruo Yu, Mike Geller, Albra Welch