VACS

Security for shared infrastructure in Cisco ONE Enterprise Cloud Suite
Roxana Diaz, TSA, CCIE – BRKPCA-2040
@roxadiaz2

Agenda
• Introduction
• Cisco VACS Overview
• VACS Configuration
• Security Use-cases
• Customers
• Conclusion


Introduction

Journey to Cloud

The journey runs in three stages, each adding capabilities and the Cisco virtual components that deliver them:
• Virtualization: enhanced virtual networking and secure segmentation, delivered by N1KV/VSG (standalone)
• Private Cloud: automation, segregation of duties and self service, delivered by N1KV/VSG/CSR1KV, packaged as VACS (in CECS)
• Hybrid Cloud: secure DC extension to public cloud, better visibility and an ecosystem of public clouds, delivered by N1KV Cloud VEM/VSG/CSR1KV (in CECS)

Cloud Services Platform – DC and Cloud Network Function Virtualization Platform. CECS – Cisco Enterprise Cloud Suite / VSG – Virtual Security Gateway. N1KV – Nexus1000v DVS / CSR1KV – Cloud Services Router 1000v

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Enterprise Cloud Suite

The suite is layered on top of the enterprise data center infrastructure:
• Self-service Catalog (PSC)
• Dashboard (UCSD)
• Secure Application Segmentation (VACS)
• Automate Compute, Network, ACI, Storage & Virtual (UCSD)

Figure: a three-tier WEB / APP / DB application deployed on the enterprise data center infrastructure through the suite.


Cisco VACS Overview

Cisco Virtual Application Cloud Segmentation (VACS) Services
• Secure segmentation in minutes on shared infrastructure
• Simplified virtual networking and security
• Unified virtual services licensing: cost-effective solution

Secure Segmentation in Minutes on Shared Infrastructure

Current physically segmented architecture:
• Physical segmentation results in longer provisioning time and under-utilized resources
• Procure, rack, stack and provision individual devices

Virtual segmentation with VACS:
• Virtual segmentation – independent of physical topology
• Enforced by best in class virtual networking and security services
• Secure segmentation in minutes on shared infrastructure
• Simplified virtual networking and security
• Unified virtual services licensing: cost-effective solution

Simplified Virtual Networking and Security on Shared Infrastructure

Current provisioning model, one component at a time against vCenter and each device:
• Provision subnet / NAT / Routing
• Provision VIP
• Provision FW rules / GW

With VACS: a wizard based provisioning model with full life cycle mgmt. of virtual services. You no longer have to configure individual components; VACS does it for you.

Unified Virtual Services Licensing – Per Server Based

Current pricing schema makes virtual services cost prohibitive:
• Every vendor has a different licensing schema
• Per instance based
• Expensive as throughput increases

VACS components:
• Automated provisioning and orchestration – Cisco UCS Director
• Load-balancer – HA Proxy
• Routing/Edge FW – Cisco CSR 1000V or Cisco ASAv
• Zone based FW – Cisco Virtual Security Gateway
• Virtual fabric – Cisco Nexus 1000V, the platform for the distributed FW

Unified licensing, per server based*: create as many instances as you need with up to 10G throughput!**

VACS Delivering Secure Virtual Network aaS (SvNaaS)

Virtual Secure Network aaS with complete automation and life-cycle management:
• Load Balancer aaS – out-of-box HA Proxy integration
• Routing aaS – out-of-box CSR1000V or ASAv routes and GW
• Edge Firewall aaS – out-of-box ASAv or CSR1000V IOS XE FW
• Micro Segmentation aaS – create security groups, VXLAN or VLAN based

Figure: a Public design (web application Web-1 in the Web-1 zone, App-1 (VM3) in the App-1 zone) and a Confidential design (web application Web-2 in the Web-2 zone, App-2 (VM4) in the App-2 zone) running side by side on the same VACS infrastructure.


VACS Configuration

Deeper View: VACS Containers – 3-Tier (Internal) Template

Upstream router: routing to the container via EIGRP or static routes.

CSR 1000V as the container edge on VLAN 10 / VXLAN 101:
• 10G throughput
• NAT (optional)
• L3 routing – EIGRP or static
• Edge FW
• Monitoring features

Inside the container: VSG zone-based FW (permit / deny between zones), HA Proxy HTTP(s) LB, and three zones: Web Zone, App Zone, DB Zone.

Deeper View: VACS Containers – 3-Tier (External) Template

Same building blocks as the Internal template: upstream router (EIGRP or static), CSR 1000V edge on VLAN 10 / VXLAN 101 with 10G throughput, optional NAT, L3 routing (EIGRP or static), edge FW and monitoring features; VSG zone-based FW; HA Proxy HTTP(s) LB; Web Zone, App Zone and DB Zone.

Custom VACS Containers Template

Upstream router: routing via EIGRP, OSPF or static.

CSR 1000V on VLAN 10 / VXLAN 101:
• NAT (optional)
• L3 routing – EIGRP or OSPF (P2)
• Edge FW
• Monitoring features

Inside the container: VSG zone-based FW, HA Proxy LB that can front any zone, and user-defined zones (Zone 1, Zone 2, ...).

Gateway choices with VACS – flexibility in combining VACS services with user-deployed services

• Built-in virtual GW: CSR 1000v or ASAv, deployed by VACS together with the container VMs
• Physical gateway: physical GW such as ASA, Checkpoint or PAN in front of the VACS container
• Other virtual gateway: external virtual GW such as vPAN or vGW in front of the VACS container

• Full firewall capabilities via ASAv integration with up to 2Gbps throughput
• BYOL license for ASAv

VACS – Holistic Approach to Workload Segmentation

Rich ecosystem with simple setup:
• Based on UCS Director (included with Cisco Enterprise Cloud Suite license)
• Nexus 1000V, Virtual Security Gateway, ASAv, CSR1000v
• ASA, FirePOWER Threat Defense – roadmap items

How to Segment the Virtual Switch – wizard driven with template based policy definitions (wizard screenshots)

Completed VACS Template Summary (screenshot)

Auto-Documentation – Dynamically Track Services and Virtual Machines
• Real-time report of container configuration
• Organized by policy, per VM mapping / tracking

Holistic Environment Control – Simplified Day-2 Operations
• Spin environment up / down
• Reclaim resources
• Seamlessly add VMs to tiers (tie VM into services)
• Manage firewall rules from the same console


Security Use-cases

Traditional approach to security
• Traditional firewalls are designed to keep threats out of the network
• Virtualization widens the scope for lateral movement
• M&M model (hard perimeter, soft inside): once across the perimeter firewall, malware is essentially free to propagate across the entire data center
• Hackers are increasingly piggybacking malicious payloads atop legitimate traffic
• Need for a double protection strategy – make security ubiquitous

Figure: a public web application (Web-1) with its public DB (DB-1) and a confidential web application (Web-2) with its confidential DB (DB-2) share the same physical infrastructure behind one perimeter; users Bob and Alice reach the web tiers from outside.

Introducing Micro-segmentation

Granular control + operationally simpler = micro-segmentation strategy

Goal: prevent lateral (server-server / VM-VM) threat movement.

Figure: web application VM1 and VM2 with the Public DB (VM3) and the Confidential DB (VM4).

Micro-segmentation with VACS – micro-segmentation in a few clicks

1. Define zones: Web-1 zone, DB-1 zone, Web-2 zone, DB-2 zone
2. Add VMs: web application Web-1, Public DB DB-1 (VM3), web application Web-2, Confidential DB DB-2 (VM4)
3. Apply zone based policies:

Source | Destination | Policy
Web-1  | DB-1        | Allow
Web-2  | DB-2        | Allow
Web-1  | DB-2        | Drop
Web-2  | DB-1        | Allow
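The zone model behind both the 3-tier container template (permit / deny between the Web, App and DB zones) and the policy table above, written out as an added example; this is not VACS or VSG code. It is a first-match evaluator with default deny: a VM is a member of exactly one zone, a flow is matched on (source zone, destination zone, port), and anything no rule permits is dropped. The IP addresses, the ports and the service-port detail of the 3-tier rules are constructed; the micro-segmentation rules are the four rows of the table as printed.

```python
"""Zone-based policy evaluation in the style of a zone firewall such as VSG.

Added example for this page, not VACS or VSG code. Zone names follow the slides
(Web/App/DB tiers, Web-1/DB-1/Web-2/DB-2); the IP addresses, ports and the
port-level detail of the 3-tier rules are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                      # "permit" or "drop"
    dst_port: Optional[int] = None   # None matches any destination port


class ZonePolicy:
    """VMs belong to zones; traffic is matched on (src zone, dst zone, port).

    First matching rule wins. A flow that matches no rule, or that involves a
    VM not in any zone, is dropped: default deny is what keeps the segmentation
    intact when a new VM or an unexpected flow shows up.
    """

    def __init__(self, zone_members: Dict[str, Set[str]], rules: List[Rule]) -> None:
        self.ip_to_zone: Dict[str, str] = {}
        for zone, ips in zone_members.items():
            for ip in ips:
                # A VM in two zones would make the policy ambiguous; refuse it.
                if ip in self.ip_to_zone:
                    raise ValueError(f"{ip} is in both {self.ip_to_zone[ip]} and {zone}")
                self.ip_to_zone[ip] = zone
        self.rules = rules

    def evaluate(self, src_ip: str, dst_ip: str, dst_port: int) -> str:
        src_zone = self.ip_to_zone.get(src_ip)
        dst_zone = self.ip_to_zone.get(dst_ip)
        if src_zone is None or dst_zone is None:
            return "drop"                      # unknown VM: no zone, no policy, no access
        for rule in self.rules:
            if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                    and (rule.dst_port is None or rule.dst_port == dst_port)):
                return rule.action
        return "drop"                          # nothing permitted it


def three_tier_policy() -> ZonePolicy:
    """3-tier (Web/App/DB) container: each tier may only reach the next one
    down, on its service port. Web never talks to DB directly, and nothing
    talks back up the stack. Addresses and ports are constructed."""
    members = {
        "Web": {"10.10.1.11", "10.10.1.12"},
        "App": {"10.10.2.21"},
        "DB":  {"10.10.3.31"},
    }
    rules = [
        Rule("Web", "App", "permit", dst_port=8080),
        Rule("App", "DB",  "permit", dst_port=3306),
        # Everything else (Web->DB, DB->App, App->Web, Web->Web, ...) falls through to drop.
    ]
    return ZonePolicy(members, rules)


def micro_seg_policy() -> ZonePolicy:
    """The policy table from the slide, exactly as printed there:
    Web-1->DB-1 allow, Web-2->DB-2 allow, Web-1->DB-2 drop, Web-2->DB-1 allow."""
    members = {   # one constructed address per zone
        "Web-1": {"10.20.1.1"}, "DB-1": {"10.20.2.1"},
        "Web-2": {"10.20.1.2"}, "DB-2": {"10.20.2.2"},
    }
    rules = [
        Rule("Web-1", "DB-1", "permit"),
        Rule("Web-2", "DB-2", "permit"),
        Rule("Web-1", "DB-2", "drop"),     # the explicit Drop row
        Rule("Web-2", "DB-1", "permit"),
    ]
    return ZonePolicy(members, rules)


def check_lateral_movement(policy: ZonePolicy, flows: List[Tuple[str, str, int]]) -> List[str]:
    """Given flows an attacker on a compromised VM might attempt, return the
    ones the policy still permits, i.e. the remaining east-west paths."""
    return [f"{s}->{d}:{p}" for s, d, p in flows if policy.evaluate(s, d, p) == "permit"]


if __name__ == "__main__":
    tt = three_tier_policy()
    print(tt.evaluate("10.10.1.11", "10.10.2.21", 8080))   # permit
    print(tt.evaluate("10.10.1.11", "10.10.3.31", 3306))   # drop: Web->DB is not a rule
    attempts = [("10.10.3.31", "10.10.1.11", 22), ("10.10.2.21", "10.10.3.31", 3306)]
    print(check_lateral_movement(tt, attempts))            # ['10.10.2.21->10.10.3.31:3306']
```

Two things worth checking before applying a table like this for real: under a default-deny model intra-zone traffic (Web-1 to Web-1) also needs an explicit rule if the web tier clusters, and the printed table permits the confidential Web-2 to reach the public DB-1 while dropping Web-1 to DB-2, an asymmetry that should be confirmed against the intended data-classification policy rather than copied.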

Demo

ASAv Support in VACS

VACS – 3 Tier App Container (Custom) with ASAv as the edge behind the upstream router, on VLAN 10 / VXLAN 101:
• Up to 2G throughput
• L3 routing
• Edge FW

Inside the container, as in the 3-tier template: VSG zone-based FW, HA Proxy HTTP(s) LB, Web Zone, App Zone, DB Zone.

• All ASAv Day 0 operations supported with VACS custom containers
• Support for all ASAv license levels (ASAv5, ASAv10, ASAv30)

CSR1Kv vs ASAv Gateway features

Feature                | CSR1Kv                                                                                     | ASAv
License                | Included as part of the VACS license                                                       | BYOL Smart License, not included as part of VACS
Throughput             | 10 Gbps                                                                                    | Up to 2 Gbps, based on ASAv license
Features               | All IP features; basic security features: ACL, AAA, RADIUS and TACACS+, ZBFW, ALG          | Full-feature ASAv with complete perimeter firewall functionality
High Availability      | Using HSRP                                                                                 | Stateful HA
VACS container support | Internal, External, Custom                                                                 | Custom
VACS container sizing  | N/A                                                                                        | Depends on ASAv license level: Small – ASAv5, Medium – ASAv10, Large – ASAv30
Default ALG support    | Supported only in non-HA mode. Default: HTTP, HTTPS, FTP, DNS, ICMP. Additional: SQLNET, MSSQL, LDAP | Default: FTP, DNS, SQLNET, H323 H225, H323 RAS, IP-OPTIONS, NETBIOS, RSH, RTSP, SKINNY, ESMTP, SUNRPC, TFTP, SIP, XDMCP. Additional: ICMP, HTTP, IPv6, MGCP and more

Evolution of truly Secure Segmentation
• VACS domain + physical (mixed environment)
• Existing customer base with TrustSec (Cisco ISE) focused on physical network elements (NX7k/6k/5k, Catalyst) → extend the segmentation to virtualized applications
• Why Security Group Tags on the physical network alone are not effective with virtualization: physical segmentation reaches the presentation tier, but physical segmentation extended across all application tiers is NOT secure from folks like "Bob", because VM-to-VM traffic inside the hypervisor never crosses the physical enforcement point

Extend Cisco TrustSec to Virtual Infrastructure with VACS
Security Group – combined virtual & physical
• Micro segmentation defined in a simple policy table or matrix – automated with VACS or ISE
• Scalable architecture without increase in operational complexity
• Applied across Catalyst (Campus and Branch) and Nexus (Data Center), with VACS independent of the topology
• Security firewalling with ASA or ASAv

VACS integration with Cisco TrustSec:
• Segmentation defined in a simple policy table or matrix
• Applied across Nexus 7000/5500/2000, with VACS independent of the topology
• VACS can consume or create the Security Group Tags deployed on the switches through ISE
• ASAv is aware of all the zones
• Stop the attack at the virtual perimeter

Figure: Data Center Core Layer, DC Aggregation Layer, DC Service Layer and DC Access Layer down to the physical servers; SGACL enabled devices and an SG firewall enabled device enforce in the physical path, and VACS provides virtual enforcement on the hypervisor side.

Extending micro-segmentation to the physical domain
1. VACS creates a container with Web and App tiers
2. Get the "zone to IP" mapping for both zones from VSG
3. Program the NX1kV with the "IP to Security Group Tag" mapping
4. Program the bare metal DB zone Security Group Tags on the N5K to be granular
5. Program firewall rules (ACLs) on the N5K

Figure: web application VM1 and App VM3 in the Public design with DB1, web application VM2 and App VM4 in the Confidential design with DB2; VACS, the Nexus 5000, ASAv, SXP and Cisco ISE (Identity Services Engine) tie the virtual and physical enforcement together.
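Steps 2 to 5 of the procedure above as an added example, not VACS, VSG or ISE code: take a zone-to-IP mapping of the kind VSG holds for a container, assign one Security Group Tag per zone, build the IP-to-SGT bindings for the virtual switch and for the bare-metal DB hosts, and derive the SGT/DGT SGACL entries from the zone policy. The addresses, tag numbers and the policy are constructed. The config lines emitted by render_nxos() use the NX-OS "cts role-based" syntax as I know it; treat them as an assumption and check them against your platform's documentation before use.

```python
"""Carrying a VACS zone policy into the physical network with Security Group Tags.

Added example for this page, not VACS, VSG or ISE code. IPs, tag numbers and
the policy are constructed. The CLI lines from render_nxos() follow NX-OS
"cts role-based" syntax as assumed by the author of this example; verify them
against the platform documentation.
"""
from typing import Dict, Iterable, List, Tuple

# Step 2: zone -> VM IPs for a Web/App container, as VSG would report it (constructed).
ZONE_TO_IP: Dict[str, List[str]] = {
    "Web": ["10.30.1.11", "10.30.1.12"],
    "App": ["10.30.2.21", "10.30.2.22"],
}
# Step 4: the DB tier is bare metal behind the Nexus 5000 (constructed).
BARE_METAL: Dict[str, List[str]] = {"DB": ["10.30.3.31"]}

# The zone policy to carry across: (src zone, dst zone, action). Pairs not
# listed are implicitly denied.
ZONE_POLICY: List[Tuple[str, str, str]] = [
    ("Web", "App", "permit"),
    ("App", "DB", "permit"),
    ("Web", "DB", "deny"),
]
UNKNOWN_SGT = 0   # an address with no binding; never granted a permit below


def assign_sgts(zones: Iterable[str], base: int = 10) -> Dict[str, int]:
    """One tag per zone, ordered by zone name so re-runs give the same tags."""
    return {zone: base + i for i, zone in enumerate(sorted(set(zones)))}


def ip_sgt_bindings(*zone_maps: Dict[str, List[str]], sgt: Dict[str, int]) -> Dict[str, int]:
    """Steps 3 and 4: flatten zone->IP maps into IP->SGT, refusing to bind one
    address to two different tags (that would silently widen some policy)."""
    bindings: Dict[str, int] = {}
    for zone_map in zone_maps:
        for zone, ips in zone_map.items():
            for ip in ips:
                tag = sgt[zone]
                if bindings.get(ip, tag) != tag:
                    raise ValueError(f"{ip} already bound to SGT {bindings[ip]}")
                bindings[ip] = tag
    return bindings


def sgacl_matrix(policy: List[Tuple[str, str, str]], sgt: Dict[str, int]) -> Dict[Tuple[int, int], str]:
    """Step 5: translate zone pairs into (SGT, DGT) -> action. Pairs absent
    from the policy are absent from the matrix and denied at lookup time."""
    return {(sgt[s], sgt[d]): action for s, d, action in policy}


def lookup(bindings: Dict[str, int], matrix: Dict[Tuple[int, int], str], src_ip: str, dst_ip: str) -> str:
    """What an SGACL-enabled switch does with a packet src_ip -> dst_ip."""
    s = bindings.get(src_ip, UNKNOWN_SGT)
    d = bindings.get(dst_ip, UNKNOWN_SGT)
    if UNKNOWN_SGT in (s, d):
        return "deny"                  # unclassified traffic never gets a permit
    return matrix.get((s, d), "deny")


def render_nxos(bindings: Dict[str, int], matrix: Dict[Tuple[int, int], str], sgt: Dict[str, int]) -> List[str]:
    """Illustrative config lines for the N5K (assumed NX-OS syntax, see docstring)."""
    names = {tag: zone for zone, tag in sgt.items()}
    lines = [f"cts role-based sgt-map {ip} {tag}" for ip, tag in sorted(bindings.items())]
    for (s, d), action in sorted(matrix.items()):
        acl = f"{names[s]}_to_{names[d]}"
        lines += [f"cts role-based access-list {acl}", f"  {action} ip",
                  f"cts role-based sgt {s} dgt {d} access-list {acl}"]
    return lines


def build() -> Tuple[Dict[str, int], Dict[str, int], Dict[Tuple[int, int], str]]:
    """Run steps 2-5 end to end and return (zone->SGT, IP->SGT, SGACL matrix)."""
    sgt = assign_sgts(list(ZONE_TO_IP) + list(BARE_METAL))
    bindings = ip_sgt_bindings(ZONE_TO_IP, BARE_METAL, sgt=sgt)
    matrix = sgacl_matrix(ZONE_POLICY, sgt)
    return sgt, bindings, matrix


if __name__ == "__main__":
    sgt, bindings, matrix = build()
    print("\n".join(render_nxos(bindings, matrix, sgt)))
    print(lookup(bindings, matrix, "10.30.1.11", "10.30.3.31"))   # deny: Web->DB
    print(lookup(bindings, matrix, "10.30.2.21", "10.30.3.31"))   # permit: App->DB
```

The bindings dictionary is exactly the "IP to SGT" data that SXP or ISE would propagate to the Nexus 5000 and to the ASAv in the figure; the point of generating it from the VSG zone mapping rather than typing it in is that a VM added to a zone by VACS picks up the right tag on the physical side without anyone editing switch config by hand.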


VACS Customers

Cedacri – cloud service provider in Italy

VACS through Cisco Enterprise Cloud Suite enabled Cedacri to onboard new customers 90 percent faster while ensuring security compliance.

"Cisco VACS gives us the speed and agility we need to stay ahead in a competitive cloud market."
– Alessandro Spigaroli, Head of Architecture & Innovation, Cedacri

Customer benefits:
• Multi-tenancy in minutes
• Zero trust security using microsegmentation
• Differentiating the service provider cloud

http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/one-enterprise-suite/cedacri-voc-case-study.pdf

Lightedge Solutions – IT service provider to businesses in the United States

"With UCSD + VACS we were able to take a complex, multi-zone IT platform with over 20 unique security zones and deploy a fully functional replica of this environment in hours. Prior to UCSD+VACS this same deployment, using manual procedures and physical security devices, took well over 60 days to deliver to our customer."
– Mike McHenry, VP Cloud and Cloud Architecture, LightEdge

Customer benefits:
• Building a custom cloud environment with self-service capabilities
• Secure segmentation for their business customers
• Security policy compliance

http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/one-enterprise-suite/lightedge-case-study.pdf
http://www.lightedge.com/cisco-vacs/


Conclusion

Summary
• VACS is the security pillar of the Cisco Enterprise Cloud Suite
• VACS provides micro-segmentation today across a common hypervisor environment (Cisco NX1kV)
• VACS is the most effective tool to achieve secure segmentation and enhanced automation in a journey to ITaaS
• Reach out to your Cisco account team for further assistance!
• Try it out in dCloud (access available to those with a cisco.com login)

Q&A

Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
• Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

There has never been a better time to effectively segment workloads…

Thank you