Threat-Centric Security for Service Providers: Enabling Open & Programmable Networks
Sam Rastogi, Service Provider Security Product Marketing, Security Business Group
Bill Mabon, Network Security Product Marketing, Security Business Group
September 1, 2015
Trends: New Opportunities, New Threats
The world has gone mobile: 10X Mobile Traffic Growth From 2013-2019
Traffic growth, driven by video
Rise of cloud computing
Machine-to-Machine
Changing Customer Expectations: Ubiquitous Access to Apps & Services
Dynamic Threat Landscape: Increasing Threat Sophistication
Changing Enterprise Business Models: Efficiency & Capacity
Soon to Change SP Architectures/Service Delivery
Emergence of the Internet of Everything: People, Process, Data, Things
Risks to Service Providers and Their Customers
[Chart: traffic in Petabytes per Month, 2013-2018; Internet Video (57%, 75%), Other (43%, 25%); 23% Global CAGR 2013-2018]
Security for Open & Programmable Networks
Benefits: New Revenue Streams; Increased Business Agility; Lower Operating Costs
[Diagram: Cisco Service Provider Architecture. Labels: Cisco Services; Applications & Services; Evolved Services Platform; Service Profile; SMART SERVICE CAPABILITIES; Service Broker; Orchestration Engine; Catalog of Virtual Functions; Evolved Programmable Network; Compute; Storage; Network; Security; OPEN APIs]
Legacy Security: Costly & Complex
Siloed: Limited integration, security gaps
Manual: Hard-coded processes
Inefficient: Over-provisioned, static, and slow
Hinders realization of open and programmable networks
Legacy Security: Siloed, Inefficient & Expensive
[Diagram: data packet traversing separate DDoS, WAF, Sandbox, SSL, FW and IPS platforms]
Reduced Effectiveness; Increased Latency; Slows Network; Static & Manual
Cisco's Threat-Centric Security Model Covers the Entire Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Capabilities: Firewall; VPN; NGIPS; DDoS; Advanced Malware Protection; Application Control; Policy Management; Web Security; Malware Sandboxing; Secure Access + Identity Services; Email Security; Network Behavior Analysis; Security Services
Coverage: Network, Endpoint, Mobile, Virtual, Cloud
Point in Time and Continuous
Threat-Centric Security for Service Providers
Integrated Security: Best of Breed security = Cisco + 3rd party; Security services in a consolidated platform; Visibility and correlation
Operational Efficiency: Automated and consistent security policies; Lower integration costs and complexity; RESTful APIs and 3rd party tool integration
Enhanced Agility: High speed, scalable security; Dynamic service stitching; Dynamic provisioning across physical, virtual, and cloud
Firepower 9300 Platform: High-Speed, Scalable Security
Multi-Service Security
Benefits: Integration of best-of-breed security; Dynamic service stitching
Features*: ASA container; Firepower Threat Defense containers (NGIPS, AMP, URL, AVC); 3rd Party containers (Radware DDoS, other ecosystem partners)
Modular
Benefits: Standards and interoperability; Flexible Architecture
Features: Template driven security; Secure containerization for customer apps; RESTful/JSON API; 3rd party orchestration/management
Carrier-Class
Benefits: Industry Leading Performance / RU; 600% Higher Performance; 30% higher port density
Features: Compact, 3RU form factor; 10G/40G I/O; 100G ready; Terabit backplane; Low latency, Intelligent fastpath; NEBS ready
* Contact Cisco for services availability
Cisco Transforms Security Service Integration
Siloed: [Diagram: data packet traversing separate DDoS, WAF, Sandbox, SSL, FW and IPS platforms] Limited effectiveness; Increased latency; Slows network; Static & Manual
Integrated: [Diagram: data packet processed on a Unified Platform running DDoS, FW, WAF, NGIPS and AMP services; key distinguishes Cisco Service from 3rd Party Service] Maximum protection; Highly efficient; Scalable processing; Dynamic
Roadmap & Vision: Consistent Security Across Physical, Virtual & Cloud
Securing Mobile and Carrier Networks
2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Technology trends are driving use cases
Trends: 3G-to-LTE; IPv4-to-IPv6; Hotspots; Stateful devices; Virtual Applications & smart phones
[Diagram: EPC with the Gi/SGi, S1, SWu and S8 interfaces; SP Wi-Fi]
Securing network edges is critical
Gi/SGi Interface (Internet): Increase in connected devices and app complexity; Growing number of IP addresses; Migration from IPv4 to IPv6 protocol
S8 Interface (Roaming): Subscribers increasingly access customer EPCs via other operators and untrusted networks
S1 Interface: Proliferation of microcells, cell stations, Evolved Node Bs (eNodeBs), or hotspots
SWu Interface (OTT, SP Wi-Fi): Subscribers using mobile SPs' networks for their own personal Wi-Fi hotspots; Voice over Wi-Fi as a business imperative
Security for Carrier and Mobile Edge
Use Case [Diagram: Mobile Packet Core, Mobile Access Edge, Partner Edge, Internet Edge, Internet]
HW Requirements: Ultra High Performance FW; High Port Density, 100Gbps; NEBS; Power Efficiency
SW Requirements:
Mobile Access: Strong authentication, authorization (IKE v1/v2 & PKI protocols); Data confidentiality w/ IPSec ESP; LTE S1 FW (GTP, S1-SP FW)
Partner Edge: GTP, NAT
Internet Edge: FW, NAT, IPS, Content Filtering
Securing the Data Center
In Data Center Security, Threat Defense, Agility, and Control are Challenges
Unique Threats; Time-consuming provisioning; Complex data flows; Unpredictable data volume
Data Centers Require Specialized Security
Standard edge security / Data center security:
Sees symmetric traffic only / Requires asymmetric traffic management
Scales statically for predictable data volume, limited by edge data connection / Must scale dynamically to secure high-volume data bursts
Monitors ingress and egress traffic / Needs to secure intra-data-center traffic
Is deployed typically as a physical appliance / Requires both a physical and virtual solution
Deploys in days or weeks / Must deploy in hours or minutes
Deployed Where You Need It Most
76% East-west traffic; 17% North-south traffic; 7% Inter-data-center traffic
Threat-Centric Security to Protect Your Data Center from Sophisticated Attacks
Today's adversaries are more advanced than ever
Well-funded. Both organized crime and nation-state adversaries.
Inventive. Agile methodology, and now finding East-West vulnerabilities to exploit.
Insidious. They blend in with the targeted organization, sometimes taking weeks or months to establish multiple footholds in infrastructure and user databases.
60% of data is stolen in hours; detection can take weeks or months
95% of data center breaches can be tied to misconfigured security solutions
100% of companies connect to domains that host malicious files or services
Sources: Verizon 2014 Data Breach Investigations Report (DBIR); Gartner; Cisco Annual Security Report 2015
Security for Data Center
[Diagram: Global Orchestration]
Requirements: Scalability: High Throughput; Multi-Tenancy: Multi-Context; Segmentation: Internal/External, North-South, East-West traffic; Multi-Site Security & Mobility; Multi-Vendor Orchestration
Benefits: High Scale: access rule, TrustSec; Network Integration: Routing, switching, inter-site DC extensions; High Density: 40G/100G; Clustering: Intra-chassis, Inter-chassis, Inter-site; Flow offload; Consistent Policy Mgmt
Trust The Market Leader
Cisco is the clear leader here
IT decision-makers consider Cisco the top data center security solution supplier across 10 separate categories.
Infonetics Research Report Experts: Data Center Security Strategies and Vendor Leadership: North American Enterprise Survey, March 2014 and April 2015
Cisco Difference for Service Providers
Unmatched Visibility: End-to-End Network Visibility from SP Core to Customer Premise
Consistent Control: Consistent Policies Across Network, Data Center, and Workloads
Advanced Threat Protection: Detect & Mitigate Advanced Threats across CPE, Cloud, and Network
Complexity Reduction: Reduce IT Silos, Respond Faster to New Opportunities & Business Models