The Three Pillars to Cisco’s Secure Data Center Strategy: Part 1 Segmentation
Last week Cisco announced several new products in it’s Defending the Data Center launch. These included the Cisco Adaptive Security Appliance Software Release 9.0, Cisco IPS 4500 Series Sensors, Cisco Security Manager 4.3, and the Cisco ASA 1000V Cloud Firewall, adding enhanced performance, management, and threat defense capabilities. Core to this launch was also Cisco’s new strategy for developing Secure Data Center Solutions, a holistic approach similar to what Cisco previously did with Secure BYOD. This new strategy integrates Cisco security products into Cisco’s networking and data center portfolio to create validated designs and smart solutions. Organizations that lack bandwidth and resources or the know how to test and validate holistic designs can simply deploy template configurations based on pre-tested environments that cover complete data center infrastructures. These designs enable predictable, reliable deployment of solutions and business services and allow customers infrastructures to evolve as their data center needs change.
In developing this strategy we interviewed numerous customers, partners and field-sales reps to formulate the role of security in the data center and how to effectively get to the next step in the data center evolution or journey, whether you are just beginning to virtualize or have already advanced to exploring various cloud models. Three security priorities consistently came up and became the core of our strategy of delivering the security added value. They are Segmentation, Threat-Defense and Visibility. This blog series, beginning with segmentation, will provide a deeper dive into these three pillars.
Segmentation itself can be broken into three key areas. Perimeters are beginning to dissolve and many environments are no longer trusted, forcing us to segment compute resources, the network, and virtualized environments to create new boundaries, or zones. Along with segmenting physical components, policies must include segmentation of virtual networks and virtual machines, as well as by function, device, and logical association. Lastly, segmenting access control around networks and resources whether they are compute, network or applications offers a higher level of granularity and control. This includes role-based access and context based access. Let’s discuss even deeper.
Segmentation is really about enforcing consistent policy and access control across different boundaries. Customers are focused on protecting data at rest and in motion and control of who has access to data in these various states and locations. In essence, segmentation of boundaries begins at the Fabric level, where the core compute of Cisco’s Unified Computing System (UCS) separates networking from management and servers. Network segmentation virtually partitions physical networks using VLAN and VRF. And, within virtual compute environments segmentation occur with virtual switches and by the creation of tenants and zones.
Firewall segmentation controls connections across different networks or network segments, with the advantage of having awareness over the session’s state. Edge firewalls typically inspect all traffic flowing in and out of the data center or North-South traffic, and separate the good data from the bad data. Data center edge-security appliances, such as the ASA 5585-X, are high performing appliances, which include additional services such as a full intrusion detection and prevention system and VPN that can handle high traffic rates at a single point of enforcement and with full redundancy. Inside the virtualized compute environment traffic flows between virtual machines, that run servers and applications, and is not visible to the edge firewall. This traffic, also referred to as East-West traffic, can be segmented further into tenants and then zones within the tenants. For large-scale, multi-tenant environments the ASA 1000V Cloud Firewall can create multiple virtual network edge segments or tenants that can separate different companies data or different business units. Zones within these tenants separate groups of virtual machines where policy in enforced through the Cisco Virtual Security Gateway (VSG).
As data centers continue to evolve, applications are now dynamic objects moving through the network. Securing and managing access to these applications and the underlying data requires policies that can be effectively implemented at the network level and travel as users constantly migrate and virtual machines are created, moved, and recreated. Current network enforcement (segmentation) techniques do not provide the scalability, agility or efficiency required for consistent policy enforcement in highly dynamic environments.
Cisco’s TrustSec is an innovative solution architecture for security policy enforcement within the campus, branch and data center networks. TrustSec propagates contextual information, in the form of Security Group Tags, across the network and can be used by firewalls and data center switches to provide highly scalable, distributed, and consistent policy enforcement and segmentation.
TrustSec leverages role assignments so that when users or resources change IP addresses, firewall rules and access control lists do not need to change because the underlying policy does not change
TrustSec, along with the Cisco Identity Services Engine (ISE) enhances security, reduces operational expense and removes the management complexity of access control enforcement and administration.
This concludes part one on our series for the Secure Data Center strategy. Come back Wednesday for the next insertion on threat defense.