The Three Pillars to Cisco’s Secure Data Center Strategy: Part 3 Visibility
In this last part of this series I will discuss the top customer priority of visibility. Cisco offers customers the ability to gain insight into what’s happening in their network and, at the same time, maintain compliance and business operations.
But before we dive into that let’s do a recap of part two of our series on Cisco’s Secure Data Center Strategy on threat defense. In summary, Cisco understands that to prevent threats both internally and externally it’s not a permit or deny of data, but rather that data needs deeper inspection. Cisco offers two leading platforms that work with the ASA 5585-X Series Adaptive Security Appliance to protect the data center and they are the new IPS 4500 Series Sensor platform for high data rate environments and the ASA CX Context Aware Security for application control. To learn more go to part 2 here.
As customers move from the physical to virtual to cloud data centers, a challenge heard over is over is that they desire to maintain their compliance, security, and policies across these varying instantiations of their data center. In other words, they want to same controls in the physical world present in the virtual – one policy, one set of security capabilities. This will maintain compliance, overall security and ease business operations.
By offering better visibility into users, their devices, applications and access controls this not only helps with maintaining compliance but also deal with the threat defense requirements in our overall data center. Cisco’s visibility tools gives our customers the insight they need to make decisions about who gets access to what kinds of information, where segmentation is needed, what are the boundaries in your data center, whether these boundaries are physical or virtual and the ability to do the right level of policy orchestration to maintain compliance and the overall security posture. These tools have been grouped into three key areas: management and reporting, insights, and policy orchestration.
Management and reporting allows for simplified operations and compliance disclosure. Cisco enables transparency and visibility into the network and the physical and virtual environment through our management systems that administer and scale security operations efficiently and accurately. Cisco Security Manager (CSM) and Cisco Virtual Network Management Center (VNMC) provide consistent policy enforcement, quick troubleshooting of security events, and summarized reports from across the security deployment.
CSM 4.3 is a comprehensive management solution that enables consistent policy enforcement, rapid troubleshooting of security events, and summarized reports across a security deployment. It manages the Cisco security environment, provides visibility across the deployment, and enables information sharing with other essential network services. Lastly, it maximizes operational efficiency with a powerful suite of automated capabilities. CSM manages the security environment for Cisco ASA 5500 Series Adaptive Security Appliances, Cisco IPS 4500 Series Sensor Appliances, the Cisco AnyConnect Security Mobility Client and Cisco Secure Routers.
Cisco VNMC is a centralized virtual security management console that administers the security policies for the ASA 1000V Cloud Firewall and the Cisco Virtual Security Gateway. Cisco VNMC is a transparent, scalable, multitenant-capable, policy-driven management solution that provides end-to-end security for virtual and cloud environments. It helps enable scalable deployment through dynamic, template-driven policy management based on security profiles. It enhances flexibility through an XML API that helps enable programmatic integration with third-party management and orchestration tools. VNMC allows security administers to control security policies separately from the applications, servers, and networks, for compliance purposes.
The second key area, Inisghts, allows our customers to see and manage security elements in the network. This is accomplished through Cisco Netflow. Netlow is a protocol and visibility tool that provides a rich set of information around application and network users, peak usage times, and traffic routing. Netflow uses this information for planning and allocation of network and application resources. Netflow can also be used to capture data over a long period of time, which enables customers to track and anticipate network growth. It also performs analysis identifying and classifying Denial of Service attacks, viruses, and worms in real-time. Cisco uses an ecosystem approach with Netflow working with a number of partners including Lancope and Arbor to provide additional reporting capabilities including accounting, traffic analysis, security, and network monitoring
Policy orchestration is the third key area and this is accomplished through the Cisco Identity Services Engine (ISE) and Cisco TrustSec Security Group Tags (STG). From the first entry on segmentation we learned that Cisco’s TrustSec, an innovative solution architecture for security policy enforcement within the campus, branch, and data center networks, propagates contextual information in the form of Security Group Tags across the network and can be used by firewalls and data center switches to provide highly scalable, distributed, and consistent policy enforcement and segmentation. TrustSec leverages role assignments so that when users or resources change IP addresses, firewall rules and access control lists do not need to change because the underlying policy does not change. TrustSec, along with the Cisco Identity Services Engine (ISE) enhances security, reduces operational expense and removes the management complexity of access control enforcement and administration.
The figure below shows the integration of visibility tools:
On an orchestration level, visibility combines three functional buying centers and integrated conversation areas around compute, security, and the network. These areas must talk to each other in a collaborative way and share profile information, port information and virtual machine attributes. This will permit the desired visibility from the physical to virtual to cloud throughout the data center.