Transcript Security

Right-size your Network without Compromise
Michael Waas
Systems Engineer
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
Where You Engage Customers
Source of Business Intelligence
Where Up to 80% of Your Employees Reside
To Grow Your Business and Innovate, Your Remote Sites Must Keep Pace with HQ
The Application Landscape Is Changing
Applications are Moving to the Data Center and Cloud
Internet Edge Is Moving to the Branch
(Diagram: Branch, Data Centers, Cloud)
Pressures on the WAN
• Cloud: … of CIOs expect to operate via the cloud by 2015
• Mobility: … more mobile data traffic by 2015
• Fat Apps: … of mobile traffic will be video
WAN Demands
BUDGET
USER SUFFERING
Rethink your Branch-WAN Strategy
Low Cost Alternative
… of organizations are planning to transition to … connections
1. Internet transit pricing based on surveys and informal data collection, primarily from Internet Operations Forums: ‘street pricing’ estimates
2. Packet delivery based on 15 years of ping data from PingER for WORLD (global server sample) from EDU.STANFORD.SLAC in California
Source: William Norton (DrPeering.net); Stanford ping end-to-end reporting (PingER)
Commodity Transports Viable Now
Dramatic Bandwidth, Price Performance Benefits
Higher Network Availability
Improved Performance Over Internet
Dual MPLS (MPLS + MPLS, enterprise/private transport)
✓ Highest reliability, security & availability
✗ Inflexible for new services
✗ Expensive
Hybrid (Internet + MPLS)
✓ Enable SaaS and/or high BW apps
✓ Balanced availability
✓ Dual WAN + Dual Router = 99.999% reliability
Dual Internet (Internet + Internet, public transport)
✓ Best price/performance
✓ Least dependent on contracts
✓ Dual WAN + Dual Router = 99.999% reliability
Consistent VPN Overlay enables Security across Transition
Enhanced Connectivity over any Transport
(Diagram: Branch with AVC, WAAS and PfR, connected over Internet, 3G/4G-LTE and MPLS to the Data Center)
Transport Independent
• DMVPN IPsec overlay design
• Consistent operational model
• Simple transport migrations
• Scalable and modular design
Intelligent Path Control
• Performance Routing (PfR): full utilization of all bandwidth
• Application best path based on delay, loss, jitter and path preference
• Improved network availability
Secure Connectivity
• Suite-B strong encryption
• ASA & IOS Firewall/IPS: comprehensive threat defense
• Cloud Web Security (CWS) for direct Internet access
Application Optimization
• Application Visibility & Control (AVC)
• WAAS application acceleration and bandwidth savings
Optimize Application Performance
What about these?
• HTTP 80
• FTP 20/21
• POP3 110
• IMAP 143
• HTTPS 443
• SMTP 25
Are these applications? Or just ports?
What is Application Visibility and Control (AVC)
What is Needed
App Visibility & User Experience Report (exported over NFv9/IPFIX to the reporting tools):
App | BW | Transaction Time
SAP | 3M | 150 ms
Sharepoint | 10M | 500 ms
… | … | …
High / Med / Low
Application Recognition: identify applications using L3 to L7 information
Performance Collection & Exporting: collect application performance metrics, and export to the management tool
Management Tool: advanced reporting tool aggregates and reports application performance
Control: control application network usage to improve application performance
What is Application Visibility and Control (AVC)
Enabled Technologies
(Same App Visibility & User Experience Report, exported over NFv9/IPFIX, as on the previous slide)
Application Recognition: NBAR2
Performance Collection & Exporting: Unified Monitoring, NBAR2, Metadata (traffic statistics, response time, voice/video monitoring, URL collection)
Management Tool: Cisco Prime Infrastructure, 3rd-party tools
Control: QoS (w/ NBAR2), PfR
AVC Configuration: Prime Infrastructure
• Enable AVC with just an ON/OFF button
• With Cisco Prime Infrastructure 2.0
AVC Configuration: Prime AVC One-Click
• Enable AVC in one click, one device at a time
• Two simple steps: 1. Select interface(s) 2. Enable
Maximize Application Performance
Controls application bandwidth usage and selects optimal path
Application-aware QoS
• Identify 1000+ applications using NBAR2 and control bandwidth with Cisco industry-leading QoS
• Limit unwanted traffic and prioritize critical applications
• Example: stop bittorrent and netflix; prioritize salesforce, oracle
Intelligent Path Selection
• Deliver critical applications over the path which can meet the application performance requirement using PfR
• Automatic load share to maximize bandwidth use on available links
(Diagram: branch router with WAN1 and WAN2 links, one acting as backup)
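The application-aware QoS half of this slide, written out as an added IOS configuration example (this is not configuration from the Cisco deck). It classifies the applications the slide names with NBAR2 and applies the stated policy: drop the unwanted ones, reserve bandwidth for the critical ones, and let everything else share fairly. The NBAR2 protocol names, the interface name, the shaping rate and the bandwidth percentage are assumptions for illustration; protocol names in particular depend on the protocol pack loaded on the router.

```ios
! Added example, not from the deck. Names, rate and percentages are
! placeholders. Confirm NBAR2 protocol names on the router with
! "show ip nbar protocol-id" before using them in a class-map.
!
! 1. Classify by application name (NBAR2 deep packet inspection),
!    not by port: bittorrent and netflix use many ports and HTTP.
class-map match-any UNWANTED-APPS
 match protocol bittorrent
 match protocol netflix
class-map match-any CRITICAL-APPS
 match protocol salesforce
 match protocol oracle-sqlnet
!
! 2. Drop unwanted traffic outright, guarantee bandwidth to critical
!    traffic and mark it for the WAN, fair-queue the remainder so that
!    no single flow starves the rest.
policy-map WAN-EDGE-OUT
 class UNWANTED-APPS
  drop
 class CRITICAL-APPS
  bandwidth percent 40
  set dscp af31
 class class-default
  fair-queue
!
! 3. Shape to the contracted circuit rate (assumed 50 Mbps) and nest the
!    queueing policy inside the shaper so queueing happens at the real
!    WAN speed rather than at the interface line rate.
policy-map WAN-SHAPER
 class class-default
  shape average 50000000
  service-policy WAN-EDGE-OUT
!
interface GigabitEthernet0/1
 description WAN1 - Internet (assumed)
 ip nbar protocol-discovery
 service-policy output WAN-SHAPER
```

Verify the result with "show policy-map interface GigabitEthernet0/1" (per-class packet and drop counters) and "show ip nbar protocol-discovery interface GigabitEthernet0/1" (which applications NBAR2 is actually seeing), and revisit the class-maps whenever the protocol pack is upgraded, since a renamed protocol silently stops matching.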
Performance Routing Topologies
(Diagram: HQ Internet edge and enterprise WAN with Master Controller / Border Routers (MC/BR), reaching branch BRs over WAN1 (IP-VPN) and WAN2 (IPVPN, DMVPN) via ISP1 and ISP2)
• Full utilization of expensive WAN bandwidth: efficient distribution of traffic based upon load, circuit cost and path preference
• Improved Application Performance: per-application best path based on delay, loss, jitter measurements
• Increased Application Availability: protection from carrier black holes and brownouts
Optimize by:
• Reachability, Loss
• Delay, Jitter, MOS
• Throughput, Load, and/or $Cost
Speed and Bandwidth Benefits on top of the IWAN
Accelerate Any TCP Connection
(Diagram: users/machines and the proliferation of devices at the Branch with WAAS Express, across the WAN to DC/Headquarters with AppNav-XE Controller, WAVE and vWAAS, and CSR in the Private Cloud)
Faster Applications, More Users, Less Bandwidth
• 90% HD video optimization and better user experience
• Twice as many Citrix users over the same WAN, 70% faster
• Toyota: ROI in less than one year, 65% BW cost savings
Easy to Deploy
• Works with existing branch routers (and existing AX license)
Scalable
• AppNav Controller and WAVE pool is scalable
• Native HA capability
Enhancing User Experience and WAN Efficiency
PROBLEM
• Application latency
• WAN bandwidth inefficiencies
SOLUTION
• Reduce load: data redundancy elimination (DRE), compression, and TCP optimization
• Application optimization: fewer protocol messages and metadata caching
(Chart: application bandwidth (Mbps, 0 to 160) and application latency (seconds, 0 to 4), natively vs. with Cisco WAAS, showing the reduction in bandwidth and the reduction in latency)
Securing Your IWAN
Step 1: Secure Transport
• IPsec with DMVPN or FlexVPN overlay
• Secure transport-independent overlay
• Add strong cryptography: IKEv2 + AES-GCM 256
Step 2: Threat Defense
• IOS Zone-Based Firewall
• Minimize exposure: DHCP addressing for Internet and tunnel interfaces; don’t put tunnel addresses into DNS
Step 3: Choose your performance level
• Size router based on encryption with services and WAN bandwidth
• Head-end: ASR1000 or ISR4451X; Branch: ISR-G2
(Diagram: Data Center with ASR 1000 head-ends, reached over ISP A and ISP C from cable/DSL-connected ISR-G2 branch routers)
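Step 1 in configuration form, as an added IOS example (not configuration from the deck): the hub side of a DMVPN overlay protected by IKEv2 with AES-GCM-256 for both the IKE SA and ESP. All names, addresses, the NHRP string and the pre-shared key are placeholders; AES-GCM in the IKEv2 proposal requires an IOS release that supports it, and production deployments should authenticate spokes with certificates (or at least per-spoke keys) rather than the single wildcard key shown here.

```ios
! Added example, not from the deck. Placeholders: all names, addresses,
! the NHRP authentication string and the pre-shared key.
!
! IKEv2: AES-GCM-256 is an AEAD cipher, so the proposal carries no
! separate integrity algorithm; a PRF and a DH group are still required.
! Group 19 (ECDH P-256) keeps the exchange in the Suite-B family.
crypto ikev2 proposal IWAN-IKEV2-PROP
 encryption aes-gcm-256
 prf sha512
 group 19
crypto ikev2 policy IWAN-IKEV2-POL
 proposal IWAN-IKEV2-PROP
!
! Wildcard pre-shared key so any spoke can join: simple to stand up,
! weak in production. Prefer "authentication remote rsa-sig" with a
! PKI trustpoint, or one keyring entry per spoke.
crypto ikev2 keyring IWAN-KEYRING
 peer ANY-SPOKE
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-STRONG-RANDOM-SECRET
!
crypto ikev2 profile IWAN-IKEV2-PROF
 match identity remote address 0.0.0.0 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local IWAN-KEYRING
 dpd 30 5 on-demand
!
! IPsec: ESP with AES-GCM-256, transport mode because the payload is
! already a GRE tunnel (saves 20 bytes per packet versus tunnel mode).
crypto ipsec transform-set IWAN-TS esp-gcm 256
 mode transport
crypto ipsec profile IWAN-IPSEC-PROF
 set transform-set IWAN-TS
 set ikev2-profile IWAN-IKEV2-PROF
!
! Multipoint GRE tunnel = the DMVPN hub. The tunnel address lives only
! in the overlay and, as the slide says, never in public DNS.
interface Tunnel100
 description DMVPN hub over Internet (example)
 ip address 10.100.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication REPLACE-NHRP-STRING
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IWAN-IPSEC-PROF
```

Check the negotiated algorithms with "show crypto ikev2 sa detailed" and "show crypto ipsec sa" (the encryption column should read AES-GCM-256, with no separate HMAC), and the spoke registrations with "show dmvpn". A spoke that still lists a CBC transform or an MD5/SHA1 integrity algorithm has fallen back to an older proposal and should be removed from the policy.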
Control the Perimeter:
• External and internal protection: internal network is no longer trusted
• Protocol anomaly detection and stateful inspection
Communicate Securely:
• Call flow awareness (SIP, SCCP, H323)
• Prevent DoS attacks
Flexible:
• Split tunnel: Branch/Remote Office/Store/Clinic
• Internal FW: international or untrusted locations/segments, addresses regulatory compliance
Integrated:
• No need for additional devices, expenses and power
• Works with other Cisco services: SRE, ScanSafe, WAAS Express
Manageable:
• Supports CLI, SNMP, CCP, and CSM
• Supports Cisco Configuration Engine
(Diagram: same Data Center, ISP A/ISP C, cable/DSL and ISR-G2 branch topology as the previous slide)
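Step 2 ("Threat Defense") and the perimeter-control bullets above, as an added IOS Zone-Based Firewall example for a branch router (not configuration from the deck). It puts the DHCP-addressed Internet interface in an untrusted zone, lets only the traffic the overlay itself needs reach the router from the Internet, and statefully inspects LAN traffic into the DMVPN tunnel so the internal network is not blindly trusted either. Zone names, interface names and the hub address are placeholders.

```ios
! Added example, not from the deck. Placeholders: zone and interface
! names and the hub address 203.0.113.10.
zone security INSIDE
zone security OUTSIDE
zone security OVERLAY
!
! Internet -> router itself: only IKE (500/4500) and ESP from the hub,
! plus DHCP replies for the DHCP-addressed Internet interface.
! Everything else aimed at the router is dropped and logged.
ip access-list extended ACL-OUTSIDE-TO-SELF
 permit udp host 203.0.113.10 any eq isakmp
 permit udp host 203.0.113.10 any eq non500-isakmp
 permit esp host 203.0.113.10 any
 permit udp any eq bootps any eq bootpc
class-map type inspect match-all CM-OUTSIDE-TO-SELF
 match access-group name ACL-OUTSIDE-TO-SELF
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-OUTSIDE-TO-SELF
  pass
 class class-default
  drop log
!
! LAN -> overlay: stateful inspection creates the return state, so no
! separate OVERLAY -> INSIDE permit is needed for replies. Hub-initiated
! sessions into the branch need their own zone-pair and are not opened here.
class-map type inspect match-any CM-INSIDE-TO-OVERLAY
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-INSIDE-TO-OVERLAY
 class type inspect CM-INSIDE-TO-OVERLAY
  inspect
 class class-default
  drop log
!
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
zone-pair security INSIDE-OVERLAY source INSIDE destination OVERLAY
 service-policy type inspect PM-INSIDE-TO-OVERLAY
!
! No zone-pair exists for self -> OUTSIDE, so the router's own IKE and
! DHCP requests leave unhindered; with no INSIDE <-> OUTSIDE zone-pair,
! LAN hosts cannot reach the Internet directly from this branch.
interface GigabitEthernet0/0
 description Internet, DHCP addressed (example)
 ip address dhcp
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description Branch LAN (example)
 zone-member security INSIDE
interface Tunnel100
 description DMVPN spoke tunnel to hub (example)
 zone-member security OVERLAY
```

Confirm the policy with "show zone-pair security" and watch the counters in "show policy-map type inspect zone-pair", where the class-default drop counter on OUTSIDE-SELF is the quickest measure of how much unsolicited Internet traffic the branch router is being exposed to. If the site later needs direct Internet access (split tunnel), add an explicit INSIDE to OUTSIDE zone-pair rather than loosening the OUTSIDE to self policy.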
Transport Independent
Simplifies WAN Design | Flexible | Secure, Proven Robust Security | Dynamic Full Meshed Connectivity
• Easy multi-homing over any carrier service offering
• Consistent design over all transports
• Certified crypto and firewall for compliance
• Automatic site-to-site IPsec tunnels
• Single routing control plane with minimal peering to the provider
• Zero-touch hub configuration for new spokes
• Scalable design with high performance cryptography in hardware
(Diagram: ASR 1000 routers in the Data Center connected over Internet and MPLS WAN to ISR-G2 branch routers)
Why Cisco IWAN?
Integrated Platform for IT Simplicity
• Branch → ISR-AX
• DC → ASR1K-AX
• Cloud → CSR1000V
Granular Control Everywhere
• Any-to-any security
• Endpoint-aware, network-aware, app-aware
Unmatched Context-based Routing
Proven Security at Scale
• Protect all branch resources
• Secure direct Internet access
Quick ROI, Faster than Alternatives
• Up to 72% in savings; many pay off in 6-12 months
• The alternative: a router plus overlay appliances for WAN path selection, app visibility & control, WAN optimization, firewall and IPsec VPN
• Savings enables business innovation
IWAN Capabilities Embedded in the Router
One Network, Unified Services
L4-L7 Application Services: Visibility, Control, Optimization (Simplify Application Delivery)
L2-L3 Transport Services: Transport Independent, Secure Transport, Routing
Platforms: ASR1000-AX, ISR 4451-X-AX, ISR-AX
Cisco AX Routers 3900 | 2900 | 1900 | 800 | 4451 | ASR1002-X
Introducing the ISR App License
License tiers: IP Base, Security, App, U.C.
• Extends and replaces the Data license with application router services. All previous Data license features included.
• All Application Visibility and Control (AVC) features included. Enables powerful, comprehensive application monitoring and management.
• Right-To-Use license for WAAS: enables WAAS Express, WAAS SRE, or WAAS on UCS-E with no additional software cost.
App & Security included with the ISR-AX!
Uncompromised Experience Over Any Connection
Lower Costs without Tradeoffs
Maximize Your WAN Investment
Unleash Your Business Potential
Thank you.