
Cisco Data Center (Datacenter) Solution


Figure: Nexus 1000V multi-hypervisor virtual network (Zone A / Zone B over the physical infrastructure, with vPath and VXLAN)
• Nexus 1000V: distributed switch
• VSG: VM-level controls
• ASA 1000V: edge firewall, VPN
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Internal Only – Do not Distribute 11
• Perimeter security
o Internet edge protection (uRPF, NAT, DDoS, IDS)
o Internal interconnect edge requirements (VPN, firewall, IDS)
Interconnect and access domain
Internal interconnect zone / Internal VPN / Maintenance domain
• Out-of-band management system
• Security operations center
• Remote VPN
Internet access zone
C6500
Nexus 7000 10 GE Core
Visibility
• Logs, event information, centralized authentication and policy push management
• Forensics
• Application analysis and reporting
• Security compliance
Threat defense
• Signature-based network intrusion detection and blocking
• Application-layer security defense and traffic planning
• Anomalous behavior detection
vWAAS, VSG, ASA 1000v, vNAM
UCS for Virtualized Workloads
Cloud Network Services Virtualized/Cloud Data Center
Datacenter security
The "cloud" trend in data centers and its security challenges
Figure: access-layer topology (vPC pairs of Nexus 5000, Nexus 2000 fabric extenders, Cisco UCS; 10Gig server rack, 1Gig server rack, 10Gig server rack)
IT manager's perspective
Ensure network-wide visibility and control
• Launch new business securely
• Maintain data security and integrity
• Deploy and enforce security policies
• Avoid performance bottlenecks
• Optimize network speed, bandwidth and operational service levels
• Protect the infrastructure against overload and attack
Figure: SAN and server access (FC SAN A / FC SAN B; Nexus 5500 FCoE; Nexus 5500 10GE; CBS 31xx blade switch; Nexus 2248; Catalyst 6500 End-of-Row; 1 GbE server access; 4/8Gb FC via dual HBA (SAN A // SAN B))
• Application traffic
VPX virtual ADC
• Imperva Web App. Firewall
Nexus 7000 End-of-Row
10Gb DCB FCoE Server Access or 10 GbE Server Access & 4/8Gb FC via dual HBA (SAN A // SAN B)
Security compliance requirements
… is profit!
CFO: Security must also stand up to the test of ROI. Is the "cloud data center" an economical and secure approach?
CIO: Data volumes keep growing, storage is running out… Access volumes keep growing, bandwidth is running out… Users keep growing, security policies are running out…
Partners
Fibre Channel Forwarding
Fabric Extension
Line-Rate NetFlow Application Control (SLB+) Service Control
Physical
• Virtualization of compute/storage resources
• Virtualization of resource location
• Interconnection of virtual resources
• Use of virtual resources
• Cloud: viewing already-virtualized resources from a service perspective
• DC: viewing the services running on virtual resources from a physical-resource perspective
3. Virtualization requirements: how is the security of virtual networks and virtual hosts guaranteed?
4. Centralized management: the management plane moves from physical to virtual; how is it clearly delineated and implemented?
5. Virtualization opportunity: security as a service (SaaS); how is it delivered in virtualized form?
6. ……
IP-NGN Backbone
Edge
Core
Aggregation and Services
Virtual Contexts for FW & SLB
Virtual
1. Shift in the traffic model: from distributed to highly concentrated; is device performance under pressure?
2. Disappearance of the security perimeter: where is the boundary for security deployment in a cloud computing / cloud service environment?
• Multi-tenant isolation and protection (modular services: standardized, highly scalable, replicable, predictable)
o L2 security within the tenant domain (ARP flooding, ARP spoofing, etc.)
o Correct and proportionate deployment of virtual security appliances
o Remote VPN
o Virtual machine isolation and hardening
o Tenant data confidentiality
o Tenant maintenance domain setup and security
• System maintenance domain setup and security
Security isolation
• Infrastructure security protects the data center's control plane and data plane.
• Data loss prevention, compliance, fail-safe protection
• Traffic isolation together with authentication, authorization and auditing ("vertical isolation" and "horizontal isolation")
Figure: Internet → Edge DMZ (External Zone / Internal Zone) → Data Center Core → Data Center POD; Nexus 7000 pair with vPC*, ASA5585-X pair, Nexus 7000 10 GE Aggr
vPC+ Core switching domain FabricPath
• L2 security
• Cross-domain access control
L3 L2
Network Services
MDS 9200 / 9100
Compute and data resource domain
• VM L2 security
• Subsystem partitioning and isolation
• Load balancing
• Application-layer protection
• Virtual machine security
• Data encryption and protection
Nexus 5500 FCoE Nexus 2232 Top-of-Rack
UCS FCoE
Nexus 3000 Top-of-Rack
Nexus 4000 FIP-Snoop. IBM Blade Center
B22 FEX HP Blade C-class
Virtual Device Contexts
Access
Compute
Storage and SAN
VSwitch
Virtual Machines
Application Software
Firewall Services
Internet
Secure Domain Routing
Virtual Device Contexts
WAN Router Servers Switches
Imperva SecureSphere WAF Citrix NetScaler VPX ASA 1000V Cloud Firewall vWAAS Cisco Virtual Security Gateway