思科数据中心Datacenter解决方案

©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential1InternalOnly–DonotDistribute©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential1Datacenter安全©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential2InternalOnly–DonotDistribute数据中心的“云化”趋势及安全挑战虚拟化安全域的实现及虚拟安全产品部署边界防火墙技术进展混合云场景及安全技术接入层安全技术的改善©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential3InternalOnly–DonotDistributePHYSICALWORKLOADVIRTUALWORKLOADCLOUDWORKLOAD•OneappperServer•Static•Manualprovisioning•ManyappsperServer•Mobile•Dynamicprovisioning•Multi-tenantperServer•Elastic•AutomatedScalingHYPERVISORVDC-1VDC-2Nexus1000V,VM-FEXvWAAS,VSG,ASA1000v,vNAMUCSforVirtualizedWorkloadsNexus7K/5K/3K/2KWAAS,ASA,NAMUCSforBareMetalCloudServicesRouter(CSR1000V)ASR,ISR©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential4InternalOnly–DonotDistributeNexus1000V•Distributedswitch•NX-OSconsistencyVSG•VM-levelcontrols•Zone-basedFWASA1000V•Edgefirewall,VPN•ProtocolInspectionvWAAS•WANoptimization•ApplicationtrafficMulti-HypervisorWANRouterServersTenantAASA1000VCloudFirewallNexus1000VvPathPhysicalInfrastructureVirtualized/CloudDataCentervWAASCiscoVirtualSecurityGatewayVXLANCSR1000V(CloudRouter)•WANL3gateway•RoutingandVPNSwitchesEcosystemServices•CitrixNetScalerVPXvirtualADC•ImpervaWebApp.FirewallCloudNetworkServicesCitrixNetScalerVPXImpervaSecureSphereWAFCloudServicesRouter1000VZoneAZoneB©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential5InternalOnly–DonotDistribute©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential5•计算/存储资源虚拟化•资源位置虚拟化•虚拟资源的互联•虚拟资源的使用•云：从服务的角度看待已经被虚拟化的资源•DC：从物理资源角度看虚拟资源上的服务©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential6InternalOnly–DonotDistribute为什么需要数据中心安全CEO视角保护企业声誉和股价确保合规保障经营连续性帮助提高工作效率CIO视角保证IT安全，保障企业经营避免由于攻击或人为失误导致的业务和经营中断保护核心应用、业务和设备的安全IT管理者视角确保在全网范围内的可视化和控制安全地开展新业务维护数据安全和完整性部署和强化安全策略避免性能瓶颈优化网速、带宽和运行服务级别保护基础架构设施，避免过载和攻击安全合规要求战术：数据中心战略：云©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential7InternalOnly–DonotDistributeCEO：云就是生产力，就是利润！CIO:数据量越来越大，存储不够用…访问量越来越大，带宽不够用…使用者越来越多，安全策略不够用…CFO:安全也必须经得起ROI的考验。“云数据中心”是不是经济&安全的方式？©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential8InternalOnly–DonotDistributeInternetPartnersApplicationSoftwareVirtualMachinesVSwitchAccessAggregationandServicesCoreEdgeIP-NGNBackboneStorageandSANComputeVPNApplicationControl(SLB+)ServiceControlFirewallServicesVirtualDeviceContextsFibreChannelForwardingFabricExtensionFabric-HostedStorageVirtualizationStorageMediaEncryptionVirtualContextsforFW&SLBPortProfiles&VN-LinkPortProfiles&VN-LinkLine-RateNetFlowVirtualDeviceContextsSecureDomainRoutingServiceProfilesVirtualMachineOptimizationVirtualFirewallEdgeandVMIntrusionDetectionPhysicalVirtual©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential9InternalOnly–DonotDistribute©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential91.流量模型的转变：从分散走向高度集中，设备性能面临压力？2.安全边界消失；云计算/云服务环境下的安全部署边界在哪里？3.虚拟化要求：虚拟网络和虚拟主机的安全怎么保证？4.集中化管理：管理界面由物理变为虚拟，如何清晰界定和实现？5.虚拟化机会：安全作为一种服务（SaaS），如何实现虚拟化交付？6.……©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential10InternalOnly–DonotDistribute可视化威胁防御安全隔离•基础架构安全保护数据中心控制和数据层面的安全。•防止数据丢失，顺从性，失败保护•流量隔离以及认证授权审计（“纵向隔离”和“横向隔离”）•基于特征的网络入侵检测和阻挡•面向应用层的安全防御和流量规划•异常行为检测•日志，事件信息，集中认证和策略下发管理•取证•应用分析和报表•安全合规©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential11InternalOnly–DonotDistributeANexus7000Nexus7000Nexus5000Nexus5000Nexus50001GigServerRack10GigServerRackDataCenterPODDataCenterCoreInternetNexus2000Nexus2000vPCvPCvPCASA5585-XvPC*vPCNexus2000CiscoUCSCiscoUCSvPCvPCvPC*ASA5585-X10GigServerRackExternalZoneInternalZoneEdgeDMZ©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential12InternalOnly–DonotDistribute©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential12•边界安全o互联网边界防护（uRPF，NAT，DDOS，IDS）o内部互联边界要求（VPN，Firewall，IDS）•多租户隔离和防护（模块化服务：标准化、高扩展、可复制、可预测）o租户域内L2安全（ARPFlooding，ARPSpoofingetc.）o虚拟安全设备的正确、适度部署o远程VPNo虚拟机隔离及加固o租户数据保密o租户维护域设置及安全•系统维护域设置及安全©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential13InternalOnly–DonotDistributeNexus700010GEAggrNetworkServicesvPC+FabricPathNexus700010GECoreCatalyst6500End-of-RowNexus550010GENexus2248End-of-RowCBS31xxBladeswitchNexus7000End-of-RowNexus5500FCoENexus2232Top-of-RackUCSFCoENexus3000Top-of-RackNexus4000FIP-Snoop.IBMBladeCenter1GbEServerAccess&4/8GbFCviadualHBA(SANA//SANB)10GbDCB/FCoEServerAccessor10GbEServerAccess&4/8GbFCviadualHBA(SANA//SANB)L3L2C6500B22FEXHPBladeC-classFCSANAFCSANBMDS9200/9100Nexus5500FCoE核心交换域•L2安全•跨域访问控制维护域•带外管理系统•安全运维中心•远程VPN计算和数据资源域•虚机L2安全•子系统划分和隔离•负载均衡•应用层保护•虚拟机安全•数据加密和保护互联和接入域互联网接入区内部互联区内部VPN©2013Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidential14InternalOnly–DonotDistributeNexus700010GEAggrNetworkServicesvPC+FabricPathNexus700010GECoreCatalyst6500End-of-RowNexus550010GENexus2248End-of-RowCBS31xxBladeswitchNexus7000End-of-RowNexus5500FCoENexus2232Top-of-RackUCSFCoENexus3000Top-of-RackNexus4000FIP-Snoop.IBMBladeCenter1GbEServerAccess&4/8GbFCviadualHBA(S