Cisco Data Center Security Architecture



At-A-Glance

Why Is Data Center Security Important?

As the data center spurs higher levels of business growth and opportunity, protecting it becomes more critical. Threats are increasing in sophistication, and the data center is a high-value target. The explosive growth of mobile computing requires an open infrastructure with trusted access to data center resources. New technologies such as virtualization and cloud computing change how workloads are handled, but the larger attack surface creates more exposure. Compliance mandates such as PCI DSS impose stringent requirements for policy enforcement and controls. Web 2.0 technologies and e-commerce require security that can scale to protect a mission-critical computing environment. More and more, security is becoming an integral part of robust and thriving data center solutions.

Cisco Data Center Security Architecture

The Cisco data center security architecture includes the following components to help you meet changing technology and business conditions: threat defense, application and content security, virtualization security, and secure access.

Figure 1. Cisco Data Center Security Architecture (diagram: Threat Defense, Content Security, Virtualization Security, and Secure Access surrounding Cisco Data Center Security, with Policy, Identity, and Management as the foundation)

Threat defense: The Cisco® ASA 5585-X Adaptive Security Appliance provides high-performance, scalable firewall and intrusion prevention services. Cisco Security Intelligence Operations (SIO) arms the ASA appliance with the most up-to-date threat intelligence. In addition, Cisco IOS® and switching security further strengthen the data center's threat defense capabilities.

Content security: Cisco email and web security solutions give customers the choice of on-premises, cloud-based, and hybrid security services, protecting against known and zero-day malware outbreaks.

Virtualization security: The Cisco Virtual Security Gateway (VSG) works with Cisco Nexus® 1000V switches to provide zone-based, policy-driven security at the virtual machine level, extending existing security policies into virtual and cloud environments. The Cisco Nexus 1000V adds security and monitoring capabilities at the access layer, including PVLAN, IP Source Guard, DHCP snooping, ARP inspection, and NetFlow.

Secure access: Cisco AnyConnect Secure Mobility and Cisco TrustSec® establish secure, trusted access to data center resources for employees, customers, and partners. Access to virtualized resources, as well as access between users and tenants, is controlled by the security policy.

Cisco policy, identity, and management capabilities are built in to provide controls and visibility. They form a strong foundation for Cisco data center security. With Cisco data center security, you can:

• Defend data center availability with threat defense
• Secure data center services with application and content security
• Prevent business loss with secure access
• Meet compliance requirements with policy controls in both physical and virtual environments

Implementing Cisco Data Center Security

Cisco security can be deployed throughout the data center as follows.

Figure 2. Implementation of Cisco Data Center Security Architecture (diagram: Internet Edge with ASA 5585-X and Catalyst 6500 VSS; Data Center Core with Nexus 7018 VDCs; Data Center Distribution with Nexus 7000 Series, ASA 5585-X firewall, IPS, ACE, NAM, and email and web services; Nexus 5000 and Nexus 2100 Series connected by vPC to 10 Gigabit server racks; Unified Computing System with Nexus 1000V and VSG multi-zone security; SAN; Secure Access: Cisco TrustSec and Cisco AnyConnect)

Top 5 Reasons to Deploy Cisco Data Center Security

Reason #1: Cisco security supports new business initiatives, such as cloud computing, with policy controls, secure access, email security, and web security. Cisco data center security delivers high performance and scalability:

• The Cisco ASA 5500 Series is built on a modular, extensible architecture that enables a robust suite of highly integrated, market-leading security services supporting up to 35 Gbps of line traffic.
• The Cisco Virtual Security Gateway provides multitenant, zone-based, context-aware security for granular protection across the organization.
• Cisco IronPort Web Security offers rich reporting capabilities that provide flexible, unsurpassed visibility into web usage, with around 100 attributes logged for every web request.

Reason #2: The Cisco security portfolio is purpose-built for the data center, with protection for many different protocols, traffic patterns, and data types. It spans both physical and virtual environments.

• The ASA 5500 Series is available in a wide range of sizes, capabilities, and performance levels to meet specific needs at the lowest possible cost.
• The Virtual Security Gateway consolidates physical hardware to provide a comprehensive security solution that spans the organization's network assets.

Reason #3: Cisco security is pervasive throughout the data center. Security services are embedded in the network and enabled by appliances.

• The ASA 5500 Series takes advantage of Cisco's 15+ years of proven security expertise to enable a robust suite of highly integrated, market-leading security services.
• Cisco SIO performs the broadest and deepest global analysis to help data centers track threats, analyze intelligence, and improve their security posture.
• Cisco IOS and switching security delivers a sophisticated set of security capabilities throughout the data center for a comprehensive, layered security approach.

Reason #4: Cisco security enables speedy service delivery for a unique end-user experience. Policy enforcement and controls are based on user and device identity and other conditions.

• Cisco AnyConnect Secure Mobility is always on and running, so users are securely connected to the network wherever they are: "it just works."
• Cisco TrustSec enables identity- and context-aware secure access to the network, based on user, device, and location.

Reason #5: Cisco security helps achieve simplicity and operational excellence to improve IT efficiency and cost savings.

• The ASA platform supports data center virtualization efforts, eliminating the need to choose between security and efficient operations.
• Cisco's guaranteed intelligence coverage (90% of published security advisories, 90% of published security bulletins, 90-minute response) simplifies IT operations.
• Cisco Virtual Security Gateway allows dynamic provisioning and supports separation of duties to improve IT efficiency and accountability.
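As a concrete illustration of the Nexus 1000V access-layer controls named under Virtualization security (DHCP snooping, ARP inspection, and IP Source Guard), here is an added example NX-OS configuration. It was written for this page and is not taken from the Cisco document or its design guides. The VM data VLAN (10) and the port-profile names uplink-dc and vm-data are assumed placeholders.

```nxos
! Added example, not from the original At-A-Glance: Nexus 1000V port-profiles
! that enable DHCP snooping, Dynamic ARP Inspection (DAI) and IP Source Guard.
! Assumptions: VM data VLAN is 10; "uplink-dc" and "vm-data" are placeholder names.

! The dhcp feature gates all three controls on the Nexus 1000V.
feature dhcp

! Global enable plus per-VLAN scope. Snooping builds the IP/MAC/VLAN/port
! binding table that DAI and IP Source Guard then consult.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10

! Uplinks toward the physical network (where the real DHCP server and the
! default gateway live) must be trusted. Omitting trust here drops every
! DHCP OFFER/ACK, leaves the binding table empty, and then Source Guard
! blocks all VM traffic on VLAN 10.
port-profile type ethernet uplink-dc
  vmware port-group
  switchport mode trunk
  switchport trunk allowed vlan 10
  ip dhcp snooping trust
  ip arp inspection trust
  no shutdown
  state enabled

! VM-facing vEthernet ports stay untrusted: DHCP server replies from a guest
! (rogue DHCP) and ARP replies that do not match a snooped lease are dropped,
! and IP Source Guard discards packets whose source IP/MAC does not match the
! binding learned for that vNIC.
port-profile type vethernet vm-data
  vmware port-group
  switchport mode access
  switchport access vlan 10
  ip verify source dhcp-snooping-vlan
  no shutdown
  state enabled
```

After VMs renew their leases, confirm the controls are actually populated rather than silently passing or dropping everything: show ip dhcp snooping binding should list one entry per VM vNIC on VLAN 10, and show ip arp inspection statistics vlan 10 should show forwarded ARPs climbing while dropped ARPs stay near zero. Two practitioner caveats: VMs with statically assigned addresses have no DHCP lease, so they need static entries in the binding table or they are blocked by Source Guard; and the VSG zone policy described on this page is enforced separately by the VSG and Nexus 1000V vPath, so these Layer 2 controls complement it rather than replace it.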

Where can I find additional resources?

Cisco ASA 5585-X in the Data Center
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/design_guide_c22-624431.pdf

Cisco Virtual Security Gateway
http://www.cisco.com/go/vsg

Cisco Virtualization Security
http://www.cisco.com/go/vsec

Cisco AnyConnect 3.0 Q&A
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-622477.pdf

Cisco ScanSafe Web Security Data Sheet
http://www.scansafe.com/downloads/datasheets/DS_Web_Security.pdf

Cisco IronPort Cloud Email Security Data Sheet
http://www.ironport.com/resources/datasheet_cloud_email_security.pdf

Cisco IronPort Hybrid Email Security Data Sheet
http://www.ironport.com/resources/datasheet_hybrid_email_security.pdf

Cisco TrustSec
http://www.cisco.com/go/trustsec

Cisco SAFE Blueprint
http://www.cisco.com/go/safe

© 2011 Cisco Systems, Inc. All rights reserved. Cisco, the Cisco logo, and Cisco Systems are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0903R)



C45-647419-01 03/11