
Solution Overview

THE CISCO BUSINESS READY DATA CENTER
DATA CENTER SECURITY SOLUTIONS
An integrated, defense-in-depth approach to securing consolidated data centers

EXECUTIVE SUMMARY
Data center managers consolidating data center resources for greater efficiency must consider how these changes affect security. Cisco Systems offers an integrated, defense-in-depth data center security strategy that enables managers to partition data centers into security zones that apply appropriate security policies to each application, while containing the potential impact of virus or worm attacks. This strategy takes advantage of the Business Ready Data Center architecture and integrated security in Cisco networking platforms.

CHALLENGES
Data centers are attractive targets for malicious activity. Improperly secured data centers are targets of hackers and worms, which can cause considerable havoc and costly damage. Unfortunately, data centers assembled quickly during the economic boom of the 1990s were rarely built with an emphasis on security, and the many application and storage islands resulting from these efforts are often vulnerable to attack and compromise. Internet worms and viruses proliferate in part because of inconsistent, inadequate security technologies and procedures in data centers worldwide.

In support of management goals to protect, optimize, and grow the business, many IT organizations are consolidating data center resources such as servers, storage, networks, and applications. IT and network managers must consider how these changes affect both security posture and application resilience. In the past, managers relied upon physical application isolation or perimeter defense for security. This is inadequate to defend resources and applications from attacks, which continuously become more sophisticated and dangerous. Any script kiddie can download hacker tools from a Web site and inflict considerable damage on poorly protected data centers.

Attacks progress faster than ever. More damage occurs in a few seconds today than was possible in a few days five years ago. The Slammer, Blaster, and MyDoom worms took only minutes to circle the globe. Therefore, data centers need defenses that provide day-zero attack mitigation.

Threats from inside the enterprise can be even more damaging because hackers exploit detailed knowledge of the organization to wreak serious financial damage, inadvertently or deliberately. These hackers can include employees, temporary workers, and consultants. To protect applications, data center managers must use modern technologies that limit user access to only those resources they need to do their job.
It is essential that security and network managers collaborate to understand the particular vulnerabilities and threats to data center resources, so that they can develop a robust network security architecture. Vulnerabilities and threats can prevent users from accessing mission-critical applications, directly disrupt application operation, or compromise confidential and valuable information. Threats can include the following:
• Attacks on mission-critical applications, application servers, databases, database servers, and storage resources through buffer overflows, malicious worms, viruses, and administrative access breaches
• Vulnerabilities resulting from misconfigured systems and incorrect or outdated software, which expose IT managers to the time-consuming task of operating system and patch updates, with possible system downtime and productivity loss

Cisco Systems, Inc. All contents are Copyright 1992-2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 1 of 10

• Attacks on network systems and devices such as routers, switches, and firewalls through administrative access breaches
• Threats to the network infrastructure through distributed denial of service (DDoS) and SYN flood attacks

CISCO BUSINESS READY DATA CENTER
The Cisco Business Ready Data Center is a cohesive network architecture that supports immediate data center demands such as consolidation, business continuance, and security, while preparing the data center for emerging service-oriented and utility computing technologies such as blade servers, virtualization, Web services, and GRID. Through this architecture Cisco Systems, the worldwide leader in data center networking, offers IT and network managers the end-to-end, defense-in-depth security strategies and solutions they need to prevent or contain data center attacks. Based on an intelligent network foundation, the Cisco Business Ready Data Center addresses immediate security threats and provides a roadmap to advanced networking systems such as self-defending networks.

Cisco helps IT managers adopt this architecture with reduced risk, time, and investment through tested and validated reference architectures, proven design best practices, and both generic and partner-specific configuration templates. Its flexibility allows enterprises to deploy the compute, storage, and software technologies that best support their business goals and enables more efficient implementation of new services and applications. By implementing this adaptive data center networking architecture, IT organizations are well positioned to advance management goals to protect, optimize, and grow the business: it protects critical applications and confidential data, enhances data center operational efficiency, and rapidly creates new secure application environments to support new business processes.
With a highly resilient, efficient, and adaptive data center network in place, businesses can realign resources for growth by addressing competitive pressures, extending market reach, and speeding time-to-market of new services. The Cisco Business Ready Data Center architecture is comprised of three tiers (Figure 1):
• FOUNDATION INFRASTRUCTURE includes the intelligent IP network infrastructure, intelligent storage networking, and data center interconnect
• NETWORK SYSTEM INTELLIGENCE includes security, delivery optimization, manageability, and availability
• EMBEDDED APPLICATION AND STORAGE SERVICES include storage virtualization, data replication and distribution, and advanced application services


Figure 1 Security: Integral to the Business Ready Data Center Architecture

[Figure 1: layered diagram. Top tier, Embedded Application and Storage Services: Data Replication and Distribution, Virtualization Services, Advanced Application Services. Middle tier, Network System Intelligence: Security, Delivery Optimization, Manageability, Availability. Bottom tier, Foundation Infrastructure: Intelligent Storage Networking and Intelligent IP Network Infrastructure, connecting Storage Resources, Compute Resources, and Users.]

A DEFENSE-IN-DEPTH DATA CENTER SECURITY STRATEGY
Cisco data center security strategies recognize that security is a continuous process that should be integrated with data center operations, communicated to the user community, and incorporated into the organization's culture and way of doing business. Successful security strategies employ the concept of defense in depth, which uses multiple layers and complementary functions to mitigate threats throughout the data center.

Any security strategy begins with a security policy, which aligns business needs with security goals and defines how to implement them through processes and technologies. One component of the security policy should address the particular requirements of the data center, its specific application requirements, and user group authentication and authorization permissions for each application. An effective security policy results from collaboration among all stakeholders in the data center, including its management teams, the executive board, and user groups throughout the organization. The policy determines the security design, management processes, and technologies that enable policy implementation and enforcement. The policy is not static and should be refined and adjusted as the security posture changes. A security posture assessment can identify specific vulnerabilities and risks within the existing environment and recommend ways to mitigate them. These recommendations should be incorporated into the security policy and consistently enforced.

The network is an essential component of the security posture because it connects applications and users. The network should provide a solid first layer of defense, complementing operating system and application level security. The network creates a secure environment not only at the perimeter but also in security zones throughout the data center.
Separating the network into virtual compartments allows security managers to consolidate resources in a cost-effective manner and control user access to each application. The Cisco Business Ready Data Center achieves optimal end-to-end security, performance, and manageability by integrating security directly into the network infrastructure. It takes advantage of the advanced integrated security capabilities of the Cisco Catalyst switching and Cisco MDS intelligent storage networking platforms. Integrated security software and service modules for the Cisco Catalyst 6500 Series switch offer firewall, intrusion detection system (IDS), Secure Sockets Layer (SSL), and IP Security (IPSec) virtual private network (VPN) services at the higher performance levels required for bandwidth-intensive data center environments. In the storage network, the Cisco MDS 9000 Series Multilayer Director Switch offers virtual storage area network (VSAN) and advanced security services. Complementing these integrated security products is a variety of additional security technologies in the following categories:
• Threat defense: Watches for improper behavior in the network; examples include firewalls and intrusion detection/prevention systems (IDS/IPS)
• Trust and identity management: Permits or denies services to devices and users based on policies; examples include RADIUS access control servers
• Secure connectivity: Provides confidentiality across links; for example, a VPN with encryption
These solutions are detailed below in the section titled Cisco Security Solutions.
BUSINESS BENEFITS
The Cisco security strategy for the data center delivers the following business benefits:
• Defense in depth: Mitigates known and unknown risks and threats at many layers
• Secured consolidation: Segments consolidated infrastructures into security zones that contain the spread of an attack and provide strong access controls
• Day-zero attack mitigation: Looks for and stops suspicious behaviors
• Greater service integrity: Protects and validates confidential data on servers and storage devices
• Easier management and lower cost of ownership: Centralized management tools automate configuration and monitoring, enable consistent technology deployment, and enforce security policies throughout the data center
• Flexibility: Rapidly adapts to ever-changing threats
• Lower capital expenditures: Consolidates and virtualizes security functions across fewer physical devices

SECURITY ARCHITECTURE
Implementing data center security requires the management staff to prioritize security goals for cost reasons. With a clearly defined security policy, security managers, data center managers, and network managers can collaborate to prepare a security architecture that protects the consolidated data center. For optimal data center design using integrated security services modules, Cisco recommends that data center managers implement a dedicated services layer between the access and core layers, enabling distributed security services in the most cost-effective, high-performance manner.


Implementing Data Center Security
With a security policy in place that aligns asset protection with business goals, Cisco recommends that security managers take the following steps to secure their data centers:
• Define security zones and set security levels for each zone. Zones separate the data center into areas that are logically isolated from one another, so that an attack is contained with minimal impact. Zones can support individual applications or application tiers, groups of servers, database servers, Web servers, e-commerce zones, and storage resources (Figure 2). User access can be limited to Web servers, protecting the application and database tiers from accidental or malicious damage. Communication between applications can be limited to the specific traffic required for application integration, data warehousing, and Web services. Zones can provide logical separation of each application's storage environment across a scalable, consolidated storage network. To achieve this efficiently, firewalls can be integrated and virtualized to provide secure connectivity between application and server environments (Figure 2).
Figure 2 Security Zones with Integrated and Virtualized Firewalls Ensure Protected Applications on Consolidated Infrastructure

[Figure 2: Internet, perimeter security, the enterprise campus network, and the network core connect to an Internet server farm (DMZ and Web tier behind access security) and to an Enterprise Data Center with Consolidated Infrastructure. Web, App, and DB tiers for ERP, HR, Finance, E-Mail, Web, DW, and SCM applications sit in security zones (virtual LANs and virtual SANs), with horizontal and vertical inter-zone security enforced by integrated firewalls and IDS.]

• Perform a security posture assessment to identify vulnerabilities and risks, broken down by host, operating system, application, data, network devices, and links. This assessment provides vital information for determining the appropriate risk level for each asset and the maintenance required to keep each one at the desired security level, and it should be incorporated into the security policy.


• Implement endpoint protection for critical servers and hosts. This functionality discovers attacks in progress, protects operating systems and applications, and sends alarms to the management console when an exploit is detected. Cisco Security Agent, a behavior-based endpoint protection solution, successfully stopped both the Slammer and Blaster worms.
• Implement network IDS for critical network segments, analyzing traffic streams to identify and thwart attacks such as DDoS and hacker activity. The system alerts the management console and/or invokes an automated response within the network infrastructure to shun or block attacks as they are identified. IDS can also dynamically command firewalls or routers to block packets from identified malicious sources, reducing the effort needed to mitigate the attack.
• Control access between zones with firewalls and routers. Firewalls provide perimeter control for stateful inspection of connections to and from the data center while blocking access to nonpublic services and hosts through ingress and egress filtering. Routers provide Layer 3 segmentation between zones, inter-VLAN routing, bandwidth rate limiting, and traffic analysis.
• Implement containment with private VLANs on switches. When each host or segment has its own VLAN, security managers can quarantine attacks and prevent their spread to other hosts; hosts on each VLAN can communicate only with the default gateway, not with other hosts. Cisco Catalyst Integrated Security features provide comprehensive protection against hackers trying to gain access to non-authorized VLANs through false addressing mechanisms.
• Secure the storage network. Traditional storage environments were considered secure because they were a dedicated extension of the computing systems they served. As dedicated storage and smaller SANs are consolidated into larger SANs, storage managers can no longer depend on security through isolation.
Where storage networks are extended beyond the data center environment, security is required across metropolitan and wide-area networks. Managers must consider SAN security from four angles:
  - Securing the SAN from external threats, such as hackers and people with malicious intent
  - Securing the SAN from internal threats, such as unauthorized staff and compromised devices
  - Securing the SAN from unintentional threats by authorized users, such as misconfigurations and human error
  - Securing and isolating each storage environment from other storage environments, even if they share the same physical network
• Deploy Trust and Identity Management services to permit only authorized users and administrators to access data center resources.
• Implement efficient management and monitoring tools for centralized policy provisioning, monitoring, and troubleshooting of security components and Cisco IOS Software features. This solution should include event monitoring and correlation to filter alerts sent to the management console. Communication with data center network devices is most secure over an out-of-band network or a dedicated administration VLAN. Cisco recommends encrypting management traffic with SSL, Simple Network Management Protocol (SNMP) version 3, or Secure Shell (SSH) technology.
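As an added example (not taken from this Cisco document or a Cisco design guide), the following Cisco IOS style configuration fragment shows how three of the steps above look on a single aggregation switch: an isolated private VLAN for the Web zone so servers reach only their default gateway, an inter-zone access list on the zone gateway that admits just the Web-to-App traffic and logs everything else, and a management plane limited to SSHv2 and SNMPv3 from a dedicated administration VLAN. VLAN numbers, interface names, addresses, the 10.0.250.0/24 administration subnet, and port 8080 are constructed; the secrets are placeholders; and the AES privacy option assumes an IOS release that supports it.

```cisco
! Constructed example: Web zone = VLAN 110 (primary) with isolated secondary VLAN 111,
! App zone = 10.1.20.0/24, DB zone = 10.1.30.0/24, admin VLAN = 10.0.250.0/24
!
! --- Containment: private VLAN for the Web zone ---------------------------
vlan 110
 name WEB-ZONE-PRIMARY
 private-vlan primary
 private-vlan association 111
!
vlan 111
 name WEB-ZONE-ISOLATED
 private-vlan isolated
!
! Each Web server sits on an isolated host port: it can reach the gateway
! SVI but never another server in the same VLAN, which limits worm spread.
interface GigabitEthernet3/1
 description web-srv-01 (constructed)
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 110 111
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Default gateway for the Web zone. Mapping the isolated VLAN onto the SVI
! is what allows the hosts to reach the gateway at all.
interface Vlan110
 description WEB-ZONE gateway
 ip address 10.1.10.1 255.255.255.0
 private-vlan mapping 111
 ip access-group WEB-ZONE-OUT in
 no ip redirects
 no ip proxy-arp
!
! --- Inter-zone access control at the zone gateway ------------------------
! Traffic leaving the Web zone may reach the App tier on its service port
! and the DNS server only; the DB zone is explicitly unreachable from Web.
ip access-list extended WEB-ZONE-OUT
 remark Web -> App on the application port only (8080 is constructed)
 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 8080
 remark Web -> DNS (server address constructed)
 permit udp 10.1.10.0 0.0.0.255 host 10.1.1.53 eq domain
 remark Web must never initiate to the DB zone; log attempts for the console/IDS
 deny   ip 10.1.10.0 0.0.0.255 10.1.30.0 0.0.0.255 log
 remark Everything else, including spoofed sources, is dropped and logged
 deny   ip any any log
!
! --- Management plane: admin VLAN, SSHv2 and SNMPv3 only ------------------
hostname dc-agg-1
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local account as a fallback; a production deployment would use
! aaa new-model with RADIUS/TACACS+ against the ACS described later.
username netadmin privilege 15 secret <admin-secret>
!
ip access-list standard MGMT-ONLY
 remark Constructed administration VLAN subnet
 permit 10.0.250.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Cleartext HTTP management is disabled outright.
no ip http server
no ip http secure-server
!
! SNMPv3 with authentication and privacy; legacy v1/v2c communities removed.
no snmp-server community public
no snmp-server community private
snmp-server group NETOPS v3 priv access MGMT-ONLY
snmp-server user snmpadmin NETOPS v3 auth sha <auth-secret> priv aes 128 <priv-secret>
```

The App and DB zones get the same private VLAN and SVI treatment with their own access lists, so each inter-zone path is permitted explicitly in one direction and denied by default in every other.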


CISCO SECURITY SOLUTIONS
Cisco security solutions take an integrated, systematic approach to enterprise data center security to defend and protect the organization's business processes and assets. Cisco separates its security products into three categories: threat defense, trust and identity management, and secure connectivity. Much of this functionality is available through Cisco IOS Software, integrated security services modules for the Cisco Catalyst 6500 platform, and integrated security on the Cisco MDS 9000 Series switches. Following is a partial list of Cisco security products that are most relevant to securing the data center.

Security hardware modules for the Cisco Catalyst 6500 platform add much-needed security services to the network without affecting performance. The integration of advanced network services offers many advantages over multiple standalone appliances. Integration into the Catalyst chassis conserves rack space and minimizes the required number of interconnections, simplifying deployment. Modules typically offer greater performance and more ports than their appliance counterparts, increasing scalability. Unlike appliances, integrated modules can use native Cisco IOS Software and Catalyst intelligence, such as VLANs and quality of service (QoS), allowing tighter integration of advanced network services for an efficient, responsive infrastructure.

Threat Defense
Threat defense security solutions mitigate network and host attacks caused by viruses, worms, DDoS attacks, and other malicious network traffic. Deploying these solutions throughout the data center isolates and blocks intruders, rogue applications, and other unwanted traffic.
Some of these products include:
• Cisco Catalyst 6500 Series Firewall Services Module (FWSM): Based on Cisco PIX firewall technology, the FWSM delivers security, reliability, and performance with the leading firewall data rates in the industry: 5-Gbps throughput, 100,000 connections per second, and up to one million concurrent connections. Up to four FWSMs can be installed in a single chassis, providing scalability to 20 Gbps per chassis.
• Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2): An essential intrusion protection solution for safeguarding organizations from costly and debilitating network breaches by malicious Internet worms, DoS attacks, and e-business application attacks. Cisco IDSM-2 works with other integrated components, increasing the operating efficiency of intrusion protection to secure the data center network.
• Cisco Security Agent: Protects endpoints through behavior-based intrusion detection, shielding hosts from system-level attacks.

Trust and Identity Management
These solutions enable access to network services and data center resources by authorized users, administrators, and applications. Examples of these solutions follow:
• Embedded Cisco IOS Software technologies: A wealth of features enable appropriate access control and other security functions.
• Cisco Secure Access Control Server (ACS): Enables central administration of user authentication, authorization, and accounting (AAA) services. The ACS is also the central administration point for the pending Network Admission Control solution.


• Cisco Network Admission Control (NAC): Cisco dramatically enhances the day-zero antivirus and antiworm functionality of Cisco Security Agent with NAC. Available in mid-2004, NAC allows enterprises to discover the operating system patch, antivirus, and hotfix status of user devices requesting data center access. It relegates noncompliant and potentially vulnerable systems to environments with limited or no network access. Noncompliant endpoints can be denied access, placed in quarantine, or given restricted access to computing resources, perhaps to allow upgrades and patches to attain policy conformance.

Secure Connectivity
Securing connections within and between data centers, these solutions offer standards-based VPN and encryption techniques to ensure data integrity. They are appropriate across the optical connections between multiple data centers or to offsite data storage facilities. Following are examples of secure connectivity products:
• Cisco Catalyst 6500 SSL Services Module: Dramatically accelerates performance and enhances security of Web-enabled applications, providing comprehensive, secure content networking while guaranteeing a persistent customer experience.
• Cisco IPSec VPN Services Module: A high-speed module for Cisco Catalyst 6500 Series switches that integrates IPSec VPN services into the infrastructure, meeting the need for secure connectivity at increased bandwidth between data centers.
• VSAN: Analogous to a VLAN, a VSAN allows storage managers to create multiple logical SANs over a common physical infrastructure. Each VSAN runs its own set of fabric services, providing absolute partitioning between virtual fabrics. This is only one of the security features of the Cisco MDS 9000 Series.

Data Center Security Management
Security management is essential for spotting and blocking violations before damage occurs.
It is impossible to measure the value of user trust in data center resources, or the damage to an organization should a security breach compromise data integrity or shut down applications or servers. Therefore, security managers must meet the highest standards for ease of use, automation, data processing, and rapid, appropriate responses. Effective provisioning is vital because it directs devices how to identify and respond to potential intrusions and eliminate vulnerabilities. Change management should be easy, giving security managers automated tools to update devices to watch for new threats. Monitoring is the heart of security management, and administrators need tools that digest the massive amount of data generated by security components, identify suspicious activity, and proactively respond to threats. Troubleshooting is necessary for trusting multiple security levels to work together effectively.

CiscoWorks accommodates role-based security management services, with workflow automation and future service virtualization capabilities that speed and simplify management activities. CiscoWorks standards-based APIs allow integration with third-party management and billing applications. CiscoWorks offers data center managers two powerful security management applications:
• CiscoWorks VPN/Security Management Solution (VMS) protects organizational productivity by combining Web-based tools for configuring, monitoring, and troubleshooting VPNs, firewalls, and network- and host-based IDSs. CiscoWorks VMS also delivers network device inventory, change audit, and software distribution features.


• CiscoWorks Security Information Management Solution (SIMS) collects, analyzes, and correlates security event data from across the enterprise, so security managers can detect and respond to suspicious events as they occur. Based on the award-winning netForensics version 3.1 software, SIMS delivers complete event monitoring in multivendor security environments, real-time event correlation to detect both known and unknown threats, advanced visualization for fast and intuitive security monitoring, integrated risk assessment to understand the overall vulnerability of any particular asset within the enterprise, and comprehensive reporting and forensics for all levels of security operations.

CiscoView Device Manager for the Cisco Catalyst 6500 Series Switch resides in the switch and manages several Layer 2 and Layer 3 features for a single chassis. A task-based tool, CiscoView Device Manager eases the initial setup and deployment of end-to-end services across modules by offering configuration templates based on recommended practices.

SECURITY PARTNERSHIPS
Cisco network solutions for the data center form a robust foundation that allows enterprises to transform data centers into strategic assets. Cisco intelligent networking and storage technologies provide the foundation of solutions by leading data center vendors. Cisco also collaborates with security industry leaders to facilitate smooth, integrated delivery of a secure data center infrastructure that enterprises can tailor to their unique requirements today and adjust easily as they grow and change. These partnerships give data center managers the resources they need to design, deploy, and maintain agile, secure data centers that effectively support their business goals.

CISCO: THE TRUSTED LEADER IN DATA CENTER SECURITY
The enterprise data center is the heart of the enterprise network because it contains the data, applications, and other resources for business.
Protecting and ensuring the ongoing availability of these resources is vital to the success of any organization. Customers, partners, and internal users need to trust that confidential information remains private and reliable. Maintaining the integrity of the network and its attached resources is vital. As the market leader in networking and security, Cisco delivers enterprise-wide security solutions within the Cisco Business Ready Data Center, including design guides and best practices, such as those described in Cisco SAFE blueprints. Cisco and its partners also offer extensive security professional services to help customers identify their security needs and take appropriate actions. Cisco security solutions efficiently protect and optimize data centers while supporting network scalability and performance. With its integrated, defense-in-depth security solutions, Cisco helps protect data centers from increasingly damaging and rapidly spreading attacks from both inside and outside the enterprise. Let Cisco help you protect what is most precious to your business: your data center.


FOR MORE INFORMATION
Cisco Data Center Solutions: http://www.cisco.com/go/datacenter
Cisco Data Center Design Guides: http://www.cisco.com/en/US/netsol/ns340/ns394/ns224/ns376/networking_solutions_package.html
SAFE Blueprints: http://www.cisco.com/go/safe
Security Management: http://www.cisco.com/en/US/products/sw/cscowork/ps2330/index.html
Identity and Access Control: http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html
Configuration and Monitoring: http://www.cisco.com/en/US/products/sw/cscowork/ps2073/index.html
Cisco AVVID (Architecture for Voice, Video and Integrated Data) Partner Program for security product and services vendors: http://www.cisco.com/en/US/partners/pr46/pr13/partners_program_solution09186a00800a3370.html
Advanced Services for Network Security: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns267/networking_solutions_package.html

Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100

European Headquarters Cisco Systems International BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam The Netherlands www-europe.cisco.com Tel: 31 0 20 357 1000 Fax: 31 0 20 357 1100

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-7660 Fax: 408 527-0883

Asia Pacific Headquarters Cisco Systems, Inc. Capital Tower 168 Robinson Road #22-01 to #29-01 Singapore 068912 www.cisco.com Tel: +65 6317 7777 Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco Web site at www.cisco.com/go/offices

Argentina Australia Austria Belgium Brazil Bulgaria Canada Chile China PRC Colombia Costa Rica Croatia Czech Republic Denmark Dubai, UAE Finland France Germany Greece Hong Kong SAR Hungary India Indonesia Ireland Israel Italy Japan Korea Luxembourg Malaysia Mexico The Netherlands New Zealand Norway Peru Philippines Poland Portugal Puerto Rico Romania Russia Saudi Arabia Scotland Singapore Slovakia Slovenia South Africa Spain Sweden Switzerland Taiwan Thailand Turkey Ukraine United Kingdom United States Venezuela Vietnam Zimbabwe
All contents are Copyright 1992-2004 Cisco Systems, Inc. All rights reserved. Cisco, Cisco Systems, the Cisco Systems logo, Catalyst, Cisco IOS, and PIX are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0402R) JM/LW5752 04/04
