Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public
Data Center Security Challenges

Security Operations
• Manual process
• Short on resources
• Long provisioning times

Evolving Threats
• Detect, understand and block

Compliance
• Costly
• Complex validation process
Right Architecture for Data Center Security?

PERIMETER CENTRIC
• Manual and complex
• Error-prone
• Static topology
• Limited places (enforcement only where the perimeter devices sit)

VIRTUALIZATION CENTRIC
• No physical support
• Limited visibility
• Management complexity

APPLICATION CENTRIC
• Any workload and any place
• Full visibility
• Automated
ACI Security: Secure Multi-Tenancy at Scale
Policy Based Segmentation and Isolation
• Complete isolation of tenants with security at scale
• Group policy based segmentation, white-list policy
• Centralized policy management, visibility and auditing
• Eco-system (service chaining and L4-7 policy automation) and open APIs
(Figure: tenants HPC, HR and Finance, each with its own application network profile, on one fabric driven by a policy engine with open APIs.)
Application Network Profile
(Figure: web, app and db tiers of VMs forming an application, with "The Outside" beside it.)

End Point Group (component tier): a collection of end-points connecting to the network: VMs, physical compute, ...
Contract: a set of network requirements specifying how application components communicate with each other: access control, QoS, network services.
The Outside: the rules of how the application communicates with external private or public networks.
Network Profile: the application-centric network policy that ties these together; the network acts as a virtual patch panel.
End-points
An end-point [EP] is a compute, storage or service instance (a NIC, a vNIC, ...) attaching to the ACI fabric: things that connect to the fabric and use it to interface with other things.
A collection of end-points with identical network behavior forms an End Point Group (EPG).
End-point Groups (EPGs)
An end-point group [EPG] can flexibly map into:
• an application tier of a multi-tier app
• a segmentation construct (à la VLAN)
• a security construct
• an ESX port group, VM network, container, ...
It allows rules and policies to be specified on groups of physical or virtual end-points without knowledge of their specific identifiers and regardless of physical location.
(Figure: EPG WEB and EPG APP SERVER connected by policies.)
Tenant L3, L2 isolation
• EPGs (EPG WEB, EPG APP SERVER, ...) are placed in bridge domains (BD), with or without flooding semantics.
• Each BD carries one or more subnets.
• BDs belong to an L3 context: an isolated tenant VRF.
• A tenant is self-contained; its definition (network profile, BDs, L3 context and connectivity to the outside) is representable as a recursive structured text document.
EXAMPLE: Three-tier APP
• One L3 context with a bridge domain (bd) and subnet per tier: NW Public for EPG WEB, NW Private for EPG APP and EPG DB.
• Each tier provides its own contract: EPG WEB provides the web contract, EPG APP the java contract, EPG DB the sql contract.
• Each contract is consumed only by the party that needs it (the Outside consumes web, WEB consumes java, APP consumes sql), giving the chain Outside -> WEB -> APP -> DB and no other paths.
• All three tiers consume the infra shared services (mgmt bundle).
ACI Whitelist Policy Supports "Zero Trust" Model

TRUST BASED ON LOCATION (traditional DC switch): servers 1-4 sit on the same switch, so servers 2 and 3 can communicate unless explicitly blacklisted.

ZERO TRUST ARCHITECTURE (Nexus 9000 with ACI): the same servers are placed in EPG 1 "WEB" and EPG 2 "APP"; no communication is allowed between servers 2 and 3 unless there is a whitelist policy.
Whitelist policy = an explicitly configured ACI contract between EPG 1 and EPG 2 allowing traffic between their members. Note that the contract governs traffic between the two EPGs; end-points inside the same EPG can talk to each other by default.
ACI architecture allows flexible EPG membership, enabling a wide range of security policies.
Strategic Security Imperatives Addressed By ACI
• COMPLIANCE: policy based compliance, automated compliance management
• THREAT MITIGATION: secure multi-tenancy, micro-segmentation
• AUTOMATION: open security framework, L4-7 security automation
Applied across network, endpoint, virtual and cloud.
ACI Security: Networking, Segmentation, Isolation
• Complete isolation with full scalability and security
• Policy separated from network forwarding
• Centralized compliance and auditing
• Import / export policy via API (support for external policy engines)
• Automated services chaining
(Figure: tenants Bio-Chemical, Undergrad, HPC, HR, Finance and Guests on one fabric, with a policy engine, open APIs and an application network profile shown for "Undergrad and Guests".)
ACI Enables Segmentation based on Business Needs
Increasing level of segmentation / isolation / visibility:
• Basic DC network segmentation: PRODUCTION POD, DMZ and SHARED SERVICES on VLAN 1, VXLAN 2 and VLAN 3 (network-centric segmentation by VLAN)
• Segmentation by application lifecycle: DEV, TEST, PROD
• Per application-tier / service level segmentation: WEB, APP, DB
Micro-Segmentation for Physical and Virtual with ACI
• Micro-segmentation provides security for east/west traffic, for physical and virtual apps alike
• Embedded L4 distributed stateless firewall in the fabric
• Hardware-assisted stateful firewall for virtual workloads*
• Automates L4-7 security between application tiers for advanced protection
• Full visibility of all traffic between segments
* Requires the Application Virtual Switch (AVS)
Hardware Assisted Stateful Firewall (new in the 1.1 release)

Consumer A talks to provider B. The leaf holds the stateless contract rules:

  Src class  Src port  Dst class  Dst port  Flag  Action
  A          *         B          80        *     Allow
  B          80        A          *         ACK   Allow

Packet from consumer A towards VM B (arrives at the vLeaf from the physical NIC):
• Leaf evaluates the stateless policy; the hardware policy permits the packet and forwards it to the host.
• vLeaf creates a flow table entry only for a TCP SYN received from the PNIC, then delivers the packet to the destination VM.

Response from VM B:
• Packet received from the VM; vLeaf looks it up in the flow table.
• On a flow table hit the packet is forwarded to the leaf.
• Policy enforcement is done at the leaf; connection tracking at the vLeaf.

Flow table entries installed for the connection (one per direction), keyed on VLAN, protocol, addresses and ports:

  VLAN  Proto  Src IP  Src port  Dst IP  Dst port
  A     tcp    IP_A    1234      IP_B    80
  A     tcp    IP_B    80        IP_A    1234
  B     tcp    IP_A    1234      IP_B    80
  B     tcp    IP_B    80        IP_A    1234
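To make the leaf/vLeaf split concrete, here is an added Python simulation (written for this page, not Cisco code) of the two tables on this slide: the leaf applies only the stateless class/port/flag rules, and the vLeaf installs flow state solely for a TCP SYN that arrives from the physical NIC and consults that state for every packet the local VM sends. The IP addresses, ports, VLAN name and the test packets are constructed for the example. It shows the point a practitioner cares about: the second stateless rule lets any ACK-flagged packet from B:80 reach any port of A, so a compromised provider VM could probe or push data to the consumer; the vLeaf's connection tracking drops such a packet because no SYN from the PNIC ever created a flow for it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_class: str          # EPG class of the sender: "A" (consumer) or "B" (provider)
    dst_class: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset        # TCP flags, e.g. frozenset({"SYN"})
    vlan: str = "A"         # encap VLAN the vLeaf keys its flow table on (constructed)


# Stateless contract rules as programmed in the leaf (the slide's table):
# (src class, src port, dst class, dst port, flag that must be set). "*" is a wildcard.
# The second rule is how a purely stateless ACL lets replies through: anything
# from B:80 towards A passes as long as the ACK bit is set.
LEAF_RULES = [
    ("A", "*", "B", 80, None),
    ("B", 80, "A", "*", "ACK"),
]


def leaf_permits(pkt):
    """Hardware policy at the leaf: first matching stateless rule wins, default deny."""
    for src_cls, src_port, dst_cls, dst_port, flag in LEAF_RULES:
        if (src_cls == pkt.src_class and dst_cls == pkt.dst_class
                and src_port in ("*", pkt.src_port)
                and dst_port in ("*", pkt.dst_port)
                and (flag is None or flag in pkt.flags)):
            return True
    return False


def flow_key(pkt):
    return (pkt.vlan, "tcp", pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)


def reverse_key(pkt):
    return (pkt.vlan, "tcp", pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


class VLeaf:
    """Connection tracking on the hypervisor switch that hosts the provider VM."""

    def __init__(self):
        self.flows = set()

    def from_pnic(self, pkt):
        """Packet arriving from the fabric (the leaf has already enforced policy).
        State is installed only for a fresh TCP SYN, i.e. the handshake initiator."""
        if pkt.flags == frozenset({"SYN"}):
            self.flows.add(flow_key(pkt))
            self.flows.add(reverse_key(pkt))   # both directions, as in the slide's flow table
        return "deliver"

    def from_vm(self, pkt):
        """Packet the local VM wants to send: forwarded to the leaf only on a flow-table hit."""
        return "forward" if flow_key(pkt) in self.flows else "drop"


def run_scenario():
    """Consumer A opens a connection to provider B:80, then B answers twice:
    once legitimately, once with a spoofed ACK probe to a port A never used.
    Returns (leaf verdict, vLeaf verdict) per packet."""
    vleaf = VLeaf()
    syn = Packet("A", "B", "10.0.0.1", 1234, "10.0.0.2", 80, frozenset({"SYN"}))
    if leaf_permits(syn):
        vleaf.from_pnic(syn)
    reply = Packet("B", "A", "10.0.0.2", 80, "10.0.0.1", 1234, frozenset({"SYN", "ACK"}))
    ack_probe = Packet("B", "A", "10.0.0.2", 80, "10.0.0.1", 4444, frozenset({"ACK"}))
    return {
        "reply": (leaf_permits(reply), vleaf.from_vm(reply)),
        "ack_probe": (leaf_permits(ack_probe), vleaf.from_vm(ack_probe)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: leaf={'allow' if verdict[0] else 'deny'}, vleaf={verdict[1]}")
```

Both reply packets pass the leaf's stateless rules; only the one matching a flow created by A's SYN is forwarded by the vLeaf. A SYN originated by the VM itself creates no state in this model, matching the slide's "only for TCP SYN received from PNIC".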
ACI Supports Flexible East-West Security Models

L4 Distributed Stateless Firewall (servers, physical or virtual):
• L4 stateless firewall at each leaf switch, attached to every server port
• Line rate policy enforcement
• Policy follows workloads

L4-7 Security via ACI Service Graph (L4-7 services, physical or virtual, location independent):
• Advanced protection with NGFW, IPS/IDS and DDoS services insertion
• Sizing at scale enabled via service pools and ACI dynamic redirection
• L4-7 security policy applied consistently for any workload
• The service graph gives L4-7 visibility and control
Challenges with Network Service Insertion

Service insertion in traditional networks (figure: routers, switch, firewall, load balancer, vFW and servers):
• Configure firewall network parameters
• Configure the network to insert the firewall
• Configure firewall rules as required by the application
• Configure the router to steer traffic to/from the load balancer
• Configure load balancer network parameters
• Configure the load balancer as required by the application

Service insertion takes days; network configuration is time consuming and error prone; it is difficult to track configuration on the services.
Application Policy
(Figure: EPG-APP consumes and EPG-DB provides the dB contract.)

dB Contract
  MSSQL: Accept
  MySQL: Accept
  HTTP: Accept, Count

Filter: named collection of L4 port ranges
  - HTTP = [80, 443]
  - MSSQL = [1433-1434]
  - MySQL = [3306, 25565]
  - DNS = [53, 953, 1337, 5353]

Action: what action or actions to take on the packet
  - Accept
  - Service Insert
  - Count
  - Copy (future sw release)
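The contract/filter model on this slide, the three-tier example earlier (EPG WEB, APP and DB with web/java/sql contracts) and the whitelist semantics of the zero-trust slide can all be expressed as the JSON tree the APIC accepts. The following Python is an added example, not code from the deck or from Cisco: the class and attribute names (fvTenant, fvCtx, fvBD, fvSubnet, fvAp, fvAEPg, fvRsBd, fvRsProv, fvRsCons, vzBrCP, vzSubj, vzRsSubjFiltAtt, vzFilter, vzEntry) are the APIC object model, while the tenant name "shop", the VRF, subnets and port numbers are assumptions chosen for illustration (the slide's own MySQL and DNS port lists are not reused). allowed_flows walks the tree and resolves it to the set of (consumer EPG, provider EPG, TCP port) tuples the contracts permit; anything else is denied, which is the whitelist.

```python
import json


def entry(name, from_port, to_port=None):
    """A vzEntry: one TCP destination port or port range inside a filter."""
    to_port = from_port if to_port is None else to_port
    return {"vzEntry": {"attributes": {
        "name": name, "etherT": "ip", "prot": "tcp",
        "dFromPort": str(from_port), "dToPort": str(to_port)}}}


def filt(name, *entries):
    """A vzFilter: the slide's 'named collection of L4 port ranges'."""
    return {"vzFilter": {"attributes": {"name": name}, "children": list(entries)}}


def contract(name, *filter_names):
    """A vzBrCP with a single subject that attaches the named filters (action: permit)."""
    subject = {"vzSubj": {"attributes": {"name": "subj"}, "children": [
        {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}} for f in filter_names]}}
    return {"vzBrCP": {"attributes": {"name": name}, "children": [subject]}}


def bridge_domain(name, ctx, gateway):
    """An fvBD in VRF ctx with one fvSubnet (gateway address, assumed values)."""
    return {"fvBD": {"attributes": {"name": name}, "children": [
        {"fvRsCtx": {"attributes": {"tnFvCtxName": ctx}}},
        {"fvSubnet": {"attributes": {"ip": gateway}}}]}}


def epg(name, bd, provides=(), consumes=()):
    """An fvAEPg bound to a bridge domain, providing and consuming contracts."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def three_tier_tenant():
    """Tenant 'shop' (assumed name): one VRF, a BD per tier, web/java/sql contracts."""
    return {"fvTenant": {"attributes": {"name": "shop"}, "children": [
        {"fvCtx": {"attributes": {"name": "prod-vrf"}}},
        bridge_domain("web-bd", "prod-vrf", "10.1.1.254/24"),
        bridge_domain("app-bd", "prod-vrf", "10.1.2.254/24"),
        bridge_domain("db-bd", "prod-vrf", "10.1.3.254/24"),
        filt("http", entry("http", 80), entry("https", 443)),
        filt("java", entry("tomcat", 8080)),
        filt("sql", entry("mssql", 1433, 1434), entry("mysql", 3306)),
        contract("web", "http"),
        contract("java", "java"),
        contract("sql", "sql"),
        {"fvAp": {"attributes": {"name": "three-tier"}, "children": [
            epg("web", "web-bd", provides=["web"], consumes=["java"]),
            epg("app", "app-bd", provides=["java"], consumes=["sql"]),
            epg("db", "db-bd", provides=["sql"]),
        ]}},
    ]}}


def allowed_flows(tenant):
    """Resolve the tree into the whitelist it expresses:
    {(consumer EPG, provider EPG, TCP dst port)} in the initiating direction."""
    top = tenant["fvTenant"]["children"]
    filters, contracts, providers, consumers = {}, {}, {}, {}
    for obj in top:
        if "vzFilter" in obj:
            ports = set()
            for e in obj["vzFilter"]["children"]:
                a = e["vzEntry"]["attributes"]
                ports.update(range(int(a["dFromPort"]), int(a["dToPort"]) + 1))
            filters[obj["vzFilter"]["attributes"]["name"]] = ports
        elif "vzBrCP" in obj:
            contracts[obj["vzBrCP"]["attributes"]["name"]] = [
                r["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"]
                for s in obj["vzBrCP"]["children"] for r in s["vzSubj"]["children"]]
        elif "fvAp" in obj:
            for g in obj["fvAp"]["children"]:
                name = g["fvAEPg"]["attributes"]["name"]
                for rel in g["fvAEPg"]["children"]:
                    if "fvRsProv" in rel:
                        providers.setdefault(rel["fvRsProv"]["attributes"]["tnVzBrCPName"], set()).add(name)
                    if "fvRsCons" in rel:
                        consumers.setdefault(rel["fvRsCons"]["attributes"]["tnVzBrCPName"], set()).add(name)
    flows = set()
    for cname, fnames in contracts.items():
        for cons in consumers.get(cname, ()):
            for prov in providers.get(cname, ()):
                for f in fnames:
                    flows.update((cons, prov, port) for port in filters[f])
    return flows


def is_permitted(flows, src_epg, dst_epg, dport):
    """Whitelist semantics: anything not derived from a contract is denied."""
    return (src_epg, dst_epg, dport) in flows


def to_apic_json(tenant):
    """Body for POST /api/mo/uni.json on the APIC (not executed here)."""
    return json.dumps(tenant, indent=2)
```

With this tenant, web -> app on 8080 and app -> db on 1433, 1434 or 3306 are permitted; web -> db, app -> web and any other port are not, because no contract expresses them. The "web" contract has no consumer inside the tenant; in practice the Outside consumes it through an L3Out, omitted here. ACI applies a contract's filters in both directions with reversed ports by default so replies pass; the evaluator models only the initiating consumer-to-provider direction. To push the tenant, authenticate to the APIC (POST /api/aaaLogin.json) and POST the output of to_apic_json to /api/mo/uni.json.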
Network Service Insertion
(Figure: EXTERNAL consumes the Web contract provided by WEB; HTTP: Accept, Service Graph; the graph inserts FW then LB between consumer and provider.)
• A contract provides a mechanism to add network services by associating a service graph with it.
• A service graph identifies the set of network service functions required by an application.
• APIC configures the network service functions on devices such as firewalls and load balancers through device packages.
• A device package can be uploaded to the APIC at run time; adding support for a new network service through a device package does not require an APIC reboot.
Service Insertion Architecture: Device Package
• A device package contains a device model (the configuration model, an XML file) and device Python scripts; service functions are added to the APIC through a device package.
• The device model defines the service function and its configuration.
• The device scripts, run by the APIC script engine through the APIC script interface, translate APIC policy manager API callouts into device-specific callouts.
• A script can interface with the service device using REST, SSH or any other mechanism (device interface: REST/CLI).
Open Security Framework & Ecosystem
A broad ecosystem enables choice and investment protection and supports a defense-in-depth security strategy.
• Security applications (compliance, SIEM, security analytics, etc.) talk to the APIC over open REST APIs.
• End-to-end layered security enforcement: ACI fabric, DNS, firewall, IDS/IPS and DDoS services.
• The open standard OpFlex and an open device interface connect the fabric and the service devices.
Simplified ACL / Firewall Policy Management
• Reduces security risk by removing hand-made configuration errors
• Policy lifecycle management, including de-commissioning upon application removal, supports compliance
• Retains existing policies/rules, minimizing disruption to current operations
• Centralized L4-7 policy automation with a device package (e.g., ASA/ASAv)
• Policy supports workload mobility
(Figure: the APIC pushes the application security policy to the firewall through the device package.)
ACI Integration with Cisco ASA: Centralized Security Policy Automation

PHYSICAL: ASA 5585-X
• 16-way clustering with state synchronization*

VIRTUAL: ASAv
• Full ASA feature set
• Hypervisor independent
• Virtual switch agnostic
• Dynamic scalability

* Up to 640 Gbps of distributed firewall capacity
Accelerated Threat Detection and Response with ACI FirePOWER NGIPS Integration
(Figure: Application 1 and Application 2 across physical Hosts 1-3 and VMs attached to the fabric, with APIC and FireSIGHT above.)
• FirePOWER IPS uses ACI fabric visibility to detect and alert on key security threats early in the attack lifecycle (Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain).
• FirePOWER IPS continuously gathers events from the ACI fabric to detect new threats.
• FireSIGHT Manager continuous analytics enables detection of advanced security threats.
• FireSIGHT uses APIC APIs to dynamically push group policies to mitigate an attack and quarantine affected end-points.
Covers proactive detection, mitigation, incident response and mission assurance.
ACI Security Validated for PCI Compliant Networks
• Reduces compliance scope and costs
• Simplifies audit based on higher level policy
• Reduces costs with a shared network and secure multi-tenancy
• Provides role-based access control
• Centralizes auditing and access monitoring
(Figure: security policy, network access control, access monitoring and centralized audit as the pillars.)
Application Decommissioning and Compliance
Compliance/security requirement: when an application gets decommissioned, every IT resource associated with it must be removed and/or wiped out.
• Compute: UCS allows one to disassociate the service profile(s) associated with this application. Audit OK.
• Storage: arrays can wipe out the data, or the associated disks can be trashed. Audit OK.
• Network: current network approaches and solutions have no way to map the application's workflow and "remove" it. Audit fail.
• ACI supports this programmatically and in an automated manner, removing the application network profile and the policies derived from it. Audit OK.

Symantec's Views on ACI Security
Sheila Jordan, Chief Information Officer; Vince Spina, VP, Global Network Infrastructure & Data Center
Cisco ACI Addresses Key Datacenter Security Challenges
• THREAT CENTRIC (detect, understand and block): ACI group policy with advanced protection (FirePOWER NGIPS, ASA NGFW)
• AUTOMATION (manual process, short on resources, long provisioning times): automated protection for physical and virtual workloads
• COMPLIANCE (costly, complex validation process): ACI validated for PCI compliant networks
Advanced protection with full automation for physical and virtual workloads.