BRKACI-2504

Upload: hoangduong, posted 02-May-2018

TRANSCRIPT

Page 1: BRKACI-2504 - d2zmdbbm9feqrf.cloudfront.net/2016/anz/pdf/BRKACI-2504.pdf · BRKACI-2504 Cisco Security on ... Provides a New Communication Abstraction

Page 2:

BRKACI-2504 Cisco Security on ACI, Micro-Segmentation, ASA, FirePower

Brenden Buresh – DC Technical Solutions Architect

Page 3:

Agenda

• Introduction – Data Center Security
• ACI Fundamental Building Blocks
• ACI Tenant Whitelist Security
• ACI Fabric Infrastructure Security
• ACI Fabric Micro-Segmentation
• Extending ACI Security Outside DC
• Conclusion – ACI = Advanced Security

Page 4:

Introduction: Data Center Security

Page 5:

Security Threats are Trending Higher (source: Cisco Annual Security Report 2016)

Page 6:

Organizational Security – Confidence Slipping (source: Cisco Annual Security Report 2016)

Page 7:

What is the Problem Facing IT Organizations? Complexity of Traditional Infrastructure

Network Complexity Dictates App Deployment/Operation

Fragile, Insecure, Rigid:

• Logical-Physical Tightly Coupled
• 1 Intentional Change Yields Many Unintended Changes
• Org Silos—Language Translation
• “Don’t Touch It!”
• Code Upgrades, Config Changes, New Devices
• Stifles Innovation
• Box by Box Configuration
• Error Prone
• Compliance Challenges

Page 8:

Why Policy Has Become Table Stakes? Policy Driven Infrastructure Delivers Network Simplification via Policy Automation

[Figure: POLICY at the centre, linking Operational Simplicity, Application Centricity, Security and Compliance, and Multi-Vendor Innovation across Compute, Network, Storage, L4-7 Services, Security, Orchestration and Management. The policy artefacts shown are the UCS Service Profile, the Application Network Profile and the Security Profile.]

Page 9:

Policy: Links Application Language to Infrastructure

Application Language:
• Application tier policy and dependencies
• Security requirements
• Service level agreement
• Application performance
• Compliance
• Geo dependencies

[Figure: the Application Language sits alongside the Network Language, the Compute/Storage Language and the Security Language. A Common Policy decouples the application and its policy from the underlying infrastructure and is rendered onto the Policy-Driven Infrastructure as the App Network Profile and the UCS Service Profile.]

Page 10:

ACI Fundamental Building Blocks

Page 11:

Application Centric Infrastructure: Automating IT by Making Applications the Focal Point

[Figure: Business Requirements → Applications → Policy → Integrated Physical and Virtual (Storage, Security, Compute, L4-7 Services). Agile, Open and Secure.]

Page 12:

ACI Solution: Agile, Open, and Secure

App Requirements Drive Network Deployment/Operation

Agile
• Speed through Automation
• Physical and Virtual Endpoints with Consistent Policy
• Application Health Monitoring
• H/W Based VXLAN Gateway

Secure
• Whitelist Approach
• Multitenant Aware
• Simplified Compliance

Open
• Open APIs, Open Source and Open Standards
• Customer Choice And Interoperability
• Drives Innovation

[Figure: Policy Automation, Visibility, Scale and Performance, Open API’s, Partner Ecosystem, Multi-Tenant Security, Compliance.]

Page 13:

Building Blocks (Pillars) of ACI: Rapid Application Deployment via Open Networks with Scale, Security, Full Visibility

Application Centric Infrastructure rests on three pillars: Application Centric Policy, the ACI Fabric/Nexus 9000, and an Open Ecosystem of Industry Leading Technology Partnerships.

Page 14:

Cisco ACI Fabric

[Figure: Nexus 9500 Modular Switches and Nexus 9300 Fixed Switches. Innovations in Cisco® NX-OS Software and in Hardware and System Design: Programmability, Power Efficiency, Port Density, Performance, Price, Integrated Overlay Capabilities, Improved Application Performance, Programmability and Automation.]

Page 15:

ACI Policy Driven Network: Application Network Profiles

The Security SME, Network SME and Application SME each contribute their policies (Virtualization Policy, Bare-Metal Policy, Network Policy, Security Policy) to the Application Profiles; the system configures the hardware automatically.

Policies used to create a policy driven network:
• Leaf Node Name
• VLAN, IP Pools
• Switch Profiles
• Interface Policies
• Attachable Access Entity Profile
• Bridge Domains
• EPGs
• Layer 4-7 Service Graphs

End Point Groups, Contracts, and Service Graphs to create ANPs:
• WEB EPG: End Point Groups, Provider Contract to App, Firewalls, Load Balancers, IPS, IDS
• APP EPG: End Point Groups, Consumer and Provider Contracts, Firewalls, Load Balancers
• Database EPG: End Point Groups, Consumer Contracts, Firewalls

Page 16:

ACI – A Policy Based IP Network

[Figure: an IP network with integrated VXLAN (packet = Payload | IP | VXLAN | VTEP). Components: APIC – Policy Controller & Distributed Management Information Tree (DMIT); physical and virtual VTEPs (policy & forwarding edge nodes), including AVS; proxy (directory) services; physical and virtual L4-7 service nodes; physical and virtual endpoints (servers) & VMM (hypervisor vSwitch); WAN/DCI services.]

Page 17:

ACI is a Robust Network Fabric: Provides a New Communication Abstraction Model

• Define Endpoint Groups: any endpoints anywhere within the fabric, virtual or physical (e.g. “Users”, “Files”)
• Enforce Ingress Fabric Rules: hardware rules on each port, security in depth, embedded QoS
• Single Point of Orchestration: different administrative groups use the same interface, high level of object sharing (Application Policy Infrastructure Controller, APIC)
• Create Contracts Between Endpoint Groups: port-level rules (drop, prioritize, push to service chain); reusable templates
• Service Graph, Single Pass Services: the security administrator defines generic templates in APIC, availed to contract creation

Example policy contract “Users → Files”:
• All TCP/UDP: Accept, Redirect
• UDP/16384-32767: Prioritize
• All Other: Drop

Page 18:

Application Centric Infrastructure Fabric

• Logical Endpoint Groups by Role: heterogeneous clients, servers, external clouds; the fabric controls communication
• Flexible Insertion: every device is one hop away, microsecond latency, no power or port availability constraints, ease of scaling
• Unified Management and Visibility: the ACI Controller manages all participating devices, with change control and audit capabilities
• Fabric Port Services: hardware filtering and bridging; default gateway; seamless service insertion, “service farm” aggregation
• Flat Hardware Accelerated Network: full abstraction, de-coupled from VLANs and dynamic routing, low latency, built-in QoS

Page 19:

ACI Policy Instantiation: Logical Network Provisioning of Stateless Hardware

[Figure: the Application Policy Infrastructure Controller (APIC) pushes ACI Policy onto the ACI Fabric (an integrated GBP VXLAN overlay) for an application made of WEB, APP and DB tiers with ADC and F/W services.]

Page 20:

Application Policy Infrastructure Controller: Centralized Automation and Fabric Management

[Figure: Storage SME, Server SME, Network SME, Security SME, App. SME and OS SME, plus Layer 4..7 System Management, Storage Management and Orchestration Management, all reach APIC through the Open RESTful API for policy-based provisioning.]

• Unified point of Data Center network automation and management:
  • Data Model based declarative provisioning
  • Application, Topology Monitoring, & Troubleshooting
  • 3rd party Integration (L4-L7 Services, Storage, Compute, WAN, …)
  • Image Management (Spine / Leaf)
  • Fabric Inventory
• Centralized access to ‘all’ fabric information: GUI, CLI and RESTful API’s
• Extensible to compute and storage management

Page 21:

Application Centric Infrastructure Vision: Open Ecosystem, Open API’s

[Figure: APIC (Open APIs, Open Source, Open Standards) provides Centralized Policy Management and Fabric Automation for the Application Network Profile, and integrates with Hypervisor Management, Systems Management, Enterprise Monitoring, Physical Networking, Hypervisors and Virtual Networking, Compute, L4–L7 Services, Storage and Orchestration Frameworks.]

Page 22:

Cisco ACI Built on Open Architectures

• Open Standards: OpFlex, NSH, VXLAN
• Open Ecosystem: UCS, ACI, Intercloud, Security
• Open Source
• Open Interfaces: RESTful APIs (XML)
• IoT, DevOps

Page 23:

ACI Tenant Whitelist Security

Page 24:

ACI Goal: Common Policy and Operations Framework

[Figure: four administrators’ views of one application: the Application Admin (Web Tier, App Tier, DB Tier), the Security Admin (Trusted Zone with the DB Tier, DMZ, External Zone), the Network Admin and the Cloud Admin (Cloud).]

Page 25:

ACI Goal: Common Policy and Operations Framework

[Figure: the same Application, Security, Network and Cloud Admin views drawn over a Common Pool of Resources.]

Page 26:

ACI Policy Model Brings Concept of End-Point Group

[Figure: EPG - Web, containing several HTTPS Service and HTTP Service endpoints.]

Policy model: EPGs are a grouping of end-points representing an application or application components, independent of other network constructs.

Page 27:

End-Points and EPG membership

An end-point is a device connected to the network directly or indirectly. It has an address (identity), a location and attributes (version, patch level), and can be physical, virtual or a container. Examples: server, virtual machines & containers, storage, client.

End Point Group (EPG) membership is defined by:
• Ingress physical port (leaf or FEX)
• Ingress logical port (VM port group)
• VLAN ID
• VXLAN (VNID)
• IP address (so far only applicable to external/border leaf connectivity)
• IP Prefix/Subnet (so far only applicable to external/border leaf connectivity)
• NVGRE (VSID) (future)
• VM-based attributes (future)
• Layer 4 ports (future)

Page 28:

EPGs, Subnets, and Policy

EPGs separate the addressing of an application from its mapping and policy enforcement on the network. Policy/security enforcement occurs at the EPG level.

[Figure: EPG WEB-1 and EPG WEB-2, each with HTTPS Service and HTTP Service endpoints, drawn across the subnets 10.10.10.x and 10.10.11.x.]

Page 29:

ACI Enables Segmentation Based on Business Needs

Increasing level of segmentation/isolation/visibility, left to right:
• Network centric segmentation: VLAN 1, VXLAN 2, VLAN 3
• Basic DC network segmentation: PRODUCTION POD, DMZ, SHARED SERVICES
• Segment by application lifecycle: DEV, TEST, PROD
• Per application-tier / service level micro-segmentation: WEB, APP, DB
• Intra-EPG micro-segmentation: WEB, WEB
• Container security (new): VM, OVS/OpFlex

Page 30:

ACI and Today’s 3-Tier applications

[Figure: “The Application” as an App Network Profile: Outside Client(s) → Web → App → DB, with a defined policy (P) at each hop: QoS + Filter between the clients and Web, QoS + Service between Web and App, QoS + Filter between App and DB. The Web tier could be many VMs or containers, the App tier a mix of physical/virtual machines/containers, the DB tier mostly physical resources.]

Page 31:

Application Network Profiles (ANP)

Policy model: Application Network Profiles are a group of EPGs and the policies that define the communication between them.

[Figure: Application Network Profile = EPG - WEB, EPG - APP, EPG - DB with inbound/outbound policies between them.]

Page 32:

Applying Policy between EPGs: ACI Contracts

Contracts define the way in which EPGs interact. The policy model allows for both unidirectional and bidirectional policies.

[Figure: ACI logical model applied to the “3-Tier App” ANP: EPG A, EPG B and EPG C joined by Contract 01 and Contract 02, one for bidirectional and one for unidirectional communication.]

Page 33:

Building ACI Contracts

• Contracts define communication between source and destination EPGs
• Contracts are groups of subjects which define communication between EPGs
• Subjects are a combination of a filter, an action and a label

Subject = Filter | Action | Label; for example Filter = TCP Port 80, Action = Permit, Label = Web Access

[Figure: Contract 1 contains Subject 1, Subject 2, Subject 3.]

Page 34:

Policy Options: Actions

There are six policy options supported:
• Permit the traffic
• Deny (block) the traffic
• Redirect the traffic
• Log the traffic
• Copy the traffic (copy packet)
• Mark the traffic (DSCP/CoS)

Policy encompasses traffic handling, quality of service, security monitoring and logging.
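The whitelist semantics of EPGs, contracts, subjects and filters are easiest to see in a small model. The following Python is an added illustration for this transcript, not code from the presentation or from Cisco: the class names (Filter, Subject, Contract, Fabric), the three-tier sample contracts and the "an explicit deny wins" rule are this example's own assumptions. APIC's real objects are vzFilter, vzSubj and vzBrCP, and the rules are enforced in leaf-switch hardware rather than evaluated in software like this. What the model shows is the part that trips people up: a consumer EPG may initiate to the provider on the filtered port, the provider's replies come back because the filter is applied with the ports reversed, and anything not covered by a contract is dropped.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Added illustration of the ACI whitelist model: EPGs only talk through contracts.
# Class names here are this example's own; APIC's objects are vzFilter, vzSubj
# and vzBrCP, and the rules are programmed into leaf hardware, not evaluated here.


@dataclass(frozen=True)
class Filter:
    """L4 match: protocol plus an inclusive destination-port range (None = any port)."""
    proto: str                                  # "tcp", "udp", "icmp" or "any"
    dport: Optional[Tuple[int, int]] = None

    def matches(self, proto: str, port: Optional[int]) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is None:
            return True
        return port is not None and self.dport[0] <= port <= self.dport[1]


@dataclass(frozen=True)
class Subject:
    """Filter + action + label, as on the 'Building ACI Contracts' slide."""
    label: str
    filt: Filter
    action: str = "permit"              # permit | deny | redirect | log | copy | mark
    reverse_filter_ports: bool = True   # let the provider's replies flow back


@dataclass
class Contract:
    name: str
    subjects: List[Subject]
    provider: str                       # EPG that provides (serves) the contract
    consumers: Set[str]                 # EPGs that consume (initiate) it


@dataclass
class Fabric:
    contracts: List[Contract] = field(default_factory=list)
    isolated_epgs: Set[str] = field(default_factory=set)   # intra-EPG isolation enabled

    def evaluate(self, src: str, dst: str, proto: str,
                 sport: Optional[int], dport: Optional[int]) -> str:
        """Action applied to one flow from EPG src to EPG dst. Default: deny."""
        if src == dst:                  # same EPG: open unless isolation is on
            return "deny" if src in self.isolated_epgs else "permit"
        actions: List[str] = []
        for c in self.contracts:
            for s in c.subjects:
                if src in c.consumers and dst == c.provider:
                    # consumer -> provider: the initiating direction, match on dport
                    if s.filt.matches(proto, dport):
                        actions.append(s.action)
                elif src == c.provider and dst in c.consumers:
                    # provider -> consumer: replies only, so the provider's own
                    # port is now the *source* port ("reverse filter ports")
                    if s.reverse_filter_ports and s.filt.matches(proto, sport):
                        actions.append(s.action)
        if not actions:
            return "deny"               # whitelist: no contract covers it, drop
        # Simplification of APIC's zoning-rule priorities: an explicit deny wins.
        return "deny" if "deny" in actions else actions[0]


def three_tier_fabric() -> Fabric:
    """Constructed sample policy for the Users -> WEB -> APP -> DB application."""
    users_web = Contract(
        "users-web",
        [Subject("Web Access", Filter("tcp", (80, 80))),
         Subject("TLS Access", Filter("tcp", (443, 443))),
         Subject("Well-known ports", Filter("tcp", (1, 1023))),
         Subject("No Telnet", Filter("tcp", (23, 23)), action="deny")],
        provider="WEB", consumers={"Users"})
    web_app = Contract("web-app", [Subject("App API", Filter("tcp", (8080, 8080)))],
                       provider="APP", consumers={"WEB"})
    app_db = Contract("app-db", [Subject("SQL", Filter("tcp", (3306, 3306)))],
                      provider="DB", consumers={"APP"})
    return Fabric(contracts=[users_web, web_app, app_db])


if __name__ == "__main__":
    f = three_tier_fabric()
    for flow in [("Users", "WEB", "tcp", 40000, 80), ("WEB", "Users", "tcp", 80, 40000),
                 ("WEB", "Users", "tcp", 40000, 443), ("Users", "WEB", "tcp", 40000, 23),
                 ("WEB", "DB", "tcp", 40000, 3306), ("APP", "DB", "tcp", 40000, 3306)]:
        print(f"{flow[0]:>5} -> {flow[1]:<5} {flow[2]}/{flow[4]:<5} {f.evaluate(*flow)}")
```

Two things worth noticing when you run it: WEB cannot open a new connection to Users on 443 even though Users → WEB on 443 is permitted (only replies, identified by the provider's source port, pass back), and WEB cannot reach DB at all because no contract joins them. The filter in this model is stateless, exactly as in the fabric; if you need connection tracking, that is what the service graph to an ASA is for.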

Page 35:

Application Network Profiles (ANP) & ACI: How it Works?

[Figure: an APP PROFILE for WEB, APP and DB tiers with ADC and F/W services, spread across hypervisors. It carries the connectivity policy, the security policies, QoS, storage and compute, application L4..7 services, and SLA (QoS, Security, Load Balancing).]

Page 36:

Example of an Application Mapped to ACI

Page 37:

ACI Embedded Tools – Endpoint Tracker

• Application that reads all of the Endpoints from APIC
• Registers for Endpoint add/delete
• “Punch clock” for Endpoints:
  • Who (MAC, IP)
  • What (Tenant, App, EPG)
  • Where (Interface)
  • When (Timestamps)
• Determine what was on the network at any time
• SQL or GUI frontend

[Figure: endpoints Web1–Web3, App1–App3 and DB1–DB3 recorded into SQL.]

Page 38:

ACI Embedded Tools – Diagrams

• A whiteboard diagram of an application’s deployed security policy

• http://blog.esquilax.org/2015/01/14/generating-aci-diagrams-with-acitoolkit/

• https://github.com/cgascoig/aci-diagram

Page 39:

Automating Infrastructure: Dynamic Endpoint Attachment

ACI policy: allow HR-EPG inbound to HR-Web EPG.

ASA and F5 object-group: automatically update ASA and F5 with new endpoints connecting to the network for HR-EPG, and remove endpoints when they disconnect from the network. Web servers are immediately available when added to DNS; policies are kept up to date without manual configuration.

[Figure: endpoints 1.1.1.1, 1.1.1.2 and 2.1.1.1 attached to the ACI Fabric.]

Page 40:

Dynamic Update to EPG Object-Group

APIC dynamically detects a new endpoint, the ASA subscribes to the attach/detach event, and the ASA automatically adds the endpoint to its object-group.

1: Enable “Attachment Notification” on the function connector internal.
2: APIC creates an object-group for the EPG.
3: APIC adds new endpoints to the object-group (192.168.10.101, 192.168.10.102).

[Figure: web (consumer) side 192.168.10.200, app (provider) side 192.168.20.200, ASA ACE in between; the new endpoints 192.168.10.101 and 192.168.10.102 appear in the object-group.]

Resulting ASA configuration:

  object-group network __$EPG$_podA-myapps-app
   network-object host 192.168.10.101
   network-object host 192.168.10.102
  access-list access-list-inbound extended permit tcp any object-group __$EPG$_podA-myapps-app eq www
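The Endpoint Tracker (Page 37) and the ASA object-group update above start from the same data: APIC's endpoint objects (class fvCEp), whose dn encodes tenant, application profile and EPG and whose child relation fvRsCEpToPathEp gives the attachment interface. The Python below is added for this transcript and is not code from the presentation, from Cisco's Endpoint Tracker application or from the ASA device package. It parses a constructed sample of the JSON that `GET /api/class/fvCEp.json?rsp-subtree=children&rsp-subtree-class=fvRsCEpToPathEp` returns (all values made up), builds the who/what/where/when rows, keeps them current from attach/detach notifications, and renders the ASA object-group for one EPG in the `__$EPG$_<tenant>-<app>-<epg>` form shown on the slide. The shape of the subscription events (imdata entries carrying a status of created/modified/deleted) is an assumption of the example, as is the handling of MAC-only learns, where APIC reports an IP of 0.0.0.0 that must not end up in a network-object.

```python
import json
import re
from dataclasses import dataclass, replace
from typing import Dict, Optional

# Constructed sample of what APIC returns for
#   GET /api/class/fvCEp.json?rsp-subtree=children&rsp-subtree-class=fvRsCEpToPathEp
# Three made-up endpoints in tenant podA, application profile myapps.
SAMPLE_RESPONSE = json.dumps({"totalCount": "3", "imdata": [
    {"fvCEp": {"attributes": {
        "dn": "uni/tn-podA/ap-myapps/epg-app/cep-00:50:56:AA:BB:01",
        "mac": "00:50:56:AA:BB:01", "ip": "192.168.10.101", "encap": "vlan-1101",
        "modTs": "2016-03-10T09:15:02.000+00:00"},
        "children": [{"fvRsCEpToPathEp": {"attributes": {
            "tDn": "topology/pod-1/paths-101/pathep-[eth1/5]"}}}]}},
    {"fvCEp": {"attributes": {
        "dn": "uni/tn-podA/ap-myapps/epg-app/cep-00:50:56:AA:BB:02",
        "mac": "00:50:56:AA:BB:02", "ip": "192.168.10.102", "encap": "vlan-1101",
        "modTs": "2016-03-10T09:16:40.000+00:00"},
        "children": [{"fvRsCEpToPathEp": {"attributes": {
            "tDn": "topology/pod-1/paths-102/pathep-[eth1/7]"}}}]}},
    {"fvCEp": {"attributes": {   # MAC-only learn: APIC reports 0.0.0.0 until an IP is seen
        "dn": "uni/tn-podA/ap-myapps/epg-web/cep-00:50:56:AA:CC:01",
        "mac": "00:50:56:AA:CC:01", "ip": "0.0.0.0", "encap": "vlan-1100",
        "modTs": "2016-03-10T09:20:11.000+00:00"},
        "children": [{"fvRsCEpToPathEp": {"attributes": {
            "tDn": "topology/pod-1/protpaths-101-102/pathep-[vpc-esx1]"}}}]}},
]})

# Constructed subscription notifications (assumed shape: imdata entries whose
# attributes carry status created/modified/deleted).
SAMPLE_DELETE_EVENT = json.dumps({"subscriptionId": "72057594037927936", "imdata": [
    {"fvCEp": {"attributes": {"dn": "uni/tn-podA/ap-myapps/epg-app/cep-00:50:56:AA:BB:02",
                              "status": "deleted"}}}]})
SAMPLE_MODIFY_EVENT = json.dumps({"subscriptionId": "72057594037927936", "imdata": [
    {"fvCEp": {"attributes": {"dn": "uni/tn-podA/ap-myapps/epg-web/cep-00:50:56:AA:CC:01",
                              "ip": "192.168.10.50", "modTs": "2016-03-10T09:25:00.000+00:00",
                              "status": "modified"}}}]})

DN_RE = re.compile(r"^uni/tn-(?P<tenant>[^/]+)/ap-(?P<app>[^/]+)/epg-(?P<epg>[^/]+)/cep-")
PATH_RE = re.compile(r"pathep-\[(?P<intf>[^\]]+)\]")


@dataclass(frozen=True)
class EndpointRecord:
    """One punch-clock row: who (MAC/IP), what (tenant/app/EPG), where, when."""
    dn: str
    mac: str
    ip: Optional[str]        # None while APIC only knows the MAC
    tenant: str
    app: str
    epg: str
    interface: str
    seen: str                # modTs as reported by APIC


def record_from(attrs: dict, children: list) -> EndpointRecord:
    m = DN_RE.match(attrs["dn"])
    if not m:
        raise ValueError("not an EPG endpoint dn: " + attrs["dn"])
    interface = ""
    for child in children:
        rel = child.get("fvRsCEpToPathEp")
        if rel:
            pm = PATH_RE.search(rel["attributes"].get("tDn", ""))
            interface = pm.group("intf") if pm else rel["attributes"].get("tDn", "")
    ip = attrs.get("ip") or None
    return EndpointRecord(attrs["dn"], attrs["mac"], None if ip == "0.0.0.0" else ip,
                          m["tenant"], m["app"], m["epg"], interface, attrs.get("modTs", ""))


def parse_endpoints(raw_json: str) -> Dict[str, EndpointRecord]:
    """Parse an fvCEp class query into records keyed by dn."""
    table: Dict[str, EndpointRecord] = {}
    for item in json.loads(raw_json)["imdata"]:
        body = item["fvCEp"]
        rec = record_from(body["attributes"], body.get("children", []))
        table[rec.dn] = rec
    return table


def apply_event(table: Dict[str, EndpointRecord], event_json: str) -> Dict[str, EndpointRecord]:
    """Keep the table current from one attach/detach notification."""
    for item in json.loads(event_json)["imdata"]:
        body = item.get("fvCEp")
        if not body:
            continue
        attrs = body["attributes"]
        prev = table.get(attrs["dn"])
        if attrs.get("status") == "deleted":
            table.pop(attrs["dn"], None)
        elif prev is not None and "mac" not in attrs:     # partial update: merge into the old row
            ip = attrs.get("ip", prev.ip or "0.0.0.0")
            table[prev.dn] = replace(prev, ip=None if ip == "0.0.0.0" else ip,
                                     seen=attrs.get("modTs", prev.seen))
        else:
            table[attrs["dn"]] = record_from(attrs, body.get("children", []))
    return table


def epg_object_group(table: Dict[str, EndpointRecord], tenant: str, app: str, epg: str) -> str:
    """Render the ASA object-group for one EPG in the slide's __$EPG$_<tenant>-<app>-<epg> form."""
    lines = [f"object-group network __$EPG$_{tenant}-{app}-{epg}"]
    members = [r for r in table.values() if (r.tenant, r.app, r.epg) == (tenant, app, epg) and r.ip]
    for r in sorted(members, key=lambda r: r.ip):
        lines.append(f" network-object host {r.ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    eps = parse_endpoints(SAMPLE_RESPONSE)
    for r in eps.values():
        print(f"{r.seen}  {r.mac}  {r.ip or '-':<15} {r.tenant}/{r.app}/{r.epg:<4} {r.interface}")
    print(epg_object_group(eps, "podA", "myapps", "app"))
    apply_event(eps, SAMPLE_DELETE_EVENT)
    print(epg_object_group(eps, "podA", "myapps", "app"))
```

Against a live fabric the same functions would be fed by an aaaLogin session followed by the class query and a websocket subscription on it; the point of keeping the parsing separate is that the object-group you push to the firewall is derived only from what APIC has actually learned, and a detach event removes the host from the firewall policy as promptly as an attach adds it.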

Page 41:

ACI Fabric Infrastructure Security

Page 42:

APIC Communicating to the Network

• Infra VRF – used for inband APIC to switch node communication; not routable outside the fabric currently (Multi-Fabric and Remote Leaf will both allow extension of the Infra VRF – future)
• Inband Management Network – a ‘tenant’ VRF created for inband access to switch nodes
• OOB Management Network – APIC and switch node dedicated mgmt ports

Each APIC has:
1. 2 ports attached to the fabric for data
2. 2 ports for mgmt (OOB)
3. 1 console ethernet port (can only be used for direct laptop hookup)
4. CIMC/IPMI ports

Each switch node has:
1. Inband access to the Infra & Mgmt VRFs
2. Mgmt port (OOB)
3. Console port

[Figure: three APICs reach the fabric through the Infrastructure VRF, the Inband Management VRF and the OOB Management Network.]

Page 43:

APIC First Time Setup

• APIC one time setup is via UCS console access
• Cluster configuration
  • Fabric Name
  • Number of controllers [1..9]
  • Controller ID [1..9]
  • TEP Address pool [10.0.0.1/16]
  • Infra VLAN ID [4093]
• Out-of-band management configuration
  • Management IP address [192.168.10.1/254]
  • Default gateway [192.168.10.254]
• Admin user configuration
  • Enable strong passwords (Y/N)
  • Password

After first time setup, the APIC UI is accessible via the URL https://<APIC-mgmt-IP>

Page 44:

APIC Fabric Login Screen

Page 45:

APIC & ACI – System Security

• The same SSL certificate is presented by all APICs to external HTTPS connections
• Two modes of access to the REST interface:
  • Web-Token
  • X.509 based certs: REST requests are signed with the user’s private key (RSA keys of 1024, 1536 or 2048 bits; 1024-bit RSA is below the 2048-bit minimum generally recommended today, so use 2048)
• Two Factor Authentication
• Cisco signed certificates (shipped with switch and APIC) for the SSL connections between APIC and the switches

Page 46:

Chain of Trust for ACI Nodes (APIC to Switch)

APIC

SSL

1. Establish SSL connection and exchange public key certificates

2. For additional security, shared secret or device serial number can be optionally exchanged (Post FCS)

3. After successful validation, connection is ready

4. Messages are authenticated with HMAC digest

Page 47:

Chain of Trust for ACI Nodes (APIC)

• Secure container based shell for BASH (iShell)
• No root access for customers (TAC only)
• APIC ISO is encrypted and the keys are stored on the APIC TPM
• RPM’s are not visible
• Secure Trusted Executable
• Secure Mode Installer

Page 48:

Chain of Trust for ACI Nodes (Switches)

• Chain of trust for images on switch nodes
• Anti Counterfeit Technology-2 Hardware Security Module (ACT2 HSM)
• Validates the FPGA software, ROMMON software, switch preboot image and the switch full image

Image signing: Switch Image → Generate Hash (SHA512) → Create Signature (RSA-2048 bit) using the Insieme RSA 2048 private key → Signed Hash

FIPS-140-3 compliant build system: this standard requires software to be digitally signed and be verified for authenticity and integrity prior to load and execution. Cisco maintains the Abraxas build system, which keeps private keys secure and provides signing services via ssh/https APIs.

Page 49:

Fabric Initialization & Maintenance

• ACI Fabric supports discovery, boot, inventory and systems maintenance processes via the APIC
  • Fabric Discovery and Addressing
  • Image Management
  • Topology validation through wiring diagram and systems checks

Topology discovery is via LLDP using ACI specific TLV’s (ACI OUI). Loopback and VTEP IP addresses are allocated from the “Infra VRF” via DHCP from the APIC cluster.

Page 50:

Fabric Initialization & Maintenance

1. APIC bootstrap configuration: 1) APIC Cluster Configuration, 2) Fabric Name, 3) TEP Address space (Infra-VRF), 4) …
2. Leaf switch discovers the attached APIC via LLDP, requests a TEP address and boot file via DHCP
3. Spine switch discovers the attached Leaf via LLDP, requests a TEP address and boot file via DHCP
4. All nodes in the same APIC cluster should contain the same bootstrap information if they are intended to form a cluster
5. The fabric can be discovered and initialized from multiple sources concurrently
6. The fabric will self assemble starting from multiple APIC sources
7. The APIC cluster will form when members discover each other via Appliance Vector (AV)

Page 51:

Fabric Initialization & Maintenance: Node Identity Policy

• Assigns ID/Name to switches based on serial number
• Controls which switches can join the fabric
• Allows zero touch provisioning of switches

POST: https://192.168.10.1/api/node/mo/uni/controller.xml

<fabricNodeIdentPol>
  <fabricNodeIdentP serial="TNAX234ZA" name="leaf1" nodeId="101"/>
  <fabricNodeIdentP serial="JNAX234ZZ" name="leaf2" nodeId="102"/>
  <fabricNodeIdentP serial="KLAX234ZZ" name="spine1" nodeId="103"/>
</fabricNodeIdentPol>

Page 52:

APIC Image Management

• Covers multiple items like:
  • Compatibility Catalog: checks at upgrade / downgrade events such as configuration
  • Switch image management: Leaf and Spine switches
  • APIC image management: policy controller cluster
  • Image repository on APIC

[Figure: Admin → Firmware → Fabric Node Firmware in the APIC GUI.]

Page 53:

Fabric Initialization & Maintenance

• ACI Fabric leverages the same Global Catalogue methodology as UCS: the supported HW/SW matrix, image versioning, …
• APIC and switch node image management is controlled via APIC policies
• Policies control which images should be on which groupings of devices (“All-APICs”, “All-Leafs”, “All-Spines”) and when the images should be upgraded/downgraded
• They also control the upgrade process: automatic, manual step by step, …

Page 54:

ACI Fabric Micro-Segmentation Security

Page 55:

Spectrum of Micro-Segm
entation

[Figure: from Segmentation to Micro-Segmentation: per EPG, then per vNIC.]

Page 56:

ACI Security: Automated Security with Built-In Multi-Tenancy

Distributed Stateless Firewall; Line Rate Security Enforcement; Open: Integrate Any Security Device (ACI Services Graph)

Embedded Security
• White-list Firewall Policy Model
• Authenticated Northbound API (X.509)
• Encrypted Management Plane (TLS 1.2)

Micro-Segmentation
• VMware AVS, VDS*, Microsoft Hyper-V, and Bare-metal workloads
• Intra End Point Group Isolation
• Attribute Based Isolation and Quarantine

Security Automation
• Dynamic Service Insertion and Chaining
• Security Policy Follows Workloads
• Centralized Security Provisioning and Visibility

* Note: Available 1H CY 2016

Page 57:

Cisco ACI Delivers Micro-Segmentation: Flexible, Granular, Consistent

ACI benefits, from network-centric segmentation (VLAN 1, VXLAN 2, VLAN 3) through basic DC segmentation (PROD POD, DMZ, SHARED SERVICES), application lifecycle segmentation (DEV, TEST, PROD) and service level segmentation (WEB, APP, DB), to:
• EPG based: application tier policy group; all workloads can communicate
• Intra-EPG based: intra-EPG isolation; isolate workloads within the application tier
• Attributes based: quarantine compromised workloads (matched for example on OS ‘Linux’, IP ‘1.1.1.1’ or Name ‘Video’), with a FW in front

Policy Driven Micro-Segmentation for Any Workload: VMware VDS, Microsoft Hyper-V, KVM*, Cisco AVS, Physical (*Future)

Page 58:

Cisco ACI Security Options: Policy Driven Micro-Segmentation and Intra-EPG Isolation

Flexible segmentation (network-centric, basic DC, application lifecycle and service level segmentation, as on the previous slide) plus:

• Hypervisor agnostic micro-segmentation for any virtual workload: attribute based micro-segments on the hypervisor virtual switch (DVS, AVS, Hyper-V Switch, KVM*), e.g. quarantine infected VMs with Guest OS = Linux, Name = Video-*, IP = 1.1.1.x, behind a FW
• Intra-EPG isolation + micro-segmentation for any workload (physical, virtual): without isolation the endpoints of the Web EPG and DB EPG switch locally; with intra-EPG isolation they cannot; combined with micro-segmentation a VM can be quarantined behind a FW

* Note - Futures

Page 59

Intra-EPG Isolation

• The 1.2.2x/11.2.2x release added Intra-EPG Isolation support for:
  1. VMware DVS (i.e. AVS not required)
  2. Bare Metal
• When Intra-EPG Isolation is enabled, ALL endpoints in the EPG are isolated (all Intra-EPG Isolation endpoints must be in the same EPG)
• Can isolate physical and virtual endpoints in the same EPG
• Partial Intra-EPG isolation of endpoints is not supported

Page 60

Micro-Segmentation

• Micro-Segmentation = attribute-based EPG + contract (optional)
• Attributes = VM attributes or networking attributes such as IP, MAC
• 2 main use-cases:
  1. Quarantine (i.e. no EPG contract)
  2. Micro-Segments (with contract policy)
• 1.2.1x/11.2.1x release adds Micro-Segmentation for: Microsoft Hyper-V
• 1.2.2x/11.2.2x release adds Micro-Segmentation for VMware DVS* (i.e. AVS not required); see table below
• * Note: L4 state and connection inspection requires ASA

Micro-Segmentation                          ACI Release
VMware + AVS                                1.1.1x/11.1.1x
Microsoft Hyper-V                           1.2.1x/11.2.1x
Multi-Hypervisor                            1.2.1x/11.2.1x
VMware DVS                                  1.2.2x/11.2.2x
Intra-EPG Isolation                         1.2.2x/11.2.2x
Intra-EPG Isolation + Micro-Segmentation    1.2.2x/11.2.2x

Page 61

Intra-EPG DVS Micro-Segmentation: ASA-5500-X Joint Solution Proposal

ASA 5500-X w/ FP Service, NW Only Stitching

1. Intra-EPG Micro-Segmentation
   • DVS: VM isolation with PVLAN gets traffic to the Leaf switch
   • ACI Leaf: MAC/IP-EPG to re-classify traffic, Service Node NW stitching
2. Stateful Firewall with ASA 5500-X
   • Stateful inspection & ASA security features
   • FirePOWER Services: 50k-1M IPS sessions

Page 62

ACI Security Certifications

[Certification logos with status labels: Complete; Target Complete Jan 16; Target Complete Jan/Feb 16; Complete Dec 15; Planning]

Page 63

Landscape of ACI Security Partners

Northbound Partners: Automation, Security & Governance, Big Data & Analytics, Security & Services, Open Infra., Operations, Orchestration, Analytics

Southbound Partners: Enterprise Monitoring, L4-L7 Services (Security, ADC), Fabric Attached Devices, Cloud Orchestration and Management (Security, PaaS)

Page 64

EPG (End Point) Classification

[Diagram: endpoint types Server, Virtual Machines & Containers, Storage, Client]

• Endpoint == workload unit connected to the network directly or indirectly
• An endpoint has address (identity), location, attributes (version, patch level)
• Can be physical or virtual or container
• End Point Group (EPG) membership defined by:
  • Ingress physical port (Leaf or FEX)
  • Ingress logical port (VM port group)
  • VLAN ID (EPG1, vlan 10 Permit port dest = 80 => epg2, vlan 20)
  • VXLAN (VNID)
  • IP Prefix/Subnet (so far only applicable to external/border leaf connectivity)
  • VM-based attributes - 11.1 release
  • IP address and subnet - 1.2.1x/11.2.1x release (/32, /n)
  • MAC address - Radar

Page 65

IP Based EPGs: Support for IP Based EPG on PhysDom, L2Out, and L3Out

• 1.2.1x/11.2.1x release: supports IP-EPG classification:
  • Physical Leaf only
  • Physical Domain (i.e. no VMM domain)
• IP-EPGs are very flexible and granular; they can be defined for any IPv4 host (/32) or prefix (/n mask)
• IP-EPG derivation is based on longest-prefix match in HW
• Each IP-EPG gets its own class-id, which is used as source-group or destination-group when a security policy (contract) is applied
• Only inter-EPG policy contracts supported
• Note: L3 BD only; an L2 BD cannot do IP learning
• IP-EPG will require the ‘E’ version of 93xx (Donner-C HW)

Example IP-EPG mappings from the diagram (which also shows an L3Out and an L2Out):
  10.10.10.32 = EPG_Filer_1
  10.10.10.33 = EPG_Filer_2
  10.10.10.56 = EPG_Filer_3
  10.10.20.32 = LXC_Web
  10.10.20.33 = LXC_App
  10.10.20.56 = LXC_App2
  10.20.30.45 == EPG_DNS
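The slide states that IP-EPG derivation is a longest-prefix match and that each IP-EPG gets a class-id used as source-group or destination-group when a contract is applied. The following Python model, added here as an illustration and not code from the deck or from APIC, shows that derivation and the whitelist decision that follows from it. The /32 hosts and EPG names come from the slide; the covering 10.10.20.0/24 prefix, the LXC_Default EPG, all class-id values and the contracts are constructed. The `install` method models a host being added to an IP-EPG by a /32 entry, the operation the endpoint-authentication slide later in the deck performs through a REST call to APIC.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed IP-EPG table: prefix -> (EPG name, class-id).
# The /32 hosts and EPG names are the ones on the slide; the /24 covering
# prefix, the LXC_Default EPG and every class-id value are made up here.
IP_EPG_TABLE: Dict[str, Tuple[str, int]] = {
    "10.10.10.32/32": ("EPG_Filer_1", 16386),
    "10.10.10.33/32": ("EPG_Filer_2", 16387),
    "10.10.10.56/32": ("EPG_Filer_3", 16388),
    "10.10.20.32/32": ("LXC_Web", 32770),
    "10.10.20.33/32": ("LXC_App", 32771),
    "10.10.20.56/32": ("LXC_App2", 32772),
    "10.10.20.0/24": ("LXC_Default", 32773),
    "10.20.30.45/32": ("EPG_DNS", 49153),
}

# Constructed inter-EPG contracts: (consumer class-id, provider class-id)
# -> TCP destination ports the consumer may open towards the provider.
CONTRACTS: Dict[Tuple[int, int], Set[int]] = {
    (32770, 32771): {8080},   # LXC_Web -> LXC_App
    (32771, 16386): {2049},   # LXC_App -> EPG_Filer_1 (NFS)
    (32773, 49153): {53},     # LXC_Default -> EPG_DNS
}


class IpEpgClassifier:
    """Derives the IP-EPG (and its class-id) of an address by longest-prefix match."""

    def __init__(self, table: Dict[str, Tuple[str, int]]) -> None:
        self.entries: List[Tuple[ipaddress.IPv4Network, str, int]] = []
        for prefix, (epg, class_id) in table.items():
            self.install(prefix, epg, class_id)

    def install(self, prefix: str, epg: str, class_id: int) -> None:
        """Add a prefix (a /32 is a single host) and keep longer prefixes first."""
        self.entries.append((ipaddress.ip_network(prefix), epg, class_id))
        self.entries.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def classify(self, ip: str) -> Optional[Tuple[str, int]]:
        """Return (EPG name, class-id) of the most specific matching prefix, or None."""
        addr = ipaddress.ip_address(ip)
        for net, epg, class_id in self.entries:
            if addr in net:
                return epg, class_id
        return None


def permitted(clf: IpEpgClassifier, src_ip: str, dst_ip: str, dport: int) -> bool:
    """Whitelist check for a new TCP flow initiated by src towards dst:dport.

    Endpoints matching no prefix belong to no EPG and are dropped; endpoints in
    the same IP-EPG may talk freely (ACI permits intra-EPG traffic by default);
    across EPGs a contract keyed by (source-group, destination-group) must
    list the port. Only the initiating direction of the flow is modelled.
    """
    src = clf.classify(src_ip)
    dst = clf.classify(dst_ip)
    if src is None or dst is None:
        return False
    if src[1] == dst[1]:
        return True
    return dport in CONTRACTS.get((src[1], dst[1]), set())


if __name__ == "__main__":
    clf = IpEpgClassifier(IP_EPG_TABLE)
    print(clf.classify("10.10.20.33"))   # LXC_App: the /32 wins over the /24
    print(clf.classify("10.10.20.99"))   # LXC_Default via the covering /24
    print(permitted(clf, "10.10.20.32", "10.10.20.33", 8080))   # True
    print(permitted(clf, "10.10.20.32", "10.10.20.33", 22))     # False
```

The sort by prefix length is what makes the /32 entries win over the /24 that covers them, which is the property the slide relies on when a single container host needs a policy different from the rest of its VLAN.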

Page 66

IP Based EPG: Use Case 1 - Shared Storage for Each Customer

[Diagram: Storage shared by Servers for Customer A (ESXi, ESXi) and Servers for Customer B (ESXi, ESXi) over VLAN 10; Storage for customer A = 192.168.1.1, Storage for customer B = 192.168.1.2]

A different security policy is needed for logical storages which use the same VLAN and the same MAC, but a different IP.

Page 67

IP Based EPG: Use Case 2 - Docker Containers

[Diagram: containers on VLAN 10: 10.10.20.32 = LXC_Web, 10.10.20.33 = LXC_App, 10.10.20.56 = LXC_App2]

A different security policy is needed for containers which use the same VLAN, but a different IP.

Page 68

Microsoft Hyper-V Attribute Based EPG and Micro-Segmentation

Feature Description: This feature allows granular EPG derivation based on various VM attributes such as VM Name, Guest OS, MAC, IP etc. Prior to the 1.2.1x/11.2.1x release, this feature is available for virtual endpoints attached with the Cisco AVS Distributed Virtual Switch (B-release). It is not available with VMware DVS. In the 1.2.1x/11.2.1x release, we add this feature for ACI + SCVMM integration also. Note: this doesn’t provide an Intra-EPG security policy.

Use-case: Isolate Malicious VM; Create Security across Zones

Benefits: Without changing the port-group association of servers, extra security and segmentation can be provided

Page 69

Microsoft Hyper-V: Use Case 1 - Isolate a Malicious VM

• Problem: A vulnerability is detected in a particular type of operating system (e.g. Windows). The network security administrator would like to isolate all Windows VMs.
• Solution: Define a Security EPG with the criterion “Operating System = Windows”. No contracts are provided or consumed by this EPG, so it stops all inter-EPG communication for the matching VMs.
• No VM attach/detach or placement of the VM into a different port-group is needed.

[Diagram: port-groups Web (Web01 Linux, Web02 Linux, Web03 Win), App (App01 Linux, App02 Linux, App03 Win), DB (DB01 Linux, DB02 Linux, DB03 Win); the Win EPG with criterion Attribute (OS = Windows) pulls in Web03 Win, whose communication is blocked (X)]

Page 70

Microsoft Hyper-V: Use Case 2 - Security Across Zones

• Problem: VMs belonging to different departments (e.g. HR, Sales) or different roles (Production, Test) are placed in the same port-group, but isolation across departments is required (e.g. HR-Web-VM should not be able to talk to Sales-Web-VM).
• Solution: Define EPGs which match if the VM Name contains a matching string (e.g. HR, Sales etc.).
• Each attribute-based EPG can have its own security policies.

[Diagram: port-groups Web (Web01, HR-Web01, Sales-Web01), App (App01, App02, App03), DB (DB01, DB02, DB03); HR-Web EPG with criterion Attribute (VM name contains HR), Sales-Web EPG with criterion Attribute (VM name contains Sales); communication between HR-Web01 and Sales-Web01 is blocked (X)]
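The two Hyper-V use cases above, and the definition on the Micro-Segmentation slide (attribute-based EPG + optional contract; quarantine = no contract), come down to one derivation rule: a VM whose attributes match a uSeg EPG's criteria leaves its port-group EPG without being re-attached. The following Python model is an added illustration, not code from the deck or from APIC; the contract names, the inventory and the first-match precedence between uSeg EPGs (APIC's real precedence rules are richer) are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    guest_os: str
    port_group: str   # the base EPG the VM's vNIC is attached to


@dataclass
class EPG:
    name: str
    provides: Set[str] = field(default_factory=set)   # contract names
    consumes: Set[str] = field(default_factory=set)


@dataclass
class USegEPG(EPG):
    # criteria: (VM attribute, operator, value); every criterion must match
    criteria: List[Tuple[str, str, str]] = field(default_factory=list)


# Match operators over string attributes (case-insensitive), constructed here.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda attr, val: attr.lower() == val.lower(),
    "contains": lambda attr, val: val.lower() in attr.lower(),
    "startswith": lambda attr, val: attr.lower().startswith(val.lower()),
}

# Base EPGs (port-groups) and their contracts: Web consumes app-svc from App,
# App consumes db-svc from DB. Contract names are constructed.
BASE_EPGS: Dict[str, EPG] = {
    "Web": EPG("Web", consumes={"app-svc"}),
    "App": EPG("App", provides={"app-svc"}, consumes={"db-svc"}),
    "DB": EPG("DB", provides={"db-svc"}),
}

# uSeg EPGs in precedence order (first match wins, a simplification).
# The quarantine EPG provides and consumes nothing, as on the slide.
USEG_EPGS: List[USegEPG] = [
    USegEPG("Quarantine-Win", criteria=[("guest_os", "equals", "Windows")]),
    USegEPG("HR-Web", consumes={"app-svc"}, criteria=[("name", "contains", "HR")]),
    USegEPG("Sales-Web", consumes={"app-svc"}, criteria=[("name", "contains", "Sales")]),
]


def matches(epg: USegEPG, vm: VM) -> bool:
    return all(OPERATORS[op](getattr(vm, attr), val) for attr, op, val in epg.criteria)


def classify(vm: VM) -> EPG:
    """Attribute-based derivation: a matching uSeg EPG overrides the port-group EPG."""
    for useg in USEG_EPGS:
        if matches(useg, vm):
            return useg
    return BASE_EPGS[vm.port_group]


def can_initiate(src: VM, dst: VM) -> bool:
    """True if src may open a connection to dst under the whitelist model:
    the same EPG is allowed by default, otherwise src's EPG must consume a
    contract that dst's EPG provides."""
    a, b = classify(src), classify(dst)
    if a.name == b.name:
        return True
    return bool(a.consumes & b.provides)


# Constructed inventory, taken from the two use-case diagrams.
INVENTORY: Dict[str, VM] = {
    "Web01": VM("Web01", "Linux", "Web"),
    "Web03": VM("Web03", "Windows", "Web"),
    "HR-Web01": VM("HR-Web01", "Linux", "Web"),
    "Sales-Web01": VM("Sales-Web01", "Linux", "Web"),
    "App01": VM("App01", "Linux", "App"),
    "DB01": VM("DB01", "Linux", "DB"),
}

if __name__ == "__main__":
    for vm in INVENTORY.values():
        print(f"{vm.name:12s} -> {classify(vm).name}")
    print(can_initiate(INVENTORY["HR-Web01"], INVENTORY["Sales-Web01"]))   # False
```

Note the ordering effect: a VM named HR-Web03 running Windows lands in Quarantine-Win, not HR-Web, because the quarantine EPG is evaluated first; when quarantine and zoning criteria overlap, the precedence of the uSeg EPGs decides which policy applies.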

Page 71

Create uSeg EPG

Page 72

L4-L7 Service Automation: Support for All Devices, Any Device and Cluster Manager Support

[Diagram: L4-7 Services, ACI Services Graph, L4-7 Service Automation; labels Available Now and Futures]

• Full L4-L7 Centralized Service Automation (With Device Package): large ecosystem and investment protection (L4-L7 Device Package)
• Centralized Network Automation (With NO Device Package)
• New support for L4-L7 Cluster Managers (Service Cluster Manager)

Page 73

Network Only Stitching Mode

• Insert a node between the consumer EPG and the provider EPG
• Managed mode and un-managed mode can be combined into a single service graph

Page 74

2.1.1x/12.1.1x: PBR Support for Service Graph - Routed Mode with Policy Based Routing

[Diagram: a single VRF with EPG A, EPG B and EPG C (address labels 10.0.0.27, 20.0.0.22, 20.0.0.26); an FW with External and Internal interfaces; Policy Redirect for EPG A to EPG C; Direct Forwarding for EPG A to EPG B]

Page 75

Cisco ACI + OpFlex Security: OpenStack APIC ML2 Driver

[Diagram: OpenStack Controller with the APIC ML2 Driver; Hypervisor with Project 1, Project 2, Project 3 (vm1 to vm5), Open vSwitch, OpFlex Agent, OpFlex Proxy, V(X)LAN towards the fabric; Security Group enforcement in OVS using IP-Tables]

OpFlex Agent offers (available 1.2.1x/11.2.1x):
• Security policy enforcement in OVS using IP-Tables by OpenStack (outside of APIC)
• L2/L3 forwarding in fabric
• Floating IP / NAT support
• APIC GUI integration / VMM Domain for OpenStack
• Statistics
• Service redirection

Neutron Object            APIC Object (ML2 Driver Mapping)
Project                   Tenant
Network                   EPG + BD
Subnet                    Subnet
Security Group + Rule     IP Tables (outside of APIC by OpenStack)
Router                    Contract
Network:external          L3Out / Outside EPG

Page 76

APIC GBP Driver Security Implementation: OVS via OpFlex and ACI Fabric

OpFlex Agent offers (Group Based Policy available 1.2.1x/11.2.1x):
• Security policy enforcement in OVS via OF action and in the ACI Fabric via whitelist policy simultaneously
• Floating IP / NAT support
• APIC GUI integration / VMM Domain for OpenStack
• Statistics
• Service redirection

[Diagram: OpenStack Controller with the GBP APIC Driver; Hypervisor with Project 1, Project 2, Project 3 (vm1 to vm5), Open vSwitch, OpFlex Agent, OpFlex Proxy, V(X)LAN; fabric traffic security enforcement using ACI whitelist policy; local traffic in the hypervisor: Security Group enforcement in OVS using OpenFlow]

GBP CLI shown on the slide:
• gbp policy-classifier-create
• gbp policy-rule-create blah --actions allow

Page 77

ASA Multiple-Context in Service Graphs - Shipping

[Diagram: ASA1 Active and ASA2 Standby joined by a failover link (FO), each attached through Port-channel PO2 (vPC2, vPC3) to Leaf1 and Leaf2; System Context; User Contexts A, B and C with pre-configured MGMT IP1, IP2 and IP3; Admin context with pre-configured MGMT IP0]

• Register the ASA1 Active contexts with APIC via their MGMT IPs
• The ASA2 Standby Admin context registers to APIC, which applies the HA config to allow a sync of the full configuration, so it can take over the MAC/IP on Active failure
• Define a Port-Channel as a single logical interface connecting to multiple Leafs
• APIC creates sub-interfaces based on a dynamically allocated VLAN from a pool, and in the System context it assigns Port-channel sub-interfaces to the appropriate user context (Contexts A, B, and C)
• IPs, interface and ACL names can now overlap between contexts

APIC programs interfaces for the user context via CLI:

interface Port-channel2.500
 vlan 500
context A
 allocate-interface Port-channel2.500
changeto context A
interface Port-channel2.500
 nameif consumer_internalA
 ip address 10.1.1.1 255.255.255.0
 security-level 100

Page 78

Device Manager Package

[Diagram: Cisco APIC - Policy Element; Device Model; Device-Specific Python Scripts; Script Engine; APIC Node; Cisco APIC Script Interface; Device Interface: REST/CLI; a Device Manager (e.g. FireSIGHT) in front of Service Instances and Cluster Service Instances]

• The Device Manager Package is used to configure the controller of the Service Device (e.g. FireSIGHT) instead of configuring the Service Device itself
• 1.2.2x/11.2.2x release target for the FirePOWER appliance
• FirePOWER Device Manager Package parameters:
  • FireSIGHT credentials
  • Internal/External interfaces
  • Virtual inline pair
  • (more parameters possible)

Service automation requires a vendor device package. It is a zip file containing:
• Device specification (XML file)
• Device scripts (Python)

Page 79

Operational Model with Device Manager

[Diagram: Network Admin and Security Admin workflows through the device manager, e.g. FireSIGHT (slide label reads Panorama)]

1. Create security policy for application
2. Create application networking and assign NGFW service
3. Network configuration: Hostname, IP Address, VLAN, Security Zone
4. Assign security policy to firewall
5. Security configuration: Security Policies, Profiles, Address Objects

• Insert firewall services between two EPGs; all firewall security features can be applied

Page 80

“Chassis” Device Package: Virtual Service Instances

[Diagram: the same Cisco APIC Policy Element / Device Model / Device-Specific Python Scripts / Script Engine / APIC Node / Cisco APIC Script Interface / Device Interface (REST/CLI) stack as on the previous slide, now with a Chassis containing Virtual Service Instances and Cluster Service Instances]

Service automation requires a vendor device package. It is a zip file containing:
• Device specification (XML file)
• Device scripts (Python)

• In order to manage ‘virtual services’ running on a single device, the device package framework has been extended to define a ‘chassis’ (1.2.1x/11.2.1x release)
• A chassis defines the device that contains the virtual service instances
• Specific attributes are associated with the chassis (VLAN IDs on ports) and others with the service instance

Page 81

The Attack Continuum: Consistent Protection for ANY Workload 24x7

[Diagram: phases Discover, Enforce, Harden; Detect, Block, Defend; Scope, Contain, Remediate; labelled Continuous Solution]

86 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Threat Centric, Visibility, Compliance:
• Secure Multi-Tenancy with Whitelisting
• Per-Application Micro Segmentation
• Centralized Policy Orchestration and Distributed Sensors
• Deep Traffic Inspection
• Forensic Analysis
• Dynamic Workload Quarantine
• Remediation and Return to Production
• Threat-Centric Protection
• Real-Time Threat Intelligence

Page 82

Firepower Services for ACI: Intelligent Threat Defense

[Diagram: EPG “Internet” and EPG “Web” on the ACI Fabric with NGIPS/NGFW and Advanced Malware Protection in the path; FireSIGHT Management Center (Alerts, Network Visibility, Policy Management, Analytics, Remediation); Application Policy Infrastructure Controller (APIC) with Service Graph and Contracts; flows labelled Policy and events, Basic configuration and health, Intelligent Remediation]

Page 83

Security Feedback Loop

[Diagram labels: PUBLIC (UNT); CORP (Trusted - No Graph); APIC 172.28.199.30; Move IP to Quarantine; FireSIGHT Management Center; FW NGIPS 10.1.0.234 (Relaxed); REST calls to APIC NB API; ACI Fabric; N9K Leaf Switch; FirePOWER Appliance 10.0.1.30; SPAN Traffic; Attack; ESXi - 10.1.0.44; 1.1.1.6, 1.1.1.7; QUA (FW, Strict); REM 1.1.1.3]

Page 84

Cisco Security in ACI Integration Models

[Diagram, two columns: Firepower (Partially Managed Firepower Device, Firepower Device Manager Package): Data Plane to ACI Fabric, Threat Policy Configuration, Visibility and Real-Time Alerts. ASA with Firepower (Fully Managed ASA Device, ASA Device Package, Firepower Services Embedded Module): Data Plane to ACI Fabric, Access Policy Configuration, Service Graph Segmentation, Netflow and Syslogs]

Page 85

ASA and Firepower Advantages for Cisco ACI

• Consistency Across Platforms and Protocols: maintain similar high performance for all clients, applications, and protocols; ease of future expansion
• Balance Security and Performance: identify and block malicious traffic; remediate infected EPs; allow monitor-only and reduced inline inspection where most applications are known, to optimize the use of resources while providing the necessary visibility
• Stateful Capacity Scaling: Cisco ACI only performs stateless load-balancing; the firewall cluster scales with state, HA, elasticity, and embedded threat protection
• Universal Attachment: link aggregation with LACP; VLAN insertion into Cisco ACI; full interoperability with fabric leaf nodes
• Portable Architecture: same feature set in both physical and virtual form factors; consistent performance across platforms

[Diagram: Cisco® ACI Fabric with Policy Contract]

Page 86

Cisco ACI and Cisco Advanced Security Better Together: Protection Across the Entire Continuum

Cisco Advanced Security - ASA / FirePOWER / AMP:
• NGIPS/NGFW, Advanced Malware Protection
• Full APIC integration
• Highest Rated Breach Detection**
• World’s Most Deployed NGFW
• Real-time Threat Intelligence
• Highest Rated NGIPS*

Native ACI Security (APIC; Group Policy across vm, vm, phy):
• Centralized Policy Automation
• Secure Multi-Tenancy with Whitelisting
• Context-aware Segmentation, Virtual and Physical
• Industry Compliance Standards (PCI)

Addresses Data Center Challenges: Threat-centric, Visibility, Compliance

Page 87

ACI Provides Secure Path to Authenticate Endpoints

[Diagram: ACI Fabric with a Bank Authentication Server; a Base EPG holding ESXi, Hyper-V and Bare-Metal servers (pre-authenticated endpoints); a Bank-x IP-EPG (authenticated endpoints)]

1. Base EPG
   1. ACI isolates all endpoints in the Base EPG
   2. The fabric implements whitelist policy
   3. The Base EPG only provides uni-directional access to the JPMC Authentication Server
2. Authentication
   1. If endpoint authentication fails, the endpoint remains in the Base EPG
   2. If endpoint authentication passes, the JPMC server makes a REST API call to APIC
   3. It provides the attributes of the endpoint to APIC and the target EPG membership
3. REST API call to APIC
   1. REST API call to APIC
   2. Provide the endpoint IP attribute for JPMC IP-EPG membership
4. Move
   1. ACI moves authenticated endpoints out of the Base EPG
   2. Installs endpoints into the JPMC IP-EPG

Page 88

Dot1x Endpoint Authentication Solution (just added to roadmap)

[Diagram: ESXi, Hyper-V and Bare-Metal servers attached to an ACI Leaf in the Bank EPG; left: Dot1x Authentication Fails; right: Dot1x Authentication Pass]

Page 89

Extending ACI Fabric Outside DC

Page 90

1.2.1x/11.2.1x ASA Device Package Enhancement: ACI and TrustSec Leveraging ASA + SXP

[Diagram: ISE assigns SGTs to Marketing and Engineering users in the Corp EPG; the [SGT 333] mappings reach the ASA over SXP; Corp EPG and DB EPG on the ACI Fabric]

APIC Policy Contract:
• Corp→DB : Allow, Redirect to ASA
• All Other : Drop

SGT-based policy on the ASA:
Source        Destination   Action
Engineering   Any           Allow
Any           Any           Deny

1. Corporate users on a traditional Nexus 7000 in the Corp EPG get assigned SGT values by ISE
2. The ASA learns the SGT mappings OOB through SXP
3. Coarse filtering: the ACI Policy Contract allows all traffic from the corporate network to the database and redirects it to the ASA
4. Fine filtering: the ASA permits only Engineering to access the database from corporate, based on SGT
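The four steps above describe a two-stage decision: the fabric contract decides per EPG pair whether a flow is dropped or redirected, and the ASA then decides per SGT, which it resolves from bindings learned over SXP. The following Python model is an added illustration, not code from the deck, ISE, APIC or the ASA; SGT 333 is the value shown on the slide, while the Marketing SGT 444, the addresses, the EPG membership table and the rule format are constructed for the example. The host with no SXP binding shows the edge case a practitioner cares about: with no source SG name, it can only match the Any/Any deny.

```python
from typing import Dict, List, Tuple

# Constructed IP -> SGT bindings as the ASA learns them out-of-band over SXP.
# SGT 333 is the value on the slide; 444 and all addresses are made up here.
SXP_BINDINGS: Dict[str, int] = {
    "10.50.1.10": 333,    # an Engineering user
    "10.50.2.20": 444,    # a Marketing user
}
SGT_NAMES: Dict[int, str] = {333: "Engineering", 444: "Marketing"}

# Constructed endpoint -> EPG membership in the fabric.
EPG_OF: Dict[str, str] = {
    "10.50.1.10": "Corp",
    "10.50.2.20": "Corp",
    "10.50.3.30": "Corp",     # a Corp host with no SGT binding yet
    "10.70.0.100": "DB",
}

# APIC policy contract (coarse filter): (src EPG, dst EPG) -> action.
# Anything not listed is dropped by the fabric, as the slide states.
ACI_CONTRACT: Dict[Tuple[str, str], str] = {
    ("Corp", "DB"): "redirect-asa",
}

# ASA access policy (fine filter), evaluated top-down; "Any" is a wildcard.
# Source is a security-group name, destination an IP for this example.
ASA_POLICY: List[Tuple[str, str, str]] = [
    ("Engineering", "Any", "Allow"),
    ("Any", "Any", "Deny"),
]


def fabric_action(src_ip: str, dst_ip: str) -> str:
    """Stage 1: the leaf looks up the contract between the two EPGs.
    Intra-EPG traffic is forwarded directly (ACI default); unknown endpoints drop."""
    src_epg, dst_epg = EPG_OF.get(src_ip), EPG_OF.get(dst_ip)
    if src_epg is None or dst_epg is None:
        return "drop"
    if src_epg == dst_epg:
        return "forward"
    return ACI_CONTRACT.get((src_epg, dst_epg), "drop")


def asa_action(src_ip: str, dst_ip: str) -> str:
    """Stage 2: the ASA resolves the source SGT from its SXP table and walks
    the policy; a host with no binding has no SG name, so only Any rules match."""
    sgt = SXP_BINDINGS.get(src_ip)
    src_sg = SGT_NAMES.get(sgt) if sgt is not None else None
    for rule_src, rule_dst, action in ASA_POLICY:
        src_ok = rule_src == "Any" or rule_src == src_sg
        dst_ok = rule_dst == "Any" or rule_dst == dst_ip
        if src_ok and dst_ok:
            return action
    return "Deny"   # implicit deny at the end of the policy


def end_to_end(src_ip: str, dst_ip: str) -> str:
    """Combine both stages and report where the flow was decided."""
    stage1 = fabric_action(src_ip, dst_ip)
    if stage1 == "drop":
        return "dropped by fabric contract"
    if stage1 == "forward":
        return "forwarded directly by fabric"
    stage2 = asa_action(src_ip, dst_ip)
    return f"redirected to ASA: {stage2} (SGT {SXP_BINDINGS.get(src_ip, 'unknown')})"


if __name__ == "__main__":
    for src in ("10.50.1.10", "10.50.2.20", "10.50.3.30", "10.70.0.100"):
        print(f"{src:12s} -> 10.70.0.100: {end_to_end(src, '10.70.0.100')}")
```

The split matters for detection as much as for enforcement: a flow that never reaches the ASA leaves no ASA log, so drops caused by the fabric contract have to be looked for in the fabric, not in the firewall.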

Page 91

ACI + TrustSec Policy Plane Integration: ISE Policy Domain and APIC Policy Domain

Controller Layer (ISE and APIC):
1. Exchange SG/EPG names
2. Exchange IP->SG/EPG bindings (User IP->SGT bindings from ISE; Server IP->EPG bindings from APIC)

Network Layer:
• Campus: user classification, propagation (CMD/SGT, SXPv4 through the Enterprise Core), enforcement
• DC: server classification, propagation (iVXLAN), enforcement at the ACI Border Leaf
• SGT not propagated in the data plane

Page 92

Add a New Host IP/SGT in ISE

[Screenshot: a new IP address is added and the BYOD SGT assigned (could also be learned over SXP)]

Page 93

BYOD EPG Now Contains Our New Host: Available for Use in ACI Policies

Page 94

ACI + TrustSec Phase 2 (release 2.1.1x/12.1.1x)

• Dataplane integration with a TrustSec switch/router (e.g. ASR1k)
• The ASR implements ACI and TrustSec policy and data plane integration:
  1. ASR maps SGT to EPG
  2. ASR instantiates an EPG and adds the iVXLAN dataplane
  3. Sends the packet to the ACI fabric for contract enforcement

Page 95

Conclusion: ACI=Advanced Security

Page 96

ACI Addresses the Security Challenge in the DC: Strategic Security Imperatives Addressed by ACI

• Automate Compliance, Centralized Auditing & Logging
• Visibility, Analytics, Forensics, Threat Mitigation
• Simplified Policy Based Multi-Tenancy & Micro-Segmentation
• Network Services Automation, Open Eco-System
• Security Expressed in Application Constructs & Language

Centralized Security Across Physical and Virtual: Endpoint, Network, Virtual, Cloud

Page 97

Cisco ACI Takeaways

• SECURITY: INHERENT Security and INTEGRATION
• TELEMETRY: Rich TELEMETRY & Application HEALTH SCORE
• SPEED: NETWORK and SERVICES delivered in minutes
• POLICY: Policy-based deployment/governance, Physical & virtual

Cisco Application Centric Infrastructure - Physical & Virtual: Fixed Workloads, Variable Workloads; OPEN and AGNOSTIC

Page 98

Cisco Data Center Security

[Diagram: Web1, App1 and DB tiers with QoS, Filter and Service labels between them]

• Embedded L4 Security: firewall at each Leaf switch
• Embedded Sensors: Network Analytics, multi-tier sensor data gathering (hardware and software)
• Servers (Physical, Virtual, Containers, Micro Services)
• L4-7 Security Services (physical or virtual, location independent): Next Gen Stateful L4-7 Visibility and Control
• Branch: Policy Driven Security Architecture
• Identity and Policy Federation

Page 99

Differentiation for Nexus/ACI Solutions - Contiv

• ACI: Automated Networking, Policies, Prioritization, network uniformity for various workloads
• Network SLAs for Applications: App to App with physical infrastructure integration
• Native Apps: Better Visibility, Diagnostics, Analytics, Interoperable Standards Based

[Diagram: WEB, APP, DB tiers; App1, App2]

Page 100

Contiv Provides Policy-Rich Container Networking: Integrates with Cisco Nexus and ACI

[Diagram: Application Composition + Policy Intent fed to the Contiv Master, which drives Docker | Kubernetes | Mesos plugin agents on Node 1, Node 2 ... Node-n]

• Contiv.io is an open-source project that creates a policy framework in different domains of containers
• Network Policies: policies for application security, prioritization, and network resource allocation
• Network Services for apps (virtual or physical service appliances)
• Analytics/Diagnostics
• Integrates with Cisco ACI, Nexus, and UCS solutions
• Status: Beta

Page 101

Hypervisors, Isolation, Segmentation - Unikernels

Unikernels, also known as “virtual library operating systems”

[Figure: Microsoft Drawbridge architecture (Image Credit: Microsoft Research)]

Page 102

Why ACI is Best for Micro-Segmentation

• Micro-segmentation works for all workloads (bare metal, virtual, containers, management, backup …)
• Same policy model for vSphere, Hyper-V, OpenStack, containers and bare metal
• With ACI 1.2: support for up to 10 vCenters (supports 5.1, 5.5 and 6.0) and up to 10,000 servers
• Works with standard virtual switch offerings, including VMware VDS, OVS, MSFT vSwitch (AVS is optional for vSphere)
• Stateful firewall when using Cisco AVS on vSphere at no extra cost, with better performance in the VMware environment

Page 103

Complete Your Online Session Evaluation

Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com

Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations:
– Directly from your mobile device on the Cisco Live Mobile App
– By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/ciscolivemelbourne2016/
– Visit any Cisco Live Internet Station located throughout the venue

T-Shirts can be collected Friday 11 March at Registration

Page 104

Thank you

Page 105