
BRKACI-2110

Tetration and ACI
Better Together

Chris McHenry, Technical Solutions Architect


We need to think differently about protecting servers.
Typical Network Security vs. Zero Trust

[Diagram: a path labelled "Start Here" on an Internal Blog server leading on to Sensitive Data, contrasting typical network security with zero trust]

Don’t Let Someone Else Party In Your Data Center

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
The Best Way to Secure a Workload?

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
More Realistically?
• Australian Signals Directorate TOP4
• https://www.asd.gov.au/publications/protect/top_4_mitigations.htm
1. Application Whitelisting
2. Patching Systems
3. Restricting Administrative Privileges
4. Creating a Defense in Depth System

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Micro Segmenting in a Heterogeneous Data Center

Many different types of workloads running in a Data Center, accessed by Campus and Branch Users:
• Virtualized w/ KVM, VMware, Hyper-V
• Production/Development
• AWS, GCP, Azure
• Bare Metal / Big Data
• Shared/Infra

Complex Troubleshooting, Software Vulnerabilities and Unpatched Software

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Agenda
• Introduction
• Contextual Visibility
• Network Performance Monitoring and Diagnostics
• Zero-Trust Policy Intent & Discovery
• Policy Enforcement
• ACI & Defense in Depth
• Conclusion

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session

How
1. Find this session in the Cisco Events Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space

cs.co/ciscolivebot#BRKACI-2110

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Challenges in Building a Secure Hybrid IT Environment Without Compromising Agility?

• Know your applications – what’s running, what’s critical; understand what workloads are running vulnerable software
• Understand what can/should be deployed in public cloud vs. on premise
• Create a single source of truth to avoid mistakes
• Minimize attack surface with fine grained segmentation and zero trust policy
• Automate policy as workloads scale or move across infrastructure
• Define a compliance model to track changes and policy violations

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
ACI: Simple, Consistent, Automated Networking

1 Point of management for all your Physical, Virtual, Container-based and Cloud Networking

[Diagram: ACI fabric with a Spine Layer (Nexus 9000) and a Leaf Layer (Nexus 9000) connecting the WAN, Legacy Networks (N5K/N7K), L4-L7 Services and VMs]

ACI: The network made simple

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Tetration

[Diagram: Cisco Tetration™ Insights platform]
• Actions (Operations and Advanced Security): White-list Policy, Application Segmentation, Policy Compliance
• Insights: Visibility and Forensics, Process Inventory, Application Insight
• Platform: meta-data generated from every packet plus third-party sources (configuration data); appliance model, on-premise or cloud; analytics cluster pipeline ▸ Ingest ▸ Store ▸ Analyse ▸ Learn ▸ Simulate ▸ Act; Behavior Analytics & Machine Learning
• Sensors: OS Sensor (Windows, Linux, Bare Metal, Containers), Network Sensor (Cloud-Scale Nexus, Nexus 9000 ‘X’), Foundation

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Tetration Helps to Answer Critical Questions

• Who Talks With Who? Application Dependency Mapping
• Automated Policy Discovery? Policy Pushing and Simulation
• Policy Violations? Audit + Compliance
• Micro-Segmentation: Policy Enforcement
• Port, Server and Process Details: Operational Efficiency
• Process Anomaly: Detect Suspicious Behavior
• Software Vulnerability Detection
• Security Risk Assessment

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Tetration: On-premises deployment options

On-premises appliance options

Cisco Tetration™ Platform (large form factor)
• Suitable for deployments of more than 5000 workloads
• Built-in redundancy
• Scales to up to 25,000 workloads
• Includes: 36 Cisco UCS® C220 servers, 3 Cisco Nexus® 9300 platform switches

Cisco Tetration-M (small form factor)
• Suitable for deployments of less than 5000 workloads
• Includes: 6 Cisco UCS C220 servers, 2 Cisco Nexus 9300 platform switches

Virtual appliance option

Cisco Tetration Virtual
• Suitable for deployments of less than 1000 workloads
• VMware ESXi-based environment
• Published system specification (CPU cores, memory, storage, etc.) for ESXi based deployments

Software subscription license based on number of workloads; available in 1-, 3-, and 5-year terms

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
Cisco Tetration software-as-a-service option

Cisco Tetration™ SaaS
• SaaS model: No need to purchase, install and manage HW or SW
• Fully managed and operated by Cisco
• Suitable for commercial customers and SaaS-first/SaaS-only customers
• Flexible pricing model; lower barrier to entry
• Quick turn up
• Scales to up to 25,000 workloads

[Diagram: real-time data sync from public cloud, private cloud and legacy environments into Tetration SaaS]

Software subscription license based on number of workloads; available in 1- and 3-year terms

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Next-Level Visibility
What Does the Sensor Collect

• Process Information: which process is it, who started it, hash, etc.
• Device Information: Buffer/ACL Drops, etc.

[Diagram: per-host stack (Application, Process, Sockets, Transport, Network, Data Link, Physical) on each side of the network, showing where the software sensor collects process data and where the network sensor collects device data]

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
Core Sensor Functionality

Full Visibility Software Sensor
• Per-packet Source/Destination IP, Port, Protocol
• Flow Size/Duration
• Network or Application Issue? Application Response Time, SRTT, TCP Resets, Retransmits, Window Size Issues, TCP Performance and Bottleneck Mapping
• Process: Open Used and Unused Ports
• Hostname, Interfaces, OS Version
• Process Name, Launch String, PID, Lifecycle, and SHA 256 Hash
• Parent Child Processes, Privilege Escalation
• User Access
• Installed Packages and CVE Exposure
• Network Policy Enforcement

ERSPAN Sensor
• Per-packet flow metadata
• Source/Dest IP, Port, Protocol

Hardware Sensor
• Switches and Interfaces
• Hop-by-hop Topology Data *FX
• Hop-by-hop Forward and Reverse Network Paths *FX
• Hop-by-hop Latency *FX
• Burst and Drop Statistics *FX

AnyConnect NVM (New!)
• User Identity
• LDAP group information
• Process
• URL

Supported OS Versions: https://www.cisco.com/c/en/us/td/docs/data-center-analytics/tetration-analytics/sw/release-notes/cta_rn_3_1_1_53.html
Supporting Sensor Functionality

Netflow Sensor
• Flow Information – Src/Dst IP, Port, Protocol

AWS CloudWatch
• Flow Information – Src/Dst IP, Port, Protocol
• Includes data on AWS PaaS services

Universal Software Sensor
• Netstat Data
• Hostname
• OS Version
• Interfaces
• Process Information

3rd Party Data
• Load Balancers
• DNS
• Inventory Data
• Route Tags
• IPAM
• CMDB
• vCenter Tags
• Kubernetes
• NIST CVE Information

Netscaler
• Snapshot (5 min)
• Flow Information
• NAT Stitching
• Automated Enforcement at the VIP

F5 Sensor
• Snapshot (5 min)
• Flow Information
• NAT Stitching
• Automated Enforcement at the VIP
What Does the Sensor Collect?
Network and App InfoSec

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
What Does the Sensor Collect?
Network and App Operations

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
Pervasive Visibility In A Multi-Cloud Environment

[Diagram: workloads spread across several clouds and the Internet, identified only by IP addresses and subnets]

• Endpoint Identity that may change constantly
• Difficult to discover policy without any context

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Visibility with Context and Control
Asset Tagging & Tetration Integration

[Diagram: the same multi-cloud endpoints now labelled with context such as Employee, Supplier Server, Shared Internet Server, Multi-Cloud, Internet and a Quarantine High Risk Segment]

• Clear understanding of traffic flow with context
• Easier to create & apply policy based on such context

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Network Performance and Troubleshooting

Nexus 9000 Cloudscale ASIC
• Collects full flow information plus metadata
  • 5-tuple flow info
  • Interface/queue info
  • Flow start/stop time
  • Flow latency – Nano-second accuracy (Requires PTP)
• Direct hardware export
• 9300-EX / 9300-FX / 9300-FX2 platforms support hardware flow table

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
Micro-Burst Detection
• Hardware FX and Deep software sensors can report burst events in 1ms granularity
• Two metrics to search against:
  • Fwd/Rev Burst Indicators: the number of burst events per flow per minute; long sum aggregated across flows
  • Fwd/Rev Burst+Drop Indicators: the number of instances where the packet drop for a flow coincides with the maximum burst; only supported for Hardware FX sensors

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
ACI Advantage: Encapsulated Remote SPAN

Common ERSPAN Sources
• Cisco ACI
• Cisco Nexus (5k/7k/9k)
• Cisco Catalyst
• VMware vSwitches
Most ERSPAN sources can slice packets at the source so network overhead is minimal (>3%)

ERSPAN Sensors
• Each VM processes up to 10GB of traffic
• Scale out is supported
• Requires 4GB of RAM and 8 vCPUs

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
ACI Advantage: Tetration Annotations

Real-Time Endpoint State: Leaf, Port, Tenant, VRF, EPG, …

https://github.com/CiscoSE/tet-aci-annotations

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
Identifying Bottlenecks – SW Sensor

Identify where the potential bottleneck could be:
• Network
• Application (consumer or provider)
• Both

Information is correlated based on:
• TCP retransmissions
• Window size changes
• Latency and other factors

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
Identifying Bottlenecks – SW Sensor

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
Data-Driven Troubleshooting Methodology

[Diagram: iterative cycle: Characterize the Problem → Find Problem Areas → Discover Commonality → Test Potential Solutions and Verify Solution]

Ask Questions and Make Decisions Supported by Data

Issue #1: Clear Problem Start and End

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
Issue #2: “Database Outage”

Issue is immediately isolated to only 6 web hosts by inspecting top contributors to Application Latency during the outage window. These hosts are having a total connectivity failure to the primary database.

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 42

Issue #2: Confirming the Scope of Impact

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 43

Issue #2: And in the meantime…

Primary database continues normal operation for all other web servers in the app and within the same VIP. What happened to those 6 servers!?

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
Demo – Visibility and
Troubleshooting
Zero-Trust Policy Intent
& Discovery
The Traditional Approach

[Diagram: Gather Data (the “App Guy”) → Analyze the Data (100 Billion Events in 3 Months) → Implement the Policy 1 Year Later? → Troubleshooting?]

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
Tetration Policy Lifecycle

Collect High Quality Network Behavior and Identity Data → Application Dependency Mapping → Automated Whitelist Policy Generation → Policy Simulation and Impact Assessment → Enforce Policy (Natively or Externally) → Policy Compliance and Auditability

Tetration Policy Lifecycle – Foundation for Zero Trust

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
Policy Discovery – What Talks to What

Zero Trust Policy Dynamically Discovered


BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
Cisco Tetration Analytics ADM

[Diagram: dynamically discovered cluster/EPG of endpoints]

Zero Trust Policy Dynamically Discovered

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
The Value of Big Data and Machine Learning

Real-World 50-100x Reduction in Complexity With Zero Input!

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Rule-processing order

Security Intent and Application Zero Trust Intent are combined by Rule Flattening; rules are processed in the order Security team rules → Network team rules → Application owner rules

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
It’s not only about the network
• Attacks are mainly driven by application vulnerabilities, not the network
• In most cases the port will be legitimately open
  • Apache Struts?
• The protection needs to be elevated to the Operating System
  • Get CVE and patching information?
  • Detect Side Channel Attacks?
  • Identify Privilege escalations?

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Understanding Exposure
• Tetration stores all CVE information since 1999
• And collects the list of installed packages in order to detect known vulnerabilities

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
And Taking Action!
• As Tetration is Tag and Metadata driven we can easily segment based on CVE

• Or Installed packages

• And implement across the datacenter

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
Policy Compliance and Simulation

[Diagram: permitted traffic seen on the network vs. what was seen on the network that was out of policy]

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
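As an added example (not code from the deck or from Cisco Tetration), the compliance comparison above in Python: observed flows are evaluated against a whitelist whose rules carry the owning team, checked in the slide's order (security, then network, then application owner; first match wins and anything unmatched is denied, which is this model's assumption), and bucketed into permitted flows, out-of-policy flows and rules that never matched. The rule and flow formats and all sample data are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    owner: str            # "security", "network" or "application": decides precedence
    action: str           # "allow" or "deny"
    src: str              # consumer CIDR
    dst: str              # provider CIDR
    proto: str            # "tcp", "udp", "icmp" or "any"
    port: Optional[int]   # destination port; None matches any port

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: Optional[int]

# Assumed precedence (the order shown on the rule-processing slide):
# security team rules before network team rules before application owner rules.
OWNER_PRECEDENCE = {"security": 0, "network": 1, "application": 2}

def matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow falls inside the rule's source, destination, protocol and port."""
    if ip_address(flow.src) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    return rule.port is None or rule.port == flow.port

def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[Rule]]:
    """First matching rule in precedence order wins; no match means deny (whitelist model)."""
    for rule in sorted(rules, key=lambda r: OWNER_PRECEDENCE[r.owner]):
        if matches(rule, flow):
            return rule.action, rule
    return "deny", None

def compliance_report(rules: List[Rule], flows: List[Flow]) -> dict:
    """Bucket observed flows as the compliance view does, and list rules nothing ever hit."""
    permitted, out_of_policy, used = [], [], set()
    for flow in flows:
        action, rule = evaluate(rules, flow)
        if rule is not None:
            used.add(rule)
        (permitted if action == "allow" else out_of_policy).append(flow)
    unused = [r for r in rules if r not in used]   # candidates for removal or review
    return {"permitted": permitted, "out_of_policy": out_of_policy, "unused_rules": unused}

# Constructed sample policy: web 10.10.10.0/24, app 10.10.20.0/24, db 10.10.30.0/24
POLICY = [
    Rule("security", "deny", "10.10.30.0/24", "0.0.0.0/0", "any", None),         # db tier never initiates
    Rule("network", "allow", "10.10.0.0/16", "10.10.0.0/16", "icmp", None),        # ping inside the DC
    Rule("application", "allow", "10.10.10.0/24", "10.10.20.0/24", "tcp", 8080),  # web -> app
    Rule("application", "allow", "10.10.20.0/24", "10.10.30.0/24", "tcp", 3306),  # app -> db
    Rule("application", "allow", "10.10.20.0/24", "10.10.30.0/24", "tcp", 22),    # never observed
]

# Constructed sample of flows "seen on the network"
OBSERVED = [
    Flow("10.10.10.5", "10.10.20.7", "tcp", 8080),   # permitted by the web -> app rule
    Flow("10.10.20.7", "10.10.30.9", "tcp", 3306),   # permitted by the app -> db rule
    Flow("10.10.20.7", "10.10.30.9", "icmp", None),  # permitted by the network team rule
    Flow("10.10.10.5", "10.10.30.9", "tcp", 3306),   # web straight to db: out of policy
    Flow("10.10.30.9", "10.10.20.7", "tcp", 3306),   # db initiating: hit by the security deny
]

if __name__ == "__main__":
    report = compliance_report(POLICY, OBSERVED)
    for flow in report["out_of_policy"]:
        print("OUT OF POLICY:", flow)
    for rule in report["unused_rules"]:
        print("UNUSED RULE:", rule)
```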
Policy Enforcement

Layered Enforcement Points
Consistent Policy - Cisco Tetration

• Application Layer (User Access Control): Duo Security. Zero trust at the application layer while enabling holistic 2-factor authentication in the cloud or on-premise.
• Deep Packet Inspection (Layer 4-7): Cisco Firepower Threat Defense (NGFW/NGIPS/Advanced Malware). Consistently rated highest in efficacy by NSS Labs. Powered by Cisco Talos threat intelligence.
• Network-Level (Layer 2-4, Macro-Segmentation, Selective Micro-Segmentation): Cisco Nexus and Cisco ACI. Security policy enforcement outside of the workload leveraging SDN capabilities including physical and virtual switching.
• Host-Level (Layer 2-4+ Granular Segmentation): Cisco Tetration Cloud Workload Protection Platform. Zero-Trust Network Segmentation, Vulnerability Detection, Process Behavior Analytics, File and Memory Monitoring.

Layered Enforcement spans Physical, Virtual (Any Hypervisor), Containers and Cloud (Azure/AWS/Google) workloads.

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Enforcement of policy across any floor tile

Cisco Tetration Analytics™
1. Generates unique policy per workload
2. Pushes policy to all workloads
3. Workload securely enforces policy
4. Continuously recomputes policy from identity and classification changes

[Diagram: ACME Corp workloads in Google, Azure and Amazon public cloud, on bare metal, virtual, Cisco ACI™ and traditional network, all under Tetration enforcement and compliance monitoring]

Subscribe to Kafka to ingest TA policy: https://github.com/tetration-exchange/pol-client-java

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Demo – Tetration Policy
Lifecycle & Enforcement
Tetration Scripts in the Demo
tetration-excel
https://github.com/CiscoSE/tetration-excel
Script to convert Tetration ADM and Policy to Excel

tetration-postman
https://github.com/CiscoSE/tetration-postman
Postman collection for interacting with the Cisco Tetration API

tetration-diagram
https://github.com/CiscoSE/tetration-diagram
Script to convert Tetration's ADM output to a diagram format

tet-aci-annotations
https://github.com/CiscoSE/tet-aci-annotations
Synchronizes endpoint state information with Cisco Tetration

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
ACI Security

For a pure network-based micro-segmentation security approach visit:

Learn more: [BRKACI-2301] - Practical Applications of Cisco ACI Micro Segmentation

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
The ACI Policy Model

• Tenant (example: GlobalWealth)
• VRF ≈ VRF
• Bridge Domain ≈ Subnet/SVI
• End Point Group ≈ Broadcast Domain/VLAN
• Contracts ≈ Access Lists
• L2 External EPG ≈ 802.1q Trunk
• L3 External EPG ≈ L3 Routed Link

[Diagram: EPG1 and EPG2 with an Any-Any contract between them (Private VLAN); this replicates a traditional switch]

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
The ACI Policy Model – Network Centric Configuration

[Diagram: a Tenant with a global VRF/routing table and protocol; three bridge domains, VLAN 10 BD (10.10.10.1/24), VLAN 20 BD (10.10.20.1/24) and VLAN 30 BD (10.10.30.1/24); one EPG per VLAN (VLAN 10 EPG, VLAN 20 EPG, VLAN 30 EPG) joined by Any-Any Contracts; an L2 External (802.1q Trunk) connects to an external switch and an L3 External (Routed Interface) provides routing]

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
ACI Policy Model – Micro Segmentation

[Diagram: Application Profile for App 1 with three EPGs chained by contracts: App 1 - Database Tier EPG | Only SQL | App 1 - App Tier EPG | Only HTTP | App 1 - Web Tier EPG | Only HTTP | L2/L3 External (REST)]
Zero Trust in the Real World
ACI Preferred Groups: Selective Segmentation
Advanced Policy Building Block

• Inside the Preferred Group there is unrestricted communication
• Contracts are required to reach an EPG inside the Preferred Group from outside it
• Excluded EPGs can NOT communicate without contracts

[Diagram: VRF – MyVRF; a Preferred Group containing EPG-A, EPG-B, EPG-C, EPG-D and an L3Out External EPG; excluded EPG-1, EPG-2 and EPG-3, of which EPG-1 and EPG-2 reach the Preferred Group only through Contract-1 and Contract-2]

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
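Added example (not Cisco code) of the Preferred Group rules above as a small evaluator: a VRF with a Preferred Group and contracts answers whether one EPG may initiate traffic to another and, as a defender's check, which EPGs can reach a given EPG at all. EPG and contract names follow the slide's diagram; the class layout, the consumer-to-provider initiation model and the helper names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

@dataclass
class Contract:
    name: str
    providers: Set[str] = field(default_factory=set)   # EPGs that provide the contract
    consumers: Set[str] = field(default_factory=set)   # EPGs that consume it

@dataclass
class Vrf:
    name: str
    epgs: Set[str]                  # every EPG in the VRF, including the L3Out external EPG
    preferred_group: Set[str]       # EPGs included in the Preferred Group
    contracts: Dict[str, Contract] = field(default_factory=dict)

    def add_contract(self, name: str, provider: str, consumer: str) -> None:
        contract = self.contracts.setdefault(name, Contract(name))
        contract.providers.add(provider)
        contract.consumers.add(consumer)

    def allowed(self, consumer: str, provider: str) -> Tuple[bool, str]:
        """May `consumer` initiate traffic to `provider`? Returns the verdict and why.
        Modelled on the initiation direction only; return traffic of a permitted
        conversation is assumed to be allowed by the same contract."""
        unknown = {consumer, provider} - self.epgs
        if unknown:
            raise ValueError(f"unknown EPG(s): {sorted(unknown)}")
        if consumer in self.preferred_group and provider in self.preferred_group:
            return True, "both in Preferred Group"          # unrestricted inside the group
        for contract in self.contracts.values():           # otherwise a contract is required
            if consumer in contract.consumers and provider in contract.providers:
                return True, f"contract {contract.name}"
        return False, "no contract and at least one EPG is excluded from the Preferred Group"

    def reachable_by(self, provider: str) -> Set[str]:
        """Which EPGs can initiate traffic to `provider`? Empty set means it is isolated."""
        return {e for e in self.epgs if e != provider and self.allowed(e, provider)[0]}

# Constructed VRF mirroring the slide: EPG-A..D and the L3Out external EPG in the
# Preferred Group, EPG-1..3 excluded, two contracts bridging into the group.
MYVRF = Vrf(
    name="MyVRF",
    epgs={"EPG-A", "EPG-B", "EPG-C", "EPG-D", "L3Out-Ext", "EPG-1", "EPG-2", "EPG-3"},
    preferred_group={"EPG-A", "EPG-B", "EPG-C", "EPG-D", "L3Out-Ext"},
)
MYVRF.add_contract("Contract-1", provider="EPG-1", consumer="EPG-A")
MYVRF.add_contract("Contract-2", provider="EPG-B", consumer="EPG-2")

if __name__ == "__main__":
    for pair in [("EPG-A", "EPG-D"), ("EPG-A", "EPG-1"), ("EPG-1", "EPG-A"), ("EPG-3", "EPG-A")]:
        print(pair, MYVRF.allowed(*pair))
    print("EPGs that can reach EPG-3:", MYVRF.reachable_by("EPG-3"))   # empty: isolated
```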
Dynamic EPGs (uSeg) with ACI
Advanced Policy Building Block

Attribute: Type
• MAC Address Filter: Network
• IP Address Filter: Network
• VNic Dn (vNIC domain name): VM
• VM Identifier: VM
• VM Name: VM
• Hypervisor Identifier: VM
• VMM Domain: VM
• Datacenter: VM
• Custom Attribute (VMware AVS/vDS only): VM
• Operating System: VM

[Diagram: a uSeg EPG (EPG-Web) spanning VLAN, VXLAN and VLAN-or-VXLAN encapsulations on vDS, Cisco AVS, IP/MAC EPG, Hyper-V vSwitch and Open vSwitch]
Micro-Segmentation Across any Workload
Same Policy Model Across the Hybrid Cloud

[Diagram: KVM with Open vSwitch and OpFlex Agent, ESXi with VMware DVS, Cisco AVS, Hyper-V with MSFT vSwitch and Docker with Open vSwitch and OpFlex Agent, each attached over V(X)LAN/OpFlex, plus Bare Metal over VLAN; all carry VMs or Docker containers under the same policy model]
AVE: Extending Policy to the Virtual Machine
Advanced Policy Building Block

ACI Virtual Edge (AVE): Hypervisor Agnostic

[Diagram: ACI Virtual Edge running on top of the native switch of any hypervisor, alongside bare metal servers]

Policy Consistency Across Multiple Hypervisors
ACI and Tetration Logical Design – Brownfield

ACI (Network Centric)
• VRF: Production
• BD: VLAN-1 (10.41.41.254/24) and BD: VLAN-2 (10.51.51.254/24)
• Base EPG: VLAN-1 and Base EPG: VLAN-2, both in the Preferred Group
• uSeg EPGs: Quarantine (x.x.x.x/32 hosts, Non-P-Group), Cluster 1, Cluster 2; Cluster = uEPG

Tetration
• Root Scope, fed by Annotations
• Scope: VLAN-1&2 (Query: BD=VLAN-1 or BD=VLAN-2) with child scopes Scope: VLAN-1 (Query: BD=VLAN-1) and Scope: VLAN-2 (Query: BD=VLAN-2)
• Filter: Quarantine (Optional)
• ADM Results: Cluster 1 and Cluster 2 (x.x.x.x/32 members), each yielding a Zero-Trust Policy (*Include Fine on External Dependencies)

EPG / Contract / Provide-Consume
• uEPG1, uEPG2 / proxy-access (icmp, tcp/3128) / Web
• uEPG2, uEPG1 / Ansible-Provisioning (icmp, tcp/22) / DB

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
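Added example (not code from the deck or from the CiscoSE scripts) that ties the micro-segmentation policy model to the brownfield design above: a constructed ADM result (clusters plus the conversations between them) is turned into the APIC REST JSON for one uSeg EPG per cluster, one filter per protocol/port and one contract per consumer-to-provider pair, with the uSeg EPGs excluded from the Preferred Group. The tenant, BD, cluster and contract names and the ADM input format are assumptions; the class and attribute names are those of the ACI object model.

```python
import json

# Constructed ADM result for the brownfield design: two clusters discovered in
# bridge domain VLAN-1 and the conversations ADM observed between them.
ADM = {
    "clusters": {
        "Cluster-1": ["10.41.41.11", "10.41.41.12"],
        "Cluster-2": ["10.41.41.21"],
    },
    # (consumer cluster, provider cluster, protocol, destination port or None for icmp)
    "policies": [
        ("Cluster-1", "Cluster-2", "tcp", 3128),   # proxy-access
        ("Cluster-1", "Cluster-2", "icmp", None),
        ("Cluster-2", "Cluster-1", "tcp", 22),     # Ansible-Provisioning
        ("Cluster-2", "Cluster-1", "icmp", None),
    ],
}

def mo(cls, attrs, children=()):
    """One APIC managed object in the REST JSON shape {class: {attributes, children}}."""
    body = {"attributes": attrs}
    if children:
        body["children"] = list(children)
    return {cls: body}

def filter_name(proto, port):
    return f"{proto}-{port}" if port is not None else proto

def build_filter(proto, port):
    """vzFilter with one vzEntry; port-less entries (icmp) carry no port range."""
    entry = {"name": filter_name(proto, port), "etherT": "ip", "prot": proto}
    if port is not None:
        entry.update({"dFromPort": str(port), "dToPort": str(port)})
    return mo("vzFilter", {"name": filter_name(proto, port)}, [mo("vzEntry", entry)])

def build_useg_epg(name, bd, ips):
    """uSeg EPG that claims the cluster's hosts by IP attribute and is excluded from the
    Preferred Group, so only explicit contracts apply to it (the slide's Non-P-Group)."""
    ip_attrs = [mo("fvIpAttr", {"name": f"ip-{i}", "ip": ip}) for i, ip in enumerate(ips)]
    return mo("fvAEPg",
              {"name": name, "isAttrBasedEPg": "yes", "prefGrMemb": "exclude"},
              [mo("fvRsBd", {"tnFvBDName": bd}), mo("fvCrtrn", {"name": "default"}, ip_attrs)])

def build_tenant(adm, tenant="Production", bd="VLAN-1", ap="ADM"):
    """Assemble filters, contracts and uSeg EPGs into one fvTenant tree."""
    filters, contract_filters, provides, consumes = {}, {}, {}, {}
    for consumer, provider, proto, port in adm["policies"]:
        fname = filter_name(proto, port)
        filters.setdefault(fname, build_filter(proto, port))     # one filter per proto/port
        cname = f"{consumer}-to-{provider}"                       # one contract per direction pair
        contract_filters.setdefault(cname, []).append(
            mo("vzRsSubjFiltAtt", {"tnVzFilterName": fname}))
        provides.setdefault(provider, set()).add(cname)
        consumes.setdefault(consumer, set()).add(cname)
    epgs = []
    for cluster, ips in adm["clusters"].items():
        epg = build_useg_epg(cluster, bd, ips)
        kids = epg["fvAEPg"]["children"]
        kids += [mo("fvRsProv", {"tnVzBrCPName": c}) for c in sorted(provides.get(cluster, ()))]
        kids += [mo("fvRsCons", {"tnVzBrCPName": c}) for c in sorted(consumes.get(cluster, ()))]
        epgs.append(epg)
    children = list(filters.values())
    children += [mo("vzBrCP", {"name": c}, [mo("vzSubj", {"name": "default"}, rels)])
                 for c, rels in contract_filters.items()]
    children.append(mo("fvAp", {"name": ap}, epgs))
    return mo("fvTenant", {"name": tenant}, children)

if __name__ == "__main__":
    print(json.dumps(build_tenant(ADM), indent=2))   # request body for the APIC uni.json endpoint
```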
Demo – Tetration Policy
in ACI
Best Practices
• Focus on Developing Proper Annotations and Integrating into IT Workflow.
• Deploy Software Sensors for Pervasive Visibility and Rich Metadata
• Go after Low Hanging Fruit early on:
  • Segment Production from Non-Production
  • Segment ATMs from Rest of Infrastructure
  • Allow Employees to access Web Front End
• Use vzAny when you can to optimize switch resources
• If your contract consists of 30+ filters, then consider Tetration native enforcement
• For ACI Policy Generation Define Scopes based on BD or EPG Annotations
  • Look to use a single Bridge Domain for Deployment
  • Use annotated hosts to define Scopes for Granular Policy Generation
• Communicate across organizations for complete picture
  • Network <-> Operations <-> Security <-> Application Owners

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
Document on CCO
• Title: Cisco Application Centric Infrastructure Best Practices When Using Contracts White Paper
• Listing page: http://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/white-paper-listing.html
• Landing page: http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-737387.html

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
Complete your online session survey
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 87
Continue Your Education

• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions

BRKACI-2110 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 88
Thank you
