BRKACI-2504 Cisco Security on ACI, MicroSegmentation, ASA, FirePower. Brenden Buresh DC Technical Solutions Architect


2 BRKACI-2504 Cisco Security on ACI, MicroSegmentation, ASA, FirePower Brenden Buresh DC Technical Solutions Architect

3 Agenda Introduction Data Center Security ACI Fundamental Building Blocks ACI Tenant Whitelist Security ACI Fabric Infrastructure Security ACI Fabric Micro-Segmentation Extending ACI Security Outside DC Conclusion ACI=Advanced Security

4 Introduction: Data Center Security

5 Security Threats are Trending Higher Cisco Annual Security Report 2016

6 Organizational Security Confidence Slipping Cisco Annual Security Report 2016

7 What is the Problem Facing IT Organizations? Complexity of Traditional Infrastructure Network Complexity Dictates App Deployment/Operation Rigid Logical-Physical Tightly Coupled 1 Intentional Change Yields Many Unintended Changes Org Silos Language Translation Fragile Don't Touch It! Code Upgrades, Config Changes, New Devices Stifles Innovation Insecure Box by Box Configuration Error Prone Compliance Challenges

8 Why Policy Has Become Table Stakes? Policy Driven Infrastructure Delivers Network Simplification via Policy Automation POLICY UCS Service Profile Application Network Profile Compute L4-7 Services Storage Management Security Profile Network Orchestration Security Operational Simplicity Application Centricity Security and Compliance Multi-Vendor Innovation

9 Policy: Links Application Language to Infrastructure Application Language Application tier policy and dependencies Security requirements Service level agreement Application performance Compliance Geo dependencies Common Policy App Network UCS Service Profile Policy-Driven Profile Decouple Application and Infrastructure policy from Infrastructure Underlying infrastructure Network Language Compute/Storage Language Security Language

10 ACI Fundamental Building Blocks

11 Application Centric Infrastructure Automating IT by Making Applications the Focal Point Agile, Open and Secure Business Requirements Applications Policy Integrated Physical and Virtual POLICY POLICY L4-7 SERVICES COMPUTE SECURITY STORAGE

12 ACI Solution: Agile, Open, and Secure Agile App Requirements Drive Network Deployment/Operation Open Secure Policy Automation Visibility Scale and Performance Open APIs Partner Ecosystem Multi-Tenant Security Compliance Speed through Automation Physical and Virtual Endpoints with Consistent Policy Application Health Monitoring H/W Based VXLAN Gateway Open APIs, Open Source and Open Standards Customer Choice And Interoperability Drives Innovation Whitelist Approach Multitenant Aware Simplified Compliance

13 Building Blocks (Pillars) of ACI Rapid Application Deployment via Open Networks with Scale, Security, Full Visibility Application Centric Infrastructure Industry Leading Technology Partnerships ACI Fabric/Nexus 9000 Application Centric Policy Open Ecosystem

14 Cisco ACI Fabric Nexus 9500 Modular Switches Nexus 9300 Fixed Switches Innovations in Hardware and System Design Performance Port Density Power Efficiency Programmability Price Innovations in Cisco NX-OS Software Improved Application Performance Integrated Overlay Capabilities Programmability and Automation

15 ACI Policy Driven Network Application Network Profiles SYSTEM CONFIGURES HARDWARE AUTOMATICALLY POLICIES USED TO CREATE A POLICY DRIVEN NETWORK END POINT GROUPS, CONTRACTS, AND SERVICE GRAPHS TO CREATE ANPS SYSTEM CONFIGURES HARDWARE AUTOMATICALLY Application SME Network SME Security Policy Network Policy Bare-Metal Policy Virtualization Policy Application Profiles Security SME Leaf Node Name VLAN, IP Pools Switch Profiles Interface Policies Attachable Access Entity Profile Bridge Domains EPGs Layer 4-7 Service Graphs End Point Groups, Provider Contract to App, Firewalls, End Point Groups, Consumer and Provider End Point Groups, Consumer WEB EPG APP EPG Load Balancers, IPS, IDS Contracts, Firewalls, Load Balancers Database EPG Contracts, Firewalls

16 ACI A Policy Based IP Network Proxy (Directory) Services IP Network & Integrated VXLAN APIC - Policy Controller & Distributed Management Information Tree (DMIT) VTEP VTEP VXLAN IP Payload VTEP Physical and Virtual VTEPs (Policy & Forwarding Edge Nodes) VTEP AVS VTEP AVS VTEP WAN/DCI Services Physical and Virtual Endpoints (Servers) & VMM (Hypervisor vSwitch) Physical and Virtual L4-7 Service Nodes

17 ACI is a Robust Network Fabric Provides a New Communication Abstraction Model Single Point of Orchestration Different administrative groups use same interface, high level of object sharing Application Policy Infrastructure Controller (APIC) Policy Contract Users Files All TCP/UDP: Accept, Redirect UDP/ : Prioritize All Other: Drop Create Contracts Between Endpoint Groups Port-level rules: drop, prioritize, push to service chain; reusable templates ACI Fabric Enforce Ingress Fabric Rules Hardware rules on each port, security in depth, embedded QoS Single Pass Services Define Endpoint Groups Security administrator defines generic templates in APIC, availed to contract creation Service Graph Files Users Any endpoints anywhere within the fabric, virtual or physical

18 Application Centric Infrastructure Fabric Flat Hardware Accelerated Network ACI Fabric Full abstraction, de-coupled from VLANs and Dynamic Routing, low latency, built-in QoS Flexible Insertion Fabric Port Services Every device is one hop away, microsecond latency, no power or port availability constraints, ease of scaling Hardware filtering and bridging; default gateway; seamless service insertion, service farm aggregation Unified Management and Visibility ACI Controller manages all participating devices, change control and audit capabilities Files Users Logical Endpoint Groups by Role Heterogeneous clients, servers, external clouds; fabric controls communication

19 ACI Policy Instantiation Logical Network Provisioning of Stateless Hardware F/W ADC WEB ADC APP DB ACI Policy APIC ACI Fabric Integrated GBP VXLAN Overlay Application Policy Infrastructure Controller

20 Application Policy Infrastructure Controller Centralized Automation and Fabric Management Unified point of Data Center network automation and management: Data Model based declarative provisioning Application, Topology Monitoring, & Troubleshooting 3rd party Integration (L4-L7 Services, Storage, Compute, WAN, ...) Image Management (Spine / Leaf) Fabric Inventory Centralized Access to all Fabric information - GUI, CLI and RESTful APIs Extensible to compute and storage management Layer 4..7 Open RESTful API Policy-Based Provisioning System Management APIC Storage Management Storage SME Orchestration Management Server SME Network SME Security SME App. SME OS SME

21 Application Centric Infrastructure Vision Open Ecosystem, Open APIs Automation Hypervisor Management Enterprise Monitoring Systems Management Orchestration Frameworks Application Network Profile APIC Centralized Policy Management Open APIs, Open Source, Open Standards Fabric Physical Networking Hypervisors and Virtual Networking Compute L4-L7 Services Storage

22 Cisco ACI Built on Open Architectures OPEN SOURCE OPEN STANDARDS DevOps VXLAN NSH OpFlex OPEN INTERFACES OPEN ECOSYSTEM RESTful APIs (XML) UCS Security ACI Intercloud IoT

23 ACI Tenant Whitelist Security

24 ACI Goal: Common Policy and Operations Framework Cloud Cloud Admin Application Admin Web Tier External Zone App Tier APPLICATION DB Tier Security Admin DMZ Trusted Zone SECURITY DB Tier Network Admin

25 ACI Goal: Common Policy and Operations Framework Cloud Cloud Admin Application Admin APPLICATION External Zone Security Admin DMZ Trusted Zone SECURITY DB Tier Network Admin COMMON POOL OF RESOURCES

26 ACI Policy Model Brings Concept of End-Point Group EPGs are a grouping of end-points representing application or application components independent of other network constructs. HTTPS Service EPG - Web HTTPS Service POLICY MODEL HTTPS Service HTTP Service HTTP Service HTTPS Service HTTP Service HTTP Service

27 End-Points and EPG membership Server Virtual Machines & Containers Storage Device connected to network directly or indirectly Has address (identity), location, attributes (version, patch level) Can be physical or virtual or container Examples: End Point Group (EPG) membership defined by: Ingress physical port (leaf or FEX) Ingress logical port (VM port group) VLAN ID VXLAN (VNID) IP address (so far only applicable to external/border leaf connectivity) IP Prefix/Subnet (so far only applicable to external/border leaf connectivity) NVGRE (VSID) (future) VM-based attributes (future) Layer 4 ports (future) Client

28 EPGs, Subnets, and Policy EPGs separate the addressing of an application from its mapping and policy enforcement on the network. EPG WEB-1 EPG WEB-2 Policy/Security enforcement occurs at the EPG level HTTPS Service HTTPS Service HTTPS Service HTTPS Service x HTTP Service HTTP Service HTTP Service HTTP Service x

29 ACI Enables Segmentation Based on Business Needs New PRODUCTION POD DMZ DEV VLAN 1 VXLAN 2 WEB WEB TEST APP SHARED SERVICES PROD VLAN 3 DB WEB OVS/OpFlex VM Basic DC Network Segmentation Segment by Application Lifecycle Network centric Segmentation Per Application-tier / Service Level Micro-Segmentation Intra-EPG Container Security Micro-Segmentation Level of Segmentation/Isolation/Visibility

30 ACI and Today's 3-Tier applications Web App Network Profile The Application App DB Outside Client(s) QoS QoS QoS P Service P P Filter Filter P = Defined Policy Could be many VMs or containers Mostly physical resources Could be mix of physical/virtual machines/containers

31 Application Network Profiles (ANP) Application Network profiles are a group of EPGs and the policies that define the communication between them. Application Network Profile EPG - WEB EPG - APP EPG - DB POLICY MODEL = Inbound/Outbound Policies Inbound/Outbound Policies

32 Applying Policy between EPGs: ACI Contracts Contracts define the way in which EPGs interact Unidirectional Communication EPG B Contract 02 EPG C Contract 01 Bidirectional Communication EPG A The policy model allows for both unidirectional and bidirectional policies. Ex: ACI Logical Model applied to the 3-Tier App ANP

33 Building ACI Contracts Filter TCP Port 80 Action Permit Label Web Access Subject Filter Action Label Subjects are a combination of A filter, an action and a label Contracts define communication between source and destination EPGs Contract 1 Subject 1 Subject 2 Subject 3 Contracts are groups of subjects which define communication between EPGs

34 Policy Options: Actions Permit Redirect Deny Log There are six policy options supported: Permit the traffic Block the traffic Redirect the traffic Log the traffic Copy the traffic Mark the traffic (DSCP/CoS) Copy Packet Mark Packet DSCP Policy encompasses traffic handling, quality of service, security monitoring and logging

35 Application Network Profiles (ANP) & ACI: How it Works? F/W ADC WEB ADC APP DB SLA QoS CONNECTIVITY POLICY Security SECURITY POLICIES Load Balancing QOS APPLICATION L4..7 SERVICES STORAGE AND COMPUTE APP PROFILE HYPERVISOR HYPERVISOR HYPERVISOR

36 Example of an Application Mapped to ACI

37 ACI Embedded Tools Endpoint Tracker Application that reads all of the Endpoints from APIC Registers for Endpoint add/delete Punch clock for Endpoints Who (MAC, IP) What (Tenant, App, EPG) Where (Interface) When (Timestamps) Web1 App1 DB1 Determine what was on network at any time Web2 App2 DB2 SQL or GUI frontend SQL Web3 App3 DB3

38 ACI Embedded Tools Diagrams A whiteboard diagram of an application's deployed security policy

39 Automating Infrastructure Dynamic Endpoint Attachment ACI Policy Allow HR-EPG Inbound to HR-Web EPG ASA and F5 Object-Group: Keep policies up to date without manual configuration Web servers immediately available when added to DNS ACI Fabric Automatically update ASA and F5 with new endpoints connecting to network for HR-EPG. Remove endpoints when they disconnect from network.

40 Dynamic Update to EPG Object-Group
1: Enable Attachment Notification on function connector internal.
2: APIC creates object-group for the EPG.
3: APIC adds new endpoints to object-group ( , )
APIC dynamically detects new endpoint, ASA subscribes to attach/detach event, and ASA automatically adds to object-group
    object-group network $EPG$_podA-myapps-app
      network-object host
      network-object host
    access-list access-list-inbound extended permit tcp any object-group $EPG$_podA-myapps-app eq www
New New web Consumer app Provider ACE Object-group

41 ACI Fabric Infrastructure Security

42 APIC Communicating to the Network Infrastructure VRF Switch nodes will have: 1. Inband access to Infra & Mgmt VRF 2. Mgmt Port (OOB) 3. Console port APIC APIC APIC OOB Management Network APIC will have: 1. 2 attached to fabric for data 2. 2 for mgmt (OOB) 3. 1 console ethernet port (can be only used for direct laptop hookup) 4. CIMC/IPMI ports Inband Management VRF Infra VRF Used for inband APIC to switch node communication, non routable outside the fabric currently (Multi-Fabric, Remote Leaf will both allow extension of the Infra VRF - Future) Inband Management Network tenant VRF created for inband access to switch nodes OOB Management Network APIC and switch node dedicated mgmt ports

43 APIC First Time Setup APIC one time setup is via UCS console access Cluster configuration Fabric Name Number of controllers [1..9] Controller ID [1..9] TEP Address pool [ /16] Infra VLAN ID [4093] Out-of-band management configuration Management IP address [ /254] Default gateway [ ] Admin user configuration Enable strong passwords (Y/N) Password APIC After first time setup, APIC UI is accessible via URL

44 APIC Fabric Login Screen

45 APIC & ACI System Security Two modes of access to the REST interface Web-Token X.509 based certs SSL Same SSL Certificate presented by all APICs to External HTTPS connections APIC X.509 REST requests are signed with the user private key RSA keys of 1024, 1536 or 2048 bits Two Factor Authentication SSL Cisco Signed Certificates (shipped with switch and APIC)

46 Chain of Trust for ACI Nodes (APIC to Switch) 1. Establish SSL connection and exchange public key certificates 2. For additional security, shared secret or device serial number can be optionally exchanged (Post FCS) 3. After successful validation, connection is ready 4. Messages are authenticated with HMAC digest SSL APIC

47 Chain of Trust for ACI Nodes (APIC) Secure Container Based for BASH (ishell) No root access for customers (TAC only) APIC APIC ISO is encrypted and keys are stored on APIC TPM RPMs are not visible Secure Trusted Executable Secure Mode Installer SSL

48 Chain of Trust for ACI Nodes (Switches) Chain of Trust for images on Switch Nodes Anti Counterfeit Technology-2 Hardware Security Module (ACT2 HSM) Validates the FPGA software, ROMMON software, switch preboot image and the switch full image Switch Image Signed Hash FIPS compliant build system This standard requires software to be digitally signed and be verified for authenticity and integrity prior to load and execution. Cisco maintains the Abraxas build system which keeps private keys secure and provides signing services via ssh/https APIs Generate Hash (SHA512) Create Signature (RSA-2048 bit) Using Insieme RSA 2048 Private Key

49 Fabric Initialization & Maintenance Topology Discovery via LLDP using ACI specific TLVs (ACI OUI) Loopback and VTEP IP Addresses allocated from Infra VRF via DHCP from APIC APIC APIC Cluster APIC APIC ACI Fabric supports discovery, boot, inventory and systems maintenance processes via the APIC Fabric Discovery and Addressing Image Management Topology validation through wiring diagram and systems checks

50 Fabric Initialization & Maintenance 3 6 Fabric will self assemble starting from multiple APIC sources Spine switch discovers attached Leaf via LLDP, requests TEP address and boot file via DHCP 5 2 Leaf switch discovers attached APIC via LLDP, requests TEP address and boot file via DHCP Fabric can be discovered and initialized from multiple sources concurrently 7 APIC Cluster APIC APIC APIC APIC Cluster will form when members discover each other via Appliance Vector (AV) 1 APIC bootstrap configuration 1) APIC Cluster Configuration 2) Fabric Name 3) TEP Address space (Infra-VRF) 4) 4 All nodes in the same APIC cluster should contain same bootstrap information if they are intended to form a cluster

51 Fabric Initialization & Maintenance Node Identity Policy Assigns ID/Name to switches based on serial number Controls which switches can join the fabric Allows zero touch provisioning of switches POST:
    <fabricNodeIdentPol>
      <!-- Only switches whose serial number is listed here are named and admitted to the fabric -->
      <fabricNodeIdentP serial="TNAX234ZA" name="leaf1" nodeId="101"/>
      <fabricNodeIdentP serial="JNAX234ZZ" name="leaf2" nodeId="102"/>
      <fabricNodeIdentP serial="KLAX234ZZ" name="spine1" nodeId="103"/>
    </fabricNodeIdentPol>

52 APIC Image Management Covers multiple items like: Compatibility Catalog Checks at upgrade / downgrade events such as configuration Switch image management Leaf and Spine switches APIC image management Policy controller cluster Image repository on APIC Admin Firmware Fabric Node Firmware

53 Fabric Initialization & Maintenance All-Spines All-Leafs All-APICs APIC Cluster APIC APIC APIC ACI Fabric leverages the same Global Catalogue methodology as UCS, the supported HW/SW matrix, image versioning, APIC and switch node image management controlled via APIC policies Policies control which images should be on which groupings of devices, when the images should be upgraded/downgraded Also control the upgrade process, automatic, manual step by step,

54 ACI Fabric Micro-Segmentation Security

55 Spectrum of Micro-Segmentation Segmentation Micro-Segmentation Per EPG Per vnic

56 ACI Security Automated Security with Built-In Multi-Tenancy Distributed Stateless Firewall ACI Services Graph Line Rate Security Enforcement Open: Integrate Any Security Device Embedded Security White-list Firewall Policy Model Authenticated Northbound API (X.509) Encrypted Management Plane (TLS 1.2) Micro-Segmentation VMware AVS, VDS*, Microsoft Hyper-V, and Bare-metal workloads Intra End Point Group Isolation Attribute Based Isolation and Quarantine * Note: Available: 1H CY 2016 Security Automation Dynamic Service Insertion and Chaining Security Policy Follows Workloads Centralized Security Provisioning and Visibility

57 Cisco ACI Delivers Micro-Segmentation Flexible, Granular, Consistent EPG Based Attributes Based Intra-EPG Based PROD POD DMZ VLAN 1 VXLAN 2 Quarantine Compromised Workloads Isolate Workloads within Application Tier SHARED SERVICES VLAN 3 Basic DC Segmentation DEV Network-Centric Segmentation WEB Isolate Intra-EPG Isolation Application Tier Policy Group TEST APP FW FW All Workloads Can Communicate PROD Application Lifecycle Segmentation DB Service Level Segmentation IP OS Linux ACI Benefits Name Video Application Tier Policy Group VMware VDS Microsoft Hyper-V KVM* Cisco AVS *Future Policy Driven Micro-Segmentation for Any Workload Physical

58 Cisco ACI Security Options Policy Driven Micro-Segmentation and Intra-EPG Isolation Quarantine Infected VMs With Guest OS = Linux Quarantine VM Intra-EPG Isolation + Micro-Segmentation FW PROD POD DMZ VLAN 1 VXLAN 2 DB EPG SHARED SERVICES Basic DC Segmentation DEV VLAN 3 Network-Centric Segmentation WEB IP = x FW OS = Linux FW Name = Video-* Micro-Segmentation Intra-EPG Isolation Web EPG Intra-EPG Isolation DB EPG TEST APP Attributes Based Micro-Segments (DVS, AVS, Hyper-V Switch, KVM*) Intra-EPG Isolation Local switching Local switching PROD Application Lifecycle Segmentation DB Service Level Segmentation Virtual Switch Hypervisor Web EPG DB EPG Flexible Segmentation * Note - Futures Hypervisor Agnostic Micro-segmentation For Any Virtual Workload Intra-EPG Isolation + Micro-segmentation For Any Workload (Physical, Virtual)

59 Intra-EPG Isolation 1.2.2x/11.2.2x release added Intra-EPG Isolation Support: 1. VMware DVS (i.e. AVS not required) 2. Bare Metal When Intra-EPG Isolation is enabled ALL endpoints in EPG are isolated (All Intra-EPG Isolation endpoints must be in the same EPG) Can isolate Physical and Virtual endpoints in same EPG Partial Intra-EPG isolation of endpoints is not supported

60 Micro-Segmentation Micro-Segmentation = Attributes based EPG + contract (optional) Attributes = VM attributes or Networking attributes such as IP, MAC 2 main use-cases: 1. Quarantine (i.e. no EPG contract), 2. Micro-Segments (with contract policy) 1.2.1x/11.2.1x release Adds Micro-Segmentation for: Microsoft Hyper-V 1.2.2x/11.2.2x release Adds Micro-Segmentation for see table below: VMware DVS * (i.e. AVS not required) * Note: L4 State and Connection Inspection requires ASA
Feature: ACI Release
    Micro-Segmentation, VMware + AVS: 1.1.1x/11.1.1x
    Micro-Segmentation, Microsoft Hyper-V: 1.2.1x/11.2.1x
    Micro-Segmentation, Multi-Hypervisor: 1.2.1x/11.2.1x
    Micro-Segmentation, VMware DVS: 1.2.2x/11.2.2x
    Intra-EPG Isolation: 1.2.2x/11.2.2x
    Intra-EPG Isolation + Micro-Segmentation: 1.2.2x/11.2.2x

61 Intra-EPG DVS Micro-Segmentation ASA-5500-X Joint Solution Proposal NW Only Stitching ASA 5500-X w/ FP Service 1. Intra-EPG Micro-Segmentation DVS: VM isolation with PVLAN gets traffic to Leaf Switch ACI Leaf: MAC/IP-EPG to re-classify traffic, Service Node NW Stitching 2. Stateful Firewall with ASA 5500-X Stateful Inspection & ASA Security Features FirePOWER Services 50k-1M IPS sessions

62 ACI Security Certifications Complete Target Complete Jan 16 Target Complete Jan/Feb 16 Complete Dec 15 Planning

63 Landscape of ACI Security Partners Orchestration PaaS Automation Security & Governance Analytics Enterprise Monitoring Operations Security Cloud Orchestration and Management Big Data & Analytics Northbound Partners Southbound Partners Open Infra. ADC L4-L7 Services Security Security & Services Fabric Attached Devices

64 EPG (End Point) Classification Server Virtual Machines & Containers Storage Client Endpoint == Workload unit connected to network directly or indirectly An endpoint has address (identity), location, attributes (version, patch level) Can be physical or virtual or container End Point Group (EPG) membership defined by: Ingress physical port (Leaf or FEX) Ingress logical port (VM port group) VLAN ID (EPG1, vlan 10 Permit port dest = 80 => epg2, vlan 20) VXLAN (VNID) IP Prefix/Subnet (so far only applicable to external/border leaf connectivity) VM-based attributes release IP address and subnet 1.2.1x/11.2.1x release (/32, /n) MAC address - Radar

65 IP Based EPGs Support for IP Based EPG on PhysDom, L2Out, and L3Out 1.2.1x/11.2.1x release: supports IP-EPG classification: Physical Leaf only Physical Domain (ie. no VMM domain) IP-EPG are very flexible and granular, can be defined for any IPv4 host (/32) or prefix (/n mask) IP-EPG derivation is based on longest-prefix match in HW Each IP-EPG gets its own class-id which is used as source-group or destination-group when a security policy (contract) is applied Only Inter-EPG policy contracts supported Note: L3 BD only, L2 BD cannot do IP-Learning IP-EPG will require E version of 93xx (Donner-C HW) L3Out == EPG_DNS L2Out = LXC_Web = LXC_App = LXC_App = EPG_Filer_ = EPG_Filer_ = EPG_Filer_3
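The IP-EPG derivation described on this slide, as an added example that is not part of the original deck: a small software model that classifies an address by longest-prefix match, takes the resulting class-id, and looks the flow up in a whitelist of contract rules. The prefixes, class-id values and contract rules are constructed for illustration; only the EPG names echo the slide, and return traffic is not modelled.

```python
import ipaddress

# Constructed sample data: prefixes and class-ids are illustrative, not from the slides.
IP_EPGS = [
    ("10.0.10.0/24",  "LXC_App",   0x4001),
    ("10.0.10.11/32", "LXC_Web",   0x4002),   # host carve-out inside the /24, same VLAN
    ("10.0.20.0/24",  "EPG_Filer", 0x4003),
]

# Whitelist: (source class-id, destination class-id, protocol, destination port).
# Any inter-EPG flow that is not listed is dropped.
CONTRACT_RULES = {
    (0x4002, 0x4001, "tcp", 8080),   # LXC_Web -> LXC_App
    (0x4001, 0x4003, "tcp", 2049),   # LXC_App -> EPG_Filer
}


class IpEpgTable:
    """Software model of IP-EPG derivation by longest-prefix match."""

    def __init__(self, entries):
        parsed = [(ipaddress.ip_network(p), name, cid) for p, name, cid in entries]
        # Longest prefix first, so the first hit is the most specific one.
        self._entries = sorted(parsed, key=lambda e: e[0].prefixlen, reverse=True)

    def classify(self, ip):
        """Return (epg_name, class_id) for ip, or None if no IP-EPG covers it."""
        addr = ipaddress.ip_address(ip)
        for net, name, cid in self._entries:
            if addr.version == net.version and addr in net:
                return name, cid
        return None


def evaluate(table, rules, src_ip, dst_ip, proto, dport):
    """Classify both ends, then apply the whitelist to the pair of class-ids."""
    src = table.classify(src_ip)
    dst = table.classify(dst_ip)
    if src is None or dst is None:
        return "deny", "unclassified endpoint"
    if src[1] == dst[1]:
        # Contracts are inter-EPG only; traffic inside one EPG is not filtered here.
        return "permit", f"intra-EPG {src[0]}"
    if (src[1], dst[1], proto, dport) in rules:
        return "permit", f"{src[0]} -> {dst[0]}"
    return "deny", f"no contract for {src[0]} -> {dst[0]} {proto}/{dport}"


if __name__ == "__main__":
    table = IpEpgTable(IP_EPGS)
    flows = [
        ("10.0.10.11", "10.0.10.20", "tcp", 8080),  # web container -> app container
        ("10.0.10.20", "10.0.10.11", "tcp", 8080),  # reverse direction, not whitelisted
        ("10.0.10.11", "10.0.20.5", "tcp", 2049),   # web must not reach the filer
        ("10.0.10.20", "10.0.20.5", "tcp", 2049),   # app -> filer
        ("192.0.2.7", "10.0.20.5", "tcp", 2049),    # source matches no IP-EPG
    ]
    for flow in flows:
        print(flow, evaluate(table, CONTRACT_RULES, *flow))
```

The /32 entry is what gives one container its own policy while it shares a VLAN and subnet with the others; removing it folds that host back into the /24's class-id and its contracts.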

66 IP Based EPG: Use Case 1 Shared Storage for Each Customer Different security policy is needed for logical storages which use same VLAN and same MAC, but different IP. VLAN 10 Storage ESXi ESXi ESXi ESXi Storage for customer A Storage for customer B Servers for Customer A Servers for Customer B

67 IP Based EPG: Use Case 2 Docker Containers Different security policy is needed for containers which use same VLAN, but different IP. VLAN = LXC_Web = LXC_App = LXC_App2

68 Microsoft Hyper-V Attribute Based EPG and Micro-Segmentation Feature Description This feature allows granular EPG derivation based on various VM attributes such as VM Name, Guest OS, MAC, IP etc. Prior to 1.2.1x/11.2.1x release, this feature is available for virtual endpoints attached with Cisco AVS Distributed Virtual Switch (B-release). It's not available with VMware DVS In 1.2.1x/11.2.1x release, we add this feature for ACI + SCVMM integration also. Note: This doesn't provide an Intra EPG security policy Use-case Isolate Malicious VM Create Security across Zones Benefits Without changing the port-group association of servers, extra security and segmentation can be provided

69 Microsoft Hyper-V: Use Case 1 Isolate a Malicious VM Problem: Vulnerability is detected in a particular type of operating system (e.g. Windows). Network security administrator would like to isolate all Windows VM. Solution: Define Security EPG with criterion as Operating System = Windows. No contracts are provided or consumed by this EPG. It will stop all inter-epg communication for the matching VMs. No VM attach/detach or placement of VM to a different port-group is needed. Web Web01 Linux Web02 Linux Web03 Win Web03 Win App App01 Linux App02 Linux App03 Win X Win EPG Criterion Attribute (OS = Windows) DB DB01 Linux DB02 Linux DB03 Win

70 Microsoft Hyper-V: Use Case 2 Security Across Zones Problem: VMs belonging to different departments (e.g. HR, Sales) or different roles (Production, Test) are placed in the port-group. But isolation across departments is required. (e.g. HR-Web-VM should not be able to talk to Sales-Web-VM) Solution: Define EPGs, which match if the VM Name contains a matching string (e.g. HR, Sales etc). Each Attribute based EPG can have their own security policies. Web App Web01 HR-Web01 Sales-Web01 App01 App02 App03 HR-Web X Criterion Attribute (VM name contains HR) Sales-Web Criterion DB DB01 DB02 DB03 Attribute (VM name contains Sales)
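The two Hyper-V use cases above, as an added example that is not part of the original deck: a model of attribute-based EPG derivation that shows which VMs a workload can still reach before and after a criterion is applied. The contracts, the EPG name Win-Quarantine and the first-match ordering of criteria are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    guest_os: str
    base_epg: str  # EPG of the port-group the VM is attached to


# Use case 1 inventory, following the slide's diagram (three tiers, mixed guest OS).
TIERS = [
    VM("Web01", "Linux", "Web"), VM("Web02", "Linux", "Web"), VM("Web03", "Windows", "Web"),
    VM("App01", "Linux", "App"), VM("App02", "Linux", "App"), VM("App03", "Windows", "App"),
    VM("DB01", "Linux", "DB"), VM("DB02", "Linux", "DB"), VM("DB03", "Windows", "DB"),
]
# Use case 2 inventory: both departments share the Web port-group.
ZONES = [VM("HR-Web01", "Linux", "Web"), VM("Sales-Web01", "Linux", "Web")]

# Constructed (consumer EPG, provider EPG) contracts for the three-tier application.
CONTRACTS = {("Web", "App"), ("App", "DB")}

# Attribute-based EPGs as (EPG name, criterion). First match wins (assumption).
# Win-Quarantine is a hypothetical name; it provides and consumes no contract.
QUARANTINE = [("Win-Quarantine", lambda vm: vm.guest_os == "Windows")]
DEPARTMENTS = [
    ("HR-Web", lambda vm: "HR" in vm.name),
    ("Sales-Web", lambda vm: "Sales" in vm.name),
]


def effective_epg(vm, useg_epgs):
    """An attribute match overrides the port-group EPG; the VM itself is not moved."""
    for epg, criterion in useg_epgs:
        if criterion(vm):
            return epg
    return vm.base_epg


def allowed(src, dst, useg_epgs, contracts):
    """Whitelist check between the effective EPGs of two VMs."""
    s, d = effective_epg(src, useg_epgs), effective_epg(dst, useg_epgs)
    if s == d:
        # The slides note that this feature gives no intra-EPG policy:
        # members of one EPG, the quarantine EPG included, still reach each other.
        return True
    return (s, d) in contracts


def reachable_from(vm, inventory, useg_epgs, contracts):
    """Names of the VMs that vm may open connections to."""
    return sorted(o.name for o in inventory
                  if o != vm and allowed(vm, o, useg_epgs, contracts))


if __name__ == "__main__":
    web03 = TIERS[2]
    print("Web03 before:", reachable_from(web03, TIERS, [], CONTRACTS))
    print("Web03 after: ", reachable_from(web03, TIERS, QUARANTINE, CONTRACTS))
    hr, sales = ZONES
    print("HR->Sales before:", allowed(hr, sales, [], CONTRACTS))
    print("HR->Sales after: ", allowed(hr, sales, DEPARTMENTS, CONTRACTS))
```

The second line of output is the point to check in a real deployment: quarantined VMs lose every inter-EPG path but can still reach one another unless Intra-EPG Isolation is also applied.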

71 Create useg EPG

72 L4-L7 Service Automation Support for all Devices Any Device and Cluster Manager Support L4-7 Service Automation L4-7 Services ACI Services Graph Available Now Futures L4- L7 Device Package No Device Package Service Cluster Manager Full L4-L7 Centralized Service Automation (With Device Package) Large Ecosystem and Investment Protection Centralized Network Automation (With NO Device Package) New support for L4-L7 Cluster Managers

73 Network Only Stitching Mode Insert Node between consumer EPG and provider EPG. Managed mode and un-managed mode can be combined into a single service graph.

74 2.1.1x/12.1.1x: PBR Support for Service Graph Routed Mode with Policy Based Routing Policy Redirect for EPG A to EPG C External FW Internal EPG C EPG A Direct Forwarding for EPG A to EPG B Single VRF EPG B

75 Cisco ACI + OpFlex Security OpenStack APIC ML2 Driver OpenStack Controller APIC ML2 Driver OpFlex Agent Offers: Security policy enforcement in OVS using IP-Tables by OpenStack (outside of APIC) L2/L3 forwarding in fabric Floating IP / NAT support Available 1.2.1x/11.2.1x Security Group Enforcement in OVS using IP-Tables APIC GUI integration / VMM Domain for OpenStack Statistics Service redirection Hypervisor V(X)LAN Open vSwitch OpFlex Agent Project 1 Project 2 Project 3 OpFlex Proxy Neutron Object Project Network Subnet Security Group + Rule APIC Object (ML2 Driver Mapping) Tenant EPG + BD Subnet IP Tables (outside of APIC by OpenStack) vm1 vm2 vm3 vm4 vm5 Router Network:external Contract L3Out / Outside EPG

76 APIC GBP Driver Security Implementation OVS via OpFlex and ACI Fabric Group Based Policy OpenStack Controller GBP APIC Driver OpFlex Agent Offers: Available 1.2.1x/11.2.1x Fabric Traffic Security Enforcement using ACI Whitelist Policy Hypervisor V(X)LAN Open vSwitch OpFlex Proxy OpFlex Agent Local traffic in Hypervisor: Security Group Enforcement in OVS using Open Flow gbp policy-classifier-create gbp policy-rule-create blah --actions allow Security policy enforcement in OVS via OF action and ACI Fabric via whitelist policy simultaneously Floating IP / NAT support APIC GUI integration / VMM Domain for OpenStack Statistics Project 1 Project 2 Project 3 vm1 vm3 vm5 vm2 vm4 Service redirection

77 ASA Multiple-Context in Service Graphs - Shipping Leaf1 Leaf2 Register ASA1 Active Contexts with APIC via MGMT IPs vpc2 PO2 FO vpc3 PO2 ASA2 Standby Admin context registers to APIC, which applies HA config to allow a sync of full configuration, so it can take over MAC/IP on Active failure Define a Port-Channel as a single logical interface connecting to multiple Leafs APIC creates sub-interfaces based on dynamically allocated VLAN from a pool, and in the System context it assigns Port-channel sub-interfaces to appropriate user context, Contexts A, B, and C ASA1 Active Context Admin Context A Context B Context C ASA2 Standby MGMT IP0 pre-config MGMT IP1 pre-config MGMT IP2 pre-config MGMT IP3 pre-config IPs, Interface and ACLs names, can now overlap between contexts APIC programs interfaces for user Context via CLI: interface Port-channel2.500 VLAN 500 context A allocate-interface Port-channel2.500 change-to context A interface Port-channel2.500 nameif consumer_internala ip address security-level 100 System Context User Context

78 Device Manager Package Device Manager Package is used to configure the controller of the Service Device (e.g. FireSIGHT) instead of configuring the Service Device 1.2.2x/11.2.2x release target for FirePOWER appliance FirePOWER Device Manager Package: FireSIGHT Credentials Internal/External Interfaces Virtual Inline Pair (more parameters possible) Cisco APIC Policy Element Device Model E.g. FireSIGHT Cluster Service Instances Cisco APIC Script Interface Device-Specific Python Scripts Device Interface: REST/CLI Service automation requires a vendor device package. It is a zip file containing Device specification (XML file) Device scripts (Python) Script Engine APIC Node Device Manager Service Instances

79 Operational Model with Device Manager 2. Create Application Networking and assign NGFW Service E.g. FireSIGHT 1. Create Security Policy for Application Panorama Network Admin 4. Assign security policy to firewall Security Admin 3. Network Configuration Hostname IP Address VLAN Security Zone 5. Security Configuration Security Policies Profiles Address Objects Insert firewall services between two EPGs All firewall security features can be applied

80 Chassis Device Package Virtual Service Instances In order to manage virtual services running on a single device the device package framework has been extended to define a chassis (1.2.1x/11.2.1x release) A chassis defines the device that contains the virtual service instances Specific attributes are associated with the chassis (VLAN IDs on ports) and others with the service instance Cisco APIC Policy Element Device Model Cisco APIC Script Interface Device-Specific Python Scripts Device Interface: REST/CLI Service automation requires a vendor device package. It is a zip file containing Device specification (XML file) Device scripts (Python) Script Engine Script Engine APIC Node Virtual Service Instances Cluster Service Instances Chassis

81 The Attack Continuum Consistent Protection for ANY Workload 24x7 Detect Deep Traffic inspection Visibility Centralized Policy Orchestration and Distributed Sensors Secure Multi-Tenancy with Whitelisting Per-Application Micro Segmentation Discover Enforce Harden Continuous Solution Block Defend Threat-Centric Protection Real-Time Threat Intelligence Threat Centric Scope Forensic Analysis Compliance Contain Dynamic Workload Quarantine Remediate Remediation and Return to Production 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 86

82 Firepower Services for ACI Intelligent Threat Defense Intelligent Remediation Contracts Service Graph Basic configuration and health FireSIGHT Management Center Alerts Network Visibility Policy Management Analytics Remediation Policy and events Application Policy Infrastructure Controller (APIC) ACI Fabric EPG Web NGIPS/NGFW Advanced Malware Protection EPG Internet

83 Security Feedback Loop ESXi FirePOWER Appliance SPAN Traffic N9K Leaf Switch UNT PUBLIC Attack FW FireSIGHT Management Center NGIPS Trusted No Graph Relaxed REST calls to APIC NB API CORP Move IP to Quarantine APIC QUA FW Strict REM ACI Fabric

84 Cisco Security in ACI Integration Models Netflow and Syslogs Firepower Services Embedded Module Visibility and Real-Time Alerts Threat Policy Configuration Access Policy Configuration Data Plane to ACI Fabric ASA Device Package ASA with Firepower Fully Managed ASA Device Service Graph Segmentation Data Plane to ACI Fabric Firepower Device Manager Package Firepower Partially Managed Firepower Device

85 ASA and Firepower Advantages for Cisco ACI
Stateful Capacity Scaling: Cisco ACI only performs stateless load-balancing; firewall cluster scales with state, HA, elasticity, and embedded threat protection
Consistency Across Platforms and Protocols: Maintain similar high performance for all clients, applications, and protocols; ease of future expansion
Universal Attachment: Link aggregation with LACP; VLAN insertion into Cisco ACI; full interoperability with fabric leaf nodes
Portable Architecture: Same feature set in both physical and virtual form factors; consistent performance across platforms
Balance Security and Performance: Identify and block malicious traffic; remediate infected EPs; allow monitor-only and reduced inline inspection where most applications are known, to optimize use of resources while providing necessary visibility
Diagram labels: Policy Contract, Cisco ACI Fabric

86 Cisco ACI and Cisco Advanced Security Better Together Protection Across the Entire Continuum Cisco Advanced Security ASA / FirePOWER / AMP APIC Full APIC integration Highest Rated NGIPS* Highest Rated Breach Detection** Native ACI Security World's Most Deployed NGFW Real-time Threat Intelligence vm vm phy Centralized Policy Automation Secure Multi-Tenancy with Whitelisting Context-aware Segmentation NGIPS/NGFW Virtual and Physical Advanced Malware Protection Group Policy Industry Compliance Standards (PCI) Addresses Data Center Challenges: Threat-centric, Visibility, Compliance

87 ACI Provides Secure Path to Authenticate Endpoints
Base EPG: Pre-Authenticated Endpoints. IP-EPG: Authenticated Endpoints.
Step 1:
  1. ACI isolates all endpoints in Base EPG
  2. Fabric implements whitelist policy
  3. Base EPG only provides uni-directional access to JPMC Authentication Server
Step 2:
  1. If endpoint authentication fails, it remains in Base EPG
  2. If endpoint authentication passes, JPMC server makes REST API call to APIC
  3. Provides attributes of the endpoint APIC and Target EPG membership
Step 3:
  1. REST API call to APIC
  2. Provide endpoint IP attribute for JPMC IP-EPG membership
Step 4:
  1. ACI moves authenticated endpoints out of Base EPG
  2. Installs endpoints into JPMC IP-EPG
Diagram labels: ESXi, Hyper-V, Bare-Metal Servers, Bank-x IP-EPG, Base EPG, Bank Authentication Server, APIC, ACI Fabric

88 Dot1x Endpoint Authentication Solution Just added to Roadmap Dot1x Authentication Fails Dot1x Authentication Pass ESXi ESXi Hyper-V ACI Leaf Bank EPG Hyper-V ACI Leaf Bank EPG Bare- Metal Servers Bare- Metal Servers

89 Extending ACI Fabric Outside DC

90 1.2.1x/11.2.1x ASA Device Package Enhancement: ACI and TrustSec Leveraging ASA + SXP
1. Corporate users on traditional Nexus 7000 in Corp EPG get assigned SGT values by ISE
2. ASA learns SGT mappings OOB through SXP
3. Coarse filtering: ACI Policy Contract allows all traffic from corporate network to database, redirects to ASA
4. Fine filtering: ASA permits only Engineering to access database from corporate based on SGT
APIC Policy Contract: Corp -> DB: Allow, Redirect to ASA; All Other: Drop
ASA rules (Source / Destination / Action): Engineering [SGT 333] / Any / Allow; Any / Any / Deny
Diagram labels: ACI Fabric, Marketing, Engineering, SXP, DB EPG, Corp EPG, ISE
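The two-stage decision on this slide, worked through as an added example (not from the presentation): a Python model of the coarse ACI contract check followed by the ASA's first-match SGT rules. The subnets, host addresses and the Marketing SGT value 444 are constructed; SGT 333 for Engineering, the contract and the ASA rule table come from the slide.

```python
"""Added example: coarse (ACI contract) then fine (ASA + SGT) filtering.
All subnets and host addresses below are constructed for illustration."""
from ipaddress import ip_address, ip_network

# EPG classification at the fabric edge (constructed subnets).
EPG_SUBNETS = {
    "Corp": ip_network("10.10.0.0/16"),
    "DB": ip_network("10.20.0.0/24"),
}

# Stage 1: APIC policy contract from the slide.
# Corp -> DB is allowed and redirected to the ASA; all other pairs drop,
# because the fabric is a whitelist: no contract means no forwarding.
CONTRACTS = {("Corp", "DB"): "redirect-to-asa"}

# IP -> SGT bindings the ASA learned out of band over SXP (constructed).
# 333 = Engineering is from the slide; 444 = Marketing is an assumed value.
SXP_BINDINGS = {
    ip_address("10.10.1.10"): 333,
    ip_address("10.10.2.20"): 444,
}

# Stage 2: ASA rules from the slide, first match wins. None means "Any".
ASA_RULES = [
    {"src_sgt": 333, "dst_epg": None, "action": "allow"},
    {"src_sgt": None, "dst_epg": None, "action": "deny"},
]


def classify_epg(ip):
    """Map an address to its EPG, or None if the fabric does not know it."""
    addr = ip_address(ip)
    for epg, subnet in EPG_SUBNETS.items():
        if addr in subnet:
            return epg
    return None


def evaluate(src_ip, dst_ip):
    """Return (verdict, enforcement_point) for a new flow src -> dst.

    Only flow initiation is modelled; return traffic is not considered.
    """
    src_epg, dst_epg = classify_epg(src_ip), classify_epg(dst_ip)

    # Coarse filter: the contract only knows EPGs, not users or groups.
    if CONTRACTS.get((src_epg, dst_epg)) != "redirect-to-asa":
        return ("drop", "aci-contract")

    # Fine filter: the ASA matches on the source SGT it learned via SXP.
    # A host with no binding has sgt None and can only hit Any/Any rules,
    # so a missing or withdrawn binding fails closed.
    sgt = SXP_BINDINGS.get(ip_address(src_ip))
    for rule in ASA_RULES:
        if rule["src_sgt"] not in (None, sgt):
            continue
        if rule["dst_epg"] not in (None, dst_epg):
            continue
        return (rule["action"], "asa-sgt-rule")
    return ("deny", "asa-implicit")


def evaluate_all(flows):
    """Evaluate a list of (label, src, dst) flows; returns label -> result."""
    return {label: evaluate(src, dst) for label, src, dst in flows}


# Constructed sample flows covering each outcome.
SAMPLE_FLOWS = [
    ("engineering -> db", "10.10.1.10", "10.20.0.5"),
    ("marketing -> db", "10.10.2.20", "10.20.0.5"),
    ("corp host without SXP binding -> db", "10.10.3.30", "10.20.0.5"),
    ("outside host -> db", "192.0.2.7", "10.20.0.5"),
    ("db -> corp", "10.20.0.5", "10.10.1.10"),
]

if __name__ == "__main__":
    for label, result in evaluate_all(SAMPLE_FLOWS).items():
        print(f"{label:40s} {result[0]:6s} at {result[1]}")
```

The third sample flow is the case worth checking in a real deployment: a Corp endpoint whose SXP binding is missing passes the fabric contract but is denied at the ASA.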

91 Network Layer Controller Layer ACI + TrustSec Policy Plane Integration ISE Policy Domain ISE 1. Exchange SG/EPG Names 2. Exchange IP->SG/EPG Bindings APIC Policy Domain User IP->SGT Bindings Server IP-> EPG bindings SXP S User classification CMD/SGT SXPv4 Propagation Campus Enforcement Enterprise Core SGT not propagated in data plane ACI Border Leaf ivxlan ivxlan Propagation DC Enforcement Server classification

92 Add a New Host IP/SGT in ISE New IP Address BYOD SGT Assigned (Could also be learned over SXP)

93 BYOD EPG Now Contains Our New Host Available for Use in ACI Policies

94 ACI + TrustSec Phase 2 (release 2.1.1x/12.1.1x): Dataplane Integration with TrustSec Switch/Router (e.g. ASR1k). ASR implements ACI and TrustSec Policy and Data Plane Integration: 1. ASR maps SGT to EPG 2. ASR instantiates an EPG and adds IVXLAN dataplane 3. Sends packet to ACI fabric for contract enforcement

95 Conclusion: ACI= Advanced Security

96 ACI Addresses the Security Challenge in the DC. Strategic Security Imperatives Addressed by ACI: Security Expressed in Application Constructs & Language; Simplified Policy Based Multi-Tenancy & Micro-Segmentation; Network Services Automation, Open Eco-System; Visibility, Analytics, Forensics, Threat Mitigation; Automate Compliance, Centralized Auditing & Logging; Centralized Security Across Physical and Virtual. Diagram labels: Endpoint, Network, Virtual, Cloud

97 Cisco ACI Takeaways Cisco Application Centric Infrastructure Physical & Virtual Fixed Workloads Variable Workloads SPEED SECURITY TELEMETRY POLICY NETWORK and SERVICES Delivered in minutes INHERENT Security and INTEGRATION Rich TELEMETRY & Application HEALTH SCORE Policy-based deployment/governance Physical & virtual OPEN and AGNOSTIC

98 Cisco Data Center Security Network Analytics: Multi-Tier Sensor Data Gathering (hardware and software) Embedded L4 Security Embedded Sensors Next Gen Stateful L4-7 Visibility and Control Identity and Policy Federation Firewall at Each Leaf switch Servers (Physical, Virtual, Containers, Micro Services) L4-7 Security Services (physical or virtual, location independent) Branch QoS Filter Web1 QoS Service App1 QoS Filter DB Policy Driven Security Architecture

99 Differentiation for Nexus/ACI Solutions - Contiv WEB APP DB ACI: Automated Networking, Policies, Prioritization, network uniformity for various workloads App1 App2 Native Apps: Better Visibility, Diagnostics, Analytics, Interoperable Standards Based App1 App2 Network SLAs for Applications: App to App with physical infrastructure integration

100 Contiv Provides Policy-Rich Container Networking Integrates with Cisco Nexus and ACI Application Composition + Policy Intent Contiv Master Contiv.io is an open-source project that creates a policy framework in different domains of containers Network Policies: Policies for Application Security, Prioritization, and Network Resource Allocation Docker Kubernetes Mesos Plugin Agents Network Services for Apps (Virtual or Physical Service appliances) Analytics/Diagnostics Node 1 Node2 Node-n Integrates with Cisco ACI, Nexus, and UCS Solutions Status: Beta

101 Hypervisors, Isolation, Segmentation - Unikernels. Unikernels, also known as virtual library operating system. Microsoft Drawbridge architecture (Image Credit: Microsoft Research)

102 Why ACI is Best for Micro-Segmentation
Micro-segmentation works for all workloads (bare metal, virtual, containers, management, backup).
Same policy model for vSphere, Hyper-V, OpenStack, Containers and Bare Metal.
With ACI 1.2, support for up to 10 vCenter (supports 5.1, 5.5 and 6.0) and up to 10,000 servers.
Works with standard virtual switch offerings, including VMware VDS, OVS, MSFT vSwitch (AVS is optional for vSphere).
Stateful firewall when using Cisco AVS on vSphere at no extra cost, with better performance in the VMware environment.

103 Complete Your Online Session Evaluation Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site Visit any Cisco Live Internet Station located throughout the venue T-Shirts can be collected Friday 11 March at Registration Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations.

104 Thank you


More information

Cisco Virtual Networking Solution for OpenStack

Cisco Virtual Networking Solution for OpenStack Data Sheet Cisco Virtual Networking Solution for OpenStack Product Overview Extend enterprise-class networking features to OpenStack cloud environments. A reliable virtual network infrastructure that provides

More information

Cisco ACI Virtualization Guide, Release 2.2(2)

Cisco ACI Virtualization Guide, Release 2.2(2) First Published: 2017-04-11 Last Modified: 2018-01-31 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)

More information

PSOACI Why ACI: An overview and a customer (BBVA) perspective. Technology Officer DC EMEAR Cisco

PSOACI Why ACI: An overview and a customer (BBVA) perspective. Technology Officer DC EMEAR Cisco PSOACI-4592 Why ACI: An overview and a customer (BBVA) perspective TJ Bijlsma César Martinez Joaquin Crespo Technology Officer DC EMEAR Cisco Lead Architect BBVA Lead Architect BBVA Cisco Spark How Questions?

More information

The Virtualisation Security Journey: Beyond Endpoint Security with VMware and Symantec

The Virtualisation Security Journey: Beyond Endpoint Security with VMware and Symantec The Virtualisation Security Journey: Beyond Endpoint Security with VMware and Symantec James Edwards Product Marketing Manager Dan Watson Senior Systems Engineer Disclaimer This session may contain product

More information

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer Cisco Next Generation Firewall and IPS Dragan Novakovic Security Consulting Systems Engineer Cisco ASA with Firepower services Cisco TALOS - Collective Security Intelligence Enabled Clustering & High Availability

More information

Cisco Application Centric Infrastructure (ACI) - Endpoint Groups (EPG) Usage and Design

Cisco Application Centric Infrastructure (ACI) - Endpoint Groups (EPG) Usage and Design White Paper Cisco Application Centric Infrastructure (ACI) - Endpoint Groups (EPG) Usage and Design Emerging IT technologies have brought about a shift from IT as a cost center to IT as a business driver.

More information

Configuring Policy-Based Redirect

Configuring Policy-Based Redirect About Policy-Based Redirect, on page 1 About Multi-Node Policy-Based Redirect, on page 3 About Symmetric Policy-Based Redirect, on page 3 Policy Based Redirect and Hashing Algorithms, on page 4 Policy-Based

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme NET1949BU Seamless Network Connectivity for Virtual and Bare-metal s with NSX Suresh Thiru Sridhar Subramanian VMworld 2017 Content: Not for publication VMworld 2017 - NET1949BU Disclaimer This presentation

More information

Orchestration: Accelerate Deployments and Reduce Operational Risk. Nathan Pearce, Product Development SA Programmability & Orchestration Team

Orchestration: Accelerate Deployments and Reduce Operational Risk. Nathan Pearce, Product Development SA Programmability & Orchestration Team Orchestration: Accelerate Deployments and Reduce Operational Risk Nathan Pearce, Product Development SA Programmability & Orchestration Team Agenda 1 2 3 Industry Trends Customer Journey Use Cases 2016

More information

Cisco Tetration Analytics

Cisco Tetration Analytics Cisco Tetration Analytics Real-time application visibility and policy management using advanced analytics Yogesh Kaushik, Sr. Director Product Management PSOACI-2100 Agenda Market context Introduction:

More information

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Cisco Firepower NGFW. Anticipate, block, and respond to threats Cisco Firepower NGFW Anticipate, block, and respond to threats You have a mandate to build and secure a network that supports ongoing innovation Mobile access Social collaboration Public / private hybrid

More information

Real World ACI Deployment and Migration

Real World ACI Deployment and Migration Real World ACI Deployment and Migration #clmel Kannan Ponnuswamy Solution Architect Cisco Advanced Services Icons and Terms APIC Application Policy Infrastructure Controller (APIC) Cisco Nexus 9500 Cisco

More information

Initial Setup. Cisco APIC Documentation Roadmap. This chapter contains the following sections:

Initial Setup. Cisco APIC Documentation Roadmap. This chapter contains the following sections: This chapter contains the following sections: Cisco APIC Documentation Roadmap, page 1 Simplified Approach to Configuring in Cisco APIC, page 2 Changing the BIOS Default Password, page 2 About the APIC,

More information

Cisco Tetration Analytics Demo. Ing. Guenter Herold Area Manager Datacenter Cisco Austria GmbH

Cisco Tetration Analytics Demo. Ing. Guenter Herold Area Manager Datacenter Cisco Austria GmbH Cisco Tetration Analytics Demo Ing. Guenter Herold Area Manager Datacenter Cisco Austria GmbH Agenda Introduction Theory Demonstration Innovation Through Engineering

More information

Cisco ACI Virtualization Guide, Release 2.1(1)

Cisco ACI Virtualization Guide, Release 2.1(1) First Published: 2016-10-02 Last Modified: 2017-05-09 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)

More information

Introducing VMware Validated Designs for Software-Defined Data Center

Introducing VMware Validated Designs for Software-Defined Data Center Introducing VMware Validated Designs for Software-Defined Data Center VMware Validated Design 4.0 VMware Validated Design for Software-Defined Data Center 4.0 You can find the most up-to-date technical

More information

VMWARE SOLUTIONS AND THE DATACENTER. Fredric Linder

VMWARE SOLUTIONS AND THE DATACENTER. Fredric Linder VMWARE SOLUTIONS AND THE DATACENTER Fredric Linder MORE THAN VSPHERE vsphere vcenter Core vcenter Operations Suite vcenter Operations Management Vmware Cloud vcloud Director Chargeback VMware IT Business

More information

Introducing VMware Validated Designs for Software-Defined Data Center

Introducing VMware Validated Designs for Software-Defined Data Center Introducing VMware Validated Designs for Software-Defined Data Center VMware Validated Design for Software-Defined Data Center 4.0 This document supports the version of each product listed and supports

More information

Huawei CloudFabric and VMware Collaboration Innovation Solution in Data Centers

Huawei CloudFabric and VMware Collaboration Innovation Solution in Data Centers Huawei CloudFabric and ware Collaboration Innovation Solution in Data Centers ware Data Center and Cloud Computing Solution Components Extend virtual computing to all applications Transform storage networks

More information

Cisco Tetration Analytics

Cisco Tetration Analytics Cisco Tetration Analytics Enhanced security and operations with real time analytics John Joo Tetration Business Unit Cisco Systems Security Challenges in Modern Data Centers Securing applications has become

More information

Practical Applications of Cisco ACI Micro Segmentation

Practical Applications of Cisco ACI Micro Segmentation BRKACI-2301 Practical Applications of Cisco ACI Micro Segmentation @JuanLage, Principal Engineer INSBU Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find

More information

Cisco ACI Simulator Release Notes, Release 2.2(3)

Cisco ACI Simulator Release Notes, Release 2.2(3) Cisco ACI Simulator Release Notes, Release 2.2(3) This document provides the compatibility information, usage guidelines, and the scale values that were validated in testing this Cisco ACI Simulator release.

More information

Verified Scalability Guide for Cisco APIC, Release 3.0(1k) and Cisco Nexus 9000 Series ACI-Mode Switches, Release 13.0(1k)

Verified Scalability Guide for Cisco APIC, Release 3.0(1k) and Cisco Nexus 9000 Series ACI-Mode Switches, Release 13.0(1k) Verified Scalability Guide for Cisco APIC, Release 3.0(1k) and Cisco Nexus 9000 Series ACI-Mode Switches, Release 13.0(1k) Overview 2 General Scalability Limits 2 Fabric Topology, SPAN, Tenants, Contexts

More information

Pasiruoškite ateičiai: modernus duomenų centras. Laurynas Dovydaitis Microsoft Azure MVP

Pasiruoškite ateičiai: modernus duomenų centras. Laurynas Dovydaitis Microsoft Azure MVP Pasiruoškite ateičiai: modernus duomenų centras Laurynas Dovydaitis Microsoft Azure MVP 2016-05-17 Tension drives change The datacenter today Traditional datacenter Tight coupling between infrastructure

More information

Real World ACI Deployment and Migration Kannan Ponnuswamy, Solutions Architect BRKACI-2601

Real World ACI Deployment and Migration Kannan Ponnuswamy, Solutions Architect BRKACI-2601 Real World ACI Deployment and Migration Kannan Ponnuswamy, Solutions Architect BRKACI-2601 Icons and Terms APIC Application Policy Infrastructure Controller (APIC) Cisco Nexus 9500 Cisco Nexus 9300 Nexus

More information