Building an End-End Policy Driven Secure Hybrid Cloud DC Architecture


2 BRKSEC-2980 Building an End-End Policy Driven Secure Hybrid Cloud DC Architecture David Jansen CCIE #5952 DSE

3 Cisco Spark: Questions? Use Cisco Spark to communicate with the speaker after the session.
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#brksec
BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Abstract: Building an End-End Policy Driven Secure Hybrid Cloud DC Architecture [BRKSEC-2980]
This session will introduce a hybrid multi-cloud design with workloads deployed in a combination of on-premises DCs and colocation-facility-based cloud hubs with access to public IaaS services and SaaS-based applications. We will introduce embedded, fabric-based network security services using multi-tenancy, network segmentation, and micro-segmentation to provide security controls. We will expand fabric-provided security to incorporate attached L4-L7 stateful security services for more rigorous compliance and regulatory requirements. Finally, we will review protecting cloud-based workloads, creating cloud aggregation transit security hubs, and using virtualized security services (VNFs). The goal is to outline a security framework architecture that highlights the 5-6 critical security technologies customers should be factoring into design, architecture, and services to most effectively protect themselves. Employing this foundational blueprint across Campus, on-premises DC and cloud workloads will enable customers to add more specialized security capabilities and services in the future to further strengthen their aggregate posture. Included in this design and covered in this session are the following key technology pillars that represent the security baseline:
- Identity management
- Segmentation & multi-tenancy
- Visibility & telemetry
- Next generation FW / Malware defense
- Cloud broker / data protection
- Security & policy communications

5 David Jansen, CCIE #5952, Distinguished System Engineer (DSE), Global Enterprise Segment Platforms

6 Home is Michigan. Season in Michigan? Winter. The weather has been 25 degrees F, which is about -32 C. Michigan is known for? But most importantly:

7 Reference Sessions
- BRKSEC-2048: Demystifying ACI Security
- BRKSEC-2059: Deploying ISE in a Dynamic Environment
- BRKSEC-3699: Designing ISE for Scale & High Availability
- BRKSEC-3229: ISE under the magnifying glass. How to troubleshoot ISE

8 Agenda
- Problem Statement + Intro
- Data Center / co-lo / Cloud
- Campus / Branch
- Data Center + Campus / Branch
- Extending Policy to Public IaaS: Transit VPC with TrustSec; Cisco Cloud Policy Platform (CPP); ACI Anywhere; Policy Discovery, Visibility and Enforcement with Tetration
- Putting it all together
- Q&A

9 Problem Statement
- There are a multitude of domains at play in modern IT infrastructure
- Historically, domains have been totally independent and not federated
- Operations need to move towards a consolidated view with federated information across the different policy domains

10 Where should you start?
- Business case: regulatory requirements (PCI, HIPAA, Gov't, BSI, SSI) result in segmentation (put scope around the segmentation)
- Exec sponsor: you have to have one
- Start with PIN vs. use case, i.e. do you start at the DC first, or do you start with the users?
- What tools do you have to help with the process? "Help me deploy segmentation w/o being fired"

11 Who Defines the Policy?
- Compliance / Policy (Risk Management (IRM))
- SecOps
- DevOps
- NetOps

12 The Goal: to build an end-to-end architecture, Branch to Campus/WAN to DC/Cloud, resulting in:
- End to End Visibility
- End to End Segmentation
- End to End Policy across Infrastructure / Users / Devices groups, Security Services groups, and Applications / Data
- Normalize policy constructs used across multiple domains

13 Group-Based Policy Domains. Cloud environments and vendor-specific domains are increasingly using group-based policies: ACI Endpoint Groups (EPG), ISE/TrustSec Security Group Tags (SGT), Tetration Analytics Platform Clusters, Port Groups, Object Groups / Secure Groups, StealthWatch host-groups, and cloud Security Groups / Network Security Groups. However, group membership is not shared between domains, and the policy domains are managed independently (increased Opex).

14 All of the Components (Level Set). Diagram of the components, Cisco Tetration Analytics Platform, APIC, Stealthwatch and Cloud Policy Platform, shown as policy definition sources and as policy consumption / enforcement points.

15 Data Center

16 Where are the Applications / Data being deployed? Three deployment models: Private First, Cloud All-In, and Cloud First (Hybrid). Diagram: employees, badge employees, vendors, partners and customers reaching apps in the private DC, a neutral facility DMZ, the public cloud and Internet SaaS, with the hybrid model showing roughly 50% of apps in each.

17 ACI Fabric Overview. Diagram: APIC-managed fabric with Outside, Web, App and DB EPGs; QoS policies per tier, LB and FW service policies, and an access policy toward Intranet / WAN / Campus, Extranet and Internet.

18 ACI Policy Model. A Tenant (CiscoLive Barcelona) contains Contexts (VRF A, VRF B); each Context contains Bridge Domains (BD); Bridge Domains contain Subnets (Subnet A, Subnet B); Endpoint Groups (EPG A, EPG B, EPG C) sit within them. EPG = Group of Applications.

19 Network Centric Mode: VLAN = EPG (EPG-A, EPG-B, EPG-n, each with its own endpoints)
- Connect non-ACI networks to ACI leaf nodes
- Connect at L2 with VLAN trunks (802.1Q)
- Objective: map VLANs to EPGs, extending the policy model to non-ACI networks

20 ACI Policy Model: EPG to EPG Communication. Example: EPG-A provides policies (Allow HTTP, Allow ICMP) and EPG-n consumes them. Zero Trust Security Model.
- Need to define a Contract (Policy).
- A contract is used to specify the interaction between two EPGs, a provider/consumer pair.
- The goal is to provide a global policy view that focuses on improving automation and scalability.
- You have the option to change the default from white-list (enforced) to Unenforced VRFs, i.e. IP any any.

21 ACI Policy Model: uEPG Communication. Example: a uEPG of BM hosts provides policies (Allow HTTP, Allow ICMP) that are consumed within the same group. Zero Trust Security Model.
- Need to define a Contract (Policy).
- A contract is used to specify the interaction within a uEPG, a provider/consumer pair.
- The goal is to provide a global policy view that focuses on improving automation and scalability.

22 Campus / Branch

23 ISE/SDA/TrustSec Policy Types (DNA-C + SDA)
- Access Policy (ISE): Authentication & Authorization. Who goes in which group, based on which criteria; authentication methods.
- Access Control Policy (TrustSec): Who can access what. Rules for cross-group access; permit/deny group to group.

24 SD-Access High Level Topology. Diagram: Internet / WAN, Fabric border-node, Fabric Core intermediate-nodes, Fabric Aggregation intermediate-node, Fabric edge-nodes.

25 SDA/TrustSec Policy Model. Virtual Network (VRF A) with Subnet A and Virtual Network (VRF B) with Subnet B; endpoints are classified by VLAN, Interface or Host-IP/32 into SGT A, SGT B, SGT C. SGT = Group of Users.

26 Cisco SDA (TrustSec): Simplified access control with Group Based Policy
- Classification (ISE): static or dynamic SGT assignments at the access node (Employee Tag, Supplier Tag, Non-Compliant Tag, Voice), independent of VLAN A / VLAN B
- Propagation: carry group context through the fabric using only the SGT
- Enforcement: group based policies (ACLs, firewall rules) at the border node or firewall, in front of shared services and application servers. Enforcement points receive policy for only what is connected.

27 SDA Access Control Two Level Hierarchy, Macro Level: Virtual Network (VN). First level segmentation that ensures zero communication between specific groups. Ability to consolidate multiple networks into one management plane. Example: Building Management VN, Campus Users VN.

28 SDA Access Control Two Level Hierarchy, Micro Level: Scalable Group (SG). Second level segmentation ensures role based access control between two groups within a Virtual Network (e.g. Finance SG and Network Employee SG inside the Campus Users VN). Provides the ability to segment the network into either lines of business or functional blocks. Can also write a policy such as: sgt1 <-> sgt1 = deny ip

29 Data Center + Campus/Branch

30 ISE/TrustSec/SDA + APIC Identity. Diagram: APIC and ISE exchanging identity.

31 Enabling Group-Based Policies Across the Enterprise. Goal: Consistent Security Policy.
- Groups and Identity shared between TrustSec and ACI domains
- Allow TrustSec security groups to be used in ACI policies
- Allow ACI EndPoint Groups to be used in policies across the Enterprise
- Simplified management of security appliances using both TrustSec and ACI classifications
Diagram: TrustSec Policy Domain (Campus / Branch / Non-ACI DC, ISE 2.1; Voice, Employee, Supplier, BYOD on the Voice VLAN / Data VLAN) alongside the ACI Policy Domain (APIC, Data Center; Web, App, DB in the ACI Fabric).

32 Enabling Group-based Policies across the Enterprise. Diagram: Shared Policy Groups between the TrustSec Policy Domain (SG-FW, SG-ACL) and the APIC Policy Domain (Contract); Voice, Employee, Supplier and BYOD groups on the campus side and Web, App, DB on the ACI side.

33 TrustSec/SDA SGT Info Used in ACI Policies. Controller layer: ISE exchanges the SGT name (Auditor) and its bindings with APIC, where it appears as an EPG named Auditor (Groups = PCI). Network layer: a frame leaves the campus fabric carrying SGT 5, crosses as plain Ethernet/IP to the ACI Border Leaf (N9K), and is classified into the Auditor ACI EPG across the spine and leaf (N9K). Scalable Groups are available in ACI Policies.

34 ACI EPG Info Used in SDA/TrustSec Policies. Controller layer: ISE retrieves the EPG name (PCI EPG) and its endpoints from APIC and propagates the bindings (Auditor, PCI EPG, PCI EPG endpoint) with SXP. Network layer: campus traffic is tagged SGT Auditor; the retrieved groups Auditor and PCI EPG are available in TrustSec policies, and traffic reaches the ACI Border Leaf (N9K) as plain Ethernet/IP. Endpoint Groups are available in TrustSec Policies.

35 Firewall Deployment Option(s): Single VN, Endpoint to Application. ISE provides the SGT in Campus/WAN; SGT in-line tagging is optional. The firewall learns IP-address-to-SGT mappings (PCI Users, LOB2 Users, PCI_DB, PCI_App_EPG) via SXP/pxGrid, so a packet from PCI_Users (SGT 5) to PCI_App is matched by the SG-FW rule: SGT PCI_Users, DGT PCI_App, permit ip.
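The contract model of slide 20 and the group exchange of slides 33-35 come down to the same operation at an enforcement point: resolve each IP address to a group, whichever domain learned it, then look up the (source group, destination group) pair in a whitelist. The following Python is an added example, not code from the session or from any Cisco product; every address, group name, SGT number and rule in it is constructed for illustration. It merges IP-to-SGT bindings (as ISE would carry over SXP) with endpoint-to-EPG learning (as APIC exposes it, with ISE assigning an SGT per EPG) into one longest-prefix table, and evaluates flows against a group-to-group policy, with an option that models an unenforced VRF.

```python
"""Added example (not from the BRKSEC-2980 deck): one group-to-group policy
lookup fed by both policy domains, TrustSec IP-to-SGT bindings from ISE and
EPG membership learned from APIC, in the spirit of slides 20 and 33-35.
Every address, group name, SGT number and rule below is constructed for the
example; none of them come from the session."""
import ipaddress

# IP-to-SGT bindings as ISE would distribute them over SXP (constructed).
ISE_SGT_BINDINGS = {
    "10.1.1.0/24": ("PCI_Users", 5),
    "10.1.1.77/32": ("Auditor", 7),     # a single host inside the PCI_Users subnet
    "10.1.2.0/24": ("LOB2_Users", 6),
}

# Endpoint-to-EPG learning from APIC, plus the SGT that ISE assigns to each EPG
# so the EPG can be referenced in TrustSec policies (slide 34). Constructed.
APIC_EPG_ENDPOINTS = {
    "192.168.10.11/32": "PCI_App_EPG",
    "192.168.10.12/32": "PCI_App_EPG",
    "192.168.20.5/32": "PCI_DB",
}
EPG_TO_SGT = {"PCI_App_EPG": 20, "PCI_DB": 21}

# Group-to-group whitelist: (source group, destination group) -> allowed
# (protocol, destination port) entries. "ip" with port None means permit ip,
# as in the SG-FW rule on slide 35. Anything not listed is denied.
POLICY = {
    ("PCI_Users", "PCI_App_EPG"): [("ip", None)],
    ("Auditor", "PCI_App_EPG"): [("tcp", 443)],
    ("PCI_App_EPG", "PCI_DB"): [("tcp", 1433)],
}


def build_group_table():
    """Merge both domains into one list of (network, group name, SGT),
    ordered longest prefix first so the most specific binding wins."""
    table = []
    for prefix, (name, sgt) in ISE_SGT_BINDINGS.items():
        table.append((ipaddress.ip_network(prefix), name, sgt))
    for prefix, epg in APIC_EPG_ENDPOINTS.items():
        table.append((ipaddress.ip_network(prefix), epg, EPG_TO_SGT[epg]))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def classify(ip, table):
    """Return (group name, SGT) for an address, or ("Unknown", 0)."""
    addr = ipaddress.ip_address(ip)
    for net, name, sgt in table:
        if addr in net:
            return name, sgt
    return "Unknown", 0


def is_permitted(src_ip, dst_ip, proto, dport, table, enforced=True):
    """Evaluate a flow against the group policy.

    Returns (allowed, source group, destination group). enforced=False
    models an unenforced VRF (slide 20), where the result is IP any any."""
    src, _ = classify(src_ip, table)
    dst, _ = classify(dst_ip, table)
    if not enforced:
        return True, src, dst
    for rule_proto, rule_port in POLICY.get((src, dst), []):
        if rule_proto == "ip" or (rule_proto == proto and rule_port == dport):
            return True, src, dst
    return False, src, dst


if __name__ == "__main__":
    table = build_group_table()
    flows = [
        ("10.1.1.20", "192.168.10.11", "tcp", 22),    # PCI_Users -> PCI_App: permit ip
        ("10.1.1.77", "192.168.10.11", "tcp", 22),    # Auditor -> PCI_App: only 443
        ("10.1.1.77", "192.168.10.11", "tcp", 443),
        ("10.1.2.5", "192.168.20.5", "tcp", 1433),    # LOB2_Users -> PCI_DB: no rule
    ]
    for src_ip, dst_ip, proto, dport in flows:
        allowed, src, dst = is_permitted(src_ip, dst_ip, proto, dport, table)
        print(f"{src_ip:>12} ({src}) -> {dst_ip} ({dst}) {proto}/{dport}: "
              f"{'permit' if allowed else 'deny'}")
```

The longest-prefix ordering matters: the Auditor host sits inside the PCI_Users subnet, and a table that stopped at the first matching /24 would give that host the broader group's permit ip rule instead of its narrower one. Unknown addresses resolve to a group with no policy entries, so under the whitelist default they are denied.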

36 Problem Statement: DC Automation != Security Automation. Customer Deployment Example:
- A large global company has 200+ perimeter firewalls managed by a firewall console, external to ACI
- ACI is being used to instantiate applications that are consumed by business partners
- Each time an application was enabled in ACI via automation, there was no automation of the fact that a new workload needed to be represented in the firewall console for the 200+ perimeter firewalls
- Hence a fall back to a manual process had to be invoked to enable firewall policies on the 200+ perimeter firewalls
- DC Automation did not equal Security Automation

37 TrustSec/ACI Interop = Security Automation. Customer Deployment Example:
- ACI automation of applications triggers learning of the IP/EPG, which is shared with ISE
- ISE maps the IP/EPG to SGTs
- These SGTs are then shared with the firewalls via pxGrid
- The firewalls are updated with the new IP/SGT (EPG) and policy is invoked automatically
- IP/SGT (EPG) is also shared with SGT-aware StealthWatch
TrustSec/ACI interoperability via ISE = Security Automation. This means that ACI EPGs (www, Web Prod App, Dev App, PCI App, Database) are now relevant to the 200+ perimeter firewalls; ACI group info is shared using Security Group Tags. Diagram groups: Supplier1, Supplier2, Joint Venture1, Voice, Employee, Development, BYOD, Non-Compliant.

38 Extending Policy to Public IaaS

39 Agenda
- Enabling Group-based Policies w/ AWS
- Cisco Cloud Policy Platform (CPP)
- ACI Anywhere
- Tetration Policy Discovery, Visibility and Enforcement
- Putting it all together

40 Enabling Group-based Policies w/ AWS. Diagram: CSR and NGFWv pairs in AWS, with ISE.

41 Extending Policy & Control into AWS: leverage Security Group Tags (SGT) within the AWS Transit VPC environment.
- Today: configure SGTs and ISE controls on the CSRv/ASAv within the AWS Transit VPC environment. Then manually create policy groups within ISE to test managing segmentation and control between VPCs.
- Roadmap: leverage CPP to import AWS Transit VPC security groups into ISE dynamically instead of manually creating policy groups.

42 AWS Transit VPC: Simplifying Segmentation and Control. Spoke VPCs (VPC1 App 1 / dev, VPC2 App 2 / prod, VPC3 App 3 / CL) carry Dev VPC, Prod VPC and Cisco Live tags; the user groups Employee, Developer, Guest and Non-Compliant carry their own tags. Control access to spoke VPCs based on SGT tags, with policy enforcement within the Transit VPC hub CSRvs (AZ1 / AZ2), dynamic route peering, and Direct Connect to the Data Center where ISE provides identity & access control.
- Control traffic between VPCs
- Simplify security configurations
- Scale security group control
- Single control point
The policy matrix (X = blocked) shows which user groups may reach App 1 (VPC1), App 2 (VPC2) and App 3 (VPC3).

43 AWS Transit VPC: Simplifying Segmentation and Control (continued). Dev (VPC1), Prod (VPC2) and CiscoLive (VPC3) spokes sit behind CSR1 / CSR2 in the Transit VPC (AZ1 / AZ2) with dynamic route peering, an ASR and Direct Connect to the Data Center, and ISE for identity & access control. Secure Internet breakout by enabling Snort IPS on the CSR.
- Control spoke to spoke
- Control user to app
- Control app to app
- Control Internet

44 AWS Transit VPC: Simplifying Segmentation and Control (continued). Same diagram as slide 43, with VPC1's Internet path shown.

45 Cisco Cloud Policy Platform (CPP)

46 Enabling Group-based Policies across the Enterprise. Goal: share group information between cloud domains and the Enterprise to simplify policy management.
- Share classifications to reduce SecOps effort, deliver consistency and simplify audit tasks
- Enable adoption of different cloud environments without duplicating group policy management
Diagram: the Cloud Policy Platform exchanging groups with DNA-C/ISE (Enterprise Security Groups), APIC (ACI EndPoint Groups) and ODL (Groups Available); status In Progress / Future / Future.

47 Campus User to Cloud Access Control, Typical Scenarios. Policy is enforced in the enterprise network OR in the cloud (virtual firewall or SGACL-capable virtual routers, e.g. ASAv, CSR-1000v, ISRv, FTD), alongside AWS Security Groups or Azure Network Security Groups (Prod App, Dev App). Avoids policy changes as new workloads are provisioned in clouds. Diagram: ISE in the Enterprise policy domain assigns Employee, Developer, Guest and Non-Compliant tags (plus Voice); the matrix (X = blocked) shows which of these groups may reach Dev Apps and Prod Apps.

48 Define Classification Policy: AWS attributes (AWS tags, Security Groups) info rendered to the Cisco network as SGT.

49 Using Group Information From CPP: in ISE, and in security appliances for workloads in hybrid cloud and on premise.

50 ACI Anywhere

51 ACI Anywhere Vision: Any Workload, Any Location, Any Cloud. Remote PoD, Multi-Pod / Multi-Site and Hybrid Cloud Extension over the IP WAN, spanning Remote Location, On Premise and Public Cloud. Security Everywhere, Analytics Everywhere, Policy Everywhere.

52 ACI Anywhere Multi-Cloud (Future). A Multisite Orchestrator spans Site 1 and Site 2 over the IP network.
- Consistent policy enforcement on-prem & in the public cloud
- Automated inter-connect provisioning
- Simplified operations with end-to-end visibility

53 Policy Discovery, Visibility and Enforcement with Tetration

54 Enabling Group-based Policies across the Enterprise with the Cisco Tetration Analytics Platform.
Raw data sources (flow information): Tetration software agents; ERSPAN / out-of-band sensor; Tetration hardware agents (Nx9k); NetFlow (v9 & IPFIX).
Policy sources: zero-knowledge (dynamic discovery); firewalls; ACI; ISE; AlgoSec / Tufin; CMDB.

55 Enabling Group-based Policy Discovery. Diagram: Cisco Tetration Analytics Platform feeding APIC.

56 Security challenges in current Data Centers: brownfields / cloud migrations.
- How to define a Zero-Trust model for my current applications? Application-dependency mapping (discovery plane).
- How to rapidly deploy that model into ACI? Contracts, Filters, EPGs.

57 Current Network Centric Deployments: unenforced VRFs, one EPG per VLAN (EPG: Vlan 10, 20, 30, 31, 32, 33, 40) with BM hosts. VLAN10 == BD10 == EPG10.

58 Tetration Analysis Dependency Mapping: the Tetration Analytics Engine turns the network centric view (VLAN 10, VLAN 20, VLAN 30 with contracts between them) into an application centric view (Web, App, DB with contracts between them).

59 Application Centric Deployments, Inter-EPG. Diagram: Application X composed of Web App1, Web App2, Web App3, Image Servers, Shared Services and Database EPGs of BM hosts, with contracts (C) between the EPGs.

60 Application Centric Deployments, Inter and Intra EPG Enforcement. Same application as slide 59, with contracts also enforced between hosts within an EPG.

61 Policy is imported & massaged and enforced on ACI (Tetration Policy).

62 Pervasive Enforcement: Zero Trust white-list policy via the Tetration agent (IPSets / IPTables), native endpoint firewalls (Windows Firewall), Public Cloud, Bare Metal, Virtual, Cisco ACI* and Traditional Network*.

63 Tetration Identity with ISE

64 Tetration Identity with ISE provides the following benefits:
- IP to SGT / IP to SGT/User mappings: give context to flows in a single interface
- Dynamic mappings: support for shared devices where the user changes
- Flow search by username, group or SGT: what were the connections from user X?
- ADM maps reflecting SGT tags: which devices or users are accessing the right applications
ISE publishes updates over the pxGrid message bus; Tetration consumes this message bus and annotates the hosts / end-points provided by ISE.

65 ISE Provides Campus Identity to Tetration. Example: User: Tony, SGT: 16 (Doctors), App: Patient-Data (EPG). Users arrive via pxGrid and applications/data via the software sensor; the Cisco Tetration Analytics Platform generates dynamic policy. DC enforced policies for User: Tony or SGT:16=Doctors: may access patient records, may not access employee data.
1) The sensor endpoint is sending telemetry data.
2) The endpoint also authenticates with ISE, which notifies our identity repository via pxGrid.
3) Tetration merges the two streams and outputs dynamically generated policy.

66 Policy Enforcement: user / SGT based policy enforcement leveraging the Software Enforcement Agent (server side).

67 User to Application, Inter-EPG. Diagram: Employee and Doctors as L3Out External EPGs; Web Server Farm, Middleware (ie. J), DB Servers, Image Servers, patient-data, Imaging and Database EPGs of BM hosts with contracts (C) between them; X marks blocked paths.

68 How Does It Work? Tetration automatically converts your intent into black and white list rules.
- Intent: Block non-production apps talking to production apps. Rule: SOURCE /8 DEST /8
- Intent: Allow Doctors apps to access patient-data. Rule: SOURCE /24 DEST /24
- Intent: Block all HTTP connections that are not destined to web servers. Rules: SOURCE * DEST /24 PORT = 80; SOURCE * DEST * PORT = 80

69 Using Tetration to Drive FW/ASA Configuration. Whitelist policy recommendation (available in JSON, XML, and YAML) -> validated whitelist -> ASA config (converted from JSON by a Python script). The standard Tetration whitelist policy is filtered for firewall zones and converted to ASA ACL format.
Whitelist policy (JSON):
{
  "src_name": "External",
  "dst_name": "Domain Controllers",
  "whitelist": [
    { "port": [0, 0], "proto": 1, "action": "ALLOW" },
    { "port": [389, 389], "proto": 6, "action": "ALLOW" },
    { "port": [445, 445], "proto": 6, "action": "ALLOW" }
  ]
}
Converted ASA config:
object network Domain_Controllers
 host
 host
object network MSSQL_Database
 host
 host
!
access-list ACL_IN extended permit TCP any object Domain_Controllers eq ldap
access-list ACL_IN extended permit TCP any object Domain_Controllers eq 445
access-list ACL_IN extended permit UDP any object MSSQL_Database eq

70 Using Tetration to Drive ASA Configuration. Clusters:
object-group network DB
 host
 host
 host
These are clusters that have been discovered by Tetration. They are grouped together as object groups in the ASA. The definitions are in the Clusters section of the JSON export.

71 Using Tetration to Drive ASA Configuration. Filters:
object-group network Patient-Data
 subnet
These are filters that have been uploaded into Tetration based on data from IPAM around subnet descriptions. This is actually the same mechanism that would be used to build a policy to an SGT.

72 Using Tetration to Drive ASA Configuration. 3. Policy / contracts:
access-list ACL_IN extended permit UDP object DB_VIP object Shared_Services_Mgmt_Net eq domain
access-list ACL_IN extended permit UDP object DB_VIP object Shared_Services_Mgmt_Net eq ntp
access-list ACL_IN extended permit TCP object Users object Default:Datacenter:Tetration eq https
access-list ACL_IN extended permit TCP object Users object Default:Datacenter:Tetration eq 5640
These are the individual policies that have been discovered by Tetration and then filtered so that only the ones that would traverse the interfaces in the ASA, based on the ASA routing table, are represented. You can find these in the Default Policies section of the JSON.
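Slides 69-72 describe the conversion as a Python script but show only its input and output. The following Python is an added example of that conversion, written for this page; it is not the script used in the session. The whitelist entry format (src_name, dst_name, port range, protocol number, action) is the one printed on slide 69; the enclosing "clusters" / "default_policies" layout, the cluster node list, and every IP address are assumptions constructed for the example. Clusters become object-groups (slide 70) and each whitelist entry becomes one extended access-list line (slide 72).

```python
"""Added example (not the script shown in the session): converting a Tetration
whitelist export into ASA object-groups and access-list lines, following
slides 69-72 (clusters -> object-groups, default policies -> access-list
entries). The whitelist entry format (src_name, dst_name, port, proto,
action) is the one on slide 69; the surrounding "clusters" / "default_policies"
layout and all IP addresses are assumptions constructed for this example."""
import json

# Constructed export. Only the whitelist entries follow the slide's format.
TETRATION_EXPORT = """{
  "clusters": [
    {"name": "Domain Controllers", "nodes": [{"ip": "10.20.0.10"}, {"ip": "10.20.0.11"}]},
    {"name": "MSSQL Database",     "nodes": [{"ip": "10.30.0.5"}]}
  ],
  "default_policies": [
    {"src_name": "External", "dst_name": "Domain Controllers",
     "whitelist": [
       {"port": [0, 0],     "proto": 1, "action": "ALLOW"},
       {"port": [389, 389], "proto": 6, "action": "ALLOW"},
       {"port": [445, 445], "proto": 6, "action": "ALLOW"}
     ]},
    {"src_name": "Domain Controllers", "dst_name": "MSSQL Database",
     "whitelist": [
       {"port": [1433, 1434], "proto": 6,  "action": "ALLOW"},
       {"port": [0, 0],       "proto": 17, "action": "DENY"}
     ]}
  ]
}"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# ASA prints a few well-known ports by name; the rest stay numeric.
PORT_NAMES = {53: "domain", 123: "ntp", 389: "ldap", 443: "https"}
# Tetration scopes that map to "any" on the firewall rather than to an object.
ANY_SCOPES = {"External"}


def load_export(text):
    return json.loads(text)


def asa_name(cluster_name):
    """Object names cannot contain spaces; the slide uses underscores."""
    return cluster_name.replace(" ", "_")


def scope_ref(name):
    return "any" if name in ANY_SCOPES else f"object-group {asa_name(name)}"


def port_clause(proto, port_range):
    """[0,0] means any port; [a,a] -> eq a; [a,b] -> range a b."""
    lo, hi = port_range
    if proto == "icmp" or (lo, hi) == (0, 0):
        return ""
    if lo == hi:
        return f" eq {PORT_NAMES.get(lo, lo)}"
    return f" range {lo} {hi}"


def render_objects(export):
    """Clusters section -> object-group network definitions."""
    lines = []
    for cluster in export["clusters"]:
        lines.append(f"object-group network {asa_name(cluster['name'])}")
        for node in cluster["nodes"]:
            lines.append(f" network-object host {node['ip']}")
    return lines


def render_acl(export, acl_name="ACL_IN"):
    """Default policies section -> extended access-list entries."""
    lines = []
    for policy in export["default_policies"]:
        src = scope_ref(policy["src_name"])
        dst = scope_ref(policy["dst_name"])
        for entry in policy["whitelist"]:
            proto = PROTO_NAMES.get(entry["proto"])
            if proto is None:
                # Refuse rather than silently drop an entry the converter
                # cannot express; a missing line changes what the ACL permits.
                raise ValueError(f"unsupported protocol number {entry['proto']}")
            action = "permit" if entry["action"].upper() == "ALLOW" else "deny"
            lines.append(f"access-list {acl_name} extended {action} {proto} "
                         f"{src} {dst}{port_clause(proto, entry['port'])}")
    return lines


def convert(export_text):
    export = load_export(export_text)
    return render_objects(export) + ["!"] + render_acl(export)


if __name__ == "__main__":
    print("\n".join(convert(TETRATION_EXPORT)))
```

The converter raises on a protocol number it does not know instead of skipping the entry: in a whitelist, a dropped line is not harmless, since the reviewer validating the output would no longer see what the policy actually allowed. Zone filtering against the ASA routing table (slide 72) is not modelled here; every default policy in the export is rendered.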

73 What about the case where there is NAT? SNAT: Kafka (message bus). Flow-data: h/w sensor, OOB sensor.

74 Tetration Visibility

75 Flow Search: search by username, search by SGT.

76 ADM

77 Compliance, Policy Validation. All flows are tracked 4 ways:
- Permitted: bidirectional flows that match the policy
- Misdropped: permitted traffic where we have dropped a packet
- Escaped: bidirectional flows that are against the policy
- Rejected: uni-directional flows that are against the policy
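The four categories on slide 77 are a small decision: is the flow covered by the policy, did it complete a round trip, and were packets dropped. The following Python is an added example that applies exactly that bookkeeping to a handful of constructed flow records; it is not Tetration code, and the cluster names, ports and counters in it are made up for the example.

```python
"""Added example (not from the session): the four-way flow classification
described on slide 77, run over constructed flow records. Cluster names,
ports and counters below are invented for the example."""
from collections import Counter

# Whitelist policy: (source cluster, destination cluster, protocol, port).
POLICY = {
    ("Web", "App", "tcp", 8080),
    ("App", "DB", "tcp", 5432),
}

# Constructed flow records. "bidirectional" means the destination answered;
# "drops" is the number of packets the enforcement point dropped for the flow.
FLOWS = [
    {"src": "Web", "dst": "App", "proto": "tcp", "dport": 8080, "bidirectional": True, "drops": 0},
    {"src": "Web", "dst": "App", "proto": "tcp", "dport": 8080, "bidirectional": True, "drops": 3},
    {"src": "Web", "dst": "DB", "proto": "tcp", "dport": 5432, "bidirectional": True, "drops": 0},
    {"src": "Web", "dst": "DB", "proto": "tcp", "dport": 5432, "bidirectional": False, "drops": 0},
    {"src": "App", "dst": "DB", "proto": "tcp", "dport": 22, "bidirectional": False, "drops": 0},
]

CATEGORIES = ("permitted", "misdropped", "escaped", "rejected")


def classify_flow(flow, policy):
    """Map one flow to permitted / misdropped / escaped / rejected."""
    allowed = (flow["src"], flow["dst"], flow["proto"], flow["dport"]) in policy
    if allowed:
        # Matching policy but still losing packets points at an enforcement
        # or connectivity problem, not a policy violation.
        return "misdropped" if flow["drops"] > 0 else "permitted"
    # Against policy: a completed two-way exchange means enforcement did not
    # stop it (escaped); a one-way attempt means it was stopped (rejected).
    return "escaped" if flow["bidirectional"] else "rejected"


def summarize(flows, policy):
    """Counts per category, always reporting all four keys."""
    counts = Counter(classify_flow(f, policy) for f in flows)
    return {category: counts.get(category, 0) for category in CATEGORIES}


def escaped_flows(flows, policy):
    """The flows to investigate first: traffic the policy forbids that
    nevertheless completed a round trip."""
    return [f for f in flows if classify_flow(f, policy) == "escaped"]


if __name__ == "__main__":
    print(summarize(FLOWS, POLICY))
    for flow in escaped_flows(FLOWS, POLICY):
        print("escaped:", flow["src"], "->", flow["dst"], flow["proto"], flow["dport"])
```

Escaped flows are the ones that indicate an enforcement gap (a missing agent, an unenforced VRF, or a path around the firewall), while misdropped flows indicate the policy is right but the enforcement point is harming allowed traffic; keeping the two apart is what makes the count useful for validation.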

78 Putting it all Together

79 APIC (diagram)

80 Tetration with StealthWatch: leverage information from Tetration. Export workspaces, clusters and applications discovered in Tetration to Stealthwatch host groups (Tetration data into Cisco StealthWatch network analytics).

81 Tetration with StealthWatch: leverage information from Tetration for monitoring the unified policy (Tetration data into Cisco StealthWatch network analytics).

82 Putting it all together: Campus/Branch + DC + Cloud, Customer Deployment Example. Campus / Branch users: TrustSec + Tetration enforcement, with ISE and Stealthwatch. Cloud / IaaS: Cloud Policy Platform, TrustSec enforcement. Data Center: APIC micro-segmentation / coarse-grain policy, Cisco Tetration Analytics Platform fine-grain policy.


84 Please complete your online session evaluations after each session. Complete 4 session evaluations & the overall conference evaluation (available from Thursday) to receive your Cisco Live T-shirt. All surveys can be completed via the Cisco Live Mobile App or the Communication Stations. Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at

85 Complete your Online Session Evaluation

86 Continue Your Education: demos in the Cisco campus, walk-in self-paced labs, Tech Circle, Meet the Engineer 1:1 meetings, related sessions.

87 Thank you


More information

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers Speaker: Mun Hossain Director of Product Management - Security Business Group Cisco Twitter: @CiscoDCSecurity 2 Any

More information

Cisco SD-Access Hands-on Lab

Cisco SD-Access Hands-on Lab LTRCRS-2810 Cisco SD-Access Hands-on Lab Larissa Overbey - Technical Marketing Engineer, Cisco Derek Huckaby - Technical Marketing Engineer, Cisco https://cisco.box.com/v/ltrcrs-2810-bcn2018 Password:

More information

Network Visibility and Segmentation

Network Visibility and Segmentation Network Visibility and Segmentation 2019 Cisco and/ or its affiliates. All rights reserved. Contents Network Segmentation A Services Approach 3 The Process of Segmentation 3 Segmentation Solution Components

More information

Customer s journey into the private cloud with Cisco Enterprise Cloud Suite

Customer s journey into the private cloud with Cisco Enterprise Cloud Suite Customer s journey into the private cloud with Cisco Enterprise Cloud Suite Peter Charpentier, Senior Solution Architect, Cisco AS Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker

More information

2018 Cisco and/or its affiliates. All rights reserved.

2018 Cisco and/or its affiliates. All rights reserved. Beyond Data Center A Journey to self-driving Data Center with Analytics, Intelligent and Assurance Mohamad Imaduddin Systems Engineer Cisco Oct 2018 App is the new Business Developer is the new Customer

More information

Cloud-Ready WAN For IAAS & SaaS With Cisco s Next- Gen SD-WAN

Cloud-Ready WAN For IAAS & SaaS With Cisco s Next- Gen SD-WAN BRKCRS-2113 Cloud-Ready WAN For IAAS & SaaS With Cisco s Next- Gen SD-WAN Sumanth Kakaraparthi Product Leader SD-WAN Manan Shah Director Of Product Management Cisco Spark How Questions? Use Cisco Spark

More information

Cisco Tetration Analytics

Cisco Tetration Analytics Cisco Tetration Analytics Enhanced security and operations with real time analytics John Joo Tetration Business Unit Cisco Systems Security Challenges in Modern Data Centers Securing applications has become

More information

Segmentation. Threat Defense. Visibility

Segmentation. Threat Defense. Visibility Segmentation Threat Defense Visibility Establish boundaries: network, compute, virtual Enforce policy by functions, devices, organizations, compliance Control and prevent unauthorized access to networks,

More information

Title DC Automation: It s a MARVEL!

Title DC Automation: It s a MARVEL! Title DC Automation: It s a MARVEL! Name Nikos D. Anagnostatos Position Network Consultant, Network Solutions Division Classification ISO 27001: Public Data Center Evolution 2 Space Hellas - All Rights

More information

Deploying Cloud-Agnostic Applications with Cisco CloudCenter

Deploying Cloud-Agnostic Applications with Cisco CloudCenter LTRCLD-2303 Deploying Cloud-Agnostic Applications with Cisco CloudCenter Zack Kielich CloudCenter Product Manager Vince Motto Sr. Technical Leader Andrew Horrigan Consulting Engineer Matt Tarkington Consulting

More information

Building NFV Solutions with OpenStack and Cisco ACI

Building NFV Solutions with OpenStack and Cisco ACI Building NFV Solutions with OpenStack and Cisco ACI Domenico Dastoli @domdastoli INSBU Technical Marketing Engineer Iftikhar Rathore - INSBU Technical Marketing Engineer Agenda Brief Introduction to Cisco

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme SAI2803BU The Road to Micro- Segmentation with VMware NSX #VMworld #SAI2803BU Disclaimer This presentation may contain product features that are currently under development. This overview of new technology

More information

Service Graph Design with Cisco Application Centric Infrastructure

Service Graph Design with Cisco Application Centric Infrastructure White Paper Service Graph Design with Cisco Application Centric Infrastructure 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 101 Contents Introduction...

More information

TrustSec (NaaS / NaaE)

TrustSec (NaaS / NaaE) TrustSec (NaaS / NaaE) per@cisco.com Security on top of the mind for our customers 60% 85% 54% of data is stolen in HOURS of point-of-sale intrusions aren t discovered for WEEKS of breaches remain undiscovered

More information

SD-Access Wireless: why would you care?

SD-Access Wireless: why would you care? SD-Access Wireless: why would you care? CUWN Architecture - Centralized Overview Policy Definition Enforcement Point for Wi-Fi clients Client keeps same IP address while roaming WLC Single point of Ingress

More information

SDN Security BRKSEC Alok Mittal Security Business Group, Cisco

SDN Security BRKSEC Alok Mittal Security Business Group, Cisco SDN Security Alok Mittal Security Business Group, Cisco Security at the Speed of the Network Automating and Accelerating Security Through SDN Countering threats is complex and difficult. Software Defined

More information

Cisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab

Cisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab Cisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab Ali Shaikh Technical Leader Faraz Shamim Sr. Technical Leader Mossaddaq Turabi Distinguished ENgineer Cisco Spark How Questions?

More information

ANIKET DAPTARI & RANJINI RAJENDRAN CONTRAIL TEAM

ANIKET DAPTARI & RANJINI RAJENDRAN CONTRAIL TEAM ROLE OF NETWORK VIRTUALIZATION AND SOFTWARE DEFINED SECURITY IN MULTICLOUD ANIKET DAPTARI & RANJINI RAJENDRAN CONTRAIL TEAM This statement of direction sets forth Juniper Networks current intention and

More information

Routing Underlay and NFV Automation with DNA Center

Routing Underlay and NFV Automation with DNA Center BRKRST-1888 Routing Underlay and NFV Automation with DNA Center Prakash Rajamani, Director, Product Management Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session

More information

The Why, What, and How of Cisco Tetration

The Why, What, and How of Cisco Tetration The Why, What, and How of Cisco Tetration Why Cisco Tetration? With the above trends as a backdrop, Cisco has seen specific changes within the multicloud data center. Infrastructure is changing. It is

More information

Hybrid Cloud Solutions

Hybrid Cloud Solutions Hybrid Cloud Solutions with Cisco and Microsoft Innovation Rob Tappenden, Technical Solution Architect rtappend@cisco.com March 2016 Today s industry and business challenges Industry Evolution & Data Centres

More information

Cloud Mobility: Meraki Wireless & EMM

Cloud Mobility: Meraki Wireless & EMM BRKEWN-2002 Cloud Mobility: Meraki Wireless & EMM Emily Sporl Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile

More information

Cisco TrustSec Software-Defined Segmentation Platform and Capability Matrix Release 6.3

Cisco TrustSec Software-Defined Segmentation Platform and Capability Matrix Release 6.3 TrustSec Software-Defined Segmentation Platform and Capability Matrix Release 6.3 TrustSec uniquely builds upon your existing identity-aware infrastructure by enforcing segmentation and access control

More information

DNA Automation Services Offerings

DNA Automation Services Offerings DNA Automation Services Offerings Jamie Owen, Solutions Architect, Cisco Advanced Services Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session

More information

DevNet Technical Breakout: Introduction to ACI Programming and APIs.

DevNet Technical Breakout: Introduction to ACI Programming and APIs. DevNet Technical Breakout: Introduction to ACI Programming and APIs. Michael Cohen Agenda Introduction to ACI ACI Policy ACI APIs REST API Python API L4-7 Scripting Opflex 3 Application Centric Infrastructure

More information

Cisco Application Centric Infrastructure

Cisco Application Centric Infrastructure Data Sheet Cisco Application Centric Infrastructure What s Inside At a glance: Cisco ACI solution Main benefits Cisco ACI building blocks Main features Fabric Management and Automation Network Security

More information

Use Case: Three-Tier Application with Transit Topology

Use Case: Three-Tier Application with Transit Topology Use Case: Three-Tier Application with Transit Topology About Deploying a Three-Tier Application with Transit Topology, on page 1 Deploying a Three-Tier Application, on page 3 Transit Routing with OSPF

More information

Service Insertion with ACI using F5 iworkflow

Service Insertion with ACI using F5 iworkflow Service Insertion with ACI using F5 iworkflow Gert Wolfis F5 EMEA Cloud SE October 2016 Agenda F5 and Cisco ACI Joint Solution Cisco ACI L4 L7 Service Insertion Overview F5 and Cisco ACI Integration Models

More information

Cisco ACI vpod. One intent: Any workload, Any location, Any cloud. Introduction

Cisco ACI vpod. One intent: Any workload, Any location, Any cloud. Introduction Cisco ACI vpod One intent: Any workload, Any location, Any cloud Organizations are increasingly adopting hybrid data center models to meet their infrastructure demands, to get flexibility and to optimize

More information

Contiv installation and integration with ACI

Contiv installation and integration with ACI Contiv installation and integration with ACI http://contiv.ciscolive.com Haroun Dass Customer Solutions Architect hdass@cisco.com Luis Flores System Engineer luflores@cisco.com @Luis_E_Flores Cesar Obediente

More information

Data Center Security. Fuat KILIÇ Consulting Systems

Data Center Security. Fuat KILIÇ Consulting Systems Data Center Security Fuat KILIÇ Consulting Systems Engineer @Security Data Center Evolution WHERE ARE YOU NOW? WHERE DO YOU WANT TO BE? Traditional Data Center Virtualized Data Center (VDC) Virtualized

More information

Next generation branch with SD-WAN and NFV

Next generation branch with SD-WAN and NFV Next generation branch with SD-WAN and NFV Kiran Ghodgaonkar, Senior Manager, Enterprise Marketing Mani Ganeson, Senior Product Manager PSOCRS-2004 @ghodgaonkar Cisco Spark How Questions? Use Cisco Spark

More information

Serviceability of SD-WAN

Serviceability of SD-WAN BRKCRS-2112 Serviceability of SD-WAN Chandrabalaji Rajaram & Ali Shaikh Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live

More information

Cisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack

Cisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack White Paper Cisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack Introduction Cisco Application Centric Infrastructure (ACI) is a next-generation data center fabric infrastructure

More information

ACI Terminology. This chapter contains the following sections: ACI Terminology, on page 1. Cisco ACI Term. (Approximation)

ACI Terminology. This chapter contains the following sections: ACI Terminology, on page 1. Cisco ACI Term. (Approximation) This chapter contains the following sections:, on page 1 Alias API Inspector App Center Alias A changeable name for a given object. While the name of an object, once created, cannot be changed, the Alias

More information

Migration from Classic DC Network to Application Centric Infrastructure

Migration from Classic DC Network to Application Centric Infrastructure Migration from Classic DC Network to Application Centric Infrastructure Kannan Ponnuswamy, Solution Architect, Cisco Advanced Services Acronyms IOS vpc VDC AAA VRF STP ISE FTP ToR UCS FEX OTV QoS BGP PIM

More information

NetBrain Technologies: Achieving Agile Network Operations: How Automation Can Improve Visibility Across Hybrid Infrastructures

NetBrain Technologies: Achieving Agile Network Operations: How Automation Can Improve Visibility Across Hybrid Infrastructures BRKPAR - 2509 NetBrain Technologies: Achieving Agile Network Operations: How Automation Can Improve Visibility Across Hybrid Infrastructures Jason Baudreau Achieving Agile Network Operations How Automation

More information

Contiv installation and integration with ACI. LTRCLD-2003

Contiv installation and integration with ACI. LTRCLD-2003 Contiv installation and integration with ACI LTRCLD-2003 http://contiv.ciscolive.com Cesar Obediente CCIE#5620 Principal Systems Engineer Gaurav Dalvi Software Engineer Future of IT is Changing People/Process

More information

ACI Multi-Site Architecture and Deployment. Max Ardica Principal Engineer - INSBU

ACI Multi-Site Architecture and Deployment. Max Ardica Principal Engineer - INSBU ACI Multi-Site Architecture and Deployment Max Ardica Principal Engineer - INSBU Agenda ACI Network and Policy Domain Evolution ACI Multi-Site Deep Dive Overview and Use Cases Introducing ACI Multi-Site

More information

Cisco TrustSec Software-Defined Segmentation Release 6.1 System Bulletin

Cisco TrustSec Software-Defined Segmentation Release 6.1 System Bulletin System Bulletin TrustSec Software-Defined Segmentation Release 6.1 System Bulletin Introduction Network segmentation is essential for protecting critical business assets. TrustSec Software Defined Segmentation

More information

DevOps CICD for VNF a NetOps Approach

DevOps CICD for VNF a NetOps Approach DevOps CICD for VNF a NetOps Approach Renato Fichmann Senior Solutions Architect Cisco Advanced Services Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1.

More information

Multi-Cloud and Application Centric Modeling, Deployment and Management with Cisco CloudCenter (CliQr)

Multi-Cloud and Application Centric Modeling, Deployment and Management with Cisco CloudCenter (CliQr) Multi-Cloud and Application Centric Modeling, Deployment and Management with Cisco CloudCenter (CliQr) Jeremy Oakey - Sr. Director, Technical Marketing & Integrations BRKCLD-2008 Agenda Introduction Architecture

More information

2012 Cisco and/or its affiliates. All rights reserved. 1

2012 Cisco and/or its affiliates. All rights reserved. 1 2012 Cisco and/or its affiliates. All rights reserved. 1 Policy Access Control: Challenges and Architecture UA with Cisco ISE Onboarding demo (BYOD) Cisco Access Devices and Identity Security Group Access

More information

APIC-EM / EasyQoS - End to End Orchestration of QoS in Enterprise Networks

APIC-EM / EasyQoS - End to End Orchestration of QoS in Enterprise Networks APIC-EM / EasyQoS - End to End Orchestration of QoS in Enterprise Networks Saurav Prasad Technical Marketing Engineer CTHNMS-1002 Cisco Spark How Questions? Use Cisco Spark to chat with the speaker after

More information

Multi-Cloud and Application Centric Modeling, Deployment and Management with Cisco CloudCenter (CliQr)

Multi-Cloud and Application Centric Modeling, Deployment and Management with Cisco CloudCenter (CliQr) Multi-Cloud and Application Centric Modeling, Deployment and Management with Cisco CloudCenter (CliQr) Jeremy Oakey Senior Director, Technical Marketing and Integrations Agenda Introduction Architecture

More information

Cisco SD-WAN and DNA-C

Cisco SD-WAN and DNA-C Cisco SD-WAN and DNA-C SD-WAN Cisco SD-WAN Intent-based networking for the branch and WAN 4x Improved application experience Better user experience Deploy applications in minutes on any platform with consistent

More information

Introduction to Cisco SD- WAN (Viptela)

Introduction to Cisco SD- WAN (Viptela) LTRCRS-2005 Introduction to Cisco SD- WAN (Viptela) Brad Edgeworth, Systems Engineer, CCIE#31574 Dustin Schuemann, Solutions Architect Madhavan Aruanchalam, Technical Marketing Engineer Cisco Spark How

More information

MP-BGP VxLAN, ACI & Demo. Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017

MP-BGP VxLAN, ACI & Demo. Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017 MP-BGP VxLAN, ACI & Demo Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017 Datacenter solutions Programmable Fabric Classic Ethernet VxLAN-BGP EVPN standard-based Cisco DCNM Automation Modern

More information

Cisco Group Based Policy Platform and Capability Matrix Release 6.4

Cisco Group Based Policy Platform and Capability Matrix Release 6.4 Group d Policy Platform and Capability Matrix Release 6.4 (inclusive of TrustSec Software-Defined Segmentation) Group d Policy (also known as TrustSec Software-Defined Segmentation) uniquely builds upon

More information

Cisco SDN 解决方案 ACI 的基本概念

Cisco SDN 解决方案 ACI 的基本概念 Cisco SDN 解决方案 ACI 的基本概念 Presented by: Shangxin Du(@shdu)-Solution Support Engineer, Cisco TAC Aug 26 th, 2015 2013 Cisco and/or its affiliates. All rights reserved. 1 Type Consumption Delivery Big data,

More information

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer Cisco Next Generation Firewall and IPS Dragan Novakovic Security Consulting Systems Engineer Cisco ASA with Firepower services Cisco TALOS - Collective Security Intelligence Enabled Clustering & High Availability

More information

Cisco ACI Terminology ACI Terminology 2

Cisco ACI Terminology ACI Terminology 2 inology ACI Terminology 2 Revised: May 24, 2018, ACI Terminology Cisco ACI Term Alias API Inspector App Center Application Policy Infrastructure Controller (APIC) Application Profile Atomic Counters Alias

More information

Cisco TrustSec Software-Defined Segmentation Release 6.1 System Bulletin

Cisco TrustSec Software-Defined Segmentation Release 6.1 System Bulletin System Bulletin TrustSec Software-Defined Segmentation Release 6.1 System Bulletin Introduction Network segmentation is essential for protecting critical business assets. TrustSec Software Defined Segmentation

More information

Security for shared infrastructure in Cisco ONE Enterprise Cloud Suite BRKPCA-2040

Security for shared infrastructure in Cisco ONE Enterprise Cloud Suite BRKPCA-2040 Security for shared infrastructure in Cisco ONE Enterprise Cloud Suite Roxana Diaz TSA, CCIE BRKPCA-2040 @roxadiaz2 Agenda Introduction Cisco VACS Overview VACS Configuration Security Use-cases Customers

More information

Identity Based Network Access

Identity Based Network Access Identity Based Network Access Identity Based Network Access - Agenda What are my issues Cisco ISE Power training What have I achieved What do I want to do What are the issues? Guest Student Staff Contractor

More information

Več kot SDN - SDA arhitektura v uporabniških omrežjih

Več kot SDN - SDA arhitektura v uporabniških omrežjih Več kot SDN - SDA arhitektura v uporabniških omrežjih Aleksander Kocelj SE Cisco Agenda - Introduction to Software Defined Access - Brief description on SDA - Cisco SDA Assurance - DEMO 2 New Requirements

More information

Real World ACI Deployment and Migration

Real World ACI Deployment and Migration Real World ACI Deployment and Migration #clmel Kannan Ponnuswamy Solution Architect Cisco Advanced Services Icons and Terms APIC Application Policy Infrastructure Controller (APIC) Cisco Nexus 9500 Cisco

More information

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER Bret Hartman Cisco / Security & Government Group Session ID: SPO1-W25 Session Classification: General Interest 1 Mobility Cloud Threat Customer centric

More information

Self-driving Datacenter: Analytics

Self-driving Datacenter: Analytics Self-driving Datacenter: Analytics George Boulescu Consulting Systems Engineer 19/10/2016 Alvin Toffler is a former associate editor of Fortune magazine, known for his works discussing the digital revolution,

More information

Cisco Tetration Analytics

Cisco Tetration Analytics Cisco Tetration Analytics Real-time application visibility and policy management using advanced analytics Yogesh Kaushik, Sr. Director Product Management PSOACI-2100 Agenda Market context Introduction:

More information

Cisco HyperFlex Systems

Cisco HyperFlex Systems White Paper Cisco HyperFlex Systems Install and Manage Cisco HyperFlex Systems in a Cisco ACI Environment Original Update: January 2017 Updated: March 2018 Note: This document contains material and data

More information

Cisco Tetration Analytics

Cisco Tetration Analytics Cisco Tetration Analytics Enhanced security and operations with real time analytics Christopher Say (CCIE RS SP) Consulting System Engineer csaychoh@cisco.com Challenges in operating a hybrid data center

More information

Policy Driven Data Centre with ACI

Policy Driven Data Centre with ACI Policy Driven Data Centre with ACI Chris Gascoigne Technical Solutions Architect #clmel Agenda Introduction What is policy Network policy Application policy Conclusion Introduction Traditional Data Centre

More information

NXOS in the Real World Using NX-API REST

NXOS in the Real World Using NX-API REST NXOS in the Real World Using NX-API REST Adrian Iliesiu Corporate Development Engineer Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session

More information

Real World ACI Deployment and Migration Kannan Ponnuswamy, Solutions Architect BRKACI-2601

Real World ACI Deployment and Migration Kannan Ponnuswamy, Solutions Architect BRKACI-2601 Real World ACI Deployment and Migration Kannan Ponnuswamy, Solutions Architect BRKACI-2601 Icons and Terms APIC Application Policy Infrastructure Controller (APIC) Cisco Nexus 9500 Cisco Nexus 9300 Nexus

More information

Data Center and Cloud Automation

Data Center and Cloud Automation Data Center and Cloud Automation Tanja Hess Systems Engineer September, 2014 AGENDA Challenges and Opportunities Manual vs. Automated IT Operations What problem are we trying to solve and how do we solve

More information

Ipswitch: The New way of Network Monitoring and how to provide managed services to its customers

Ipswitch: The New way of Network Monitoring and how to provide managed services to its customers BRKPAR-2333 Ipswitch: The New way of Network Monitoring and how to provide managed services to its customers Paolo Ferrari, Senior Director Sales Southern Europe, Ipswitch, Inc. WhatsUp Gold Jan 2018 Agenda

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme MMC1532BE Using VMware NSX Cloud for Enhanced Networking and Security for AWS Native Workloads Percy Wadia Amol Tipnis VMworld 2017 Content: Not for publication #VMworld #MMC1532BE Disclaimer This presentation

More information

Cisco Application Policy Infrastructure Controller Data Center Policy Model

Cisco Application Policy Infrastructure Controller Data Center Policy Model White Paper Cisco Application Policy Infrastructure Controller Data Center Policy Model This paper examines the Cisco Application Centric Infrastructure (ACI) approach to modeling business applications

More information

Cisco SD-WAN. Intent-based networking for the branch and WAN. Carlos Infante PSS EN Spain March 2018

Cisco SD-WAN. Intent-based networking for the branch and WAN. Carlos Infante PSS EN Spain March 2018 Cisco SD-WAN Intent-based networking for the branch and WAN Carlos Infante PSS EN Spain March 2018 Aug-12 Oct-12 Dec-12 Feb-13 Apr-13 Jun-13 Aug-13 Oct-13 Dec-13 Feb-14 Apr-14 Jun-14 Aug-14 Oct-14 Dec-14

More information

Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003

Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003 Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003 Agenda ACI Introduction and Multi-Fabric Use Cases ACI Multi-Fabric Design Options ACI Stretched Fabric Overview

More information

Cisco SD-Access Building the Routed Underlay

Cisco SD-Access Building the Routed Underlay Cisco SD-Access Building the Routed Underlay Rahul Kachalia Sr. Technical Leader Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the

More information

Cisco Campus Fabric Introduction. Vedran Hafner Systems engineer Cisco

Cisco Campus Fabric Introduction. Vedran Hafner Systems engineer Cisco Cisco Campus Fabric Introduction Vedran Hafner Systems engineer Cisco Campus Fabric Abstract Is your Campus network facing some, or all, of these challenges? Host Mobility (w/o stretching VLANs) Network

More information

Network as an Enforcer (NaaE) Cisco Services. Network as an Enforcer Cisco and/or its affiliates. All rights reserved.

Network as an Enforcer (NaaE) Cisco Services. Network as an Enforcer Cisco and/or its affiliates. All rights reserved. Network as an Enforcer (NaaE) Cisco Services INTRODUCTION... 6 Overview of Network as an Enforcer... 6 Key Benefits... 6 Audience... 6 Scope... 6... 8 Guidelines and Limitations... 8 Configuring SGACL

More information

Stop Threats Before They Stop You

Stop Threats Before They Stop You Stop Threats Before They Stop You Gain visibility and control as you speed time to containment of infected endpoints Andrew Peters, Sr. Manager, Security Technology Group Agenda Situation System Parts

More information

NetDevOps Style Configuration Management for the Network

NetDevOps Style Configuration Management for the Network DEVNET-3616 NetDevOps Style Configuration Management for the Network Hank Preston, NetDevOps Evangelist ccie 38336, R/S @hfpreston Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker

More information

Cisco Software-Defined Access

Cisco Software-Defined Access Cisco Software-Defined Access Introducing an entirely new era in networking. What if you could give time back to IT? Provide network access in minutes for any user or device to any application-without

More information

Running RHV integrated with Cisco ACI. JuanLage Principal Engineer - Cisco May 2018

Running RHV integrated with Cisco ACI. JuanLage Principal Engineer - Cisco May 2018 Running RHV integrated with Cisco ACI JuanLage Principal Engineer - Cisco May 2018 Agenda Why we need SDN on the Data Center What problem are we solving? Introduction to Cisco Application Centric Infrastructure

More information

Configure. Background. Register the FTD Appliance

Configure. Background. Register the FTD Appliance Background, page 1 Register the FTD Appliance, page 1 Create a Service Graph, page 9 Apply a Service Graph Template, page 10 Supported Functions, page 13 FTD Deployments, page 18 Background The ACI fabric

More information

Solution Overview Cisco Tetration Analytics and AlgoSec: Business Application Connectivity Visibility, Policy Enforcement, and Business-Based Risk and

Solution Overview Cisco Tetration Analytics and AlgoSec: Business Application Connectivity Visibility, Policy Enforcement, and Business-Based Risk and Solution Overview Cisco Tetration Analytics and AlgoSec: Business Application Connectivity Visibility, Policy Enforcement, and Business-Based Risk and Compliance Management Through the integration of AlgoSec

More information

Cisco ACI App Center. One Platform, Many Applications. Overview

Cisco ACI App Center. One Platform, Many Applications. Overview White Paper Cisco ACI App Center One Platform, Many Applications Overview Cisco Application Centric Infrastructure (Cisco ACI ) is a comprehensive software-defined networking (SDN) solution designed from

More information

Digital Network Architecture for Securing Enterprise Networks

Digital Network Architecture for Securing Enterprise Networks Digital Network Architecture for Securing Enterprise Networks Matt Robertson Evgeny Mirolyubov Technical Marketing Engineers, Advanced Threat Solutions Cisco Spark How Questions? Use Cisco Spark to communicate

More information

Get Hands On With DNA Center APIs for Managing Intent

Get Hands On With DNA Center APIs for Managing Intent DEVNET-3620 Get Hands On With DNA Center APIs for Managing Intent Adam Radford Distinguished Systems Engineer Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session

More information

LTRDCT-2781 Building and operating VXLAN BGP EVPN Fabrics with Data Center Network Manager

LTRDCT-2781 Building and operating VXLAN BGP EVPN Fabrics with Data Center Network Manager LTRDCT-2781 Building and operating VXLAN BGP EVPN Fabrics with Data Center Network Manager Henrique Molina, Technical Marketing Engineer Matthias Wessendorf, Technical Marketing Engineer Cisco Spark How

More information

Integration of Hypervisors and L4-7 Services into an ACI Fabric. Azeem Suleman, Principal Engineer, Insieme Business Unit

Integration of Hypervisors and L4-7 Services into an ACI Fabric. Azeem Suleman, Principal Engineer, Insieme Business Unit Integration of Hypervisors and L4-7 Services into an ACI Fabric Azeem Suleman, Principal Engineer, Insieme Business Unit Agenda Introduction to ACI Review of ACI Policy Model Hypervisor Integration Layer

More information