Building an End-End Policy Driven Secure Hybrid Cloud DC Architecture


BRKSEC-2980: Building an End-End Policy Driven Secure Hybrid Cloud DC Architecture
David Jansen, CCIE #5952, DSE


Abstract: Building an End-End Policy Driven Secure Hybrid Cloud DC Architecture [BRKSEC-2980]
This session will introduce a hybrid multi-cloud design with workloads deployed in a combination of on-premises DCs and colocation-facility-based cloud hubs with access to public IaaS services and SaaS-based applications. We will introduce embedded fabric-based network security services using multi-tenancy, network segmentation, and micro-segmentation to provide security controls. We will expand fabric-provided security to incorporate attached L4-L7 stateful security services for more rigorous compliance and regulatory requirements. Finally, we will review protecting cloud-based workloads, creating cloud aggregation transit security hubs, and using virtualized security services (VNFs).
The goal is to outline a security framework architecture that highlights the 5-6 critical security technologies customers should be factoring into design, architecture, and services to most effectively protect themselves. Employing this foundational blueprint across Campus, on-premises DC and cloud workloads will enable customers to add more specialized security capabilities and services in the future to further strengthen their aggregate posture.
Included in this design and covered in this session are the following key technology pillars that represent the security baseline:
- Identity management
- Segmentation & multi-tenancy
- Visibility & telemetry
- Next generation FW / Malware defense
- Cloud broker / data protection
- Security & policy communications

David Jansen, CCIE #5952, Distinguished System Engineer (DSE), Global Enterprise Segment Platforms & Solutions. dajansen@cisco.com, @ccie5952. BRKSEC-2980. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Home is? Michigan. Season in Michigan is? Winter, where it has been 25 degrees F, which is about -32 C. Michigan known for? But, most importantly:

Reference Sessions
- BRKSEC-2048: Demystifying ACI Security
- BRKSEC-2059: Deploying ISE in a Dynamic Environment
- BRKSEC-3699: Designing ISE for Scale & High Availability
- BRKSEC-3229: ISE under magnifying glass. How to troubleshoot ISE

Agenda
- Problem Statement + Intro
- Data Center / co-lo / Cloud
- Campus / Branch
- Data Center + Campus / Branch
- Extending Policy to Public IaaS
  - Transit VPC with TrustSec
  - Cisco Cloud Policy Platform (CPP)
  - ACI Anywhere
  - Policy Discovery, Visibility and Enforcement with Tetration
- Putting it all together
- Q&A

Problem Statement
- There are a multitude of domains at play in modern IT infrastructure
- Historically domains have been totally independent and not federated
- Operations need to move towards a consolidated view with federated information across the different policy domains

Where should you start?
- Business case: regulatory drivers (PCI, HIPAA, government, BSI, SSI) result in segmentation; put scope around the segmentation
- Exec sponsor: you have to have one
- Start with PIN vs use case, i.e. do you start at the DC first or do you start with the users?
- What tools do you have to help with the process? "Help me deploy segmentation without being fired"

Who defines the policy?
- Compliance / Policy (Risk Management (IRM))
- SecOps
- DevOps
- NetOps

The Goal: to build an end-to-end architecture, Branch to Campus/WAN to DC/Cloud, resulting in:
- End to End Visibility
- End to End Segmentation
- End to End Policy
Groups span Infrastructure / Users / Devices, Security Services, and Applications / Data. Normalize the policy constructs used across multiple domains.

Group-Based Policy Domains
However, group membership is not shared between domains, and policy domains are managed independently (increased Opex). Group constructs in use today:
- ACI Endpoint Groups (EPG)
- ISE/TrustSec Security Groups (SGT)
- Tetration Analytics Platform Clusters
- Port Groups
- Firewall Object Groups / Secure Groups
- StealthWatch host-groups
- Cloud Security Groups and Network Security Groups
Cloud environments and vendor-specific domains are increasingly using group-based policies.

All of the Components - Level Set (diagram): Cisco Tetration Analytics Platform, APIC, Stealthwatch and the Cloud Policy Platform, arranged by role as Policy Definition and Policy Consumption / Enforcement.

Data Center

Where are the Applications / Data being deployed? (diagram) Three models are compared, each serving Employee, Red Badge, Vendor, Partner and Customer users:
- Private First: Private DC with a DMZ; Internet and SaaS apps
- Cloud All-In: Public Cloud; Internet and SaaS apps
- Cloud First (Hybrid): Private DC and Public Cloud joined through a Neutral Facility; ~50% of apps on each side; Internet and SaaS apps

ACI Fabric Overview (diagram): APIC controllers; Outside, Web, App and DB EPGs with Access Policy, QoS Policy, LB Service Policy and FW Service Policy applied between tiers; connections to Intranet / WAN / Campus, Extranet and Internet.

ACI Policy Model (diagram)
- Tenant: CiscoLive Barcelona
- Context (VRF A), Context (VRF B)
- Bridge Domains (BD) within each context
- Subnet A, Subnet B within the bridge domains
- EPG A, EPG B, EPG C, each containing applications
EPG = Group

Network Centric Mode: VLAN = EPG (EPG-A, EPG-B, ... EPG-n, each with endpoints)
- Connect non-ACI networks to ACI leaf nodes
- Connect at L2 with VLAN trunks (802.1Q)
- Objective: map VLANs to EPGs, extend the policy model to non-ACI networks

ACI Policy Model: EPG to EPG Communication (diagram: EPG-A provides policies "Allow HTTP, Allow ICMP", EPG-n consumes them; Zero Trust Security Model)
- Need to define a Contract (Policy)
- A contract is used to specify the interaction between two EPGs, a provider/consumer pair
- The goal is to provide a global policy view that focuses on improving automation and scalability
- You have the option to change the default from white-list to Unenforced VRFs (IP Any Any)

ACI Policy Model: uEPG Communication (diagram: bare-metal (BM) endpoints within a uEPG, one providing "Allow HTTP, Allow ICMP" and another consuming; Zero Trust Security Model)
- Need to define a Contract (Policy)
- A contract is used to specify the interaction within a uEPG, a provider/consumer pair
- The goal is to provide a global policy view that focuses on improving automation and scalability

Campus / Branch

ISE/SDA/TrustSec Policy Types (DNA-C + SDA)
- Access Policy (ISE): Authentication & Authorization. Who goes in which group, based on which criteria; authentication methods
- Access Control Policy (TrustSec): Who can access what. Rules for cross-group access; permit/deny group to group

SD-Access High Level Topology (diagram): Internet / WAN; Fabric border-node; Fabric Core (intermediate-nodes); Fabric Aggregation (intermediate-node); Fabric edge-node.

SDA/TrustSec Policy Model (diagram)
- Virtual Network (VRF A) with Subnet A; Virtual Network (VRF B) with Subnet B
- Classification by VLAN, Interface, or Host-IP/32
- SGT A, SGT B, SGT C, each containing users
SGT = Group

Cisco SDA (TrustSec): Simplified access control with Group Based Policy
- Classification: static or dynamic SGT assignments at the Access Node (Employee, Supplier, Non-Compliant and Voice tags on VLAN A / VLAN B)
- Propagation: carry group context through the fabric using only the SGT
- Enforcement: Group Based Policies (ACLs, Firewall Rules) at the Border Node or Firewall in front of Shared Services and Application Servers; enforcement points receive policy only for what is connected
- ISE defines the policy

SDA Access Control Two Level Hierarchy - Macro Level: Virtual Network (VN)
- First level of segmentation that ensures zero communication between specific groups
- Ability to consolidate multiple networks into one management plane
- Example: Building Management VN, Campus Users VN

SDA Access Control Two Level Hierarchy - Micro Level: Scalable Group (SG)
- Second level of segmentation that ensures role based access control between two groups within a Virtual Network (e.g. Finance SG and Employee SG inside the Campus Users VN; Building Management VN)
- Provides the ability to segment the network into either lines of business or functional blocks
- Can also write a policy such as: sgt1 <-> sgt1 = deny ip

Data Center + Campus/Branch

ISE/TrustSec/SDA + APIC: Identity (diagram: APIC and ISE)

Enabling Group-Based Policies Across the Enterprise
Goal: Consistent Security Policy
- Groups and Identity shared between TrustSec and ACI domains
- Allow TrustSec security groups to be used in ACI policies
- Allow ACI EndPoint Groups to be used in policies across the Enterprise
- Simplified management of security appliances using both TrustSec and ACI classifications
(diagram: TrustSec Policy Domain with ISE 2.1 covering Campus / Branch / Non-ACI DC, Voice / Employee / Supplier / BYOD groups on Voice VLAN and Data VLAN; APIC Policy Domain covering the Data Center ACI Fabric with Web, App and DB EPGs)

Enabling Group-based Policies across the Enterprise (diagram): Shared Policy Groups between the TrustSec Policy Domain (Campus / Branch / Non-ACI DC; Voice, Employee, Supplier, BYOD on Voice VLAN and Data VLAN) and the APIC Policy Domain (Data Center ACI Fabric; Web, App, DB). Enforcement constructs: SG-FW and SG-ACL on the TrustSec side, Contract on the ACI side.

TrustSec/SDA SGT Info Used in ACI Policies (diagram)
- Controller layer: ISE exchanges SGT Name = Auditor, SGT Binding = 10.1.10.220 with APIC; APIC represents it as EPG Name = Auditor, Groups = 10.1.10.220. Scalable Groups become available in ACI policies.
- Network layer: in the Campus Fabric the packet is SRC 10.1.10.220, DST 10.1.100.52 (PCI EPG), SGT 5; it enters ACI as plain Ethernet/IP through the ACI Border Leaf (N9K), ACI Spine (N9K) and ACI Leaf (N9K) to reach PCI 10.1.100.52.

ACI EPG Info Used in SDA/TrustSec Policies (diagram)
- Controller layer: ISE retrieves EPG Name = PCI EPG, Endpoint = 10.1.100.52 from APIC. Retrieved groups: Auditor, PCI EPG. Endpoint Groups become available in TrustSec policies.
- Network layer: propagated with SXP as Auditor = 10.1.10.220 and PCI EPG = 10.1.100.52; the Campus Fabric packet is SRC 10.1.10.220, DST 10.1.100.52, SGT Auditor; ACI carries it as plain Ethernet/IP through the ACI Border Leaf (N9K) and ACI Spine (N9K) to PCI 10.1.100.52.

Firewall Deployment Option(s): Single VN - Endpoint to Application (diagram)
- ISE provides SGTs in Campus/WAN (SGT in-line tagging optional) and ACI EPGs to the Firewall via SXP/pxGrid
- Flow: SRC 10.1.10.10 (PCI_Users, SGT 5) to DST 10.1.100.52 (PCI_App)
- IP Address to SGT table: 10.1.10.10 = PCI Users; 12.1.10.10 = LOB2 Users; 11.11.11.4 = PCI_DB; 10.1.100.52 = PCI_App_EPG
- SGFW policy: SGT PCI_Users, DGT PCI_App, permit ip
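The three slides above describe the same mechanism from different angles: ISE holds IP-to-SGT bindings, APIC holds EPG-to-endpoint mappings, ISE merges them, and a group-aware firewall evaluates an SGT/DGT matrix. The following is an added example, not code from the session or from any Cisco product, that models that merge and evaluation in Python. The group names and IP addresses (PCI_Users, LOB2_Users, PCI_DB, PCI_App_EPG, 10.1.10.10, 10.1.10.220, 12.1.10.10, 11.11.11.4, 10.1.100.52, SGT 5) are taken from the slide's binding table; the other tag numbers, the PCI_App to PCI_DB rule and the LOB2 deny row are assumptions made up for the example.

```python
import ipaddress

# Constructed ISE view: SGT name -> tag number and IP/SGT bindings.
# Tag 5 for PCI_Users is from the slide; tags 6 and 7 are assumed.
ISE_SGT_TABLE = {
    "PCI_Users": {"tag": 5, "hosts": ["10.1.10.10", "10.1.10.220"]},
    "LOB2_Users": {"tag": 6, "hosts": ["12.1.10.10"]},
    "PCI_DB": {"tag": 7, "hosts": ["11.11.11.4"]},
}

# Constructed APIC view: EPG name -> endpoints the fabric has learned.
APIC_EPG_TABLE = {
    "PCI_App_EPG": ["10.1.100.52"],
}

# SGFW-style matrix keyed by (source group, destination group). Each cell is a
# list of (action, protocol, port) rules; a flow with no matching cell or rule is
# denied, which is the zero-trust default. The PCI_Users -> PCI_App_EPG row is the
# slide's "permit ip"; the intra-group deny mirrors "sgt1 <-> sgt1 = deny ip";
# the other two rows are assumed for illustration.
POLICY_MATRIX = {
    ("PCI_Users", "PCI_App_EPG"): [("permit", "ip", None)],
    ("PCI_App_EPG", "PCI_DB"): [("permit", "tcp", 1433)],
    ("PCI_Users", "PCI_Users"): [("deny", "ip", None)],
    ("LOB2_Users", "PCI_App_EPG"): [("deny", "ip", None)],
}


def build_group_table(ise_table, apic_table):
    """Merge IP -> group mappings from both domains into one lookup table.

    This is the step ISE performs when APIC shares EPG/endpoint pairs: the EPG
    becomes a group the firewall can reference. An IP claimed by two different
    groups is a policy ambiguity, so it is reported instead of silently overwritten.
    """
    table = {}
    sources = [(name, data["hosts"]) for name, data in ise_table.items()]
    sources += list(apic_table.items())
    for group, hosts in sources:
        for host in hosts:
            ip = ipaddress.ip_address(host)
            if ip in table and table[ip] != group:
                raise ValueError(f"{ip} is bound to both {table[ip]} and {group}")
            table[ip] = group
    return table


def classify(table, ip):
    """Return the group for an IP, or 'Unknown' when neither domain has bound it."""
    return table.get(ipaddress.ip_address(ip), "Unknown")


def evaluate(table, matrix, src_ip, dst_ip, proto="ip", dport=None):
    """Return ('permit' | 'deny', reason) for one flow; the first matching rule wins."""
    sgt, dgt = classify(table, src_ip), classify(table, dst_ip)
    for action, rule_proto, rule_port in matrix.get((sgt, dgt), []):
        proto_ok = rule_proto == "ip" or rule_proto == proto
        port_ok = rule_port is None or rule_port == dport
        if proto_ok and port_ok:
            return action, f"{sgt} -> {dgt}: {action} {rule_proto} {rule_port or ''}".strip()
    return "deny", f"{sgt} -> {dgt}: no matching cell, default deny"


if __name__ == "__main__":
    groups = build_group_table(ISE_SGT_TABLE, APIC_EPG_TABLE)
    for flow in [("10.1.10.220", "10.1.100.52", "tcp", 443),
                 ("12.1.10.10", "10.1.100.52", "tcp", 443),
                 ("10.1.100.52", "11.11.11.4", "tcp", 1433),
                 ("10.1.100.52", "11.11.11.4", "tcp", 22),
                 ("10.1.10.10", "10.1.10.220", "icmp", None)]:
        print(flow, "->", evaluate(groups, POLICY_MATRIX, *flow))
```

The point of the conflict check in build_group_table is the one the deck keeps returning to: once two policy domains feed the same enforcement point, a host that is classified differently by each domain produces policy that nobody intended, and it is better to fail the import than to let the last writer win.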

Problem Statement: DC Automation != Security Automation (Customer Deployment Example)
- A large global company has 200+ perimeter firewalls managed by a firewall console external to ACI
- ACI is being used to instantiate applications that are consumed by business partners
- Each time an application was enabled in ACI via automation, there was no automation of the fact that a new workload needed to be represented in the firewall console for the 200+ perimeter firewalls
- Hence a fallback to a manual process had to be invoked to enable firewall policies on the 200+ perimeter firewalls
- DC Automation did not equal Security Automation

TrustSec/ACI Interop = Security Automation (Customer Deployment Example)
(diagram: APIC-DC, ISE, SGT-aware StealthWatch, partner groups Supplier1, Supplier2, Joint Venture1; user tags Voice, Non-Compliant, Employee, Development, BYOD; ACI group info www, Web Prod App, Dev App, PCI App, Database, shared using Security Group Tags)
- ACI automation of applications triggers learning of the IP/EPG, which is shared to ISE
- ISE maps the IP/EPG to SGTs
- These SGTs are then shared with the firewalls via pxGrid
- The firewalls are updated with the new IP/SGT (EPG) and policy is invoked automatically
- IP/SGT (EPG) is also shared with Stealthwatch
TrustSec/ACI interoperability via ISE = Security Automation: this means that ACI EPGs are now relevant to the 200+ perimeter firewalls.

Extending Policy to Public IaaS

Agenda
- Enabling Group-based Policies w/ AWS
- Cisco Cloud Policy Platform (CPP)
- ACI Anywhere
- Tetration Policy Discovery, Visibility and Enforcement
- Putting it all together

Enabling Group-based Policies w/ AWS (diagram: CSR and NGFWv pairs with ISE)

Extending Policy & Control into AWS: leverage Security Group Tags (SGT) within the AWS Transit VPC environment
- Today: configure SGTs and ISE controls on the CSRv/ASAv within the AWS Transit VPC environment, then manually create policy groups within ISE to test managing segmentation and control between VPCs
- Roadmap: leverage CPP to import AWS Transit VPC security groups into ISE dynamically instead of manually creating policy groups

AWS Transit VPC: Simplifying Segmentation and Control (diagram)
- Spoke VPCs: VPC1 App 1 (dev, Dev VPC Tag), VPC2 App 2 (prod, Prod VPC Tag), VPC3 App 3 (CL, Cisco Live Tag)
- Transit VPC hub across AZ1 and AZ2 with CSRvs, Dynamic Route Peering, and Direct Connect to the Data Center; ISE provides Identity & Access Control and Policy Enforcement
- User tags: Employee, Developer, Guest, Non-Compliant; the policy matrix marks which tags may reach App 1 (VPC1), App 2 (VPC2) and App 3 (VPC3)
- Benefits: control traffic between VPCs; simplify security configurations; scale security group control; single control point
- Control access to spoke VPCs based on SGT tags and policy enforcement within the Transit VPC hub CSRvs

AWS Transit VPC: Simplifying Segmentation and Control (diagram, repeated across two slides)
- Spoke VPCs: VPC1 Dev 20.0.0.0/16 (Dev VPC Tag), VPC2 Prod 30.0.0.0/16 (Prod VPC Tag), VPC3 CiscoLive (Cisco Live Tag)
- Transit VPC across AZ1 and AZ2 with CSR1 and CSR2, Internet breakout, Dynamic Route Peering, and Direct Connect via an ASR to the Data Center 192.168.0.0/16 where ISE provides Identity & Access Control and Policy Enforcement
- Users 192.168.0.6 (Employee Tag) and 192.168.1.2 (Developer Tag); the policy matrix marks which of Employee and Developer may reach Dev (VPC1), Prod (VPC2) and CiscoLive (VPC3)
- Benefits: control traffic between VPCs; simplify security configurations; scale security group control; single control point; secure Internet breakout by enabling Snort IPS on the CSR
- Controls: Spoke to Spoke, User to App, App to App, Internet

Cisco Cloud Policy Platform (CPP)

Enabling Group-based Policies across the Enterprise
Goal: share group information between cloud domains and the Enterprise to simplify policy management
(diagram: Cloud Policy Platform exchanging "Groups Available" with DNA-C/ISE, APIC and cloud environments via ODL; status labels In Progress / Future / Future)
- Share classifications to reduce SecOps effort, deliver consistency and simplify audit tasks
- ACI EndPoint Groups and Enterprise Security Groups are exchanged through the Cloud Policy Platform
- Enable adoption of different cloud environments without duplicating group policy management

Campus User to Cloud Access Control - Typical Scenarios
- Policy enforced in the enterprise network OR in the cloud (Virtual Firewall or SGACL-capable virtual routers, e.g. ASAv, CSR-1000v, ISRv, FTD)
- AWS Security Groups and Azure Network Security Groups (Prod App, Dev App) are the cloud-side classifications
- Avoids policy changes as new workloads are provisioned in clouds
(diagram: Employee, Developer, Guest and Non-Compliant tags from ISE in the Enterprise Policy Domain against Dev Apps and Prod Apps, with Policy Enforcement Options on both the enterprise and cloud side)

Define Classification Policy: AWS attributes (AWS tags, Security Groups); the information is rendered to the Cisco network as SGTs.

Using Group Information From CPP: in ISE, and in security appliances for workloads in hybrid cloud and on premises.

ACI Anywhere

ACI Anywhere - Vision: Any Workload, Any Location, Any Cloud (diagram: Remote PoD, Multi-Pod / Multi-Site, and Hybrid Cloud Extension over IP WAN spanning Remote Location, On Premise and Public Cloud). Security Everywhere, Analytics Everywhere, Policy Everywhere.

ACI Anywhere Multi-Cloud (Future) (diagram: Multisite Orchestrator over an IP Network connecting Site 1 and Site 2)
- Consistent policy enforcement on-prem & Public Cloud
- Automated inter-connect provisioning
- Simplified operations with end-to-end visibility

Policy Discovery, Visibility and Enforcement with Tetration

Enabling Group-based Policies across the Enterprise (Cisco Tetration Analytics Platform)
Raw Data Sources (Flow Information):
- Tetration software agents
- ERSPAN / out-of-band sensor
- Tetration hardware agents (Nexus 9k)
- Netflow (v9 & IPFIX)
Policy Sources:
- Zero-Knowledge (Dynamic Discovery)
- Firewalls
- ACI
- ISE
- AlgoSec / Tufin
- CMDB

Enabling Group-based Policy Discovery (diagram: Cisco Tetration Analytics Platform and APIC)

Security challenges in current Data Centers (brownfields / cloud migrations)
- How to define a Zero-Trust Model for my current applications? Application-Dependency Mapping, discovery plane
- How to rapidly deploy that model into ACI? Contracts, Filters, EPGs

Current Network Centric Deployments (diagram): Unenforced VRFs; EPGs for VLAN 10, 20, 30, 40 and 31, 32, 33, each with bare-metal (BM) endpoints. VLAN10 == BD10 == EPG10.

Tetration Analysis: Dependency Mapping (diagram): Network Centric (VLAN 10, VLAN 20, VLAN 30 joined by contracts) fed through the Tetration Analytics Engine to produce an Application Centric model (Web, App, DB joined by contracts). https://github.com/cmchenr?tab=repositories

Application Centric Deployments: Inter EPG (diagram): Application X with Web App1, Web App2, Web App3 and bare-metal (BM) endpoints, with contracts (C) to Image Servers, Shared Services and Database EPGs.

Application Centric Deployments: Inter and Intra EPG Enforcement (diagram): the same Application X, now with contracts (C) also between endpoints within the Web App EPGs, in addition to the contracts to Image Servers, Shared Services and Database.

Policy Is Imported & Massaged and Enforced on ACI (diagram: Tetration Policy)

Pervasive Enforcement: Tetration Agent with Zero Trust White-List Policy
- Enforcement via IPSets / IPTables and native endpoint firewalls (Windows Firewall)
- Covers Public Cloud, Bare Metal and Virtual workloads
- Cisco ACI (TM*) and Traditional Network*

Tetration Identity with ISE

Tetration Identity with ISE provides the following benefits:
- IP to SGT / IP to SGT/User mappings: give context to flows in a single interface
- Dynamic mappings: support for shared devices where the user changes
- Flow search by Username, Group or SGT: what were the connections from user X?
- ADM maps reflecting SGT tags: which devices or users are accessing the right applications
ISE publishes updates over the pxGrid message bus; Tetration consumes this message bus and annotates the hosts / endpoints provided by ISE.

ISE Provides Campus Identity to Tetration DCs (diagram)
1) The sensor endpoint is sending telemetry data (software sensor).
2) The endpoint also authenticates with ISE, which notifies our identity repository via pxGrid (User: Tony, SGT: 16 (Doctors), IP: 23.72.193.172).
3) Tetration merges the two streams and outputs dynamically generated policy.
Enforced policies for User: Tony or SGT:16=Doctors against App: Patient-Data (EPG): may access patient records; may not access employee data.

Policy Enforcement: User / SGT based policy enforcement leveraging the Software Enforcement Agent (server side)

User to Application: Inter EPG (diagram): L3Out External EPGs for Employee and Doctors; contracts (C) to the Web Server Farm, Middleware (i.e. J), DB Servers, Image Servers, patient-data and Imaging Database EPGs with bare-metal (BM) endpoints; Employee access to patient-data is blocked (X), Doctors access is permitted.

How Does It Work? Tetration automatically converts your intent into black- and white-list rules.
Intent -> Rules:
- Block non-production apps talking to production apps -> SOURCE 10.0.0.0/8, DEST 128.0.0.0/8
- Allow Doctors apps to access patient-data -> SOURCE 128.0.10.0/24, DEST 128.0.11.0/24
- Block all HTTP connections that are not destined to web servers -> SOURCE *, DEST 128.0.100.0/24, PORT = 80; SOURCE *, DEST *, PORT = 80

Using Tetration to Drive FW/ASA Configuration
Whitelist Policy Recommendation (available in JSON, XML, and YAML):
    {
      "src_name": "External",
      "dst_name": "Domain Controllers",
      "whitelist": [
        { "port": [0, 0], "proto": 1, "action": "ALLOW" },
        { "port": [389, 389], "proto": 6, "action": "ALLOW" },
        { "port": [445, 445], "proto": 6, "action": "ALLOW" }
      ]
    }
Standard Tetration whitelist policy is filtered for firewall zones and converted to ASA ACL format by a Python script (https://www.github.com/cmchenr/tetration-asa).
Validated Whitelist ASA Config (converted from JSON):
    object-group network Domain_Controllers
     network-object host 7.0.0.11
     network-object host 7.0.0.12
    object-group network MSSQL_Database
     network-object host 7.0.0.21
     network-object host 7.0.0.22
    !
    access-list ACL_IN extended permit tcp any object-group Domain_Controllers eq ldap
    access-list ACL_IN extended permit tcp any object-group Domain_Controllers eq 445
    access-list ACL_IN extended permit udp any object-group MSSQL_Database eq 3389

Using Tetration to Drive ASA Configuration
    object-group network DB
     network-object host 172.17.20.86
     network-object host 172.17.20.87
     network-object host 172.17.20.85
These are clusters that have been discovered by Tetration. They are grouped together as object groups in the ASA. The definitions come from the Clusters section of the JSON export.

Using Tetration to Drive ASA Configuration

2. Filters:

  object-group network Patient-Data
   network-object 172.16.1.0 255.255.255.0

These are filters that have been uploaded into Tetration based on IPAM data about subnet descriptions. This is the same mechanism that would be used to build a policy to an SGT.

Using Tetration to Drive ASA Configuration

3. Policy / contracts:

  access-list ACL_IN extended permit udp object DB_VIP object Shared_Services_Mgmt_Net eq domain
  access-list ACL_IN extended permit udp object DB_VIP object Shared_Services_Mgmt_Net eq ntp
  access-list ACL_IN extended permit tcp object Users object Default:Datacenter:Tetration eq https
  access-list ACL_IN extended permit tcp object Users object Default:Datacenter:Tetration eq 5640

These are the individual policies discovered by Tetration, filtered so that only the ones that would traverse the ASA's interfaces (based on the ASA routing table) are represented. You can find them in the Default Policies section of the JSON.
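As an added example (not the tetration-asa script from the slides), the following Python renders the three steps above from a Tetration-style export: clusters become host object-groups, IPAM filters become subnet object-groups, and whitelist entries become access-list permits. The whitelist fragment copies the slide; the "clusters", "filters" and "default_policies" layout of the sample export is an assumption.

```python
import ipaddress
import json

# Constructed sample export. The whitelist fragment follows the slide; the
# "clusters" / "filters" / "default_policies" layout is an assumption.
EXPORT = json.loads("""{
 "clusters": [{"name": "Domain Controllers",
               "nodes": [{"ip": "7.0.0.11"}, {"ip": "7.0.0.12"}]}],
 "filters": [{"name": "Patient-Data", "subnet": "172.16.1.0/24"}],
 "default_policies": [{
   "src_name": "External", "dst_name": "Domain Controllers",
   "whitelist": [{"port": [0, 0], "proto": 1, "action": "ALLOW"},
                 {"port": [389, 389], "proto": 6, "action": "ALLOW"},
                 {"port": [445, 445], "proto": 6, "action": "ALLOW"}]}]
}""")

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}   # IANA protocol numbers used in the export

def obj_name(name):
    return name.replace(" ", "_")          # ASA object names may not contain spaces

def render_objects(export):
    """Clusters -> host object-groups; IPAM filters -> subnet object-groups."""
    lines = []
    for c in export.get("clusters", []):
        lines.append(f"object-group network {obj_name(c['name'])}")
        lines += [f" network-object host {n['ip']}" for n in c["nodes"]]
    for f in export.get("filters", []):
        net = ipaddress.ip_network(f["subnet"])
        lines.append(f"object-group network {obj_name(f['name'])}")
        lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines

def render_acl(export, acl="ACL_IN"):
    """Whitelist entries -> permit lines; anything not listed hits the implicit deny."""
    lines = []
    for pol in export.get("default_policies", []):
        # The slide renders the "External" source as 'any' on the ASA
        src = "any" if pol["src_name"] == "External" else f"object-group {obj_name(pol['src_name'])}"
        dst = f"object-group {obj_name(pol['dst_name'])}"
        for rule in pol["whitelist"]:
            if rule["action"] != "ALLOW":
                continue                    # only permits are rendered in a whitelist model
            proto = PROTO[rule["proto"]]
            lo, hi = rule["port"]
            port = "" if proto == "icmp" else (f" eq {lo}" if lo == hi else f" range {lo} {hi}")
            lines.append(f"access-list {acl} extended permit {proto} {src} {dst}{port}")
    return lines

if __name__ == "__main__":
    print("\n".join(render_objects(EXPORT) + ["!"] + render_acl(EXPORT)))
```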

What about the case where there is NAT?

SNAT:
- Kafka (message bus)

Flow-data:
- h/w Sensor
- OOB sensor

Tetration Visibility

Flow Search
- Search by Username
- Search by SGT

ADM

Compliance, Policy Validation
All flows are tracked 4 ways:
- Permitted: bidirectional flows that match the policy
- Misdropped: permitted traffic where we have dropped a packet
- Escaped: bidirectional flows that are against the policy
- Rejected: uni-directional flows that are against the policy
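An added example (not Tetration's own code) of the four-way classification above, run over a few constructed flow records against a small whitelist in the style of the earlier intent slide; the rule and flow shapes are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed whitelist: (source, destination, proto, destination port).
# Anything not covered by a rule is implicitly denied, as in the deck's model.
POLICY = [
    ("10.0.0.0/8", "128.0.100.0/24", "tcp", 80),
    ("128.0.10.0/24", "128.0.11.0/24", "tcp", 1433),
]

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    bidirectional: bool   # did the destination answer?
    dropped: bool         # did an enforcement point drop any packet of it?

def matches_policy(flow):
    """True when some whitelist rule covers the flow."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return any(s in ipaddress.ip_network(rs) and d in ipaddress.ip_network(rd)
               and flow.proto == p and flow.dport == port
               for rs, rd, p, port in POLICY)

def classify(flow):
    """Map a flow to one of the four compliance buckets from the slide."""
    if matches_policy(flow):
        return "misdropped" if flow.dropped else "permitted"
    return "escaped" if flow.bidirectional else "rejected"

# Constructed sample flows, one per bucket.
FLOWS = [
    Flow("10.1.2.3", "128.0.100.7", "tcp", 80, True, False),   # permitted
    Flow("10.1.2.3", "128.0.100.7", "tcp", 80, False, True),   # misdropped
    Flow("10.9.9.9", "128.0.11.5", "tcp", 1433, True, False),  # escaped
    Flow("10.9.9.9", "128.0.11.5", "tcp", 22, False, False),   # rejected
]

def summarize(flows):
    counts = {"permitted": 0, "misdropped": 0, "escaped": 0, "rejected": 0}
    for f in flows:
        counts[classify(f)] += 1
    return counts

if __name__ == "__main__":
    print(summarize(FLOWS))
```

An "escaped" flow is the one worth alerting on: the policy says it should not exist, yet the destination answered, so enforcement is missing or bypassed somewhere on the path.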

Putting it all Together

APIC

Tetration with StealthWatch: Leverage information from Tetration
Export workspaces, clusters and applications discovered in Tetration to StealthWatch Host Groups.
(Cisco StealthWatch <- Tetration Data (Network Analytics))

Tetration with StealthWatch: Leverage information from Tetration
Monitoring unified policy.
(Cisco StealthWatch <- Tetration Data (Network Analytics))

Putting it all together: Campus/Branch + DC + Cloud
Customer Deployment Example
- Campus / Branch: Users; TrustSec enforcement; ISE; Stealthwatch
- Data Center: Cisco Tetration Analytics Platform (fine-grain policy); APIC (micro-segmentation / coarse-grain policy)
- Cloud / IaaS: TrustSec + Tetration enforcement; Cloud Policy Platform

Cisco Spark: Questions?
Use Cisco Spark to communicate with the speaker after the session.
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#brksec-2980

Complete Your Online Session Evaluation
Please complete your Online Session Evaluations after each session. Complete 4 Session Evaluations and the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt. All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.


Continue Your Education
- Demos in the Cisco campus
- Walk-in Self-Paced Labs
- Tech Circle
- Meet the Engineer 1:1 meetings
- Related sessions

Thank you