Cisco Connect Halifax 2018 Application insight and zero trust policies with cisco tetration
1 like658 views
This document provides an overview of Cisco Tetration, which is a platform that provides application dependency mapping, segmentation, and security across data centers, public clouds, and hybrid environments. It analyzes network traffic using software sensors to map application dependencies and clusters. It then generates whitelist policies and enforces segmentation policies across workloads to limit communication based on application ownership and intent-based rules. The platform also provides capabilities for compliance monitoring, inventory tracking, performance monitoring, and ecosystem integration. It has various deployment options including on-premises, public cloud, and as a managed service.
![Whitelist Policy Recommendation
Application discovery
{
"src_name": "App",
"dst_name": "Web",
"whitelist": [
{
"port": [0, 0],
"proto": 1,
"action": "ALLOW"
},
{
"port": [80, 80],
"proto": 6,
"action": "ALLOW"
},
{
"port": [443, 443],
"proto": 6,
"action": "ALLOW"
}
]
}
Whitelist policy recommendation
(available in JSON, XML, and YAML)](https://image.slidesharecdn.com/ciscoconnecthalifax2018-applicationinsightandzerotrustpolicieswithciscotetration-180405154323/85/Cisco-Connect-Halifax-2018-Application-insight-and-zero-trust-policies-with-cisco-tetration-10-320.jpg)
Cisco Connect Halifax 2018 Application insight and zero trust policies with cisco tetration
- 1. © 2017 Cisco and/or its affiliates. All rights reserved. 1 Nadir Lakhani Technical Solutions Architect April, 2018 Cisco Connect Your Time Is Now Application Insight and Zero-Trust Policies with Cisco Tetration
- 2. What does Tetration mean? • Tetration (or Hyper -4) is the next hyperoperation after exponentiation, and is defined as iterated exponentiation. The word was coined by Reuben Louis Goodstein, from tetra – (four) and iteration. Tetration is used for the notation of very large numbers.
- 3. Rapid App Deployment Continuous Development Application Mobility Micro Services Policy Enforcement Heterogeneous Network Secure Zero-Trust Policy Compliance Security Challenges in Modern Data Centers Securing Applications Has Become Complex Applications Are Driving Modern Datacenter Infrastructure
- 4. Cisco Tetration Platform Use Cases Application Insight Process Inventory Visibility and Forensics Cisco Tetration™ Platform Foundation Segmentation Operations White-list Policy Policy Compliance Application Segmentation Process Security Software Inventory Baseline Advanced Security Neighborhood Graphs Network and TCP Performance
- 5. Cisco Tetration Platform Architecture Overview Web GUI REST API Event notification Cisco Tetration apps Third-Party Sources (Configuration Data) Software Sensor and Enforcement Data Collection Layer Container Host Sensors* Embedded Network Sensors (Telemetry Only) ERSPAN Sensors (Telemetry Only) Netflow Sensors* (Telemetry Only) Analytics Engine *Support coming in Q2CY18
- 6. Cisco Tetration analytics data sources Main features ü Low CPU overhead (SLA enforced) ü Low network overhead ü New Enforcement point (software agents) ü Highly secure (code signed and authenticated) ü Every flow (no sampling) and no payload *Note: Available for POC/Trail purposes only Software sensors Linux servers (virtual machine and bare metal) Windows servers (virtual machines and bare metal) Windows Desktop VM (virtual desktop infrastructure only) Cisco Nexus 9300 EX Cisco Nexus 9300 FX Network sensors Next-generation Cisco Nexus® Series Switches Other Sensors Other types of sensorsAvailable today Container Host* (Host OS – Linux Based) ERSPAN Sensor Netflow Sensor* *Support coming in Q2CY18
- 7. 7© 2017 Cisco and/or its affiliates. All rights reserved. Application Dependency Mapping
- 8. Application Dependency and Cluster Grouping Bare-metal, VM, and switch telemetry Cisco Tetration Analytics™ platform Unsupervised machine learning Behavior analysis On-premises and cloud workloads (AWS) Bare-metal and VM telemetry VM telemetry (AMI …) BM VM BMVM VM BM BMVM BM VM BM VMVM Bare metal and VM BM VM VM BM Brownfield üüü ü BM VM VM BM üüü ü Network-only sensors, host-only sensors, or both (preferred) BM VM VM VM BM Cisco Nexus® 9000 Series ü
- 9. Application clusters conversation views Policy details Application Conversation View
- 10. Whitelist Policy Recommendation Application discovery { "src_name": "App", "dst_name": "Web", "whitelist": [ { "port": [0, 0], "proto": 1, "action": "ALLOW" }, { "port": [80, 80], "proto": 6, "action": "ALLOW" }, { "port": [443, 443], "proto": 6, "action": "ALLOW" } ] } Whitelist policy recommendation (available in JSON, XML, and YAML)
- 11. © 2016 Cisco and/or its affiliates. All rights reserved. 11 Compliance, Policy Validation All Flows are tracked 4 ways • Permitted, bidirectional flows that match the policy • Misdropped, permitted traffic where we have dropped a packet • Escaped, bidirectional flows that are against the policy • Rejected, uni-directional flows that are against the policy
- 12. User-Uploaded asset tags • Discovered inventory • Uploaded inventory and metadata (32 arbitrary tags) • Inventory tracked in real time, along with historical trends User-uploaded tags Cisco Tetration Analytics™ sensor feed Real-time inventory merged with information with historical trends Cisco Tetration Analytics merge operation VMware vCenter (virtual machine attributes) AWS attributes (AWS tags)
- 13. Segmentation Policy: Express Policies in Human Language Development can’t talk to production • Cisco Tetration™ knows who is production • Cisco Tetration knows who is development • Policies are continuously updated as applications change
- 14. 14© 2017 Cisco and/or its affiliates. All rights reserved. Application segmentation
- 15. Cisco Tetration application segmentation Policy recommendation Cisco Tetration™ Application workspaces Application segmentation policy Public cloud Private cloud On-premise
- 16. How Does it Work? Cisco Tetration™ automatically converts your intent into blacklist and whitelist rules Intent Rules Block nonproduction applications from talking to production applications SOURCE 10.0.0.0/8 DEST 128.0.0.0/8 Allow HR applications to use the employee database SOURCE 128.0.10.0/24 DEST 128.0.11.0/24 Block all HTTP connections that are not destined for web servers SOURCE * DEST 128.0.100.0/24 PORT = 80 SOURCE * DEST * PORT = 80
- 17. Rule-Processing Order • Application owners need some amount of autonomy to make application-level changes quickly • Security and network teams need to control the global aspects of application interconnection and shared services • Cisco Tetration™ flattens intent in a deterministic order, prioritizing intent of higher-authority users over intent of application owners Security team rules Network team rules Application owner rules
- 18. Enforcement of policy across any floor tile Azure Amazon Cisco Tetration Analytics™ 1. Generates unique policy per workload 2. Pushes policy to all workloads 3. Workload securely enforces policy 4. Continuously recomputes policy from identity and classification changes Google Enforcement Compliance monitoring VirtualBare metal Cisco ACITMPublic cloud Traditional network
- 19. © 2016 Cisco and/or its affiliates. All rights reserved. 19 Tetration Policy Enforcement in Cisco ACI Cisco Tetration Analytics™ Northbound REST Interface • Use Tetration fine grained ADM to create ACI compatible Policy* • Assign Tetration policy elements to ACI policy elements • Understand the impact (TCAM) of policy • Provide optimizations to efficiently fit policy in fabric Tetration ACI App Application White- list App *Not all Tetration policy features can be supported by ACI Cisco Tetration Analytics™
- 20. © 2016 Cisco and/or its affiliates. All rights reserved. 20 Cisco ACI Fabric Enforcement – TCAM Optimization For a large deployment Applying generalization to Top 5 policy groups Results in 160K 78% TCAM saving • Adjust the policy enforcement mechanism based on TCAM utilization • Enforce as-is • Enforce outgoing connection as-is (Incoming will be generalized) • Enforce incoming as-is (outgoing will be generalized) • Generalize enforcement in both directions • Visualize TCAM impact on associated leaf switches
- 21. 21© 2017 Cisco and/or its affiliates. All rights reserved. Network performance
- 22. Performance monitoring With deep-visibility software sensors only Cisco Tetration™ With deep-visibility software sensors installed on servers Application limited • Process or server cannot drain traffic fast enough • Identify whether limitation is on provider or consumer slide Network limited • Network congestion is causing TCP congestion and window collapse Enhanced TCP metrics • SRTT latency • Application-perceived latency • TCP retransmissions • TCP congestion window reduced • TCP MSS changed • TCP zero window • Long TCP handshakes
- 23. Performance monitoring With Cisco ACI and Cisco Nexus 9300 FX switches only Cisco Tetration™ Cisco ACI™ infrastructure using Cisco Nexus® 9300 FX leaf switches and Cisco Nexus 9300 FX line cards in spine Track topology and topology changes using time series • Covers fabric and external devices such as servers (LLDP required) • Flow-context-specific topology views View traffic flow information in time series • Mapping of individual flows to fabric topology and queues • Per-flow hop-by-hop path view • Per-hop latency and fabric latency • Fabric drop indicators View link and queue information in a fabric in time series • Flows through a particular link • Throughput information • Average and maximum latency • Drop indicators Additional flow search capabilities • Search for specific flows within a link and queue • Search based on fabric links • Search based on class of service *PTP required in production fabric
- 24. 24© 2017 Cisco and/or its affiliates. All rights reserved. Other use cases
- 25. • Dedicated virtual machines on each host with 3 software sensors in each virtual machine • Each sensor binds to a separate vNIC • ERSPAN terminates on the virtual machine vNIC • Each sensor terminates one ERSPAN session • Sensor generates telemetry based on the data-plane traffic • Horizontally scalable Layer 3 connection ERSPAN Layer 3 switch Cisco Tetration telemetry: ERSPAN option Expanded telemetry collection option • Augment telemetry from other parts of the network • Useful when software sensor or hardware sensor is not feasible Cisco Tetration™ telemetry Cisco Tetration™ Platform Production network Production network
- 26. Insight-based notification: Neighborhood graphs Cisco Tetration Analytics™ Kafka broker Northbound consumers Northbound consumers Message publish Kafka Neighborhood graphs • Find up to two-hop communication neighbors for a selected workload • Drill down into details about communication between these neighbors • View dashboard display using graph database • Determine the number of server hops between two workloads • Get out-of-the-box and customer alerts through Kafka
- 27. Virtual Desktop Infrastructure: Visualization Main features ü Support Microsoft Windows Desktop 7, 8, and 10 ü Get per-packet, per-flow visibility ü Correlate traffic with process on the desktop instances ü Tie VDI user traffic to application workspace VDI instances Cisco Tetration Analytics™
- 28. Policy-related notification Cisco Tetration Analytics™ Kafka broker Northbound consumers Northbound consumers Message publish Kafka • Alerts every minute for enforcement • Policy compliance event notifications • Count of policy alerts until whitelisted • Alerts when IP tables or firewall is flushed or disabled by user • Alerts when enforcement sensor is disabled • Publishes policy differences between versions
- 29. 29© 2017 Cisco and/or its affiliates. All rights reserved. Deployment options
- 30. Cisco Tetration Cloud • Software deployed in public cloud • Suitable for deployments of less than 1000 workloads • Public cloud instance owned by customer Cisco Tetration™ platform (large form factor) • Suitable for deployments of more than 5000 workloads • Built-in redundancy • Scales to up to 25,000 workloads Includes: • 36 Cisco UCS® C220 servers • 3 Cisco Nexus® 9300 platform switches Cisco Tetration-M (small form factor) • Suitable for deployments of less than 5000 workloads Includes: • 6 Cisco UCS C220 servers • 2 Cisco Nexus 9300 platform switches Cisco Tetration: On-Premises Deployment options Amazon Web Services Hardware Options Public cloud Microsoft Azure Software Only Option Cisco Tetration Software only option • Suitable for deployments of less than 1000 workloads • Published hardware requirements • Supported in Vmware ESXi based environment Coming in Q2CY18
- 31. Cisco Tetration™ as a Service • Software as a Service model: no need to purchase, install and manage hardware or software • Fully managed and operated by Cisco • Suitable for commercial customers and SaaS-first/SaaS-only customers • Flexible pricing model, lower barrier to entry • Quick turn up • Scales to up to 25,000 workloads Cisco Tetration : As-a-Service Option Cisco Tetration as a Service Coming in Q2CY18
- 32. 32© 2017 Cisco and/or its affiliates. All rights reserved. Ecosystem
- 33. Cisco Tetration Analytics: Ecosystem Cisco Tetration Analytics™ Application Dependency Layer4-7 Services Enforcement Visibility and Optimization Insight exchange
- 34. Open In summary: Platform built for scale and flexibility Real time and scalable Holistic workload protection Easy to use • Every packet, every flow • Application segmentation for 1000s of applications • Extends visibility to process and software packages • Long term data retention • Consistent application segmentation • Any workload, anywhere • Process behavior deviations • Software package vulnerability • One touch deployment • Self monitoring • Self diagnostics • Standard web UI • REST API (pull) • Event notification (push) • Tetration applications
- 35. Thank you.