Benjamin Rossignol, Security Consulting Systems Engineer, [email protected]

Simplifying Security in the Data Center

Upload: cisco-canada, posted 08-Jan-2017


Agenda

How do we Simplify the Secure Data Center?

• Introduction

• Micro-Segmentation

• Secure VDI

• ACI-TrustSec Integration

• Security Feedback Loop with Firepower

ACI Service Graphs Keep it Simple

[Figure: an ACI Web Contract between a Client EPG (consumer) and a Web EPG (provider), with managed or unmanaged L4-L7 devices inserted by the service graph]

ACI Allows for Easier Services Insertion

L4-L7 Service Automation: Support for All Devices (Any Device and Cluster Manager Support)

[Figure: Cisco ACI service graph with three insertion modes: L4-L7 device package, no device package, and service cluster manager]

• Centralized L4-L7 service configuration and management

• Full L4-L7 service automation (with device package)

• Large ecosystem and investment protection

• Security policy follows workload

• Centralized security provisioning and visibility

• Automated service insertion and chaining

• Support for any L4-L7 device

• New support for L4-L7 cluster managers

Embedded Security: Micro-Segmentation, Security Automation, Encryption, Analytics

Same Policy Model across physical and any virtualization or cloud technology

[Figure: the same policy applied to VMs and containers on every platform: KVM (OpFlex Agent, Open vSwitch, V(X)LAN), ESXi (Cisco AVS or VMware DVS, V(X)LAN), Hyper-V (MSFT vSwitch, V(X)LAN), Docker (OpFlex Agent, Open vSwitch, V(X)LAN) and Bare Metal (VLAN)]

Using Micro Segmentation

Can we use Micro Segmentation within ACI to effectively isolate application traffic?

Macro Segmentation: the separation of Trusted and Untrusted environments.

Examples:

• Internet

• Campus

• Datacenter

• Development

• Production

Building blocks: Service Graphs, Firewalls, ACLs, EPGs

Micro Segmentation: ring-fencing, or isolating application traffic to a specific set of servers within a datacenter.

Examples:

• Web Tier to Application

• Application to Database

Building blocks: Service Graphs, EPGs, Virtual Firewalls

Micro-Segmentation with ACI

[Figure: EPG-Web micro-segmented across platforms: VMware vDS, Cisco AVS, IP/MAC EPG, Hyper-V vSwitch and Open vSwitch, each attached over VLAN or VXLAN and controlled through OpFlex]

Micro-Segmentation Across any Workload

Attributes and their type:

• MAC Address Filter: Network

• IP Address Filter: Network

• VNic Dn (vNIC domain name): VM

• VM Identifier: VM

• VM Name: VM

• Hypervisor Identifier: VM

• VMM Domain: VM

• Datacenter: VM

• Custom Attribute (VMware AVS/vDS only): VM

• Operating System: VM


MAC-EPG Support in ACI


• MAC-EPG is a micro-segmented EPG whose endpoint membership is based on a MAC address attribute list derived from the endpoints of a Base EPG

• Scoped at BD level

• MAC-EPGs can have large MAC lists

• Use cases: Migrations, Security Feedback Loop, etc.

MAC-EPG (Micro-Segmentation)

[Figure: BD1/subnet1 holds a Base EPG with MAC-EPG-1 through MAC-EPG-N; BD2/subnet2 holds a Base EPG with MAC-EPG-1; contracts join the MAC-EPGs. Within a BD traffic is bridged; inter-BD traffic is routed]
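The attribute table and the MAC-EPG bullets above describe how a Base EPG's endpoints are re-classified into micro-EPGs and then policed by contract. The following is an added illustration of that model in Python, not Cisco code: endpoints are matched against MAC-list, IP-prefix, VM-name and operating-system attributes, membership is scoped to the bridge domain, and a flow between two endpoints is judged by the contract between their resulting EPGs (bridged inside one BD, routed across BDs). All endpoint, micro-EPG and contract data is constructed for the example.

```python
"""Attribute-based micro-segmentation, modelled on the ACI uSeg / MAC-EPG
concepts on these slides. Added example, not Cisco code. All data below
is constructed sample input."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Endpoint:
    mac: str
    ip: str
    vm_name: str
    os: str
    bd: str          # bridge domain of the Base EPG
    base_epg: str


@dataclass(frozen=True)
class MicroEPG:
    name: str
    base_epg: str
    bd: str
    macs: frozenset = frozenset()         # MAC-EPG: explicit MAC attribute list
    ip_prefixes: tuple = ()               # IP attribute(s), e.g. ("10.1.1.0/28",)
    vm_name_prefix: Optional[str] = None  # VM attribute (VM Name)
    os_contains: Optional[str] = None     # VM attribute (Operating System)

    def matches(self, ep: Endpoint) -> bool:
        # Scoped at BD level: an endpoint from another BD or Base EPG never joins.
        if ep.base_epg != self.base_epg or ep.bd != self.bd:
            return False
        if ep.mac.lower() in self.macs:
            return True
        if any(ip_address(ep.ip) in ip_network(p) for p in self.ip_prefixes):
            return True
        if self.vm_name_prefix and ep.vm_name.startswith(self.vm_name_prefix):
            return True
        if self.os_contains and self.os_contains.lower() in ep.os.lower():
            return True
        return False


def classify(ep: Endpoint, micro_epgs: list[MicroEPG]) -> str:
    """EPG the endpoint lands in: the first matching micro-EPG, else its Base EPG."""
    for useg in micro_epgs:
        if useg.matches(ep):
            return useg.name
    return ep.base_epg


def evaluate(src: Endpoint, dst: Endpoint, micro_epgs: list[MicroEPG],
             contracts: set[tuple[str, str]]) -> tuple[str, str]:
    """Return (verdict, forwarding). Forwarding is 'bridged' inside one BD and
    'routed' across BDs; the contract check is on the EPG pair either way, so
    the forwarding mode never bypasses policy."""
    forwarding = "bridged" if src.bd == dst.bd else "routed"
    s_epg, d_epg = classify(src, micro_epgs), classify(dst, micro_epgs)
    if s_epg == d_epg:
        # Intra-EPG traffic is allowed by default (no intra-EPG isolation here).
        return "permit", forwarding
    verdict = "permit" if (s_epg, d_epg) in contracts else "deny"
    return verdict, forwarding


# Constructed inventory: a Web Base EPG in BD1 and a DB Base EPG in BD2.
ENDPOINTS = {
    "web1": Endpoint("00:50:56:aa:00:01", "10.1.1.10", "web-01", "Ubuntu 16.04", "BD1", "Web"),
    "web2": Endpoint("00:50:56:aa:00:02", "10.1.1.11", "web-02", "Windows Server 2012", "BD1", "Web"),
    "db1": Endpoint("00:50:56:aa:00:10", "10.2.2.10", "db-01", "Ubuntu 16.04", "BD2", "DB"),
}

# A MAC-EPG derived from the Web Base EPG (its MAC list would normally be
# pushed by an external system such as the security feedback loop), plus an
# OS-attribute micro-EPG. Order matters: the first match wins.
MICRO_EPGS = [
    MicroEPG("Web-Quarantine", "Web", "BD1", macs=frozenset({"00:50:56:aa:00:02"})),
    MicroEPG("Web-Windows", "Web", "BD1", os_contains="windows"),
]

# Only Web -> DB has a contract; the quarantine micro-EPG has none.
CONTRACTS = {("Web", "DB")}

if __name__ == "__main__":
    for name, ep in ENDPOINTS.items():
        print(f"{name}: {classify(ep, MICRO_EPGS)}")
    print(evaluate(ENDPOINTS["web1"], ENDPOINTS["db1"], MICRO_EPGS, CONTRACTS))
    print(evaluate(ENDPOINTS["web2"], ENDPOINTS["db1"], MICRO_EPGS, CONTRACTS))
```

The quarantined host keeps its IP and stays in BD1, so its traffic to the DB tier is still routed; what changes is the EPG pair the leaf evaluates, and without a contract from Web-Quarantine the flow is denied.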

Micro-Segmentation Demo with ACI

User Segmentation and VDI

[Figure: campus PCs for Sales, IT and HR connect through NGFW/NGIPS to a VDI EPG, and from the VDI EPG through NGFW/NGIPS to a Server EPG in the datacenter]

Solution provides: Next-Generation Security (NGFW, NGIPS, AMP) with Identity controls.

VDI Farm is one big flat subnet, with lateral blocking. Need to provide secure access to Servers.

Secure VDI Use Case Flow: User-Identity Micro-Segmentation with Firepower + ACI

Concept: AD-based user identity policy. Enforce a user-identity-based network access control policy: a Red user can only access Red VMs, a Green user can only access Green VMs.

Use case 1 (Shipping): Consuming Micro-Segmentation. Solution: Intra-EPG Isolation plus an ACI Service Graph with Firepower.

Use case 2: User-Identity Micro-Segmentation with ACI. Solution: ACI Policy Model Extension.

[Figure: for each use case, a Src-EPG and a Dest-EPG joined by a Contract]

Secure VDI Use Case: User-Identity Micro-Segmentation with Firepower + ACI (Shipping)

[Figure: Campus Network users initiate VDI sessions over an L3out into the VDI EPG; a contract between consumer and provider carries a service graph with Firepower (Firepower 4100/9300 running the FTD image, attached by vPC) in front of the Server EPG; FMC learns user identity from Active Directory through the SF User Agent]

VDI Farm: one big flat subnet, but VMs are isolated, blocking lateral traffic.

User-Identity Network Access Control Policy (SourceFire Policy):

• Users (AD Group: VDI Session) Group A, 1.0.0.1 <= VDI IP <= 1.0.0.2: Destination Network (Server EPG) subnet 10.0.0.0/30

• Users (AD Group: VDI Session) Group B, 3.0.0.1: Destination 20.0.0.1
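The policy table above is small enough to evaluate by hand, but the point of the use case is the order of checks: lateral VDI-to-VDI traffic is blocked regardless of identity, a session without a known user gets nothing, and only then is the AD group matched against the destination. The following is an added example of that evaluation, not Firepower or ACI code: the user-to-group and session-to-user tables are constructed stand-ins for what the SF User Agent learns from Active Directory, the VDI address ranges are an assumption, and the sample flows are constructed.

```python
"""User-identity network access control for a flat VDI subnet, modelled on
the Secure VDI policy table (Group A / Group B) on this slide. Added example,
not Firepower or ACI code; identity tables, VDI ranges and flows are
constructed for the illustration."""
from __future__ import annotations

from ipaddress import ip_address, ip_network

# Constructed: user -> AD group (what the SF User Agent would learn from AD logon events).
AD_GROUPS = {"alice": "Group A", "bob": "Group A", "carol": "Group B"}

# Constructed: VDI session IP -> logged-on user (the IP-to-user binding FMC keeps).
SESSION_USER = {"1.0.0.1": "alice", "1.0.0.2": "bob", "3.0.0.1": "carol"}

# Assumption: the address space of the VDI EPG ("one big flat subnet").
VDI_NETWORKS = [ip_network("1.0.0.0/24"), ip_network("3.0.0.0/24")]

# The slide's policy table: (AD group, permitted VDI source IPs, permitted destination).
RULES = [
    ("Group A", [ip_network("1.0.0.1/32"), ip_network("1.0.0.2/32")], ip_network("10.0.0.0/30")),
    ("Group B", [ip_network("3.0.0.1/32")], ip_network("20.0.0.1/32")),
]


def in_vdi(ip) -> bool:
    return any(ip in n for n in VDI_NETWORKS)


def decide(src_ip: str, dst_ip: str) -> tuple[str, str]:
    """Return (verdict, reason) for one flow leaving a VDI session."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    # Lateral movement inside the VDI farm is blocked first (intra-EPG isolation).
    if in_vdi(src) and in_vdi(dst):
        return "deny", "intra-EPG isolation: VDI to VDI"
    # Passive identity: no user bound to the source address means no access.
    user = SESSION_USER.get(src_ip)
    group = AD_GROUPS.get(user) if user else None
    if group is None:
        return "deny", "no user identity for source"
    for rule_group, sources, destination in RULES:
        if group == rule_group and any(src in s for s in sources) and dst in destination:
            return "permit", f"{user} ({group}) -> {destination}"
    return "deny", f"{user} ({group}) has no rule for {dst}"


def apply_policy(flows: list[tuple[str, str]]) -> dict[str, int]:
    """Evaluate a batch of flows, print each decision and count the verdicts."""
    counts = {"permit": 0, "deny": 0}
    for src_ip, dst_ip in flows:
        verdict, reason = decide(src_ip, dst_ip)
        counts[verdict] += 1
        print(f"{src_ip} -> {dst_ip}: {verdict} ({reason})")
    return counts


# Constructed sample flows covering each branch of the decision.
SAMPLE_FLOWS = [
    ("1.0.0.1", "10.0.0.2"),   # Group A user to the Group A server subnet
    ("1.0.0.2", "20.0.0.1"),   # Group A user to Group B's server
    ("3.0.0.1", "20.0.0.1"),   # Group B user to its server
    ("1.0.0.1", "1.0.0.2"),    # VDI to VDI (lateral)
    ("1.0.0.3", "10.0.0.1"),   # session with no known user
]

if __name__ == "__main__":
    print(apply_policy(SAMPLE_FLOWS))
```

Because the VDI farm is one subnet, the source address alone says nothing about who is behind it; the rule only fires once the session IP resolves to a user and that user to a group, which is why the identity feed from Active Directory is the part of the design to monitor.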

Secure VDI Demonstration

User Segmentation

Control of which systems or applications within a datacenter a user or group can connect to.

[Figure: campus PCs tagged 8 SGT / Sales, 3 SGT / HR and 99 SGT / IT reach the Datacenter; user identity comes from TrustSec / Security Group Tags, VLAN assignment, or passive identity from Active Directory]

Problem: Disjointed Identity & Security Policy Domains Between Campus and Data Center

[Figure: the TrustSec policy domain in Campus / Branch / Non-Fabric (Voice, Employee, Supplier and BYOD groups; Voice VLAN and Data VLAN) connects over the WAN to the APIC policy domain in the Data Center (ACI fabric with Web, App and DB EPGs). Identity, grouping and policy domains are disjoint]

• Today the customer has two disjoint identity and security policy domains, in the Campus and in the Data Center:

• TrustSec: User Identity, SGT and SGACL in the Campus

• APIC: App Endpoint Identity, EPG and Contract in the Data Center

• Customer Requirement: a common “Identity,” Tagging and “Security Policy” between the TrustSec and ACI domains

Higher Scale Data Plane Solution (Target Q2-CY17)

[Figure: the TrustSec/ISE policy domain (CMD/SGT) is joined to the ACI policy domain across the WAN (IPsec, DMVPN, GETVPN, OTP) by a TrustSec border router (ASR1K initially) that performs SGT <-> EPG translation, with SXP carrying bindings; three planes connect the domains: Policy Plane (REST API), Routing Plane (MP-BGP EVPN, “Trusted Mode”) and Data Plane (GBP VXLAN) over a Golf L3out; Leaf: -EX only]

ISE Builds Translation Table:

1. GET: VRF-ID, Class-ID

2. SGT <==> VRF-ID, Class-ID

The translation table is then downloaded and EPG handling starts on the ASR1k:

ASR1k(config)# cts sg-epg translations

Campus to ACI Flow (Target Q2-CY17)

SGT-tagged traffic from the TrustSec/ISE policy domain (CMD/SGT) crosses the WAN (IPsec, DMVPN, GETVPN, OTP) to the TrustSec border router (ASR1K initially), which translates SGT to EPG and forwards the traffic as iVXLAN over the Golf L3out into the ACI policy domain. The contract is applied on the leaf (lookup: s-class, d-class, policy) before the traffic reaches the APP-EPG.

ACI to Campus Flow (Target Q2-CY17)

Traffic from the APP-EPG leaves the ACI policy domain as iVXLAN over the Golf L3out under a vzAny contract (permit-all or filter ports). The TrustSec border router (ASR1K initially) translates EPG to SGT and applies per-host policy in the ASR1k before the traffic crosses the WAN (IPsec, DMVPN, GETVPN, OTP) into the TrustSec/ISE policy domain (CMD/SGT).
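The translation table ISE builds, and the two flows through the border router, come down to one bidirectional, VRF-scoped mapping between an SGT and a (VRF-ID, Class-ID) pair. The following is an added Python model of that mapping and of both flows, not Cisco code: the SGT values 8, 3 and 99 are the Sales, HR and IT tags from the User Segmentation slide, while the VRF-ID, class-IDs, the APP-EPG tag and the leaf contract table are constructed. It also shows why the table has to reject ambiguous bindings: the ACI-to-campus direction can only restore one SGT per class.

```python
"""SGT <-> EPG translation at a TrustSec border router, modelled on the ISE
translation table and the Campus-to-ACI / ACI-to-Campus flows on these
slides. Added example, not Cisco code; VRF/class IDs, the APP-EPG SGT and
the contract table are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EpgClass:
    vrf_id: int
    class_id: int   # the s-class / d-class value carried in iVXLAN


class SgtEpgTranslator:
    """Bidirectional, VRF-scoped SGT <==> (VRF-ID, Class-ID) table."""

    def __init__(self) -> None:
        self._sgt_to_epg: dict[int, EpgClass] = {}
        self._epg_to_sgt: dict[EpgClass, int] = {}

    def bind(self, sgt: int, vrf_id: int, class_id: int) -> None:
        """Add one translation. A binding that would map one SGT to two EPGs,
        or one EPG to two SGTs, is rejected: the return flow must be unambiguous."""
        epg = EpgClass(vrf_id, class_id)
        if self._sgt_to_epg.get(sgt, epg) != epg:
            raise ValueError(f"SGT {sgt} already bound to {self._sgt_to_epg[sgt]}")
        if self._epg_to_sgt.get(epg, sgt) != sgt:
            raise ValueError(f"{epg} already bound to SGT {self._epg_to_sgt[epg]}")
        self._sgt_to_epg[sgt] = epg
        self._epg_to_sgt[epg] = sgt

    def campus_to_aci(self, sgt: int, vrf_id: int) -> Optional[int]:
        """Class-ID to write into iVXLAN for an SGT-tagged packet; None if unknown
        or if the binding belongs to a different VRF."""
        epg = self._sgt_to_epg.get(sgt)
        return epg.class_id if epg and epg.vrf_id == vrf_id else None

    def aci_to_campus(self, vrf_id: int, class_id: int) -> Optional[int]:
        """SGT to write into CMD for a packet leaving the fabric; None if unknown."""
        return self._epg_to_sgt.get(EpgClass(vrf_id, class_id))


def leaf_lookup(contracts: set[tuple[int, int, int]], vrf_id: int,
                s_class: int, d_class: int) -> str:
    """Contract applied on the leaf: lookup on (VRF, s-class, d-class)."""
    return "permit" if (vrf_id, s_class, d_class) in contracts else "deny"


def forward_campus_to_aci(t: SgtEpgTranslator, contracts, sgt: int,
                          vrf_id: int, app: EpgClass) -> str:
    """Campus -> ACI: translate the SGT into s-class, then apply the contract."""
    s_class = t.campus_to_aci(sgt, vrf_id)
    if s_class is None:
        return "drop: no translation for SGT"
    return leaf_lookup(contracts, vrf_id, s_class, app.class_id)


def forward_aci_to_campus(t: SgtEpgTranslator, app: EpgClass) -> Optional[int]:
    """ACI -> Campus: restore the SGT so the ASR1k can apply per-host policy."""
    return t.aci_to_campus(app.vrf_id, app.class_id)


def build_demo():
    """Constructed table: SGTs 8/3/99 (Sales/HR/IT) bound to classes in VRF 1,
    APP-EPG given its own SGT, and contracts that let IT and Sales reach APP."""
    t = SgtEpgTranslator()
    app = EpgClass(1, 32770)
    t.bind(8, 1, 32771)    # Sales
    t.bind(3, 1, 32772)    # HR
    t.bind(99, 1, 32773)   # IT
    t.bind(200, 1, 32770)  # APP-EPG itself (constructed SGT)
    contracts = {(1, 32771, 32770), (1, 32773, 32770)}
    return t, app, contracts


if __name__ == "__main__":
    t, app, contracts = build_demo()
    for sgt in (8, 3, 99):
        print(f"SGT {sgt} -> APP-EPG: {forward_campus_to_aci(t, contracts, sgt, 1, app)}")
    print(f"APP-EPG -> campus carries SGT {forward_aci_to_campus(t, app)}")
```

A tag that arrives with no binding in the table, or a binding for another VRF, is dropped rather than mapped to a default class; silently collapsing unknown tags into one class would let an unclassified campus host inherit whatever contract that class happens to have.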

Solution: Normalize Identity and SGT/EPG

Phase 1 (Shipping now): Identity and Policy Propagation between ISE and APIC

• No SGT tags sent to ACI

• Enforcement at N9300 border leaf

• Leverage IP address as User identifier

• Scale: ~10k/Leaf

• Works with existing ACI infra: N9300 leafs and N9500 Spines

• Target Timeframe: Shipping now

Phase 2 (Q2 CY17): Policy Mapping between ISE and APIC AND Data plane Integration (ASR1K or ACI Spine)

• ASR1K DCI translates SGT <-> EPG Class-ID

• Enforcement at N9300 leaf

• Scale: SGT/EPG namespace

• Works with existing N9300 leafs, requires upgrade of N9500 spines (line card/fabric module available mid CY16)

• Target Timeframe: Q2 CY17

[Figure: in Phase 1 the TrustSec domain and the ACI domain exchange SGT and EPG identity only; in Phase 2 the ASR1k carries SGT into iVXLAN between the two domains]

Security Feedback Loop

Firepower, in all its forms, supports Correlation Policies and Remediation Modules, allowing us to take a customized action based on defined behavior on the network.

Example: If a server is attacked by a host in my PCI network, I want to block the attacker.

Security Feedback Loop: ACI and SourceFire – Security Closed Feedback Loop (Consuming Micro-Segmentation)

[Figure: host 10.1.0.234 in CORPEPG attacks WebEPG through the FW and NGIPS; FireSIGHT Management Center makes REST calls to the APIC NB API to move the VM to quarantine (QUAEPG, quarantine for remediation, and REMEPG); post remediation the cleaned VM is moved back]

Status:

1. Cisco on Cisco solution (ACI + Security BU)

2. Remediation module in FMC used for security feedback loop (no device package required)

3. Productization for VMware vDS, AVS and BM is shipping

• Quarantine IP-EPG creation

• Quarantine bad endpoints using IP-EPG only

4. Tested 150 IP-EPG creation and TBD endpoints

5. NGIPS stitching has no dependencies on the Remediation module. NGIPS stitching can be done with or without a device package; both options are supported.

Demo Video: https://youtu.be/zSfDT1-47Hg
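The feedback loop on this slide has three parts: a correlation policy that decides which events matter, a remediation that names the endpoints to isolate, and a REST call to the APIC northbound API that places those endpoints in a quarantine IP-EPG. The following is an added Python sketch of that chain, not Cisco's ACI Remediation Module: the correlation events are constructed, the tenant and application profile names are placeholders, the PCI network is an assumption, and the APIC class names fvAEPg, fvCrtrn and fvIpAttr are used as I understand the public APIC object model and should be treated as an assumption. It builds the request and only sends it when a session object is supplied, so it can be read and run offline.

```python
"""Security feedback loop, modelled on the FMC -> APIC flow on this slide.
Added example, not Cisco's ACI Remediation Module. Events, PCI network,
tenant and application profile names are constructed or placeholders; the
APIC object names are an assumption about the public object model."""
from __future__ import annotations

import json
from ipaddress import ip_address, ip_network

PCI_NETWORK = ip_network("10.1.0.0/24")   # constructed "my PCI network"
TENANT = "TENANT_PLACEHOLDER"
APP_PROFILE = "AP_PLACEHOLDER"
QUARANTINE_EPG = "QUAEPG"                 # quarantine EPG name from the slide

# Constructed FMC correlation events; the field names are chosen for this example.
EVENTS = [
    {"event": "intrusion", "src_ip": "10.1.0.234", "dst_ip": "10.2.0.5", "priority": 1},
    {"event": "intrusion", "src_ip": "192.168.5.5", "dst_ip": "10.2.0.5", "priority": 1},
    {"event": "connection", "src_ip": "10.1.0.77", "dst_ip": "10.2.0.9", "priority": 3},
    {"event": "intrusion", "src_ip": "10.1.0.50", "dst_ip": "10.2.0.6", "priority": 2},
    {"event": "intrusion", "src_ip": "10.1.0.234", "dst_ip": "10.2.0.6", "priority": 2},
]


def attackers_to_quarantine(events, max_priority: int = 2) -> list[str]:
    """Correlation policy: intrusion events at or above the priority threshold
    whose source sits inside the PCI network. Unique attacker IPs, sorted."""
    hits = {
        e["src_ip"] for e in events
        if e["event"] == "intrusion" and e["priority"] <= max_priority
        and ip_address(e["src_ip"]) in PCI_NETWORK
    }
    return sorted(hits, key=ip_address)


def quarantine_payload(epg_name: str, ips: list[str]) -> dict:
    """uSeg EPG with one IP attribute per quarantined host (assumed APIC model:
    fvAEPg marked attribute-based, an fvCrtrn criterion, fvIpAttr children)."""
    ip_attrs = [{"fvIpAttr": {"attributes": {"name": f"ip-{ip}", "ip": ip}}} for ip in ips]
    return {"fvAEPg": {"attributes": {"name": epg_name, "isAttrBasedEPg": "yes"},
                       "children": [{"fvCrtrn": {"attributes": {"name": "default"},
                                                 "children": ip_attrs}}]}}


def apic_mo_url(tenant: str, ap: str, epg_name: str) -> str:
    """Managed-object path for the EPG (assumed APIC REST path layout)."""
    return f"/api/mo/uni/tn-{tenant}/ap-{ap}/epg-{epg_name}.json"


def remediate(events, session=None, base_url: str = "https://apic.example.invalid"):
    """Build the quarantine request; send it only when a session is supplied.
    `session` is any object with post(url, data=...), e.g. an authenticated
    requests.Session. Returns (url, body) or None when nothing qualifies."""
    ips = attackers_to_quarantine(events)
    if not ips:
        return None
    url = base_url + apic_mo_url(TENANT, APP_PROFILE, QUARANTINE_EPG)
    body = json.dumps(quarantine_payload(QUARANTINE_EPG, ips))
    if session is not None:
        session.post(url, data=body)
    return url, body


if __name__ == "__main__":
    result = remediate(EVENTS)   # dry run: nothing is sent
    print(result[0])
    print(json.dumps(json.loads(result[1]), indent=2))
```

Two details carry over to a real deployment: the quarantine EPG must have no contract to the protected tiers (otherwise moving the endpoint changes nothing), and the remediation should be idempotent, since the same attacker will usually trigger several correlation events in a row, which is why the attacker list is de-duplicated before the request is built.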

Security Feedback Loop, continued…

Cisco has just released the new ACI Remediation Module for Firepower!

Security Feedback Loop Demonstration

Additional Resources

• FMC Remediation Module for ACI Documentation: http://www.cisco.com/c/dam/en/us/td/docs/security/asa/apic/quick-start/guide/fmc-rm-qsg1x.pdf

• FMC Remediation Module for ACI YouTube Video: https://www.youtube.com/watch?v=zSfDT1-47Hg&feature=youtu.be

• Micro Segmentation Demo on YouTube: https://youtu.be/EEs7B1dKVjE