Simplifying the Secure Data Center
TRANSCRIPT
Benjamin Rossignol
Security Consulting Systems Engineer
Simplifying Security in the Data Center
Agenda
• Introduction
• Micro-Segmentation
• Secure VDI
• ACI-TrustSec Integration
• Security Feedback Loop with Firepower
ACI Service Graphs Keep it Simple
[Figure: a Client EPG (consumer) and a Web EPG (provider) joined by a Web contract, with managed or unmanaged devices inserted between them by the service graph]
ACI Allows for Easier Services Insertion
L4-L7 Service Automation: Support for All Devices, Any Device and Cluster Manager Support
[Figure: Cisco ACI Services Graph with three L4-L7 insertion options: L4-L7 device package, no device package, and service cluster manager]
• Centralized L4-L7 service configuration and management
• Full L4-L7 service automation (with device package)
• Large ecosystem and investment protection
• Security policy follows workload
• Centralized security provisioning and visibility
• Automated service insertion and chaining
• Support for any L4-L7 device
• New support for L4-L7 cluster managers
Embedded Security: Micro-Segmentation, Security Automation, Encryption, Analytics
Same Policy Model across physical and any virtualization or cloud technology
[Figure: VMs and containers on every platform attach to the fabric over V(X)LAN or VLAN: KVM (OpFlex Agent, Open vSwitch), ESXi (Cisco AVS or VMware DVS), Hyper-V (MSFT vSwitch), Docker (OpFlex Agent, Open vSwitch) and Bare Metal (VLAN)]
Using Micro Segmentation
Can we use Micro Segmentation within ACI to effectively isolate application traffic?
Macro Segmentation
The separation of Trusted and Untrusted environments.
Examples:
• Internet
• Campus
• Datacenter
• Development
• Production
Tools: Service Graphs, Firewalls, ACLs, EPGs
[Figure: Internet, Campus, Datacenter, Development and Production shown as separately fenced zones]

Micro Segmentation
Ring-fencing, or isolation of application traffic to a specific set of servers within a datacenter.
Examples:
• Web Tier to Application
• Application to Database
Tools: Service Graphs, EPGs, Virtual Firewalls
[Figure: Web Tier, Application and Database fenced from each other and from the Campus; supported switches are vDS, Cisco AVS, IP/MAC EPG, Hyper-V vSwitch and Open vSwitch, each attached over VLAN or VXLAN]
Micro-Segmentation with ACI
Micro-Segmentation Across any Workload
Attribute                               Type
MAC Address Filter                      Network
IP Address Filter                       Network
VNic Dn (vNIC domain name)              VM
VM Identifier                           VM
VM Name                                 VM
Hypervisor Identifier                   VM
VMM Domain                              VM
Datacenter                              VM
Custom Attribute (VMware AVS/vDS only)  VM
Operating System                        VM
[Figure: EPG-Web micro-segmented across vDS, Cisco AVS, IP/MAC EPG, Hyper-V vSwitch and Open vSwitch (OpFlex), each attached over VLAN or VXLAN]
MAC-EPG Support in ACI
[Figure: MAC-EPG-Web micro-segmented across the same switch types, with the same attribute table as the previous slide]
• MAC-EPG is a micro-segmented EPG whose endpoint membership is based on a MAC address attribute list derived from the endpoints of a Base EPG
• Scoped at BD level
• MAC-EPGs can have large MAC lists
• Use cases: Migrations, Security Feedback Loop, etc.
MAC-EPG (Micro-Segmentation)
[Figure: BD1/subnet1 holds a Base EPG with MAC-EPG-1 through MAC-EPG-N; BD2/subnet2 holds a Base EPG with MAC-EPG-1; Contracts connect the MAC-EPGs. Within a BD traffic is bridged; inter-BD traffic is routed]
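The slides above describe the mechanics in prose: an endpoint lands in a Base EPG, an attribute match (MAC list, IP filter, VM name, OS) carves it into a micro-segmented EPG scoped to one bridge domain, and from then on only a contract lets traffic cross EPG boundaries. The following added example (not code from the presentation or from Cisco) models that classification and whitelist check offline so the effect of a MAC-EPG can be reasoned about before touching a fabric. The endpoints, MACs, addresses, EPG names and the "match any" / precedence tie-break semantics are this example's own assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample data: names, MACs and addresses are placeholders for the
# example, not values from the presentation.


@dataclass(frozen=True)
class Endpoint:
    name: str
    bd: str          # bridge domain the endpoint is attached to
    base_epg: str    # EPG assigned by port/VLAN binding before any attribute match
    mac: str
    ip: str
    vm_name: str = ""
    os: str = ""


@dataclass(frozen=True)
class USegEPG:
    """Micro-segmented EPG: attribute criteria carve endpoints out of a Base EPG.
    MAC-EPGs and IP-EPGs are scoped to a single bridge domain, as the slides state."""
    name: str
    bd: str
    macs: frozenset = frozenset()   # MAC-EPG: explicit MAC address list
    ip_prefixes: tuple = ()         # IP-EPG: subnet filters
    vm_name_regex: str = ""
    os_regex: str = ""
    precedence: int = 0             # assumed tie-breaker when several uSeg EPGs match

    def matches(self, ep: Endpoint) -> bool:
        if ep.bd != self.bd:        # BD scoping: attributes never reach across BDs
            return False
        checks = []
        if self.macs:
            checks.append(ep.mac.lower() in self.macs)
        if self.ip_prefixes:
            addr = ipaddress.ip_address(ep.ip)
            checks.append(any(addr in ipaddress.ip_network(p) for p in self.ip_prefixes))
        if self.vm_name_regex:
            checks.append(re.search(self.vm_name_regex, ep.vm_name) is not None)
        if self.os_regex:
            checks.append(re.search(self.os_regex, ep.os) is not None)
        # Criteria are OR'd ("match any", an assumption); no criteria matches nothing.
        return any(checks)


def classify(ep: Endpoint, useg_epgs) -> str:
    """EPG the endpoint ends up in: the matching uSeg EPG with the highest
    precedence, or its Base EPG when no attribute matches."""
    hits = [e for e in useg_epgs if e.matches(ep)]
    if not hits:
        return ep.base_epg
    return max(hits, key=lambda e: e.precedence).name


def permitted(src, dst, dport, useg_epgs, contracts, isolated=frozenset()) -> bool:
    """Whitelist model: traffic crosses EPGs only when a contract between the
    consumer and provider EPG carries the destination port. Traffic inside one
    EPG is allowed unless that EPG enforces intra-EPG isolation."""
    s_epg, d_epg = classify(src, useg_epgs), classify(dst, useg_epgs)
    if s_epg == d_epg:
        return s_epg not in isolated
    return dport in contracts.get((s_epg, d_epg), set())


# Sample inventory: a client, two web servers in BD1 and a database in BD2.
CLIENT = Endpoint("client-1", "BD-Campus", "Client", "00:11:22:33:44:01", "192.0.2.10")
WEB1 = Endpoint("web-1", "BD1", "Web", "00:11:22:33:44:11", "10.0.1.11", "web-1", "Ubuntu")
WEB2 = Endpoint("web-2", "BD1", "Web", "00:11:22:33:44:12", "10.0.1.12", "web-2", "Ubuntu")
DB1 = Endpoint("db-1", "BD2", "DB", "00:11:22:33:44:21", "10.0.2.21", "db-1", "CentOS")

USEG = (
    # MAC-EPG carved out of the Web Base EPG: web-2 has been pulled into quarantine
    USegEPG("Quarantine", "BD1", macs=frozenset({"00:11:22:33:44:12"}), precedence=10),
    # OS-attribute EPG: any Windows VM in BD2 would get its own segment
    USegEPG("Legacy-Win", "BD2", os_regex=r"(?i)windows"),
)

# Contracts as (consumer EPG, provider EPG) -> permitted destination ports.
CONTRACTS = {("Client", "Web"): {443}, ("Web", "DB"): {3306}}
ISOLATED = frozenset({"Quarantine"})   # quarantined hosts may not even talk to each other

if __name__ == "__main__":
    for ep in (CLIENT, WEB1, WEB2, DB1):
        print(f"{ep.name:9s} -> {classify(ep, USEG)}")
    print("client -> web-2:443", permitted(CLIENT, WEB2, 443, USEG, CONTRACTS, ISOLATED))
```

The quarantine EPG has no contract at all, so the classification alone cuts web-2 off from its clients and from web-1, which is exactly the property the later Security Feedback Loop slides rely on.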
User Segmentation and VDI
[Figure: Campus PCs (Sales, IT, HR) reach the Datacenter VDI EPG and pass through an NGFW / NGIPS to the Server EPG]
Solution provides: Next-Generation Security (NGFW, NGIPS, AMP) with Identity controls.
VDI Farm is one big flat subnet, with lateral blocking. Need to provide secure access to Servers.
Secure VDI Usecase Flow: User-Identity Micro-Segmentation with FirePower + ACI
Usecase 1 (Shipping): Consuming Micro-Segmentation
Usecase 2: User-Identity Micro-Segmentation with ACI
[Figure: in each use case a Src-EPG and a Dest-EPG are joined by a Contract]
Concept: AD based User Identity Policy
Solution: Intra-EPG Isolation; ACI Service Graph w/ Firepower; Enforce User-Identity Based Network Access Control Policy (Red User can only Access Red VMs, Green User can only Access Green VMs); ACI Policy Model Extension
Secure VDI Usecase: User-Identity Micro-Segmentation with FirePower + ACI
[Figure: Users on the Campus Network initiate a VDI session; the campus enters the fabric through an L3out (consumer) into the VDI EPG; a Contract with a service graph sends traffic through Firepower 4100 / 9300 (FTD Image, vPC attached) to the Server EPG (provider) and a second L3out; FMC learns user identity from Active Directory through the SF User Agent]
VDI Farm - one big flat subnet but VMs isolated, blocking lateral traffic
User-Identity Network Access Control Policy (SourceFire Policy):
Users (AD Group: VDI Session)        Destination Network (Server EPG)
Group A (VDI IP 1.0.0.1, 1.0.0.2)    Destination Subnet 10.0.0.0/30
Group B (VDI IP 3.0.0.1)             Destination 20.0.0.1
Status: Shipping
User Segmentation
Control of which systems or applications within a datacenter a user or group can connect to.
[Figure: Campus PCs tagged 8 SGT / Sales, 3 SGT / HR and 99 SGT / IT connect to the Datacenter]
• Trustsec / Security Group Tags
• VLAN Assignment
• Passive Identity from Active Directory
Problem: Disjointed Identity & Security Policy Domains Between Campus and Data Center
[Figure: a TrustSec Policy Domain (Campus / Branch / Non-Fabric with Voice, Employee, Supplier and BYOD users on Voice and Data VLANs) and an APIC Policy Domain (Data Center ACI Fabric with Web, App and DB) connected over the WAN; identity, grouping and policy domains are disjoint]
• Today the customer has two disjointed identity and security policy domains in Campus and Data Center:
  • TrustSec User Identity, SGT and SGACL in Campus
  • APIC App Endpoint Identity, EPG and Contract in Data Center
• Customer Requirement:
  • Need common "Identity", Tagging and "Security Policy" between TrustSec and ACI domains
Higher Scale Data Plane Solution (Target Q2-CY17)
[Figure: TrustSec/ISE Policy Domain (CMD/SGT) and ACI Policy Domain joined by a TrustSec Border Router (ASR1K initially) across the WAN (IPSec, DMVPN, GETVPN, OTP). Planes: Policy Plane (REST API), Routing Plane (MP-BGP EVPN, "Trusted Mode"), Data Plane (GBP VXLAN). SXP carries the SGT <-> EPG translation; Golf L3out; Leaf: -EX only]
ISE Builds Translation Table:
1. GET: VRF-ID, Class-ID
2. SGT <==> VRF-ID, Class-ID
3. Download Translation Table
4. EPG Starts on ASR1k
ASR1k(config)# cts sg-epg translations
Campus to ACI Flow (Target Q2-CY17)
[Figure: same topology. A campus packet carrying a CMD/SGT reaches the TrustSec Border Router (ASR1K), which translates SGT to EPG using the SXP-derived SGT-EPG table and forwards it over the Golf L3out as iVXLAN into the fabric; the Contract is applied on the leaf with a lookup of s-class, d-class and policy before delivery to the APP-EPG]
ACI to Campus Flow (Target Q2-CY17)
[Figure: same topology in reverse. Traffic from the APP-EPG leaves over the Golf L3out as iVXLAN under a vzAny Contract (Permit-all or filter ports); the ASR1K translates EPG back to SGT using the SGT-EPG table and applies per-host policy in the TrustSec Domain]
Solution: Normalize Identity and SGT/EPG
Phase 1 (Shipping now)
• Identity and Policy Propagation between ISE and APIC
• No SGT tags sent to ACI
• Enforcement at N9300 border leaf
• Leverage IP address as User identifier
• Scale: ~10k/Leaf
• Works with existing ACI infra: N9300 leafs and N9500 Spines
• Target Timeframe: Shipping now
Phase 2 (Q2 CY17)
• Policy Mapping between ISE and APIC AND Data plane Integration (ASR1K or ACI Spine)
• ASR1K DCI translates SGT <-> EPG Class-ID
• Enforcement at N9300 leaf
• Scale: SGT/EPG namespace
• Works with existing N9300 leafs, requires upgrade of N9500 spines (line card/fabric module available mid CY16)
• Target Timeframe: Q2 CY17
[Figure: Phase 1 maps SGT to EPG between the TrustSec Domain and the ACI Domain at the policy level; Phase 2 adds the ASR1k carrying the SGT into iVXLAN in the data plane]
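The ACI-TrustSec slides describe the Phase 2 data path in three steps: ISE builds a table of SGT <==> (VRF-ID, Class-ID), the border router rewrites the campus CMD/SGT into the iVXLAN s-class on the way in (and back to an SGT on the way out), and the leaf enforces the contract with a lookup of s-class, d-class and policy. The following added example (not code from the presentation, from ISE or from the ASR1K) walks a packet through that path with a small in-memory translation table. The SGT numbers reuse the Sales/HR/IT tags from the User Segmentation slide; the VRF-ID, class-IDs, endpoint table, contract set and the choice to drop untranslatable packets are this example's own assumptions.

```python
from dataclasses import dataclass

UNKNOWN_SGT = 0   # TrustSec "Unknown" tag; assumed result when a class has no SGT mapping


@dataclass(frozen=True)
class EpgClass:
    vrf_id: int     # VRF-ID learned from APIC (slide step 1: GET VRF-ID, Class-ID)
    class_id: int   # EPG class-ID carried as s-class / d-class in iVXLAN
    epg: str


class TranslationTable:
    """Bidirectional SGT <==> (VRF-ID, Class-ID) map, as ISE would build and
    download to the border router (slide steps 2 and 3)."""

    def __init__(self):
        self._by_sgt = {}
        self._by_class = {}

    def add(self, sgt: int, entry: EpgClass) -> None:
        key = (entry.vrf_id, entry.class_id)
        if sgt in self._by_sgt or key in self._by_class:
            # A tag that maps to two EPGs (or vice versa) would make enforcement ambiguous.
            raise ValueError(f"duplicate mapping for SGT {sgt} / class {key}")
        self._by_sgt[sgt] = entry
        self._by_class[key] = sgt

    def sgt_to_class(self, sgt: int):
        return self._by_sgt.get(sgt)

    def class_to_sgt(self, vrf_id: int, class_id: int) -> int:
        return self._by_class.get((vrf_id, class_id), UNKNOWN_SGT)


def build_table() -> TranslationTable:
    """Constructed table: SGTs from the User Segmentation slide mapped to made-up classes."""
    t = TranslationTable()
    t.add(8, EpgClass(2, 49153, "Sales-EPG"))
    t.add(3, EpgClass(2, 49154, "HR-EPG"))
    t.add(99, EpgClass(2, 49155, "IT-EPG"))
    return t


# Leaf endpoint table: destination IP -> (EPG, class-ID). Constructed.
ENDPOINTS = {"10.1.1.10": ("APP-EPG", 32770), "10.1.2.20": ("DB-EPG", 32771)}

# Contracts in zoning-rule form: (s-class, d-class) -> permitted destination ports. Constructed.
CONTRACTS = {(49155, 32770): {22, 443}, (49153, 32770): {443}}


def campus_to_aci(table, cmd_sgt, src_ip, dst_ip):
    """Border router, campus to ACI: translate the CMD/SGT into the iVXLAN
    s-class. A tag with no translation yields None, which the caller treats
    as a drop so an unmapped campus group cannot slip into the fabric untagged."""
    entry = table.sgt_to_class(cmd_sgt)
    if entry is None:
        return None
    return {"vrf_id": entry.vrf_id, "s_class": entry.class_id, "src": src_ip, "dst": dst_ip}


def leaf_enforce(pkt, dport, endpoints=ENDPOINTS, contracts=CONTRACTS) -> bool:
    """Leaf: resolve d-class from the destination endpoint, then look up
    (s-class, d-class, port) in the contract policy."""
    ep = endpoints.get(pkt["dst"])
    if ep is None:
        return False   # unknown destination: no d-class, so nothing can permit it (assumed deny)
    _, d_class = ep
    return dport in contracts.get((pkt["s_class"], d_class), set())


def forward_from_campus(table, cmd_sgt, src_ip, dst_ip, dport) -> str:
    pkt = campus_to_aci(table, cmd_sgt, src_ip, dst_ip)
    if pkt is None:
        return "DROP-NO-TRANSLATION"
    return "PERMIT" if leaf_enforce(pkt, dport) else "DENY"


def aci_to_campus(table, vrf_id, s_class) -> int:
    """Border router, ACI to campus: recover the SGT the per-host TrustSec policy needs."""
    return table.class_to_sgt(vrf_id, s_class)


if __name__ == "__main__":
    t = build_table()
    print("IT   -> APP:22 ", forward_from_campus(t, 99, "10.99.0.5", "10.1.1.10", 22))
    print("Sales-> APP:22 ", forward_from_campus(t, 8, "10.8.0.5", "10.1.1.10", 22))
    print("SGT 42 -> APP ", forward_from_campus(t, 42, "10.42.0.5", "10.1.1.10", 443))
```

Two failure modes worth noting: a duplicate mapping is rejected at table-build time rather than silently overwritten, and a tag the table does not know is dropped at the border instead of being admitted with an empty class, so the fabric never has to guess what an untranslated campus group is.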
Security Feedback Loop
Firepower, in all its forms, supports Correlation Policies and Remediation Modules, allowing us to take a customized action based on defined behavior on the network.
Example: If a server is attacked by a host in my PCI network, I want to block the attacker.
ACI and SourceFire – Security Closed Feedback Loop (Consuming Micro-Segmentation)
[Figure: an attack from host 10.1.0.234 in the CORP EPG against the Web EPG passes through a FW and NGIPS; FireSIGHT Management Center makes REST calls to the APIC northbound API to move the VM to the QUA EPG (quarantine for remediation); post remediation the cleaned VM is moved again (REM EPG)]
Status:
1. Cisco on Cisco solution (ACI + Security BU)
2. Remediation module in FMC used for security feedback loop (no device package required)
3. Productization for VMware vDS, AVS and BM is shipping
   • Quarantine IP-EPG creation
   • Quarantine bad endpoints using IP-EPG only
4. Tested 150 IP-EPG creation and TBD endpoints
5. NGIPS stitching has no dependencies on the Remediation module. NGIPS stitching can be done with or without a device package. Both options are supported.
Demo Video: https://youtu.be/zSfDT1-47Hg
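The feedback loop slides give the policy in one sentence (block a PCI-network host that attacks a server) and the mechanism in one arrow (FMC makes REST calls to the APIC northbound API and the endpoint lands in a quarantine IP-EPG). The following added example (not the Cisco remediation module and not code from the presentation) shows the decision and the quarantine/release actions end to end against constructed correlation events and a dry-run APIC client that only records what it would send. The event field names, the PCI network, the tenant, application profile and EPG names, and the 150-entry budget taken from status item 4 are this example's own assumptions; the APIC class names fvAEPg, fvCrtrn and fvIpAttr and the REST path are what the example assumes the public object model looks like and should be checked against your APIC version before use.

```python
import ipaddress
import json

# Constructed correlation events in a simplified shape; field names are this
# example's own, not the FMC export format. impact 1 is treated as the most severe.
EVENTS = [
    {"rule": "Attack on PCI server", "src_ip": "10.1.0.234", "dst_ip": "10.20.0.15", "impact": 1},
    {"rule": "Attack on PCI server", "src_ip": "192.0.2.50", "dst_ip": "10.20.0.15", "impact": 1},
    {"rule": "Port scan", "src_ip": "10.1.0.77", "dst_ip": "10.20.0.16", "impact": 3},
    {"rule": "Attack on PCI server", "src_ip": "10.1.0.234", "dst_ip": "10.20.0.17", "impact": 1},
]

PCI_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]            # constructed "my PCI network"
TENANT, APP_PROFILE, QUARANTINE_EPG = "corp", "web-app", "QUA-EPG"   # placeholder names
MAX_QUARANTINE = 150   # budget taken from the slide's tested scale of 150 IP-EPG entries


def should_quarantine(event, pci_networks=PCI_NETWORKS, max_impact=1) -> bool:
    """The slide's policy: a host in my PCI network attacking a server gets blocked.
    Only attack rules at or above the chosen impact level qualify."""
    if not event["rule"].startswith("Attack") or event["impact"] > max_impact:
        return False
    src = ipaddress.ip_address(event["src_ip"])
    return any(src in net for net in pci_networks)


def quarantine_url(tenant, ap, epg) -> str:
    # Assumed APIC northbound REST path for an EPG managed object
    return f"/api/node/mo/uni/tn-{tenant}/ap-{ap}/epg-{epg}.json"


def quarantine_payload(epg, ip, delete=False) -> dict:
    """Build the uSeg (IP-EPG) update that adds or removes one IP attribute.
    Class names (fvAEPg, fvCrtrn, fvIpAttr) are this example's assumption of the
    APIC object model; verify them against the APIC you run."""
    attr = {"name": f"ip-{ip}", "ip": ip}
    if delete:
        attr["status"] = "deleted"
    return {"fvAEPg": {
        "attributes": {"name": epg, "isAttrBasedEPg": "yes"},
        "children": [{"fvCrtrn": {
            "attributes": {"name": "default"},
            "children": [{"fvIpAttr": {"attributes": attr}}]}}]}}


class DryRunApic:
    """Stand-in for the APIC REST client: records calls instead of sending them."""

    def __init__(self):
        self.calls = []

    def post(self, url, body) -> None:
        self.calls.append((url, json.dumps(body, sort_keys=True)))


def process_events(events, client, pci_networks=PCI_NETWORKS) -> set:
    """Run the loop: evaluate each event, quarantine each offending source once,
    stop at the budget, and return the set of quarantined IPs."""
    quarantined = set()
    url = quarantine_url(TENANT, APP_PROFILE, QUARANTINE_EPG)
    for ev in events:
        ip = ev["src_ip"]
        if ip in quarantined or not should_quarantine(ev, pci_networks):
            continue
        if len(quarantined) >= MAX_QUARANTINE:
            break    # stay inside the tested IP-EPG size rather than push an untested one
        client.post(url, quarantine_payload(QUARANTINE_EPG, ip))
        quarantined.add(ip)
    return quarantined


def release(client, ip) -> None:
    """Post-remediation step from the slide: drop the IP attribute so the cleaned
    host falls back to its Base EPG."""
    client.post(quarantine_url(TENANT, APP_PROFILE, QUARANTINE_EPG),
                quarantine_payload(QUARANTINE_EPG, ip, delete=True))


if __name__ == "__main__":
    apic = DryRunApic()
    print("quarantined:", sorted(process_events(EVENTS, apic)))
    release(apic, "10.1.0.234")
    for url, body in apic.calls:
        print("POST", url, body)
```

The idempotency check matters in practice: the same attacker usually triggers several correlation events in a row, and without it the module would re-post the same attribute for each one. Keeping the quarantine to IP attributes (rather than moving VM bindings) is also what status item 3 describes, and the release path is the inverse of the same call.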
Security Feedback Loop, continued…
Cisco has just released the new ACI Remediation Module for Firepower!
Additional Resources
• FMC Remediation Module for ACI Documentation: http://www.cisco.com/c/dam/en/us/td/docs/security/asa/apic/quick-start/guide/fmc-rm-qsg1x.pdf
• FMC Remediation Module for ACI YouTube Video: https://www.youtube.com/watch?v=zSfDT1-47Hg&feature=youtu.be
• Micro Segmentation Demo on YouTube: https://youtu.be/EEs7B1dKVjE