SDN & ACI Security for IT Pros

The document discusses how software-defined networking (SDN) and the Application Centric Infrastructure (ACI) framework from Cisco address the challenges of securing modern applications in data centers. It explains how ACI uses policy-based segmentation through endpoint groups (EPGs) and contracts to implement microsegmentation and whitelisting-based security. EPGs group similar devices, contracts define allowed communication between EPGs through stateless access control lists, and application profiles collect EPGs and contracts to define full applications. This provides a zero-trust security model compared to traditional trust-based data center switching.


Cisco Connect Dubrovnik, Croatia ("Global vision. Local knowledge.")

Demystifying ACI Security

Dragan Novaković, Consulting Security Engineer
March 2019
The Case for SDN

© 2018 Cisco and/or its affiliates. All rights reserved.


Applications All Around Us
• Applications are the driving force of business. They are being rapidly developed and deployed at scale...
• ...while requiring frequent updates and the highest availability (SLAs).
Challenge for Infrastructure
• The network and security functions must keep up with the pace of change imposed on them...
• ...while maintaining application capacity, resiliency and agility.
Software-Defined Networking ...Comes to the Rescue
“…is an emerging architecture that is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications. This architecture decouples the network control and forwarding functions enabling the network control to become directly programmable and the underlying infrastructure to be abstracted for applications and network services.”

Source: www.opennetworking.org
What are the critical Security Functions in the DataCenter?


Defining SDN use case for DC security
• Micro-segmentation
• Automatic remediation
• Programmability
• Embedding security policy within the application
• Ease of service insertion
ACI Devices Role
• Spine nodes
• Leaf nodes
• APIC controller
• Endpoints attached to the leafs act as service producers (e.g. "DB") and service consumers (e.g. "App")
ACI Whitelist Policy supports “Zero Trust” Model
Whitelist policy = explicitly configured ACI contract between EPG 1 and EPG 2 allowing traffic between their members.

• Trust based on location (traditional DC switch): servers 1, 2, 3 and 4 share the switch, so servers 2 and 3 can communicate unless they are explicitly blacklisted.
• Zero trust architecture (Nexus 9K with ACI): servers 1 and 2 are members of EPG 1 “WEB”, servers 3 and 4 of EPG 2 “APP”. No communication is allowed between servers 2 and 3 unless there is a whitelist policy (a contract) between the two EPGs.
The Heart of ACI
ACI uses a policy based approach that focuses on the application: External Network → Web → App → DB, with a filter (or an inserted service) and a QoS policy attached to each hop between tiers.
ACI Communication Abstraction
The security policy “App” → “DB” is defined on the APIC and rendered by the ACI fabric and the attached security services:
• All TCP/UDP: accept, redirect to FW and IPS
• All other: drop
A Policy Based on Groups
Web tier, App tier and DB tier, each made of several endpoints (EP).
First, we need a way to identify and group together end points.

End Point Group
“EPG Web”, “EPG App”, “EPG DB”: in the ACI model, we do this using the End Point Group (EPG).
Endpoint Groups Communications
Devices within an Endpoint Group can communicate, provided that they have IP reachability (provided by the Bridge Domain/VRF).
Communication between Endpoint Groups is, by default, not permitted.
Contract
Once we have our EPGs defined, we need to create policies to determine how they communicate with each other. In ACI these policies are Contracts (e.g. one contract between EPG Web and EPG App, another between EPG App and EPG DB).
Contract: Kind of reflexive “Stateless” ACLs
A contract typically refers to one or more ‘filters’ (e.g. TCP: 80, TCP: 443) to define the specific protocols & ports allowed between EPGs.
Create a Contract
• “Stateful” filters are limited to checking that the ACK bit is set in the packets from provider to consumer, without any TCP flow state tracking. This stops the provider from opening new TCP connections towards the consumer, but it is not a stateful firewall: no sequence numbers or connection table are checked.
Access Control From Outside
L3Out → Contract “Client-Web” → EPG Web → EPG App → EPG DB: the contract between the L3Out and EPG Web provides perimeter stateless access control.

Segmentation Using Contracts
L3Out → Contract “Client-Web” → EPG Web → Contract “Web-App” → EPG App → Contract “App-DB” → EPG DB.
• Each contract is a stateless firewall (stateless access control)
• A load balancer can be inserted between the tiers
Application Profile
Application Profile “My Expenses” = EPG Web, EPG App, EPG DB and the two contracts between them.
A collection of EPGs and the associated contracts that define how they communicate form an Application Profile.
Tenants
A Tenant is a container for all network, security, troubleshooting and L4-7 service policies.
Tenant resources are isolated from each other, allowing management by different administrators.
Tenants can provide traffic and RBAC isolation (e.g. Engineering, Marketing, IT Shared Services, Internet, Test/Dev and IPTV tenants on the same ACI fabric).
VRF aka Context aka Private Network
VRFs (also called contexts) are defined within a tenant (e.g. VRF-1 to VRF-4 in the Engineering tenant) to allow isolated and potentially overlapping IP address space.
Bridge Domain: Not a VLAN but almost…
Within a private network (VRF), one or more bridge domains must be defined (e.g. Bridge Domains 1 and 2 in VRF-1, 3 and 4 in VRF-2, and so on).
A bridge domain is a L2 forwarding construct within the fabric, used to constrain broadcast and multicast traffic.
But what if I want all EPGs to be able to send syslog, query DNS, communicate with the AD, etc…?

vzAny applies rules to all EPGs in a VRF
• EPG A provides Syslog, vzAny consumes: any EPG in the VRF can consume the syslog that EPG A provides
• vzAny provides, EPG A consumes: EPG A can consume syslog from any EPG in the VRF
• vzAny provides and consumes: any EPG in the VRF can consume or provide syslog

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_Use_vzAny_to_AutomaticallyApplyCommunicationRules_toEPGs.html#concept_F2BC3533BF984F1F88A18B712ED9C072
But what if I want some EPGs to communicate freely between themselves?

Contract Preferred Groups
Allow traffic between a group of EPGs.
• EPGs A, B, C and D are members of the Contract Preferred Group “Alphabet”: no contract is required within the group
• EPGs 1 and 2 are outside the group: a contract is still required for them to talk to any other EPG

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_APIC_Contract_Preferred_Group.html
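The whitelist semantics of the last few slides (EPG membership, contracts made of stateless filters, the ACK-bit check on "stateful" filters, vzAny and contract preferred groups) can be simulated in a few dozen lines. The following is an added example, not Cisco code and not the fabric's real lookup: it models the decision a leaf makes for one packet, with simplifications (no intra-EPG isolation, no inter-VRF route leaking, filters match on protocol and destination port only). The EPG names, VRF and addresses are constructed.

```python
"""Simulation of how an ACI leaf decides whether a packet between two
endpoints is permitted: intra-EPG, preferred group, contract filters in
both directions, ACK check on stateful filters, vzAny. Added illustration,
not Cisco code; all names and addresses are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional, Tuple

VZANY = "vzAny"   # stands for "every EPG in the VRF"


@dataclass(frozen=True)
class Filter:
    proto: str                 # "tcp", "udp" or "any"
    dport: Optional[int]       # None = any port
    stateful: bool = False     # provider->consumer TCP must carry ACK


@dataclass
class Contract:
    consumer: str              # EPG name or VZANY
    provider: str              # EPG name or VZANY
    filters: Tuple[Filter, ...]


def _port_match(f: Filter, proto: str, port: Optional[int]) -> bool:
    if f.proto != "any" and f.proto != proto:
        return False
    return f.dport is None or f.dport == port


@dataclass
class Fabric:
    epg_vrf: dict[str, str]                    # EPG -> VRF
    endpoint_epg: dict[str, str]               # IP -> EPG
    contracts: list[Contract] = field(default_factory=list)
    preferred: dict[str, set[str]] = field(default_factory=dict)  # VRF -> member EPGs

    @staticmethod
    def _is(party: str, epg: str) -> bool:
        return party == VZANY or party == epg

    def permit(self, src_ip, dst_ip, proto, dport=None, sport=None, ack=False):
        """Return (allowed, reason) for one packet."""
        src_epg, dst_epg = self.endpoint_epg[src_ip], self.endpoint_epg[dst_ip]
        vrf = self.epg_vrf[src_epg]
        if src_epg == dst_epg:
            return True, "intra-EPG: allowed by default"
        if vrf != self.epg_vrf[dst_epg]:
            return False, "different VRF: no reachability"
        group = self.preferred.get(vrf, set())
        if src_epg in group and dst_epg in group:
            return True, "both EPGs in the VRF preferred group"
        for c in self.contracts:
            # consumer -> provider: the filter port is the destination port
            if self._is(c.consumer, src_epg) and self._is(c.provider, dst_epg):
                for f in c.filters:
                    if _port_match(f, proto, dport):
                        return True, f"contract {c.consumer}->{c.provider} {f.proto}/{f.dport}"
            # provider -> consumer: reply traffic, the filter port is the source port
            if self._is(c.provider, src_epg) and self._is(c.consumer, dst_epg):
                for f in c.filters:
                    if _port_match(f, proto, sport):
                        if f.stateful and proto == "tcp" and not ack:
                            return False, "stateful filter: provider->consumer TCP without ACK"
                        return True, f"reverse of contract {c.consumer}->{c.provider}"
        return False, "no contract: implicit deny"


def build_demo() -> Fabric:
    """Constructed three-tier app plus a syslog EPG consumed via vzAny and
    a preferred group of two EPGs."""
    return Fabric(
        epg_vrf={e: "prod" for e in ("Web", "App", "DB", "Syslog", "Alpha", "Beta", "Other")},
        endpoint_epg={"10.0.1.10": "Web", "10.0.2.10": "App", "10.0.3.10": "DB",
                      "10.0.9.10": "Syslog", "10.0.4.10": "Alpha",
                      "10.0.5.10": "Beta", "10.0.6.10": "Other"},
        contracts=[
            Contract("Web", "App", (Filter("tcp", 8080, stateful=True),)),
            Contract("App", "DB", (Filter("tcp", 3306, stateful=True),)),
            Contract(VZANY, "Syslog", (Filter("udp", 514),)),   # every EPG may send syslog
        ],
        preferred={"prod": {"Alpha", "Beta"}},
    )


if __name__ == "__main__":
    fab = build_demo()
    print(fab.permit("10.0.1.10", "10.0.2.10", "tcp", dport=8080))
    print(fab.permit("10.0.2.10", "10.0.1.10", "tcp", dport=40000, sport=8080, ack=False))
    print(fab.permit("10.0.1.10", "10.0.3.10", "tcp", dport=3306))
```

Note what the stateful flag does and does not do: a SYN from App towards an ephemeral port on Web is dropped only because it lacks ACK; a crafted ACK-only packet from a compromised App host still passes, which is why the deck later inserts a real firewall for anything beyond L4 segmentation.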
ACI Micro Segmentation

The ACI Micro Segmentation Toolbox
• EPGs & Contracts (the ACI policy model)
The ACI Micro Segmentation Toolbox: Intra-EPG isolation
• Functional equivalent of an Isolated Private VLAN: ALL endpoints in the EPG are isolated from each other
• Supported since ACI 1.2(2)
• Can be combined with micro-segmented EPGs
The ACI Micro Segmentation Toolbox
• EPGs & Contracts (the ACI policy model)
• Intra-EPG isolation
• Intra-EPG Contracts: from ACI 4.0 with a Service Graph attached
The ACI Micro Segmentation Toolbox: Micro-segmented EPGs
• Use of attributes to classify endpoints into a specific kind of EPG called µEPG
• Network-based attributes: IP/MAC
• VM-based attributes: guest OS, VM name, ID, vNIC, DVS, datacenter
• Does not create a Port Group on the VMM (no vNIC reassignment)
• Supported since ACI 1.1(1)
About Micro-segmented EPGs
• µSeg EPGs are not linked to a “Base” EPG (though virtual endpoints are still “attached” to their corresponding Port Groups):
• They have their own Bridge Domain → endpoint addressing must be taken into consideration in the design
• They have their own set of Contracts → there is no contract inheritance from the “Base” EPG
• Attributes are matched using an “OR” operator, with a precedence order in case of conflict
• Any VM in the VMM Domain & Tenant matching an attribute will be put in the µSeg EPG → choose wisely the attribute(s) you want to match
• In the last 2 case studies, Custom Attributes would be a natural choice
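The two bullets on OR-matching with precedence and on "choose wisely" are easiest to see with a classifier. The block below is an added example, not APIC code: each µSeg EPG carries attributes, an endpoint matching any of them is pulled into that µSeg EPG, and a conflict between two µSeg EPGs is resolved first by attribute-type precedence (the order used here is an assumption approximating the APIC ordering for a VMware VMM domain: MAC, IP, vNIC, VM id, VM name, hypervisor, VMM domain, datacenter, custom attribute, guest OS) and then by the µSeg EPG's match-precedence number. The endpoints, names and attribute values are constructed.

```python
"""Classification of virtual endpoints into micro-segmented EPGs by
attribute (OR across attributes, precedence on conflict). Added
illustration, not APIC code; the precedence order is an assumption and
all endpoint data is constructed."""
from __future__ import annotations
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed attribute-type precedence, most specific first.
PRECEDENCE = ["mac", "ip", "vnic", "vm_id", "vm_name", "hypervisor",
              "vmm_domain", "datacenter", "custom", "guest_os"]


@dataclass(frozen=True)
class Attr:
    kind: str     # one of PRECEDENCE
    value: str    # exact value, a CIDR for "ip", or a glob for name-like kinds


@dataclass
class USegEPG:
    name: str
    attrs: list[Attr]
    match_precedence: int = 0   # tie-breaker between µSeg EPGs of equal rank


def attr_matches(attr: Attr, ep: dict[str, str]) -> bool:
    actual = ep.get(attr.kind)
    if actual is None:
        return False
    if attr.kind == "ip":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(attr.value, strict=False)
    if attr.kind in ("vm_name", "custom", "guest_os"):
        return fnmatch.fnmatchcase(actual, attr.value)
    return actual.lower() == attr.value.lower()


def classify(ep: dict[str, str], useg_epgs: list[USegEPG], base_epg: str) -> Tuple[str, Optional[str]]:
    """Return (EPG the endpoint lands in, attribute type that decided it)."""
    candidates = []
    for epg in useg_epgs:
        # OR across the EPG's attributes: its best-ranked matching attribute counts
        ranks = [PRECEDENCE.index(a.kind) for a in epg.attrs if attr_matches(a, ep)]
        if ranks:
            best = min(ranks)
            candidates.append((best, -epg.match_precedence, epg.name, PRECEDENCE[best]))
    if not candidates:
        return base_epg, None          # stays in its base EPG
    candidates.sort()                  # lowest rank, then highest match precedence
    _, _, name, kind = candidates[0]
    return name, kind


def demo_usegs() -> list[USegEPG]:
    """Constructed µSeg EPGs: a broad VM-name glob, a canary subset of it,
    a PCI scope on a custom attribute, an IP-based quarantine and a legacy-OS bucket."""
    return [
        USegEPG("uSeg-Prod-Web", [Attr("vm_name", "web-prod-*")]),
        USegEPG("uSeg-Prod-Web-Canary", [Attr("vm_name", "web-prod-canary-*")], match_precedence=10),
        USegEPG("uSeg-PCI", [Attr("custom", "pci=yes")]),
        USegEPG("uSeg-Quarantine", [Attr("ip", "10.0.2.45/32")]),
        USegEPG("uSeg-Legacy-OS", [Attr("guest_os", "Windows Server 2008*")]),
    ]


if __name__ == "__main__":
    usegs = demo_usegs()
    for ep in ({"vm_name": "web-prod-01", "custom": "pci=yes", "ip": "10.0.1.11"},
               {"vm_name": "web-prod-02", "ip": "10.0.2.45"},
               {"vm_name": "web-prod-canary-01", "ip": "10.0.1.50"},
               {"vm_name": "app-01", "ip": "10.0.2.20"}):
        print(ep["vm_name"], "->", classify(ep, usegs, "Base"))
```

The first endpoint shows the "choose wisely" point: it carries the PCI custom attribute, yet lands in uSeg-Prod-Web because the VM-name glob ranks above a custom attribute, and inherits that EPG's contracts rather than the PCI ones.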
Use Cases

Securing infrastructure

Quarantining compromised endpoints

Securing an application life cycle

Security Services

Cisco ACI Supports Flexible East-West Security Models
L4 Stateless Security (L4 distributed stateless firewall):
• L4 stateless firewall attached to every server port: a firewall at each leaf switch, for physical or virtual servers
• Line rate policy enforcement
• Policy follows workloads
L4-7 Visibility and Control (Cisco ACI Service Graph):
• Advanced protection with NGFW, IPS/IDS and DDoS services insertion (physical or virtual, location independent)
• Sizing at scale: can add an ASA cluster
• L4-7 security policy applied consistently for any workload
Why Insert Security Services?
• Stateless segmentation is not sufficient for compliance
• More granular access control (e.g. user based)
• Dynamic protocols requiring deeper inspection
• Better protection and detection mechanisms
Cisco Security Portfolio Overview
• Firewall/IPS/AMP: Firepower NGFW/NGIPS/AMP, FMC, Cisco ASA
• Analytics: StealthWatch Enterprise, StealthWatch Cloud
• Cloud: ASAv, FMCv, NGFWv on AWS and Azure; ASAv, FMCv, NGFWv on hypervisor; Umbrella & CloudLock
Where to Connect Security Services in the Fabric?
NGFW (appliance and virtual), NGIPS (appliance and virtual): WE DON’T REALLY CARE! The fabric makes the attachment point irrelevant.
How to Insert Security Services
• Network stitching (ACI L2 fabric)
• Service graph insertion:
• Unmanaged
• Managed with Device Package
• Managed Hybrid
Match the requirements and operation model of the DC and Security teams.
Flexible Options for Services Insertion
• ACI L2 Fabric (network stitching): APIC defines tenants; an EPG is a VLAN/subnet; SecOps controls the service device
• Service Graph, no package (unmanaged service graph): fabric GW/routing; no Device Package (Network Policy Mode); SecOps controls the service device
• Service Graph, managed (managed service graph): orchestrated with vendor Device Packages, in Service Policy or Service Manager mode; APIC in control
In all three options the application keeps the same EPGs (Web, App, DB).
Service Graph technology was designed to automate and accelerate the deployment of L4-L7 services in the network.
Why Use Service Graph?
• Security is fully inserted into the Application, as the service graph is an extension of the contract in the Application Profile
• Granular way to send traffic to the Security Service using the contract
• Configuration templates
• Automation of the network configuration both for the fabric and the security appliance (with Device Package)
• Statistics and health score automatically collected for the services
• Dynamic update of the ACLs based on endpoint discovery in the EPG
• Insert several services seamlessly with Service Chaining
ACI Zero Trust Model
The APIC pushes a CONTRACT into the ACI fabric; without one, “App” and “DB” cannot communicate.
Build a Policy with Service Graph
The security policy “App” → “DB” defined on the APIC, now with a service graph, is rendered by the ACI fabric and the security services:
• All TCP/UDP: accept, redirect to FW and IPS
• All other: drop
Add a Service Graph to a Contract (APIC screenshot)
Service Automation Through Device Package
Service automation requires a vendor device package. It is a zip file containing:
• Device specification (XML file)
• Device scripts (Python)
• Cisco® APIC interfaces with the device using the device Python scripts
• Cisco APIC uses the device configuration model provided in the package to pass appropriate configurations to the device scripts
• Device script handlers interface with the device using its REST or CLI interface

Device specification excerpt (as shown on the slide):
    <dev type="f5">
    <service type="slb">
    <param name="vip">
    <dev ident="210.1.1.1"
    <validator="ip"
    <hidden="no">
    <locked="yes">

Stack on the APIC node: Cisco APIC policy element → device model → Cisco APIC script interface → script engine running the device-specific Python scripts → device interface (REST/CLI) → service device (or its device manager console).
ASA Device Package Opt 1: Policy Orchestration (Managed – Service Policy)
• FirePOWER Services threat defence policies: threat policy on FMC; the security team configures it via FMC
• ACLs, inspections, HA, S2S VPN, special features: APIC configures them on the ASA via the ASA Device Package; the security team adds more ASA config
• Interfaces, VLANs, IPs, static or dynamic routes: APIC configures them on the ASA via the ASA Device Package
• ASA Policy Orchestration (PO) DP
• Nexus 9k leafs/spines: shadow EPG VLANs, L3Outs; APIC configures the Service Graph in the ACI fabric
ASA PO & FI Device Package (APIC screenshot)
ASA DP Built-In Profiles
• Template for routed ASA: requires entry of IP addresses; HA needs standby IP entry
• Template for transparent ASA: requires entry of the BVI IP address; HA needs standby IP entry
Why Use Managed Service Graph ?
• Full Tenant orchestration with L4-L7 services
• ACL changes on the firewall can be offloaded to custom tools, using
Northbound API
• Device package allows for very fast deployment of security
• APIC monitors the service health and validates configuration

Why Use Unmanaged Service Graph ?
• Continuity of the SecOps management workflows and tools
• No device package available from a Vendor
• Quicker migration of security appliance configs and policies into ACI fabric
• Allow use of the full spectrum of product features, not just the features
supported by the device package

Service Graph Hybrid Managed
• Leverage the network and interface configuration automation from APIC
with the Device Package
• Leverage the External Security management solution for the security team
to create the security policy
• Use the Service graph to tie together the policy and the network insertion

ASA Device Package Opt 2: Fabric Insertion
ASA has an option that allows APIC to configure insertion into the fabric while all other ASA features are configured out of band (CLI, REST-API, CSM, CDO).
ASA Policy Orchestration (PO) DP (Managed – Service Policy):
• FirePOWER Services threat defence policies: security team configures via FMC
• ACLs, inspections, HA, S2S VPN, special features: APIC configures on the ASA via the ASA Device Package; security team adds more ASA config
• Interfaces, VLANs, IPs, static or dynamic routes: APIC configures on the ASA via the ASA Device Package
ASA Fabric Insertion (FI) DP (Managed – Service Policy):
• FirePOWER Services threat defence policies: security team configures via FMC
• ACLs, inspections, HA and all other ASA features: security team configures them out of band
• Interfaces, VLANs, IPs, static or dynamic routes: APIC configures on the ASA via the ASA Device Package
In both options: Nexus 9k leafs/spines get shadow EPG VLANs and L3Outs, and APIC configures the Service Graph in the ACI fabric.
ASA PO & FI Device Package (APIC screenshot)
FTD Device Package Workflow
Existing rule: the Security Admin uses FMC to create an ACP rule to be used with the new service graph. The rule includes allowed protocols, NGIPS and AMP protections.
• The Network Admin uses APIC to attach Security Zones to the given rule, directing service graph traffic to the appropriate NGFW inspections.
New rule: the Network Admin uses APIC to create a new security rule on FMC through the service graph. This is a Deny rule, preventing traffic flow until the Security Admin gets a chance to update it.
• The Security Admin uses FMC to update the new ACP rule with the appropriate allowed protocols, NGIPS and AMP policy. To prevent deletion of this rule when the service graph is detached, the Security Admin can preserve the configured security policy by updating the ACP rule comments.
FTD FI Device Package for ACI
Managed Service Graph, Hybrid – Service Manager model, inserted between App and DB:
• Firepower NGFW (FTD 6.2.3 image) registered to FMC 6.2
• APIC imports the FTD Device Package to program FMC over its API
• Security (FMC GUI), policy creation: the Security Admin uses FMC to create an appropriate policy
• Network (APIC API/GUI), fabric insertion: the Network Admin uses APIC to program fabric insertion of the FTD
FTD Device Package for ACI – Version to Feature Comparison
• 1.0.1: Routed; Transparent; NGIPS modes; Interfaces/Zones; Inline Pairs; attach Zones to ACP Rules
• 1.0.2: Cluster support; Ether-Channel; Static Routes; Dynamic EPG; enhanced validation; suffix changes
• 1.0.3: HA support; FTDv VLAN trunks; FPR2100 support
FTD FI Device Package Version 1.0.3
APIC configures FMC 6.2.3, using REST-APIs, to manage the following devices:
• Pre-registered FTD devices in either Stand-alone, HA or Cluster mode
APIC configures the following features:
• Interfaces in Routed, Switched or Inline mode. Defines VLAN sub-interfaces (including Port-Channels) for Routed and Transparent firewall mode, including IRB. Static routes can be added under the interface configuration.
• Security Zones, Interface Names, Inline Sets, as specified in the function profile parameters. FMC names are prefixed with the APIC Tenant and registered FTD device name. The EPG learning feature is supported with FMC.
• Assignment of the Security Zones to pre-configured ACP Rule(s).
Matching FTD/ACI Deployment Modes
• Firewall modes: Routed → GoTo Service Graph; Transparent → GoThrough Service Graph
• NGIPS/IDS modes: Inline (managed) → GoThrough Service Graph; Inline TAP (unmanaged) or Passive (unmanaged) → Copy Service Graph
Security Service insertion using PBR

Policy Based Redirect is your Best Friend
Without PBR, APIC relies on routing to forward traffic from a server in EPG Web to a server in EPG App, based on the contract.
• EPG Web, BD: Web, 192.168.11.0/24, GW 192.168.11.254
• EPG App, BD: App, 192.168.12.0/24, GW 192.168.12.254
• EPG DB, BD: DB, 192.168.13.0/24, GW 192.168.13.254
Policy Based Redirect is your Best Friend: With PBR Service Graph
APIC relies on PBR to redirect the traffic defined in the contract to the Security Service.
• The ASA is attached through two L3-enabled service bridge domains (labelled BD: ASA-external on the slide): 192.168.100.0/30 with ASA interface 192.168.100.1, and 192.168.100.4/30 with ASA interface 192.168.100.5
• The application bridge domains are unchanged: Web 192.168.11.0/24 (GW .254), App 192.168.12.0/24 (GW .254), DB 192.168.13.0/24 (GW .254)
PBR for micro-Segmentation: Based only on Contract
One L3-enabled bridge domain BD: MyApp, 192.168.10.0/24, GW 192.168.10.254, with EPG Web (192.168.10.100), EPG App (192.168.10.200) and EPG DB in the same subnet.
Because this is communication between two endpoints in different EPGs, the forwarding decision is made in the leaf switch.
PBR for micro-Segmentation: Leveraging PBR
Because the traffic goes to the leaf switch where the PBR rules are enforced, traffic will be sent to the security service defined in the Service Graph (BD: ASA, L3 enabled, firewall interface 192.168.200.254).
PBR for micro-Segmentation: Leveraging PBR
The firewall must be in ONE ARM mode, as source and destination are in the same subnet (192.168.10.100 and 192.168.10.200 in BD: MyApp). It must allow traffic in and out via the same interface (192.168.200.254 in BD: ASA).
New features related to PBR in ACI Version 3.2
• Multi-node PBR
• vzAny with PBR
• Resilient Hash PBR


Multi-node PBR (ACI 3.2)
• Prior to ACI 3.2: concatenating PBR nodes was not supported.
• For example, the 1st and 2nd node could not both be PBR nodes; only one of them could be (Client EPG as consumer → contract with redirect → PBR node → non-PBR node → Web EPG as provider).
• ACI 3.2: supports more than one PBR node in a Service Graph (up to 3 nodes), e.g. Client EPG → contract with redirect → PBR → PBR → PBR → Web EPG.
• PBR nodes and non-PBR nodes can be mixed in the same Service Graph.
PBR with vzAny (ACI 3.2)
• In ACI 3.2, PBR with vzAny as the provider is also supported.
• Use case: insert a firewall everywhere. In VRF1, a contract with redirect can have vzAny as consumer, and now also as provider, so that all EPGs in the VRF (Client, Web, App, DB) are redirected to the PBR node.
Resilient Hash PBR: Before
• Symmetric PBR is supported today, but if one of the PBR nodes is down, traffic will be re-hashed, so existing connections that had been going through the available PBR nodes could be affected.
• Thanks to Symmetric PBR, incoming and return traffic go to the same PBR node.
• After a node failure, some traffic (User1 to User4 in the figure) could be load-balanced to different PBR nodes that don’t have the existing connection info.
Resilient Hash PBR (ACI 3.2)
• With Resilient Hash PBR, only the traffic that went through the failed node starts using a different PBR node; flows on the surviving nodes keep their node.
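The difference between the two slides is the hashing scheme, and it can be shown with any consistent hash. The block below is an added example, not ACI code and not the fabric's actual hash: it selects a PBR node per flow with a plain modulo hash and with a rendezvous (highest-random-weight) hash, orders the 5-tuple so that both directions of a flow pick the same node (symmetric PBR), and counts how many flows on healthy nodes move when one node fails. The flows and node names are constructed.

```python
"""Flow-to-PBR-node selection: modulo hash versus a resilient (rendezvous)
hash, with symmetric selection for the return direction. Added
illustration, not ACI code; flows are constructed 5-tuples."""
import hashlib
from typing import Callable, List, Sequence, Tuple

Flow = Tuple[str, int, str, int, str]    # (src, sport, dst, dport, proto)


def canonical(flow: Flow) -> Flow:
    """Order the two endpoints so a flow and its return traffic hash the
    same way (symmetric PBR: both directions reach the same node)."""
    src, sport, dst, dport, proto = flow
    if (dst, dport) < (src, sport):
        return (dst, dport, src, sport, proto)
    return flow


def _h(*parts) -> int:
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def modulo_select(flow: Flow, nodes: Sequence[str]) -> str:
    """Plain hash: bucket = hash(flow) mod N. Removing a node changes N,
    so flows that never touched the failed node are re-bucketed too."""
    return nodes[_h(*canonical(flow)) % len(nodes)]


def resilient_select(flow: Flow, nodes: Sequence[str]) -> str:
    """Rendezvous hash: score every node against the flow, take the best.
    Removing a node only reassigns flows for which it scored highest."""
    return max(nodes, key=lambda n: _h(n, *canonical(flow)))


def moved_flows(select: Callable[[Flow, Sequence[str]], str],
                flows: List[Flow], nodes: Sequence[str], failed: str) -> List[Flow]:
    """Flows that were on a healthy node and land on a different node
    after `failed` is removed from the pool."""
    alive = [n for n in nodes if n != failed]
    return [f for f in flows
            if select(f, nodes) != failed and select(f, nodes) != select(f, alive)]


def reverse(flow: Flow) -> Flow:
    src, sport, dst, dport, proto = flow
    return (dst, dport, src, sport, proto)


def demo(n_flows: int = 2000) -> dict:
    nodes = ["fw-1", "fw-2", "fw-3", "fw-4"]
    # constructed client flows to one web VIP
    flows = [(f"10.1.0.{i % 250 + 1}", 10000 + i, "10.2.0.10", 443, "tcp")
             for i in range(n_flows)]
    return {
        "modulo_moved": len(moved_flows(modulo_select, flows, nodes, "fw-3")),
        "resilient_moved": len(moved_flows(resilient_select, flows, nodes, "fw-3")),
        "symmetric": all(resilient_select(f, nodes) == resilient_select(reverse(f), nodes)
                         for f in flows),
    }


if __name__ == "__main__":
    print(demo())
```

With four nodes and one failure, roughly two thirds of the flows on the three healthy nodes change node under the modulo scheme and lose their firewall state; under the rendezvous scheme none do, which is the property the slide calls resilient hashing.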
Policy Based Redirect Requirements
• APIC must be v 2.0.1 or Higher
• The Service switch must be at least ‘-EX’ or more recent
• If not all the fabric is ‘-EX’, the Service switch must be dedicated to
Services (i.e. no workload connected with the L4-7 services)

What about IDS?

IDS Insertion in ACI
• Traditional SPAN mechanism based on EPG source/destination
• NEW Copy Service:
• A specific Service Graph
• Because it is attached to a contract, it leverages the contract subject for a more granular selection of traffic than SPAN
• Requires -EX leaf switches
• Supports only one device per copy cluster
Service Copy Configuration Steps
• Identify the source and destination endpoint groups.
• Configure the contract that specifies what to copy according to the subject and what
is allowed in the contract filter.
• Configure Layer 4 to Layer 7 copy devices that identify the target devices and
specify the ports where they attach.
• Use the copy service as part of a Layer 4 to Layer 7 service graph template.
• Configure a device selection policy that specifies which device will receive the traffic
from the service graph. When you configure the device selection policy, you specify
the contract, service graph, copy cluster, and cluster logical interface that is in copy
device.

Copy Service: Service Graph Template (APIC screenshot)

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-L7_Services_Deployment/guide/b_L4L7_Deploy_ver211/b_L4L7_Deploy_ver211_chapter_01101.html#id_28562
Threat Protection with IPS

Cisco Firepower Threat Defense Features (Firepower Threat Defense 6.2)
Full feature-set NGFW:
• L2-L7 firewall with L3 (Routed) and L2 (Transparent IRB or Inline-NGIPS) modes
• Scalable CGNAT, ACL, dynamic routing, fail-to-wire I/O modules
• Application inspection, PKI for site-to-site VPN, on-box manager
• Inter-chassis cluster, FlexConfig, REST-APIs, packet tracer/capture
NSS-leading next-gen IPS (SourceFIRE):
• Comprehensive threat prevention, L7 application visibility and control
• Security intelligence (C&C, botnets, IP, DNS, etc.), threat/risk reports
• Blocking of files by type, protocol and direction; protocol rate limiting
• Access control: enforcement by application and user (AD integration)
• Switch, routing, NAT options, and ISE pxGrid integration
• URL filtering, malware blocking, continuous file analysis
• Malware network trajectory, user-based IOCs, URL lookup
• AMP public & private cloud with ThreatGrid, FMC-ThreatGrid APIs
• Firepower Management Center (fka. FireSIGHT or Defense Center)
Automation

ASA Device Package: Dynamic Update to EPG Object-Group
APIC dynamically detects a new endpoint, the ASA subscribes to attach/detach events, and the ASA device package automatically adds the endpoints to an object-group.
1. Enable “Attachment Notification” on the function connector “internal”.
2. APIC creates an object-group for the EPG.
3. APIC adds the new endpoints (192.168.10.101, 192.168.10.102, in the provider EPG “app”; consumer EPG “web” is 192.168.20.200) to the object-group:

    object-group network __$EPG$_pod37-aprof-app
     network-object host 192.168.10.101
     network-object host 192.168.10.102

    access-list access-list-inbound extended permit tcp any object-group __$EPG$_pod37-aprof-app eq www

The ACE references the object-group, so no ACL change is needed when endpoints come and go.
FMC to APIC Rapid Threat Containment
• Step 1: the infected endpoint (App1 in the App EPG) launches an attack that the NGFW(v), FirePOWER Services in ASA, or FirePOWER(v) appliance blocks inline
• Step 2: an intrusion event is generated and sent to FMC, revealing information about the infected host
• Step 3: the attack event is configured to trigger the remediation module for APIC, which uses the APIC northbound API to contain the infected host in the ACI fabric
• Step 4: APIC quickly contains/quarantines the infected App1 workload in an isolated uSeg EPG
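Steps 3 and 4 come down to one REST call against the APIC: create (or extend) an attribute-based EPG whose criterion is the infected host's IP. The block below is an added example, not the Cisco FMC remediation module: the class names fvAEPg, fvRsBd, fvCrtrn and fvIpAttr and the isAttrBasedEPg and pcEnfPref attributes are the APIC object model, while the controller URL, tenant, application profile, bridge domain and EPG names are assumptions. The HTTP calls are only issued when a session object is passed (anything with the post/delete methods of a requests.Session), so the payload can be built and checked offline.

```python
"""Quarantine an endpoint by placing it in a uSeg EPG keyed on its IP,
via the APIC REST API. Added illustration, not Cisco code; URL and
policy names are assumptions."""
import ipaddress
import json

APIC = "https://apic.example.net"                       # assumed
TENANT, APP_PROFILE, BD = "Prod", "Expenses", "App-BD"  # assumed
QUARANTINE_EPG = "uSeg-Quarantine"                      # assumed

EPG_DN = f"uni/tn-{TENANT}/ap-{APP_PROFILE}/epg-{QUARANTINE_EPG}"


def _attr_name(ip: ipaddress._BaseAddress) -> str:
    return "quarantine-" + str(ip).replace(".", "-").replace(":", "-")


def quarantine_payload(host_ip: str) -> dict:
    """fvAEPg with isAttrBasedEPg=yes, intra-EPG isolation enforced (so two
    quarantined hosts cannot talk to each other), and one fvIpAttr.
    APIC merges on DN, so posting again with another host's IP adds a
    second criterion instead of replacing the EPG."""
    ip = ipaddress.ip_address(host_ip)      # raises ValueError on garbage input
    return {
        "fvAEPg": {
            "attributes": {
                "name": QUARANTINE_EPG,
                "isAttrBasedEPg": "yes",
                "pcEnfPref": "enforced",
            },
            "children": [
                {"fvRsBd": {"attributes": {"tnFvBDName": BD}}},
                {"fvCrtrn": {
                    "attributes": {"name": "default", "match": "any"},
                    "children": [
                        {"fvIpAttr": {"attributes": {"name": _attr_name(ip), "ip": str(ip)}}},
                    ],
                }},
            ],
        }
    }


def quarantine_url() -> str:
    return f"{APIC}/api/node/mo/{EPG_DN}.json"


def release_url(host_ip: str) -> str:
    """DN of the single IP criterion; an HTTP DELETE here lets the host
    fall back to its base EPG without touching other quarantined hosts."""
    ip = ipaddress.ip_address(host_ip)
    return f"{APIC}/api/node/mo/{EPG_DN}/crtrn/ipattr-{_attr_name(ip)}.json"


def login_payload(user: str, password: str) -> dict:
    """Body for POST /api/aaaLogin.json; the APIC-cookie comes back as a cookie."""
    return {"aaaUser": {"attributes": {"name": user, "pwd": password}}}


def quarantine(host_ip: str, session=None) -> dict:
    """Build the request and, if a session is given, POST it to the APIC."""
    body = quarantine_payload(host_ip)
    if session is not None:
        r = session.post(quarantine_url(), data=json.dumps(body))
        r.raise_for_status()
    return body


def release(host_ip: str, session=None) -> str:
    url = release_url(host_ip)
    if session is not None:
        session.delete(url).raise_for_status()
    return url


if __name__ == "__main__":
    print(json.dumps(quarantine("10.0.2.45"), indent=1))
    print(release("10.0.2.45"))
```

The IP attribute outranks VM-name and OS-based attributes in the APIC precedence order for VMM domains, so the quarantine µSeg EPG wins over any other µSeg EPG the host already belonged to; with no contracts on it, the host can reach nothing until the criterion is deleted. The remediation account should be scoped with a tenant-level RBAC role that can only write to this application profile.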
TrustSec



access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

The ACLs above are a traditional security policy: addresses and ports, tied to network topology. With TrustSec the security policy becomes Software Defined Segmentation expressed on groups, with flexible and scalable policy enforcement across the network fabric (switch, router, wireless, DC firewall, DC switch), giving:
• Security control automation
• Simplified access management
• Improved security efficacy
Enabling Group-Based Policies across the Enterprise
• Cohesive security policy
• Simplified security management
• End-to-End segmentation

[Figure: TrustSec Policy Domain (Campus / Branch / Non-ACI DC with ISE 2.1; groups Voice, Employee, Supplier, BYOD on Voice and Data VLANs) alongside the ACI / APIC Policy Domain (Data Center, ACI Fabric; EPGs Web, App, DB).]
TrustSec Security Groups Provisioned in ACI
• ISE dynamically provisions TrustSec Security Groups in ACI Fabric
• TrustSec Groups represented as External EPGs
• Max: 200 Security Groups
• Up to 4000 /32 mappings (gen1)
• Up to 10K /32 mappings (gen2, -EX)

[Figure: TrustSec domain (ISE, Security Groups) to ACI domain (APIC, DC).]
TrustSec Groups Shared with ACI

Sharing Application Context to TrustSec Policies
• ISE dynamically learns internal EPGs and VM Bindings from ACI fabric
• TrustSec Policies Controlling Access to ACI Data Centers

[Figure: TrustSec Domain (ISE) learning from APIC / ACI Fabric (DC) hosting VM1 ... VM100.]
Sharing ACI Endpoint Groups to TrustSec

• EPG suffix added to Security Group name
• IP-SGT bindings from ACI can be propagated over SXP to TrustSec devices and to pxGrid peers

StealthWatch



Effective security depends on total visibility
• KNOW every host
• SEE every conversation
• Understand what is NORMAL
• Be alerted to CHANGE
• Respond to THREATS quickly

[Figure: Network connecting HQ, Branch Users, Data Center, Roaming Users and Admin.]



Cisco CTD Solution: Providing Scalable Visibility
Drilling into a single flow yields a plethora of information

Flow-based Anomaly Detection

1: Collect & Analyze Flows
2: Establish Baseline of Behaviors
Flow attributes used in steps 1 and 2:
• # Concurrent flows
• Packets per second
• Bits per second
• New flows created
• Number of SYNs sent
• Time of day
• Number of SYNs received
• Rate of connection resets
• Duration of the flow
• Over 80+ other attributes

3: Alarm on Anomalies & Changes in Behavior
[Figure: anomaly detected in host behavior against per-group thresholds for Critical Servers, Exchange Server, Web Servers and Marketing.]


Behavior-Based Attack Detection

High Concern Index indicates a significant number of suspicious events that deviate from established baselines

Host Groups   Host            CI            CI%      Alarms               Alerts
Desktops      10.10.101.118   865,645,669   8,656%   High Concern Index   Ping, Ping_Scan, TCP_Scan

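The collect / baseline / alarm loop of the two slides above, as an added example that is not Cisco or StealthWatch code: it reduces constructed NetFlow-like records to a few of the per-host attributes the deck lists, learns a per-host baseline from past windows, and emits a concern-style score with constructed alarm labels (the product's real scoring and alarm names are not on the page).

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed alarm labels for this example (StealthWatch's own names differ).
ALARM = {"flows": "New_Flows", "syn_sent": "TCP_Scan", "peers": "Addr_Scan", "bytes": "Data_Volume"}
def window_stats(flows):
    """One time window of (src, dst, bytes, flags) records -> per-host attributes from the deck's list."""
    hosts = defaultdict(lambda: {"flows": 0, "syn_sent": 0, "bytes": 0, "peers": set()})
    for f in flows:
        h = hosts[f["src"]]
        h["flows"] += 1                      # new flows created
        h["bytes"] += f["bytes"]             # volume sent
        h["syn_sent"] += "S" in f["flags"]   # number of SYNs sent
        h["peers"].add(f["dst"])             # distinct destinations (scan indicator)
    return {s: {k: (len(v) if k == "peers" else v) for k, v in h.items()} for s, h in hosts.items()}

def baseline(history):
    """Learn per-host, per-attribute (mean, stdev) from a list of past window_stats() results."""
    series = defaultdict(lambda: defaultdict(list))
    for win in history:
        for host, attrs in win.items():
            for k, v in attrs.items():
                series[host][k].append(v)
    return {h: {k: (mean(v), pstdev(v)) for k, v in a.items()} for h, a in series.items()}

def concern_index(current, base, z_threshold=3.0):
    """Score each known host by how far its current window exceeds its baseline -> (score, alarms)."""
    report = {}
    for host, attrs in current.items():
        if host not in base:          # no baseline yet: nothing to compare against
            continue
        score, alarms = 0.0, set()
        for k, v in attrs.items():
            m, sd = base[host][k]
            sd = max(sd, 0.1 * m, 1.0)   # floor so a flat baseline cannot blow up z
            z = (v - m) / sd
            if z > z_threshold:
                score += z
                alarms.add(ALARM[k])
        report[host] = (round(score, 1), sorted(alarms))
    return report
def flow(src, dst, nbytes, flags):   # constructed NetFlow-like record
    return {"src": src, "dst": dst, "bytes": nbytes, "flags": flags}
# Constructed sample: five quiet windows, then one where the desktop fans SYNs out to 100 hosts.
DESKTOP, SERVER = "10.10.101.118", "10.10.2.5"
NORMAL = [[flow(DESKTOP, f"10.10.1.{i % 3}", 4000 + 100 * i, "SA") for i in range(20)]
          + [flow(SERVER, "10.10.1.9", 50000, "A") for _ in range(5)] for _w in range(5)]
SCAN = [flow(DESKTOP, f"10.20.0.{i}", 60, "S") for i in range(100)] + NORMAL[0]
def run():
    return concern_index(window_stats(SCAN), baseline([window_stats(w) for w in NORMAL]))
```

Hosts seen only as scan targets have no baseline and are skipped rather than scored, which is the gap a first-day deployment has until enough windows accumulate.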
NetFlow
Security Use Cases: It Can
• Detect Sophisticated and Persistent Threats. Malware that makes it past perimeter security can remain in the enterprise waiting to strike as lurking threats. These may be zero-day threats that do not yet have an antivirus signature or be hard to detect for other reasons.
• Identify BotNet Command & Control Activity. BotNets are implanted in the enterprise to execute commands from their Bot herders to send SPAM, Denial of Service attacks, or other malicious acts.
• Uncover Network Reconnaissance. Some attacks will probe the network looking for attack vectors to be utilized by custom-crafted cyber threats.
• Find Internally Spread Malware. Network interior malware proliferation can occur across hosts for the purpose of gathering security reconnaissance data, data exfiltration or network backdoors.
• Reveal Data Loss. Code can be hidden in the enterprise to export sensitive information back to the attacker. This Data Leakage may occur rapidly or over time.

StealthWatch Solution Components

[Figure: StealthWatch Management Console, StealthWatch FlowCollector, StealthWatch FlowSensor, StealthWatch FlowSensor VE and Cisco ISE (Users/Devices), fed by NetFlow, NBAR and NSEL from the Cisco Network.]
How do I send Traffic to my FlowSensor?



How do I send Traffic to my FlowSensor?
• Traditional SPAN mechanism based on EPG Source/Destination
• NEW Copy Service:
  • Specific Service graph
  • As it is attached to a contract, it leverages the Subject for a more granular selection of traffic than SPAN
  • Requires -EX leaf switch
  • Supports only one device per copy cluster

In Conclusion
• ACI helps tackle DC Security Challenges by:
  • Integrating security in the Application
  • Accelerating security deployment
  • Automating security insertion
• Cisco Security helps better protect your DC by:
  • Providing leading edge technologies
  • Integrating smoothly in ACI architecture
  • Providing a full security framework

