#CLUS

Demystifying ACI Security
Fabien Gandola – CSE Security for EMEA
BRKSEC-2048

Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session

How
1 Find this session in the Cisco Events App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 18, 2018.
cs.co/ciscolivebot#BRKSEC-2048

#CLUS BRKSEC-2048 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
CONCLUSION
In Conclusion
• ACI helps tackle DC security challenges by:
  • Integrating security in the application
  • Accelerating security deployment
  • Automating security insertion

• Cisco Security helps better protect your DC by:
  • Providing leading-edge technologies
  • Integrating smoothly into the ACI architecture
  • Providing a full security framework
LET’S TAKE A STEP BACK…
Business Trends and Datacenter Challenges
What Changed?
• Virtualization
• Requirements for security for East-West traffic
• Architecture with multiple active Data Centers
• Hybrid Data Center with Public Cloud solution
Digitization generates DC Challenges
• Enable business growth: new business value, new business models
• Protect infrastructure and critical data
• Defend across the extended DC: physical + virtual + cloud, 24x7
• Manage data deluge and device proliferation
The Cisco Advantage
An Architectural Approach
• Control North/South traffic with NGFW
• Scale and HA with NGFW clustering
• Inspect North/South traffic with NGIPS
• Segment and protect virtual enclaves with ASAv and FTDv
…Leveraging the Infrastructure…
Leverage your Cisco infrastructure to fight advanced pervasive threats: TrustSec with Security Group Tagging (SGT).
Diagram: ASA FW, ISE, Lancope Stealthwatch, NGA and Virtual FlowSensor exchanging SGTs across the infrastructure.
Simplify, Accelerate, Automate, Standardize.
…Ready for Next Generation DataCenter.
Application Centric Infrastructure: Scalable, Simple, Flexible, Reliable, Automated, Secured.
Diagram: ACI fabric with clustered ASA FW and NGIPS, physical hosts, physical and virtual endpoints, security nodes and service nodes.
Feature Product Matrix
Features compared across ASA/FTD, FTD, StealthWatch and TrustSec: Access Control, Segmentation, Context Discovery, Threat Detection, Threat Protection, APT Detection, Forensic Analysis, Compliance.

Feature Product Matrix with ACI
The same features and products, shown together with ACI.
The Case for SDN
Applications All Around Us
…are the driving force of business; they are being rapidly developed and deployed at scale, while requiring frequent updates and the highest availability (SLAs).

Challenge for Infrastructure
…to keep up with the pace of change imposed on the network and security functions, while maintaining application capacity, resiliency and agility.
Software-Defined Networking
…Comes to the Rescue
“…is an emerging architecture that is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications. This architecture decouples the network control and forwarding functions enabling the network control to become directly programmable and the underlying infrastructure to be abstracted for applications and network services.”

Source: www.opennetworking.org

What are the critical Security Functions in the DataCenter?
Defining SDN use cases for DC security:
• Automatic remediation
• Micro-segmentation
• Programmability
• Embedding security policy within the application
• Ease of service insertion
Agenda
• Introduction
• Use Cases
  • Basic Access Control
  • Basic Segmentation
  • Micro-Segmentation
  • Access Control with NGFW
  • Segmentation with NGFW
  • Threat Detection with IDS
  • Threat Protection with IPS
  • Where is my automation in there?
  • Behavior Anomaly Detection
  • More Granular Access Control
• Conclusion

About me…
Fabien Gandola – fgandola@cisco.com
TSA Cyber Security EMEAR
19 years in Cisco

ACI Devices Role
• Spine Nodes
• Leaf Nodes
• APIC Controller
• Service Producers
• Service Consumers (“DB”, “App”)
ACI Whitelist Policy supports “Zero Trust” Model
Whitelist policy = explicitly configured ACI contract between EPG 1 and EPG 2 allowing traffic between their members.
• Trust based on location (traditional DC switch): servers 1 to 4 share the switch; servers 2 and 3 can communicate unless blacklisted.
• Zero trust architecture (Nexus 9K with ACI): servers are placed in EPG 1 “WEB” and EPG 2 “APP”; no communication is allowed between servers 2 and 3 unless there is a whitelist policy.
The Heart of ACI
ACI uses a policy-based approach that focuses on the application.
Diagram: External Network → Web → App → DB, with QoS, Filter and Service policies applied between the tiers.
ACI Communication Abstraction
Security Policy “App” → “DB”, pushed by APIC into the ACI fabric:
• All TCP/UDP: Accept, redirect to FW and IPS (Security Services)
• All other: Drop

What are the ACI Building Blocks?
A Policy Based on Groups
First, we need a way to identify and group together end points (Web Tier, App Tier, DB Tier).

End Point Group
In the ACI model, we do this using the End Point Group (EPG): “EPG Web”, “EPG App”, “EPG DB”.

Endpoint Groups Communications
Devices within an Endpoint Group can communicate, provided that they have IP reachability (provided by the Bridge Domain/VRF).
Communication between Endpoint Groups is, by default, not permitted.

Contract
Once we have our EPGs defined, we need to create policies to determine how they communicate with each other.

Contract: a kind of reflexive, “stateless” ACL
A contract typically refers to one or more ‘filters’ to define the specific protocols and ports allowed between EPGs, for example filters TCP:80 and TCP:443.
Create a Contract

Access Control From Outside
L3out → EPG Web → EPG App → EPG DB, with a contract “Client-Web” between the L3out and EPG Web: perimeter stateless access control.
How Secure is the Fabric to rely on it for Security?
ACI Fabric Security
• Whitelist Security Model
• APIC Hardening
• Role Based Access Control
• APIC Northbound Protocols
• APIC Northbound Authentication
• Two Factor Authentication (RSA SecurID)
• APIC to Switch Authentication and Encryption
• 802.1X
• NXOS Image Signing and Verification
• Audit Logs for all Changes
• Security Compliance Report
• Security Certifications
• MACsec Support

For more information on ACI fabric security:
http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-736292.html
Is there a way to create Management zones?
Tenants
A Tenant is a container for all network, security, troubleshooting and L4–7 service policies. Tenant resources are isolated from each other, allowing management by different administrators.
Tenants can provide traffic and RBAC isolation… (e.g. Engineering-Tenant, Marketing-Tenant, IT Shared Services, Internet, Test/Dev and IPTV on one ACI fabric).
Segmentation Using Contracts
L3out → EPG Web → EPG App → EPG DB, with contracts “Client-Web”, “Web-App” and “App-DB”. Each contract acts as a stateless firewall; the diagram also shows a load balancer.
But what if I want all EPGs to be able to send syslog, query DNS, communicate with the AD, etc.?
vzAny applies rules to all EPGs in a VRF
• EPG A provides Syslog, vzAny consumes: any EPG can consume syslog that EPG A provides.
• vzAny provides Syslog, EPG A consumes: EPG A can consume Syslog from any EPG in the VRF.
• vzAny both provides and consumes: any EPG in the VRF can consume or provide syslog.
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_Use_vzAny_to_AutomaticallyApplyCommunicationRules_toEPGs.html#concept_F2BC3533BF984F1F88A18B712ED9C072
But what if I want some EPGs to communicate freely between themselves?
Contract Preferred Groups
Allow traffic between a group of EPGs: EPG A, B, C and D are members of the Contract Preferred Group “Alphabet”, so no contract is required within the group; EPG 1 and EPG 2 are outside the group, so a contract is still required to reach them.
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_APIC_Contract_Preferred_Group.html
These two forms of contract help a lot in reducing the number of contracts, which otherwise drives TCAM usage in the switches.
Is that really helping me compared to traditional ACLs?
The abstraction layer provided by the EPG detaches the security policy from infrastructure details such as IP addresses or VLANs.
Application Profile
A collection of EPGs and the associated contracts that define how they communicate form an Application Profile, e.g. Application Profile “My Expenses” with “EPG Web”, “EPG App” and “EPG DB” and the contracts between them.
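As an added example (not from the deck or from Cisco), a toy Python model of the whitelist policy described in the preceding slides: EPGs, contracts with filters, vzAny and Contract Preferred Groups evaluated for a flow between two EPGs, plus a rough count of zoning rules to show why vzAny saves TCAM. The “My Expenses” profile, its EPG names, ports and the rule-count formula are constructed assumptions, not APIC output.

```python
# Added example: toy model of the ACI whitelist policy (EPG, contract, filter,
# vzAny, Contract Preferred Group). The profile below is constructed for
# illustration; real APIC rule programming and TCAM usage are hardware-dependent,
# the estimate only shows the scaling effect of vzAny versus explicit consumers.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

VZ_ANY = "vzAny"  # stands for every EPG in the VRF


@dataclass(frozen=True)
class Filter:
    """One filter entry: protocol and destination port (None = any port)."""
    proto: str
    dport: Optional[int] = None

    def matches(self, proto: str, port: Optional[int]) -> bool:
        return self.proto == proto and (self.dport is None or self.dport == port)


@dataclass
class Contract:
    """Reflexive, stateless ACL between consumer EPGs and provider EPGs."""
    name: str
    filters: List[Filter]
    consumers: Set[str]   # EPG names, or VZ_ANY
    providers: Set[str]   # EPG names, or VZ_ANY


@dataclass
class ApplicationProfile:
    """EPGs plus the contracts that define how they communicate."""
    name: str
    epgs: Set[str]
    contracts: List[Contract] = field(default_factory=list)
    preferred_group: Set[str] = field(default_factory=set)

    @staticmethod
    def _on_side(side: Set[str], epg: str) -> bool:
        return VZ_ANY in side or epg in side

    def permits(self, src: str, dst: str, proto: str,
                dport: Optional[int], sport: Optional[int] = None) -> Tuple[bool, str]:
        """Decide one packet src EPG -> dst EPG under the whitelist model.

        Intra-EPG traffic is allowed by default (no isolation), inter-EPG traffic
        only through a contract or a preferred group. Return traffic is matched
        by the reverse filter, i.e. on the source port, which is what makes the
        stateless contract "reflexive".
        """
        if src not in self.epgs or dst not in self.epgs:
            return False, "unknown EPG"
        if src == dst:
            return True, "intra-EPG (default, no isolation)"
        if src in self.preferred_group and dst in self.preferred_group:
            return True, "contract preferred group"
        for c in self.contracts:
            for f in c.filters:
                fwd = self._on_side(c.consumers, src) and self._on_side(c.providers, dst)
                if fwd and f.matches(proto, dport):
                    return True, f"contract {c.name}: {f.proto}/{f.dport}"
                rev = self._on_side(c.providers, src) and self._on_side(c.consumers, dst)
                if rev and f.matches(proto, sport):
                    return True, f"contract {c.name}: reverse filter (return traffic)"
        return False, "no whitelist contract between EPGs"

    def zone_rule_estimate(self) -> int:
        """Rough count of zoning rules: one per (consumer, provider, filter) and
        direction. vzAny is a single class on the leaf, so it counts once
        where N explicit consumer EPGs would count N times (assumed model)."""
        return sum(2 * len(c.consumers) * len(c.providers) * len(c.filters)
                   for c in self.contracts)


def build_profile(use_vzany: bool) -> ApplicationProfile:
    """Constructed 'My Expenses' profile, with or without vzAny for syslog."""
    epgs = {"L3out", "Web", "App", "DB", "Syslog", "Tools-A", "Tools-B"}
    ap = ApplicationProfile("My Expenses", epgs, preferred_group={"Tools-A", "Tools-B"})
    ap.contracts += [
        Contract("Client-Web", [Filter("tcp", 80), Filter("tcp", 443)], {"L3out"}, {"Web"}),
        Contract("Web-App", [Filter("tcp", 80)], {"Web"}, {"App"}),
        Contract("App-DB", [Filter("tcp", 3306)], {"App"}, {"DB"}),
    ]
    syslog = [Filter("udp", 514)]
    if use_vzany:
        ap.contracts.append(Contract("Syslog", syslog, {VZ_ANY}, {"Syslog"}))
    else:  # one explicit consumer per EPG instead of vzAny
        ap.contracts.append(Contract("Syslog", syslog, epgs - {"Syslog"}, {"Syslog"}))
    return ap


if __name__ == "__main__":
    ap = build_profile(use_vzany=True)
    for flow in [("L3out", "Web", "tcp", 443, None), ("L3out", "DB", "tcp", 3306, None),
                 ("App", "DB", "tcp", 3306, None), ("DB", "App", "tcp", 51000, 3306),
                 ("DB", "App", "tcp", 3306, None), ("Web", "Syslog", "udp", 514, None),
                 ("Tools-A", "Tools-B", "tcp", 9000, None)]:
        print(flow, "->", ap.permits(*flow))
    print("rules with vzAny:", ap.zone_rule_estimate(),
          "without:", build_profile(use_vzany=False).zone_rule_estimate())
```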
Demo: Security Embedded in Application

VMware keeps talking about NSX Micro-segmentation…
The ACI Micro Segmentation Toolbox
ACI Policy Model: EPGs & Contracts

The ACI Micro Segmentation Toolbox: Intra-EPG isolation
• Functional equivalent to an Isolated Private VLAN: ALL endpoints in the EPG are isolated from each other
• Supported since ACI 1.2(2)
• Can be combined with Micro-segmented EPGs

Intra-EPG endpoint isolation

The ACI Micro Segmentation Toolbox
ACI Policy Model: EPGs & Contracts, Intra-EPG isolation, Intra-EPG Contracts (no Service Graph attached)
The ACI Micro Segmentation Toolbox: Micro-segmented EPGs with attributes
• Use of attributes to classify endpoints into a specific kind of EPG called µEPG
• Network-based attributes: IP/MAC
• VM-based attributes: Guest OS, VM name, ID, vnic, DVS, Datacenter
• Does not create a Port Group on the VMM (no vnic reassignment)
• Supported since ACI 1.1(1)

About Micro-segmented EPGs
• µSeg EPGs are not linked to a “Base” EPG (though virtual endpoints are still “attached” to their corresponding Port Groups):
  • They have their own Bridge Domain → endpoint addressing must be taken into consideration in the design
  • They have their own set of Contracts → there is no contract inheritance from the “Base” EPG
• Attributes are matched using an “OR” operator, with a precedence order in case of conflict
  • Any VM in the VMM Domain & Tenant matching an attribute will be put in the µSeg EPG → choose wisely the attribute(s) you want to match
• In the last 2 case studies, Custom Attributes would be a natural choice
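As an added example (not from the deck or from Cisco), a toy classifier for the µSeg EPG rules above: OR matching across a µEPG's attributes, an assumed precedence list for conflicts (the deck says a precedence order exists but does not list it), and a constructed inventory in which a MAC-keyed quarantine µEPG wins over a name-based one while an over-broad Guest OS attribute sweeps in an unrelated VM. All VM names, addresses and MACs are constructed.

```python
# Added example: toy µSeg EPG classifier. VM records, attribute kinds and µEPG
# names are constructed; PRECEDENCE is an assumed stand-in for the APIC order,
# which the deck mentions but does not list. Real APIC has more attribute types.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

VM = Dict[str, str]  # constructed inventory record: name, ip, mac, guest_os

# Assumed precedence, strongest first, used only when a VM matches several µEPGs.
PRECEDENCE = ["mac", "ip", "vm_name", "guest_os"]


@dataclass(frozen=True)
class Attribute:
    """One µEPG attribute: exact MAC, IP prefix, VM-name prefix or guest-OS substring."""
    kind: str
    value: str

    def matches(self, vm: VM) -> bool:
        if self.kind == "mac":
            return vm["mac"].lower() == self.value.lower()
        if self.kind == "ip":
            return ip_address(vm["ip"]) in ip_network(self.value, strict=False)
        if self.kind == "vm_name":
            return vm["name"].startswith(self.value)
        if self.kind == "guest_os":
            return self.value.lower() in vm["guest_os"].lower()
        raise ValueError(f"unknown attribute kind: {self.kind}")


@dataclass
class MicroSegEPG:
    """µSeg EPG: a VM is pulled in if ANY of its attributes matches (OR semantics)."""
    name: str
    attributes: List[Attribute]

    def best_rank(self, vm: VM) -> Optional[int]:
        """Precedence rank (lower is stronger) of the strongest matching attribute."""
        ranks = [PRECEDENCE.index(a.kind) for a in self.attributes if a.matches(vm)]
        return min(ranks) if ranks else None


def classify(vm: VM, base_epg: str, useg_epgs: List[MicroSegEPG]) -> Tuple[str, str]:
    """Return (epg, reason): the µEPG that claims the VM, or its base EPG.

    Any VM in the VMM domain and tenant matching an attribute leaves its base
    EPG; when several µEPGs match, the strongest attribute kind wins.
    """
    hits = sorted((u.best_rank(vm), u.name) for u in useg_epgs
                  if u.best_rank(vm) is not None)
    if not hits:
        return base_epg, "no attribute matched; stays in base EPG"
    rank, name = hits[0]
    if len(hits) > 1 and hits[1][0] == rank:
        return name, f"ambiguous: same {PRECEDENCE[rank]} precedence as {hits[1][1]}"
    return name, f"matched by {PRECEDENCE[rank]} attribute"


# Constructed µEPGs: a prod web group, a test group, a quarantine group keyed on
# MAC (use case "quarantining compromised endpoints"), and an over-broad OS group.
USEG_EPGS = [
    MicroSegEPG("uEPG-Prod-Web", [Attribute("vm_name", "prod-web-")]),
    MicroSegEPG("uEPG-Test", [Attribute("vm_name", "test-"),
                              Attribute("ip", "172.16.20.0/24")]),
    MicroSegEPG("uEPG-Quarantine", [Attribute("mac", "00:50:56:aa:bb:cc")]),
    MicroSegEPG("uEPG-Ubuntu", [Attribute("guest_os", "ubuntu")]),  # too broad
]

# Constructed inventory (not real hosts).
VMS: List[VM] = [
    {"name": "prod-web-01", "ip": "172.16.10.11", "mac": "00:50:56:00:00:01", "guest_os": "Ubuntu 16.04"},
    {"name": "prod-web-02", "ip": "172.16.10.12", "mac": "00:50:56:aa:bb:cc", "guest_os": "Ubuntu 16.04"},
    {"name": "prod-db-01", "ip": "172.16.10.50", "mac": "00:50:56:00:00:03", "guest_os": "CentOS 7"},
    {"name": "jumpbox", "ip": "172.16.20.9", "mac": "00:50:56:00:00:04", "guest_os": "Windows Server 2016"},
    {"name": "misc-tools", "ip": "172.16.10.77", "mac": "00:50:56:00:00:05", "guest_os": "Ubuntu 18.04"},
]


def classify_all(vms: List[VM] = VMS, base_epg: str = "EPG-Web-Base") -> Dict[str, str]:
    """Map every VM name to the EPG it ends up in."""
    return {vm["name"]: classify(vm, base_epg, USEG_EPGS)[0] for vm in vms}


if __name__ == "__main__":
    for vm in VMS:
        print(vm["name"], "->", classify(vm, "EPG-Web-Base", USEG_EPGS))
```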
USE CASE
• Securing infrastructure
• Quarantining compromised endpoints
• Securing an application life cycle
Use Case 3: Application Life Cycle
Joomla Web Application, production environment:
• Web VM1 and Web VM2 (tcp/80) behind VIP 172.16.1.100 (http://172.16.1.100), reached from the WAN
• MySQL DB VM (tcp/3306)
• The load balancer can reach the web servers, but not the DB
• The web application is protected by a NGFW at the perimeter
• Web servers reach the DB via the NGFW, but do not need to talk to each other
• Single subnet (172.16.10.0/24) to simplify IPAM

Use Case 3: Application Life Cycle (continued)
• Prod: http://172.16.1.100/acme – Web VM1, Web VM2 (tcp/80), MySQL DB VM (tcp/3306), 172.16.1.100
• Test: http://172.16.1.200/acme – Web VM, MySQL DB VM, HAProxy, 172.16.1.200, test vDesktops
• Dev: Web VM3, MySQL DB VM
• New VM added to the pool; the pool is automatically updated by APIC when the VM moves into the µEPG; NGFW rules allowing DB access
Micro Segmented EPGs with VM Attributes
Diagram: vSphere Production Clusters and Test Clusters of VMs behind the WAN/Internet, with MGMT & Storage.
ACI has a wide segmentation support
• Intra-EPG: DVS since ACI 1.2(2), AVS since ACI 1.3(1); Roadmap; Supported since ACI 1.2(2); Supported since ACI 1.2(2)
• Micro-segmentation: DVS since ACI 1.3(1) with 9300-EX hardware, AVS since ACI 1.1(1); Microsoft Virtual Switch since ACI 1.2(1); Roadmap; IP EPG since ACI 1.2(1) with -E hardware, MAC EPG planned
Micro-Segmentation HW Support
                                1st generation   -E       -EX
AVS µSeg (VM, IP, MAC)          Yes              Yes      Yes
Microsoft µSeg (VM, IP, MAC)    Yes              Yes      Yes
vDS µSeg (VM, IP, MAC)          No               No       Yes
Bare-Metal (IP-EPG)             No               Yes*     Yes*
Bare-Metal (MAC-EPG)            N/A              Yes      Yes
OpenStack (GBP)                 No               Future   Future
Container                       No               Future   Future
* Caveat: IP-EPGs must be in 2 subnets
Cisco ACI Supports Flexible East-West Security Models
L4 Stateless Security
• Firewall at each leaf switch, for physical or virtual servers
• L4 distributed stateless firewall attached to every server port
• Line-rate policy enforcement
• Policy follows workloads

L4-7 Visibility and Control
• Cisco ACI Service Graph: L4-7 security services (physical or virtual, location independent)
• Advanced protection with NGFW, IPS/IDS, DDoS services insertion
• Sizing at scale: can add an ASA cluster
• L4-7 security policy applied consistently for any workload
Why Insert Security Services?
• Stateless segmentation is not sufficient for compliance
• More granular access control (e.g. user based)
• Dynamic protocols requiring deeper inspection
• Better protection and detection mechanisms
Where to Connect Security Services in the Fabric?
NGFW, appliance or virtual; NGIPS, appliance or virtual: WE DON’T REALLY CARE!

How to Insert Security Services
• Network stitching (ACI L2 fabric)
• Service graph insertion
  • Unmanaged
  • Managed with Device Package
  • Managed Hybrid
Match the requirements and operational model of the DC and Security teams.
Flexible Options for Services Insertion
• ACI L2 Fabric: APIC defines Tenants; EPG is VLAN/Subnet; SecOps controls the service
• Service Graph, No Package (unmanaged service graph): fabric GW/routing; no Device Package, Network Policy Mode
• Service Graph, Managed (managed service graph): orchestrate with vendor Service Policy or Service Manager Device Packages; APIC in control
L2 Network Stitching
- Each interface of the firewall is set to belong to a different EPG (Web, App, DB, each in its own BD)
- The forwarding decision is 100% network centric and doesn’t involve APIC
- NO CONTRACT NEEDED
- No integration with APIC
When to use this method:
- When the policy is quite static
- When more than 2 interfaces are needed on the FW
Service Graph technology was designed to automate and accelerate the deployment of L4-L7 services in the network.
Why Use Service Graph?
• Security is fully inserted into the application, as the service graph is an extension of the contract in the Application Profile
• Granular way to send traffic to the security service using the contract
• Configuration templates
• Automation of the network configuration both for the fabric and the security appliance (with Device Package)
• Statistics and health score automatically collected for the services
• Dynamic update of the ACLs based on endpoint discovery in the EPG
• Insert several services seamlessly with Service Chaining
ACI Zero Trust Model
Diagram: APIC pushes a CONTRACT into the ACI fabric between “DB” and “App”.

Service Graph
In order to add L4-7 services such as security, you can add a Service Graph to a contract to redirect traffic to a Service Producer such as an ASA or Firepower NGIPS.

Build a Policy with Service Graph
Security Policy “App” → “DB”, pushed by APIC into the ACI fabric:
• All TCP/UDP: Accept, redirect to FW and IPS (Security Services)
• All other: Drop

Add a Service Graph to a Contract
Service Automation Through Device Package
• Service automation requires a vendor device package. It is a zip file containing:
  • Device specification (XML file)
  • Device scripts (Python)
• Cisco® APIC interfaces with the device using the device Python scripts
• Cisco APIC uses the device configuration model provided in the package to pass appropriate configurations to the device scripts
• Device script handlers interface with the device using its REST or CLI interface
Device specification excerpt shown on the slide:
<dev type= “f5”>
<service type= “slb”>
<param name= “vip”>
<dev ident=“210.1.1.1”
<validator=“ip”
<hidden=“no”>
<locked=“yes”>
Diagram: APIC Node (Policy Element, Device Model, Script Interface, Script Engine, device-specific Python scripts) → Device Interface REST/CLI → Service Device and Device Manager Console.
ASA Device Package Opt 1: Policy Orchestration
Managed – Service Policy (ASA Policy Orchestration (PO) DP)
• FirePOWER Services Threat Defence policies – threat policy on FMC: security team configures via FMC
• ACLs, Inspections, HA, S2S VPN, special features: APIC configures on ASA via ASA Device Package; security team adds more ASA config
• Interfaces, VLANs, IPs, static or dynamic routes: APIC configures on ASA via ASA Device Package
• Nexus9k Leafs/Spines – shadow EPG VLANs, L3outs: APIC configures the Service Graph in the ACI fabric

ASA PO & FI Device Package

ASA DP Built-In Profiles
• Template for Routed ASA: requires entry of IP addresses; HA needs standby IP entry
• Template for Transparent ASA: requires entry of BVI IP address; HA needs standby IP entry

ASA PO Function Profile – i.e., PBR One-Arm
Why Use Managed Service Graph ?
• Full Tenant orchestration with L4-L7 services
• ACL changes on the firewall can be offloaded to custom tools,
using Northbound API
• Device package allows for very fast deployment of security
• APIC monitors the service health and validates configuration

Why Use Unmanaged Service Graph ?
• Continuity of the SecOps management workflows and tools
• No device package available from a Vendor
• Quicker migration of security appliance configs and policies into
ACI fabric
• Allow use of the full spectrum of product features, not just the
features supported by the device package

Can we get the benefits of the Device Package without the drawbacks?
Service Graph Hybrid Managed
• Leverage the network and interface configuration automation from APIC with the Device Package
• Leverage the external security management solution for the security team to create the security policy
• Use the Service Graph to tie together the policy and the network insertion
ASA Device Package Opt 2: Fabric Insertion
ASA has an option that allows APIC to configure insertion into the fabric while all other ASA features are configured out of band (CLI, REST-API, CSM, CDO).
Managed – Service Policy (ASA Policy Orchestration (PO) DP):
• FirePOWER Services Threat Defence policies – threat policy on FMC: security team configures via FMC
• ACLs, Inspections, HA, S2S VPN, special features: APIC configures on ASA via ASA Device Package; security team adds more ASA config
• Interfaces, VLANs, IPs, static or dynamic routes: APIC configures on ASA via ASA Device Package
Managed – Service Policy (ASA Fabric Insertion (FI) DP):
• FirePOWER Services Threat Defence policies – threat policy on FMC: security team configures via FMC
• ACLs, Inspections, HA, and all other ASA features: security team configures
• Interfaces, VLANs, IPs, static or dynamic routes: APIC configures on ASA via ASA Device Package
• Nexus9k Leafs/Spines – shadow EPG VLANs, L3outs: APIC configures the Service Graph in the ACI fabric

ASA PO & FI Device Package
FTD Device Package Workflow
1. Existing Rule – Security Admin uses FMC to create an ACP rule to be used with the new service graph. The rule includes allowed protocols, NGIPS, and AMP protections.
  • Network Admin uses APIC to attach Security Zones to the given rule, directing service graph traffic to the appropriate NGFW inspection.
2. New Rule – Network Admin uses APIC to create a new security rule on FMC using the service graph. This is a Deny rule, preventing traffic flow until Security Admin gets a chance to update it.
  • Security Admin uses FMC to update the new ACP rule with the appropriate allowed protocols, NGIPS, and AMP policy. To prevent deletion of this rule on service graph detach, Security Admin can preserve the configured security policy by updating the ACP rule comments.
FTD FI Device Package for ACI
Managed Service Graph, Hybrid – Service Manager Model
• Firepower NGFW (FTD 6.2.3 image) registered to FMC 6.2, inserted between the App and DB EPGs
• Security side (FMC GUI / API) – policy creation: Security Admin uses FMC to create an appropriate policy
• Network side (APIC API / GUI) – fabric insertion: Network Admin uses APIC to program Fabric Insertion of FTD; APIC imports the FTD Device Package to program FMC
FTD FI Device Package Version 1.0.3
APIC configures FMC 6.2.3, using REST APIs, to manage the following devices:
• Pre-registered FTD devices in either stand-alone, HA or cluster mode
APIC configures the following features:
• Interfaces in Routed, Switched, or Inline mode. Defines VLAN sub-interfaces (including Port-Channels) for Routed and Transparent firewall mode, including IRB. Static routes can be added under interface configuration.
• Security Zones, Interface Names, Inline Sets, as specified in function profile parameters. FMC names are prefixed with the APIC Tenant and registered FTD device name. EPG learning feature is supported with FMC.
• Assignment of the Security Zones to pre-configured ACP Rule(s).

FTD Device Package for ACI – Version to Feature Comparison
• 1.0.1: Routed; Transparent; NGIPS modes; Interfaces/Zones; Inline Pairs; Attach Zones to ACP Rules
• 1.0.2: HA support; FTDv VLAN trunks; FPR2100 support
• 1.0.3: Cluster support; Ether-Channel; Static Routes; Dynamic EPG; Enhanced validation; Suffix changes
Matching FTD/ACI Deployment Modes
• Firewall modes: Routed, Transparent → GoTo Service Graph
• NGIPS/IDS modes: Inline (managed) → GoThrough Service Graph
• NGIPS/IDS modes: Inline TAP (unmanaged), Passive (unmanaged) → Copy Service Graph
Until recently, security service insertion was looking like that:
Perimeter FW GoTo Mode – Enclave with Single Segment
L3out → perimeter stateful firewall → EPG Web → EPG App → EPG DB, with contracts “Client-Web”, “Web-App” and “App-DB”; the inter-tier contracts act as stateless firewalls, and the diagram also shows a load balancer.
VRF aka Context aka Private Network
VRFs (also called contexts) are defined within a tenant to allow isolated and potentially overlapping IP address space (e.g. Engineering-Tenant with VRF-1 to VRF-4).

Bridge Domain: Not a VLAN but almost…
Within a private network, one or more bridge domains must be defined. A bridge domain is a L2 forwarding construct within the fabric, used to constrain broadcast and multicast traffic (e.g. Engineering-Tenant: VRF-1 with Bridge Domains 1 and 2, VRF-2 with 3 and 4, VRF-3 with 5 and 6, VRF-4 with 7 and 8).

In Summary
Diagram: Tenant “University” with private networks “Engineering” and “Business” plus an Infrastructure network; Bridge Domains 172, 10 and 100 carrying subnets 172.1.1.0/24, 172.1.2.0/24, 172.20.1.0/24, 10.1.1.0/24 and 10.1.2.0/24 (10.1.1.0/24 appears in two private networks); EPGs Web, App(s) and DB linked by policies “HTTP” and “SQL”.
Use Case 1 (Topology)

(Diagram: L3out, BD ASA-external and BD ASA-internal; addresses shown: 10.1.1.254, 10.1.1.1, 172.16.10.1, 172.16.10.254, default route 0.0.0.0/0 via 192.168.11.254; EPG Web 192.168.11.1/24, EPG App 192.168.11.100/24, EPG DB 192.168.11.200/24, all with GW 192.168.11.254.)
Typically Web services would be NATed or load-balanced.
Perimeter FW in GoTo mode, Enclave with Multiple Segment
(Diagram: L3out, Contract Client-Web, EPG Web, Contract Web-App, EPG App, Contract App-DB, EPG DB; the perimeter stateful firewall and the load balancer sit on Client-Web, while Web-App and App-DB are enforced by the stateless firewall (contract).)
Topology

(Diagram: L3out, BD ASA-external and BD ASA-internal with addresses 10.1.1.254, 10.1.1.1, 172.16.10.1, 172.16.10.254, 172.16.11.1, 172.16.11.254 and default route 0.0.0.0/0; one bridge domain per tier: BD Web 192.168.11.1/24 with GW 192.168.11.254, BD App 192.168.12.1/24 with GW 192.168.12.254, BD DB 192.168.13.1/24 with GW 192.168.13.254; BD LB hosting the load balancer 192.168.10.200/24 with GW 192.168.10.254 and VIP1 .110 TCP 80, VIP2 .120 TCP 5001, VIP3 .130 TCP 6001.)
Reuse the same L4-L7 device:
• ADC interface: reusable (192.168.10.200/24, GW 192.168.10.254)
• VIP: different for each deployment
Security Service insertion had to be thought carefully while the fabric was designed.
Policy Based Redirect is your Best Friend
Before the Service Graph is deployed

APIC relies on routing to forward traffic from a server in EPG Web to a server in EPG App, based on the contract.
(Diagram: EPG Web in the bridge domain 192.168.11.1/24 with GW 192.168.11.254, EPG App in BD App 192.168.12.1/24 with GW 192.168.12.254, EPG DB in BD DB 192.168.13.1/24 with GW 192.168.13.254.)
Policy Based Redirect is your Best Friend
With PBR Service Graph

APIC relies on PBR to redirect the traffic defined in the contract to the Security Service.
(Diagram: EPG Web, EPG App and EPG DB in their bridge domains 192.168.11.1/24, 192.168.12.1/24 and 192.168.13.1/24 with gateways .254, plus two L3-enabled firewall bridge domains, 192.168.100.0/30 (firewall interface 192.168.100.1) and 192.168.100.4/30 (firewall interface 192.168.100.5).)
Fabien, PBR seems great to insert service at L3, but how does that help for segmentation?

Agenda
• Introduction
• Use Cases:
   Basic Access Control
   Basic Segmentation
   Micro-Segmentation
   Access Control with NGFW
   Segmentation with NGFW (current section)
   Threat Detection with IDS
   Threat Protection with IPS
   Where is my Automation in there?
   Behavior Anomaly Detection
   More Granular Access Control
• Conclusion
PBR for micro-Segmentation
Based only on Contract

(Diagram: BD MyApp 192.168.10.0/24, L3 enabled, GW 192.168.10.254, containing EPG Web, EPG App and EPG DB; endpoints 192.168.10.100 and 192.168.10.200.)
Because this is a communication between two endpoints in different EPGs, the forwarding decision is made in the leaf switch.
PBR for micro-Segmentation
Leveraging PBR

Because the traffic goes to the leaf switch, where the PBR rules are enforced, the traffic is sent to the security service defined in the Service Graph.
(Diagram: BD MyApp 192.168.10.0/24, L3 enabled, GW 192.168.10.254, with EPG Web, EPG App and EPG DB and endpoints 192.168.10.100 and 192.168.10.200; BD ASA, L3 enabled, 192.168.200.254, hosting the firewall.)
PBR for micro-Segmentation
Leveraging PBR

The firewall must be in ONE-ARM mode, as source and destination are in the same subnet. It must allow traffic in and out via the same interface.
(Diagram: BD MyApp 192.168.10.0/24, L3 enabled, GW 192.168.10.254, with EPG Web, EPG App and EPG DB and endpoints 192.168.10.100 and 192.168.10.200; the one-arm firewall sits in BD ASA, L3 enabled, 192.168.200.254.)
Demonstration: Policy Based Redirect

New features related to PBR (ACI Version 3.2)
• Multi-node PBR
• vzAny with PBR
• Resilient Hash PBR

Multi-node PBR (ACI 3.2)
• Prior to ACI 3.2: concatenating PBR nodes was not supported.
• For example, the 1st and 2nd node can't both be PBR nodes; either one of them can be.
(Diagram: EPG Client (consumer), contract with redirect, EPG Web (provider); service graph of one PBR node followed by one non-PBR node.)
• ACI 3.2: supports more than one PBR node in a Service Graph (up to 3 nodes).
• PBR nodes and non-PBR nodes can be mixed in the same Service Graph.
(Diagram: EPG Client (consumer), contract with redirect, EPG Web (provider); service graph of three PBR nodes.)
PBR with vzAny (Before)

• vzAny is useful if we have a security requirement that applies to all EPGs in the same VRF; it also helps reduce policy TCAM consumption.
• Today, PBR with vzAny (provider) is not supported.
• vzAny (consumer) can be used for the shared-service use case.
(Diagram: VRF1 with EPGs Client, Web, App and DB; vzAny as consumer of a redirect contract through a PBR node, shown both within the VRF and towards a shared-service EPG NFS.)
PBR with vzAny (ACI 3.2)

• In ACI 3.2, PBR with vzAny (provider) is also supported.
• Use case: insert a firewall everywhere.
(Diagram: VRF1 with EPGs Client, Web, App and DB; vzAny as both consumer and provider of a redirect contract through a PBR node.)
Resilient Hash PBR (Before)

• Symmetric PBR is supported today, but if one of the PBR nodes is down, traffic is re-hashed, so existing connections that were going through the still-available PBR nodes could be affected.
(Diagram, left: Users 1-4 with incoming and return traffic; thanks to Symmetric PBR, incoming and return traffic go to the same PBR node. Right: after one PBR node fails, some traffic is load-balanced to a different PBR node that does not have the existing connection info.)
Resilient Hash PBR (ACI 3.2)

• With Resilient Hash PBR, only the traffic that went through the failed node starts using a different PBR node.
(Diagram: Users 1-4 with incoming and return traffic spread over the PBR nodes; after one node fails, only its flows move, the other flows stay on their node.)
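To make the difference concrete, here is an added Python model (not from the deck, and not ACI's actual hashing code): plain modulo re-hashing versus a rendezvous-style resilient hash, both keyed symmetrically so incoming and return traffic land on the same node. The node names and the flows are constructed assumptions.

```python
"""Added example: re-hashing vs. resilient hashing across PBR nodes.

Both selectors use a symmetric flow key, so a flow and its return traffic pick
the same node (the Symmetric PBR property). The difference shows when a node
fails: the modulo selector changes its modulus and moves flows that were on
healthy nodes; rendezvous (highest-random-weight) hashing only moves the flows
whose top-scoring node was the failed one. Rendezvous hashing is used here as
one way to implement resilient hashing; the slide does not describe ACI's algorithm.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        """Return traffic for this flow."""
        return Flow(self.dst, self.src, self.dport, self.sport)


def symmetric_key(f: Flow) -> str:
    # Sort the two endpoints so incoming and return packets produce the same key.
    lo, hi = sorted([(f.src, f.sport), (f.dst, f.dport)])
    return f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def h64(text: str) -> int:
    return int.from_bytes(hashlib.sha256(text.encode()).digest()[:8], "big")


Selector = Callable[[Flow, Sequence[str]], str]


def modulo_select(flow: Flow, alive: Sequence[str]) -> str:
    """Plain re-hashing: bucket = hash mod (number of alive nodes)."""
    return alive[h64(symmetric_key(flow)) % len(alive)]


def resilient_select(flow: Flow, alive: Sequence[str]) -> str:
    """Rendezvous hashing: score every alive node for this flow, take the best.
    Removing a node only changes the answer for flows that had picked that node."""
    key = symmetric_key(flow)
    return max(alive, key=lambda node: h64(f"{key}#{node}"))


def flows_moved(select: Selector, flows: Sequence[Flow],
                nodes: Sequence[str], failed: str) -> Dict[str, int]:
    """Count how many flows change node when `failed` goes down."""
    before = {f: select(f, nodes) for f in flows}
    alive = [n for n in nodes if n != failed]
    after = {f: select(f, alive) for f in flows}
    on_failed = sum(1 for f in flows if before[f] == failed)
    moved_from_healthy = sum(1 for f in flows
                             if before[f] != failed and after[f] != before[f])
    return {"on_failed_node": on_failed, "moved_from_healthy_nodes": moved_from_healthy}


def sample_flows(n: int = 200) -> List[Flow]:
    # Constructed sample: n client flows from the Web tier (192.168.11.0/24) to
    # an App server on TCP 5001, one ephemeral source port each.
    return [Flow(f"192.168.11.{1 + i % 250}", "192.168.12.100", 40000 + i, 5001)
            for i in range(n)]


PBR_NODES = ["fw-1", "fw-2", "fw-3", "fw-4"]  # constructed node names

if __name__ == "__main__":
    flows = sample_flows()
    for label, selector in (("re-hash (pre-3.2)", modulo_select),
                            ("resilient hash (3.2)", resilient_select)):
        print(label, flows_moved(selector, flows, PBR_NODES, failed="fw-2"))
```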
Policy Based Redirect Consideration

There is a risk for the L4-7 Service Graph to be bypassed if there is more than one contract between the 2 EPGs.
PBR Consideration Explanation

The most precise contract will be applied.
(Diagram: EPG Web and EPG App with Contract 1: Permit TCP any any, attached to a Service Graph with a Firewall; EPG Web and EPG App with Contract 2: Permit TCP any any eq HTTP, with no Service Graph.)
PBR Consideration Explanation

The most precise contract will be applied!!!

Because Contract 2 is more precise, the HTTP traffic between EPG Web and EPG App will not be sent to the Firewall for inspection.
(Diagram: Contract 1: Permit TCP any any, attached to the Firewall Service Graph; Contract 2: Permit TCP any any eq HTTP, without Service Graph.)
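An added Python check (example code, not an APIC feature) that models the "most precise filter wins" rule from this slide and audits the contracts between an EPG pair for filters that would steer traffic around the redirect; the contract objects and the simplified specificity scoring are assumptions, not APIC's zoning-rule priority table.

```python
"""Added example: detect a PBR service-graph bypass caused by a more precise contract.

Models the slide's rule ("the most precise contract will be applied") for the
contracts between one EPG pair. Specificity here is simplified to: a named
protocol beats "any", and a narrower destination port range beats a wider one.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FilterEntry:
    proto: str                  # "tcp", "udp", "icmp" or "any"
    dport_from: int = 0         # destination port range; 0-65535 means "any"
    dport_to: int = 65535

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto in ("any", proto) and self.dport_from <= dport <= self.dport_to

    def specificity(self) -> Tuple[int, int]:
        # Larger tuple = more precise.
        return (0 if self.proto == "any" else 1, -(self.dport_to - self.dport_from))

    def overlaps(self, other: "FilterEntry") -> bool:
        protos_meet = "any" in (self.proto, other.proto) or self.proto == other.proto
        ports_meet = self.dport_from <= other.dport_to and other.dport_from <= self.dport_to
        return protos_meet and ports_meet


@dataclass
class Contract:
    name: str
    entries: List[FilterEntry]
    service_graph: Optional[str] = None   # e.g. "Firewall" when a PBR graph is attached


def resolve(contracts: List[Contract], proto: str, dport: int) -> Optional[Contract]:
    """Return the contract whose matching filter entry is the most precise."""
    best: Optional[Tuple[Contract, FilterEntry]] = None
    for c in contracts:
        for e in c.entries:
            if e.matches(proto, dport) and (best is None or e.specificity() > best[1].specificity()):
                best = (c, e)
    return best[0] if best else None


def inspected_by_service_graph(contracts: List[Contract], proto: str, dport: int) -> bool:
    winner = resolve(contracts, proto, dport)
    return winner is not None and winner.service_graph is not None


def bypass_findings(contracts: List[Contract]) -> List[Tuple[str, str, FilterEntry]]:
    """(redirect contract, shadowing contract, shadowing entry) for every non-redirect
    entry that is more precise than an overlapping redirect entry: that slice of
    traffic never reaches the service graph."""
    findings = []
    for rc in (c for c in contracts if c.service_graph):
        for redirect_entry in rc.entries:
            for pc in (c for c in contracts if not c.service_graph):
                for plain_entry in pc.entries:
                    if (redirect_entry.overlaps(plain_entry)
                            and plain_entry.specificity() > redirect_entry.specificity()):
                        findings.append((rc.name, pc.name, plain_entry))
    return findings


# The slide's scenario as constructed data: Contract 1 permits TCP any/any and
# carries the Firewall service graph; Contract 2 permits TCP any eq HTTP, no graph.
WEB_TO_APP = [
    Contract("Contract 1", [FilterEntry("tcp")], service_graph="Firewall"),
    Contract("Contract 2", [FilterEntry("tcp", 80, 80)]),
]

# Remediation: attach the same graph to the precise contract (or merge the filters).
WEB_TO_APP_FIXED = [
    Contract("Contract 1", [FilterEntry("tcp")], service_graph="Firewall"),
    Contract("Contract 2", [FilterEntry("tcp", 80, 80)], service_graph="Firewall"),
]

if __name__ == "__main__":
    for port in (80, 443):
        print(f"TCP/{port} inspected: {inspected_by_service_graph(WEB_TO_APP, 'tcp', port)}")
    for redirect, shadow, entry in bypass_findings(WEB_TO_APP):
        print(f"{shadow} ({entry.proto} {entry.dport_from}-{entry.dport_to}) bypasses {redirect}")
    print("findings after fix:", bypass_findings(WEB_TO_APP_FIXED))
```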
Proper RBAC configuration and auditing are key to enforce roles and responsibilities.

Policy Based Redirect Requirements
• APIC must be v2.0.1 or higher
• The Service switch must be at least ‘-EX’ or more recent
• If not all the fabric is ‘-EX’, the Service switch must be dedicated to Services (i.e. no workload connected with the L4-7 services)
What about IDS?

Agenda
• Introduction
• Use Cases:
   Basic Access Control
   Basic Segmentation
   Micro-Segmentation
   Access Control with NGFW
   Segmentation with NGFW
   Threat Detection with IDS (current section)
   Threat Protection with IPS
   Where is my Automation in there?
   Behavior Anomaly Detection
   More Granular Access Control
• Conclusion
IDS Insertion in ACI
• Traditional SPAN mechanism based on EPG source/destination
• NEW Copy Service:
  • Specific service graph
  • As it is attached to a contract, it leverages the Subject for a more granular selection of traffic than SPAN
  • Requires –EX leaf switches
  • Supports only one device per copy cluster
ACI Integration with SPAN

SPAN: Add Source
Service Copy Configuration Steps
• Identify the source and destination endpoint groups.
• Configure the contract that specifies what to copy according to the subject and what is allowed in the contract filter.
• Configure Layer 4 to Layer 7 copy devices that identify the target devices and specify the ports where they attach.
• Use the copy service as part of a Layer 4 to Layer 7 service graph template.
• Configure a device selection policy that specifies which device will receive the traffic from the service graph. When you configure the device selection policy, you specify the contract, service graph, copy cluster, and the cluster logical interface that is in the copy device.
Copy Service: Service Graph Template

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-L7_Services_Deployment/guide/b_L4L7_Deploy_ver211/b_L4L7_Deploy_ver211_chapter_01101.html#id_28562
Agenda
• Introduction
• Use Cases:
   Basic Access Control
   Basic Segmentation
   Micro-Segmentation
   Access Control with NGFW
   Segmentation with NGFW
   Threat Detection with IDS
   Threat Protection with IPS (current section)
   Where is my Automation in there?
   Behavior Anomaly Detection
   More Granular Access Control
• Conclusion
Cisco Firepower Threat Defense Features
Cisco Firepower Threat Defense 6.2, Full Feature-Set - NGFW
 L2-L7 Firewall with L3 (Routed), L2 (Transparent IRB or Inline-NGIPS) Modes
 Scalable CGNAT, ACL, Dynamic Routing, Fail-to-Wire I/O modules
 Application Inspection, PKI for Site-to-Site VPN, Onbox Manager
 Inter-chassis cluster, FlexConfig, REST-APIs, Packet Tracer/Capture
 NSS Leading Next-Gen IPS - SourceFIRE
 Comprehensive Threat Prevention, L7 Application Visibility and Control
 Security Intelligence (C&C, Botnets, IP, DNS, etc.), Threat / Risk Reports
 Blocking of Files by Type, Protocol, and Direction, Protocol Rate Limiting
 Access Control: Enforcement by Application and User (AD integration)
 Switch, Routing, NAT Options, and ISE pxGrid integration
 URL Filtering, Malware Blocking, Continuous File Analysis
 Malware Network Trajectory, User-based IOCs, URL lookup
 AMP public & private cloud with ThreatGrid, FMC-ThreatGrid APIs
 Firepower Management Center (fka. FireSIGHT or Defense Center)
GoThrough Perimeter NGIPS
The server gateway is out of the fabric

(Diagram: VRF OutSide with BD ASA-external, L3 enabled, 192.168.12.254; VRF MyApp with BD ASA-internal, no L3, holding EPG Web, EPG App and EPG DB with endpoint addresses 192.168.12.50/24 and 192.168.12.100/24, all with GW 192.168.12.254.)
The Service Graph will not allow the bridge domains on each side to both have L3 enabled. This might prevent using Dynamic Update for ACLs on the FW.
NGIPS between App Tiers

(Diagram: VRF outside with BD ASA-external, L3 enabled, 192.168.12.254; VRF web with BD Web, VRF App with BD App and VRF DB with BD DB, all L3 disabled, holding EPG Web, EPG App and EPG DB.)
The Service Graph will not allow the bridge domains on each side to both have L3 enabled. This might prevent using Dynamic Update for ACLs on the FW.
Some Best Practices?

My Best Practices
• For new deployments, PBR is recommended when possible
• Leverage L4-7 security services for the access control of an enclave or security zone
• Leverage Contracts within an Enclave for segmentation
• Enhanced Segmentation and Threat Detection with L4-7 Services in sensitive areas
• Leverage IDS for visibility and dynamically change the security policy when a potential threat is detected
(Diagrams: BD MyApp 192.168.10.0/24, L3 enabled, with EPG Web, EPG App and EPG DB and endpoints 192.168.10.100 and 192.168.10.200; then three enclaves App1, App2 and App3, each with its own EPG Web, EPG App and EPG DB.)
Agenda
• Introduction
• Use Cases:
  • Basic Access Control
  • Basic Segmentation
  • Micro-Segmentation
  • Access Control with NGFW
  • Segmentation with NGFW
  • Threat Detection with IDS
  • Threat Protection with IPS
  • Where is my Automation in there? (current section)
  • Behavior Anomaly Detection
  • More Granular Access Control
• Conclusion
ASA Device Package
Dynamic Update to EPG Object-Group

APIC dynamically detects a new endpoint, the ASA subscribes to attach/detach events, and the ASA device package automatically adds the EPs to the object-group.
1: Enable “Attachment Notification” on the function connector internal.
2: APIC creates the object-group for the EPG.
3: APIC adds the new endpoints to the object-group (192.168.10.101, 192.168.10.102):

  object-group network __$EPG$_pod37-aprof-app
   network-object host 192.168.10.101
   network-object host 192.168.10.102

  access-list access-list-inbound extended permit tcp any object-group __$EPG$_pod37-aprof-app eq www

(Diagram: EPG web (consumer) 192.168.20.200, ASA, EPG app (provider) 192.168.10.200 with the new endpoints 192.168.10.101 and 192.168.10.102; the ACE references the object-group.)
FMC to APIC Rapid Threat Containment

Step 1: The infected endpoint (App1) launches an attack that the NGFW(v), FirePOWER Services in ASA, or FirePOWER(v) appliance blocks inline.
Step 2: An intrusion event is generated and sent to FMC, revealing information about the infected host.
Step 3: The attack event is configured to trigger the remediation module for APIC, which uses the NB API to contain the infected host in the ACI fabric.
Step 4: APIC quickly contains/quarantines the infected App1 workload into an isolated uSeg EPG.
(Diagram: ACI Fabric with App EPG (App2, infected App1) and DB EPG; FMC outside the fabric.)
Management tools for every organization
• vCenter Plugin
• APIC GUI
• NX-OS Style CLI
• API - Automation
Choose the right one!
Cisco ACI interface summary
APIC is the single point of management for the Cisco ACI network. Interfaces:
• CLI
• Advanced GUI
• Basic GUI
• REST (REST client, ACI toolkit, Python SDK, Ruby SDK, PowerShell SDK)
I don’t know Anything about Scripting!!!
Sniffer: API Inspector

• API calls made by the GUI are captured (GET, POST)
• Navigating through panes fetches data with GET requests
• Submitting configuration changes uses POST requests
• Record your GUI interaction as JSON-based REST calls
• Modify and replay with tools like Postman
Capturing API Calls

Save Objects in JSON format

Edit Your JSON Code
Arya - ACI REST Python Adapter

Arya is a tool that takes XML or JSON object documents as input and outputs them as Python code leveraging the ACI Python SDK.
https://github.com/datacenter/arya

Arya Example
Demo: Automation with API scripts

Agenda
• Introduction
• Use Cases:
   Basic Access Control
   Basic Segmentation
   Micro-Segmentation
   Access Control with ASA/NGFW
   Segmentation with ASA/NGFW
   Threat Detection with IDS
   Threat Protection with IPS
   Where is my Automation in there?
   More Granular Access Control (current section)
   Behavior Anomaly Detection
• Conclusion
Traditional Security Policy:
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

Software Defined Segmentation with TrustSec
TrustSec Security Policy:
• Security Control Automation
• Simplified Access Management
• Improved Security Efficacy
• Flexible and Scalable Policy Enforcement
(Diagram: a network fabric of Switch, Router, Wireless, DC FW and DC Switch enforcing the group policy.)
Enabling Group-Based Policies across the Enterprise
• Cohesive security policy
• Simplified security management
• End-to-End segmentation
(Diagram: TrustSec Policy Domain (Campus / Branch / Non-ACI DC, ISE 2.1, groups Voice, Employee, Supplier, BYOD, Voice VLAN and Data VLAN) alongside the ACI Policy Domain (Data Center, APIC, ACI Fabric with Web, App and DB).)
TrustSec Security Groups Provisioned in ACI

ISE dynamically provisions TrustSec Security Groups in the ACI Fabric; TrustSec groups are represented as External EPGs.
• Max: 200 Security Groups
• Up to 4000 /32 mappings (gen1)
• Up to 10K /32 mappings (gen2, -EX)
(Diagram: TrustSec domain with ISE and Security Groups, ACI domain with APIC and the DC fabric.)

TrustSec Groups Shared with ACI
Sharing Application Context to TrustSec Policies

ISE dynamically learns internal EPGs and VM bindings from the ACI fabric, so TrustSec policies can control access to ACI Data Centers.
(Diagram: TrustSec Domain with ISE; ACI Fabric with APIC and its VMs.)
Sharing ACI Endpoint Groups to TrustSec

• EPG suffix added to the Security Group name
• IP-SGT bindings from ACI can be propagated over SXP to TrustSec devices and to pxGrid peers

Data Plane Integration

New Capabilities:
• Take current SGT propagation methods (DMVPN, GETVPN, SXP, IPSEC, GRE, LISP/VXLAN (campus fabric)) into the ACI fabric
Benefits:
• Greater scale (remove IP/Group info from the leaf)
• Seamless integration
Sharing Context Across the Enterprise

(Diagram: TrustSec Policy Domain with ISE, and ACI Policy Domain with APIC in the DC; SGT/EPG namespace alignment through a translation table from SGT # to EPG # (Class ID). A BYOD host 10.1.10.220 with SGT 5 sends to the Web endpoint 10.1.100.52: the SGT is carried as CMD (SRC 10.1.10.220, DST 10.1.100.52) across the Enterprise Backbone to the TrustSec Border Device (ASR 1K), then as Class ID in iVXLAN through the ACI Spine (N9K) to the ACI Border Leaf and the Web endpoint.)
Agenda
• Introduction
• Use Cases:
   Basic Access Control
   Basic Segmentation
   Micro-Segmentation
   Access Control with NGFW
   Segmentation with NGFW
   Threat Detection with IDS
   Threat Protection with IPS
   Where is my Automation in there?
   More Granular Access Control
   Behavior Anomaly Detection (current section)
• Conclusion

StealthWatch
Verizon Report
Kill Chain: Post Breach

(Diagram: post-breach kill chain, 1. Command and Control, 2. Reconnaissance, 3. Propagation, 4. Data Theft, set against the threat-detection sources Switches, Routers, Firewall, IPS, N-AV, Web Sec and Email Sec.)

Scalable Network Defense
(Diagram: the same kill chain stages and detection sources.)
Cisco CTD Solution: Providing Scalable Visibility
Drilling into a single flow yields a plethora of information
Flow-based Anomaly Detection

1. Collect & Analyze Flows
• # concurrent flows
• Packets per second
• Bits per second
• New flows created
• Number of SYNs sent
• Time of day
• Number of SYNs received
• Rate of connection resets
• Duration of the flow
• Over 80+ other attributes

2. Establish Baseline of Behaviors
(Diagram: a threshold per host group: Critical Servers, Exchange Server, Web Servers, Marketing.)

3. Alarm on Anomalies & Changes in Behavior
(Diagram: anomaly detected in host behavior, a host crossing its group's threshold.)
Behavior-Based Attack Detection

A high Concern Index indicates a significant number of suspicious events that deviate from established baselines.

Example alarm row:
Host Group: Desktops
Host: 10.10.101.118
CI: 865,645,669
CI%: 8,656%
Alarms: High Concern Index
Alerts: Ping, Ping_Scan, TCP_Scan
NetFlow: Security Use Cases
It can:
 Detect Sophisticated and Persistent Threats. Malware that makes it past perimeter security can remain in the enterprise waiting to strike as a lurking threat. These may be zero-day threats that do not yet have an antivirus signature, or may be hard to detect for other reasons.
 Identify BotNet Command & Control Activity. BotNets are implanted in the enterprise to execute commands from their bot herders to send SPAM, launch Denial of Service attacks, or carry out other malicious acts.
 Uncover Network Reconnaissance. Some attacks will probe the network looking for attack vectors to be utilized by custom-crafted cyber threats.
 Find Internally Spread Malware. Network-interior malware proliferation can occur across hosts for the purpose of gathering security reconnaissance data, data exfiltration or network backdoors.
 Reveal Data Loss. Code can be hidden in the enterprise to export sensitive information back to the attacker. This data leakage may occur rapidly or over time.
StealthWatch Solution Components

(Diagram: StealthWatch Management Console; StealthWatch FlowCollector receiving NetFlow, NBAR and NSEL from the Cisco Network; StealthWatch FlowSensor and FlowSensor VE generating flow records from traffic; Cisco ISE providing users/devices context.)
How do I send Traffic to my FlowSensor?

• Traditional SPAN mechanism based on EPG source/destination
• NEW Copy Service:
  • Specific service graph
  • As it is attached to a contract, it leverages the Subject for a more granular selection of traffic than SPAN
  • Requires –EX leaf switches
  • Supports only one device per copy cluster
Tetration

(Diagram: Tetration Analytics Appliance fed by software sensors, software sensors in the cloud, hardware sensors (Nexus 9300-EX) and 3rd-party feeds. Functions: Listen, Store, Record, Analyze and Remediate, Recommend, Interact / Verify. Outputs: Application Insights, Policy Simulation / Impact Analysis, Whitelist Policy Recommendation, Forensics and Compliance, 3rd-party integration, Policy Enforcement (Future Roadmap). *=Roadmap.)
Cisco Tetration platform
Security use cases

Advanced security
• Software inventory
• Process security baseline

Segmentation
• Application segmentation
• Whitelist policy
• Policy compliance

Cisco Tetration Insights
• Process inventory
• Application insight
• Visibility and forensics
Cisco Tetration Platform
Hybrid cloud workload protection approach

Communication control
• Automated whitelist policy
• Policy simulation & validation
• Policy enforcement
• Compliance tracking
• Outlier detection

System behavior detection
• Process hash, lineage, attributes
• New command, new user
• Account modification
• Privilege escalation
• Shell-code execution
• Raw sockets

Vulnerability detection
• Installed package tracking
• CVE tracking
• Vulnerability scoring
• Threat intelligence ingestion
What is really running on my network?
Cisco Tetration Analytics application insight dependency map

(Diagram: hierarchy of Service owner, Service category, Service, Service offering, Application, Dependencies and Security.)
Use the Cisco Tetration Analytics™ outcome to generate whitelist policies.
Whitelist Policy Recommendation

(Diagram: Application Discovery of Web Tier, App Tier, DB Tier and Storage; Whitelist Policy Recommendation, available in JSON, XML, and YAML; Policy Enforcement (Future Roadmap).)

Policy Discovery – What talks to what and how

Workload Protection
Software Package Inventory, Vulnerability Details, Process Hash & Anomaly Detection
(Screenshot callout: Privilege Escalation.)
Visual Query with Flow Exploration
• Replay flow details like a DVR
• Information mapped across 25 different dimensions
• Thick lines indicate common flows
• Faint lines indicate uncommon flows

Outliers
Switch on the Outlier view to highlight uncommon flows; the outlier dimension is highlighted with a purple circle.
Possible malicious DNS traffic
Show all DNS traffic with packets larger than 82 bytes and a flow duration greater than 6 seconds.
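The following added Python example (not StealthWatch or Tetration code) applies the detection logic from the Flow-based Anomaly Detection and Behavior-Based Attack Detection slides and the DNS query above to NetFlow-style records; the Concern Index point values, the per-host-group thresholds, the scan heuristics and the sample records are all constructed assumptions.

```python
"""Added example: flow-based detection over NetFlow-style records.

Two detectors: (1) a Concern Index per source host built from suspicious events
(Ping, Ping_Scan, TCP_Scan) and compared with a host-group baseline threshold,
raising a "High Concern Index" alarm when CI% exceeds 100; (2) the slide's DNS
query: DNS flows whose packets average more than 82 bytes and that last longer
than 6 seconds. Point values and thresholds are constructed, not vendor values.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    octets: int
    duration: float  # seconds


def parse_flows(text: str) -> List[Flow]:
    """Parse 'src,dst,proto,dport,packets,bytes,duration' lines; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport, pkts, octets, dur = line.split(",")
        flows.append(Flow(src, dst, proto, int(dport), int(pkts), int(octets), float(dur)))
    return flows


def sample_records() -> str:
    """Constructed sample, not a real export: one desktop port-scanning a server and
    ping-sweeping a subnet, plus ordinary HTTPS and three DNS flows."""
    lines = [f"10.10.101.118,10.10.5.1,tcp,{p},1,60,0.0" for p in range(1, 41)]      # TCP_Scan
    lines += [f"10.10.101.118,10.10.5.{h},icmp,0,1,84,0.0" for h in range(2, 22)]    # Ping_Scan
    lines += [
        "10.10.101.50,10.10.200.20,tcp,443,140,98000,12.5",
        "10.10.101.50,10.10.200.10,udp,53,12,780,0.4       # normal lookup, 65 B/pkt",
        "10.10.101.77,203.0.113.9,udp,53,410,92250,91.0    # large and long-lived, 225 B/pkt",
        "10.10.101.77,10.10.200.10,udp,53,300,18000,120.0  # long-lived but 60 B/pkt",
    ]
    return "\n".join(lines)


POINTS = {"Ping": 100, "Ping_Scan": 1_000, "TCP_Scan": 2_000}       # constructed weights
CI_THRESHOLD = {"Desktops": 50_000, "Web Servers": 500_000}         # constructed baselines
TCP_SCAN_MIN_PORTS = 20
PING_SCAN_MIN_HOSTS = 10


def host_group(ip: str) -> str:
    # Constructed mapping: the 10.10.101.0/24 subnet is the Desktops group.
    return "Desktops" if ip.startswith("10.10.101.") else "Web Servers"


def concern_index(flows: List[Flow]) -> List[Dict]:
    """One row per source host with suspicious events, mirroring the slide's table."""
    tcp_ports = defaultdict(set)   # (src, dst) -> distinct TCP ports touched by tiny flows
    icmp_dsts = defaultdict(set)   # src -> distinct ICMP destinations
    icmp_count: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.packets <= 2:
            tcp_ports[(f.src, f.dst)].add(f.dport)
        elif f.proto == "icmp":
            icmp_dsts[f.src].add(f.dst)
            icmp_count[f.src] += 1
    ci: Dict[str, int] = defaultdict(int)
    alerts = defaultdict(set)
    for (src, _), ports in tcp_ports.items():
        if len(ports) >= TCP_SCAN_MIN_PORTS:
            ci[src] += POINTS["TCP_Scan"] * len(ports)
            alerts[src].add("TCP_Scan")
    for src, count in icmp_count.items():
        ci[src] += POINTS["Ping"] * count
        alerts[src].add("Ping")
        if len(icmp_dsts[src]) >= PING_SCAN_MIN_HOSTS:
            ci[src] += POINTS["Ping_Scan"] * len(icmp_dsts[src])
            alerts[src].add("Ping_Scan")
    rows = []
    for src, value in ci.items():
        group = host_group(src)
        pct = 100.0 * value / CI_THRESHOLD[group]
        rows.append({"host_group": group, "host": src, "ci": value, "ci_pct": round(pct),
                     "alarm": "High Concern Index" if pct > 100 else None,
                     "alerts": sorted(alerts[src])})
    return rows


def suspicious_dns(flows: List[Flow], min_avg_bytes: int = 82, min_duration: float = 6.0) -> List[Flow]:
    """The slide's query: DNS flows averaging more than 82 bytes per packet AND lasting over 6 s."""
    return [f for f in flows if f.dport == 53 and f.packets > 0
            and f.octets / f.packets > min_avg_bytes and f.duration > min_duration]


if __name__ == "__main__":
    records = parse_flows(sample_records())
    for row in concern_index(records):
        print(row)
    for f in suspicious_dns(records):
        print("suspicious DNS:", f)
```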
Tetration – the “Big Picture”

(Diagram. Inputs: software sensors, hardware sensors, Netflow, SLB and OOB sensors deliver the headers and context of each and every packet in the DC/cloud, including software/process inventory, in real time. Core: a purpose-built platform (appliance, software, sensor) providing Application Insight, Application Dependency Mapping, real-time identity tagging, attributes from AWS, vCenter, CMDB, ISE, DNS etc., machine learning, and automated historic and new flows. Policy: zero-trust policies, infrastructure-agnostic zero-trust policy enforcement, policy simulation, audit & compliance, event notification, trigger actions, quarantine and protect. Investigation: flow search, investigation, forensic visibility, NPMD, SW vulnerability detection, process behavior deviation. Extensibility: user/Tetration applications (REST / Python / Scala / SQL / R*).)
BETTER TOGETHER ?
Network as a Sensor in the Data Center
Tetration for Application Analytics and Stealthwatch for Security Analysis
Application Segmentation and Policy Monitoring

Tetration
• Application Behavior Profiling
• Automated Application Grouping
• Datacenter: Per Packet Telemetry from Nexus 9000 & Server Endpoints

Stealthwatch
• Security Anomaly Detection
• Security Forensics
• Network Wide: Switching/Routing, Proxies, Servers

Together
• Complete Data Control for Segmentation, Security, and Forensics
• Automated Application Based Segmentation
• Unmatched Analytics and Forensics for Application and Security
Available Now: Investigative Pivot
• Pivot from Stealthwatch to the Tetration Analytics interface during an investigation
Monitoring Unified Policy in the Data Centre
• Export workspaces, clusters and applications discovered in Tetration Analytics to Stealthwatch Host Groups
• Leverages the Stealthwatch Host Group Automation Service
End to End SW Defined Segmentation

Identity Based Segmentation (ISE 2.1)
• Provide Identity Based Segmentation optimized for Branch to Campus to DC

Shared Policy Groups / App Policy

Application Based Segmentation for the Datacenter (ACI, Tetration Analytics)
• Provide Automated Granular Application Based Segmentation optimized for the Datacenter

Only Cisco can do scalable granular segmentation end to end
Monitoring Unified SGT-ACI Policy
Diagram components: Stealthwatch Deployment; APIC-DC; Cisco ISE (Policy Plane, Policy Push); syslog integration; Tetration Analytics; NetFlow telemetry; SPAN; SGT Definitions (TrustSec Domain); EPG Definitions (ACI Domain)
• TrustSec Domain example: pci_users, SGT: 16
• ACI Domain example: EV_appProfile_LOB2_App1EPG, SGT: 10005
Conclusion
Complete your online session evaluation
• Give us your feedback to be entered into a Daily Survey Drawing.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
• Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.
Continue your education
• Demos in the Cisco campus
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you

#CLUS