Cisco Connect Halifax 2018: Application Insight and Zero-Trust Policies with Cisco Tetration

Cisco Canada
© 2017 Cisco and/or its affiliates. All rights reserved.
Nadir Lakhani
Technical Solutions Architect
April, 2018
Cisco Connect: Your Time Is Now
What does Tetration mean?
• Tetration (or hyper-4) is the next hyperoperation after exponentiation, and is defined as iterated exponentiation. The word was coined by Reuben Louis Goodstein, from tetra- (four) and iteration. Tetration is used for the notation of very large numbers.
Security Challenges in Modern Data Centers
Applications are driving modern data center infrastructure, and securing them has become complex:
• Rapid application deployment
• Continuous development
• Application mobility
• Microservices
• Policy enforcement
• Heterogeneous network
• Secure zero-trust policy compliance
Cisco Tetration Platform: Use Cases
Grouped on the slide as Foundation, Segmentation, Operations and Advanced Security:
• Application insight
• Process inventory
• Visibility and forensics
• White-list policy
• Policy compliance
• Application segmentation
• Process security
• Software inventory baseline
• Neighborhood graphs
• Network and TCP performance
Cisco Tetration Platform: Architecture Overview
The analytics engine is exposed through a web GUI, a REST API, event notification and Cisco Tetration apps. Third-party sources supply configuration data.
Data collection layer:
• Software sensors and enforcement
• Container host sensors*
• Embedded network sensors (telemetry only)
• ERSPAN sensors (telemetry only)
• NetFlow sensors* (telemetry only)
*Support coming in Q2CY18
Cisco Tetration analytics data sources
Main features
• Low CPU overhead (SLA enforced)
• Low network overhead
• New enforcement point (software agents)
• Highly secure (code signed and authenticated)
• Every flow (no sampling) and no payload
Software sensors
• Linux servers (virtual machine and bare metal)
• Windows servers (virtual machine and bare metal)
• Windows desktop VM (virtual desktop infrastructure only)
Network sensors
• Cisco Nexus 9300 EX
• Cisco Nexus 9300 FX
• Next-generation Cisco Nexus® Series switches
Other sensors (available today unless marked)
• Container host* (host OS, Linux based)
• ERSPAN sensor
• NetFlow sensor*
*Support coming in Q2CY18
*Note: Available for POC/trial purposes only
Application Dependency Mapping
Application Dependency and Cluster Grouping
Bare-metal, VM and switch telemetry feeds the Cisco Tetration Analytics™ platform, which applies unsupervised machine learning and behavior analysis to on-premises and cloud workloads (AWS).
• On-premises: bare-metal and VM telemetry
• AWS: VM telemetry (AMI …)
• Brownfield: network-only sensors, host-only sensors, or both (preferred); Cisco Nexus® 9000 Series
Outputs: application clusters, conversation views and policy details
Application Conversation View
Whitelist Policy Recommendation
Application discovery produces a whitelist policy recommendation per cluster pair. In the example below, proto 1 is ICMP (which has no ports, hence the [0, 0] range) and proto 6 is TCP:

```json
{
  "src_name": "App",
  "dst_name": "Web",
  "whitelist": [
    {
      "port": [0, 0],
      "proto": 1,
      "action": "ALLOW"
    },
    {
      "port": [80, 80],
      "proto": 6,
      "action": "ALLOW"
    },
    {
      "port": [443, 443],
      "proto": 6,
      "action": "ALLOW"
    }
  ]
}
```

Whitelist policy recommendation (available in JSON, XML, and YAML)
Compliance and Policy Validation
All flows are tracked in four ways:
• Permitted: bidirectional flows that match the policy
• Misdropped: permitted traffic where a packet was dropped
• Escaped: bidirectional flows that violate the policy
• Rejected: unidirectional flows that violate the policy
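The whitelist recommendation shown earlier and the four compliance buckets, worked through as an added example (not part of the deck and not Cisco's code): the policy document is the page's own App to Web recommendation; the flow records, their field names (including the "bidirectional" flag and "dropped" counter) and the helper functions are constructed for this example.

```python
"""Classify observed flows against a Tetration-style whitelist recommendation.

Added example, not Cisco code. POLICY_JSON is the recommendation shown on the
page (App -> Web: ICMP, TCP/80, TCP/443). The flow records, their field
names and the helpers are constructed for this example.
"""
import json

POLICY_JSON = """
{
  "src_name": "App",
  "dst_name": "Web",
  "whitelist": [
    {"port": [0, 0],     "proto": 1, "action": "ALLOW"},
    {"port": [80, 80],   "proto": 6, "action": "ALLOW"},
    {"port": [443, 443], "proto": 6, "action": "ALLOW"}
  ]
}
"""

# Constructed sample flows: cluster names, IP protocol number, destination
# port, whether the reverse direction was seen, and how many packets the
# enforcement point reported dropping for the flow.
SAMPLE_FLOWS = [
    {"src": "App", "dst": "Web", "proto": 6, "dport": 443,  "bidirectional": True,  "dropped": 0},
    {"src": "App", "dst": "Web", "proto": 6, "dport": 80,   "bidirectional": True,  "dropped": 3},
    {"src": "App", "dst": "Web", "proto": 6, "dport": 22,   "bidirectional": True,  "dropped": 0},
    {"src": "App", "dst": "Web", "proto": 6, "dport": 3389, "bidirectional": False, "dropped": 0},
    {"src": "App", "dst": "Web", "proto": 1, "dport": 0,    "bidirectional": True,  "dropped": 0},
]


def load_policy(text):
    """Parse the recommendation and return (src_name, dst_name, ALLOW rules)."""
    doc = json.loads(text)
    rules = [r for r in doc["whitelist"] if r["action"] == "ALLOW"]
    return doc["src_name"], doc["dst_name"], rules


def is_permitted(flow, policy):
    """True if the flow matches some ALLOW entry for its cluster pair.

    ICMP (proto 1) carries no ports, so the port range is ignored for it;
    that is why the recommendation encodes ICMP as port [0, 0].
    """
    src, dst, rules = policy
    if (flow["src"], flow["dst"]) != (src, dst):
        return False
    for r in rules:
        if r["proto"] != flow["proto"]:
            continue
        lo, hi = r["port"]
        if flow["proto"] == 1 or lo <= flow["dport"] <= hi:
            return True
    return False


def classify(flow, policy):
    """Map a flow to one of the four compliance buckets from the slide."""
    if is_permitted(flow, policy):
        return "misdropped" if flow["dropped"] > 0 else "permitted"
    return "escaped" if flow["bidirectional"] else "rejected"


def compliance_report(flows, policy):
    """Count flows per bucket; a non-zero 'escaped' count means the
    enforcement point let policy-violating traffic complete."""
    counts = {"permitted": 0, "misdropped": 0, "escaped": 0, "rejected": 0}
    for f in flows:
        counts[classify(f, policy)] += 1
    return counts


if __name__ == "__main__":
    pol = load_policy(POLICY_JSON)
    for f in SAMPLE_FLOWS:
        print(f"{f['src']}->{f['dst']} proto={f['proto']} dport={f['dport']}: {classify(f, pol)}")
    print(compliance_report(SAMPLE_FLOWS, pol))
```

On the constructed input the TCP/22 flow is "escaped" (both directions seen, so enforcement did not stop it) while the one-way TCP/3389 attempt is "rejected"; the TCP/80 flow with dropped packets is "misdropped", which points at an enforcement or fabric problem rather than a policy violation.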
User-Uploaded Asset Tags
• Discovered inventory
• Uploaded inventory and metadata (32 arbitrary tags)
• Inventory tracked in real time, along with historical trends
Cisco Tetration Analytics™ merges the sensor feed (real-time inventory with historical trends) with user-uploaded tags, VMware vCenter virtual machine attributes and AWS tags.
Segmentation Policy: Express Policies in Human Language
"Development can't talk to production"
• Cisco Tetration™ knows which workloads are production
• Cisco Tetration knows which workloads are development
• Policies are continuously updated as applications change
Application Segmentation
Cisco Tetration™ application segmentation: policy recommendations from application workspaces become one application segmentation policy applied across public cloud, private cloud and on-premises workloads.
How Does it Work?
Cisco Tetration™ automatically converts your intent into blacklist and whitelist rules.
Intent → Rules
• Block nonproduction applications from talking to production applications
  → SOURCE 10.0.0.0/8, DEST 128.0.0.0/8
• Allow HR applications to use the employee database
  → SOURCE 128.0.10.0/24, DEST 128.0.11.0/24
• Block all HTTP connections that are not destined for web servers
  → SOURCE *, DEST 128.0.100.0/24, PORT = 80
  → SOURCE *, DEST *, PORT = 80
Rule-Processing Order
• Application owners need some autonomy to make application-level changes quickly
• Security and network teams need to control the global aspects of application interconnection and shared services
• Cisco Tetration™ flattens intent in a deterministic order, prioritizing the intent of higher-authority users over the intent of application owners:
  1. Security team rules
  2. Network team rules
  3. Application owner rules
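The intent table and the rule-processing order, worked through as an added example that is not part of the deck and not Cisco's implementation. The CIDRs and ports come from the Intent → Rules slide; the ALLOW/DENY action on each rule is inferred from the intent text, the authority ranks, the "*" wildcard, the added application-owner rule and the default-deny fallback (consistent with a whitelist model) are assumptions for this example.

```python
"""Flatten intent from several authors into one ordered rule list.

Added example, not Cisco code. Rules from the security team are placed before
the network team's, which are placed before application owners', and the
first matching rule decides. CIDRs and ports follow the page's Intent ->
Rules slide; actions, ranks, the wildcard and the default are assumptions.
"""
import ipaddress

# Lower rank = higher authority (assumed ordering, as described on the slide).
AUTHORITY_RANK = {"security": 0, "network": 1, "app_owner": 2}

# Rule = (author, action, src_cidr, dst_cidr, dst_port); "*" is a wildcard.
INTENT = [
    # Application owner (assumed): allow all traffic between its tiers, too broad on purpose
    ("app_owner", "ALLOW", "10.0.0.0/8", "128.0.0.0/8", "*"),
    # Security team: block nonproduction from talking to production
    ("security", "DENY", "10.0.0.0/8", "128.0.0.0/8", "*"),
    # Network team: allow HR applications to use the employee database
    ("network", "ALLOW", "128.0.10.0/24", "128.0.11.0/24", "*"),
    # Security team: block HTTP that is not destined for the web servers
    ("security", "ALLOW", "*", "128.0.100.0/24", 80),
    ("security", "DENY", "*", "*", 80),
]


def flatten(intent):
    """Order rules by authority. sorted() is stable, so each author's own
    rule order (e.g. allow-web-servers before deny-all-HTTP) is preserved."""
    return sorted(intent, key=lambda r: AUTHORITY_RANK[r[0]])


def _in_cidr(cidr, ip):
    return cidr == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def evaluate(rules, src_ip, dst_ip, dst_port, default="DENY"):
    """First-match evaluation over the flattened list.

    Returns (action, author) so an audit trail shows whose intent decided.
    A whitelist model denies anything no rule allows (assumed default).
    """
    for author, action, src, dst, port in rules:
        if _in_cidr(src, src_ip) and _in_cidr(dst, dst_ip) and port in ("*", dst_port):
            return action, author
    return default, "default"


if __name__ == "__main__":
    rules = flatten(INTENT)
    for r in rules:
        print(r)
    # The app owner's broad ALLOW is overridden by the security team's DENY.
    print(evaluate(rules, "10.1.1.1", "128.0.10.5", 443))
    print(evaluate(rules, "128.0.10.5", "128.0.11.7", 5432))
    print(evaluate(rules, "192.0.2.1", "128.0.11.7", 80))
```

The point the slide makes is visible in the first evaluation: the application owner's blanket ALLOW for 10.0.0.0/8 to 128.0.0.0/8 never gets a chance to match because the security team's DENY for the same pair sorts ahead of it.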
Enforcement of Policy Across Any Floor Tile
Cisco Tetration Analytics™:
1. Generates a unique policy per workload
2. Pushes policy to all workloads
3. Workload securely enforces policy
4. Continuously recomputes policy from identity and classification changes
Enforcement and compliance monitoring cover virtual, bare metal, Cisco ACI™, public cloud (Amazon, Azure, Google) and traditional networks.
Tetration Policy Enforcement in Cisco ACI
The Tetration ACI app works alongside the application white-list app over the Cisco Tetration Analytics™ northbound REST interface to:
• Use Tetration fine-grained ADM to create ACI-compatible policy*
• Assign Tetration policy elements to ACI policy elements
• Understand the impact (TCAM) of policy
• Provide optimizations to efficiently fit policy in the fabric
*Not all Tetration policy features can be supported by ACI
Cisco ACI Fabric Enforcement: TCAM Optimization
For a large deployment, applying generalization to the top 5 policy groups results in a 78% TCAM saving (160K entries).
• Adjust the policy enforcement mechanism based on TCAM utilization:
  • Enforce as-is
  • Enforce outgoing connections as-is (incoming will be generalized)
  • Enforce incoming as-is (outgoing will be generalized)
  • Generalize enforcement in both directions
• Visualize TCAM impact on associated leaf switches
Network Performance
Performance monitoring with deep-visibility software sensors only (installed on servers)
Application limited
• Process or server cannot drain traffic fast enough
• Identify whether the limitation is on the provider or consumer side
Network limited
• Network congestion is causing TCP congestion and window collapse
Enhanced TCP metrics
• SRTT latency
• Application-perceived latency
• TCP retransmissions
• TCP congestion window reduced
• TCP MSS changed
• TCP zero window
• Long TCP handshakes
Performance monitoring with Cisco ACI and Cisco Nexus 9300 FX switches only
Cisco ACI™ infrastructure using Cisco Nexus® 9300 FX leaf switches and Cisco Nexus 9300 FX line cards in the spine.
Track topology and topology changes using time series
• Covers fabric and external devices such as servers (LLDP required)
• Flow-context-specific topology views
View traffic flow information in time series
• Mapping of individual flows to fabric topology and queues
• Per-flow hop-by-hop path view
• Per-hop latency and fabric latency
• Fabric drop indicators
View link and queue information in a fabric in time series
• Flows through a particular link
• Throughput information
• Average and maximum latency
• Drop indicators
Additional flow search capabilities
• Search for specific flows within a link and queue
• Search based on fabric links
• Search based on class of service
*PTP required in production fabric
Other Use Cases
Cisco Tetration telemetry: ERSPAN option
Expanded telemetry collection option
• Augment telemetry from other parts of the network
• Useful when a software sensor or hardware sensor is not feasible
ERSPAN sessions from the production network cross a Layer 3 connection to a Layer 3 switch and terminate on sensor virtual machines, which send telemetry to the Cisco Tetration™ platform:
• Dedicated virtual machines on each host with 3 software sensors in each virtual machine
• Each sensor binds to a separate vNIC
• ERSPAN terminates on the virtual machine vNIC
• Each sensor terminates one ERSPAN session
• Sensor generates telemetry based on the data-plane traffic
• Horizontally scalable
Insight-Based Notification: Neighborhood Graphs
Cisco Tetration Analytics™ publishes messages to a Kafka broker, from which northbound consumers read them.
Neighborhood graphs
• Find up to two-hop communication neighbors for a selected workload
• Drill down into details about communication between these neighbors
• View a dashboard display built on a graph database
• Determine the number of server hops between two workloads
• Get out-of-the-box and custom alerts through Kafka
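The two neighborhood-graph questions above (two-hop neighbors of a workload, and the hop count between two workloads) answered over a conversation graph, as an added example that is not part of the deck and not Cisco's graph-database implementation. The flow summaries, workload names and the breadth-first search helpers are constructed for this example.

```python
"""Two-hop neighborhood and hop distance over a workload conversation graph.

Added example, not Cisco code. Builds an undirected graph from constructed
flow summaries (src, dst, proto, dst port) and answers the two questions the
neighborhood-graph slide lists with a breadth-first search.
"""
from collections import deque

# Constructed flow summaries: (src workload, dst workload, proto, dst port).
SAMPLE_FLOWS = [
    ("lb-1",   "web-1",   6, 443),
    ("lb-1",   "web-2",   6, 443),
    ("web-1",  "app-1",   6, 8080),
    ("web-2",  "app-1",   6, 8080),
    ("app-1",  "db-1",    6, 5432),
    ("app-1",  "cache-1", 6, 6379),
    ("mon-1",  "db-1",    6, 5432),
    ("jump-1", "mon-1",   6, 22),
]


def build_graph(flows):
    """Undirected adjacency: a conversation in either direction links two workloads."""
    graph = {}
    for src, dst, _proto, _port in flows:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set()).add(src)
    return graph


def bfs_distances(graph, start, max_hops=None):
    """Hop count from start to every workload reachable within max_hops
    (all reachable workloads when max_hops is None)."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if max_hops is not None and dist[node] >= max_hops:
            continue  # do not expand beyond the requested radius
        for nbr in graph.get(node, ()):
            if nbr not in dist:
                dist[nbr] = dist[node] + 1
                queue.append(nbr)
    return dist


def neighborhood(graph, workload, hops=2):
    """Neighbors grouped by hop distance, e.g. {1: {...}, 2: {...}}."""
    dist = bfs_distances(graph, workload, max_hops=hops)
    out = {h: set() for h in range(1, hops + 1)}
    for node, d in dist.items():
        if d > 0:
            out[d].add(node)
    return out


def hop_count(graph, a, b):
    """Number of conversation hops between two workloads, or None if unconnected."""
    return bfs_distances(graph, a).get(b)


if __name__ == "__main__":
    g = build_graph(SAMPLE_FLOWS)
    print(neighborhood(g, "app-1"))
    print(hop_count(g, "lb-1", "db-1"))
```

A security use of the same query: if the jump host should only ever be one hop from the monitoring server, a neighborhood of "jump-1" that suddenly contains database workloads at hop 1 is a lateral-movement signal worth alerting on.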
Virtual Desktop Infrastructure: Visualization
Main features
• Support for Microsoft Windows Desktop 7, 8 and 10
• Per-packet, per-flow visibility
• Correlate traffic with the process on the desktop instances
• Tie VDI user traffic to the application workspace
VDI instances report to Cisco Tetration Analytics™.
Policy-Related Notification
Cisco Tetration Analytics™ publishes policy events to a Kafka broker for northbound consumers:
• Alerts every minute for enforcement
• Policy compliance event notifications
• Count of policy alerts until whitelisted
• Alerts when iptables or the firewall is flushed or disabled by a user
• Alerts when the enforcement sensor is disabled
• Publishes policy differences between versions
Deployment Options
Cisco Tetration: On-Premises Deployment Options (hardware)
Cisco Tetration™ platform (large form factor)
• Suitable for deployments of more than 5000 workloads
• Built-in redundancy
• Scales to up to 25,000 workloads
• Includes 36 Cisco UCS® C220 servers and 3 Cisco Nexus® 9300 platform switches
Cisco Tetration-M (small form factor)
• Suitable for deployments of less than 5000 workloads
• Includes 6 Cisco UCS C220 servers and 2 Cisco Nexus 9300 platform switches
Public cloud: Cisco Tetration Cloud
• Software deployed in public cloud (Amazon Web Services, Microsoft Azure)
• Suitable for deployments of less than 1000 workloads
• Public cloud instance owned by the customer
Software-only option: Cisco Tetration software only (coming in Q2CY18)
• Suitable for deployments of less than 1000 workloads
• Published hardware requirements
• Supported in VMware ESXi based environments
Cisco Tetration: As-a-Service Option
Cisco Tetration™ as a Service (coming in Q2CY18)
• Software as a Service model: no need to purchase, install and manage hardware or software
• Fully managed and operated by Cisco
• Suitable for commercial customers and SaaS-first/SaaS-only customers
• Flexible pricing model, lower barrier to entry
• Quick turn-up
• Scales to up to 25,000 workloads
Ecosystem
Cisco Tetration Analytics™ ecosystem: application dependency, Layer 4-7 services, enforcement, visibility and optimization, and open insight exchange.
In Summary: Platform Built for Scale and Flexibility
Real time and scalable
• Every packet, every flow
• Application segmentation for 1000s of applications
• Extends visibility to processes and software packages
• Long-term data retention
Holistic workload protection
• Consistent application segmentation
• Any workload, anywhere
• Process behavior deviations
• Software package vulnerability
Easy to use
• One-touch deployment
• Self monitoring
• Self diagnostics
• Standard web UI
• REST API (pull)
• Event notification (push)
• Tetration applications
Thank you.
Cisco Canada823 views
Cisco Connect Toronto 2018 DevNet Overview von Cisco Canada
Cisco Connect Toronto 2018  DevNet OverviewCisco Connect Toronto 2018  DevNet Overview
Cisco Connect Toronto 2018 DevNet Overview
Cisco Canada726 views
Cisco Connect Toronto 2018 DNA assurance von Cisco Canada
Cisco Connect Toronto 2018  DNA assuranceCisco Connect Toronto 2018  DNA assurance
Cisco Connect Toronto 2018 DNA assurance
Cisco Canada839 views
Cisco Connect Toronto 2018 network-slicing von Cisco Canada
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicing
Cisco Canada2.1K views
Cisco Connect Toronto 2018 the intelligent network with cisco meraki von Cisco Canada
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Canada955 views
Cisco Connect Toronto 2018 sixty to zero von Cisco Canada
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zero
Cisco Canada549 views
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t... von Cisco Canada
Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
Cisco Canada1.9K views

Último

CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T von
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&TCloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&TShapeBlue
152 views34 Folien
Cencora Executive Symposium von
Cencora Executive SymposiumCencora Executive Symposium
Cencora Executive Symposiummarketingcommunicati21
159 views14 Folien
Kyo - Functional Scala 2023.pdf von
Kyo - Functional Scala 2023.pdfKyo - Functional Scala 2023.pdf
Kyo - Functional Scala 2023.pdfFlavio W. Brasil
457 views92 Folien
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or... von
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...ShapeBlue
198 views20 Folien
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda... von
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...ShapeBlue
161 views13 Folien
Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava... von
Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...
Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...ShapeBlue
145 views17 Folien

Último(20)

CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T von ShapeBlue
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&TCloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T
ShapeBlue152 views
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or... von ShapeBlue
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
ShapeBlue198 views
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda... von ShapeBlue
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
ShapeBlue161 views
Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava... von ShapeBlue
Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...
Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...
ShapeBlue145 views
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti... von ShapeBlue
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
ShapeBlue139 views
Business Analyst Series 2023 - Week 4 Session 8 von DianaGray10
Business Analyst Series 2023 -  Week 4 Session 8Business Analyst Series 2023 -  Week 4 Session 8
Business Analyst Series 2023 - Week 4 Session 8
DianaGray10123 views
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT von ShapeBlue
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBITUpdates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
ShapeBlue206 views
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ... von ShapeBlue
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
ShapeBlue166 views
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ... von ShapeBlue
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
ShapeBlue184 views
The Power of Heat Decarbonisation Plans in the Built Environment von IES VE
The Power of Heat Decarbonisation Plans in the Built EnvironmentThe Power of Heat Decarbonisation Plans in the Built Environment
The Power of Heat Decarbonisation Plans in the Built Environment
IES VE79 views
Future of AR - Facebook Presentation von Rob McCarty
Future of AR - Facebook PresentationFuture of AR - Facebook Presentation
Future of AR - Facebook Presentation
Rob McCarty64 views
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And... von ShapeBlue
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
ShapeBlue106 views
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue von ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
ShapeBlue147 views
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue von ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlueElevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
ShapeBlue222 views
Why and How CloudStack at weSystems - Stephan Bienek - weSystems von ShapeBlue
Why and How CloudStack at weSystems - Stephan Bienek - weSystemsWhy and How CloudStack at weSystems - Stephan Bienek - weSystems
Why and How CloudStack at weSystems - Stephan Bienek - weSystems
ShapeBlue238 views
Digital Personal Data Protection (DPDP) Practical Approach For CISOs von Priyanka Aash
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash158 views
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas... von Bernd Ruecker
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
Bernd Ruecker54 views
Confidence in CloudStack - Aron Wagner, Nathan Gleason - Americ von ShapeBlue
Confidence in CloudStack - Aron Wagner, Nathan Gleason - AmericConfidence in CloudStack - Aron Wagner, Nathan Gleason - Americ
Confidence in CloudStack - Aron Wagner, Nathan Gleason - Americ
ShapeBlue130 views

Cisco Connect Halifax 2018 Application insight and zero trust policies with cisco tetration

1. Application Insight and Zero-Trust Policies with Cisco Tetration
Nadir Lakhani, Technical Solutions Architect
Cisco Connect: Your Time Is Now
April, 2018
© 2017 Cisco and/or its affiliates. All rights reserved.

2. What does Tetration mean?
• Tetration (or Hyper-4) is the next hyperoperation after exponentiation, and is defined as iterated exponentiation. The word was coined by Reuben Louis Goodstein, from tetra- (four) and iteration. Tetration is used for the notation of very large numbers.

3. Security Challenges in Modern Data Centers
Applications are driving modern datacenter infrastructure, and securing applications has become complex:
• Rapid App Deployment
• Continuous Development
• Application Mobility
• Micro Services
• Policy Enforcement
• Heterogeneous Network
• Secure Zero-Trust
• Policy Compliance

4. Cisco Tetration Platform Use Cases
Use-case areas of the Cisco Tetration™ Platform: Foundation, Segmentation, Advanced Security, Operations.
Capabilities:
• Application Insight
• Process Inventory
• Visibility and Forensics
• White-list Policy
• Policy Compliance
• Application Segmentation
• Process Security
• Software Inventory Baseline
• Neighborhood Graphs
• Network and TCP Performance

5. Cisco Tetration Platform: Architecture Overview
• Interfaces: Web GUI, REST API, Event notification, Cisco Tetration apps
• Third-Party Sources (Configuration Data)
• Analytics Engine
• Data Collection Layer: Software Sensor and Enforcement; Container Host Sensors*; Embedded Network Sensors (Telemetry Only); ERSPAN Sensors (Telemetry Only); Netflow Sensors* (Telemetry Only)
*Support coming in Q2CY18

6. Cisco Tetration analytics data sources
Main features:
✓ Low CPU overhead (SLA enforced)
✓ Low network overhead
✓ New enforcement point (software agents)
✓ Highly secure (code signed and authenticated)
✓ Every flow (no sampling) and no payload
Software sensors (available today):
• Linux servers (virtual machine and bare metal)
• Windows servers (virtual machines and bare metal)
• Windows Desktop VM (virtual desktop infrastructure only)
Network sensors (available today):
• Cisco Nexus 9300 EX
• Cisco Nexus 9300 FX
• Next-generation Cisco Nexus® Series Switches
Other sensors:
• Container Host* (Host OS – Linux based)
• ERSPAN Sensor
• Netflow Sensor*
*Support coming in Q2CY18
*Note: Available for POC/Trial purposes only

7. Application Dependency Mapping

8. Application Dependency and Cluster Grouping
• Cisco Tetration Analytics™ platform: unsupervised machine learning and behavior analysis
• Inputs: bare-metal, VM, and switch telemetry
• On-premises and cloud workloads (AWS): bare-metal and VM telemetry; VM telemetry (AMI …)
• Brownfield: network-only sensors, host-only sensors, or both (preferred); Cisco Nexus® 9000 Series
(Diagram of bare-metal (BM) and VM workloads not reproduced.)

9. Application Conversation View
• Application clusters conversation views
• Policy details

10. Whitelist Policy Recommendation
Application discovery produces a whitelist policy recommendation (available in JSON, XML, and YAML):
{
  "src_name": "App",
  "dst_name": "Web",
  "whitelist": [
    { "port": [0, 0], "proto": 1, "action": "ALLOW" },
    { "port": [80, 80], "proto": 6, "action": "ALLOW" },
    { "port": [443, 443], "proto": 6, "action": "ALLOW" }
  ]
}

11. Compliance, Policy Validation
All flows are tracked 4 ways:
• Permitted: bidirectional flows that match the policy
• Misdropped: permitted traffic where we have dropped a packet
• Escaped: bidirectional flows that are against the policy
• Rejected: uni-directional flows that are against the policy
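To make the four compliance outcomes of slide 11 concrete, the following Python is an added example (not Tetration code and not from the presenter). It parses the whitelist recommendation exactly as printed on slide 10 and sorts constructed flow records into Permitted, Misdropped, Escaped and Rejected. The Flow record, its field names and the sample flows are assumptions made for the example; Tetration's own flow schema is not shown on the slides.

```python
import json
from dataclasses import dataclass

# Whitelist recommendation exactly as shown on slide 10 (cluster "App" -> cluster "Web").
POLICY_JSON = """
{ "src_name": "App", "dst_name": "Web",
  "whitelist": [
    { "port": [0, 0],     "proto": 1, "action": "ALLOW" },
    { "port": [80, 80],   "proto": 6, "action": "ALLOW" },
    { "port": [443, 443], "proto": 6, "action": "ALLOW" }
  ] }
"""


@dataclass(frozen=True)
class Flow:
    """One observed conversation between two clusters (constructed shape, not a Tetration record)."""
    src: str
    dst: str
    proto: int           # IP protocol number: 1 = ICMP, 6 = TCP, 17 = UDP
    dport: int           # destination port (0 for ICMP)
    bidirectional: bool  # True when traffic was seen in both directions
    dropped: bool        # True when the enforcement point dropped at least one packet


def load_policy(text):
    return json.loads(text)


def is_permitted(policy, flow):
    """True when the flow matches an ALLOW entry of the whitelist for its src/dst clusters."""
    if (flow.src, flow.dst) != (policy["src_name"], policy["dst_name"]):
        return False
    for rule in policy["whitelist"]:
        lo, hi = rule["port"]
        if rule["proto"] == flow.proto and lo <= flow.dport <= hi and rule["action"] == "ALLOW":
            return True
    return False


def classify(policy, flow):
    """Map a flow to one of the four outcomes from slide 11."""
    if is_permitted(policy, flow):
        # Permitted traffic that still lost a packet is a misdrop: an enforcement or network fault.
        return "MISDROPPED" if flow.dropped else "PERMITTED"
    # Traffic against the policy: bidirectional means the connection actually completed.
    return "ESCAPED" if flow.bidirectional else "REJECTED"


def compliance_report(policy, flows):
    counts = {"PERMITTED": 0, "MISDROPPED": 0, "ESCAPED": 0, "REJECTED": 0}
    for f in flows:
        counts[classify(policy, f)] += 1
    return counts


# Constructed sample flows, not captured data.
SAMPLE_FLOWS = [
    Flow("App", "Web", 6, 443, True, False),    # HTTPS, allowed, clean
    Flow("App", "Web", 6, 80, True, True),      # HTTP, allowed, but a packet was dropped
    Flow("App", "Web", 6, 22, True, False),     # SSH is not whitelisted yet completed: escaped
    Flow("App", "Web", 6, 3306, False, False),  # MySQL attempt, one direction only: rejected
    Flow("App", "Web", 1, 0, True, False),      # ICMP (proto 1) is allowed by the first entry
]

if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    for f in SAMPLE_FLOWS:
        print(f"{f.src}->{f.dst} proto={f.proto} dport={f.dport}: {classify(policy, f)}")
    print(compliance_report(policy, SAMPLE_FLOWS))
```

The category worth alerting on is ESCAPED: a completed conversation the policy forbids means the policy is not being enforced where that flow crossed. MISDROPPED points the other way, at a sensor or fabric fault on traffic that should have passed, so the two deserve different owners.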
12. User-Uploaded asset tags
• Discovered inventory
• Uploaded inventory and metadata (32 arbitrary tags)
• Inventory tracked in real time, along with historical trends
Sources combined by the Cisco Tetration Analytics merge operation: user-uploaded tags; Cisco Tetration Analytics™ sensor feed; VMware vCenter (virtual machine attributes); AWS attributes (AWS tags). The result is a real-time inventory merged from these sources, with historical trends.

13. Segmentation Policy: Express Policies in Human Language
Example intent: "Development can't talk to production"
• Cisco Tetration™ knows who is production
• Cisco Tetration knows who is development
• Policies are continuously updated as applications change

14. Application segmentation

15. Cisco Tetration application segmentation
• Policy recommendation comes from Cisco Tetration™ application workspaces
• Application segmentation policy targets: public cloud, private cloud, on-premise

16. How Does it Work?
Cisco Tetration™ automatically converts your intent into blacklist and whitelist rules.
Intent → Rules:
• Block nonproduction applications from talking to production applications → SOURCE 10.0.0.0/8, DEST 128.0.0.0/8
• Allow HR applications to use the employee database → SOURCE 128.0.10.0/24, DEST 128.0.11.0/24
• Block all HTTP connections that are not destined for web servers → SOURCE *, DEST 128.0.100.0/24, PORT = 80; SOURCE *, DEST *, PORT = 80

17. Rule-Processing Order
• Application owners need some amount of autonomy to make application-level changes quickly
• Security and network teams need to control the global aspects of application interconnection and shared services
• Cisco Tetration™ flattens intent in a deterministic order, prioritizing intent of higher-authority users over intent of application owners
Precedence (highest first): Security team rules, Network team rules, Application owner rules
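Slides 16 and 17 together describe intent being turned into address/port rules and then flattened by authority tier. The Python below is an added example that is not Tetration's implementation: it takes the three intents from slide 16, assigns them to tiers, flattens them in the slide 17 order and answers first-match queries. The tier assignments, the ALLOW action on the web-server exception, the extra application-owner rule, and the default-deny fallback are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Authority tiers from slide 17: higher-authority intent is flattened ahead of lower.
TIER_ORDER = {"security": 0, "network": 1, "application": 2}


@dataclass(frozen=True)
class Rule:
    tier: str                   # who authored the intent
    action: str                 # "ALLOW" or "BLOCK"
    src: str                    # CIDR, or "*" for any source
    dst: str                    # CIDR, or "*" for any destination
    port: Optional[int] = None  # None = any port
    note: str = ""              # the human-language intent behind the rule


def _net(cidr):
    return None if cidr == "*" else ipaddress.ip_network(cidr)


def _matches(rule, src_ip, dst_ip, port):
    s, d = _net(rule.src), _net(rule.dst)
    if s is not None and ipaddress.ip_address(src_ip) not in s:
        return False
    if d is not None and ipaddress.ip_address(dst_ip) not in d:
        return False
    return rule.port is None or rule.port == port


def flatten(rules):
    """Deterministic order: by tier, then in the order each author wrote them (sorted is stable)."""
    return sorted(rules, key=lambda r: TIER_ORDER[r.tier])


def decide(flat_rules, src_ip, dst_ip, port, default="BLOCK"):
    """First matching rule in flattened order wins; nothing matching falls to default deny."""
    for r in flat_rules:
        if _matches(r, src_ip, dst_ip, port):
            return r.action, r.note
    return default, "implicit default"


# The slide 16 intents plus one constructed application-owner rule that conflicts with them.
RULES = [
    Rule("application", "ALLOW", "128.0.10.0/24", "128.0.11.0/24", note="HR apps -> employee DB"),
    Rule("application", "ALLOW", "10.0.5.0/24", "128.0.20.0/24", note="dev tool -> prod API (app owner)"),
    Rule("security", "BLOCK", "10.0.0.0/8", "128.0.0.0/8", note="nonproduction -> production"),
    Rule("network", "ALLOW", "*", "128.0.100.0/24", 80, note="HTTP to web servers"),
    Rule("network", "BLOCK", "*", "*", 80, note="HTTP anywhere else"),
]

if __name__ == "__main__":
    flat = flatten(RULES)
    for r in flat:
        print(f"{r.tier:<12} {r.action:<5} {r.src:>14} -> {r.dst:<16} port={r.port}  # {r.note}")
    # The app owner's allow never fires: the security team's block sits ahead of it.
    print(decide(flat, "10.0.5.7", "128.0.20.9", 443))
```

The conflicting second rule is the point of the example: an application owner can write an allow for a nonproduction-to-production path, but after flattening the security team's block is evaluated first, so the allow is unreachable. Checking for unreachable rules after flattening is a cheap way to surface such conflicts before they are pushed to workloads.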
18. Enforcement of policy across any floor tile
Cisco Tetration Analytics™:
1. Generates unique policy per workload
2. Pushes policy to all workloads
3. Workload securely enforces policy
4. Continuously recomputes policy from identity and classification changes
Enforcement and compliance monitoring span virtual and bare-metal workloads, Cisco ACI™, public cloud (Amazon, Azure, Google), and traditional networks.

19. Tetration Policy Enforcement in Cisco ACI
Cisco Tetration Analytics™ → Northbound REST Interface → Tetration ACI App → Application White-list
• Use Tetration fine-grained ADM to create ACI-compatible policy*
• Assign Tetration policy elements to ACI policy elements
• Understand the impact (TCAM) of policy
• Provide optimizations to efficiently fit policy in fabric
*Not all Tetration policy features can be supported by ACI

20. Cisco ACI Fabric Enforcement – TCAM Optimization
For a large deployment, applying generalization to the top 5 policy groups results in a 160K (78%) TCAM saving.
• Adjust the policy enforcement mechanism based on TCAM utilization:
  • Enforce as-is
  • Enforce outgoing connection as-is (incoming will be generalized)
  • Enforce incoming as-is (outgoing will be generalized)
  • Generalize enforcement in both directions
• Visualize TCAM impact on associated leaf switches

21. Network performance

22. Performance monitoring: with deep-visibility software sensors only
Cisco Tetration™ with deep-visibility software sensors installed on servers.
Application limited:
• Process or server cannot drain traffic fast enough
• Identify whether limitation is on provider or consumer side
Network limited:
• Network congestion is causing TCP congestion and window collapse
Enhanced TCP metrics:
• SRTT latency
• Application-perceived latency
• TCP retransmissions
• TCP congestion window reduced
• TCP MSS changed
• TCP zero window
• Long TCP handshakes

23. Performance monitoring: with Cisco ACI and Cisco Nexus 9300 FX switches only
Cisco Tetration™ with Cisco ACI™ infrastructure using Cisco Nexus® 9300 FX leaf switches and Cisco Nexus 9300 FX line cards in spine.
Track topology and topology changes using time series:
• Covers fabric and external devices such as servers (LLDP required)
• Flow-context-specific topology views
View traffic flow information in time series:
• Mapping of individual flows to fabric topology and queues
• Per-flow hop-by-hop path view
• Per-hop latency and fabric latency
• Fabric drop indicators
View link and queue information in a fabric in time series:
• Flows through a particular link
• Throughput information
• Average and maximum latency
• Drop indicators
Additional flow search capabilities:
• Search for specific flows within a link and queue
• Search based on fabric links
• Search based on class of service
*PTP required in production fabric

24. Other use cases

25. Cisco Tetration telemetry: ERSPAN option
Expanded telemetry collection option:
• Augment telemetry from other parts of the network
• Useful when software sensor or hardware sensor is not feasible
Design:
• Dedicated virtual machines on each host with 3 software sensors in each virtual machine
• Each sensor binds to a separate vNIC
• ERSPAN terminates on the virtual machine vNIC
• Each sensor terminates one ERSPAN session
• Sensor generates telemetry based on the data-plane traffic
• Horizontally scalable
Diagram: production network, Layer 3 switch, ERSPAN over a Layer 3 connection, Cisco Tetration™ telemetry to the Cisco Tetration™ Platform.

26. Insight-based notification: Neighborhood graphs
Cisco Tetration Analytics™ publishes messages to a Kafka broker for northbound consumers.
Neighborhood graphs:
• Find up to two-hop communication neighbors for a selected workload
• Drill down into details about communication between these neighbors
• View dashboard display using graph database
• Determine the number of server hops between two workloads
• Get out-of-the-box and customer alerts through Kafka
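The two-hop neighborhood and hop-count features on slide 26 are graph queries over observed conversations. As an added example (not Tetration's graph database or code), the Python below builds an undirected communication graph from a constructed list of workload-to-workload conversations and answers both queries with a breadth-first search; it also adds an unexpected_neighbors helper, an assumption of this example, that lists neighbors a workload should not be talking to given an expected set.

```python
from collections import deque

# Constructed sample of observed conversations (src, dst); not Tetration output.
SAMPLE_CONVERSATIONS = [
    ("web-1", "app-1"), ("web-2", "app-1"),
    ("app-1", "db-1"), ("app-1", "cache-1"),
    ("db-1", "backup-1"),
    ("jump-1", "db-1"),
    ("monitor-1", "web-1"), ("monitor-1", "db-1"),
]


def build_graph(conversations):
    """Undirected adjacency map: a conversation in either direction makes two workloads neighbors."""
    graph = {}
    for a, b in conversations:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def neighborhood(graph, workload, max_hops=2):
    """BFS from `workload`; returns {neighbor: hop distance} for every node within max_hops."""
    dist = {workload: 0}
    queue = deque([workload])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue  # do not expand past the requested radius
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    dist.pop(workload)  # the selected workload is not its own neighbor
    return dist


def hops_between(graph, a, b):
    """Number of server hops on the shortest communication path, or None if unconnected."""
    return neighborhood(graph, a, max_hops=len(graph)).get(b)


def unexpected_neighbors(graph, workload, expected):
    """Direct neighbors of `workload` that are not in the expected set (helper assumed for this example)."""
    return sorted(graph.get(workload, set()) - set(expected))


if __name__ == "__main__":
    g = build_graph(SAMPLE_CONVERSATIONS)
    print("two-hop neighborhood of app-1:", neighborhood(g, "app-1"))
    print("hops web-2 -> backup-1:", hops_between(g, "web-2", "backup-1"))
    # A database tier is expected to talk to app and backup only; anything else is worth a look.
    print("unexpected neighbors of db-1:", unexpected_neighbors(g, "db-1", {"app-1", "backup-1"}))
```

In the sample, db-1 has two neighbors outside its expected set (jump-1 and monitor-1); whether each is legitimate is exactly the drill-down the slide describes, and the answer feeds back into the whitelist for that cluster.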
27. Virtual Desktop Infrastructure: Visualization
Main features:
✓ Support Microsoft Windows Desktop 7, 8, and 10
✓ Get per-packet, per-flow visibility
✓ Correlate traffic with process on the desktop instances
✓ Tie VDI user traffic to application workspace
VDI instances report to Cisco Tetration Analytics™.

28. Policy-related notification
Cisco Tetration Analytics™ publishes messages to a Kafka broker for northbound consumers:
• Alerts every minute for enforcement
• Policy compliance event notifications
• Count of policy alerts until whitelisted
• Alerts when iptables or firewall is flushed or disabled by user
• Alerts when enforcement sensor is disabled
• Publishes policy differences between versions

29. Deployment options

30. Cisco Tetration: On-Premises Deployment options
Hardware options:
Cisco Tetration™ platform (large form factor)
• Suitable for deployments of more than 5000 workloads
• Built-in redundancy
• Scales to up to 25,000 workloads
• Includes: 36 Cisco UCS® C220 servers; 3 Cisco Nexus® 9300 platform switches
Cisco Tetration-M (small form factor)
• Suitable for deployments of less than 5000 workloads
• Includes: 6 Cisco UCS C220 servers; 2 Cisco Nexus 9300 platform switches
Public cloud (Amazon Web Services, Microsoft Azure): Cisco Tetration Cloud
• Software deployed in public cloud
• Suitable for deployments of less than 1000 workloads
• Public cloud instance owned by customer
Software-only option: Cisco Tetration software-only option (coming in Q2CY18)
• Suitable for deployments of less than 1000 workloads
• Published hardware requirements
• Supported in VMware ESXi based environment

31. Cisco Tetration: As-a-Service Option
Cisco Tetration™ as a Service (coming in Q2CY18)
• Software as a Service model: no need to purchase, install and manage hardware or software
• Fully managed and operated by Cisco
• Suitable for commercial customers and SaaS-first/SaaS-only customers
• Flexible pricing model, lower barrier to entry
• Quick turn up
• Scales to up to 25,000 workloads

32. Ecosystem

33. Cisco Tetration Analytics: Ecosystem
Insight exchange between Cisco Tetration Analytics™ and partner integrations in four areas: Application Dependency; Layer 4-7 Services; Enforcement; Visibility and Optimization.

34. In summary: Platform built for scale and flexibility
Real time and scalable:
• Every packet, every flow
• Application segmentation for 1000s of applications
• Extends visibility to process and software packages
• Long term data retention
Holistic workload protection:
• Consistent application segmentation
• Any workload, anywhere
• Process behavior deviations
• Software package vulnerability
Easy to use:
• One touch deployment
• Self monitoring
• Self diagnostics
Open:
• Standard web UI
• REST API (pull)
• Event notification (push)
• Tetration applications