Simplifying security in the data center

1. Benjamin Rossignol
Security Consulting Systems Engineer
berossig@cisco.com
Simplifying Security
in the Data Center

2. How do we Simplify the Secure Data Center?

3. • Introduction
• Micro-Segmentation
• Secure VDI
• ACI-TrustSec Integration
• Security Feedback Loop with Firepower
Agenda

4. ACI Service Graphs Keep it Simple
ACI Web Contract
Consumer Provider
Managed/Unmanaged
Devices
Client EPG Web EPG
S
ACI Allows for Easier Services Insertion

5. L4-L7 Service Automation: Support for All Devices
Any Device and Cluster Manager Support
L4-L7 Service Automation L4-L7 Services
Cisco ACI™
Services Graph
L4- L7 Device Package No Device Package Service Cluster Manager
• Centralized L4-L7 service configuration and management
• Full L4-L7 service automation (with device package)
• Large ecosystem and investment protection
• Security policy follows workload
• Centralized security provisioning and visibility
• Automated service insertion and chaining
• Support for any L4-L7 device
• New support for L4-L7 cluster managers
Embedded
Security
Micro-
Segmentation
Security
Automation
Encryption Analytics

6. Same Policy Model across physical and any
virtualization or cloud technology
VM
1
VM
2
VM
1
VM
1
VM
2
KVM OpFlex
Agent
V(X)LAN
Open
vSwitch
ESXi Cisco
AVS
V(X)LAN
VMware
DVS
Hyper-V MSFT vSwitch
V(X)LAN
Docker OpFlex
Agent
V(X)LAN
Open
vSwitch
VM
1
VM
1
VM
2
VM
1
Docker1 Docker2
Docker1 Docker2
OpFlex OpFlex OpFlex OpFlex
Bare Metal
VLAN

7. Can we use Micro Segmentation within ACI to effectively
isolate application traffic?
Using Micro Segmentation

8. Macro Segmentation
Development
Datacenter
Production
Campus
The separation of Trusted and
Untrusted environments.
Examples:
• Internet
• Campus
• Datacenter
• Development
• Production
Service
Graphs
Firewalls
ACLs
EPGs
Internet

9. Micro Segmentation
Application
Web Tier
Database
Campus
Ring-fencing, or isolation
application traffic to a specific
set of servers within a
datacenter.
Examples:
• Web Tier to Application
• Application to Database
Service
Graphs
EPGs
Virtual
Firewalls

10. vDS Cisco AVS IP/MAC EPG Hyper-V vSwitch Open vSwitch Open vSwitch
VLAN
VLAN or
VXLAN
VLAN or
VXLAN VLANVLANVLAN
Micro-Segmentation with ACI
EPG-Web
Micro-Segmentation Across any Workload
Attributes Type
MAC Address Filter Network
IP Address Filter Network
VNic Dn (vNIC domain name) VM
VM Identifier VM
VM Name VM
Hypervisor Identifier VM
VMM Domain VM
Datacenter VM
Custom Attribute
(VMWare AVS/vDS only)
VM
Operating System VM
opflex opflex opflex

11. vDS Cisco AVS IP/MAC EPG Hyper-V vSwitch Open vSwitch Open vSwitch
VLAN
VLAN or
VXLAN
VLAN or
VXLAN VLANVLANVLAN
MAC-EPG Support in ACI
MAC-EPG-Web
Micro-Segmentation Across any Workload
Attributes Type
MAC Address Filter Network
IP Address Filter Network
VNic Dn (vNIC domain name) VM
VM Identifier VM
VM Name VM
Hypervisor Identifier VM
VMM Domain VM
Datacenter VM
Custom Attribute
(VMWare AVS/vDS only)
VM
Operating System VM

12. • MAC-EPG is a micro-segmented EPG with endpoint membership based on
MAC address attribute list which is derived from endpoints of a Base EPG
• Scoped at BD level
• MAC-EPGs can have large mac-lists
• Usecases: Migrations, Security Feedback Loop, etc …
MAC-EPG (Micro-Segmentation)
BD1/subnet1
Base EPG
MAC-EPG-1 MAC-EPG-N
Contract
Within BD traffic is Bridged
BD2/subnet2
Base EPG
MAC-EPG-1
Inter BD traffic is Routed
Contract

13. MicroSegmentation Demo
with ACI

14. User Segmentation and VDI
Campus
PC
PC
PC
Datacenter
SalesIT
HR
VDI
EPG
Server
EPG
NGFW /
NGIPS
NGFW /
NGIPSSolution provides:
Next-Generation Security (NGFW, NGIPS, AMP) with
Identity controls.
VDI Farm is one big flat subnet, with lateral blocking. Need
to provide secure access to Servers.

15. Secure VDI Usecase Flow:
User-Identity Micro-Segmentation with FirePower + ACI
Usecase 1 Usecase 2
Shipping

16. Consuming Micro-Segmentation
User-Identity Micro-Segmentation with ACI
Src-EPG Dest-EPG
Contract
Src-EPG Dest-EPG
Contract
AD based
User
Identify
Policy
Concept
Solution Intra-EPG
Isolation
ACI Service Graph w/ Firepower
Enforce User-Identity Based
Network Access Control Policy
Red User can only Access Red VMs
Green User can only Access Green VMs
ACI Policy
Model
Extension
Shipping

17. Secure VDI Usecase:
User-Identity Micro-Segmentation with FirePower + ACI
Campus Network
providerconsumer
Firepower 4100 / 9300
FTD Image
vPC
Contract L3out
service-graph with
FirePower
FMC Active
Directory
SF User
Agent
VDI
EPG
L3out
Users Initiate
VDI session
VDI Farm - one big flat subnet but
VMs isolated, blocking lateral
User-Identity
Network Access Control
Policy
Server
EPG
Users (AD Group:
VDI Session)
Destination
Network (Server
EPG)
Group A
1.0.0.1 <= VDI IP
1.0.0.2
Destination Subnet
10.0.0.0/30
Group B
3.0.0.1
Destination
20.0.0.1
SourceFire Policy
Shipping

18. Secure VDI
Demonstration

19. User Segmentation
Campus
Control of which systems or
applications within a datacenter
a user or group can connect to.
PC
PC
PC
8 SGT / Sales
3 SGT/ HR
99 SGT / IT
Trustsec / Security Group Tags
VLAN Assignment
Passive Identity from Active Directory
Datacenter

20. Problem: Disjointed Identity & Security Policy Domains
Between Campus and Data Center
TrustSec domain
Voice Employee Supplier BYOD
Campus / Branch / Non-Fabric
TrustSec Policy Domain
Voic
e
VLA
N
Data
VLAN
Web App DB
ACI Fabric
Data Center
APIC Policy Domain
APIC
WAN
Disjoint: Identity, Grouping
Policy Domains
TrustSec Policy Domain APIC Policy Domain
• Today customer has two disjointed identity and security policy domains in Campus and Data Center:
• TrustSec User Identity, SGT and SGACL in Campus
• APIC App Endpoint Identity, EPG and Contract in Data Center
• Customer Requirement:
• Need Common “Identity,” Tagging and “Security Policy” between TrustSec and ACI domains

21. TrustSec/ISE Policy Domain
CMD/SGT
ACI Policy Domain
TrustSec
Border Router
(ASR1K Initially)
Higher Scale Data Plane Solution
SXP
SGT <-> EPG
translation
WA
N
IPSec, DMVPN,
GETVPN, OTP
Policy Plane (REST API)
Routing Plane (MP-BGP EVPN)
“Trusted Mode”
Data Plane (GBP VXLAN)
ISE Builds Translation Table
1. GET: VRF-ID, Class-ID
2. SGT <==> VRF-ID, Class-ID
Download
Translation
Table
EPG Starts on ASR1k
2
3
4
Target
Q2-CY17
1
ASR1k(config)# cts sg-epg translations
Golf L3out
Leaf: -EX only

22. TrustSec/ISE Policy Domain
CMD/SGT
ACI Policy Domain
TrustSec
Border Router
(ASR1K Initially)
Campus to ACI Flow
SXP
SGT <-> EPG
translation
WA
N
IPSec, DMVPN,
GETVPN, OTP SGT-EPG
iVXLAN
Contract Applied on Leaf
Lookup:s-class, d-class, policy
APP-EPG
Golf L3out
Target
Q2-CY17

23. TrustSec/ISE Policy Domain
CMD/SGT
ACI Policy Domain
TrustSec
Border Router
(ASR1K Initially)
ACI to Campus Flow
SXP
SGT <-> EPG
translation
WA
N
IPSec, DMVPN,
GETVPN, OTP
SGT-EPG
iVXLAN
VzAny Contract
Permit-all or filter ports
APP-EPG
Golf L3out
Target
Q2-CY17
Per-Host Policy
in ASR1k

24. TrustSec
Domain
Phase 1
Identity and Policy Propagation between
ISE and APIC
No SGT tags sent to ACI
Enforcement at N9300 border leaf
Leverage IP address as User identifier
Scale: ~10k/Leaf
Works with existing ACI infra: N9300
leafs and N9500 Spines
Target Timeframe: Shipping now
Solution: Normalize Identity and SGT/EPG
Phase 2
Policy Mapping between ISE and APIC AND Data
plane Integration (ASR1K or ACI Spine)
ASR1K DCI translates SGT  EPG-Class-ID
Enforcement at N9300 leaf
Scale: SGT/ EPG namespace
Works with existing N9300 leafs, requires upgrade
of N9500 spines (line card/ fabric module available
mid CY16)
Target Timeframe: Q2 CY17
TrustSec
Domain
ACI
Domain
SGT  EPG
SGT  EPG
ACI
Domain
iVXLANSGT
ASR1k
Shipping Q2-CY17

25. Security Feedback Loop

26. Firepower, in all its forms, supports:
Correlation Polices and Remediation Modules,
allowing us to take a customized action based on defined
behavior on the network.
Example:
If a server is attacked by host in my PCI network, I want to block the attacker.
Security Feedback Loop

27. Consuming Micro-Segmentation
ACI and SourceFire – Security Closed Feedback Loop
CORP
EPG
FW
NGIPS
10.1.0.234
Attack
Web
EPG
REM
EPG
QUA
EPG
FW
FireSIGHT
Management
Center
REST Calls to
APIC NB API
Move VM
To Quarantine
Quarantine for RemediationPost Remediation Move Cleaned VM
Status:
1. Cisco on Cisco solution (ACI + Security BU)
2. Remediation module in FMC used for security
feedback loop (no, device package required)
3. Productization for VMware vDS, AVS and BM
is shipping
• Quarantine IP-EPG creation
• Quarantine bad endpoints using IP-
EPG only
4. Tested 150 IP-EPG creation and TBD
endpoints
5. NGIPS stitching has no dependencies on
Remediation module. NGIPS Stitching can we
with device package or not. Both options
supported.
Demo Video: https://youtu.be/zSfDT1-47Hg

28. Security Feedback Loop, continued…

29. Security Feedback Loop, continued…
Cisco has just released the
new ACI Remediation Module
for Firepower!

30. Security Feedback Loop, continued…

31. Security Feedback Loop
Demonstration

32. • FMC Remediation Module for ACI Documentation
http://www.cisco.com/c/dam/en/us/td/docs/security/asa/apic/quick-start/guide/fmc-rm-qsg1x.pdf
• FMC Remediation Module for ACI YouTube Video
https://www.youtube.com/watch?v=zSfDT1-47Hg&feature=youtu.be
• Micro Segmentation Demo on YouTube
https://youtu.be/EEs7B1dKVjE
Additional Resources