Brksec 2048-demystifying aci-security

Demystifying ACI Security
Fabien Gandola, CSE Security for EMEA
BRKSEC-2048

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
How
cs.co/ciscolivebot#BRKSEC-2048

In Conclusion
• ACI helps tackling DC Security Challenges by :
 Integrating security in the Application
 Accelerating security deployment
 Automating security insertion
• Cisco Security helps better protect your DC by :
 Providing leading edge technologies
 Integrating smoothly in ACI architecture
 Providing a full security framework
BRKSEC-2048 5

Business Trends and
Datacenter Challenges

What Changed ?
• Virtualization
BRKSEC-2048 8

What Changed ?
• Virtualization
• Requirements for security for
East-West Traffic
BRKSEC-2048 9

What Changed ?
• Virtualization
East-West Traffic
• Architecture with Multiple
active Data Centers
BRKSEC-2048 10

What Changed ?
• Virtualization
East-West Traffic
• Architecture with Multiple
active Data Centers
• Hybrid Data Center with
Public Cloud Solution
BRKSEC-2048 11

Digitization generates DC Challenges
10I000 0II0 00 0III000
I00I III0I III00II 0II00II
Protect
Infrastructure and
Critical Data
24x7
Manage Data
Deluge and Device
Proliferation
Defend Across the
Extended DC
Physical + Virtual + Cloud
Enable
Business Growth
New Business Value
New Business Models
BRKSEC-2048 12

The Cisco Advantage
• Control North/South traffic with NGFW
• Scale and HA with Clustering
• Inspect North/South traffic with NGIPS
• Segment and Protect virtual enclave with
ASAv and FTDv
An Architectural Approach
Physical
Hosts
NGIPS
NGFW
Clustering
BRKSEC-2048 13

…Leveraging the Infrastructure…
NGIPS
ASA FW
Clustering
BRKSEC-2048 14

NGIPS
ASA FW
Clustering
NGA
Virtual
FlowSensor
Lancope Stealhwatch
Leverage your Cisco Infrastructure to
fight Advanced Pervasive Threats
BRKSEC-2048 15

NGIPS
ASA FW
Clustering
NGA
Virtual
FlowSensor
Lancope Stealhwatch
Leverage your Cisco Infrastructure to
fight Advanced Pervasive Threats
TrustSec with Security Group Tagging
SGT
SGT SGT
SGT
SGT
SGT
SGT
SGT
ISE SGT
Simplify
Automate
Accelerate
Standardize
SGT
BRKSEC-2048 16

…Ready for Next Generation DataCenter.
Physical
Hosts
NGIPS
ASA FW
Clustering
BRKSEC-2048 17

…Ready for Next Generation DataCenter.
VIRTUAL ENDPOINT
ACI Fabric
PHYSICAL ENDPOINT
SERVICE NODES
SECURITY NODES
Application Centric Infrastructure
- Scalable
- Simple
- Flexible
- Reliable
- Automated
- Secured
BRKSEC-2048 18

Feature Product Matrix
ASA/FTD FTD StealthWatch TrustSec
Access Control
Segmentation
Context Discovery
Threat Detection
Threat Protection
APT Detection
Forensic Analysis
Compliance
BRKSEC-2048 19

Feature Product Matrix with ACI
ASA/FTD FTD StealthWatch TrustSec
Access Control
Segmentation
Context Discovery
Threat Detection
Threat Protection
APT Detection
Forensic Analysis
Compliance
BRKSEC-2048 20

Applications All Around Us
…are the driving force of business that are being…
Rapidly developed and
Deployed at scale
…while requiring…
Frequent updates and
Highest Availability (SLAs)
BRKSEC-2048 22

Challenge for Infrastructure
…to keep up with the pace of change
imposed on the:
Network
Security
…functions, while maintaining application:
Capacity
Resiliency
BRKSEC-2048 23

Software-Defined Networking
…Comes to the Rescue
“…is an emerging architecture that is dynamic, manageable, cost-
effective, and adaptable, making it ideal for the high-bandwidth, dynamic
nature of today's applications. This architecture decouples the network
control and forwarding functions enabling the network control to become
directly programmable and the underlying infrastructure to be abstracted
for applications and network services.”
Source: www.opennetworking.org
BRKSEC-2048 24

What are the critical Security Functions
in the DataCenter ?

Protect Mobile Access
to the Data Center
Micro-
Segmentation
Protect Data Center
North-South
Server Quarantine
Automation
Segment Access to
Data Center Resources
Consistent Policies across
Cloud, Virtual & Physical
Secure
Application Tiers
Application Security
Policies Automation
Critical Security Functions
BRKSEC-2048 26

Agenda
Introduction Use Cases Conclusion
Esqueixada Mel i matóFaves a la Catalana

Use Cases
Basic Access Control
 Basic Segmentation
 Micro-Segmentation
 Access Control with NGFW
 Segmentation with NGFW
 Threat Detection with IDS
 Threat Protection with IPS
 Where is my automation in there ?
 Behavior Anomaly Detection
 More Granular Access Control
Faves a la Catalana

About me…
Fabien Gandola – fgandola@cisco.com
TSA Cyber Security EMEAR
19 years in Cisco

ACI Devices Role
“App”“DB”
Service
Consumers
Leaf Nodes
Service Producers
APIC Controller
Spine Nodes
BRKSEC-2048 38

TRUST BASED ON LOCATION
(Traditional DC Switch)
Servers 2 and 3 can
communicate unless blacklisted
1 42 3
No communication allowed between
Servers 2 and 3 unless there is a whitelist policy
ZERO TRUST ARCHITECTURE
(Nexus 9K with ACI)
EPG 1
“WEB”
EPG 2
“APP”
1 2 3 4
ACI Whitelist Policy supports “Zero Trust” Model
Whitelist policy = Explicitly configured ACI contract between EPG 1 and EPG 2
allowing traffic between their members
BRKSEC-2048 39

External
Network
App DBWeb
QoS
Filter
QoS
Service
QoS
Filter
ACI uses a policy based approach that
focuses on the application.
The Heart of ACI
BRKSEC-2048 40

ACI Communication Abstraction
ACI Fabric
APIC
Security Services
“App”“DB”
BRKSEC-2048 41

ACI Fabric
APIC
Security Services
Security Policy
“App” → “DB”
All TCP/UDP:
- Accept
- Redirect to FW and IPS
All Other :
- Drop
“App”“DB”
BRKSEC-2048 42

ACI Fabric
APIC
Security Services
Security Policy
All TCP/UDP:
- Accept
All Other :
- Drop
“App”“DB”
BRKSEC-2048 43

What are the ACI Building Blocks ?
BRKSEC-2048 44

First, we need a way to identify and group together end points.
Web Tier App Tier DB Tier
EP EP EP
EP
EP
EP
EP
EP EP
EP
EP EP
A Policy Based on Groups
BRKSEC-2048 45

“EPG Web” “EPG DB”
EP EP
EP
EP
EP
“EPG App”
EP EP
EP EP
EP
EP EP
In the ACI model, we do this using the End Point Group (EPG).
End Point Group
BRKSEC-2048 46

Endpoint Groups Communications
Devices within an Endpoint group can communicate, provided that they have IP reachability (provided by the
Bridge Domain/VRF).
Communication between Endpoint groups is, by default, not permitted.
“EPG Web”
EP
EP
EP
EP
“EPG App”
EP EP
EP EP
“EPG DB”
EP EP
EP EP
BRKSEC-2048 47

“EPG Web”
EP
EP
EP
EP
“EPG App”
EP EP
EP EP
“EPG DB”
EP EP
EP EP
Contract
Once we have our EPGs defined, we need to create policies to
determine how they communicate with each other.
BRKSEC-2048 48

“EPG Web”
EP
EP
EP
EP
“EPG App”
EP EP
EP EP
“EPG DB”
EP EP
EP EP
Contract : Kind of reflexive “Stateless” ACLs
Filters
TCP: 80
TCP: 443
A contract typically refers to one or
more ‘filters’ to define specific
protocols & ports allowed between
EPGs.
BRKSEC-2048 49

Create a Contract
BRKSEC-2048 50

L3out
Access Control From Outside
EPG
Web
EPG
App
EPG
DB
Contract
Client-Web
Perimeter Stateless Access Control
BRKSEC-2048 51

How Secure is the Fabric to rely on it for
Security ?

ACI Fabric Security
• Whitelist Security Model
• APIC Hardening
• APIC Northbound Protocols
• APIC Northbound Authentication
• Two Factor Authentication
(RSA Secure ID)
• APIC to Switch Authentication and
Encryption
• NXOS Image Signing and Verification
• Role Based Access Control
• Audit Logs for all Changes
• Security Compliance Report
• Security Certifications
• MACsec Support
• 802.1X
BRKSEC-2048 53

For more information on ACI fabric security:
http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-736292.html
BRKSEC-2048 54

Is there away to create Management
zones ?

A Tenant is a container for
all network, security,
troubleshooting and L4 – 7
service policies.
Engineering-Tenant Marketing-Tenant
Tenants
Tenant resources are
isolated from each other,
allowing management by
different administrators.
Tenants can provide traffic and
RBAC isolation…
ACI Fabric
IT Internet
Shared
Services
Test /
Dev
IPTV
BRKSEC-2048 56

• Introduction
• Use Cases :
 Basic Access Control
Basic Segmentation
 Segmentation with NGW
 Where is my Automation in there ?
• Conclusion

“EPG Web”
EP
EP
EP
EP
“EPG App”
EP EP
EP EP
“EPG DB”
EP EP
EP EP
Contract
Once we have our EPGs defined, we need to create policies to
determine how they communicate with each other.
BRKSEC-2048 58

L3out
Segmentation Using Contracts
EPG
Web
EPG
App
EPG
DB
Contract
Client-Web
Contract
Web-App
Contract
App-DB
Stateless Firewall(Contract)
Load Balancer
BRKSEC-2048 59

But what if I want all EPGs to be able to
send syslog, query DNS, communicate
with the AD etc?

vzAny applies rules to all EPGs in a VRF
EPG A
Provider
EPG
vzAny
EPG
vzAny
EPG
vzAny
EPG A
Consumer
EPG
vzAny
Syslog Syslog Syslog
Any EPG can
consume syslog that
EPG A provides
EPG A can consume
Syslog from any EPG
in the VRF
Any EPG in the VRF
can consume or
provide syslog
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_Use_vzAny_to_AutomaticallyApplyCommunicationRules_toEPGs.html#concept_F2BC3533BF984F
1F88A18B712ED9C072
BRKSEC-2048 61

But what if I want some EPGs to
communicate freely between
themselves?

Contract Preferred Groups
Allow traffic between a group of EPGs
EPG A EPG B
EPG C EPG D
EPG 1
EPG 2
Contract Preferred Group Alphabet
No contract required within the group Contract required
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_APIC_Contract_Preferred_Group.html
BRKSEC-2048 63

Those 2 forms of contracts helps a lot
fighting the number of contracts in
TCAM.

Is that really helping me Compare to
traditional ACLs ????

The abstraction layer provided by the EPG
detaches the security policy from the
infrastructure such as IP address or Vlans.
BRKSEC-2048 66

“EPG Web”
EP
EP
EP
EP
“EPG App”
EP EP
EP EP
“EPG DB”
EP EP
EP EP
Application Profile
Contract Contract
A collection of EPGs and the associated contracts that define
how they communicate form an Application Profile.
Application Profile “My Expenses”
BRKSEC-2048 67

Vmware keeps talking about NSX Micro-
segementation…

• Introduction
• Use Cases :
Micro-Segmentation
• Conclusion

The ACI Micro Segmentation Toolbox
EPGs & Contracts
ACI Policy Model
Intra-EPG isolation
BRKSEC-2048 70

Intra-EPG isolation
• Functional equivalent to Isolated
Private VLAN: ALL endpoints in
EPG are isolated from each
other
• Supported since ACI 1.2(2)
• Can be combined with Micro-
segmented EPG
BRKSEC-2048 71

Intra-EPG endpoint isolation
BRKSEC-2048 72

Micro-segmented EPGs
with attributes• Use of attributes to classify
endpoints in a specific kind of EPG
called µEPG
• Network-based attributes:
IP/MAC
• VM-based attributes: Guest OS,
VM name, ID, vnic, DVS,
Datacenter
• Does not create a Port Group on
VMM (no vnic reassign)
• Supported since ACI 1.1(1)
BRKSEC-2048 73

About Micro-segmented EPGs
• µSeg EPGs are not linked to a “Base” EPG (though virtual endpoints are still
“attached” to their corresponding Port Groups):
• They have their own Bridge Domain  Endpoints addressing must be taken into
consideration in the design
• They have their own set of Contracts  There is no contract inheritance from the “Base”
EPG.
• Attributes are matched using an “OR” operator with a precedence order in case
of conflict
• Any VM in the VMM Domain & Tenant matching an attribute will be put in the µSeg EPG 
Choose wisely the attribute(s) you want to match
• In the last 2 case studies, Custom Attributes would be a natural choice
BRKSEC-2048 74

USE CASE
Use Case #1: Securing infrastructure
Use Case #2: Quarantining compromised endpoints
Use Case #3: Securing an application through Dev,
Test & Prod stages
BRKSEC-2048 75

WAN
Use Case 3: Application life Cycle
WAN
http://172.16.1.100
VIP - 172.16.1.100
Web Application protected
by a NGFW at the perimeter
172.16.10.0/24
Web
VM1
DB
VM
Web
VM2 Single Subnet to
simplify IPAM
tcp/3306
tcp/80
tcp/80
Web
VM1
Web
VM2
VM
MySQL
Joomla Web Application
Web Database
Production
Environment
Load Balancer can reach
web servers, but not the
DB
Web Servers reach DB via
NGFW, but do not need to
talk to each other
BRKSEC-2048 76

Web Database
Dev
WAN
tcp/80
tcp/80
Web
VM1
Web
VM2
VM
MySQL
Web Database
Prod
tcp/3306
http://172.16.1.100/acme
172.16.1.100
Test vDesktops
VM
MySQL
Web
VM3
BRKSEC-2048 77

Web Database
Dev
WAN
tcp/80
tcp/80
Web
VM1
Web
VM2
VM
MySQL
Web Database
Prod
tcp/3306
http://172.16.1.100/acme
172.16.1.100
Test vDesktops
VM
MySQL
Web Database
Test
VM
MySQL
HAProxy
172.16.1.200
Web
VM3
BRKSEC-2048 78

Web Database
Dev
WAN
tcp/80
tcp/80
Web
VM1
Web
VM2
VM
MySQL
Web Database
Prod
tcp/3306
http://172.16.1.100/acme
172.16.1.100
Test vDesktops
VM
MySQL
Web Database
Test
VM
MySQL
HAProxy
172.16.1.200
Web
VM3
BRKSEC-2048 79

Web Database
Dev
WAN
tcp/80
tcp/80
Web
VM1
Web
VM2
VM
MySQL
Web Database
Prod
tcp/3306
http://172.16.1.100/acme
172.16.1.100
Test vDesktops
VM
MySQL
Web Database
Test
VM
MySQL
HAProxy
172.16.1.200
Test Site:
http://172.16.1.200/acme
Web
VM3
BRKSEC-2048 80

Web Database
Dev
WAN
tcp/80
tcp/80
Web
VM1
Web
VM2
VM
MySQL
Web Database
Prod
tcp/3306
http://172.16.1.100/acme
172.16.1.100
Test vDesktops
VM
MySQL
Web Database
Test
VM
MySQL
HAProxy
172.16.1.200
Test Site:
http://172.16.1.200/acme
Web
VM3
BRKSEC-2048 81

Web Database
Dev
WAN
tcp/80
tcp/80
Web
VM1
Web
VM2
VM
MySQL
Web Database
Prod
tcp/3306
http://172.16.1.100/acme
172.16.1.100
Test vDesktops
VM
MySQL
Web Database
Test
VM
MySQL
HAProxy
172.16.1.200
Test Site:
http://172.16.1.200/acme
Web
VM3
BRKSEC-2048 82

Web Database
Dev
WAN
tcp/80
tcp/80
Web
VM1
Web
VM2
VM
MySQL
Web Database
Prod
tcp/3306
http://172.16.1.100/acme
172.16.1.100
Test vDesktops
VM
MySQL
Web Database
Test
VM
MySQL
HAProxy
172.16.1.200
Test Site:
http://172.16.1.200/acme
Web
VM3
Pool automatically updated
by APIC when VM moves
into uEPG
New VM added to NGFW
rules allowing DB access
BRKSEC-2048 83

Web Database
Dev
WAN
tcp/80
tcp/80
VM
MySQL
Web Database
Prod
tcp/3306
http://172.16.1.100/acme
172.16.1.100
Test vDesktops
VM
MySQL
Web Database
Test
VM
MySQL
HAProxy
172.16.1.200
Test Site:
http://172.16.1.200/acme
Web
VM3
Pool automatically updated
by APIC when VM moves
into uEPG
New VM added to NGFW
rules allowing DB access
BRKSEC-2048 84

Micro Segmented EPGs with VM Attributes
WAN/INTERNET
V
M
V
M
V
M
V
M
V
M
V
M
V
M
V
M
vSphere Clusters MGMT &
Storage
Production
Clusters
Test
Clusters
V
M
V
M
V
M
V
M
BRKSEC-2048 85

ACI has a wide segmentation support
Intra-EPG • DVS since
ACI 1.2(2)
• AVS since ACI
1.3(1)
• Roadmap • Supported
since ACI
1.2(2)
• Supported
since ACI
1.2(2)
Micro-
segmentation
• DVS since
ACI 1.3(1)
with
9300-EX
hardware
• AVS since ACI
1.1(1)
• Microsoft
Virtual
Switch
since ACI
1.2(1)
• Roadmap • IP EPG since
ACI 1.2(1)
with -E
hardware
• MAC EPG
planned
BRKSEC-2048 86

Micro-Segmentation HW Support
1st generation (-E) (-EX)
AVS Useg (VM, IP, MAC) Yes Yes Yes
Microsoft Useg (VM, IP, MAC) Yes Yes Yes
vDS Useg (VM, IP, MAC) No No Yes
Bare-Metal (IP-EPG) No Yes* Yes*
Bare-Metal (MAC-EPG) N/A Yes Yes
Openstack (GBP) No Future Future
Container No Future Future
* Caveat: IP-EPGs must be in 2 subnets
BRKSEC-2048 87

EPGs & Contracts
ACI Policy Model
Intra-EPG isolation
Micro-segmented EPGs
with attributes
Intra-EPG Contracts
BRKSEC-2048 88

• Introduction
• Use Cases :
Access Control with NGFW
 Segmentation with NGFW
• Conclusion

Cisco ACI Supports Flexible East-West Security Models
L4 Stateless Security
Firewall at Each
Leaf Switch
Servers (Physical or Virtual)
► L4 Distributed Stateless Firewall
L4 Stateless Firewall Attached
to Every Server Port
Line Rate Policy Enforcement
Policy Follows Workloads
Advanced Protection with NGFW, IPS/IDS,
DDoS Services Insertion
Sizing at Scale: Can add ASA Cluster
L4-7 Security Policy Applied
Consistently for Any Workload
L4−7 Security via Cisco ACI™
Service Graph►
L4-7 Security Services
(physical or virtual,
location independent)
Cisco ACI Services
Graph
L4-7 Visibility and Control
BRKSEC-2048 90

Why Inserting Security Services ?
• Stateless Segmentation not sufficient for compliance
• More granular Access Control (i.e. user or group based)
• Dynamic protocol requiring better inspection
• Better protection and detection mechanisms
BRKSEC-2048 91

Where to Insert Security Services in the Fabric ?
NGFW Appliance and Virtual NGIPS Appliance and Virtual
WE DON’T REALLY CARE !!!!
BRKSEC-2048 92

How to Insert Security Services
• Network Stitching ACI L2 Fabric
• Service graph insertion
• Unmanaged
• Managed with Device package
• Managed Hybrid
Match the requirements and operation
model of the DC and Security Team
BRKSEC-2048 93

Flexible Options for Services Insertion
• APIC defines Tenants
• EPG is VLAN/Subnet
• Fabric GW/Routing
• No Device Package:
-Network Policy Mode
SecOps Control Service
• Orchestrate with Vendor:
- Service Policy or
- Service Manager
Device Packages
EPG
Web
EPG
App
EPG
DB
EPG
Web
EPG
App
EPG
DB
Unmanaged Service Graphs
EPG
Web
EPG
App
EPG
DB
Managed Service Graphs
ACI L2 Fabric Service Graph
No Package
Service Graph
Managed
APIC in
Control
BRKSEC-2048 94

L2 Network Stitching
EPG
Web
EPG
App
EPG
DB
BD Web BD App BD DB
- Each Interfaces of the Firewall is
set to belong to the different EPG
- The Forwarding decision is 100%
network centric, and doesn’t
involve APIC
- NO CONTRACT NEEDED
- No Integration with APIC
When use this method :
- When policy is quite static
- When more than 2 interfaces
needed on the FW
BRKSEC-2048 95

Service Graph technology was designed to
automate and accelerate the deployment of
L4-L7 sevices in the network.

Why Use Service Graph ?
• Security is fully inserted to the Application as the service graph is an extension
of the contract in the Application Profile
• Granular way to send traffic to the Security Service using the contract
• Configuration Templates
• Automation of the Network configuration both for Fabric and Security appliance (
with Device Package)
• Statistics and health score automatically collected for the services
• Dynamic update of the ACLs based on End point discovery in the EPG
• Insert several services seamlessly with Service Chaining
BRKSEC-2048 97

ACI Zero Trust Model
ACI Fabric
APIC
“App”“DB”
CONTRACT
BRKSEC-2048 98

Build a Policy with Service Graph
ACI Fabric
APIC
Security Services
Security Policy
All TCP/UDP:
- Accept
All Other :
- Drop
“App”“DB”
BRKSEC-2048 99

“EPG Web”
EP
EP
EP
EP
“EPG App”
EP EP
EP EP
“EPG DB”
EP EP
EP EP
Service Graph
Contract Contract
In order to add L4-7 services such as security, you can add a
Service Graph to a contract to redirect traffic to a Service
Producer such as an ASA or Firepower NGIPS
BRKSEC-2048 100

Add a Service graph to a Contract
BRKSEC-2048 101

Service Automation Through Device Package
Device Package
Device Specification
<dev type= “f5”>
<service type= “slb”>
<param name= “vip”>
<dev ident=“210.1.1.1”
<validator=“ip”
<hidden=“no”>
<locked=“yes”>
Cisco APIC – Policy Element
Script Engine
APIC Node
BRKSEC-2048 102

Device Package
<dev ident=“210.1.1.1”
<validator=“ip”
<hidden=“no”>
<locked=“yes”>
Script Engine
APIC Node
• Service automation requires a vendor
device package. It is a zip file
containing
BRKSEC-2048 103

Device Package
<dev ident=“210.1.1.1”
<validator=“ip”
<hidden=“no”>
<locked=“yes”>
Device Model
Script Engine
APIC Node
containing
− Device specification (XML file)
BRKSEC-2048 104

Device Package
<dev ident=“210.1.1.1”
<validator=“ip”
<hidden=“no”>
<locked=“yes”>
Device Model
Device-Specific Python Scripts
Script Engine
APIC Node
containing
− Device scripts (Python)
BRKSEC-2048 105

Device Package
<dev ident=“210.1.1.1”
<validator=“ip”
<hidden=“no”>
<locked=“yes”>
Device Model
Cisco APIC Script Interface
Script Engine
APIC Node
containing
• Cisco® APIC interfaces with the device
using device Python scripts
BRKSEC-2048 106

Device Package
<dev ident=“210.1.1.1”
<validator=“ip”
<hidden=“no”>
<locked=“yes”>
Device Model
Script Engine
APIC Node
containing
• Cisco APIC uses the device
configuration model provided in the
package to pass appropriate
configurations to the device scripts
• Device script handlers interface with
the device using its REST or CLI
interface
BRKSEC-2048 107

Device Package
<dev ident=“210.1.1.1”
<validator=“ip”
<hidden=“no”>
<locked=“yes”>
Device Model
Script Engine
APIC Node
containing
interface
Device Interface: REST/CLI
Service Device
Service automation
requires a vendor device
package. Itis a zip file
containing
Device specification
(XML file)
Device scripts (Python)
BRKSEC-2048 108

Device Package
<dev ident=“210.1.1.1”
<validator=“ip”
<hidden=“no”>
<locked=“yes”>
Device Model
Script Engine
APIC Node
containing
interface
Device Interface: REST/CLI
Service Device
Service automation
requires a vendor device
package. Itis a zip file
containing
Device specification
(XML file)
Device scripts (Python)
Device Manager Console
BRKSEC-2048 109

FTD Device Package 1.0
Hybrid Mode – NGFW configuration ownership is shared between APIC & FMC
• Service Manager Model – Firepower Management Center (FMC)
• APIC orchestrates the following FTD items using FMC REST-API:
• FTD(v) interfaces – virtual switch port-groups or VLAN sub-interfaces
• NGFW/IPS mode (Routed FW, Transparent FW BVI, or NGIPS Inline Pair)
• Consumer and Provider Security Zones, and their Rule direction: bidir or unidir
• Create a new or update existing Access Control Policy (ACP) Rule
• APIC creates a new Deny Rule(s), requiring Security Admin to update this rule before traffic is
allowed. Admin can update Rule comments to ensure the Rule remains in FMC on graph detach.
• APIC updates existing Allow Rule(s), by inserting security zones to previously configured FMC
Rules with an appropriate threat and access protocol configuration.
BRKSEC-2048 110

FTD Device Package Features Coming Soon
• FMC REST-APIs in upcoming releases will allow these additions to the device package:
• Dynamic or Static Routing
• Port-channels
• FTD Failover or Clustering
• Access Control Policy Rule Ports/IPs
• Upcoming Firepower NGFW features to improve ACI integration:
• FTD multiple contexts (separate Access Control Policies per Tenant)
BRKSEC-2048 111

Why Use Managed Service Graph ?
• Full Tenant orchestration with L4-L7 services
• ACL changes on the firewall can be offloaded to custom tools, using Northbound
API
• ASA-like device package allows for very fast deployment of security
• APIC monitors the service health and validates configuration
• Flexibility gained with Device Manager model where APIC orchestrates data
plane while allowing SecOps team to manage the policy with the same
tools
BRKSEC-2048 112

Why Use Unmanaged Service Graph ?
• Continuity of the SecOps management workflows and tools
• No device package available from a Vendor
• Quicker migration of security appliance configs and policies into ACI fabric
• Allow use of the full spectrum of product features, not just the features
supported by the device package
BRKSEC-2048 113

Can we get the benefits of the Device
Package without the Drawbacks ?

Service Graph Hybrid Managed
• Leverage the network and interface configuration automation from APIC
with the Device Package
• Leverage the External Security management solution for the security team to
create the security policy
• Use the Service graph to tie together the policy and the network insertion
BRKSEC-2048 115

FTD Device Package Workflow
1. Existing Rule - Security Admin uses FMC to create an ACP Rule to be used
with the new service graph. The rule includes allowed protocols, NGIPS, and
AMP protections.
o Network Admin uses APIC to attach Security Zones to a given Rule, directing service
graph traffic to an appropriate NGFW inspections.
2. New Rule – Network Admin uses APIC to create a new security Rule on FMC
using the service graph. This is a Deny rule, preventing traffic flow until
Security Admin gets a changes to update it.
o Security Admin uses FMC to update the new ACP Rule with an appropriate allowed
protocol, NGIPS, and AMP policy. To prevent deletion of this rule on service graph
detach, Security Admin can preserve configured security policy by updating ACP Rule
comments.
BRKSEC-2048 116

Until recently, Security service insertion
was looking like that :

L3out
Perimeter FW Goto Mode
Enclave with Single Segment
EPG
Web
EPG
App
EPG
DB
Contract
Client-Web
Contract
Web-App
Contract
App-DB
Perimeter Stateful Firewall
Load Balancer
BRKSEC-2048 118

Engineering-Tenant
VRF aka Context aka Private Network
VRF(also called contexts) are
defined within a tenant to allow
isolated and potentially
overlapping IP address space.
VRF-1
VRF-2
VRF-3
VRF-4
BRKSEC-2048 119

Engineering-Tenant
Bridge Domain: Not a VLAN but almost…
VRF-1
VRF-2
VRF-3
VRF-4
Within a private network, one
or more bridge domains must
be defined.
A bridge domain is a L2
forwarding construct within
the fabric, used to constrain
broadcast and multicast traffic
Bridge Domain 1
Bridge Domain 2
Bridge Domain 3
Bridge Domain 4
Bridge Domain 5
Bridge Domain 7
Bridge Domain 8
Bridge Domain 6
BRKSEC-2048 120

In Summary
Tenant “University”
PN “Engineering” PN “Business”
Subnet 172.1.1.0/24
Subnet 172.1.2.0/24
…
Subnet 172.20.1.0/24
EPG
Web
EPG
App
Bridge Domain 172
Subnet 10.1.1.0/24
EPG
DB
Bridge Domain 10
Policy “HTTP”
Policy “SQL”
Subnet 10.1.1.0/24
Subnet 10.1.2.0/24
…
Bridge Domain 100
EPG
App
EPG
Web
EPG
DB
Policy “HTTP”
Policy “SQL”
InfrastructureApps
BRKSEC-2048 121

Use Case 1 (Topology)
192.168.11.100/24
L3out
0.0.0.0/0
192.168.11.200/24
192.168.11.1/24
GW: 192.168.11.254
172.16.10.1
172.16.10.254
10.1.1.254 10.1.1.1
EPG
Web
EPG
DB
EPG
App
192.168.11.254
BD: ASA-external BD: ASA-internal
Typically Web services
would be nated or load-
balanced.
BRKSEC-2048 122

L3out
Perimeter FW in GoTo mode
Enclave with Multiple Segment
EPG
Web
EPG
App
EPG
DB
Contract
Client-Web
Contract
Web-App
Contract
App-DB
Perimeter Stateful Firewall
Load Balancer
BRKSEC-2048 123

Topology
VIP1: 110 TCP 80
VIP2: 120 TCP 5001
VIP3: 130 TCP 6001
192.168.10.200/24
GW: 192.168.10.254
BD: App
192.168.12.1/24
GW: 192.168.12.254
L3out
0.0.0.0/0
BD: LB
BD: DB
192.168.13.1/24
GW: 192.168.13.254
BD: Web
192.168.11.1/24
GW: 192.168.11.254
172.16.10.1
172.16.10.254
10.1.1.254 10.1.1.1
EPG
Web
EPG
DB
EPG
App
172.16.11.1
172.16.11.254
Reuse same L4-L7 Device
• ADC Interface: reusable
• VIP: different for each deployment
BD: ASA-external BD: ASA-internal
BRKSEC-2048 124

Security Service insertion had to be
thought carefully while the fabric was
designed.

Policy Based Redirect is your Best Friend
Before Service graph is deployed
EPG
Web
EPG
DB
EPG
App
BD: App
192.168.12.1/24
GW: 192.168.12.254
BD: DB
192.168.13.1/24
GW: 192.168.13.254
BD: DB
192.168.11.1/24
GW: 192.168.11.254
192.168.11.254 192.168.12.254 192.168.13.254
APIC relies on
Routing to forward
traffic from Server in
EPG WEB to Server
in EPB APP based
on contract
BRKSEC-2048 127

Policy Based Redirect is your Best Friend
With PBR Service Graph
EPG
Web
EPG
DB
EPG
App
BD: App
192.168.12.1/24
GW: 192.168.12.254
BD: DB
192.168.13.1/24
GW: 192.168.13.254
BD: DB
192.168.11.1/24
GW: 192.168.11.254
192.168.11.254 192.168.12.254 192.168.13.254
BD: ASA-external
L3 Enabled
BD: ASA-external
L3 Enabled
192.168.100.0/30 192.168.100.4/30
192.168.100.1 192.168.100.5
APIC relies on PBR to redirect
the traffic defined in the contract
to the Security Service
BRKSEC-2048 128

Fabien, PBR seems great to insert
service at L3 but how does that help for
segmentation ?

• Introduction
• Use Cases :
Segmentation with NGFW
• Conclusion

PBR for micro-Segmentation
Based only on Contract
EPG
Web
EPG
DB
EPG
App
BD: MyApp
192.168.10.0/24
L3 Enabled
192.168.10.254
192.168.10.100 192.168.10.200
Because this is a
communication
between two End-
points in different
EPG, the
forwarding decision
is made in the leaf
switch
BRKSEC-2048 131

Leveraging PBR
BD: ASA
L3 Enabled
EPG
Web
EPG
DB
EPG
App
BD: MyApp
192.168.10.0/24
L3 Enabled
192.168.10.254
192.168.10.100 192.168.10.200
192.168.200.254
192.168.200.254
Because the traffic goes to Leaf
Switch where PBR rules are
enforced, traffic will be sent to the
security service defined in the
Service Graph.
BRKSEC-2048 132

Leveraging PBR
BD: ASA
L3 EnabledEPG
Web
EPG
DB
EPG
App
BD: MyApp
192.168.10.0/24
L3 Enabled
192.168.10.254
192.168.10.100 192.168.10.200
192.168.200.254
192.168.200.254
The Firewall must be in ONE ARM
as source and destination are in the
same Subnet. It must allow traffic
in and out via the same interface.
BRKSEC-2048 133

Demonstration :
Policy Based Redirect

There is a risk for the L4-7 Service
Graph to be bypassed if there is
more than one contract between the
2 EPGs.
Policy Based Redirect Consideration
BRKSEC-2048 135

The most precise contract will be applied.
PBR Consideration Explanation
EPG
Web
EPG
App
Contract 1: Permit TCP any any  Service Graph Firewall
EPG
Web
EPG
App
Contract 2: Permit TCP any any eq HTTP
BRKSEC-2048 136

The most precise contract will be applied !!!
PBR Consideration Explanation
EPG
Web
EPG
App
Contract 1: Permit TCP any any  Service Graph Firewall
EPG
Web
EPG
App
Contract 2: Permit TCP any any eq HTTP
Because contract 2 is more precise,
the HTTP traffic between EPG Web
and EPG App will not be sent to the
Firewall for inspection.
BRKSEC-2048 137

Proper RBAC configuration and
Auditing are key to enfore roles and
responsabilities

Policy Based Redirect Requirements
• APIC must be v 2.0.1 or Higher
• The Service switch must be at least ‘-EX’ or more recent
• If not all the fabric is ‘-EX’, the Service switch must be dedicated to Services (i.e.
no workload connected with the L4-7 services)
BRKSEC-2048 139

• Introduction
• Use Cases :
Threat Detection with IDS
• Conclusion

IDS Insertion in ACI
• Traditional Span mechanism based on EPG source/Destination
• NEW Copy Service :
• Specific Service graph
• As based attached to contract, leverage Subject for a more granular selection of traffic
than SPAN
- Require –EX leaf switch
- Support only one device per copy cluster
BRKSEC-2048 142

ACI Integration with SPAN
BRKSEC-2048 143

BRKSEC-2048 144

SPAN: Add Source
BRKSEC-2048 145

SPAN: Add Source
BRKSEC-2048 146

Service Copy Configuration Steps
• Identify the source and destination endpoint groups.
• Configure the contract that specifies what to copy according to the subject and what is
allowed in the contract filter.
• Configure Layer 4 to Layer 7 copy devices that identify the target devices and specify the
ports where they attach.
• Use the copy service as part of a Layer 4 to Layer 7 service graph template.
• Configure a device selection policy that specifies which device will receive the traffic from
the service graph. When you configure the device selection policy, you specify the
contract, service graph, copy cluster, and cluster logical interface that is in copy device.
BRKSEC-2048 147

Copy Service : Service Graph Template
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-
L7_Services_Deployment/guide/b_L4L7_Deploy_ver211/b_L4L7_Deploy_ver211_chapter_01101.html
#id_28562
BRKSEC-2048 148

• Introduction
• Use Cases :
Threat Protection with IPS
• Conclusion

Cisco Firepower Threat Defense Features
Cisco Firepower Threat Defense Full Feature-Set - NGFW
Cisco
Firepower
Threat Defense
6.2
 L2-L7 Firewall with L3 (Routed), L2 (Transparent IRB or Inline-NGIPS) Modes
 Scalable CGNAT, ACL, Dynamic Routing, Fail-to-Wire I/O modules
 Application Inspection, PKI for Site-to-Site VPN, Onbox Manager
 Inter-chassis cluster, FlexConfig, REST-APIs, Packet Tracer/Capture
 NSS Leading Next-Gen IPS - SourceFIRE
 Comprehensive Threat Prevention, L7 Application Visibility and Control
 Security Intelligence (C&C, Botnets, IP, DNS, etc.), Threat / Risk Reports
 Blocking of Files by Type, Protocol, and Direction, Protocol Rate Limiting
 Access Control: Enforcement by Application and User AD integration
 Switch, Routing, NAT Options, and ISE PxGRID integration
 URL Filtering, Malware Blocking, Continuous File Analysis
 Malware Network Trajectory, User-based IOCs, URL lookup
 AMP public & private cloud with ThreatGrid, FMC-ThreatGrid APIs
 Firepower Management Center (fka. FireSIGHT or Defense Center)
BRKSEC-2048 150

GoThrough Perimeter NGIPS
The Server gateway is out of the fabric
EPG
Web
192.168.12.50/24
GW: 192.168.12.254
EPG
DB
EPG
App
192.168.12.254
BD: ASA-external
L3 enabled
192.168.12.100/24
GW: 192.168.12.254
192.168.12.50/24
GW: 192.168.12.254
BD: ASA-internal
No L3
VRF
MyApp
Service Graph will not allow each Bridge Domain on each side to have L3
enabled. This might prevent to use Dynamic Update for ACL on the FW
VRF OutSide
BRKSEC-2048 151

NGIPS between App Tiers
EPG
Web
EPG
DB
EPG
App
BD: Web
L3 Disabled
192.168.12.254
BD: ASA-external
L3 Enabled
BD: App
L3 Disabled
BD: DB
L3 Disabled
VRF
web
VRF
DB
VRF
App
VRF outside
Service Graph will not allow each Bridge Domain on each side to have L3
enabled. This might prevent to use Dynamic Update for ACL on the FW
BRKSEC-2048 152

My Best Practices
• For new deployment PBR is recommended when possible
EPG
Web
EPG
DB
EPG
App
BD: MyApp
192.168.10.0/24
L3 Enabled
192.168.10.100 192.168.10.200
BRKSEC-2048 154

My Best practices
• Leverage L4-7 security services for the access control of an enclave or security
zone
EPG
Web
EPG
DB
EPG
App
App1
EPG
Web
EPG
DB
EPG
App
App 2
EPG
Web
EPG
DB
EPG
App
App3
BRKSEC-2048 155

My Best practices
• Leverage L4-7 security services for the access control of an enclave or security zone
• Leverage Contracts within an Enclave for segmentation
EPG
Web
EPG
DB
EPG
App
App1
EPG
Web
EPG
DB
EPG
App
App 2
EPG
Web
EPG
DB
EPG
App
App3
BRKSEC-2048 156

Best practices
• For new deployment PBR is
recommended when possible
• Leverage L4-7 security services for the
access control of an enclave or security
zone
• Leverage Contracts within an Enclave for
segmentation
• Enhanced Segmentation and Threat
Detection with L4-7 Services in
sensitive area
EPG
Web
EPG
DB
EPG
App
App1
EPG
Web
EPG
DB
EPG
App
App 2
EPG
Web
EPG
DB
EPG
App
App3
BRKSEC-2048 157

Best practices
zone
segmentation
Detection with L4-7 Services in sensitive
area
• Leverage IDS for visibility and
dynamically change security policy
when potential threat detected.
EPG
Web
EPG
DB
EPG
App
App1
EPG
Web
EPG
DB
EPG
App
App 2
EPG
Web
EPG
DB
EPG
App
App3
BRKSEC-2048 158

Best practices
zone
segmentation
area
EPG
Web
EPG
DB
EPG
App
App1
EPG
Web
EPG
DB
EPG
App
App 2
EPG
Web
EPG
DB
EPG
App
App3
BRKSEC-2048 159

Best practices
zone
segmentation
area
EPG
Web
EPG
DB
EPG
App
App1
EPG
Web
EPG
DB
EPG
App
App 2
EPG
Web
EPG
DB
EPG
App
App3
BRKSEC-2048 160

Best practices
zone
segmentation
area
EPG
Web
EPG
DB
EPG
App
App1
EPG
Web
EPG
DB
EPG
App
App 2
EPG
Web
EPG
DB
EPG
App
App3
BRKSEC-2048 161

Best practices
zone
segmentation
area
EPG
Web
EPG
DB
EPG
App
App1
EPG
Web
EPG
DB
EPG
App
App 2
EPG
Web
EPG
DB
EPG
App
App3
BRKSEC-2048 162

• Introduction
• Use Cases :
Where is my Automation in there ?
• Conclusion

Dynamic Update to EPG Object-Group
web
Consumer
app
Provider
ACE
192.168.10.200192.168.20.200
Object-group
192.168.10.101
New
192.168.10.102
New
object-group network __$EPG$_pod37-aprof-app
network-object host 192.168.10.101
network-object host 192.168.10.102
access-list access-list-inbound extended permit tcp any object-group __$EPG$_pod37-aprof-app eq www
2: APIC create object-group for the EPG.
1: Enable “Attachment Notification”
on function connector internal.
3: APIC add new endpoints to object-group
(192.168.10.101, 192.168.102)
APIC dynamically detects new endpoint,
ASA subscribes to attach/detach event,
and ASA device package automatically
adds EPs to object-group
ASA Device Package
BRKSEC-2048 164

FMC to APIC Rapid Threat Containment
DB EPG
ACI Fabric
App EPG
Infected App1
Step 1: Infected End Point launches an attack
that NGFW(v), FirePOWER Services in ASA,
or FirePOWER(v) appliance blocks inline
Step 2: Intrusion event is generated and sent to
FMC revealing information about the infected host
Step 3: Attack event is configured to trigger
remediation module for APIC that uses NB API to
contain the infected host in ACI fabric
1
FMC
App2
2
34
Step 4: APIC quickly contains/quarantines
the infected App1 workload into an isolated
uSeg EPG
BRKSEC-2048 165

Management tools for every organization
APIC GUI
API - Automation
vCenter Plugin
NX-OS
Style CLI
Choose the
right one!
BRKSEC-2048 166

Cisco ACI interface summary
Cisco ACI
network
APIC
(single point of
management)
CLI
Advanced GUI
Basic GUI
REST
REST client
ACI toolkit
Python SDK
Ruby SDK
Powershell SDK
BRKSEC-2048 167

I don’t know Anything about Scripting !!!
BRKSEC-2048 168

Sniffer: API Inspector
• API calls made by GUI are captured
• GET, POST
• Navigating through panes fetches
data with GET requests
• Submitting configuration changes
uses POST requests
• Record your GUI interaction as
JSON-based REST calls
• Modify and replay with tools like
Postman
BRKSEC-2048 169

Capturing API Calls
BRKSEC-2048 170

Capturing API Calls
BRKSEC-2048 171

Capturing API Calls
BRKSEC-2048 172

Capturing API Calls
BRKSEC-2048 173

Capturing API Calls
BRKSEC-2048 174

Capturing API Calls
POST
url: http://172.23.3.215/api/node/mo/uni/tn-Cisco.json
{
"fvTenant": {
"attributes": {
"name": "Cisco",
"status": "created"
},
"children": []
}
}
BRKSEC-2048 175

Save Objects in JSON format
BRKSEC-2048 176

BRKSEC-2048 177

BRKSEC-2048 178

Edit Your Jason Code
BRKSEC-2048 179

Arya is a tool that takes XML or JSON
object documents as input and outputs
them as Python code leveraging the
ACI Python SDK.
https://github.com/datacenter/arya
Arya - ACI REST Python Adapter
BRKSEC-2048 180

Arya Example
BRKSEC-2048 181

Demo : Automation with API scripts

• Introduction
• Use Cases :
 Access Control with ASA/NGFW
 Segmentation with ASA/NGFW
More Granular Access Control
• Conclusion

access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
with TrustSec
Traditional Security Policy
TrustSec Security Policy
Security Control Automation
Simplified Access Management
Improved Security Efficacy
Network Fabric
Switch Router DC FW DC SwitchWireless
Flexible and Scalable Policy Enforcement
Segmentation
Software Defined
BRKSEC-2048 184

Enabling Group-Based Policies across the Enterprise
• Cohesive security policy
• Simplified security management
• End-to-End segmentation
Voice Employee Supplier BYOD
Campus / Branch / Non-ACI DC
TrustSec Policy Domain
Voice
VLAN
Data
VLAN
Web App DB
ACI Fabric
Data Center
APIC Policy Domain
APIC
DC
ACI Policy DomainTrustSec Policy Domain
BRKSEC-2048 185

Voice
VLAN
Data
VLAN
Web App DB
ACI Fabric
Data Center
APIC Policy Domain
APIC
DC
ISE 2.1
BRKSEC-2048 186

Voice
VLAN
Data
VLAN
Web App DB
ACI Fabric
Data Center
APIC Policy Domain
APIC
DC
BRKSEC-2048 187

TrustSec Security Groups Provisioned in ACI
ISE Dynamically provisions TrustSec
Security Groups in ACI Fabric
ACI
TrustSec
Security Groups
TrustSec Groups represented as
External EPGs
APIC
DC
Max: 200 Security Groups
Up to 4000/32 mappings (gen1)
Up to 10K/32 mappings (gen2) (-EX)
BRKSEC-2048 188

TrustSec Groups Shared with ACI
BRKSEC-2048 189

TrustSec Groups Shared with ACI
BRKSEC-2048 190

Sharing Application Context to TrustSec Policies
ISE dynamically learns internal EPGs
and
VM Bindings from ACI fabric
ACI
VM1
VM1000
TrustSec Domain
TrustSec
ACI Fabric
TrustSec Policies Controlling
Access to ACI Data Centers
APIC
DC
BRKSEC-2048 191

Sharing ACI Endpoint Groups to TrustSec
• EPG suffix added to Security Group name
•IP-SGT bindings from ACI can be propagated over SXP TrustSec devices and to pxGrid peers
BRKSEC-2048 192

Data Plane Integration
New Capabilities:
• Take current SGT propagation methods (DMVPN, GETVPN, SXP, IPSEC, GRE, LISP/VXLAN
(campus fabric) into ACI fabric
Benefits:
• Greater scale (remove IP/Group info from leaf)
• Seamless integration
BRKSEC-2048 193

Sharing Context Across the Enterprise
Enterprise
Backbone
ACI Policy Domain
ACI Spine (N9K)
ISE
BYOD
10.1.10.220
Web
10.1.100.52
TrustSec Border Device
(ASR 1K)
ACI Border Leaf
APIC
DC

Enterprise
Backbone
ACI Policy Domain
ACI Spine (N9K)
ISE
BYOD
10.1.10.220
Web
10.1.100.52
(ASR 1K)
ACI Border Leaf
5
SRC:10.1.10.220
DST: 10.1.100.52
SGT: 5
APIC
DC

Enterprise
Backbone
ACI Policy Domain
ACI Spine (N9K)
ISE
BYOD
10.1.10.220
Web
10.1.100.52
(ASR 1K)
SGT/EPG
Namespace Alignment
ACI Border Leaf
CMD iVXLAN5
SRC:10.1.10.220
DST: 10.1.100.52
SGT: 5
Class ID
SGT # to EPG #
Translation Table
APIC
DC

Enterprise
Backbone
ACI Policy Domain
ACI Spine (N9K)
ISE
BYOD
10.1.10.220
Web
10.1.100.52
(ASR 1K)
SGT/EPG
Namespace Alignment
ACI Border Leaf
CMD iVXLAN5
SRC:10.1.10.220
DST: 10.1.100.52
SGT: 5
#
SRC:10.1.10.220
DST: 10.1.100.52
Class ID
Class ID
SGT # to EPG #
Translation Table
APIC
DC

• Introduction
• Use Cases :
Behavior Anomaly Detection
• Conclusion

Verizon Report
BRKSEC-2048 203

Kill Chain: Post Breach
Firewall
IPS
Web Sec
N-AV
Email Sec
Threat Detection
BRKSEC-2048 204

Firewall
IPS
Web Sec
N-AV
Email Sec
Threat Detection
BRKSEC-2048 205

1. Command
and Control
Firewall
IPS
Web Sec
N-AV
Email Sec
Threat Detection
BRKSEC-2048 206

1. Command
and Control
2. Reconnaissance
Firewall
IPS
Web Sec
N-AV
Email Sec
Threat Detection
BRKSEC-2048 207

1. Command
and Control
2. Reconnaissance
3.Propagation
Firewall
IPS
Web Sec
N-AV
Email Sec
Threat Detection
BRKSEC-2048 208

1. Command
and Control
2. Reconnaissance
3.Propagation
Firewall
IPS
Web Sec
N-AV
Email Sec
Threat Detection
BRKSEC-2048 209

1. Command
and Control
2. Reconnaissance
3.Propagation
4. Data Theft
Firewall
IPS
Web Sec
N-AV
Email Sec
Threat Detection
BRKSEC-2048 210

1. Command
and Control
2. Reconnaissance
3.Propagation
4. Data Theft
Firewall
IPS
Web Sec
N-AV
Email Sec
Threat Detection
BRKSEC-2048 211

1. Command
and Control
2. Reconnaissance
3.Propagation
4. Data Theft
Firewall
IPS
Web Sec
N-AV
Email Sec
Threat Detection
BRKSEC-2048 212

1. Command
and Control
2. Reconnaissance
3.Propagation
4. Data Theft
Firewall
IPS
Web Sec
N-AV
Email Sec
Routers
Switches
Firewall
Threat Detection
BRKSEC-2048 213

1. Command
and Control
2. Reconnaissance
3.Propagation
4. Data Theft
Scalable Network Defense
Firewall
IPS
Web Sec
N-AV
Email Sec
Threat Detection
Routers
Switches
Firewall
BRKSEC-2048 214

Cisco CTD Solution: Providing Scalable Visibility
Drilling into a single flow yields a plethora of information
BRKSEC-2048 215

Collect & Analyze Flows
1 2
• # Concurrent flows
• Packets per second
• Bits per second
• New flows created
• Number of SYNs sent
• Time of day
• Number of SYNs
received
• Rate of connection
resets
• Duration of the flow
• Over 80+ other
attributes
Establish Baseline of Behaviors
Alarm on Anomalies & Changes in Behavior
threshold
threshold
threshold
threshold
Critical Servers Exchange Server Web Servers Marketing
Anomaly detected in
host behavior
3
Flow-based Anomaly Detection
BRKSEC-2048 216

Behavior-Based Attack Detection
High Concern Index indicates a
significant number of suspicious events
that deviate from established baselines
Host Groups Host CI CI% Alarms Alerts
Desktops 10.10.101.118 865,645,669 8,656% High Concern
Index
Ping, Ping_Scan, TCP_Scan
BRKSEC-2048 217

 Reveal Data Loss. Code can be hidden in the enterprise to export of sensitive
information back to the attacker. This Data Leakage may occur rapidly or over time.
NetFlow Security Use cases
 Identify BotNet Command & Control Activity. BotNets are implanted in the enterprise
to execute commands from their Bot herders to send SPAM, Denial of Service attacks, or
other malicious acts.
 Detect Sophisticated and Persistent Threats. Malware that makes it past perimeter
security can remain in the enterprise waiting to strike as lurking threats. These may be
zero day threats that do not yet have an antivirus signature or be hard to detect for other
reasons.
 Find Internally Spread Malware. Network interior malware proliferation can occur across
hosts for the purpose gathering security reconnaissance data, data exfiltration or network
backdoors.
 Uncover Network Reconnaissance. Some attacks will probe the network looking for
attack vectors to be utilized by custom-crafted cyber threats.
It Can :
BRKSEC-2048 218

Cisco Network
StealthWatch
FlowCollector
StealthWatch
Management
Console
NetFlow
Users/Devices
Cisco ISE
NBAR NSEL
StealthWatch Solution Components
StealthWatch
FlowSensor
StealthWatch
FlowSensor
VE
NetFlow
StealthWatch
FlowReplicator
Other
tools/collectors
BRKSEC-2048 219

Cisco Netflow Generation Appliance (NGA)
StealthWatch
FlowCollector
StealthWatch
Management
Console
https
Data Center
Switch
Cisco
NGA
SPAN or
passive Tap
NetFlow
 Offloads NetFlow Generation to Dedicated High-Performance
 End-to-end flow information collected across multiple network
observation points using SPAN and passive TAP
 Up to 6 destinations
• 4x10G Monitoring Interfaces
• 80M Active Flow Cache
• Targets 200K Flow record export per sec
NGA
 Very high volume
 Less boxes and more
centralized deployment
Flow Sensor
 Less scalable
 More capabilities like Deep
Packet inspection and URL data
Create Netflow Records
BRKSEC-2048 220

How do I send Traffic to my FlowSensor ?

• Traditional Span mechanism based on EPG source/Destination
• NEW Copy Service :
• Specific Service graph
• As based attached to contract, leverage Subject for a more granular selection of
traffic than SPAN
How Send Traffic to my FlowSensor ?
- Require –EX leaf switch
- Support only one device per copy cluster
BRKSEC-2048 222

BRKSEC-2048 223

BRKSEC-2048 224

SPAN: Add Source
BRKSEC-2048 225

SPAN: Add Source
BRKSEC-2048 226

Service Copy Configuration Steps
• Identify the source and destination endpoint groups.
• Configure the contract that specifies what to copy according to the subject and
what is allowed in the contract filter.
• Configure Layer 4 to Layer 7 copy devices that identify the target devices and
specify the ports where they attach.
• Use the copy service as part of a Layer 4 to Layer 7 service graph template.
• Configure a device selection policy that specifies which device will receive the
traffic from the service graph. When you configure the device selection policy,
you specify the contract, service graph, copy cluster, and cluster logical interface
that is in copy device.
BRKSEC-2048 227

Copy Service : Service Graph Template
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-
L7_Services_Deployment/guide/b_L4L7_Deploy_ver211/b_L4L7_Deploy_ver211_chapter_01101.html
#id_28562
BRKSEC-2048 228

Tetration Analytics
Whitelist Policy
Recommendation
Recommend
Policy
Enforcement
(Future Roadmap)
Remediate*
SW
Sensors
in Cloud
3rd
Party
HW Sensors
SW Sensors
SW Sensors
Listen
Sensors
Record, Analyze
and Store
Appliance
Application Insights
Policy Simulation / Impact Analysis
Forensics and Compliance
Interact / Verify
Software
3rd Party
Feed
Integrate
*=Roadmap
Nexus 9300-EX

Hardware Sensor and Software Sensor
Accumulated Flow Information (Volume…)
Software Sensor
Process mapping
Process ID
Process owner
Hardware Sensor
Tunnel endpoints
Buffer utilization
Burst detections
Packet drops
Flow
details
Interpacket
variations
BRKSEC-2048 231

Tetration Analytics Highlights
Application Behavior Based Policy
Application
Insights
Automated
Whitelist Policy
Policy Impact
Assessment
Policy
Compliance
Forensics
Every Packet, Any Time, Any Where
BRKSEC-2048 232

Shipping Form Factors for Initial Release
Full Rack Cluster
• 39 Rack Units
• 36 Servers and 3 Switches
• 8 Serving Nodes
• 12 Base Nodes
• 16 Compute Nodes
• Built on UCS C-Series
• Built-in Redundancy
• Full CLOS Network Processing including
Algorithmic Operations
Data retrieval and serving
Telemetry Collection
BRKSEC-2048 233

Internet
DB Proxy
What Is Really Running in my Data Center?
Cisco Tetration Analytics Application Insight—Dependency Map
Use Cisco Tetration
Analytics Outcome and
Link it to Your Services
and Application CMDB
Security
Dependencies
Application
Service Offering
Service
Service Category
(Service Owner)
BRKSEC-2048 234

Application Discovery and Endpoint Grouping
Cisco Tetration
Analytics™
Platform
BM VM VM BM
BM VM VM BM
Brownfield
BM VM VM VM BM
Cisco Nexus® 9000 Series
Bare-metal, VM, &
switch telemetry
VM telemetry
(AMI …)
Bare-metal &
VM telemetry
BM VM
BMVM
VM BM
VMVM
VM BM
BMVM
BM
Network-only sensors,
host-only sensors, or both (preferred)
Bare metal and VM
On-premises and cloud workloads (AWS)
Unsupervised machine
learning
Behavior analysis
BRKSEC-2048 235

Whitelist Policy Recommendation
Application Discovery
App
Tier
DB
Tier
Storage
Web
Tier
Storage
Policy Enforcement
(Future Roadmap)
Whitelist Policy Recommendation
(Available in JSON, XML, and YAML)
BRKSEC-2048 236

Visual Query with Flow Exploration
 Replay flow details like a DVR
 Information mapped across 25 different dimensions
• Thick lines indicate common flows
• Faint lines indicate uncommon flows

Outliers
Switch on Outlier view to
highlight uncommon flows
Outlier dimension is
highlighted with purple circle
BRKSEC-2048 238

Possible malicious DNS traffic
Show all DNS traffic with packets larger then 82 bytes and a flow duration of
greater then 6 seconds.
BRKSEC-2048 239

Tetration Stealthwatch
Datacenter:
Per Packet Telemetry from
Nexus 9000 & Server
Security Anomaly
Detection
Network Wide:
Switching/Routing,
Proxies, Servers, &
Endpoints
Security Forensics
Stealthwatch for Security Analysis
and Policy Monitoring
Application Behavior
Profiling
Automated
Application Grouping
Tetration for Application Analytics and
Application Segmentation
Network as a Sensor in the Data Center
Together
Unmatched
Analytics and Forensics
for
Application and Security
Automated Application
Based Segmentation
Complete Data Control for
Segmentation, Security,
and Forensics
BRKSEC-2048 241

Campus Core Datacenter
Branch
+Cisco
Stealthwatch
Cisco
Stealthwatch Cisco
Stealthwatch
Where is Visibility Needed?
BRKSEC-2048 242

Available Now: Investigative Pivot
Tetration
Analytics
Pivot from Stealthwatch to
Tetration interface during an
Investigation
BRKSEC-2048 243

Monitoring Unified Policy in the Data Centre
Tetration
Analytics
Leverages Stealthwatch Host Group Automation Service
Export workspaces, clusters and applications
discovered in Tetration to Stealthwatch Host Groups
BRKSEC-2048 244

ACIISE 2.1
Tetration
Analytics
App Policy
Shared Policy Groups
Application Based Segmentation
for the Datacenter
Identity Based
Segmentation
Only Cisco can do scalable
granular segmentation end to end
Provide Automated Granular Application Based
Segmentation optimized for in the Datacenter
Provide Identity Based Segmentation
optimized for Branch to Campus to DC
End to End SW Defined Segmentation
BRKSEC-2048 245

Monitoring Unified SGT-ACI Policy
TrustSec Domain
ACI Domain
pci_users
SGT: 16
EV_appProfile_LOB2_App1EPG
SGT: 10005
ACI Domain
Stealthwatch Deployment
Cisco ISE
APIC-DC
syslog
NetFlow
SGT
Definitions
EPG
Definitions
Policy Plane
Integration
Tetration
Analytics
SPAN
Policy
Push
Tetration
Telemetry
BRKSEC-2048 246

• Please complete your Online
Session Evaluations after each
session
• Complete 4 Session Evaluations
& the Overall Conference
Evaluation (available from
Thursday) to receive your Cisco
Live T-shirt
• All surveys can be completed via
the Cisco Live Mobile App or the
Communication Stations
Don’t forget: Cisco Live sessions will be available
for viewing on-demand after the event at
www.ciscolive.com/global/on-demand-library/.
Complete Your Online
Session Evaluation

Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
250BRKSEC-2048

Brksec 2048-demystifying aci-security

Brksec 2048-demystifying aci-security

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Brksec 2048-demystifying aci-security

Semelhante a Brksec 2048-demystifying aci-security (20)

Último

Último (20)

Brksec 2048-demystifying aci-security