Yonatan Klein, Director of Product Management (AlgoSec)
As your network extends beyond the physical data center and you start using Software Defined Networks (SDN) such as Cisco ACI, managing security policies across your hybrid estate becomes complex.
Each part of the network estate is managed in its own silo instead of being managed holistically.
Learn how to unify, consolidate and automate your entire network security policy management, covering both the Cisco ACI SDN fabric and the elements outside it.
In this webinar, Yonatan Klein, Director of Product Management at AlgoSec, explains how to centralize security policy management throughout your network and the unique challenges of managing an SDN fabric such as Cisco ACI, in order to get the most out of your entire network.
He covers how to:
- Proactively assess risk throughout your network, including Cisco ACI contracts, and recommend the necessary changes to eliminate misconfigurations and compliance violations
- Gain full visibility and unify security policy management of your entire hybrid network estate, simulate traffic routes and security policy for ACI and other network devices
- Manage traffic change requests in a holistic manner, including automatically pushing security policy changes to Cisco ACI by creating contracts and filters to enforce data center whitelist policy; as well as identifying and provisioning changes to firewalls both within the ACI fabric as well as other network security controls that are on-premises and in the cloud
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
1. Cisco ACI and your entire hybrid network: Breaking down the Silos with Holistic Central Policy Management
Yonatan Klein, Director, Product Management
2. POLL #1: HOW MANY CISCO TECHNOLOGIES DO YOU RUN IN YOUR DATA CENTERS? (FIREWALLS, ROUTERS, ACI SDN, TETRATION, ISE ETC.)
Please vote using the “Votes from Audience” tab in your BrightTALK panel
• None
• 1
• 2-4
• More than 5
3. WELCOME
Have a question? Submit it via the chat tab or email us: marketing@algosec.com
This webinar is being recorded! The recording will be emailed to you after the webinar, and the slides will be available in the attachments tab.
Follow AlgoSec online!
4. AGENDA
• AlgoSec Background
• AlgoSec and Cisco ACI
• Policy visibility
• Risk & Compliance
• Network-wide change automation
• Consider also service graphs
• AlgoSec and Tetration
• Case Study
5. CORPORATE OVERVIEW
• Founded 2004
• 1800+ Enterprise Customers
• Serving 20 of the Fortune 50
• 24/7 Support via 3 Global Centers
• Passionate about Customer Satisfaction
2 | Confidential
6. BUSINESS DRIVEN SECURITY MANAGEMENT
AlgoSec enables companies to align security with their business processes:
• Business-driven Agility
• Business-driven Visibility
• Business-driven Security
7. BUSINESS-DRIVEN SECURITY MANAGEMENT – USE CASES
Business-Driven Network Security Policy Management: Business-Driven Security, Business-Driven Agility
Unified Visibility Across Cloud, SDN & On-Premise Enterprise Networks
• Auditing & Compliance
• Risk Management
• Business Continuity
• Cloud Security
• Change Management
• Incident Response
• DevOps
• Micro-Segmentation
• Digital Transformation
9. AGENDA (as on slide 4)
10. ALGOSEC CISCO FOCUS
SUPERIOR SUPPORT FOR CISCO DEVICES (existing):
• Security: ASA, FirePOWER
• Networking: IOS, Nexus
• Private Cloud: ACI
• SD-Access: ISE
• Discovery: Tetration
STRONG PARTNERSHIP:
• Synergetic use-cases
• ACI adoption
• Tetration value proposition
• Technical cooperation
• Business cooperation
11. WHY ALGOSEC FOR CISCO ACI
CHALLENGES CUSTOMERS ARE FACING
“Cisco Application Centric Infrastructure (ACI) facilitates application agility and data center automation. This SDN architecture integrates physical and virtual environments, both on-premises and on multiple public clouds, under one policy model for networks, servers, storage, services, and security.”
12. BUT CISCO ACI IS ALREADY SDN, WHY DO WE NEED ALGOSEC?
13. ALGOSEC MANAGES THE HYBRID NETWORK
Diagram: ACI data center; Data Center FWs (L4-L7 services); Perimeter & Upstream FWs
• Visibility & Compliance
• Automatic Provisioning
• Business Applications
14. POLL #2: WHAT IS YOUR MOST CRITICAL CHALLENGE WITH MANAGING NETWORK SECURITY?
Please vote using the “Votes from Audience” tab in your BrightTALK panel
• Lack of overall visibility
• Missing qualified personnel (too many platforms to manage)
• Hard to keep up with SLAs for stakeholder requests
• Maintenance and cleanup of policy
15. ALGOSEC OFFERING – APPLIED TO
• Security policy visibility across the entire network, including Cisco ACI
• Risk and compliance analysis for Cisco ACI contracts alongside firewall security policies
• Automated security policy change management for multi-vendor devices across the entire estate, including policy push
• Significantly simplify and reduce audit preparation efforts and costs; supports all the industry regulatory standards
16. AGENDA (as on slide 4)
20. AGENDA (as on slide 4)
21. RISK AND COMPLIANCE ASSESSMENT
• Continuous visibility to the network risk posture of your ACI fabric
• Group reporting for the security posture of the entire network
• Based on the organization’s Risk Profile
• Regulatory Compliance (e.g., PCI, GDPR)
• C-Level charts and dashboards
• What-if risk analysis to avoid new risks during change management
27. CHANGE AUTOMATION
1. Request a network change
2. Map devices in path
3. Check for risk involved
4. Plan the rules
5. Implement the change on the devices
6. Validate the change
39. AGENDA (as on slide 4)
40. POLL #3: DO YOU EMPLOY A MICROSEGMENTATION STRATEGY?
Please vote using the “Votes from Audience” tab in your BrightTALK panel
• Yes, our datacenters are already designed with microsegmentation filtering
• We have plans to introduce a microsegmentation design
• This is not planned, we keep perimeter firewalls only
42. SERVICE GRAPHS IN ACI
Challenge: provision ALL relevant security controls
“Cisco designed the service graph technology to automate the deployment of an L4-L7 service in the network. Cisco ACI doesn’t provision the L4-L7 device itself, but it can configure it as part of the same configuration that creates tenants, bridge domains, and Endpoint Groups (EPGs).”
43. SGR SUPPORT – IDENTIFYING RELEVANT DEVICES
1. An ACI tenant found relevant for the requested traffic
2. Two firewalls automatically added by customizable logic, as they are part of an SGR defined on the ACI tenant found below
44. ALGOSEC & CISCO TETRATION
CHALLENGES CUSTOMERS ARE FACING
“Cisco Tetration offers holistic workload protection for multicloud data centers by enabling a zero-trust model using segmentation. This approach allows you to identify security incidents faster, contain lateral movement, and reduce your attack surface. Tetration's infrastructure-agnostic approach supports both on-premises and public cloud workloads.”
45. ALGOSEC & TETRATION – JOINT SOLUTION
Green field (Micro-segmentation):
• Discover application connectivity and dependencies
• Risk and compliance analysis
• Generate optimized micro-segmentation security policies
• Push policies to various security devices (firewalls, SDN, end-point)
Ongoing + Brown field (Unique!):
• Extend Tetration’s enforcement to network security devices
• Automatically map business applications to underlying network security infrastructure
• Business-driven risk, vulnerability and compliance analysis as well as policy management and rule cleanup
47. AGENDA (as on slide 4)
48. SOLUTION OVERVIEW – LARGE EUROPEAN BANK
Diagram: ACI data center; data center firewalls (East-West filtering); perimeter & upstream FWs; Visibility, Automatic Provisioning, Business Context
• Tetration performs application dependency mapping
• AlgoSec automatically updates and generates security policy
• AlgoSec automatically creates Cisco ACI contracts and updates relevant Fortinet firewall policies in the data center
• AlgoSec automatically updates perimeter & upstream firewalls as needed
49. TAKEAWAYS
• AlgoSec focus on Cisco technology: this means AlgoSec maintains market leadership in Cisco support
• Micro-Segmentation is key to tight network security: Tetration and AlgoSec help with micro-segmentation design and provisioning
• SDN does not mean all your problems are gone: AlgoSec considers connectivity of your SDN to the rest of the network and assures security
• AlgoSec’s Cisco support isn’t just about firewalls: also Cisco ACI, routers, identity and more
51. Q&A – Connect with AlgoSec Where You Are
Send us your questions. Request a Free Evaluation: marketing@algosec.com
youtube.com/user/AlgoSec
linkedin.com/company/AlgoSec
facebook.com/AlgoSec
twitter.com/AlgoSec
www.AlgoSec.com/blog
52. UPCOMING WEBINARS
• Aug 6 – Putting the “NetSec” into DevOps with Network Security Automation
• Aug 13 – What to ask before choosing a Network Security Management Solution
• Sept 26 – Microsegmentation
53. THE PREMIER EVENT FOR ALGOSEC CUSTOMERS & CHANNEL PARTNERS
2019: Australia – September; Dallas, TX – October 21-24
www.algosec.com/algosummit
In the previous slide it seemed like Cisco was yet another device. We are going to speak about why it’s more than that.
Here’s a bit about our organization. We’ve been around since 2004, and since then we’ve made a worldwide name for ourselves as leaders in both technology and customer satisfaction; it’s not a coincidence that 20 of the Fortune 50 companies are AlgoSec customers.
So what is this unique Algosec product you’ve been hearing about?
Network security is often seen as a burden: it is extremely complex and takes up a lot of time, which can hurt a business that is trying to keep up with the speed of the market while also wanting to keep security at the highest level.
AlgoSec can assist you in enhancing your organization’s security by automatically assessing vulnerabilities, managing compliance and prioritizing rules.
Automatically enhancing your security gives your organization the agility and speed it needs so that it is not held up by security.
I am guessing that you are all familiar with this slide showing the wide support we have of various network devices and technologies.
<click>
We see here two instances of Cisco, and this is what we are going to talk about today. <click>
So Cisco is a focus area for AlgoSec, as Cisco is such a dominant vendor for networking in general and in the data center specifically. There is actually quite a large set of Cisco devices and technology that AlgoSec supports. Details …
<click>
Another reason for this focus is the fact that we have a very strong partnership with Cisco. We identified mutually synergetic use cases that help with ACI adoption, with increasing the Tetration value proposition. So it’s a two way street.
There is a strong technical cooperation that means we can get information ahead of releases and close support in everything we do. And we also cooperate on the business level.
Cisco ACI is based on an acquisition that provides a Software Defined Networking solution built on Cisco network elements (leaf switches and others).
Neat capabilities:
• Ability to define contracts (rules) without considering the underlying network
• Ability to define service graphs: determine that specific network traffic will go through network services such as filtering, DLP, optimization and more
This is what the ACI GUI looks like. And this is “software defined”, so you can define new “contracts” (rules) and apply them to the ACI fabric keeping the intent in mind rather than the physical elements and routes.
So … one may ask – why do we need AlgoSec? This is automation ready, this is centrally managed, right?
The truth is simply that the hybrid network is much more complex than that:
• Data Center firewalls – some managed by the ACI and some not
• Public Cloud security controls – cloud-native security controls (security groups, NACLs etc.) and virtual traditional firewalls
Customers can now process and apply security policy changes quickly, assess and reduce risk, ensure compliance and maintain a strong security posture across their entire environment, thereby rapidly realizing the full potential of their Cisco ACI deployment.
Reduces the time and effort through automation, making sure things are in sync.
Mention inside and outside the data center.
Single place to see all your stuff, end-to-end.
Continuous compliance.
In this example we can see we have a group of devices that we decided to name DC SF. It can include the ACI fabric as well as additional devices.
If we want to see all the network security rules associated with a subnet in this data center, we can easily search and find matching rules with objects (EPGs) that include this subnet, both in the ACI fabric and in other devices, like the Fortinet device we see here.
In the changes tab we can track and audit changes both in the ACI fabric itself and in other network devices. This can help us make sure there are no out-of-band, unauthorized changes.
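The two visibility operations just described, the subnet search across the ACI fabric and a non-ACI firewall and the audit of changes against approved change requests, as an added example (this is not AlgoSec's or Cisco's code). It assumes a normalized rule model in which an ACI contract and a firewall rule both reduce to source object, destination object and service; the device names, EPG subnets, address objects, rules and the change-request ID are constructed sample data.

```python
"""Policy visibility across the hybrid estate (added example, not AlgoSec or
Cisco code). Two operations from the slide notes are modelled:

1. rules_for_subnet(): find every rule, in the ACI tenant and on a non-ACI
   firewall, whose source or destination object covers a queried subnet.
2. out_of_band_changes(): compare two policy snapshots of the estate and
   report every added, removed or modified rule that no approved change
   request accounts for.

Devices, objects, rules and change-request IDs are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    device: str   # ACI tenant or firewall the rule lives on
    name: str     # contract name (ACI) or rule name (firewall)
    src: str      # source object: EPG (ACI) or address object (firewall)
    dst: str      # destination object
    service: str  # e.g. "tcp/443"; "any" for unrestricted


# Named objects -> prefixes they cover. EPG subnets come from the ACI bridge
# domain; the firewall uses its own address objects. Constructed.
OBJECTS = {
    "epg-web":        ["10.10.1.0/24"],
    "epg-payment":    ["10.10.2.0/24"],
    "epg-consultant": ["192.168.50.0/24"],
    "fw-dc-servers":  ["10.10.0.0/16"],
    "fw-mgmt":        ["10.200.0.0/24"],
    "fw-internet":    ["0.0.0.0/0"],
}

# Snapshot taken when the last change request was closed.
POLICY_BEFORE = [
    Rule("aci/tenant-dc", "web-to-payment", "epg-web", "epg-payment", "tcp/8443"),
    Rule("fortinet-dc-fw", "allow-dc-out", "fw-dc-servers", "fw-internet", "tcp/443"),
    Rule("fortinet-dc-fw", "allow-mgmt-in", "fw-mgmt", "fw-dc-servers", "tcp/22"),
]

# Snapshot taken now: one contract added through an approved request, and one
# firewall rule widened to "any" with no request behind it.
POLICY_AFTER = POLICY_BEFORE[:1] + [
    Rule("aci/tenant-dc", "consultant-to-payment", "epg-consultant", "epg-payment", "tcp/443"),
    Rule("fortinet-dc-fw", "allow-dc-out", "fw-dc-servers", "fw-internet", "any"),
    POLICY_BEFORE[2],
]

# (device, rule name) -> approved change request that authorised it. Constructed.
APPROVED = {("aci/tenant-dc", "consultant-to-payment"): "CR-1042"}


def object_covers(obj_name: str, subnet: str) -> bool:
    """True when any prefix behind the object overlaps the queried subnet
    (an 'any' object therefore matches every query)."""
    wanted = ipaddress.ip_network(subnet)
    return any(ipaddress.ip_network(p).overlaps(wanted) for p in OBJECTS[obj_name])


def rules_for_subnet(policy, subnet):
    """All rules on every device whose source or destination covers subnet."""
    return [r for r in policy
            if object_covers(r.src, subnet) or object_covers(r.dst, subnet)]


def snapshot(policy):
    """Index a policy by (device, rule name) for change comparison."""
    return {(r.device, r.name): (r.src, r.dst, r.service) for r in policy}


def out_of_band_changes(before, after, approved):
    """Every difference between two snapshots that no approved change request
    covers, as (kind, device, rule name) tuples."""
    findings = []
    for key in sorted(set(before) | set(after)):
        if key not in before:
            kind = "added"
        elif key not in after:
            kind = "removed"
        elif before[key] != after[key]:
            kind = "modified"
        else:
            continue
        if key not in approved:
            findings.append((kind,) + key)
    return findings


if __name__ == "__main__":
    for r in rules_for_subnet(POLICY_AFTER, "10.10.2.0/24"):
        print(f"{r.device:16} {r.name:22} {r.src} -> {r.dst} {r.service}")
    print(out_of_band_changes(snapshot(POLICY_BEFORE), snapshot(POLICY_AFTER), APPROVED))
```

The search deliberately uses overlap rather than exact containment, so a rule whose object is "any" shows up for every subnet; that is the behaviour you want when the question is "what can reach this subnet", and it is why the widened `allow-dc-out` rule also surfaces when searching for the consultants' network. The audit treats a rule as in-band only when its (device, name) pair has an approved request, so a widened service on an existing rule is still reported.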
• Continuous visibility: includes both the risk and the underlying contracts that triggered it
• Risk Profile: allows the security admin to define the network segmentation and what traffic is allowed between every two segments. Once defined, AlgoSec simulates the traffic through the security control and flags violations of these definitions
• Regulatory Compliance: out-of-the-box compliance reports for every security control, detailing its compliance with every relevant article of various regulatory standards
• C-Level charts and dashboards: to track risk and compliance levels over time
Data and reports are exportable and available via APIs.
Here we can see the overall security rating of a device as well as changes to risk over time.
Drilling in, we can see the list of risks.
We can drill into a risk to see what it means: here, we have HTTP connections entering our network, which is not advised.
Further drill-down shows the specific rule that allows this traffic, so we can optionally make adjustments.
We also have automated regulatory compliance reports, in this case a PCI (Payment Card Industry) report; we can see both an overall compliance score and a specific pass/fail for each compliance item.
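The risk-profile simulation described above, as an added example (not AlgoSec's or Cisco's code): a segmentation matrix defines which services may flow between segments, each ACI contract is expanded into the flows it permits (consumer EPG to provider EPG, one per filter entry), and every flow the profile does not allow is reported with the contract that triggered it, together with a best-practice check for cleartext protocols entering from the external segment and a pass/fail roll-up per contract. The tenant, EPG-to-segment mapping, filters, contracts, severities and the profile itself are constructed sample data.

```python
"""Risk and compliance assessment of ACI contracts (added example, not
AlgoSec or Cisco code). A risk profile defines segments and what traffic is
allowed between every pair of segments; each contract is simulated as the
flows it permits (consumer EPG -> provider EPG per filter entry) and every
flow the profile does not allow is reported as a risk together with the
contract that triggered it. A best-practice check for cleartext protocols
entering from the external segment is applied on top. Tenant, EPGs, filters,
contracts and the profile are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FilterEntry:
    proto: str  # "tcp", "udp" or "any"
    port: str   # destination port or "any"


@dataclass(frozen=True)
class Contract:
    name: str
    consumer: str   # consumer EPG (source side of the flow)
    provider: str   # provider EPG (destination side)
    filters: tuple  # FilterEntry values the contract's subject uses


@dataclass(frozen=True)
class Finding:
    severity: str
    contract: str   # the contract that triggered the risk
    description: str


# EPG -> segment of the risk profile. Constructed.
EPG_ZONE = {"epg-external": "external", "epg-web": "dmz",
            "epg-app": "internal", "epg-payment": "pci"}

# Risk profile: services allowed between segments; a missing pair allows nothing.
RISK_PROFILE = {
    ("external", "dmz"): {("tcp", "443")},
    ("dmz", "internal"): {("tcp", "8443")},
    ("internal", "pci"): {("tcp", "8443")},
}

# Best-practice check independent of the segmentation matrix.
CLEARTEXT = {("tcp", "80"), ("tcp", "21"), ("tcp", "23")}

CONTRACTS = [
    Contract("ext-to-web", "epg-external", "epg-web",
             (FilterEntry("tcp", "443"), FilterEntry("tcp", "80"))),
    Contract("web-to-app", "epg-web", "epg-app", (FilterEntry("tcp", "8443"),)),
    Contract("app-to-payment", "epg-app", "epg-payment", (FilterEntry("tcp", "8443"),)),
    Contract("web-to-payment", "epg-web", "epg-payment", (FilterEntry("any", "any"),)),
]


def simulate(contract):
    """Flows (src_zone, dst_zone, proto, port) the contract permits."""
    src, dst = EPG_ZONE[contract.consumer], EPG_ZONE[contract.provider]
    return [(src, dst, f.proto, f.port) for f in contract.filters]


def assess(contracts, profile):
    """Simulate every contract and flag what the risk profile does not allow."""
    findings = []
    for c in contracts:
        for src, dst, proto, port in simulate(c):
            allowed = profile.get((src, dst), set())
            if (proto, port) == ("any", "any"):
                findings.append(Finding("high", c.name,
                                        f"permits any service from {src} to {dst}"))
            elif (proto, port) not in allowed:
                findings.append(Finding("high" if dst == "pci" else "medium", c.name,
                                        f"{proto}/{port} from {src} to {dst} is not allowed by the risk profile"))
            if (proto, port) in CLEARTEXT and src == "external":
                findings.append(Finding("medium", c.name,
                                        f"cleartext {proto}/{port} entering from {src}"))
    return findings


def compliance_score(contracts, findings):
    """Pass/fail per contract and an overall percentage, as the report shows."""
    failing = {f.contract for f in findings}
    per_item = {c.name: ("fail" if c.name in failing else "pass") for c in contracts}
    score = round(100 * sum(v == "pass" for v in per_item.values()) / len(per_item))
    return score, per_item


if __name__ == "__main__":
    found = assess(CONTRACTS, RISK_PROFILE)
    for f in found:
        print(f"[{f.severity}] {f.contract}: {f.description}")
    print(compliance_score(CONTRACTS, found))
```

The sample profile makes `ext-to-web` fail twice (tcp/80 is both outside the matrix and cleartext from outside, matching the HTTP-entering-the-network risk shown on the slide) and `web-to-payment` fail once for an any/any filter into the PCI segment; the same drill-down from risk to triggering contract is what the finding carries in its `contract` field.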
Devices in path – includes devices defined in a service graph.
Implement change on the ACI fabric – including ACI specific provisioning
In this simple application we can see the network flows that the application requires; in this case, flows to the payment server.
Now let’s assume we want to allow traffic from a partner’s network – a consultant – to our payment server.
We add a new flow and call it “consultants to payment server”. The destination object “payment processing” is an existing EPG, selected from a drop-down list.
The source is not yet known, so we want to create a new object (a new EPG); we want to create this EPG and allow the flow.
Once the flow has been defined in ABF, we automatically open a new change request so this change can be processed in a way that is both secure and documented.
In the initial plan stage AlgoSec uses its network map model to find all the relevant devices in the path. In this case we have found two relevant devices in the path: a Juniper firewall that already allows the traffic, and the target within the ACI fabric, where access is currently blocked. So we need to create a new contract to allow this traffic.
The next step in the automation process is a risk check. Before implementing the change, AlgoSec will tell us if it includes any risk. So this is an example of how risks are presented.
There are two types of risks:
• Default out-of-the-box risks, based on best practice
• Network segmentation risks that the network admin or security specialist can define
So after we have approved the change request we can now go to implementation.
FireFlow suggests we do two things:
• Create a new EPG object
• Create a new contract that includes this EPG. We can see here the consumer EPG and the provider EPG to be used; this is similar to src/dst in other network security controls
We may also define a service graph based on logic we pre-configured. We will talk about service graphs more in a minute.
Here we can see the successful completion report.
In ACI we can see that a new EPG has been created and attached to the most appropriate bridge domain,
and that a new contract has been created which connects the consultant network to the payment processing server.
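The change-automation walk-through above (plan: map devices in path including service-graph firewalls; risk check; implementation: new EPG, filter and a consumer/provider contract), as an added example that is not FireFlow's or Cisco ACI's code. It assumes a small constructed topology (a partner network reaching the ACI fabric through a Juniper perimeter firewall, with two Fortinet firewalls inserted by a service graph on the tenant), a normalized per-device list of allowed flows, and a one-pair segmentation profile for the what-if check; object, device, EPG and contract names, and the bridge-domain placement remark, are all constructed or assumed.

```python
"""Change automation for a flow that crosses the hybrid network (added
example, not AlgoSec FireFlow or Cisco ACI code). For a requested flow it
(1) maps the devices in the path, adding the firewalls that an ACI service
graph attached to the destination tenant inserts, (2) checks on each device
whether the flow is already allowed, (3) runs a what-if check against the
segmentation profile, and (4) plans the changes: a rule on firewalls that
block it and, in ACI, a new EPG when no existing EPG covers the source, a
filter, and a contract with the new EPG as consumer and the existing EPG as
provider. Topology, devices, objects and names are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str      # source prefix (here the consultants' network)
    dst_epg: str  # existing destination EPG
    proto: str
    port: str


@dataclass
class Device:
    name: str
    kind: str                                    # "firewall" or "aci"
    allowed: list = field(default_factory=list)  # (src_obj, dst_obj, proto, port)


OBJECTS = {  # object name -> prefixes; "epg-*" are ACI EPGs. Constructed.
    "any": ["0.0.0.0/0"],
    "partner-nets": ["192.168.0.0/16"],
    "dc-servers": ["10.10.0.0/16"],
    "epg-web": ["10.10.1.0/24"],
    "epg-payment": ["10.10.2.0/24"],
}

DEVICES = {
    "juniper-perimeter": Device("juniper-perimeter", "firewall",
                                [("partner-nets", "dc-servers", "tcp", "443")]),
    "aci-tenant-dc": Device("aci-tenant-dc", "aci",
                            [("epg-web", "epg-payment", "tcp", "8443")]),
    "fortinet-dc-fw-1": Device("fortinet-dc-fw-1", "firewall",
                               [("any", "dc-servers", "tcp", "443")]),
    "fortinet-dc-fw-2": Device("fortinet-dc-fw-2", "firewall"),
}

ZONE_OF_PREFIX = {"192.168.0.0/16": "partner", "10.10.0.0/16": "dc-aci"}
PATHS = {("partner", "dc-aci"): ["juniper-perimeter", "aci-tenant-dc"]}
SERVICE_GRAPHS = {"aci-tenant-dc": ["fortinet-dc-fw-1", "fortinet-dc-fw-2"]}
SEGMENTATION = {("partner", "dc-aci"): {("tcp", "443")}}  # what-if risk profile


def covers(obj, prefix):
    """True when the object contains the whole prefix."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in OBJECTS[obj])


def zone_of(prefix):
    net = ipaddress.ip_network(prefix)
    for p, zone in ZONE_OF_PREFIX.items():
        if net.subnet_of(ipaddress.ip_network(p)):
            return zone
    raise ValueError(f"no segment defined for {prefix}")


def devices_in_path(flow):
    """Devices between the two segments plus service-graph firewalls."""
    path = list(PATHS[(zone_of(flow.src), zone_of(OBJECTS[flow.dst_epg][0]))])
    for dev in list(path):  # the service graph on the ACI tenant adds L4-L7 devices
        path.extend(SERVICE_GRAPHS.get(dev, []))
    return path


def device_allows(device, flow):
    dst_prefix = OBJECTS[flow.dst_epg][0]
    return any(covers(s, flow.src) and covers(d, dst_prefix)
               and proto in ("any", flow.proto) and port in ("any", flow.port)
               for s, d, proto, port in device.allowed)


def risk_check(flow):
    pair = (zone_of(flow.src), zone_of(OBJECTS[flow.dst_epg][0]))
    if (flow.proto, flow.port) in SEGMENTATION.get(pair, set()):
        return []
    return [f"{flow.proto}/{flow.port} from {pair[0]} to {pair[1]} violates the segmentation profile"]


def plan_change(flow, name):
    actions = []
    for dev_name in devices_in_path(flow):
        dev = DEVICES[dev_name]
        if device_allows(dev, flow):
            actions.append((dev_name, "already allowed"))
        elif dev.kind == "firewall":
            actions.append((dev_name, f"add rule {name}: {flow.src} -> {flow.dst_epg} {flow.proto}/{flow.port}"))
        else:
            src_epg = next((o for o in OBJECTS if o.startswith("epg-") and covers(o, flow.src)), None)
            if src_epg is None:  # no EPG covers the source: create one (bridge domain placement assumed)
                src_epg = f"epg-{name}"
                actions.append((dev_name, f"create EPG {src_epg} for {flow.src}"))
            flt = f"flt-{flow.proto}-{flow.port}"
            actions.append((dev_name, f"create filter {flt}"))
            actions.append((dev_name, f"create contract {name}: consumer={src_epg} provider={flow.dst_epg} filter={flt}"))
    return {"devices": devices_in_path(flow), "risks": risk_check(flow), "actions": actions}


if __name__ == "__main__":
    plan = plan_change(Flow("192.168.50.0/24", "epg-payment", "tcp", "443"), "consultants-to-payment")
    for dev, action in plan["actions"]:
        print(f"{dev:18} {action}")
    print("risks:", plan["risks"])
```

For the consultants-to-payment request the perimeter firewall and the first service-graph firewall already permit the flow, the ACI tenant needs an EPG, a filter and a contract, and the second service-graph firewall needs a rule; a request for tcp/22 on the same path is flagged by the what-if check before anything is planned for implementation.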
What this long passage means is that Cisco Tetration basically has two parts:
• End-point protection: can act as a sensor for traffic analysis and perform filtering
• Central analytics tool that enables identifying application flows and setting central policies
So here is what the joint solution of Cisco Tetration and AlgoSec can do for you:
In a green field:….
In a brown field, which may be the case when Tetration was already deployed or has grown from a green-field situation:
• We can extend the enforcement beyond Tetration endpoints to other network security devices, including ACI
• We automate the mapping of business applications to the network security infrastructure
• From that point we can leverage AlgoSec to manage network security with the business-driven context, including risk analysis, vulnerabilities, compliance and rule cleanup
Seed Questions
- How do you connect to the APIC? Using what API?
- What if I already have existing EPGs defined in my ACI? Will you always define new ones?
- Do you support multi-site ACI deployments?
- What do I need to do to integrate ACI with AlgoSec?
And, before we part – AlgoSummit and Upcoming webinars