BRKACI-2040-A Multi-Cloud Segmentation Journey Through Big Data With Tetration PDF

#CLUS
A multi-cloud
segmentation journey
through big data
With Tetration
Remi Philippe
Tim Garner
BRKACI-2040
#CLUS
Why are you here?
The goal of this session is simple: we begin with an existing
environment, full of applications and shared services, all running on
top of a mixture of infrastructures, on-premises, and multiple clouds,
deployed on bare metals, VMs, and containers - it's messy, just like
the world you work on. We then take a freshly deployed Tetration
and together walk through the step-by-step process of defining and
enforcing segmentation policy through a combination of hierarchical
"ground rules" and automated application policy discovery.
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Why do we segment workloads?
• What makes it hard across multiple clouds?
• Multiple workload types (bare metals, VMs, containers)?
• Gathering the necessary telemetry data
• Gathering the necessary context data
• From vCenter, AWS, Kubernetes, Load balancers, Campus
• Defining a step-by-step segmentation strategy
• Setting zone-to-zone rules
• Generating application segmentation rules
• Building advanced segmentation rules
• Care and feeding of segmentation
• Review and Conclusions
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
Webex Teams will be moderated cs.co/ciscolivebot#BRKACI-2040

by the speaker until June 16, 2019.
#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Segmentation in
the Real World
…One ACL at a time?!

What the Vendors Say…
Why do we segment, by example?
Demo
(and 383 million users)
Now the REAL
World
…And Security Impossible?!

DC
Firewalls
VMware Campus
DC
Firewalls
VMware Campus
DC
Firewalls
VMware Hyper-V Campus
DC Direct
Firewalls Connect
db
server
struts
server
db
server
struts
server file
server
security group
VMware Hyper-V Campus AWS
DC Direct
Firewalls Connect
Mainframes
db
server
struts
server
db
server
struts
server file
server
security group
VMware Hyper-V Campus AWS
DC Direct
Firewalls Connect
Mainframes
db
server
struts
server
db
server
struts
server file
server
security group
VMware Hyper-V Containers Campus AWS
The Network Guy
• I’ve got a few ACLs for you
The Network Guy
• I’ve got a few ACLs for you
CYA Protection
The Mainframe Guy
• Talk to the network folks.
Not touching the mainframe
The Virtualization Guy
• I have an UI! Give me 30 mins
to click through the 10
screens in 2 browsers.
The Kubernetes Guy
• It’s easy, just match my POD selector
and allow traffic in my CNI
The Security Girl
Bad Guys
Big Data?
Where is this Big Data?
…If you know where to look?!

Source of Data
• In order to design a segmentation policy, we need data
• In the form of flow data
• IP X talked to IP Y over port Z
Source of Data
• In the form of context
• port Z is being served by HTTPD
cisco@sjc15-jenkins1:~$ sudo netstat -anlp | grep java

tcp6 0 0 :::8080 :::* LISTEN 1806/java
udp6 0 0 :::5353 :::* 1806/java
udp6 0 0 :::33848 :::* 1806/java
cisco@sjc15-jenkins1:~$ ps -ef | grep 1806
jenkins 1806 1804 0 May24 ? 00:04:38 /usr/bin/java -Djava.awt.headless=true -jar
/usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080
cisco@sjc15-jenkins1:~$
Source of Data
• In the form of context
• port Z is being served by HTTPD
• In the form of user data
• IP X has tag App=SAP…
cisco@sjc15-jenkins1:~$ sudo netstat -anlp | grep java
tcp6 0 0 :::8080 :::* LISTEN 1806/java
udp6 0 0 :::5353 :::* 1806/java
udp6 0 0 :::33848 :::* 1806/java
cisco@sjc15-jenkins1:~$ ps -ef | grep 1806
jenkins 1806 1804 0 May24 ? 00:04:38 /usr/bin/java -Djava.awt.headless=true -jar
/usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080
cisco@sjc15-jenkins1:~$
See a Problem?
• We’re looking for 3 different type of data
• Context
• Flow
• Process
• All come in different shape and form

• AWS is different from Azure and GCP
• vSphere vs Hyper-V vs KVM
• Sampled Netflow vs Streaming Telemetry
• First Step is to combine this data in a usable way

• Good news, Tetration does that for you!
What Happens?
IP: 1.2.3.4 IP: 4.3.2.1

Flow Data Src Port: 45862
Protocol: TCP
Dst Port: 80
Protocol: TCP
Flags: SYN, ACK Flags: SYN, ACK
Collected from AnyConnect
Collected by the Software Agent
What Happens?
IP: 1.2.3.4 IP: 4.3.2.1

Protocol: TCP
Dst Port: 80
Protocol: TCP
Why are flags Important?
What Happens?
IP: 1.2.3.4 IP: 4.3.2.1

Protocol: TCP
Dst Port: 80
Protocol: TCP
Flags: SYN, ACK Flags: RST, ACK
What if the flags were like this?

Should I consider that a legit flow?
What Happens?
Containers anyone?
How do you know what process is running behind a port?
Socket: TCP/45862 Socket: TCP/80
Process Data State: ESTABLISHED
Process: Chrome
State: LISTEN
Process: HTTPD
Hash: 0xabcdef01 Hash: 0xabcdef02
What Happens?

Process: Chrome
State: LISTEN
Process: HTTPD
How do you know if you’re whitelisting a malware?
What Happens?
Do you know who this is?

inet6 fe80::e4bf:83ff:fe1e:3276%awdl0
AnyConnect User: remi App: Intranet

Context Data ISE Posture: Trusted
Location: Paris, FR
Location: SJC
Data: Internal
AD Group: Engineering ESX: host-1
What Happens?
Do you know where this workload is?

Location: Paris, FR
Location: SJC
Data: Internal
What Happens?
What does Service Now say?

Location: Paris, FR
Location: SJC
Data: Internal
Now the Complete fully correlated Picture
IP: 1.2.3.4 IP: 4.3.2.1

Protocol: TCP
Dst Port: 80
Protocol: TCP

Process: Chrome
State: LISTEN
Process: HTTPD

Location: Paris, FR
Location: SJC
Data: Internal
Oops, we forgot the Load Balancers?
• So Far™, we’ve never seen a network without a load balancer
• They have the tendency to NAT and ”break” flows
2.2.2.2
1.1.1.1 1.1.1.2 2.2.2.1

2.2.2.3
• Without visibility at the SLB level, what does the server see?
2.2.2.2
1.1.1.1 1.1.1.2 2.2.2.1

2.2.2.3
• Is our goal to define 2.2.2.1 -> 2.2.2.2/3 or…
• Is it to define 1.1.1.1 -> 2.2.2.2/3?
2.2.2.2
1.1.1.1 1.1.1.2 2.2.2.1

2.2.2.3
Now the Complete fully correlated Picture with LB
IP: 1.2.3.4 IP: 4.3.2.1

Protocol: TCP
Dst Port: 80
Protocol: TCP

Process: Chrome
State: LISTEN
Process: HTTPD
AnyConnect User: remi VIP: 1.1.1.2 App: Intranet

Location: Paris, FR
Pool: Servers Location: SJC
Data: Internal
Which Context Data to Use?
• Some data is pulled at the source and can
be trusted
• Flow Data
• Data you use depends on who you trust
• At the end of the day, your segmentation
will rely on these tags
• Do you trust the kube guy to set his tags?
• Trust the load balancer team?
• Trust the CMDB data (quality)?
• One thing you should NOT trust

• Excel files… Here’s why…
Which Context Data to Use?
• Some data is pulled at the source and can
be trusted
• Flow Data
• Data you use depends on who you trust
• At the end of the day, your segmentation
will rely on these tags
• Do you trust the kube guy to set his tags?
• Trust the load balancer team?
• Trust the CMDB data (quality)?
• One thing you should NOT trust

• Excel files… Here’s why…
Let’s Tag!
Demo
Ok, where are we at?
• At this point, we have:
• Communication Data (flows)
• Annotated with Machine Data (process)
• Combined with Context (cmdb, orchestrator)
• We now need to build up a policy
From 0 to uSeg
Boiling the Ocean
• Number 1 problem we see?
Trying to get to uSeg in 1-shot
• Guaranteed Failure
• Guaranteed Rollback
• Guaranteed unhappy life (+wife +boss)
• uSeg is a Journey, let’s look at

this
Step 1 – Zone Based
Firewall
Firewall
VM C VM BM
VM C VM BM BM C
BM VM C Firewall
BM VM C BM VM VM
C VM C BM C VM BM
C VM C VM C C
VM BM VM VM
Firewall
VM BM BM BM BM C
C C VM BM BM BM
C
VM BM C BM BM VM
Zone Based
Segmentation BM BM C
BM C VM BM VM C
C BM BM VM
VM BM VM C
Group 1 BM Bare Metal Server
Group 2 VM Virtual Machine
Group 3
C Container
Step 2 – Application Based
VM C VM BM VM C VM BM
BM VM C BM VM C
C VM C C VM C
BM C VM BM
VM VM BM C VM
BM VM VM
C C C C C BM VM VM
C C
VM BM BM BM Application
BM BM C Based BM BM C VM BM BM BM BM
Segmentation
C BM BM VM VM BM BM VM
VM BM VM C VM BM C

Group 3
C Container
Step 3 –Micro Segmentation
BM VM C BM VM C
C VM C C VM C
VM BM C VM VM BM C VM
C C C C BM VM VM C C C C BM VM VM
Micro
BM BM C VM BM BM BM BM Segmentation BM BM C VM BM BM BM BM
VM BM BM VM VM BM BM VM
VM BM C VM BM C

Group 3
C Container
Sounds simple right? It is.
(With the Right Tools)
Step 1 – Zone Based
Firewall
Firewall
VM C VM BM
VM C VM BM BM C
BM VM C Firewall
BM VM C BM VM VM
C VM C BM C VM BM
C VM C VM C C
VM BM VM VM
Firewall
VM BM BM BM BM C
C C VM BM BM BM
C
VM BM C BM BM VM
Zone Based
Segmentation BM BM C
BM C VM BM VM C
C BM BM VM
VM BM VM C
Group 3
C Container
Organizational Layout (scope tree)
Bottle
MiniDC
DC AWS Azure
Exploring the Zones…
• Based on Scopes, we can explore
our zones view
And translate this view
Location: Paris, FR
Location: SJC
Data: Internal
• Remember this context data?

• Let’s define some global rules
• Only Engineering Group can talk to Dev Servers
• 8.8.8.8 and 8.8.4.4 are the only approved DNS servers
• A Confidential Server cannot connect Outside the company
• A host running AV with Hash 0xabcd can access the AV headend
Let’s Define our “Zones”
Demo
Step 2 – Application Based
BM VM C BM VM C
C VM C C VM C
BM C VM BM
VM VM BM C VM
BM VM VM
C C C C C BM VM VM
C C
VM BM BM BM Application
BM BM C Based BM BM C VM BM BM BM BM
Segmentation
C BM BM VM VM BM BM VM
VM BM VM C VM BM C

Group 3
C Container
Bottle
MiniDC
DC AWS Azure
Apps Services Databases Apps Databases Apps Databases
Run ADM ”loosely”
• When generating ADM data, you can go with automated grouping
• Or Suggest a Grouping
• In order keep the groups large, we will match a scope to a cluster
• By doing this, you will only show application to application
communications
Run ADM ”loosely”
And “lock” the cluster
Let’s Define our “Applications”
Demo
Step 3 –Micro Segmentation
BM VM C BM VM C
C VM C C VM C
VM BM C VM VM BM C VM
C C C C BM VM VM C C C C BM VM VM
Micro
BM BM C VM BM BM BM BM Segmentation BM BM C VM BM BM BM BM
VM BM BM VM VM BM BM VM
VM BM C VM BM C

Group 3
C Container
Bottle
MiniDC
DC AWS Azure
Apps Services Databases Apps Databases Apps Databases
Payment Builder Postgres Oracle Blog Mongo Blog Mongo
Follow the White Rabbit
• At this point, we have App to App Enforcement
• We’re going to remove our user defined cluster in order to start
automatic grouping / tagging
What does ADM Do? Grouping
DC1
DC2
DC = DC1
What does ADM Do? Tagging App = DB
DC = DC1
App = HRMS DC1
App = FIN
DC = DC1
App = FIN
Alternate Grouping
Suggestion
DC = DC2
App = FIN DC2
DC = DC2
App = MAIL
Let’s Define our “Micro-Segments”
Demo
Enforcement
Where to Enforce?
• Where to enforce depends on multiple factors
• What is supported for enforcement?
• Are there any regulatory requirements (e.g. stateful vs stateless for PCI)?
• What is the volume of traffic expected?
• What is the rate of change?
• Are the endpoints potential DDoS targets?
• How granular do I need to go?
• Do I need a change request for every change?
Host Based Enforcement
• Enforcing on the host is:
• The most scalable way of enforcing
• The most complete way of enforcing (process-based policies)
• So… If you must implement 1000 policies on 100 VMs…
1000 policies 2x 500 policies 100x 10 policies
Somewhere Else
• Creates a Policy Stream Updates in near Real Time
• Implemented in OpenSource or via Partners
• Algosec Intent:
Consumer: type=and, filter=[{type=eq, field=vrf_id, value=42},{type=subnet,
• Tufin field=ip, value=172.200.1.0/24, subnet=172.200.1.0/24},{type=contains,
field=host_name, value=client},unsafeSubnetValue=null]
Provider: type=and, filter=[{type=eq, field=vrf_id, value=42},{type=subnet,

field=ip, value=172.200.1.0/24, subnet=172.200.1.0/24},{type=eq,
field=host_name, value=server-blue},unsafeSubnetValue=null]
Action: ALLOW
Ports / Protocol: [protocol:TCP port_ranges:<start_port:90 end_port:90 > ]
https://github.com/tetration-exchange/pol-client-go
Operations
What does Host Based Enforcement do?
How are policies enforced within* a workspace?
*in other words, when you control both servers
dport 80 dport 80
OUTPUT NEW, ESTAB NEW, ESTAB INPUT
sport 80 sport 80
INPUT ESTAB ESTAB
OUTPUT
server1 server2
How are policies enforced between workspaces?
*in other words, when you control only one server
dport 80
OUTPUT NEW, ESTAB INPUT
sport 80
INPUT ESTAB
OUTPUT
server1 server2
How are policies enforced between workspaces?
dport 80 dport 80
OUTPUT NEW, ESTAB NEW, ESTAB INPUT
sport 80 sport 80
INPUT ESTAB ESTAB
OUTPUT
server1 server2
Up to date with Immunizations?
OUTPUT policies protects

workloads by preventing
traffic from getting out…
Up to date with Immunizations?
…And INPUT protects other

workloads in case of breach
(of workload or process)!
How do you track enforcement?
Checking on Enforcement
• There are 2 ways to check on enforcement
• Login to a server: pretty high chance you have better things to do and
that Admins don’t want you on their server!
• Check from the Tetration console: get an easy summary view of
enforcement
Checking On Enforcement
Demo
In Summary
…And Secure!
What did we achieve?
• We started with a fresh environment
• Deployed Zone Based policies that reflect global enterprise rules
• Deployed App-App Policies to segment further
• Went down the Micro-Segments
• Pushed this policy across 2 clouds, 1 DC and 2 environments
• Managed this policy from a central point and tracked compliance to
a central location
All this…. In 2 hours!
Complete your
online session • Please complete your session survey
evaluation after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live
Mobile App or by logging in to the Session
Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing
on demand after the event at ciscolive.cisco.com.
Continue your education
Demos in the
Walk-in labs
Cisco campus
Meet the engineer

Related sessions
1:1 meetings
Thank you
#CLUS
#CLUS

BRKACI-2040-A Multi-Cloud Segmentation Journey Through Big Data With Tetration PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BRKACI-2040-A Multi-Cloud Segmentation Journey Through Big Data With Tetration PDF

Uploaded by

Copyright:

Available Formats

#CLUS

Webex Teams will be moderated cs.co/ciscolivebot#BRKACI-2040

…One ACL at a time?!

…And Security Impossible?!

VMware Hyper-V Campus

VMware Hyper-V Campus AWS

VMware Hyper-V Campus AWS

VMware Hyper-V Containers Campus AWS

…If you know where to look?!

cisco@sjc15-jenkins1:~$ sudo netstat -anlp | grep java

• All come in different shape and form

• First Step is to combine this data in a usable way

IP: 1.2.3.4 IP: 4.3.2.1

Collected from AnyConnect

Collected by the Software Agent

IP: 1.2.3.4 IP: 4.3.2.1

Why are flags Important?

IP: 1.2.3.4 IP: 4.3.2.1

What if the flags were like this?

Socket: TCP/45862 Socket: TCP/80

How do you know if you’re whitelisting a malware?

Do you know who this is?

AnyConnect User: remi App: Intranet

Do you know where this workload is?

AnyConnect User: remi App: Intranet

What does Service Now say?

AnyConnect User: remi App: Intranet

IP: 1.2.3.4 IP: 4.3.2.1

Socket: TCP/45862 Socket: TCP/80

AnyConnect User: remi App: Intranet

1.1.1.1 1.1.1.2 2.2.2.1

1.1.1.1 1.1.1.2 2.2.2.1

1.1.1.1 1.1.1.2 2.2.2.1

IP: 1.2.3.4 IP: 4.3.2.1

Socket: TCP/45862 Socket: TCP/80

AnyConnect User: remi VIP: 1.1.1.2 App: Intranet

• One thing you should NOT trust

• One thing you should NOT trust

• We now need to build up a policy

• uSeg is a Journey, let’s look at

Group 1 BM Bare Metal Server

Group 1 BM Bare Metal Server

• Remember this context data?

Group 1 BM Bare Metal Server

Apps Services Databases Apps Databases Apps Databases

And “lock” the cluster

Group 1 BM Bare Metal Server

Apps Services Databases Apps Databases Apps Databases

Payment Builder Postgres Oracle Blog Mongo Blog Mongo

• So… If you must implement 1000 policies on 100 VMs…

1000 policies 2x 500 policies 100x 10 policies

Provider: type=and, filter=[{type=eq, field=vrf_id, value=42},{type=subnet,

Ports / Protocol: [protocol:TCP port_ranges:<start_port:90 end_port:90 > ]

OUTPUT policies protects

…And INPUT protects other

Meet the engineer

You might also like