Professional Documents
Culture Documents
BRKACI-2040-A Multi-Cloud Segmentation Journey Through Big Data With Tetration PDF
BRKACI-2040-A Multi-Cloud Segmentation Journey Through Big Data With Tetration PDF
A multi-cloud
segmentation journey
through big data
With Tetration
Remi Philippe
Tim Garner
BRKACI-2040
#CLUS
Why are you here?
The goal of this session is simple: we begin with an existing
environment, full of applications and shared services, all running on
top of a mixture of infrastructures, on-premises, and multiple clouds,
deployed on bare metals, VMs, and containers - it's messy, just like
the world you work on. We then take a freshly deployed Tetration
and together walk through the step-by-step process of defining and
enforcing segmentation policy through a combination of hierarchical
"ground rules" and automated application policy discovery.
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Why do we segment workloads?
• What makes it hard across multiple clouds?
• Multiple workload types (bare metals, VMs, containers)?
• Gathering the necessary telemetry data
• Gathering the necessary context data
• From vCenter, AWS, Kubernetes, Load balancers, Campus
• Defining a step-by-step segmentation strategy
• Setting zone-to-zone rules
• Generating application segmentation rules
• Building advanced segmentation rules
• Care and feeding of segmentation
• Review and Conclusions
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Segmentation in
the Real World
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
Why do we segment, by example?
Demo
(and 383 million users)
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
Now the REAL
World
VMware Campus
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
DC
Firewalls
VMware Campus
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
DC
Firewalls
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
DC Direct
Firewalls Connect
db
server
struts
server
db
server
struts
server file
server
security group
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
DC Direct
Firewalls Connect
Mainframes
db
server
struts
server
db
server
struts
server file
server
security group
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
DC Direct
Firewalls Connect
Mainframes
db
server
struts
server
db
server
struts
server file
server
security group
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
The Network Guy
• I’ve got a few ACLs for you
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
The Network Guy
• I’ve got a few ACLs for you
CYA Protection
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
The Mainframe Guy
• Talk to the network folks.
Not touching the mainframe
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
The Virtualization Guy
• I have an UI! Give me 30 mins
to click through the 10
screens in 2 browsers.
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
The Kubernetes Guy
• It’s easy, just match my POD selector
and allow traffic in my CNI
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
The Security Girl
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Bad Guys
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
Big Data?
Where is this Big Data?
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Source of Data
• In order to design a segmentation policy, we need data
• In the form of flow data
• IP X talked to IP Y over port Z
• In the form of context
• port Z is being served by HTTPD
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Source of Data
• In order to design a segmentation policy, we need data
• In the form of flow data
• IP X talked to IP Y over port Z
• In the form of context
• port Z is being served by HTTPD
• In the form of user data
• IP X has tag App=SAP…
cisco@sjc15-jenkins1:~$ sudo netstat -anlp | grep java
tcp6 0 0 :::8080 :::* LISTEN 1806/java
udp6 0 0 :::5353 :::* 1806/java
udp6 0 0 :::33848 :::* 1806/java
cisco@sjc15-jenkins1:~$ ps -ef | grep 1806
jenkins 1806 1804 0 May24 ? 00:04:38 /usr/bin/java -Djava.awt.headless=true -jar
/usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080
cisco@sjc15-jenkins1:~$
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
See a Problem?
• We’re looking for 3 different type of data
• Context
• Flow
• Process
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
What Happens?
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
What Happens?
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
What Happens?
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
What Happens?
Containers anyone?
How do you know what process is running behind a port?
Socket: TCP/45862 Socket: TCP/80
Process Data State: ESTABLISHED
Process: Chrome
State: LISTEN
Process: HTTPD
Hash: 0xabcdef01 Hash: 0xabcdef02
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
What Happens?
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
What Happens?
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
What Happens?
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
What Happens?
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
Now the Complete fully correlated Picture
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
Oops, we forgot the Load Balancers?
• So Far™, we’ve never seen a network without a load balancer
• They have the tendency to NAT and ”break” flows
2.2.2.2
2.2.2.2
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Which Context Data to Use?
• Some data is pulled at the source and can
be trusted
• Flow Data
• Data you use depends on who you trust
• At the end of the day, your segmentation
will rely on these tags
• Do you trust the kube guy to set his tags?
• Trust the load balancer team?
• Trust the CMDB data (quality)?
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
Which Context Data to Use?
• Some data is pulled at the source and can
be trusted
• Flow Data
• Data you use depends on who you trust
• At the end of the day, your segmentation
will rely on these tags
• Do you trust the kube guy to set his tags?
• Trust the load balancer team?
• Trust the CMDB data (quality)?
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
Let’s Tag!
Demo
Ok, where are we at?
• At this point, we have:
• Communication Data (flows)
• Annotated with Machine Data (process)
• Combined with Context (cmdb, orchestrator)
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
From 0 to uSeg
Boiling the Ocean
• Number 1 problem we see?
Trying to get to uSeg in 1-shot
• Guaranteed Failure
• Guaranteed Rollback
• Guaranteed unhappy life (+wife +boss)
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
Step 1 – Zone Based
Firewall
Firewall
VM C VM BM
VM C VM BM BM C
BM VM C Firewall
BM VM C BM VM VM
C VM C BM C VM BM
C VM C VM C C
VM BM VM VM
Firewall
VM BM BM BM BM C
C C VM BM BM BM
C
VM BM C BM BM VM
Zone Based
Segmentation BM BM C
BM C VM BM VM C
C BM BM VM
VM BM VM C
Group 1 BM Bare Metal Server
Group 2 VM Virtual Machine
Group 3
C Container
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
Step 2 – Application Based
VM C VM BM VM C VM BM
BM VM C BM VM C
C VM C C VM C
BM C VM BM
VM VM BM C VM
BM VM VM
C C C C C BM VM VM
C C
VM BM BM BM Application
BM BM C Based BM BM C VM BM BM BM BM
Segmentation
C BM BM VM VM BM BM VM
VM BM VM C VM BM C
Group 3
C Container
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
Step 3 –Micro Segmentation
VM C VM BM VM C VM BM
BM VM C BM VM C
C VM C C VM C
VM BM C VM VM BM C VM
C C C C BM VM VM C C C C BM VM VM
Micro
BM BM C VM BM BM BM BM Segmentation BM BM C VM BM BM BM BM
VM BM BM VM VM BM BM VM
VM BM C VM BM C
Group 3
C Container
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
Sounds simple right? It is.
(With the Right Tools)
Step 1 – Zone Based
Firewall
Firewall
VM C VM BM
VM C VM BM BM C
BM VM C Firewall
BM VM C BM VM VM
C VM C BM C VM BM
C VM C VM C C
VM BM VM VM
Firewall
VM BM BM BM BM C
C C VM BM BM BM
C
VM BM C BM BM VM
Zone Based
Segmentation BM BM C
BM C VM BM VM C
C BM BM VM
VM BM VM C
Group 1 BM Bare Metal Server
Group 2 VM Virtual Machine
Group 3
C Container
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
Organizational Layout (scope tree)
Bottle
MiniDC
DC AWS Azure
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Exploring the Zones…
• Based on Scopes, we can explore
our zones view
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
And translate this view
AnyConnect User: remi App: Intranet
Context Data ISE Posture: Trusted
Location: Paris, FR
Location: SJC
Data: Internal
AD Group: Engineering ESX: host-1
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Let’s Define our “Zones”
Demo
Step 2 – Application Based
VM C VM BM VM C VM BM
BM VM C BM VM C
C VM C C VM C
BM C VM BM
VM VM BM C VM
BM VM VM
C C C C C BM VM VM
C C
VM BM BM BM Application
BM BM C Based BM BM C VM BM BM BM BM
Segmentation
C BM BM VM VM BM BM VM
VM BM VM C VM BM C
Group 3
C Container
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
Organizational Layout (scope tree)
Bottle
MiniDC
DC AWS Azure
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
Run ADM ”loosely”
• When generating ADM data, you can go with automated grouping
• Or Suggest a Grouping
• In order keep the groups large, we will match a scope to a cluster
• By doing this, you will only show application to application
communications
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
Run ADM ”loosely”
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Let’s Define our “Applications”
Demo
Step 3 –Micro Segmentation
VM C VM BM VM C VM BM
BM VM C BM VM C
C VM C C VM C
VM BM C VM VM BM C VM
C C C C BM VM VM C C C C BM VM VM
Micro
BM BM C VM BM BM BM BM Segmentation BM BM C VM BM BM BM BM
VM BM BM VM VM BM BM VM
VM BM C VM BM C
Group 3
C Container
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
Organizational Layout (scope tree)
Bottle
MiniDC
DC AWS Azure
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
Follow the White Rabbit
• At this point, we have App to App Enforcement
• We’re going to remove our user defined cluster in order to start
automatic grouping / tagging
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
What does ADM Do? Grouping
DC1
DC2
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
DC = DC1
What does ADM Do? Tagging App = DB
DC = DC1
App = HRMS DC1
App = FIN
DC = DC1
App = FIN
Alternate Grouping
Suggestion
DC = DC2
App = FIN DC2
DC = DC2
App = MAIL
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
Let’s Define our “Micro-Segments”
Demo
Enforcement
Where to Enforce?
• Where to enforce depends on multiple factors
• What is supported for enforcement?
• Are there any regulatory requirements (e.g. stateful vs stateless for PCI)?
• What is the volume of traffic expected?
• What is the rate of change?
• Are the endpoints potential DDoS targets?
• How granular do I need to go?
• Do I need a change request for every change?
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
Host Based Enforcement
• Enforcing on the host is:
• The most scalable way of enforcing
• The most complete way of enforcing (process-based policies)
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
Somewhere Else
• Creates a Policy Stream Updates in near Real Time
• Implemented in OpenSource or via Partners
• Algosec Intent:
Consumer: type=and, filter=[{type=eq, field=vrf_id, value=42},{type=subnet,
• Tufin field=ip, value=172.200.1.0/24, subnet=172.200.1.0/24},{type=contains,
field=host_name, value=client},unsafeSubnetValue=null]
Action: ALLOW
https://github.com/tetration-exchange/pol-client-go
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Operations
What does Host Based Enforcement do?
How are policies enforced within* a workspace?
*in other words, when you control both servers
dport 80 dport 80
OUTPUT NEW, ESTAB NEW, ESTAB INPUT
sport 80 sport 80
INPUT ESTAB ESTAB
OUTPUT
server1 server2
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
How are policies enforced between workspaces?
*in other words, when you control only one server
dport 80
OUTPUT NEW, ESTAB INPUT
sport 80
INPUT ESTAB
OUTPUT
server1 server2
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
How are policies enforced between workspaces?
dport 80 dport 80
OUTPUT NEW, ESTAB NEW, ESTAB INPUT
sport 80 sport 80
INPUT ESTAB ESTAB
OUTPUT
server1 server2
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
Up to date with Immunizations?
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
Up to date with Immunizations?
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
How do you track enforcement?
Checking on Enforcement
• There are 2 ways to check on enforcement
• Login to a server: pretty high chance you have better things to do and
that Admins don’t want you on their server!
• Check from the Tetration console: get an easy summary view of
enforcement
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
Checking On Enforcement
Demo
In Summary
…And Secure!
What did we achieve?
• We started with a fresh environment
• Deployed Zone Based policies that reflect global enterprise rules
• Deployed App-App Policies to segment further
• Went down the Micro-Segments
• Pushed this policy across 2 clouds, 1 DC and 2 environments
• Managed this policy from a central point and tracked compliance to
a central location
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
All this…. In 2 hours!
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 84
Complete your
online session • Please complete your session survey
evaluation after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live
Mobile App or by logging in to the Session
Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing
on demand after the event at ciscolive.cisco.com.
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
Continue your education
Demos in the
Walk-in labs
Cisco campus
#CLUS BRKACI-2040 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
Thank you
#CLUS
#CLUS