Cisco Tetration Application Segmentation Data Sheet

Data Sheet

Available Languages

Download Options

  • PDF
    (506.2 KB)
    View with Adobe Reader on a variety of devices
Updated:June 23, 2020


The Cisco Tetration platform allows you to better secure your workloads and applications by containing lateral movement using microsegmentation. It simplifies the implementation of microsegmentation by automating policy generation and consistently enforcing it across on-premises data centers and private and public clouds.

Product overview

Today, applications are the critical entities in the data center. All the infrastructure decisions are being made based on the application structure, consumption, and service delivery models. Applications are also dynamic, using virtualization, containerization, micro-services, and workload mobility technologies, with communication patterns between application components constantly changing. To provide a secure infrastructure for these dynamic applications, the traditional perimeter-based static security model is not sufficient. An allowlist-based zero-trust model needs to be implemented in the data center to better protect the applications, and the solution should offer a consistent and infrastructure-independent approach that includes support for public clouds.

The Cisco Tetration platform offers its application segmentation capability to address these challenges in a scalable and efficient way. This capability enables data center and security operations teams to automate enforcement of granular application segmentation policy for their mission-critical applications running in both on-premises data centers and the public cloud. By applying a consistent policy across bare-metal, virtualized, on-premises data centers and public and private clouds, this model significantly reduces the data center surface that is vulnerable to attack. It also increases operational efficiency through automation of routine tasks associated with data center security. These tasks include discovering and defining application segments, collaboratively defining policies to align with broader organizational business policies, and securing these segments through automated policy enforcement. The platform also automatically identifies deviations in application behavior and invokes the appropriate workflows for policy updates.

Three unique functions enable application segmentation in the Cisco Tetration platform: metadata-based policy definitions, application workspaces, and one-click policy enforcement (Figure 1). Segmentation efficiency is increased through automation and analytics. Analytics-based insights enable an administrator to gain a unique perspective on the data center’s operations and serve as a catalyst to increase efficiency.

Figure 1.       Cisco Tetration application segmentation

Metadata-based policy definitions

Zero-trust policy definition is not just about defining what is required for an application to work; it should also include elements such as who can access this application, from where this application can be accessed, and policy elements related to the workload context. Cisco Tetration provides the capability for administrators to integrate such elements into the allowlist policy through annotations (Figure 2). Using a robust vocabulary of keywords and judiciously using Boolean operations, an administrator can define policies governing specific workload characteristics: for example, a policy specifying that production database servers should not communicate with the Internet.

Each workload can have multiple tags that add organizational and operational semantics to provide additional context. These tags can be imported from external systems—for example, from a Configuration Management Database (CMDB) through an API, through integration with Cisco AnyConnect® or Cisco Identity Services Engine (ISE), or from orchestration systems such as VMware vCenter.

Figure 2.       Associating business context using real-time asset tagging

Applications and workloads can be referred to by these tags, and complex queries can be constructed using the tags as references. When this capability is used, the Cisco Tetration platform dynamically maps the specific workloads to these tags. When a new workload, say a VM, comes online with specific attributes, Cisco Tetration ensures that it receives the right policy without the need for manual intervention.

Application workspaces

The challenge in creating a data center security framework is to develop a final policy set that can be enforced across a large number of workloads in a heterogeneous environment. Policy definition using traditional infrastructure and tools is a time-consuming, manual process and does not meet the dynamic requirements of modern applications. It results in a policy set that is static and insufficient to secure modern applications, with policy skewed to the needs of one application at the expense of the specific interests of others.

The Cisco Tetration platform uses modern big data technologies to offer organizations familiar features such as workflows and workspaces. Application workspaces enable collaboration across organizational boundaries without sacrificing specific interests. Multiple resource pools are isolated from one another using these workspaces and scopes. An application segmentation policy can span multiple workspaces.

A workspace is a collection of topology views, asset inventories, and policies that is saved as a snapshot and supports version control. Version control enables rollback to restore the workspace to a previously validated snapshot. Multiple workspaces can be owned by a single tenant and can be included in workflows that mirror the organization’s structure and processes. Workspaces can be shared within a tenant and can be orchestrated in a workflow. The workflow accelerates the evolution of the data center’s security framework, which includes the policy, inventory, and topology from the discovery stage to the final commit stage. Using this approach, microsegmentation policy includes the granular allowlist policy generated as part of Cisco Tetration application insight, and it also includes other predefined policies from higher-level entities such as security operations. The Cisco Tetration platform then normalizes this policy based on the priority and hierarchy before enforcing it.

Policy enforcement and compliance

The Cisco Tetration platform allows you to merge the absolute policy, which may be part of the corporate policy, with the automated segmentation policy generated through application workspaces. After the policy set governing the application segmentation is committed, an administrator can trigger its enforcement with a single click.

Automated policy enforcement is performed through the Cisco Tetration software sensors running on the workload itself. The software sensors orchestrate the stateful policy enforcement using operating system capabilities such as ipsets and iptables in the case of Linux servers, and the Microsoft Windows advanced firewall in the case of Microsoft Windows servers. With this approach, effective application segmentation can be achieved across hybrid data center infrastructure (on premises and in the public cloud).
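As an added illustration, and not Cisco's sensor code, the block below shows how a tag-based allowlist policy can be rendered into the ipset and iptables primitives named above for one workload's sensor: the inventory, tags and policy are constructed sample data, and the set-naming scheme and rule layout are assumptions. The output is default-deny restore text, and because set membership is recomputed from the tag query, a newly tagged workload picks up the policy without anyone editing IP lists.

```python
"""Render a tag-based allowlist policy into ipset-restore / iptables-restore text.
Illustrative example only; the inventory and policy below are constructed."""

# Constructed sample inventory: workload IP -> tags (as a CMDB or vCenter import would supply).
INVENTORY = {
    "10.1.1.10": {"env": "production", "tier": "db"},
    "10.1.1.11": {"env": "production", "tier": "db"},
    "10.1.2.20": {"env": "production", "tier": "app"},
    "10.1.2.21": {"env": "production", "tier": "app"},
    "10.9.0.5":  {"env": "dev",        "tier": "app"},
}

# Constructed sample policy: allow only production app tier -> production db tier on TCP/5432.
# Everything else, including db-server egress to the Internet, falls through to the default DROP.
POLICY = [
    {"name": "app-to-db", "consumer": {"env": "production", "tier": "app"},
     "provider": {"env": "production", "tier": "db"}, "proto": "tcp", "port": 5432},
]

def select(query):
    """Dynamically map a tag query (AND of key=value pairs) to the matching workload IPs."""
    return sorted(ip for ip, tags in INVENTORY.items()
                  if all(tags.get(k) == v for k, v in query.items()))

def set_name(query):
    """Assumed naming scheme: one ipset per tag query, e.g. env_production-tier_app."""
    return "-".join(f"{k}_{v}" for k, v in sorted(query.items()))

def render(policy, local_ip):
    """Build (ipset_text, iptables_text) for the sensor running on local_ip."""
    sets, rules = {}, []
    for rule in policy:
        consumer, provider = select(rule["consumer"]), select(rule["provider"])
        if local_ip in provider:  # this host serves the port: accept inbound from consumers only
            name = set_name(rule["consumer"])
            sets[name] = consumer
            rules.append(f"-A INPUT -p {rule['proto']} --dport {rule['port']} "
                         f"-m set --match-set {name} src -j ACCEPT")
        if local_ip in consumer:  # this host is a client: allow outbound to providers only
            name = set_name(rule["provider"])
            sets[name] = provider
            rules.append(f"-A OUTPUT -p {rule['proto']} --dport {rule['port']} "
                         f"-m set --match-set {name} dst -j ACCEPT")
    ipset = []
    for name, members in sets.items():
        ipset += [f"create {name} hash:ip -exist", f"flush {name}"] + [f"add {name} {ip}" for ip in members]
    iptables = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT DROP [0:0]",
                "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",   # stateful return traffic
                "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
                "-A INPUT -i lo -j ACCEPT", "-A OUTPUT -o lo -j ACCEPT",
                *rules, "COMMIT"]
    return "\n".join(ipset), "\n".join(iptables)
```

The two strings are in the formats that `ipset restore` and `iptables-restore` read from standard input; the example only renders them and does not touch the host firewall.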

In addition, in a virtualized environment, this mechanism helps ensure that application segmentation policy moves with the workload, allowing you to increase application mobility without having to be concerned with infrastructure-specific segmentation policy. As the application dependencies and communication patterns evolve, the platform updates policy automatically (Figure 3).

Figure 3.       Policy enforcement

Features and benefits

Table 1 lists the main features and benefits of Cisco Tetration application segmentation.

Table 1.      Main features

Containment of lateral movement using microsegmentation

Plug zero-day vulnerabilities.

Secure hybrid multicloud workloads and contain lateral movement using microsegmentation. The Cisco Tetration platform allows only the required traffic between application components and users, blocking everything else. This approach prevents a persistent threat from entering or searching for additional vulnerabilities.

Distributed deployment architecture

Deploy a scalable deployment architecture for heterogeneous workloads distributed across a hybrid data center.

Application segmentation is achieved through deployment of two main components: software sensors as policy enforcement points and the Cisco Tetration platform. Sensors are installed on the workload, which can be a bare-metal system or a virtual machine. The back-end Cisco Tetration platform enforces the policy through the software sensors. The platform comes with a large data store that supports workflows that scale to multiple tenants and roles and helps manage the lifecycle of millions of policies across thousands of applications.

Automation of microsegmentation policies based on workload context

  • Eliminate time-consuming manual creation of resource lists to segment applications. Define application segmentation default and absolute policies using asset tags.
  • Quickly develop consistent policies for applications using real-time asset tagging:
    • Associate rich business context with the servers.
    • Define policies based on users and user groups that need access.

Integrate with vCenter, Kubernetes, OpenShift, and other CMDB systems to automatically bring in the workload context.

Endpoint device and user context

  • Either collect telemetry from the Cisco AnyConnect agent running on endpoint devices such as laptops, desktops, and smart phones, or collect endpoint device information from Cisco ISE.
  • This provides information on the user, device name, FQDN, and the processes running on the device, as well as which URLs or applications were accessed.
  • Correlate the user data with the user group within an organization.
  • Define specific policies for segmentation, using user and user-group information, that can be enforced on the workloads.

Application workspaces

Socialize and collaborate on policy definition and validation across organizational boundaries. Define, discover, visualize, and validate the data center security policy framework through multifaceted click-through views of topology, policy, and resources. Use built-in workflows to collaboratively define a policy set for policy enforcement across microsegments.

Follow the built-in workflow to define the policy set for enforcement, or use the workflow as a starter template and edit it to customize it. Refine the workflow further by using Application Dependency Mapping (ADM) and flow search tools to:

  • Visualize the application topology
  • Visualize the policy map
  • Back-test the policy against historic data stored on the cluster appliance
  • Troubleshoot policy by clicking through deep dives into the flow data
  • Find the detail you need within the entire flow
  • Query billions of historical records using schema-based or metadata-tag-based queries and receive a response in less than a second
  • Use the collaborative features of the workflow to build consensus across the organization using Role-Based Access Control (RBAC) and workspaces. Then save the policy as a template with version control

One-click policy enforcement on heterogeneous workloads across a hybrid data center

Enforce the security framework using application segmentation and reduce the surface vulnerable to attack.

Enforce policies with a single click. Use the native operating-system mechanisms in Linux and Microsoft Windows environments to enforce security policy. The Cisco Tetration platform normalizes the policy. The final policy set inherits the priorities set by RBAC-authorized users across the workspaces owned by a single tenant.

Software vulnerability detection

Extend the policy enforcement capabilities to quarantine or control server communication based on software vulnerabilities and exposures.

Quickly identify whether any of the installed package versions have known vulnerabilities or exposures, along with their severity. Get an accurate inventory of all the servers that have the vulnerable package. Then tie this information to a policy that designates a specific action, such as quarantining a specific server.

Policy compliance and notifications

Monitor policy compliance on a minute-by-minute basis and generate alerts for policy noncompliance.

  • Generate policy-related alerts through the Kafka messaging interface
  • These alerts can be monitored in the user interface. In addition, they can be consumed by other northbound systems such as a Security Information and Event Management (SIEM) system

Licensing and licensing terms

Information regarding the licensing options can be found in the platform datasheet - https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/datasheet-c78-737256.html?cachemode=refresh.

Deployment models and scale

Information regarding the deployment options and supported scale can be found in the platform datasheet - https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/datasheet-c78-737256.html?cachemode=refresh.

Supported operating systems

Information regarding the supported operating systems can be found in the platform datasheet - https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/datasheet-c78-737256.html?cachemode=refresh.

Ordering information

Information regarding the ordering options can be found in the platform datasheet - https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/datasheet-c78-737256.html.

Put Cisco expertise to work to accelerate success

Cisco provides professional and support services to help organizations get the most value from the Cisco Tetration platform. Cisco® Services experts help integrate the platform into your production data center environment, define use cases relevant to your business objectives, tune machine learning, and validate policies and compliance to improve application and operation performance. Cisco Solution Support for Cisco Tetration provides hardware, software, and solution-level support.

One annual contract covers all support needs. With Cisco Tetration services expertise, you experience faster time to value, comprehensive adoption in your environment, optimized policies and application performance, and solutionwide support.

Cisco Capital

Flexible payment solutions to help you achieve your objectives

Cisco Capital® makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments. Learn more.

For more information

For more information about the Cisco Tetration platform, please visit https://www.cisco.com/c/en/us/products/data-center-analytics/tetration-analytics/index.html or contact your local Cisco account representative.
