Cisco Tetration Application Segmentation Data Sheet

Download Options

  • PDF (528.6 KB)

Updated: May 15, 2019
Document ID: 1485949475675950


Using application insight and a whitelist-based policy model, the Cisco Tetration platform simplifies the implementation of a zero-trust model. It enables effective application segmentation through consistent policy enforcement across on-premises data centers and private and public clouds.

Product Overview

Today, applications are the critical entities in the data center. All the infrastructure decisions are being made based on the application structure, consumption, and service delivery models. Applications are also dynamic, using virtualization, containerization, micro-services, and workload mobility technologies, with communication patterns between application components constantly changing. To provide a secure infrastructure for these dynamic applications, the traditional perimeter-based static security model is not sufficient. A whitelist-based zero-trust model needs to be implemented in the data center to better protect the applications, and the solution should offer a consistent and infrastructure-independent approach that includes support for public clouds.

The Cisco Tetration platform offers its application segmentation capability to address these challenges in a scalable and efficient way. This capability enables data center and security operations teams to automate enforcement of highly specific application segmentation policy for their mission-critical applications running in both on-premises data centers and the public cloud. By applying a consistent policy across bare-metal and virtualized on-premises data centers and public and private clouds, this model significantly reduces the data center surface that is vulnerable to attack. It also increases operational efficiency through automation of routine tasks associated with data center security. These tasks include discovering and defining application segments, collaboratively defining policies to align with broader organizational business policies, and securing these segments through automated policy enforcement. The platform also automatically identifies deviations in application behavior and invokes the appropriate workflows for policy updates.

Three unique functions enable application segmentation in the Cisco Tetration platform: metadata-based policy definitions, application workspaces, and one-click policy enforcement (Figure 1). Segmentation efficiency is increased through automation and analytics. Analytics-based insights give an administrator a unique perspective on the data center's operations and serve as a catalyst for increased efficiency.

Figure 1. Cisco Tetration Application Segmentation

Metadata Based Policy Definitions

Zero-trust policy definition is not just about defining what is required for an application to work; it should also include elements such as who can access the application, where the application can be accessed from, and policy elements related to the workload context. Cisco Tetration gives administrators the capability to integrate such elements into the whitelist policy through asset tagging (Figure 2). Using a robust vocabulary of keywords and judicious use of Boolean operations, an administrator can define policies governing specific workload characteristics: for example, a policy specifying that production database servers must not communicate with the Internet.

Each workload can have multiple tags that add organizational and operational semantics to provide additional context. These tags can be imported from external systems: for example, from a Configuration Management Database (CMDB) through an API, through integration with Cisco AnyConnect, or from orchestration systems such as VMware vCenter.

Figure 2. Associating Business Context Using Real-Time Asset Tagging

Applications and workloads can be referred to by these tags, and complex queries can be constructed using the tags as references. When this capability is used, the Cisco Tetration platform dynamically maps specific workloads to the tags. When a new workload, for example a VM, comes online with specific attributes, Cisco Tetration ensures that it receives the right policy without manual intervention.

Application Workspaces

The challenge in creating a data center security framework is to develop a final policy set that can be enforced across a large number of workloads in a heterogeneous environment. Policy definition using traditional infrastructure and tools is a time-consuming, manual process and does not meet the dynamic requirements of modern applications. It results in a policy set that is static and insufficient to secure modern applications, with policy skewed to the needs of one application at the expense of the specific interests of others.

The Cisco Tetration platform uses modern big data technologies to offer organizations familiar features such as workflows and workspaces. Application workspaces enable collaboration across organizational boundaries without sacrificing specific interests. Multiple resource pools are isolated from one another using these workspaces and scopes. An application segmentation policy can span multiple workspaces.

A workspace is a collection of topology views, asset inventories, and policies that is saved as a snapshot and supports version control. Version control enables rollback to restore the workspace to a previously validated snapshot. Multiple workspaces can be owned by a single tenant and can be included in workflows that mirror the organization’s structure and processes. Workspaces can be shared within a tenant and can be orchestrated in a workflow. The workflow accelerates the evolution of the data center’s security framework, which includes the policy, inventory, and topology from the discovery stage to the final commit stage. Using this approach, application segmentation policy includes the whitelist policy generated as part of Cisco Tetration application insight, and it also includes other predefined policies from higher-level entities such as security operations. The Cisco Tetration platform then normalizes this policy based on the priority and hierarchy before enforcing it.

Policy Enforcement and Compliance

The Cisco Tetration platform allows you to merge the absolute policy, which may be part of the corporate policy, with the automated segmentation policy generated through application workspaces. After the policy set governing the application segmentation is committed, an administrator can trigger its enforcement with a single click.

Automated policy enforcement is performed through the Cisco Tetration Analytics software sensors running on the workload itself. The software sensors orchestrate the stateful policy enforcement using operating system capabilities such as ipsets and iptables in the case of Linux servers, and the Microsoft Windows advanced firewall in the case of Microsoft Windows servers. With this approach, effective application segmentation can be achieved across hybrid data center infrastructure (on premises and in the public cloud).

In addition, in a virtualized environment, this mechanism helps ensure that application segmentation policy moves with the workload, allowing you to increase application mobility without having to be concerned with infrastructure-specific segmentation policy. As the application dependencies and communication patterns evolve, the platform updates policy automatically (Figure 3).
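The two mechanisms described above, tag-based policy definition (the "production database servers must not communicate with the Internet" style of rule built from inventory filters) and enforcement through Linux ipset and iptables, can be illustrated together with a small model. The following Python is an added example written for this page, not Cisco Tetration code, and it does not use Tetration's real policy format, tag vocabulary or sensor interface. The workloads, tags, addresses and the filter syntax (nested tuples with tag, and, or, not) are constructed for the illustration. It shows a filter being evaluated dynamically against inventory, a whitelist rule being rendered as default-deny ipset/iptables commands for one host, and a new VM with matching tags picking up the policy without any edit to the rule.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Workload:
    """One server or VM with its IP and the tags attached to it (constructed data)."""
    name: str
    ip: str
    tags: frozenset = field(default_factory=frozenset)


def matches(filt, wl):
    """Evaluate an inventory filter (assumed syntax for this example) against one workload.

    Filters are nested tuples:
      ("tag", "env=prod")     true if the workload carries that tag
      ("and", f1, f2, ...)    all sub-filters true
      ("or", f1, f2, ...)     any sub-filter true
      ("not", f1)             negation
    """
    op = filt[0]
    if op == "tag":
        return filt[1] in wl.tags
    if op == "and":
        return all(matches(f, wl) for f in filt[1:])
    if op == "or":
        return any(matches(f, wl) for f in filt[1:])
    if op == "not":
        return not matches(filt[1], wl)
    raise ValueError(f"unknown filter operator {op!r}")


def select(filt, inventory):
    """Map a filter to the workloads that match it right now (dynamic binding)."""
    return sorted((wl for wl in inventory if matches(filt, wl)), key=lambda w: w.name)


@dataclass(frozen=True)
class Rule:
    """Whitelist rule: workloads matching `consumer` may reach workloads matching
    `provider` on proto/port. Anything not covered by a rule is denied."""
    name: str
    consumer: tuple
    provider: tuple
    proto: str
    port: int


def render_linux(rules, inventory, host):
    """Render the rules that protect `host` as ipset/iptables commands.

    Default policy is DROP (zero trust). Each rule under which `host` is a provider
    becomes one ipset of consumer IPs plus one ACCEPT rule bound to that set.
    Commands are returned as a list for inspection, not executed.
    """
    cmds = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        if not matches(r.provider, host):
            continue  # host is not a provider under this rule
        consumers = select(r.consumer, inventory)
        if not consumers:
            continue  # no consumer currently matches; nothing to open
        setname = f"ts_{r.name}"
        cmds.append(f"ipset create {setname} hash:ip -exist")
        cmds.append(f"ipset flush {setname}")
        cmds.extend(f"ipset add {setname} {c.ip} -exist" for c in consumers)
        cmds.append(
            f"iptables -A INPUT -p {r.proto} --dport {r.port} "
            f"-m set --match-set {setname} src -j ACCEPT"
        )
    return cmds


# Constructed sample inventory and policy (addresses and tags are not real).
INVENTORY = [
    Workload("web-01", "10.0.1.11", frozenset({"env=prod", "role=web"})),
    Workload("web-02", "10.0.1.12", frozenset({"env=prod", "role=web"})),
    Workload("db-01", "10.0.2.21", frozenset({"env=prod", "role=db"})),
    Workload("dev-web", "10.0.9.5", frozenset({"env=dev", "role=web"})),
]
PROD_WEB = ("and", ("tag", "env=prod"), ("tag", "role=web"))
PROD_DB = ("and", ("tag", "env=prod"), ("tag", "role=db"))
POLICY = [Rule("web_to_db", PROD_WEB, PROD_DB, "tcp", 5432)]


def demo_new_vm():
    """Compare db-01's rendered rule set before and after a new prod web VM
    comes online: the VM is admitted by its tags, with no policy edit."""
    db = INVENTORY[2]
    before = render_linux(POLICY, INVENTORY, db)
    new_vm = Workload("web-03", "10.0.1.13", frozenset({"env=prod", "role=web"}))
    after = render_linux(POLICY, INVENTORY + [new_vm], db)
    return before, after


if __name__ == "__main__":
    for line in demo_new_vm()[1]:
        print(line)
```

Note that the "no Internet access for production databases" requirement needs no explicit deny here: under a default-DROP whitelist, a flow is blocked simply because no rule admits it. The same rendering pattern would apply to the OUTPUT chain for egress control, and on Windows the equivalent is a set of Windows Defender Firewall rules rather than ipsets.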

Figure 3. Policy Enforcement

Features and Benefits

Table 1 lists the main features and benefits of Cisco Tetration application segmentation.

Table 1.        Main Features

Feature

Description

Zero-day readiness

Plug zero-day vulnerabilities.

Policy from the Cisco Tetration platform allows only the required traffic, blocking everything else. This approach prevents a persistent threat from entering or searching for additional vulnerabilities on day zero.

Distributed deployment architecture

Deploy a scalable architecture for heterogeneous workloads distributed across a hybrid data center.

Application segmentation is achieved through deployment of two main components: software sensors as policy enforcement points and the Cisco Tetration platform. Sensors are installed on the workload, which can be a bare-metal system or a virtual machine. The back-end Cisco Tetration platform enforces the policy through software sensors. The platform comes with a large data store that supports workflows that scale to multiple tenants and roles and helps manage the lifecycle of millions of policies across thousands of applications.

Real-time asset tagging

Eliminate time-consuming manual creation of lists of resources to segment applications. Define application segmentation default and absolute policies using the asset tags.

Real-time asset tagging allows you to associate rich business context with the servers. Administrators can then identify these resources just by using the tags. They can also pre-create inventory filters that will match a specific set of workloads and use these filters within the policy constructs. Any workload that meets the inventory filter criteria will inherit the same policy. This capability enables data center administrators to quickly develop consistent policies for their applications.

Extend policy definitions based on additional context

  • Eliminate time-consuming manual creation of resource lists to segment applications. Define application segmentation default and absolute policies using asset tags.
  • Quickly develop consistent policies for applications using real-time asset tagging:
      • Associate rich business context with the servers
      • Define policies based on the users and user groups that need access

Integrate with vCenter, Kubernetes, OpenShift and other CMDB systems to automatically bring in the workload context.

Endpoint visibility through Cisco AnyConnect VM

  • Collect telemetry from the Cisco AnyConnect agent running on endpoint devices such as laptops, desktops, and smartphones
  • This provides information on the user, device name, FQDN, processes running on the device, and the URL or application that was accessed
  • Correlate the user data with the user group within the organization
  • Define specific segmentation policies using user and user group information that can be enforced on the workloads

Application workspaces

Socialize and collaborate on policy definition and validation across organizational boundaries. Define, discover, visualize, and validate the data center security policy framework through multifaceted click-through views of topology, policy, and resources. Use built-in workflows to collaboratively define a policy set for policy enforcement across microsegments.

Follow the built-in workflow to define the policy set for enforcement, or use the workflow as a starter template and edit it to customize it. Refine the workflow further by using Application Dependency Mapping (ADM) and flow search tools to:

  • Visualize the application topology
  • Visualize the policy map
  • Back-test the policy against historic data stored on the cluster appliance
  • Troubleshoot policy by clicking through deep dives into the flow data
  • Find the detail you need within the entire flow
  • Query billions of historical records using schema-based or metadata-tag-based queries and receive a response in less than a second
  • Use the collaborative features of the workflow to build consensus across the organization using Role-Based Access Control (RBAC) and workspaces. Then save the policy as a template with version control

One-click policy enforcement on heterogeneous workloads across a hybrid data center

Enforce the security framework using application segmentation and reduce the surface vulnerable to attack.

Enforce policies with a single click. Use the mechanism in Linux and Microsoft Windows environments to enforce security policy. The Cisco Tetration platform normalizes the policy. The final policy set inherits the priorities set by RBAC-authorized users across the workspaces owned by a single tenant.

Software vulnerability detection

Extend the policy enforcement capabilities to quarantine or control server communication based on software vulnerabilities and exposures.

Quickly identify whether any installed package versions have known vulnerabilities or exposures, along with their severity. Get an accurate inventory of all the servers that have the vulnerable package. Then tie this information to a policy that designates a specific action, such as quarantining a specific server.
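The package-to-vulnerability-to-action chain described in this row can be illustrated with a short model. The Python below is an added example for this page, not Cisco Tetration code, and it does not use Tetration's real inventory schema or vulnerability feed. Package names, versions, advisory identifiers (ADV-PLACEHOLDER-n) and server names are constructed placeholders; the version comparison is a simple numeric tuple comparison that is enough for the dotted versions used here, whereas real package managers (rpm, dpkg) apply richer ordering rules. It matches a server package inventory against a feed of fixed-in versions, reports the affected servers with severity, and turns the findings into a per-server action (quarantine or alert) according to a severity threshold.

```python
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def version_tuple(version):
    """Turn '1.0.2' into (1, 0, 2) so versions compare numerically.
    Adequate for the constructed versions below; not a general package-version parser."""
    return tuple(int(part) for part in version.split("."))


# Constructed vulnerability feed: package -> [(advisory_id, fixed_in_version, severity)].
# Advisory IDs are placeholders, not real identifiers.
VULN_FEED = {
    "openssl": [("ADV-PLACEHOLDER-1", "1.1.1", "critical")],
    "bash": [("ADV-PLACEHOLDER-2", "4.4", "high")],
}

# Constructed server package inventory: server -> {package: installed_version}.
INVENTORY = {
    "db-01": {"openssl": "1.0.2", "bash": "4.4"},
    "web-01": {"openssl": "1.1.1", "bash": "4.3"},
    "app-01": {"openssl": "1.1.1", "bash": "5.0"},
}


def find_vulnerable(inventory, feed):
    """Return {server: [(package, version, advisory, severity)]} for servers that
    run a package version older than the fixed-in version of an advisory."""
    hits = {}
    for server, packages in inventory.items():
        for pkg, installed in packages.items():
            for advisory, fixed_in, severity in feed.get(pkg, []):
                if version_tuple(installed) < version_tuple(fixed_in):
                    hits.setdefault(server, []).append((pkg, installed, advisory, severity))
    return hits


def worst_severity(findings):
    """Highest severity among a server's findings."""
    return max((f[3] for f in findings), key=lambda s: SEVERITY_RANK[s])


def plan_actions(hits, quarantine_at="critical"):
    """Map each affected server to an action: 'quarantine' if its worst finding
    is at or above the threshold, otherwise 'alert'. Unaffected servers are omitted."""
    threshold = SEVERITY_RANK[quarantine_at]
    return {
        server: "quarantine" if SEVERITY_RANK[worst_severity(findings)] >= threshold else "alert"
        for server, findings in sorted(hits.items())
    }


if __name__ == "__main__":
    hits = find_vulnerable(INVENTORY, VULN_FEED)
    for server, action in plan_actions(hits).items():
        print(server, action, hits[server])
```

In a deployment the "quarantine" action would be expressed as an inventory filter bound to a policy (for example, a tag set on the affected servers that a deny rule references), so the enforcement path is the same one used for ordinary segmentation rules rather than a separate mechanism.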

User-defined analytics, reports, alerts, and dashboards using custom applications

Use industry-standard notebook applications to create custom live content.

Use custom applications to:

  • Create live reports, which can use local data together with external Internet-based context information
  • Create custom alerts and avoid alert fatigue
  • Build dashboards with graphics using open-source libraries

Policy compliance and notifications

Monitor policy compliance on a minute-by-minute basis and generate alerts for policy noncompliance.

  • Generate policy-related alerts through the Kafka messaging interface
  • These alerts can be monitored in the user interface. In addition, they can be consumed by other northbound systems such as a Security Information and Event Management (SIEM) system
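A minimal version of the compliance check behind this row, as an added example for this page (not Cisco Tetration code, and not Tetration's alert format or Kafka topic layout): one minute of constructed flow records is compared with a committed whitelist, every flow that no rule permits is aggregated into a noncompliance alert, and the alerts are serialised as JSON strings of the kind a Kafka producer or SIEM forwarder would carry. The whitelist entries, addresses, timestamps and the alert fields are all constructed; the data sheet's example of a production database reaching the Internet appears as one of the violating flows.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed whitelist: (consumer_network, provider_ip, proto, port) that is allowed.
ALLOWED = [
    ("10.0.1.0/24", "10.0.2.21", "tcp", 5432),  # prod web tier -> prod database
    ("10.0.9.0/24", "10.0.9.50", "tcp", 443),   # dev clients -> dev web
]

# Constructed flow records for one minute of observed traffic (not real telemetry).
FLOWS = [
    {"ts": "2019-05-15T10:00:05Z", "src": "10.0.1.11", "dst": "10.0.2.21", "proto": "tcp", "port": 5432},
    {"ts": "2019-05-15T10:00:09Z", "src": "10.0.9.5", "dst": "10.0.2.21", "proto": "tcp", "port": 5432},
    {"ts": "2019-05-15T10:00:21Z", "src": "10.0.2.21", "dst": "203.0.113.7", "proto": "tcp", "port": 443},
    {"ts": "2019-05-15T10:00:40Z", "src": "10.0.9.5", "dst": "10.0.9.50", "proto": "tcp", "port": 443},
    {"ts": "2019-05-15T10:00:55Z", "src": "10.0.9.5", "dst": "10.0.2.21", "proto": "tcp", "port": 5432},
]


def is_allowed(flow, allowed=ALLOWED):
    """True if some whitelist entry covers this flow; no entry means noncompliant."""
    src = ipaddress.ip_address(flow["src"])
    return any(
        src in ipaddress.ip_network(net)
        and flow["dst"] == dst
        and flow["proto"] == proto
        and flow["port"] == port
        for net, dst, proto, port in allowed
    )


def check_compliance(flows, allowed=ALLOWED):
    """Return one alert per distinct (src, dst, proto, port) that the policy does not
    permit, with a hit count and first/last seen timestamps, sorted for stable output."""
    violations = defaultdict(list)
    for flow in flows:
        if not is_allowed(flow, allowed):
            violations[(flow["src"], flow["dst"], flow["proto"], flow["port"])].append(flow["ts"])
    alerts = []
    for (src, dst, proto, port), seen in sorted(violations.items()):
        alerts.append({
            "type": "policy_noncompliance",   # constructed alert schema
            "severity": "high",
            "src": src, "dst": dst, "proto": proto, "port": port,
            "count": len(seen),
            "first_seen": min(seen),
            "last_seen": max(seen),
        })
    return alerts


def to_messages(alerts):
    """Serialise each alert as a compact JSON string, one per message, ready for a
    Kafka producer or a SIEM forwarder (the transport itself is out of scope here)."""
    return [json.dumps(alert, sort_keys=True, separators=(",", ":")) for alert in alerts]


if __name__ == "__main__":
    for message in to_messages(check_compliance(FLOWS)):
        print(message)
```

Aggregating by 4-tuple with a count is the step that keeps a repeated violation from producing one alert per flow record, which is the alert-fatigue problem the custom-alerts feature above refers to.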

Licensing and Licensing Terms

Information regarding the licensing options can be found in the platform datasheet - https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/datasheet-c78-737256.html?cachemode=refresh.

Deployment Models and Scale

Information regarding the deployment options and supported scale can be found in the platform datasheet - https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/datasheet-c78-737256.html?cachemode=refresh.

Supported Operating Systems

Information regarding the supported operating systems can be found in the platform datasheet - https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/datasheet-c78-737256.html?cachemode=refresh.

Ordering Information

Information regarding the ordering options can be found in the platform datasheet - https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/datasheet-c78-737256.html.

Put Cisco Expertise to Work to Accelerate Success

Cisco provides professional and support services to help organizations get the most value from the Cisco Tetration platform. Cisco® Services experts help integrate the platform into your production data center environment, define use cases relevant to your business objectives, tune machine learning, and validate policies and compliance to improve application and operation performance. Cisco Solution Support for Cisco Tetration Analytics provides hardware, software, and solution-level support.

One annual contract covers all support needs. With Cisco Tetration Analytics Services expertise, you experience faster time to value, comprehensive adoption in your environment, optimized policies and application performance, and solution-wide support.

Cisco Capital

Flexible Payment Solutions to Help You Achieve Your Objectives

Cisco Capital makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments. Learn more.

For More Information

For more information about the Cisco Tetration platform, please visit https://www.cisco.com/c/en/us/products/data-center-analytics/tetration-analytics/index.html or contact your local Cisco account representative.
