Published: July, 2020
Cisco IT gained finer control over network-based application security when we started moving to application-centric infrastructure (ACI) in 2016. Before then, all endpoints on the same subnet could talk to each other. Now, using ACI “contracts,” we can control which specific endpoints within the subnet can communicate with one another.
Now we’re making network-based security easier to manage—and less of a burden on our Nexus switches. The difference: supplementing ACI with Cisco Firepower next-generation firewalls running Firepower Threat Defense (FTD) software.
Approximately 20% of our data center (DC) workloads — around 1,000 of 5,000 total — require network-based security. Each of our production data centers has one or more pairs of Cisco Nexus 7000 switches. Before, every protected application had its own VLAN on the switch pair—and each VLAN had its own access control lists (ACLs).
This design had two shortcomings. “One problem is scale,” says Ben Kelly, network architect. “Each pair of Nexus switches can support a limited number of workloads—and we couldn’t easily move workloads from overutilized switch pairs to underutilized pairs. The other problem was how much time it took to manually maintain ACLs for each VLAN — some with thousands of access-list entries.”
We overcame those problems using FTD software. It makes network-based security stronger and easier to manage while also freeing resources on our ACI leaf switches.
Here’s how it works. We use ACI virtual routing and forwarding (VRF) contexts to create network security zones: Protected DMZ, Protected Internal, and Internal. Every workload is assigned to a zone. For a standard three-tier application, like supply chain, the web server is typically assigned to the Protected DMZ zone while the application and database servers are assigned to the Protected Internal zone.
“Traffic between workloads in the same network security zone passes through ACI leaf switches, which enforce security policy with contracts,” says Christopher Stokes, network engineer. “Traffic moving between network security zones has to pass through FTD, which enforces security policy with access control policy rules, conserving critical resources on the ACI leaf switches.”
As of May 2020, we had migrated nearly 1,000 workloads, or 100 applications, behind FTD. Figure 1 illustrates this deployment.
The Firepower Management Center (FMC) controller provides centralized command and control for all Firepower firewalls in the same location. To minimize latency when FTD inspects traffic, we used FMC to create pre-filter policies. A feature called FastPath looks at the outer headers (which takes less time than checking the inner headers) to see if the flow is trusted. If so, the traffic is passed through without deeper inspection.
To save time maintaining ACLs, we’re shifting to a software development approach. Compliance with formatting rules is automatically verified every time we check in ACL code. We have a full audit trail of ACL changes thanks to Git, an open source version control system. Git also automates the approval workflow, forwarding change requests from Cisco IT to our InfoSec team for approval. “Together, FTD and Git save us hundreds of hours each quarter,” Kelly says.
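As an added illustration of the check-in verification described above (example code, not Cisco IT's tooling): a small Python lint that could run as a Git pre-commit or CI step over ACL text. The accepted entry grammar, the formatting and audit rules, and the sample entries are all assumptions; the page does not state which rules Cisco IT actually enforces.

```python
import ipaddress
import re

# Assumed grammar: a small NX-OS-like subset of extended ACL entries.
_ADDR = r"(any|host \d{1,3}(?:\.\d{1,3}){3}|\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
_ENTRY = re.compile(rf"^(permit|deny) (tcp|udp|ip|icmp) {_ADDR} {_ADDR}(?: eq \d{{1,5}})?$")

def _addr_ok(addr: str) -> bool:  # 'any', 'host A.B.C.D', or a CIDR with zero host bits
    try:
        if addr.startswith("host "):
            ipaddress.ip_address(addr[5:])
        elif addr != "any":
            ipaddress.ip_network(addr, strict=True)
        return True
    except ValueError:
        return False

def lint_acl(text: str) -> list[tuple[int, str]]:
    """Return (line_number, problem) findings; an empty list means the file passes."""
    findings = []
    have_remark = False  # assumed rule: every entry must follow a remark stating intent
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if raw != line or "  " in raw:
            findings.append((n, "whitespace: no leading, trailing or doubled spaces"))
        if line.startswith("remark "):
            have_remark = True
            continue
        m = _ENTRY.match(line)
        if m is None:
            findings.append((n, "syntax: entry does not match the accepted grammar"))
        else:
            action, _proto, src, dst = m.groups()
            if not have_remark:
                findings.append((n, "audit: entry has no preceding remark stating intent"))
            findings += [(n, f"address: {a!r} is not a valid host or strict CIDR") for a in (src, dst) if not _addr_ok(a)]
            if action == "permit" and src == dst == "any":
                findings.append((n, "scope: 'permit ... any any' is too broad for a protected VLAN"))
        have_remark = False
    return findings

# Constructed sample: a clean remark+entry, then each remaining rule violated.
SAMPLE_ACL = """remark web tier to app tier
permit tcp 10.1.2.0/24 10.1.3.0/24 eq 8443
permit ip any any
deny tcp 10.1.2.5/24 host 10.1.3.7 eq 22
permit tcp host 10.1.2.9  any eq 443
"""
```

Wired into a pre-commit hook, a non-empty findings list rejects the commit before the change request reaches the InfoSec approval step.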
We’re starting by using FTD for high-speed packet filtering. Later we’ll add more FTD features and functionality. Plans under consideration include: