Get Started with Cisco Secure Workload

Today’s networks include applications running in a hybrid multicloud environment that uses bare metal, virtualization, and cloud-based and container-based workloads. The key challenge in such an environment is improving application and data security without compromising on agility. Cisco Secure Workload provides comprehensive workload protection by bringing security closer to applications and tailoring the security posture that is based on the application behavior. Secure Workload achieves this tailoring by using advanced machine learning and behavior analysis techniques. It provides a ready-to-use solution to support the following security use cases:

  • Implement a zero-trust model with microsegmentation policies that allow only traffic that is required for business purposes.

  • Identify anomalies on workloads using behavioral baselining and analysis.

  • Detect Common Vulnerabilities and Exposures in the software packages that are installed on the servers.

  • Recommend quarantining of servers if vulnerabilities persist after enforcing policies and blocking communication.

Workloads and IP Addresses in Secure Workload

In Cisco Secure Workload, a workload can be an agent workload (a host on which a software agent is installed) or an agentless cloud workload (discovered through a cloud connector for Azure, AWS, or GCP). IP addresses refer to IPs that are not associated with either agent workloads or agentless cloud workloads.


Attention


Due to recent GUI updates, some of the images or screenshots used in the user guide may not fully reflect the current design of the product. We recommend using this guide in conjunction with the latest version of the software for the most accurate visual reference.



Note


To view the End User License Agreement and Supplemental End User License Agreement for your product, see End User License Agreement and Supplemental End User License Agreements.


Tour of the Wizard

Welcome to Secure Workload. Assigning labels to your workloads and grouping them into scopes is the foundation of everything Secure Workload does. Onboarding is a guided, user-friendly process that helps you set up and deploy applications securely in your environment. You can segment your network to allow only the traffic that your business requires and block all other communication.

To get started, choose Overview from the navigation menu to open the Quick Start wizard. The wizard prepares Secure Workload to create the segmentation policies that control traffic on your network. It presents a series of steps, each focused on a specific security aspect, and prompts you to make informed choices for configuring your workloads securely.

The following user roles can access the wizard:

  • Site Administrator: Provides the ability to manage users, agents, and more. The site administrator can view and edit all features and data. There must be at least one site admin.

  • Customer Support: Provides access to cluster maintenance features. Allows the same access as a Site Administrator but cannot modify users. Typically for Technical Support or Advanced Services roles.

  • Scope Owner: Manages and defines the scope of workloads, ensures policy compliance, and oversees workload security within the designated scope.

For more information on roles and responsibilities, see the Secure Workload User Guide.

Install Software Agents

Cisco Secure Workload supports various types of software agents for different environments, including virtual machines, bare metal servers, containers, Windows servers, Windows desktops, Linux servers, Kubernetes, AIX, and Solaris systems. These agents provide deep visibility and enforcement capabilities. The agent installer can be downloaded directly from Secure Workload, and it supports installation, upgrade, and monitoring. For more information, see the Cisco Secure Workload User Guide.

You can install software agents on your application workloads. The software agents collect information about the network interfaces and the active processes running on the host system.

There are two ways to install the software agents:

  • Agent Script installer: Use this method to install the software agents and to track and troubleshoot issues during installation. Supported platforms are Linux, Windows, Kubernetes, AIX, and Solaris.

  • Agent Image installer: Download the software agent image to install a specific version and software agent type for your platform. Supported platforms are Linux and Windows.

The onboarding wizard walks you through the process of installing the agents based on the selected installer method. For information on software agent installation, see the instructions on the Secure Workload UI and the Secure Workload User Guide.

Group and Label Workloads

The organization assigns labels to a group of workloads to create a scope. The hierarchical scope tree helps to divide the workloads into smaller groups, while reserving the lowest branch in the scope tree for individual applications.

Select a parent scope from the scope tree to create a new scope, which contains a subset of the members from the parent scope.

On this window, organize your workloads into groups in a hierarchical structure. Break down your network into hierarchical groups to allow more flexibility and scalable policy discovery and definition.

The wizard helps you apply labels to your workloads. A label is a key-value pair that describes a workload or endpoint. Labels are grouped into scopes, and workloads are automatically placed into scopes based on the labels they carry. You can then define segmentation policies based on scopes.

Hover over each block or scope in the tree for more information about the type of workloads or hosts it includes.


Note


In the Get Started with Scopes and Labels window, Organization, Infrastructure, Environment, and Application are the keys, and the text in the gray box in line with each key is its value.

For example, all workloads belonging to Application 1 are defined by this set of labels:

  • Organization = Internal

  • Infrastructure = Data Centers

  • Environment = Pre-Production

  • Application = Application 1


Power of Labels and Scope Trees

Labels drive the power of Secure Workload, and the scope tree created from your labels is more than just a summary of your network. Some of the benefits of using labels are:

  • Labels let you instantly understand your policies, for example:

    "Deny all traffic from Pre-Production to Production"

    Compare the same policy without labels:

    "Deny all traffic from 172.16.0.0/12 to 192.168.0.0/16"

  • Policies based on labels automatically apply (or stop applying) when labeled workloads are added to (or removed from) inventory. Over time, these dynamic label-based groupings greatly reduce the effort required to maintain your deployment.

  • Workloads are grouped into scopes based on their labels. These groupings let you easily apply policy to related workloads. For example, you can easily apply policy to all applications in the Pre-Production scope.

  • After you create policies in a single scope, the policies can automatically be applied to all workloads in descendant scopes in the tree, minimizing the number of policies you must manage.

    For example, you can define and apply policy broadly (to all workloads in your organization), narrowly (to just the workloads that are part of a specific application), or at any level in between, such as to all workloads in a data center.

  • You can assign responsibility for each scope to a different administrator, delegating policy management to the people who are most familiar with that part of your network.

Build the Hierarchy for Your Organization

Building your hierarchy, or scope tree, involves identifying and categorizing your assets, determining the scope of each group, defining roles and responsibilities, and developing the policies and procedures that make up a branch of the scope tree.

The wizard guides you through creating one branch of the scope tree. Enter IP addresses or subnets for each blue-outlined scope; the labels are applied automatically based on the position of the scope in the tree.

Prerequisites:

  • Gather the IP addresses or subnets associated with your Pre-Production environment, your data centers, and your internal network.

  • Gather as many IP addresses or subnets as you can; you can add more later.

  • As you build your tree, you can add IP addresses or subnets for the other scopes in the tree (the gray blocks).

To create the scope tree, perform the following tasks:

Define the Internal Scope

The internal scope includes all IP addresses that define your organization's internal network, including public and private IP addresses.

The wizard walks you through adding IP addresses to each scope in the tree branch. As you add addresses, the wizard assigns to each address the labels that define the scope.

For example, on this Scope Setup window, the wizard assigns the label Organization=Internal to each IP address.

By default, the wizard adds the IP addresses in the private internet address space as defined in RFC 1918.


Note


You do not need to enter all the IP addresses at once, but you must include the IP addresses associated with your chosen application; you can add the rest at a later time.


Define the Data Center Scope

This scope includes the IP addresses that define your on-premises data centers. Enter the IP addresses or subnets within your internal network that belong to these data centers.


Note


Scope names should be short and meaningful.


On this window, enter data center addresses drawn from the addresses you entered for the organization; these addresses must be a subset of the addresses of your internal network. If you have multiple data centers, include all of them in this scope so that you can define a single set of policies for them.


Note


You can always add more addresses at a later stage. On this window, the wizard assigns these labels to each of the IP addresses:

Organization=Internal
Infrastructure=Data Centers

Define the Pre-Production Scope

This scope includes IP addresses of non-production applications and hosts, such as development, lab, test, or staging systems.


Note


Do not include the addresses of any applications that are used to conduct actual business; reserve those for the Production scope that you define later.


The IP addresses you enter on this window must be a subset of the addresses you entered for your data centers and must include the addresses of your chosen application. Ideally, they should also include pre-production addresses that are not part of the chosen application.


Note


You can always add more addresses at a later stage.
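The scope model described in Power of Labels and Scope Trees and in the branch you just built has three rules worth seeing in code: every scope's addresses must be a subset of its parent's, a workload's labels are the accumulated labels of the deepest scope that holds its IP, and a policy written in label terms keeps applying as workloads are added. The following is an added example, not Secure Workload code or its API; the scope names, subnets, and policies are constructed for illustration, and the Internal scope defaults to the RFC 1918 space as the wizard does.

```python
"""Added example (not Cisco code): a small model of the scope tree, label
inheritance and label-based policy described in the Quick Start guide.
Scope names, subnets and policies below are constructed for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Scope:
    name: str
    label: Tuple[str, str]                     # the key=value pair this scope contributes
    subnets: List[ipaddress.IPv4Network]
    parent: Optional["Scope"] = None
    children: List["Scope"] = field(default_factory=list)

    def add_child(self, child: "Scope") -> "Scope":
        # Wizard rule: a child scope's addresses must lie inside its parent's addresses.
        for net in child.subnets:
            if not any(net.subnet_of(parent_net) for parent_net in self.subnets):
                raise ValueError(f"{child.name}: {net} is not within parent scope {self.name}")
        child.parent = self
        self.children.append(child)
        return child

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ip in net for net in self.subnets)

    def labels(self) -> Dict[str, str]:
        # Labels accumulate down the tree: a scope carries its ancestors' labels plus its own.
        inherited = self.parent.labels() if self.parent else {}
        key, value = self.label
        return {**inherited, key: value}


def nets(*cidrs: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c) for c in cidrs]


def deepest_scope(root: Scope, ip: str) -> Optional[Scope]:
    """Return the most specific scope whose subnets hold ip, or None if ip is outside the tree."""
    addr = ipaddress.ip_address(ip)
    if not root.contains(addr):
        return None
    node = root
    while True:
        child = next((c for c in node.children if c.contains(addr)), None)
        if child is None:
            return node
        node = child


def labels_for(root: Scope, ip: str) -> Dict[str, str]:
    scope = deepest_scope(root, ip)
    return scope.labels() if scope else {}


# A policy is (consumer selector, provider selector, action); a selector is a set of labels
# that an endpoint must carry in full to match.
Policy = Tuple[Dict[str, str], Dict[str, str], str]


def matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())


def evaluate(root: Scope, policies: List[Policy], src_ip: str, dst_ip: str) -> str:
    """The first policy whose selectors match both endpoints decides; otherwise NO_MATCH."""
    src, dst = labels_for(root, src_ip), labels_for(root, dst_ip)
    for consumer, provider, action in policies:
        if matches(consumer, src) and matches(provider, dst):
            return action
    return "NO_MATCH"


def build_tree() -> Scope:
    # Internal scope defaults to the RFC 1918 private address space, as the wizard does.
    internal = Scope("Internal", ("Organization", "Internal"),
                     nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
    dc = internal.add_child(Scope("Data Centers", ("Infrastructure", "Data Centers"), nets("10.0.0.0/16")))
    preprod = dc.add_child(Scope("Pre-Production", ("Environment", "Pre-Production"), nets("10.0.1.0/24")))
    dc.add_child(Scope("Production", ("Environment", "Production"), nets("10.0.2.0/24")))
    preprod.add_child(Scope("Application 1", ("Application", "Application 1"), nets("10.0.1.0/26")))
    return internal


# Policies written once at the Internal scope, in label terms rather than CIDRs.
POLICIES: List[Policy] = [
    ({"Environment": "Pre-Production"}, {"Environment": "Production"}, "DENY"),
    ({"Application": "Application 1"}, {"Application": "Application 1"}, "ALLOW"),
]


def rejects_out_of_scope_subnet() -> bool:
    """A subnet outside the parent's address space must be refused by the tree."""
    try:
        build_tree().add_child(Scope("Partner", ("Infrastructure", "Partner"), nets("203.0.113.0/24")))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    root = build_tree()
    for ip in ("10.0.1.5", "10.0.1.200", "10.0.2.9", "8.8.8.8"):
        print(ip, labels_for(root, ip))
    print("pre-prod -> prod:", evaluate(root, POLICIES, "10.0.1.5", "10.0.2.9"))
    print("within Application 1:", evaluate(root, POLICIES, "10.0.1.5", "10.0.1.20"))
    print("rejects out-of-scope subnet:", rejects_out_of_scope_subnet())
```

A host at 10.0.1.200 sits in Pre-Production but outside the Application 1 subnet, so it receives the Environment label without the Application label; a host outside every scope receives no labels and matches no policy. Adding a new workload inside 10.0.1.0/26 changes nothing in POLICIES, which is the dynamic grouping the guide describes.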


Review Scope Tree, Scopes, and Labels

Before you create the scope tree, review the hierarchy shown in the left pane. The root scope shows the labels that were automatically created for all configured IP addresses and subnets. At a later stage in the process, applications are added to this scope tree.

You can expand and collapse branches and scroll down to choose a specific scope. In the right pane, you can see the IP addresses and labels assigned to the workloads in that scope. On this window, you can review and modify the scope tree before you add an application to it.


Note


If you want to view this information after you exit the wizard, from the navigation menu, choose Organize > Scopes and Inventory.


Create Scope Tree

After you review the scope tree, create the scope tree.

Create scope tree

For information on the scope tree, see the Scopes and Inventory section in the Secure Workload User Guide.

Next Steps

Install Agents

Install the Secure Workload agents on the workloads associated with your chosen application. The data that the agents gather is used to generate suggested policies based on the existing traffic on your network. The more data is gathered, the more accurate the generated policies are. For details, see the Software Agents section in the Secure Workload User Guide.

Add Application

Add the first application to your scope tree. Choose a pre-production application running on bare metal or virtual machines in your data center. After adding an application, you can begin discovering policies for this application. For more information, see the Scopes and Inventory section of the Secure Workload user guide.

Set up Common Policies at Internal Scope

Apply a set of common policies at the Internal scope. For example, allow traffic from your network to outside your network only through certain ports.

You can define policies manually using Clusters, Inventory Filters, and Scopes, or you can have them discovered and generated from flow data using Automatic Policy Discovery.

After you install agents and allow at least a few hours for traffic flow data to accumulate, you can enable Secure Workload to discover policies based on that traffic. For details, see the Automatically Discover Policies section of the Secure Workload User Guide.

Apply these policies at the Internal (also called Inside or Root) scope so that you can review them effectively.

Add Cloud Connector

If your organization has workloads on AWS, Azure, or GCP, use a cloud connector to add the workloads to your scope tree. For more information, see the Cloud Connectors section in the Secure Workload User Guide.

Quick Start Workflow

  1. (Optional) Take an annotated tour of the wizard. See Tour of the Wizard.

  2. Choose an application to start your segmentation journey. For best results, follow the guidelines in Choose an Application.

  3. Gather IP addresses. The wizard requests four groups of IP addresses. For more information, see Gather IP Addresses.

  4. Run the wizard. To view requirements and access the wizard, see Run the Wizard.

  5. Allow time for the agents to gather flow data. More data produces more accurate policies. The minimum amount of time required depends on how actively your application is used.

  6. Generate ("discover") policies based on your actual flow data. For information on how to generate policies, see Automatically Generate Policies.

Gather IP Addresses

Gather at least some of the IP addresses in the following list:

  • Addresses that define your internal network

    By default, the wizard uses the standard addresses reserved for private internet use.

  • Addresses that are reserved for your data centers.

    This does not include addresses used by employee computers, cloud or partner services, and centralized IT services.

  • Addresses that define your nonproduction network.

  • Addresses of the workloads that comprise your chosen nonproduction application.

For now, you do not need to have all the addresses; you can always add more addresses later.


Important


Each of the four groups above is a subset of the group before it: the data center addresses must be among the internal network addresses, the nonproduction addresses among the data center addresses, and the addresses of your chosen application among the nonproduction addresses.


Choose an Application

Choose an application for the wizard. An application typically consists of multiple workloads that provide different services, such as web services or databases, on primary and backup servers. Together, these workloads provide the application's functionality to its users.

Guidelines for Choosing Your Application

Secure Workload supports workloads running on a wide range of platforms and operating systems, including cloud-based and containerized workloads. However, for this wizard, choose an application with workloads that are:

  • Running in your data center.

  • Running on bare metal or on virtual machines.

  • Running on Windows, Linux, or AIX platforms that are supported by Secure Workload agents; see the Compatibility Matrix.

  • Deployed in a preproduction environment.


Note


You can run the wizard even if you have not chosen an application and gathered IP addresses, but you cannot complete the wizard without doing these things.



Note


If you do not complete the wizard before signing out (or timing out), or if you navigate to a different part of the Secure Workload application using the left navigation bar, the wizard configurations are not saved.


For details about how to add a scope or add Scope and Labels, see the Scopes and Inventory section of the Cisco Secure Workload User Guide.

Run the Wizard

You can run the wizard whether or not you have chosen an application and gathered IP addresses, but you won't be able to complete the wizard without doing these things.


Important


If you don't complete the wizard before signing out (or timing out) of Secure Workload, or if you navigate to a different part of the application using the left navigation bar, wizard configurations are not saved.


Before you begin

The following user roles can access the wizard:

  • Site Administrator

  • Customer Support

  • Scope Owner

Procedure


Step 1

Sign in to Secure Workload.

Step 2

Start the wizard:

If you do not currently have any scopes defined, the wizard appears automatically when you sign in to Secure Workload.

Alternatively:

  • Click the Run the wizard now link in the blue banner at the top of any page.

  • From the navigation pane, choose Overview.

If you have already created scopes, you cannot access the wizard again unless you delete all existing scopes. To do this, see (Optional) Reset the Scope Tree.

Step 3

The wizard explains the things you need to know.

  • Hover over the graphic elements in the wizard to read their descriptions.

  • For more information, click the links and the info buttons.


Automatically Generate Policies

Secure Workload generates or discovers policies based on existing traffic between workloads and other hosts. You can modify, supplement, analyze, and eventually approve and enforce policies on the workloads.

Before you begin

  • Install agents on your application's workloads.

  • Allow some time after agent installation for flow data to accumulate.

Procedure


Step 1

On the Next Steps page of the quick start wizard, click Automatically Generate Policies.

Alternatively, you can do the following:

  1. From the navigation pane, choose Defend > Segmentation.

  2. On the navigation pane, in the scope tree or list of scopes, scroll down to the application scope.

  3. Choose Primary in the scope.

Step 2

Choose Manage Policies.

Step 3

Choose Automatically Discover Policies.

Step 4

Choose the time range for the flow data that you want to include.

Step 5

Choose Discover Policies. The generated policies appear on this page.


(Optional) Reset the Scope Tree

You can delete the scopes, labels, and scope tree that you created using the wizard and then run the wizard again.


Tip


If you want to remove only some of the created scopes and not run the wizard again, delete individual scopes instead of resetting the entire scope tree. To delete a scope, choose the scope and click Delete.


Before you begin

Make sure that you have Scope Owner privileges for the root scope.


Note


If you have created more workspaces, policies, or other dependencies, see the Secure Workload user guide for complete information about resetting the scope tree.


Procedure


Step 1

From the navigation menu, choose Organize > Scopes and Inventory.

Step 2

Click the scope at the top of the tree.

Step 3

Click Reset.

Step 4

Confirm your choice.

Step 5

Refresh the browser page if the Reset button changes to Pending Reset.