Understanding the business intent

Superior applications are the foundations of successful businesses. To completely understand the intent of your business is to understand the application requirements and their dependencies. Once deployed, how often do you audit your applications. Do they continue to meet your business expectations? Are these applications secure or do security concerns keep you up all night?

 

One thing is for sure; successful business outcomes can never be left to chance.

Let us understand our applications first

How well do you understand your applications? How about application dependencies? Do you have real-time visibility? How much is enough when sampling application flows for desired telemetry? Are your forensics teams able to meet MTTI  (Mean Time To Investigate) goals? Just a few of the many questions.


A few years ago, finding answers to these questions would mean investing  in a huge task force comprised of 3
rd party analysts, sniffer tools, proprietary software etc. and yet come short on results.

Thankfully, today, the  perfect answer lies just a few clicks away!

1

A wealth of information at a glance. Tetration Dashboard gives you a comprehensive real time view of your application flows identified by port number, associated IP address and host names.

An eye on business compliance

The traditional ways of achieving datacenter compliance are no longer sufficient. Ever expanding application flows by virtue of server virtualization and cloud computing make this process even more complex.

 

Being proactive is the best way to achieve   compliance. Why leave compliance to guesswork?

 

Capturing the business intent

Capturing business intent starts with an holistic understanding of your applications. The Tetration platform collects, stores and analyzes metadata for every packet that flows in the datacenter with a focus on application segmentation, compliance and policy enforcement use cases. The recommended Policy that we see here  is derived from such flows, annotations and contextual data about the endpoints within the datacenter. Combined together with unsupervised machine learning, Cisco Tetration platform is able to provide complete and real time network and flow performance insights for all your applications.

Conveying complex information simply

Complex information when presented simply drives confident decision making.

 

One such example is the visual depiction of your entire application.

 

In this example, The app view provides a visual depiction of the application inter-dependencies and shows the port based information including the consumer, provider and services consumed information based on the flows observed.

 

The traditional CLI based approach to networking simply would not match up.

 

Could this be a potential policy?

This is where insights turn in to actions. What we see here is an example of a recommended policy based on actual telemetry data gathered from hardware and software sensors, then analyzed by Tetration engine using advanced machine learning techniques.

 

Backed by data, Datacenter administrators can now choose to apply the recommended policies in their environments with high level of confidence.

Performing Policy integrity check

Datacenter managers spend tremendous amount of time trying to come up with various checks in place for correctness of applied policies. Such an approach however will always be a reactive one. Unless they continue to monitor the traffic in real-time, which is impractical, applications will continue to experience policy related issues and outages detrimental to the business.

 

Tetration provides an easy way out by letting you test your potential policies against actual production traffic, both real time as well as historical.

Running the policy validation experiment

Running policy experiments against desired traffic in your data center environment is a paradigm shift in the traditional ways of networking. No amount of automation and custom scripting come close to this level of sophistication and offer high level of confidence in creating secure application policies.

 

Creating an experiment is rather easy. We will need to specify the period for the traffic against which we wish to test our potential policy.

Final policy integrity check

A task that seem so simple as this can save a network administrator many hours of manual work and potential application issues, sometimes as drastic as complete application failures resulting in prolonged downtimes detrimental to business.

 

Once the policy integrity check is complete, we will proceed to check the “Escaped” and the “Rejected” tabs to make sure no unwarranted traffic gets through and the results are desirable.

Enforcing policies at the end points

When we typically talk about enforcing policies, we refer to the SDN controller. Tetration however helps us apply and enforce policies at the workloads themselves. You can consider this to be yet another line of defense within your data center perimeter.

Moving on to applications ...

A final word before we move on to activating our business intent.

Tetration enforces consistent security policy applied holistically across each application. Policy is enforced regardless of where the application resides: virtual, bare metal, physical servers, or in private or public clouds, across any vendor’s infrastructure. This new enforcement model binds policies to workload characteristics and behaviors while ensuring that the policy stays intact even as the workload moves.

Activating the business intent – where rubber meets the road

Now is the time to convert insights from Tetration into actions with Application Centric Infrastructure (ACI).

 

Understanding the application behavior is one thing, but managing the application lifecycle as well as the underlying infrastructure for successful business outcomes is another.

 

How do you provide centralized access to all fabric information for maximizing application success. How do you optimize the application lifecycle for scale and performance, and support flexible application provisioning across physical and virtual resources? Welcome to the world of ACI.

Securing your tenants- Excecuting the business intent

Having a high level of confidence while applying a particular policy to your tenants/applications is the key.

 

For the purpose of demonstration, we have already created a tenant. We will see how easy it is to create a whitelist  policy between the End point Groups (EPGs) of that tenant for a particular application.

1

The Franciscos is a tenant we have defined previously. The application within the tenant has multiple end point groups (EPGs). For simplicity, we have defined three EPGs, namely - Web,App and NFS. We will apply the recommended policy (contracts) between these EPGs.

Automating business intent execution

Making policy changes to an application in your production environments is easier said than done. While there are immense technical implications, the associated process overhead cannot be overlooked. It often involves human interaction such as the virtual administrator talking to the network administrator.

 

ACI unifies the playing field for the various personnel involved by providing a policy based model as well as single pane of management for ease of operations. Such sophistication of automation minimizes frictions around applications deployments.In our example, we will now select a tenant where we need to enforce the recommended policy

Whitelist policy creation – step 1

The APIC GUI is very intuitive. An Application Profile (AP) that represents the application can be found under Tenants. The EPGs defined for this AP are visually depicted.

 

As discussed earlier, the APIC GUI provides a powerful visual depiction of various constructs within our Data center which are logical abstractions of both physical and virtual elements.

 

For now, no relationships exist between the EPGs. In other words, they cannot communicate. We need to specify the rules with which they can if we intend to. This is referred to as “Whitelist policy”

Whitelist policy creation – step 2

To create a contract, just drag the contract icon and drop it between those EPGs you wish to establish communication.

Whitelist policy creation – step 3

A contract is list of rules that establishes communication between the EPGs. Such a list of rules is referred to as a list of filters in ACI.

 

While we create a filter for our contract, here is a little clarification.

 

So far what we have been referring to a “recommended policy” from tetration is in fact a filter. Although many people use the terms interchangeably, a policy in reality is a contract that can contain more than one filters.

Operatinalizing business intent

Half the job done! The business intent that was verified and captured by Tetration by understanding the application has now been operationalized.

 

But what next? How do ensure that nothing will ever go wrong? How will you be sure the policies stay intact? How will you assure yourself a peaceful nights' sleep knowing someone has your back.

 

Assuring business intent

Not many people would disagree being proactive is the best way to achieve compliance.

 

How do you verify the entire network for correctness, giving you the  confidence that your network is always operating consistent with the intent that we captured and operationalized in the earlier sections. How do you ensure connectivity and eliminate potential network outages and vulnerabilities before any business impact occurs by continuously analyzing and verifying the dynamic state of the entire network against intent and policy?

 

That is where Cisco Network Assurance Engine comes into play.

Active policy monitoring to assure business intent

The Network Assurance Engine dashboard provides valuable insights into your network operations with intuitive dashboards that display current and historical trends of Smart Events thereby showing the assured state of the network across time.

 

For the purpose of this demonstration, we will narrow our focus on the policy related issues. We will depict a “fat finger” issue where a filter we previously created was deleted.

Finding a needle in the haystack

Anyone who has debugged network failures can attest to the fact the effort is no less than finding a needle in the haystack.

 

Fortunately for us, real time change analysis with Cisco Network Assurance Engine makes finding such failures a breeze.

 

In just a single click, we are able to determine the existence of a particular contract with a missing contract.

Fixing the issue, proactively

In this case, the Network Assurance Engine is able to pin point the missing filter and recommends the necessary fix.

Policy remediation

A walk in the park really! Network Assurance Engine does all the heavy lifting. All we have to do is add the missing filter back to the contract and we are back in business !

Closing the intent loop

Back in business indeed! But how about protecting the applications from external threats ?

Protecting the intent cycle – above and beyond!

Threat vectors continue to explode. And there is no stopping them. The best we can do is to proactively monitor such threats. So how do you prevent another Equifax situation?

 

Cisco Tetration offers holistic workload protection for multicloud data centers by enabling a zero-trust model using segmentation. This approach allows you to identify security incidents faster, contain lateral movement and reduce your attack surface.

 

For demonstration purposes, we will look into how we can prevent a Equifax type hack where the  attackers exploited the Apache Struts violation.

1

Cisco Tetration Workload Protection includes a multitude of capabilities that are beyond the scope of this walkthrough. This simplistic yet powerful use case is a good way to highlight the simplicity of Cisco Tetration platform in delivering such a powerful use case.

Checking against the Common Vulnerabilities and Exposures (CVE) database

Cisco Tetration platform  cross-checks every software package against the full CVE database looking for vulnerable packages, taking into account the version of the software package, the impact scores, and so on.

 

For demonstation purpose, we will create a policy that will proactively deny access to any endpoints that would have an CVE impact score >=9 . In other words, unless all the endpoints have the latest patches from the CVE database, no access will be granted to them as they may be considered vulnerable.

Defining the CVE policy

We will now enforce the CVE filter.

 

It is worth noticing the simplicity with which we can perform such complex operations while providing network operators the highest level of security their business demands for maximizing profitbality.