
Post on 06-Jul-2020


Pages 1-2: Cisco Tetration Analytics Demo

Ing. Guenter Herold, Area Manager Datacenter, Cisco Austria GmbH

15–16 March 2017 | Cisco Connect | Portorož, Slovenia

Page 3

Agenda

• Introduction
• Theory
• Demonstration


Page 5

Innovation Through Engineering

Infographic figures and labels: <9 months spent on planning; $1B OPEX shifts; DLT members changing roles; 8; >1000 employees involved in Open Source projects; 30% of FY15 revenue are based on Agile and DevOps; Engineering contributed Cisco Net Income growth of 6% (Q3’15); 25,000; $6.3B; Alpha Projects; 190 Tetration patents; Cisco Tetration Analytics™

Page 6

Architecture

Diagram labels: Intent (May); Assurance (Can); Analytics (Did); Configuration Analysis (“Very Large State-Space”); Traffic Analysis (“Lots of Data”); Guarantees; Compliance; Consistency; POLICY; ACI; ADM; Security; Forensics

BRKDCN-2040

Page 8

Cisco Tetration Analytics Focus Areas

• Visibility and Forensics
• Application Insight
• Policy Compliance
• New: Application Segmentation (Automated Policy Enforcement)

Action

TETRATION ANALYTICS 1.0 (Policy Recommendation)

TETRATION ANALYTICS 2.0 (Application Segmentation)

Page 9

Cisco Tetration Analytics Use Cases

• Application Insight and Dependency
• Forensics: Every Packet, Every Flow, Every Speed
• Policy Compliance and Auditability
• Policy Simulation and Impact Assessment
• Automated Whitelist Policy Generation
• New: Application Segmentation (Automated Policy Enforcement)

Page 10

Datacenter Wide Traffic Flow Visibility

Screenshot callouts:
• Information about Consumer – Provider and type of traffic
• Detailed information about the flow

Page 11

You Can’t Protect What You Don’t See

• 60% of data is stolen in HOURS
• 85% of point-of-sale intrusions aren’t discovered for WEEKS
• 54% of breaches remain undiscovered for MONTHS
• 51% increase in companies reporting a $10 million or more loss in the last 3 YEARS

“A community that hides in plain sight avoids detection and attacks swiftly.” — Cisco Security Annual Security Report.

Page 12

Whitelist Policy Model

http://www.asd.gov.au/infosec/mitigationstrategies.htm

Page 13

Whitelist Policy Recommendation

Diagram labels: Application Discovery; App Tier; DB Tier; Storage; Web Tier; Storage; Policy Enforcement

Whitelist Policy Recommendation (Available in JSON, XML, and YAML)

Page 14

Real-Time and Historical Policy Simulation

• Validating policy impact assessment in real time
• Simulating policy changes over historic traffic
• View traffic “outliers” for quick intelligence
• Audit becomes a function of continuous machine learning

Diagram: Cisco Tetration Analytics™ Platform with VM and BM workloads

Page 15

Policy Compliance

• Identify policy deviations in real-time
• Review and update whitelist policy with one click
• Policy lifecycle management

Diagram: Cisco Tetration Analytics™ Platform with VM and BM workloads

Page 16

The Real Value is Business and Operational Insight

Application Discovery (DC Network)
• Dependency Mapping (Security)
• Dependency Mapping (Migrations)

Visibility
• Flow Search
• Deviation Detection

Policy Management
• Simulation and Impact Assessment
• Compliance

Security Policy Enforcement
• Auditing
• Security Enforcement
• Policy Verification ~ ‘what if’
• Threat Detection / DDOS / …

Diagram labels: Increased Visibility; Insightful Data; Policy Discovery / Enforce / Mgmt

Page 17

Tetration Analytics Architecture Overview

Diagram labels:
• Analytics Engine: Cisco Tetration Analytics™ Platform
• Visualization and Reporting: Web GUI; REST API; Push Events
• Data Collection: Host Sensors; Network Sensors; 3rd-Party Metadata Sources
• Tetration Telemetry; Configuration Data
• Cisco Nexus® 92160YC-X; Cisco Nexus 93180YC-EX; VM

Page 18

Tetration Analytics Data Sources

• New! Enforcement Point (Software agents)
• Low CPU Overhead (SLA enforced)
• Low Network Overhead (SLA enforced)
• Highly Secure (Code Signed, Authenticated)
• Every Flow (No sampling), NO PAYLOAD

*Note: No per-packet Telemetry, Not an enforcement point

Software Sensors
• Universal* (Basic Sensor for other OS)
• Linux VM
• Windows Server VM
• Bare Metal (Linux and Windows Server)

Available Now

Network Sensors: Next Generation 9K switches
• Nexus 9200-X
• Nexus 9300-EX

Third Party Sources (3rd party Data Sources)
• Asset Tagging
• Load Balancers
• IP Address Management
• CMDB

Page 19

Application Discovery and Endpoint Grouping

Diagram: Cisco Tetration Analytics™ Platform with BM and VM workloads. Labels: Brownfield; Cisco Nexus® 9000 Series; Bare-metal, VM, & switch telemetry; VM telemetry (AMI …); Bare-metal & VM telemetry

• Network-only sensors, host-only sensors, or both (preferred)
• Bare metal and VM
• On-premises and cloud workloads (AWS)
• Unsupervised machine learning
• Behavior analysis

Page 20

What does the Sensor Collect

Diagram labels: two stacks of Application / Transport / Network / Data Link / Physical; two stacks of Network / Data Link / Physical; Sockets; Process

• Process Information: Which process is it, who started it, etc.
• Device Information: Buffer/ACL Drops, etc.

Page 21

Different Problems will need Different Data Sources

Diagram labels: one stack of Application / Transport / Network / Data Link / Physical; one stack of Network / Data Link / Physical; Sockets; Process

• Network Health, Performance, Monitoring, Capacity
• Application Health, Performance, Monitoring, Discovery
• Security, Application Troubleshooting

Page 22

Hardware Sensor and Software Sensor

Accumulated Flow Information (Volume…)

Software Sensor
• Process mapping
• Process ID
• Process owner

Hardware Sensor
• Tunnel endpoints
• Buffer utilization
• Burst detections
• Packet drops

Flow details

Interpacket variations

Page 23

What We Discovered: To and From DVProd Database

Diagram labels: Internet; IP Storage NAS; TA Cluster; Hadoop; Prod DBs; Non-Prod DBs; Labs; Kicker; Infra APPs; DB Proxy; Monitoring APPs; Internet; Non-Production Databases; LABs

Page 24

Tetration Analytics and

Before

• Complex data center environment

• Lack of automation

• Lack of understanding into each tenant environment

• Exposure to risk of downtime too great to migrate applications safely

After

• Visibility across multi-tenant data center

• Move from tribal knowledge to data-driven decision making

• Reduction in time to understand application dependencies

• Migration to ACI with little downtime risk

Page 25

Data Points

• Understanding of what happens INSIDE a flow
• Distributions (packet sizes, TCP windows…)
• Burstiness
• Anomaly detection
• Latency (application and network)
• VXLAN information
• High rate export capabilities
• 100ms for Hardware
• 1s for Software

Page 26

Context Information

• What happens around this flow?
• Which process owns this flow?
• Who runs it?
• What is the buffer status?
• But also external information
• GeoDB, DNS, reputation lists…

Page 27

Collects the Meta-Data not the Packet

Diagram, packet layouts:
• Ethernet Header | IP Header | UDP Header | VXLAN Header | Ethernet Header | IP Header | TCP Header | Payload
• Ethernet Header | IP Header | TCP Header | Payload
• Ethernet Header | IP Header | UDP Header | Payload

Meta-Data – Including Overlay VXLAN/GRE/IPinIP Encapsulated Header

Privacy Risk

Page 28

Sensor Technology

Columns: Standard Sensors; HW Sensors; Universal Sensors

• RHEL (64 bit) – 5.x, 6.x, 7.x
• CentOS (64 bit) – 5.x, 6.x, 7.x
• Oracle Linux (64 bit) – 6.x, 7.x
• SUSE – 11.2, 11.3, 11.4, 12.1, 12.2
• Ubuntu – 12.04, 14.04, 14.10
• Windows Server 2008 R1/R2 Essentials / Standard / Enterprise / DataCenter
• Windows Server 2012 R2/R2/Essentials/Standard/Enterprise/DataCenter

• Mainframe ZVM (trial)
• AIX-ppc 5.3, 6.1, 7.1, 7.2 (trial)
• Solaris (x86_64)
• RHL 4.x, 5.x (31 bit -386/amd)
• CentOS – 4.x, 5.x (32 bit)
• Windows XP, 2003 (32 bit)
• Windows Server 2008 (32 bit)

Cisco Nexus 9K

Leaf with:
• 92160YC-X
• 93180YC-EX

Spine with:
• X9732C-EX C*

Page 29

Tetration Analytics: Deployment Options

On-Premise Options

Cisco Tetration Analytics (Large Form Factor)
• Suitable for deployments more than 1000 workloads
• Built in redundancy
• Scales up to 10,000 workloads
Includes:
• 36 x UCS C-220 servers
• 3 x Nexus 9300 switches

Cisco Tetration-M (Small Form Factor)
• Suitable for deployments under 1000 workloads
Includes:
• 6 x UCS C-220 servers
• 2 x Nexus 9300 switches

Public Cloud (Amazon Web Services)

Cisco Tetration Cloud
• Software deployed in AWS
• Suitable for deployments under 1000 workloads
• AWS instance owned by customer

Page 31

Host Based Enforcement

Diagram labels, one group per infrastructure, each ending at a Workload:
• 7K 5K 2K: VLANs; ACLs; Subnets
• ACI: EPGs; Contracts; BDs
• Hypervisor: Security Groups; Port Groups; Security Rules
• AWS: Security Rules; Security Groups; Interfaces

A trusted module inside the workload enforces your intent

Page 32

Security

Same level of security, any infrastructure.

Diagram labels: Application; Infrastructure; Denies; Allows; Process; End Point

Intent is rendered as security rules in native host firewalls

Page 33

Any Infrastructure, Any Networking, Same Security Model, Rich Context

Diagram labels: four stacks of Application / Denies / Allows / Process / End Point; Network Infrastructure; Cloud Infrastructure; Network Infrastructure; Hypervisor Virtual Network; Bare metal; Cloud; Virtual

Page 34

Mobility

Diagram labels: Security Rules; VLANs; ACLs; 7K 5K 2K; Cloud; Security Groups; Interfaces; Subnets; EP; EP

Tetration calculates all necessary rule changes and automatically applies

Intent stays with the endpoint, no matter the infrastructure it resides on

Page 35

Why should I understand dependencies?

• Identify a single point of failure that should be replicated
• Find all the parts of a service that should be migrated together to the cloud
• Replace infrastructure components of an undocumented application
• ACI application profiles, end point groups, and contracts based on applications

Page 36

Application Dependency Mapping

Diagram labels: Load Balancer; Database; App

Page 37

Understand the communication

Diagram labels: Load Balancer; Database; App

Page 38

Initial recommendations

Diagram labels: Load Balancer; App; Database; Cache

Page 39

Optional and minimal human supervision

Diagram labels: Load Balancer; App; Database; Cache

Page 40

Approve the clustering

Diagram labels: Load Balancer; App; Database

Page 41

Enforcement Anywhere

Diagram labels: Cisco Tetration Analytics™; Cisco ACI™ and Cisco Nexus® 9000 Series; Standalone Linux and Microsoft Windows Servers and VM; Public Cloud; Data

Whitelist policy

    {
      "src_name": "App",
      "dst_name": "Web",
      "whitelist": [
        {"port": [ 0, 0 ], "proto": 1, "action": "ALLOW"},
        {"port": [ 80, 80 ], "proto": 6, "action": "ALLOW"},
        {"port": [ 443, 443 ], "proto": 6, "action": "ALLOW"}
      ]
    }

• Cisco ACI EPG/Contract Integration via Cisco ACI Toolkit

• Traditional Network ACL

• Firewall Rules

• Host Firewall Rules
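The whitelist policy above, checked against observed flows and rendered as host firewall rules, as an added example (not Cisco's code or output). The group addresses, the flow records and the iptables rendering are constructed assumptions; the policy fields are read as an inclusive port range and an IANA protocol number (1 = ICMP, 6 = TCP).

```python
import ipaddress
import json

# Policy text as shown on the slide.
POLICY_JSON = """
{"src_name": "App", "dst_name": "Web",
 "whitelist": [
   {"port": [0, 0],     "proto": 1, "action": "ALLOW"},
   {"port": [80, 80],   "proto": 6, "action": "ALLOW"},
   {"port": [443, 443], "proto": 6, "action": "ALLOW"}]}
"""

# Constructed: the slide names the groups but gives no addresses.
GROUPS = {"App": ["10.0.2.0/24"], "Web": ["10.0.1.0/24"]}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def load_policy(text):
    """Parse the policy and reject entries a whitelist should never contain."""
    policy = json.loads(text)
    for rule in policy["whitelist"]:
        lo, hi = rule["port"]
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {rule['port']}")
        if rule["action"] != "ALLOW":
            raise ValueError("a whitelist entry must be ALLOW")
        if rule["proto"] not in PROTO_NAMES:
            raise ValueError(f"unknown protocol number: {rule['proto']}")
    return policy


def in_group(ip, group):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in GROUPS[group])


def check_flow(policy, flow):
    """Classify one flow record as PERMITTED, DEVIATION or OUT_OF_SCOPE."""
    if not (in_group(flow["src"], policy["src_name"])
            and in_group(flow["dst"], policy["dst_name"])):
        return "OUT_OF_SCOPE"  # another policy covers this group pair
    for rule in policy["whitelist"]:
        lo, hi = rule["port"]
        if rule["proto"] != flow["proto"]:
            continue
        # ICMP carries no ports, so the protocol match alone decides.
        if flow["proto"] == 1 or lo <= flow["dport"] <= hi:
            return "PERMITTED"
    return "DEVIATION"  # traffic between the groups that nothing allows


def render_iptables(policy):
    """Render the policy as INPUT rules for a host in the destination group."""
    rules = ["-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for src in GROUPS[policy["src_name"]]:
        for rule in policy["whitelist"]:
            lo, hi = rule["port"]
            match = f"-p {PROTO_NAMES[rule['proto']]}"
            if rule["proto"] in (6, 17):
                match += f" --dport {lo}" if lo == hi else f" --dport {lo}:{hi}"
            rules.append(f"-A INPUT -s {src} {match} -j ACCEPT")
    rules.append("-A INPUT -j DROP")  # whitelist model: everything else is denied
    return rules


POLICY = load_policy(POLICY_JSON)
# Constructed flow records (metadata only, no payload).
FLOWS = [
    {"src": "10.0.2.15", "dst": "10.0.1.10", "proto": 6, "dport": 443},
    {"src": "10.0.2.15", "dst": "10.0.1.10", "proto": 6, "dport": 22},
    {"src": "10.0.2.15", "dst": "10.0.1.10", "proto": 1, "dport": 0},
    {"src": "10.0.3.7", "dst": "10.0.1.10", "proto": 6, "dport": 80},
]

if __name__ == "__main__":
    for f in FLOWS:
        print(check_flow(POLICY, f), f)
    print("\n".join(render_iptables(POLICY)))
```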

Public cloud: Amazon Web Services; Microsoft Azure; Google Cloud

Page 42

Demo Time