Application-Aware Microsegmentation on Cisco ACI

The best enterprise infrastructures today are Agile - this means that they are programmable and automated, with full insight and visibility into every layer of the environment to ensure that the infrastructure stays dynamic and compliant.

One of the prominent network infrastructures today is the Cisco Application Centric Infrastructure, also referred to as Cisco ACI. The Cisco ACI architecture is based upon a highly scalable Spine and Leaf network fabric, delivering great performance and resiliency. Organizations benefit from a centralized configuration model by having one place to manage the switching and routing operational lifecycle. While the ACI architecture is well suited for programmability and orchestration in order to deliver agility up to network Layer 4, it does not solve for application-aware security use cases in the data center.

vArmour DSS Distributed Security System is an innovative data center and cloud security infrastructure solution that delivers a distributed platform with integrated security services including software-based segmentation, microsegmentation, application-aware monitoring, and cyber deception to help organizations protect critical applications and workloads.

Let’s look at the two technologies to understand what they do and why they are such a great fit together.

Cisco ACI:
Cisco ACI consists of two components:

  • The Infrastructure component - the hardware, including spine and leaf switches such as the Nexus 9000 series.
  • The Automation component - the Cisco Application Policy Infrastructure Controller (Cisco APIC), the controller that automates operations across the data center infrastructure.

An orchestrated network solution like ACI has many benefits:

  1. Network Automation - Orchestrate services and capabilities across the ACI fabric using the Cisco APIC
  2. Scalability - Very high-throughput network infrastructure that can support high-density virtualized environments at scale across the enterprise data center
  3. Workload classification - Group workloads logically into categories called Endpoint Policy Groups (EPGs). An EPG houses workloads based on their behavior, responsibilities, and the types of applications they are running.

Cisco ACI also has limited functionality in a few areas:

  1. Visibility: While ACI certainly provides throughput and bandwidth utilization controls and metrics across your physical infrastructure, it has very limited insight into the “virtualized” infrastructure. For example, when workloads are on the same hypervisor and are members of the same EPG, there is no visibility into whether, or how, those workloads are communicating. Additionally, ACI only provides information up to the OSI transport layer (Layer 4), which means it can be very difficult to identify which applications are being used within the data center.
  2. Limited policy enforcement: ACI can only enforce policy on leaf switches based on Layer 4 ports, much like traditional router ACLs. This policy enforcement does not give you the granular ability to enforce policy based on the Layer 7 applications running within your infrastructure. In addition, the ability to assert granular control within an EPG is missing.
  3. Optimized segmentation: Within ACI, in order to fully segment hypervisor-based workloads (VMs) you are required to create many EPGs (for full microsegmentation you would need one EPG per VM) and then “hairpin” all traffic to the leaf switch for Contract/ACL processing. This requirement not only makes your EPG configuration more complex, it also typically reduces hypervisor uplink capacity, impacting the manageability and scalability of the infrastructure.

vArmour DSS Distributed Security System:
vArmour DSS is a distributed security platform with integrated security services that complements ACI.

vArmour delivers:

  • Local Segmentation Services (inter-EPG and intra-EPG): Because of vArmour’s distributed architecture, a security processing engine (referred to as an Enforcement Point interceptor, or EPi) is placed on each hypervisor as a guest VM. This distributed data plane provides local segmentation services within the hypervisor. Security processing (stateful Layer 7 segmentation) is performed at the VM network interface level, effectively accomplishing local microsegmentation within the hypervisor for all workload traffic (including inter-EPG segmentation). There is no need to hairpin traffic within your network infrastructure, and your ability to fully microsegment is not limited by the number of EPGs that exist within ACI.
  • Centralized Layer 7 Policy: vArmour provides the ability to define full stateful Layer 7 policy from a centralized location. This means that organizations have the flexibility to define both global security policies (applied to all workload traffic) and intent-based security policies that apply only to the workloads supporting a specific business application. Security policy is applied to workloads dynamically, regardless of network configuration or EPG membership. This combination delivers audit-ready, agile security policy for individual applications while still enforcing organization-wide security mandates.
  • Full Layer 7 visibility: Because vArmour sits where the workload/VM connects to the network, the local EPi on each hypervisor has the unique ability to perform real-time Layer 7 analysis (Application ID) on all ingress/egress network flows for each workload. This information can be used to provide agentless, application-level network telemetry data to external application dependency mapping tools such as Cisco Tetration.

Consider a real-world scenario: You are in the process of migrating a legacy application environment into a new ACI-enabled infrastructure. During the migration you encounter difficulties converting your previous VLAN structure into more granular, intent-based EPGs. As a result, you simply migrate your VLANs one-to-one into EPGs. At this point you identify that one of your EPGs contains a mixture of in-scope PCI assets and out-of-scope assets. To meet your compliance requirements, you implement an ACI-integrated vArmour segmentation solution that dynamically detects PCI assets (via workload metadata) and isolates those assets from all out-of-scope EPG members while providing granular Layer 7 ingress control.

With vArmour you can write granular policy and proactively define the specific communications that are allowed for applications between workloads. This policy is enforced locally, without the hairpinning bottleneck discussed earlier, and gives you the ability to enforce policy in fine-grained detail across your virtual environment. As a result, you gain complete visibility into the applications and workloads in your virtual environment; you can set policy for transactions between applications and use the vArmour distributed security platform to extend that policy across your virtual infrastructure. Now, when a workload moves, its associated policy moves with it and is enforced no matter where it lands in your environment.
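The scenario above can be modelled as a small policy evaluator. The following is an added example, not vArmour's or Cisco's code, and the ACI contract set, the tag names (pci, pci-web, pci-app, pci-db, lb), the EPG names and every flow are constructed for illustration. It models fabric enforcement as Layer 4 contracts between EPG pairs with no filtering inside an EPG, and layers a hypothetical metadata-driven Layer 7 policy on top, evaluated at the VM interface. The last two flows show the policy following a workload's metadata after its EPG membership changes.

```python
"""Added example: tag-driven Layer 7 microsegmentation on top of Layer 4 EPG contracts.
Everything here (EPGs, tags, contracts, flows) is constructed; nothing is a real
vArmour or Cisco API."""
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass(frozen=True)
class Workload:
    name: str
    epg: str                                               # ACI Endpoint Policy Group
    tags: frozenset = field(default_factory=frozenset)     # workload metadata, e.g. PCI scope


@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    proto: str
    port: int
    app: str                                               # Layer 7 Application ID seen at the VM NIC


# Constructed ACI contracts: (consumer EPG, provider EPG, proto, port).
ACI_CONTRACTS = {("legacy-vlan10", "legacy-vlan20", "tcp", 3306)}


def aci_permits(flow: Flow) -> bool:
    """Model of fabric enforcement: Layer 4 only, and traffic between two
    members of the same EPG is never filtered by a contract."""
    if flow.src.epg == flow.dst.epg:
        return True
    return (flow.src.epg, flow.dst.epg, flow.proto, flow.port) in ACI_CONTRACTS


@dataclass(frozen=True)
class Rule:
    name: str
    src_tag: Optional[str]   # tag required on the source, None = any source
    dst_tag: Optional[str]   # tag required on the destination, None = any destination
    app: Optional[str]       # required Layer 7 Application ID, None = any
    action: str              # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return ((self.src_tag is None or self.src_tag in flow.src.tags)
                and (self.dst_tag is None or self.dst_tag in flow.dst.tags)
                and (self.app is None or self.app == flow.app))


# Hypothetical metadata-driven policy, first match wins. The two intent rules
# describe the PCI application; the global rule isolates every PCI-tagged
# workload from everything else, including members of its own EPG.
L7_POLICY = [
    Rule("pci-lb-to-web", "lb", "pci-web", "https", "allow"),
    Rule("pci-app-to-db", "pci-app", "pci-db", "mysql", "allow"),
    Rule("isolate-pci", None, "pci", None, "deny"),
]


def l7_permits(flow: Flow, default: str = "allow"):
    """Evaluate the hypervisor-local Layer 7 policy. Out-of-scope traffic that
    matches no rule keeps the fabric's behaviour (default allow); a stricter
    deployment would pass default='deny'."""
    for rule in L7_POLICY:
        if rule.matches(flow):
            return rule.action == "allow", rule.name
    return default == "allow", "default-" + default


def decide(flow: Flow):
    """Combined decision: the fabric contract and the local policy must both permit the flow."""
    if not aci_permits(flow):
        return False, "aci-contract"
    return l7_permits(flow)


# Constructed workloads: a VLAN migrated one-to-one into an EPG, so in-scope
# PCI assets and out-of-scope machines share "legacy-vlan10".
LB1 = Workload("lb1", "legacy-vlan10", frozenset({"lb"}))
WEB1 = Workload("web1", "legacy-vlan10", frozenset({"pci", "pci-web"}))
APP1 = Workload("app1", "legacy-vlan10", frozenset({"pci", "pci-app"}))
DB1 = Workload("db1", "legacy-vlan20", frozenset({"pci", "pci-db"}))
LEGACY1 = Workload("legacy1", "legacy-vlan10")
LEGACY2 = Workload("legacy2", "legacy-vlan20")


def scenario() -> dict:
    """Decisions for a handful of constructed flows, keyed by a short label."""
    moved_db = replace(DB1, epg="legacy-vlan10")  # same EPG as everything else now
    checks = {
        "lb->web https": Flow(LB1, WEB1, "tcp", 443, "https"),
        "legacy->web https (same EPG)": Flow(LEGACY1, WEB1, "tcp", 443, "https"),
        "app->db mysql": Flow(APP1, DB1, "tcp", 3306, "mysql"),
        "app->db ssh on 3306": Flow(APP1, DB1, "tcp", 3306, "ssh"),
        "legacy->legacy mysql": Flow(LEGACY1, LEGACY2, "tcp", 3306, "mysql"),
        "legacy->legacy ssh": Flow(LEGACY1, LEGACY2, "tcp", 22, "ssh"),
        "app->moved db mysql": Flow(APP1, moved_db, "tcp", 3306, "mysql"),
        "legacy->moved db mysql": Flow(LEGACY1, moved_db, "tcp", 3306, "mysql"),
    }
    return {label: decide(flow) for label, flow in checks.items()}


if __name__ == "__main__":
    for label, (allowed, reason) in scenario().items():
        print(f"{label:32} {'ALLOW' if allowed else 'DENY':5} ({reason})")
```

The second flow is the one ACI alone cannot stop: both endpoints sit in the same EPG, so no contract is consulted, and only the tag-based rule at the VM interface denies it. The fourth flow shows why Layer 4 contracts are insufficient as PCI ingress control: the port matches the contract, but the Application ID does not match the intent rule, so the flow is denied.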

How is all this automation happening? With APIC, you can control various functions across your ACI infrastructure, and automate infrastructure operations. The vArmour controller (known as the Director), with its open APIs, attaches to APIC to fully automate vArmour security within the APIC operational lifecycle and delivers advanced application-aware security across the entire ACI infrastructure.

Better Together with Cisco ACI and vArmour DSS

Together, you now have, fully automated:

  • Complete application-aware Layer 7 visibility
  • Local microsegmentation within the hypervisor and within the EPG, and
  • Enforcement of Layer 7 application policy for each workload within the environment, establishing very granular policies that are mirrored across the entire virtual infrastructure of your data center.