During our successful networking event at Minus5 Ice Bar on Monday evening (check out the photos from the event), one customer asked me how vArmour DSS works with Cisco ACI and Cisco Tetration. Short answer: we drive out complexity, reduce costs, and improve security; but so many solutions claim to do that. The answer he was looking for was more about why and how we do it.
I started asking questions. How long has he used virtualization in his environment? 10 years. During that time, his organization has done a minimum of two hardware refreshes, thousands of maintenance mode and vMotion events, and had multiple system administrators modifying systems. There have been 3-5 waves of SAN events (refreshes, add-ons, etc.) and, like most companies have gone through, at least one move and one major data center consolidation. I asked what the probability is that his administrators had documented every move, add or change based upon the app, system, IP, MAC or other systems to which a workload is connected. He responded with zero; it simply never happened.
So what does all that mean? It means he has pretty minimal visibility into what is happening inside his data center. In fact, we find most customers have never mapped IP to system to application, and have little orientation on where an app lives, what it does, or what is connected to it. This slows his time to market with new applications, it adds cost and complexity to his data center, and it makes him less agile as he grows his network.
This is where Cisco and vArmour have a combined solution to deliver continuous monitoring, advanced analytics, and data center optimization benefits. The combination of Tetration with vArmour DSS gives companies instant answers to almost any question they ask about top talkers and application dependency mapping. Secondly, with vArmour DSS, companies get a threat lens on the data, so they can start to understand risks, detect anomalies, and identify misconfigurations.
I asked the customer, "How many segments do you have in your network?" I defined a segment as an address space with a gateway, firewall or some kind of control between it (the address space) and the rest of the network. He said roughly 400. My next question was, "How challenging is that to troubleshoot when you have a network issue? How does troubleshooting change when there's a firewall vs. an ACL?" His response: "It's difficult enough without a firewall, but it becomes a bigger issue with one."
vArmour and Cisco solve the segmentation problem by making networking simpler. Cisco moves the network configuration from access control list rules to policy-based networking. Here, network administrators build security policies based upon the application. The network (ACI) does the rest. On top of ACI, vArmour DSS delivers stateful inspection with security policy enforcement up to Layer 7. This combination of vArmour DSS and ACI pulls together all of the Layer 2-4 controls in ACI, complements them with Layer 4-7 controls in vArmour, and aggregates all telemetry from both systems into Tetration, so customers can achieve speed, security, and compliance.
I explained that the combined vArmour and Cisco approach allows data center architects and network administrators to design resource pools and flatten the network topology. This drives the complexity out of the network. Operators work with a simple network construct, without sacrificing security or the ability to meet regulatory compliance. And then I shared how the customer has the choice and flexibility to segment or micro-segment, based upon the demands of the business or application. Customers can add security to sensitive assets with a strict policy up to L7, or have a less granular policy for less sensitive assets. Customers can respond to events by compartmentalizing and isolating assets on demand. And best of all – it's all way simpler than any other micro-segmentation solution on the market today.