I was recently speaking to a customer in the critical infrastructure segment who planned to migrate from a legacy Cisco Data Center network to Cisco Nexus 9K and eventually ACI. This customer’s systems were hyper-sensitive, highly regulated and required 100% uptime, as is typical of critical infrastructure.
The customer elected for a two-phase migration approach in order to mitigate their risks. Phase 1 would focus on a network-centric migration where the primary goal was to swap out the legacy network and replace it with ACI-enabled Nexus 9K switches. Phase 2 would focus on applications and building out programmatic infrastructure using Cisco ACI. Here, the scope of the project was to deploy ACI and vArmour into a brownfield environment. Initially, the customer felt that vArmour’s only value was in firewall replacement once they migrated to ACI. However, after further investigation, the customer concluded that vArmour added tremendous value across both phases, and elaborated further:
Value in Phase 1: The plan was to focus on a network-centric replacement of their existing environment. The task of swapping out their old kit for new kit was hard enough without making broader changes. Part of the challenge was that the customer had dozens of firewalls isolating hundreds of systems connected via the old kit. Regulators have typically required stateful controls across specific systems and segments. These mandates grew organically over time, and with them grew the number of firewalls, firewall policy rules, VLANs and segments. Ultimately, this organic growth resulted in a lot of complexity in an environment where the network had to perform 100% of the time, even under migration. Therefore, the customer elected for a risk-averse implementation where the primary focus was to swap out the legacy hardware for new hardware and migrate all firewalls, VLANs and segments to the new network.
Understanding the customer’s risk appetite, vArmour suggested two ways that the vArmour DSS could mitigate risk in Phase 1:
- vArmour for visibility, for troubleshooting and asset discovery: With roughly 10 years of virtualized systems in the environment, documentation of all the dependencies between users, networks and applications was difficult to extract without proper tools. Prior to vArmour, the tools available from other vendors delivered only fragments of the data path and lacked full Layer 7 context. With vArmour’s Analytics, the customer benefited from full Layer 7 visibility and context, enabling a complete view of East/West traffic to baseline before and after migration. When connectivity issues arose during the migration, the customer could rely upon vArmour for fast resolution because they could see the full data path. Having a tool like vArmour in place delivering visibility significantly increased the customer’s confidence in their plan.
- vArmour as a fail-safe: Aware of the gap in visibility within the virtual estate itself, the customer recognized that there was a high likelihood of undocumented dependencies between virtual machines, ACLs and firewall policies. In “Visibility Only” mode (aka Tap mode), vArmour could be inserted without changing the data path and still see all traffic. However, if a firewall or ACL policy broke once the infrastructure was swapped, vArmour could immediately move from “Tap mode” to “Inline mode” and start enforcing policies as needed. Once vArmour was inline and enforcing policy, the customer could remove the rules and ACLs breaking the connection. In this manner, the customer removed dependencies on the firewalls; this was another major confidence booster.
What made this really compelling for the customer is that no changes to the network topology were required in order to implement vArmour in Tap mode or Inline mode. Since vArmour lives within the hypervisor, it is topology agnostic, with a clean demarcation between the network fabric topology terminating at the top-of-rack switch and the ESXi host node where vArmour resides. When inserted here, the customer could move vArmour into Tap mode for visibility and Inline mode for policy enforcement without any changes to the network. vArmour eliminates the dependency on network construction. Because vArmour sits on the hypervisor as a guest VM, policy enforcement occurs right next to the asset rather than at the North-South edge. Without dependencies on network topology, the customer could apply security policies via vArmour DSS, thus mitigating any risks posed by the firewalls in the migration process. In this way, the customer designed vArmour as the fail-safe within their migration architecture and plan.
Value in Phase 2: The customer wanted to continue the migration by implementing ACI and actively retiring firewalls. In this phase, the customer replaced legacy network construction with policy-based networking. As part of the migration, the customer saw tremendous value in replacing firewalls with the vArmour Distributed Security System.
- Agility: The customer realized that if they were going to orchestrate the network, then they would need to orchestrate security as well. Since security needed to be stateful, the security team mandated firewalls or an equivalent stateful solution. Unlike traditional stateful controls, this security solution needed to function at the application level, with the vArmour DSS abstracting the underlying network from the operator. The solution needed to treat security the way Cisco ACI treats the network: application-centric. Furthermore, the solution needed to be 100% programmatic, so that any change in the application infrastructure would result in an automatic change in policy. In this way, the customer could spin up and spin down, move and maintain workloads across the virtual estate without constantly requiring firewall rule changes at the network level. The customer saw that the vArmour DSS interprets networking changes via API calls to both vCenter and APIC for awareness of the network and the workload. The vArmour DSS deploys policy with the workload, regardless of location or IP, so the policy follows the workload based upon the application. The vArmour DSS framework makes state mobile, thus enabling full workload mobility. This approach eliminates security policy as the bottleneck to agility. Only vArmour could deliver this along with Cisco ACI.
- Reduction in attack surface: The combination of stateless and stateful L7 controls across the virtual estate provided a layered security approach in which Cisco ACI performed the high-speed functions and vArmour DSS performed the compute-intensive security functions. Once segmentation and micro-segmentation policies were rolled out across systems, the environment was fully compartmentalized. The combination reduced the attack surface down to the specific application used to access a system or service. At the same time, the combination offered the flexibility to relax security controls around less sensitive assets as needed.
- Regulatory compliance: The customer had to meet compliance regulations. They saw that the vArmour DSS and Cisco ACI solution can get the auditors off your back in a hurry. For starters, full visibility of East/West traffic creates a rich dataset for reporting. vArmour makes baselining simple and efficient: a report in a few clicks. Second, if a change to a segment or control is required, vArmour can help implement the change immediately across the virtual estate. With the change management record in place, the customer could prove that the change was made immediately. This approach reduced time to compliance for network isolation and segmentation related matters from months to minutes. vArmour DSS and Cisco ACI combined to eliminate headaches for operations while keeping auditors happy.
- Cost reduction: The customer was feeling the pain, with firewalls in the data center being expensive to acquire and costly to maintain. For physical firewalls, they had to estimate the size of the box and the number of units needed. They had to consider performance and high availability. Some of these boxes cost upwards of $30k per gigabit of throughput. In a data center network where they needed dozens of 40 Gbps uplinks, they were looking at major spend. They thought about going the virtual route, but realized that they would be introducing yet another set of bottlenecks: most virtual firewall appliances have yet to crack the multi-gigabit threshold. And they still had to consider network policies that required constant maintenance and management. They had to keep in mind that a change in the virtual environment would result in a change in their firewall, regardless of whether it was virtual or physical. All these moving parts would escalate costs, complexity and operational burden.
By purchasing vArmour as part of the 9K upgrade and migration, the customer prepared themselves well with:
- Mitigation of firewall dependencies
- Visibility in Phase 1
- Baselining and troubleshooting, both before and after the migration, to ensure operational continuity
- A back-out plan using vArmour as a fail-safe in the event of a firewall or ACL issue
These tactics combined to deliver confidence of success during the migration process. Then, as the customer moved from Phase 1 to Phase 2, they could migrate policies simply and efficiently from their legacy network and firewalls as they rolled out Cisco ACI. In this phase, the customer delivered tremendous agility to the business while reducing spend, improving security and maintaining regulatory compliance. In the end, the customer created a strong plan to leverage vArmour across both phases of the project to achieve their ultimate goal: a risk-averse migration and an evolution of the data center network that positioned the customer’s business for success in the cloud era.