Friday, March 10, 2017

The Power of Accurate and Open Application Discovery

Cisco Tetration Analytics brings the power of Big Data and Analytics to the data center network, and is designed to derive real, actionable insights from that data without the IT organization needing any Data Science experience.  One of Tetration's key strengths is its ability to automatically untangle the spiderweb of applications deployed in the data center.  These applications are made up of VMs, physical hosts, clusters, load balancers, and containers.  They require shared services.  They may be in a private data center or in a cloud environment.  They are often secured at the edge with very little security within the application environment, and there is often little visibility inside that secured edge.  Most companies have applications that have lived in their data centers for years, and documentation either doesn't exist or is out of date.  Tetration can look inside all of the network traffic in a data center and, leveraging its machine learning capabilities, create a map of all of the applications, their components, and their interdependent relationships with minimal human input.

Tetration's Application Dependency Mapping application is designed with security in mind, with the goal of enabling whitelist policies.  To do this, the maps must be granular and extremely accurate.  Tetration is designed to see everything and to learn over time.  The results are continuously monitored and can be automatically updated as the data center evolves.

Once discovered, a user can manipulate the map via the GUI, but the data can also be exported in a standard, open JSON format.  That policy export includes all of the hosts that are discovered, along with their membership in clusters and applications.  It includes data on the network relationships between all of those hosts: what ports and protocols they use to communicate, and who needs to talk to whom for an application to function.  It turns out that this is a really powerful feature.  JSON is an extremely easy format to manipulate with scripting languages, and there are a number of processes that we can simplify once we have this information.  For example, PCI requires auditing firewall rules every 6 months, with the expectation that every rule has a purpose and that the purpose is known.  For firewalls with thousands of rules, this is extremely difficult.  The missing piece of information needed to script this audit is not an understanding of how firewall rules work, but an understanding of the application network policy.  With the open policy format discovered by Tetration, this is a much easier task.  Because it's exported in JSON, it's not tied to a single vendor or use case, but could easily be adapted for any network enforcement device.  Cisco provides an open source tool to export this policy to ACI, but that code is now also being used to generate CSVs for import into a CMDB, ASA configurations, and even Amazon AWS Security Groups.
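As an added illustration of the firewall-audit use case above (this is not code from the post or from the ACI Toolkit), the script below loads a constructed, simplified policy export and checks each firewall rule for at least one discovered application policy that explains it. The export schema (clusters of hosts plus consumer/provider policies with L4 parameters) is an assumption made for the example, not the exact Tetration format.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed, simplified policy export in the spirit of an ADM export.
# The schema below is assumed for this example, not the real Tetration format.
POLICY_EXPORT = json.loads("""
{
  "clusters": [
    {"id": "web", "nodes": [{"ip": "10.1.1.10"}, {"ip": "10.1.1.11"}]},
    {"id": "app", "nodes": [{"ip": "10.1.2.20"}]},
    {"id": "db",  "nodes": [{"ip": "10.1.3.30"}]}
  ],
  "policies": [
    {"consumer": "web", "provider": "app", "l4_params": [{"proto": 6, "port": [8080, 8080]}]},
    {"consumer": "app", "provider": "db",  "l4_params": [{"proto": 6, "port": [5432, 5432]}]}
  ]
}
""")

# Constructed firewall rules to audit: (name, src_cidr, dst_cidr, ip_proto, dst_port)
FIREWALL_RULES = [
    ("allow-web-to-app", "10.1.1.0/24",  "10.1.2.20/32", 6, 8080),
    ("allow-app-to-db",  "10.1.2.20/32", "10.1.3.30/32", 6, 5432),
    ("legacy-any-db",    "10.0.0.0/8",   "10.1.3.30/32", 6, 3306),
]

def cluster_members(export):
    """Map cluster id -> set of member host IPs."""
    return {c["id"]: {n["ip"] for n in c["nodes"]} for c in export["clusters"]}

def rule_has_purpose(export, rule):
    """True if some discovered policy explains the rule: a consumer host inside
    src, a provider host inside dst, and the rule's proto/port in the policy."""
    members = cluster_members(export)
    _, src, dst, proto, port = rule
    src_net, dst_net = ip_network(src), ip_network(dst)
    for pol in export["policies"]:
        if not any(ip_address(ip) in src_net for ip in members[pol["consumer"]]):
            continue
        if not any(ip_address(ip) in dst_net for ip in members[pol["provider"]]):
            continue
        for l4 in pol["l4_params"]:
            lo, hi = l4["port"]
            if l4["proto"] == proto and lo <= port <= hi:
                return True
    return False

def audit(export, rules):
    """Return the names of rules that no discovered application policy accounts for."""
    return [r[0] for r in rules if not rule_has_purpose(export, r)]
```

The check only answers whether a rule has some purpose; a rule whose source is far broader than the consumers that need it still passes, so a second pass comparing rule scope against cluster membership is the natural next step.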

The last one is particularly interesting, as many cloud providers offer segmentation mechanisms, and for businesses moving to the cloud it's important to understand how to leverage these tools to improve security.  Unfortunately, it's common for applications deployed in the cloud to use very generic security policy because of a lack of detailed understanding of how the components of an application communicate.  Tetration can help significantly lock down the cloud environment by leveraging its policy discovery to create those rules.  The video below shows the process of leveraging policy exported from Tetration to dynamically lock down an environment deployed in AWS.



You can try some of this functionality (including sample Tetration policy exports) with the ACI Toolkit on Github in the Configpush application:

Open policy export is just one of several features that enable open access to the data in Tetration.  Tetration also comes with a full RESTful API and an on-box application development environment, which open up a world of possibilities.
