Tetration's Application Dependency Mapping application is designed with security in mind with the goal of enabling whitelist policies. To do this, the maps must be granular and extremely accurate. Tetration is designed to see everything, and to learn over time. The results are continuously monitored, and can be automatically updated as the data center evolves.
Once discovered, a user can manipulate the map via the GUI, but the data can also be exported in a standard open JSON format. That policy export includes all of the hosts that are discovered, along with their membership in clusters and applications. It includes the network relationships between all of those hosts, what ports and protocols they use to communicate, and who needs to talk to whom for an application to function. It turns out that this is a really powerful feature. JSON is an extremely easy format to manipulate with scripting languages, and there are a number of processes that we can simplify once we have this information. For example, PCI requires auditing firewall rules every 6 months with an understanding that every rule has a purpose and a knowledge of what that purpose is. For firewalls with thousands of rules, this is extremely difficult. The missing piece of information needed to script this audit is not an understanding of how firewall rules work, but an understanding of the application network policy. With the open policy format discovered by Tetration, this is a much easier task. Because it's exported in JSON, it's not tied to a single vendor or use case, but could be easily adapted for any network enforcement device. Cisco provides an open source tool to export this policy to ACI, but that code is now being used to generate CSVs for import to a CMDB, ASA configurations, and even Amazon AWS Security Groups.
The last one is particularly interesting, as many cloud providers offer segmentation mechanisms, and for businesses moving to the cloud it's important to understand how to leverage these tools to improve security. Unfortunately, it's common for applications deployed in the cloud to use very generic security policy because of a lack of detailed understanding of how the components of an application communicate. Tetration can help significantly lock down the cloud environment by leveraging its policy discovery to create those rules. The video below shows the process of leveraging policy exported from Tetration to dynamically lock down an environment deployed in AWS.
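To make the two use cases above concrete (scripting a rule audit against the discovered application policy, and rendering that policy as cloud security-group entries), here is an added example in Python. It is not code from the post, from Cisco, or from the ACI Toolkit, and the JSON it parses is a constructed, deliberately simplified policy shape (applications containing clusters of hosts, plus cluster-to-cluster policies with a protocol and port); it is not Tetration's actual export schema, and the firewall rules and IP addresses are made up for the demonstration.

```python
"""Audit firewall rules against an application dependency policy export.

CONSTRUCTED EXAMPLE: the JSON below uses a hypothetical, simplified policy
export shape (applications -> clusters of hosts -> cluster-to-cluster
policies). It is NOT Tetration's real schema; adapt flatten_policy() to the
real export before using this on production data.
"""
import json
from collections import defaultdict

SAMPLE_EXPORT = json.dumps({
    "applications": [{
        "name": "web-shop",
        "clusters": [
            {"id": "web", "hosts": ["10.0.1.10", "10.0.1.11"]},
            {"id": "app", "hosts": ["10.0.2.20"]},
            {"id": "db",  "hosts": ["10.0.3.30"]},
        ],
        "policies": [
            {"consumer": "web", "provider": "app", "proto": "tcp", "port": 8080},
            {"consumer": "app", "provider": "db",  "proto": "tcp", "port": 5432},
        ],
    }]
})

# Constructed firewall rule set. Rule 3 permits a web->db flow that no
# discovered policy explains; rule 4 is an "any" source rule that the
# dependency map can never justify on its own.
SAMPLE_FW_RULES = [
    {"id": 1, "src": "10.0.1.10", "dst": "10.0.2.20", "proto": "tcp", "port": 8080},
    {"id": 2, "src": "10.0.2.20", "dst": "10.0.3.30", "proto": "tcp", "port": 5432},
    {"id": 3, "src": "10.0.1.10", "dst": "10.0.3.30", "proto": "tcp", "port": 5432},
    {"id": 4, "src": "any",       "dst": "10.0.3.30", "proto": "tcp", "port": 22},
]


def flatten_policy(export_json):
    """Expand cluster-level policies into host-to-host allowed flows.

    Returns {(src_host, dst_host, proto, port): application_name}.
    """
    data = json.loads(export_json)
    allowed = {}
    for app in data["applications"]:
        members = {c["id"]: c["hosts"] for c in app["clusters"]}
        for pol in app["policies"]:
            for src in members[pol["consumer"]]:
                for dst in members[pol["provider"]]:
                    allowed[(src, dst, pol["proto"], pol["port"])] = app["name"]
    return allowed


def audit_rules(rules, allowed):
    """Classify every firewall rule against the discovered policy.

    justified:   rule matches a discovered flow (with the owning application)
    broad:       rule uses "any" and cannot be tied to one application flow
    unjustified: rule matches no discovered flow and should be reviewed
    missing:     discovered flows that no rule currently permits
    """
    justified, broad, unjustified, covered = [], [], [], set()
    for r in rules:
        if r["src"] == "any" or r["dst"] == "any":
            broad.append(r["id"])
            continue
        key = (r["src"], r["dst"], r["proto"], r["port"])
        if key in allowed:
            justified.append((r["id"], allowed[key]))
            covered.add(key)
        else:
            unjustified.append(r["id"])
    missing = sorted(k for k in allowed if k not in covered)
    return {"justified": justified, "broad": broad,
            "unjustified": unjustified, "missing": missing}


def to_ingress_permissions(allowed, provider_host):
    """Render the flows toward one provider host as IpPermissions entries in
    the structure boto3's authorize_security_group_ingress() accepts.
    Only the data structure is built here; no AWS call is made."""
    by_port = defaultdict(list)
    for (src, dst, proto, port) in allowed:
        if dst == provider_host:
            by_port[(proto, port)].append(src)
    perms = []
    for (proto, port), srcs in sorted(by_port.items()):
        perms.append({"IpProtocol": proto, "FromPort": port, "ToPort": port,
                      "IpRanges": [{"CidrIp": f"{s}/32"} for s in sorted(srcs)]})
    return perms


if __name__ == "__main__":
    flows = flatten_policy(SAMPLE_EXPORT)
    print(json.dumps(audit_rules(SAMPLE_FW_RULES, flows), indent=2, default=list))
    print(json.dumps(to_ingress_permissions(flows, "10.0.2.20"), indent=2))
```

The audit output is the artifact a reviewer wants for a periodic rule review: each justified rule is tagged with the application that needs it, broad rules are flagged for manual treatment, and unjustified rules become removal candidates. The `missing` list is equally useful in the cloud case, since it shows which discovered flows a tighter security group would have to carry before the generic policy is replaced.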
You can try some of this functionality (including sample Tetration policy exports) with the ACI Toolkit on GitHub in the Configpush application:
Open policy export is just one of several features that enable open access to the data in Tetration. Tetration also comes with a full RESTful API and an on-box application development environment, which together open up a world of possibilities.