Ensuring Smooth Security Management Across Your Cisco ACI Fabric

By ISBuzz Team | October 19, 2018 | 6 Mins Read
Asher Benbenisty, director of product marketing at AlgoSec, sets out how organizations should approach managing their ACI deployments holistically, together with their overall network infrastructure.

Demand for software defined networking (SDN) solutions is booming, so much so that the market is expected to rise to $88 billion by 2024. SDN offers multiple benefits, including cost reduction, centralized management, quicker application deployment, enhanced scalability and reduced downtime, so it’s easy to see why it is so appealing to organizations that want to have more flexible and agile networks.

One of the market-leading SDN offerings is Cisco’s Application Centric Infrastructure (ACI), a multi-tenant, intent-driven solution that provides many advanced networking and security capabilities in data centers. As the name implies, ACI focuses on the applications that drive the business rather than the network products. It provides a centralized platform to manage application policies across both physical and virtual workloads. Cisco ACI automates IT workflows and security through whitelisting, policy enforcement and micro-segmentation, which, in turn, enable customers to build agile and secure next-generation data centers.

A key benefit for organizations moving to a virtualized, software-defined environment such as ACI is that it enables and supports micro-segmentation. Such segmentation makes it significantly easier to protect applications and data by restricting an attacker’s ability to move laterally across networks.

ACI takes micro-segmentation capabilities even further by allowing individual servers to be isolated virtually into secure zones inside the data center. This level of granular application traffic-filtering used to be prohibitively expensive and complicated in hardware-based environments, but virtualization has made it a viable option. What’s more, with ACI, organizations can make network changes on the fly as required, either to serve the dynamic needs of the business or to respond to a security or other problem.

Solving complexity challenges

There is a downside. The rapid provisioning, granular control and agility offered by ACI environments also mean that virtualized networks can get very complex, very quickly. As complexity starts to mount, there’s a real risk of human error creeping in, potentially leading to misconfigurations and security holes.

Furthermore, within the ACI environment a range of security and network routing options are available, from ACI’s built-in security controls to leaf switches and virtual firewalls. Management of all these controls needs to be carefully automated and orchestrated to eliminate the need to make time-consuming and error-prone manual changes every time a new application is deployed or a new server is added.

Complexity is further exacerbated by the fact that an organization’s virtualized ACI fabric is likely to co-exist with physical on-premises networks and cloud deployments. The applications that power the business are increasingly likely to span all three of those environments, creating significant challenges for managing application connectivity and security end-to-end.

For example, organizations often integrate other security devices with the ACI fabric for added protection. They deploy firewalls on the perimeter of the data center or within the data center to perform stateful inspection and provide an additional layer of security for east-west traffic. However, this integration between ACI and other firewalls within or on the edge of the data center is limited in nature.

So, while it may be possible to define a dynamic object group within the firewall so that it associates with a tagged virtual machine in the software-defined data center, the integration will not automatically create a new security rule if new connectivity is required for a business application. Any such rule changes will have to be added manually.

Inside and outside the data center

A business application that uses resources within the data center will almost always depend on some resources outside the data center, such as client machines or other servers, requiring connectivity with the wider network. Supporting this has a knock-on effect on devices further away from the data center with which ACI cannot integrate.

If business application owners want to add new applications or make changes to existing ones, ACI can be used to manage the required filtering and connectivity changes inside the data center, but cannot manage the changes that are needed on devices outside the data center. The end result is a hybrid environment that requires a variety of management consoles and techniques to control everything. The security policy change processes become complex and counter the benefits of SDN in the process.

So how can these issues be addressed?

Holistic management

Managing an ACI deployment alongside the rest of the IT infrastructure, while ensuring consistent application of security across the entire network, requires complete visibility into, and automated policy change across, the entire IT estate. This level of visibility and automation can be realized by employing a comprehensive security policy management solution. Such a solution enables the organization’s security and IT teams to coordinate and harmonize the management of Cisco ACI contracts and policies across all of their networks, whether physical or virtual.

For example, with holistic visibility, network and security teams can utilize Cisco ACI security contracts and extend ACI’s policy-based automation across the enterprise network. If any changes are planned to ACI contracts, rules or policies, the teams can assess how those changes will impact business applications and other security controls across the rest of the enterprise network, even outside the data center.

This capability eliminates the risks of misconfigurations and outages by enabling the impact of changes to be assessed before they are made. It ensures that security teams have control over their entire environment through a single pane of glass, accelerating security processes and overall business agility. Furthermore, organizations are able to achieve more effective management over policies through an approval-based workflow model, with ‘what-if’ risk checks baked into change workflows. Finally, it enables the compliance status of both physical and virtual network functions to be centrally monitored and logged for audit purposes.
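To make the two points above concrete (the limited firewall-to-ACI integration described earlier, and the ‘what-if’ check on a planned change), the following is example code written for this article, not AlgoSec’s product, Cisco’s APIC object model or any real deployment. It is a deliberately simplified policy model: endpoint groups, contracts with (protocol, port) filters, and a first-match perimeter firewall whose dynamic object groups are populated from VM tags. The EPG names, subnets, contracts, rules and addresses are all constructed. A planned flow is evaluated at every enforcement point on its path, and the points that would still block it are the places a change request has to touch.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed, simplified policy model: not Cisco's APIC object model and not AlgoSec's product code.
Flow = namedtuple("Flow", "src_ip dst_ip proto dport")
EPG = namedtuple("EPG", "name subnets external", defaults=(False,))   # external=True models an L3Out EPG
Contract = namedtuple("Contract", "name consumer provider filters")    # filters: set of (proto, dport)
FwRule = namedtuple("FwRule", "name src dst proto dport action")       # src/dst: CIDR or object-group name


def in_any(ip, subnets):
    return any(ip_address(ip) in ip_network(s) for s in subnets)


class AciFabric:
    """Whitelist model: traffic between EPGs is dropped unless a contract permits it."""

    def __init__(self, epgs, contracts):
        self.epgs = list(epgs)            # order matters: list the L3Out catch-all last
        self.contracts = list(contracts)

    def classify(self, ip):
        return next((e for e in self.epgs if in_any(ip, e.subnets)), None)

    def in_path(self, flow):
        eps = (self.classify(flow.src_ip), self.classify(flow.dst_ip))
        return any(e is not None and not e.external for e in eps)

    def check(self, flow):
        src, dst = self.classify(flow.src_ip), self.classify(flow.dst_ip)
        if src is None or dst is None:
            return False, "endpoint not classified into any EPG"
        if src.name == dst.name:
            return True, f"intra-EPG traffic in {src.name} (allowed unless isolation is enforced)"
        for c in self.contracts:
            if (c.consumer, c.provider) == (src.name, dst.name) and (flow.proto, flow.dport) in c.filters:
                return True, f"contract {c.name}"
        return False, f"no contract {src.name} -> {dst.name} for {flow.proto}/{flow.dport}"


class PerimeterFirewall:
    """First-match rule base with dynamic object groups populated from VM tags; implicit deny."""

    def __init__(self, rules, dynamic_groups, dc_subnets):
        self.rules = list(rules)
        self.groups = {g: set(m) for g, m in dynamic_groups.items()}
        self.dc_subnets = list(dc_subnets)

    def sync_tag(self, group, ip):
        """The tag-to-group integration: a newly tagged VM joins its group, no rule edit needed."""
        self.groups.setdefault(group, set()).add(ip)

    def _match(self, obj, ip):
        return ip in self.groups[obj] if obj in self.groups else in_any(ip, [obj])

    def in_path(self, flow):
        # only traffic crossing the data-center edge traverses the perimeter firewall
        return in_any(flow.src_ip, self.dc_subnets) != in_any(flow.dst_ip, self.dc_subnets)

    def check(self, flow):
        for r in self.rules:
            if ((r.proto, r.dport) == (flow.proto, flow.dport)
                    and self._match(r.src, flow.src_ip) and self._match(r.dst, flow.dst_ip)):
                return r.action == "allow", f"rule {r.name} ({r.action})"
        return False, "implicit deny at end of rule base"


def what_if(flow, fabric, firewall):
    """Evaluate a planned flow at every enforcement point on its path: point -> (allowed, reason)."""
    results = {}
    if fabric.in_path(flow):
        results["aci"] = fabric.check(flow)
    if firewall.in_path(flow):
        results["perimeter-fw"] = firewall.check(flow)
    return results


def gaps(results):
    """Enforcement points that would block the flow, i.e. where a change must be raised."""
    return sorted(point for point, (ok, _) in results.items() if not ok)


def build_sample():
    """Constructed sample topology (hypothetical addresses, not a real deployment)."""
    fabric = AciFabric(
        epgs=[EPG("web", ["10.10.1.0/24"]), EPG("db", ["10.10.2.0/24"]),
              EPG("l3out-corp", ["0.0.0.0/0"], external=True)],
        contracts=[Contract("corp-to-web", "l3out-corp", "web", {("tcp", 443)}),
                   Contract("web-to-db", "web", "db", {("tcp", 5432)})])
    firewall = PerimeterFirewall(
        rules=[FwRule("corp-https-to-web", "10.0.0.0/8", "dc-web-vms", "tcp", 443, "allow")],
        dynamic_groups={"dc-web-vms": ["10.10.1.10", "10.10.1.11"]},  # members resolved from the 'web' tag
        dc_subnets=["10.10.0.0/16"])
    return fabric, firewall


if __name__ == "__main__":
    fabric, firewall = build_sample()
    for flow in (Flow("10.50.3.7", "10.10.1.10", "tcp", 443),    # existing app, allowed end to end
                 Flow("10.10.1.10", "10.10.2.20", "tcp", 5432),  # east-west, ACI is the only control
                 Flow("10.50.3.7", "10.10.1.10", "tcp", 8443)):  # new service, blocked at both points
        res = what_if(flow, fabric, firewall)
        print(flow, res, "gaps:", gaps(res))
```

The third flow is the situation the article describes: adding a contract for the new port in ACI clears the fabric-side gap, but the perimeter firewall still reports an implicit deny, because the integration does not create that rule for you. The `sync_tag` path shows the one thing the dynamic object group does handle automatically: a newly tagged web VM in the same EPG subnet is covered by the existing contract and, once its tag is reflected in the group, by the existing firewall rule, without anyone editing the rule base.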

By utilizing a security policy management solution to achieve a high and unified level of visibility and control over both an ACI deployment and the wider network, organizations will be well positioned to get the maximum value from their investments in Cisco ACI. They will be able to extend those benefits to the whole infrastructure, automatically, while reducing the potential for errors. It’s a real win-win.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.