Cisco Tetration Analytics + Demo
Ing. Guenter Herold, Area Manager Datacenter, Cisco Austria GmbH
5 - 7 April 2017 | Cisco Connect | Pula, Croatia
Agenda
Introduction
Theory
Demonstration
Innovation Through Engineering
• <9 months spent on planning
• $1B OPEX shifts
• DLT members changing roles
• >1000 employees involved in open source projects
• 30% of FY15 revenue are based on Agile and DevOps
• Engineering contributed Cisco Net Income growth of 6% (Q3’15)
• 25,000 / $6.3B
• Alpha projects
• 190 Tetration patents: Cisco Tetration Analytics™
Architecture
• Intent (May): POLICY, ACI
• Assurance (Can): Configuration Analysis, “Very Large State-Space”; Guarantees, Compliance, Consistency
• Analytics (Did): Traffic Analysis, “Lots of Data”; ADM, Security, Forensics
BRKDCN-2040
Cisco Tetration Analytics: Focus Areas
• Visibility and Forensics
• Application Insight
• Policy Compliance
• New: Application Segmentation (Automated Policy Enforcement)
• Action: Tetration Analytics 1.0 (Policy Recommendation), Tetration Analytics 2.0 (Application Segmentation)
Cisco Tetration Analytics Use Cases
• Application Insight and Dependency
• Forensics: Every Packet, Every Flow, Every Speed
• Policy Compliance and Auditability
• Policy Simulation and Impact Assessment
• Automated Whitelist Policy Generation
• New: Application Segmentation (Automated Policy Enforcement)
Datacenter Wide Traffic Flow Visibility
[Screenshot: flow view with callouts “Information about Consumer – Provider and type of traffic” and “Detail information about the flow”]
You Can’t Protect What You Don’t See
• 60% of data is stolen in HOURS
• 85% of point-of-sale intrusions aren’t discovered for WEEKS
• 54% of breaches remain undiscovered for MONTHS
• 51% increase in companies reporting a $10 million or more loss in the last 3 YEARS
“A community that hides in plain sight avoids detection and attacks swiftly.” — Cisco Security Annual Security Report.
Whitelist Policy Model
Reference: http://www.asd.gov.au/infosec/mitigationstrategies.htm
Whitelist Policy Recommendation
• Application Discovery: WebTier, AppTier, DBTier, Storage
• Whitelist Policy Recommendation (available in JSON, XML, and YAML)
• Policy Enforcement
Real-Time and Historical Policy Simulation
• Validating policy impact assessment in real time
• Simulating policy changes over historic traffic
• View traffic “outliers” for quick intelligence
• Audit becomes a function of continuous machine learning
[Diagram: Cisco Tetration Analytics™ Platform receiving telemetry from VM and bare-metal (BM) workloads]
Policy Compliance
• Identify policy deviations in real-time
• Review and update whitelist policy with one click
• Policy lifecycle management
[Diagram: Cisco Tetration Analytics™ Platform receiving telemetry from VM and bare-metal (BM) workloads]
The Real Value is Business and Operational Insight
• Application Discovery (DC Network): Dependency Mapping (Security), Dependency Mapping (Migrations)
• Visibility: Flow Search, Deviation Detection
• Policy Management: Simulation and Impact Assessment, Compliance
• Security Policy Enforcement: Auditing, Security Enforcement, Policy Verification ~ ‘what if’, Threat Detection / DDOS / …
Increased Visibility → Insightful Data → Policy Discovery/Enforce/Mgmt
Visual Query with Flow Exploration
• Replay flow details like a DVR
• Information mapped across 25 different dimensions
Thick lines indicate common flows; faint lines indicate uncommon flows.
Outliers
• Switch on Outlier view to highlight uncommon flows
• Outlier dimension is highlighted with purple circle
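Added example (not code from the deck or from the Tetration product): one way to score flow records for an outlier view like the one described above, in Python. Each flow is scored on a handful of dimensions; the dimension whose value is rarest across all records is the one a UI would highlight, and the edge weight per (src, dst, port, proto) is the "thick versus faint line" count. The dimension names, the rarity measure and the flow records are constructed for this example; Tetration's own algorithm is not described on the page.

```python
"""Flow outlier scoring by dimension rarity (constructed example)."""
from collections import Counter

# Dimensions each flow is scored on. A subset chosen for this example;
# the deck mentions 25 dimensions without listing them.
DIMENSIONS = ("src", "dst", "dst_port", "proto", "process")


def _flows(src, dst, port, process, n):
    """Build n identical flow records (constructed sample data, proto 6 = TCP)."""
    return [{"src": src, "dst": dst, "dst_port": port, "proto": 6,
             "process": process} for _ in range(n)]


# Constructed sample: two web hosts talk to two app hosts on 8080, the app
# hosts talk to the database on 5432, and one web host talks to the database
# directly from an unexpected process.
SAMPLE_FLOWS = (
    _flows("web-1", "app-1", 8080, "nginx", 2)
    + _flows("web-1", "app-2", 8080, "nginx", 2)
    + _flows("web-2", "app-1", 8080, "nginx", 2)
    + _flows("web-2", "app-2", 8080, "nginx", 2)
    + _flows("app-1", "db-1", 5432, "java", 3)
    + _flows("app-2", "db-1", 5432, "java", 3)
    + _flows("web-1", "db-1", 5432, "python3", 1)
)


def flow_weights(flows):
    """Count records per (src, dst, dst_port, proto): the edge thickness in the
    flow graph ("thick lines indicate common flows")."""
    return Counter((f["src"], f["dst"], f["dst_port"], f["proto"]) for f in flows)


def dimension_frequencies(flows):
    """How often each value occurs, per dimension, as a fraction of all records."""
    total = len(flows)
    return {d: {v: c / total for v, c in Counter(f[d] for f in flows).items()}
            for d in DIMENSIONS}


def rarest_dimension(flow, freqs):
    """Return (fraction, dimension) for the flow's least common value; that
    dimension is the one the outlier view would highlight."""
    fraction, dim = min((freqs[d][flow[d]], d) for d in DIMENSIONS)
    return fraction, dim


def find_outliers(flows, threshold=0.1):
    """Flows whose rarest value occurs in less than `threshold` of all records,
    rarest first, each paired with its outlier dimension."""
    freqs = dimension_frequencies(flows)
    hits = []
    for f in flows:
        fraction, dim = rarest_dimension(f, freqs)
        if fraction < threshold:
            hits.append((fraction, dim, f))
    hits.sort(key=lambda h: h[0])
    return [(dim, f) for _, dim, f in hits]


if __name__ == "__main__":
    for dim, f in find_outliers(SAMPLE_FLOWS):
        print(f"outlier on {dim}: {f}")
```

With the constructed data only the web-to-database record is flagged, and the dimension that makes it unusual is the process (python3), not the destination: the database is a common destination, it is the process talking to it that is rare. Lowering the threshold to 0.25 also flags the app-to-database records, whose sources are the least common values, which shows why a threshold needs tuning against the real distribution of a data center rather than being fixed.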
Policy Compliance Verification & Simulation
• What was seen on the network that was out of policy
• Permitted traffic seen on the network
All of the Architectures Look Similar BUT,
You cannot create knowledge without information. Different telemetry data will enable different insights.
The ‘algorithms’ are what provide the foundation of value. The building blocks can be common (HDFS2, SPARK, …).
[Diagram: Analytics Engine with Visualization and Reporting (Web GUI, REST API, Push Events), fed by Telemetry Sources across the Application, Transport, Network, Data Link and Physical layers plus Sockets and Processes on the host]
Tetration Analytics Architecture Overview
• Analytics Engine: Cisco Tetration Analytics™ Platform
• Visualization and Reporting: Web GUI, REST API, Push Events
• Data Collection: Host Sensors, Network Sensors, 3rd-Party Metadata Sources
[Diagram: Tetration Telemetry and Configuration Data flowing from VMs and Cisco Nexus® 92160YC-X / Cisco Nexus 93180YC-EX switches to the platform]
Tetration Analytics Data Sources
Software Sensors (Available Now)
• Linux VM
• Windows Server VM
• Bare Metal (Linux and Windows Server)
• Universal* (Basic Sensor for other OS)
• New! Enforcement Point (Software agents)
• Low CPU Overhead (SLA enforced)
• Low Network Overhead (SLA enforced)
• Highly Secure (Code Signed, Authenticated)
• Every Flow (No sampling), NO PAYLOAD
*Note: No per-packet telemetry, not an enforcement point
Network Sensors (Next Generation 9K switches)
• Nexus 9200-X
• Nexus 9300-EX
Third Party Sources (3rd party Data Sources)
• Asset Tagging
• Load Balancers
• IP Address Management
• CMDB
• …
Application Discovery and Endpoint Grouping
• Network-only sensors, host-only sensors, or both (preferred)
• Bare metal and VM
• On-premises and cloud workloads (AWS)
• Unsupervised machine learning
• Behavior analysis
[Diagram: Cisco Tetration Analytics™ Platform collecting bare-metal, VM, and switch telemetry from a Cisco Nexus® 9000 Series fabric, VM telemetry (AMI …) from the cloud, and bare-metal and VM telemetry from a brownfield environment]
What does the Sensor Collect
[Diagram: host sensors see the full stack (Application, Transport, Network, Data Link, Physical, plus Sockets and Processes); network sensors see Network, Data Link and Physical]
• Process Information: which process is it, who started it, etc.
• Device Information: Buffer/ACL drops, etc.
Different Problems will need Different Data Sources
• Network layers (Network, Data Link, Physical): Network Health, Performance, Monitoring, Capacity
• Host layers (Application, Transport, Network, Data Link, Physical, Sockets, Processes): Application Health, Performance, Monitoring, Discovery, Security, Application Troubleshooting
Hardware Sensor and Software Sensor
• Accumulated Flow Information (Volume…)
• Software Sensor: Process mapping, Process ID, Process owner
• Hardware Sensor: Tunnel endpoints, Buffer utilization, Burst detections, Packet drops, Flow details, Interpacket variations
What We Discovered: To and From DVProd Database
[Diagram: the production database exchanging traffic with Internet, IP Storage NAS, TA Cluster, Hadoop, Prod DBs, Non-Prod DBs, Labs, Kicker, Infra APPs, DB Proxy, Monitoring APPs, Non-Production Databases, LABs]
Tetration Analytics and
Before
• Complex data center environment
• Lack of automation
• Lack of understanding into each tenant environment
• Exposure to risk of downtime too great to migrate applications safely
After
• Visibility across multi-tenant data center
• Move from tribal knowledge to data-driven decision making
• Reduction in time to understand application dependencies
• Migration to ACI with little downtime risk
Data Points
• Understanding of what happens INSIDE a flow
• Distributions (packet sizes, TCP windows…)
• Burstiness
• Anomaly detection
• Latency (application and network)
• VXLAN information
• High rate export capabilities: 100ms for Hardware, 1s for Software
Context Information
• What happens around this flow?
• Which process owns this flow?
• Who runs it?
• What is the buffer status?
• But also external information: GeoDB, DNS, reputation lists…
Meta-Data – Including Overlay VXLAN/GRE/IPinIP Encapsulated Header
[Diagram: three packet layouts; the sensor keeps the headers, not the payload:
• VXLAN-encapsulated: Ethernet Header | IP Header | UDP Header | VXLAN Header | Ethernet Header | IP Header | TCP Header | Payload
• TCP: Ethernet Header | IP Header | TCP Header | Payload
• UDP: Ethernet Header | IP Header | UDP Header | Payload]
Privacy Risk: collects the Meta-Data, not the Packet
Sensor Technology
Standard Sensors
• RHEL (64 bit) – 5.x, 6.x, 7.x
• CentOS (64 bit) – 5.x, 6.x, 7.x
• Oracle Linux (64 bit) – 6.x, 7.x
• SUSE – 11.2, 11.3, 11.4, 12.1, 12.2
• Ubuntu – 12.04, 14.04, 14.10
• Windows Server 2008 R1/R2 Essentials / Standard / Enterprise / DataCenter
• Windows Server 2012 R2/R2/Essentials/Standard/Enterprise/DataCenter
Universal Sensors
• Mainframe z/VM (trial)
• AIX-ppc 5.3, 6.1, 7.1, 7.2 (trial)
• Solaris (x86_64)
• RHL 4.x, 5.x (32 bit i386/amd)
• CentOS – 4.x, 5.x (32 bit)
• Windows XP, 2003 (32 bit)
• Windows Server 2008 (32 bit)
HW Sensors
• Cisco Nexus 9K Leaf with: 92160YC-X, 93180YC-EX
• Spine with: X9732C-EX C*
Tetration Analytics: Deployment Options
On-Premise Options
• Cisco Tetration Analytics (Large Form Factor): suitable for deployments with more than 1000 workloads; built-in redundancy; scales up to 10,000 workloads. Includes: 36 x UCS C-220 servers, 3 x Nexus 9300 switches
• Cisco Tetration-M (Small Form Factor): suitable for deployments under 1000 workloads. Includes: 6 x UCS C-220 servers, 2 x Nexus 9300 switches
Public Cloud (Amazon Web Services)
• Cisco Tetration Cloud: software deployed in AWS; suitable for deployments under 1000 workloads; AWS instance owned by customer
Host Based Enforcement
[Diagram: the same workload intent enforced on four infrastructures: traditional network (VLANs, ACLs, Nexus 7K/5K/2K, Subnets), ACI (EPGs, Contracts, BDs), Hypervisor (Security Groups, Port Groups, Security Rules), AWS (Security Groups, Interfaces, Security Rules)]
A trusted module inside the workload enforces your intent.
Security
Same level of security, any infrastructure.
[Diagram: Application and Infrastructure layers; per-process and per-endpoint Denies and Allows]
Intent is rendered as security rules in native host firewalls.
[Diagram: the same Application layer with per-process and per-endpoint Denies and Allows on top of Network Infrastructure (bare metal), Hypervisor Virtual Network (virtual) and Cloud Infrastructure (cloud)]
Any Infrastructure, Any Networking; Same Security Model, Rich Context
Mobility
[Diagram: an endpoint (EP) moving between a traditional network (Security Rules, VLANs, ACLs, Nexus 7K/5K/2K, Subnets) and the cloud (Security Groups, Interfaces)]
Tetration calculates all necessary rule changes and automatically applies them.
Intent stays with the endpoint, no matter the infrastructure it resides on.
Why should I understand dependencies?
• Identify a single point of failure that should be replicated
• Find all the parts of a service that should be migrated together to the cloud
• Replace infrastructure components of an undocumented application
• ACI application profiles, end point groups, and contracts based on applications
Application Dependency Mapping
[Diagram sequence: Load Balancer, App and Database endpoints]
• Understand the communication
• Initial recommendations: Load Balancer, App, Database, Cache
• Optional and minimal human supervision
• Approve the clustering: Load Balancer, App, Database
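Added example (not code from the deck or from the Tetration product) of the discovery sequence above in Python: observed flows are turned into a per-endpoint communication signature, endpoints with the same signature become a cluster (the initial recommendation), an operator names the clusters (the supervision step), and a whitelist policy between the named clusters is emitted in the JSON shape the deck shows. Grouping by identical signature is this example's own, deliberately simple, method; the page does not describe Tetration's unsupervised-learning algorithm. The flows, host names and cluster names are constructed.

```python
"""Endpoint clustering and whitelist policy recommendation (constructed example)."""
import json
from collections import defaultdict

# Constructed flows as (src, dst, dst_port, proto); proto 6 = TCP.
SAMPLE_FLOWS = [
    ("lb-1", "web-1", 80, 6), ("lb-1", "web-2", 80, 6),
    ("web-1", "app-1", 8080, 6), ("web-2", "app-1", 8080, 6),
    ("web-1", "app-2", 8080, 6), ("web-2", "app-2", 8080, 6),
    ("app-1", "db-1", 5432, 6), ("app-2", "db-1", 5432, 6),
    ("app-1", "cache-1", 6379, 6), ("app-2", "cache-1", 6379, 6),
]


def signatures(flows):
    """Per endpoint, the set of services it consumes and provides as
    (direction, port, proto). Endpoints with equal sets behave alike."""
    sig = defaultdict(set)
    for src, dst, port, proto in flows:
        sig[src].add(("consumes", port, proto))
        sig[dst].add(("provides", port, proto))
    return sig


def cluster_endpoints(flows):
    """Initial recommendation: group endpoints with identical signatures.
    Returns a sorted list of sorted host lists (one per cluster)."""
    groups = defaultdict(list)
    for host, sig in signatures(flows).items():
        groups[frozenset(sig)].append(host)
    return sorted(sorted(hosts) for hosts in groups.values())


def name_clusters(clusters, approved=None):
    """Human supervision step: map each host to a cluster name. `approved`
    maps any member host to the operator's name for that cluster; clusters
    without an approved name fall back to cluster-<n>."""
    approved = approved or {}
    host_to_name = {}
    for n, hosts in enumerate(clusters):
        name = next((approved[h] for h in hosts if h in approved), f"cluster-{n}")
        for h in hosts:
            host_to_name[h] = name
    return host_to_name


def recommend_policy(flows, host_to_name):
    """Whitelist policy between clusters, in the JSON shape the deck shows:
    one entry per (src_name, dst_name) with the observed ports allowed."""
    allowed = defaultdict(set)
    for src, dst, port, proto in flows:
        allowed[(host_to_name[src], host_to_name[dst])].add((port, proto))
    policy = []
    for (src_name, dst_name), ports in sorted(allowed.items()):
        policy.append({
            "src_name": src_name,
            "dst_name": dst_name,
            "whitelist": [{"port": [p, p], "proto": proto, "action": "ALLOW"}
                          for p, proto in sorted(ports)],
        })
    return policy


if __name__ == "__main__":
    clusters = cluster_endpoints(SAMPLE_FLOWS)
    names = name_clusters(clusters, {"lb-1": "LoadBalancer", "web-1": "Web",
                                     "app-1": "App", "db-1": "Database",
                                     "cache-1": "Cache"})
    print(json.dumps(recommend_policy(SAMPLE_FLOWS, names), indent=2))
```

The recommendation only ever allows what was observed, which is the property that makes a discovered whitelist safe to review: anything missing from the capture window (a monthly batch job, a failover path) shows up later as an out-of-policy flow rather than as a silently permitted one, so the capture period and the simulation step matter as much as the clustering.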
Enforcement Anywhere
Cisco Tetration Analytics™ pushes the whitelist policy to:
• Cisco ACI™ and Cisco Nexus® 9000 Series
• Standalone
• Linux and Microsoft Windows Servers and VM
• Public Cloud: Amazon Web Services, Microsoft Azure, Google Cloud
Rendered as:
• Cisco ACI EPG/Contract Integration via Cisco ACI Toolkit
• Traditional Network ACL
• Firewall Rules
• Host Firewall Rules
Whitelist policy (JSON):
{
  "src_name": "App",
  "dst_name": "Web",
  "whitelist": [
    {"port": [0, 0], "proto": 1, "action": "ALLOW"},
    {"port": [80, 80], "proto": 6, "action": "ALLOW"},
    {"port": [443, 443], "proto": 6, "action": "ALLOW"}
  ]
}
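Added example (not code from the deck or from the Tetration product), in Python, that takes the whitelist policy JSON above and does the two things the deck describes for it: renders it as native host firewall rules (here iptables on a Linux host in the Web group, one of several firewalls the page leaves unnamed) and classifies observed flows as permitted or out of policy, which is the compliance-verification view shown earlier. The group-to-prefix mapping, the observed flows and the choice of iptables are assumptions made for this example; the JSON policy is the one from the deck.

```python
"""Render a whitelist policy to host firewall rules and check observed flows
against it (constructed example)."""
import ipaddress
import json

# The whitelist policy from the deck: App may reach Web with ICMP (proto 1,
# any port), TCP/80 and TCP/443.
POLICY_JSON = """
{"src_name": "App", "dst_name": "Web", "whitelist": [
  {"port": [0, 0], "proto": 1, "action": "ALLOW"},
  {"port": [80, 80], "proto": 6, "action": "ALLOW"},
  {"port": [443, 443], "proto": 6, "action": "ALLOW"}]}
"""

# Constructed: which address ranges belong to each group (an assumption; the
# deck names groups, not addresses).
GROUPS = {"App": ["10.0.2.0/24"], "Web": ["10.0.1.0/24"]}

# Constructed observed flows as (src_ip, dst_ip, proto, dst_port).
SAMPLE_FLOWS = [
    ("10.0.2.5", "10.0.1.7", 6, 443),  # App -> Web HTTPS: in policy
    ("10.0.2.6", "10.0.1.8", 1, 0),    # App -> Web ICMP: in policy
    ("10.0.2.5", "10.0.1.7", 6, 22),   # App -> Web SSH: not whitelisted
    ("10.0.9.9", "10.0.1.7", 6, 80),   # unknown source -> Web: not in App
]

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def load_policy(text):
    return json.loads(text)


def render_iptables(policy, groups):
    """iptables rules for a host in the policy's dst group (here Web).
    Whitelist model: replies are allowed by conntrack, one rule per whitelist
    entry and source prefix, and the INPUT default becomes DROP last so the
    host is never left without its allow rules while the chain is built."""
    rules = ["iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for entry in policy["whitelist"]:
        proto = PROTO_NAMES[entry["proto"]]
        lo, hi = entry["port"]
        port_match = ""
        if proto in ("tcp", "udp") and (lo, hi) != (0, 0):
            port_match = f" --dport {lo}" if lo == hi else f" --dport {lo}:{hi}"
        target = "ACCEPT" if entry["action"] == "ALLOW" else "DROP"
        for prefix in groups[policy["src_name"]]:
            rules.append(f"iptables -A INPUT -p {proto} -s {prefix}{port_match} -j {target}")
    rules.append("iptables -P INPUT DROP")
    return rules


def _in_group(ip, prefixes):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def flow_permitted(policy, groups, flow):
    """First matching whitelist entry decides; no match means denied."""
    src_ip, dst_ip, proto, dst_port = flow
    if not (_in_group(src_ip, groups[policy["src_name"]])
            and _in_group(dst_ip, groups[policy["dst_name"]])):
        return False
    for entry in policy["whitelist"]:
        lo, hi = entry["port"]
        if entry["proto"] == proto and ((lo, hi) == (0, 0) or lo <= dst_port <= hi):
            return entry["action"] == "ALLOW"
    return False


def check_flows(policy, groups, flows):
    """Split observed flows into permitted and out-of-policy (compliance view)."""
    result = {"permitted": [], "out_of_policy": []}
    for flow in flows:
        key = "permitted" if flow_permitted(policy, groups, flow) else "out_of_policy"
        result[key].append(flow)
    return result


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    print("\n".join(render_iptables(policy, GROUPS)))
    print(check_flows(policy, GROUPS, SAMPLE_FLOWS))
```

Two details worth keeping in mind when doing this for real: the rendered rules and the compliance check share one policy object, so an out-of-policy flow in the report is exactly a flow the host firewall would have dropped, and the address-to-group mapping is the weak point of the whole scheme, since a host that moves to a new address must be re-mapped before its intent follows it (the deck's mobility slide is about exactly that).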
Demo Time