Cisco Application Centric Infrastructure Security

Take a holistic, system-based approach to data center security with Cisco Application Centric Infrastructure (ACI) Security Solutions. These solutions provide a common policy-based operational model across ACI-ready networks. As a result, you can reduce cost and complexity without compromising data center functionality. Cisco ACI Security Solutions can be managed as a pool of resources, allowing administrators to intelligently stitch them to applications and transactions using the Cisco Application Policy Infrastructure Controller (APIC). Cisco ACI Security Solutions scale on demand, offer programmable automation, and provide transparent policy-based security for both physical and virtual environments. They allow organizations to take full advantage of the power, flexibility, and performance of their new ACI data center environments without compromising functionality or security. For organizations implementing the ACI fabric architecture, the updated ASA 5585-X and ASAv solutions can be fully integrated into the ACI fabric.

Cisco’s ACI seeks to address the data center operator’s need for automated provisioning, programmatic management, and comprehensive orchestration. Rather than decoupling the control plane from the data plane, ACI applies a policy model designed to capture application requirements and automate deployment across the network, regardless of whether the applications are virtualized or running on bare metal. This is what Cisco calls a declarative management model: individual agents voluntarily cooperate by publishing their intentions as commitments to each other. The intentions are abstract; for example, an application policy states its requirements, and the underlying infrastructure interprets how best to satisfy those requirements based on its inherent capabilities. Another networking option for cloud computing is provided by OpenStack, which offers a default framework, called Neutron, through which customers consume networking services, along with a set of northbound and southbound APIs.

Cisco Application Centric Infrastructure Security SDN

The appliance has been fully and transparently integrated into the fabric of the next-gen Cisco Application Centric Infrastructure SDN data center architecture. For those deployments, the Cisco Application Centric Infrastructure SDN controller provides a single point of control for both network and security management. It can provision the appliance’s security as a service, manage policy, and monitor the entire network and security environment for a unified view. This approach removes the limitations of traditional network-oriented security solutions and significantly streamlines provisioning. In the topology-independent Cisco ACI environment, Cisco ASAv services are managed as a pool of security resources. These resources can be selected and attached to specific applications or transactions to provide dynamic, scalable, policy-based security. The appliance supports both traditional and next-gen software SDN and Cisco Application Centric Infrastructure environments, providing policy enforcement and threat inspection across multi-site environments.

Cisco Application Centric Infrastructure

SDN separates control plane functions from data plane functions and is often defined in narrow technical terms. Software-defined security leverages the philosophy and fundamental architecture of SDN but broadens the opportunity by integrating into more environments. The SDN “hub and spokes” approach ties together a controller, where security policies are defined and evaluated, with enforcement nodes that implement the policies, all done dynamically and in real time. Leveraging a policy language that is abstracted to the application layer enables applicable policies to be applied at the appropriate enforcement nodes, maintaining flexibility and alignment with the components of the application in use. The result is a security architecture that is easier to manage efficiently and an opportunity for maximum effectiveness. Cisco ACI is designed to address the data and security needs of the modern data center.

Security For Next-Gen Data Centers

Security solutions for next-gen data centers must enable organizations to generate maximum business value from their investments in these data centers. This requires that such security solutions drive value by being integrated, policy-based, robust, agile, and scalable. Well-designed and well-implemented security solutions with these characteristics create value by saving time and effort in the management and provisioning of security, by reducing the operational and business impact of security threats, and by ensuring that security does not inhibit the data center’s ability to support and drive the business. As a result, such security solutions enable next-gen data centers by being integrated for efficiency and reduced risk. Security products that integrate both with solutions supporting organizations’ traditional data center environments and with other security products used in the next-gen data center environment generate time savings and reduce risk.

The Cisco Application Policy Infrastructure Controller (Cisco APIC) is the unifying point of automation and management for the Application Centric Infrastructure (Cisco ACI) fabric. The Cisco APIC provides centralized access to all fabric information, optimizes the application lifecycle for scale and performance, and supports flexible application provisioning across physical and virtual resources. Designed for automation, programmability, and centralized management, the Cisco APIC exposes northbound APIs through XML and JSON. It provides both a command-line interface (CLI) and a GUI, both of which use those APIs to manage the fabric holistically. OpFlex is a new open and extensible southbound protocol that supplies policy directly to data center networks.

Unlike commonly used SDN protocols, it supplies application policy, not low-level configuration, to network devices. This allows devices to self-configure and freely expose new innovation. By centralizing policy but distributing control, networks can become much more scalable, resilient, and interoperable. Cisco and partners are submitting OpFlex to the IETF for standardization and to OpenDaylight for open source SDN implementations. An OpFlex agent will be available free from GitHub for leading hypervisors, switches, and Layer 4 to Layer 7 services. A reference implementation on OVS will be available. Cisco APIC is completely removed from the data path. This means the fabric can still forward traffic even when communication with the Cisco APIC is lost.

Cisco ACI, an industry-leading Software-Defined Networking (SDN) solution, offers a unique blend of hardware and software capabilities through a unified application-based policy model. Cisco ACI increases business agility and lowers TCO by automating IT tasks, enhancing security, and increasing operational efficiency. It automates IT workflows and helps organizations shorten application deployment from weeks to minutes. It secures applications through a whitelist model, policy enforcement, and micro-segmentation. It lets you build programmable SDN fabrics leveraging open APIs and an ecosystem of over 65 global Cisco ACI partners.
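As an added example (not code from this page or from Cisco) of the whitelist model behind the APIC JSON API described above: it builds a tenant payload whose only contract permits TCP/443 and audits it for entries that would silently widen the whitelist before an operator posts it. The managed-object class names are assumed from the ACI object model; the tenant, contract and filter names are constructed.

```python
import json

# Added example, not Cisco's code. Class and attribute names follow the ACI object
# model as I understand it (fvTenant, vzFilter, vzEntry, vzBrCP, vzSubj,
# vzRsSubjFiltAtt); tenant, contract and filter names are constructed.

UNSPEC = "unspecified"  # ACI's value for "match anything" on a vzEntry attribute

def tcp_entry(name, port):
    """One vzEntry permitting a single TCP destination port; all else stays denied."""
    return {"vzEntry": {"attributes": {"name": name, "etherT": "ip", "prot": "tcp",
                                       "dFromPort": str(port), "dToPort": str(port)}}}

def whitelist_contract(tenant, contract, filt, entries):
    """Tenant payload: one filter holding the entries, one contract whose subject uses it."""
    filt_mo = {"vzFilter": {"attributes": {"name": filt}, "children": list(entries)}}
    subj = {"vzSubj": {"attributes": {"name": "allowed"},
                       "children": [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filt}}}]}}
    contract_mo = {"vzBrCP": {"attributes": {"name": contract}, "children": [subj]}}
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [filt_mo, contract_mo]}}

def _walk(mo):
    """Yield (class, attributes) for every managed object in a payload tree."""
    for cls, body in mo.items():
        yield cls, body.get("attributes", {})
        for child in body.get("children", []):
            yield from _walk(child)

def permitted_tcp_ports(payload):
    """Numeric TCP destination ports the contract opens; the fabric denies everything else."""
    ports = {a["dFromPort"] for c, a in _walk(payload)
             if c == "vzEntry" and a.get("prot") == "tcp" and a.get("dFromPort", "").isdigit()}
    return sorted(int(p) for p in ports)

def overly_broad_entries(payload):
    """Names of entries matching any EtherType, any protocol or any port: review before posting."""
    return [a.get("name", "?") for c, a in _walk(payload)
            if c == "vzEntry" and UNSPEC in (a.get("etherT", UNSPEC), a.get("prot", UNSPEC),
                                             a.get("dFromPort", UNSPEC))]

if __name__ == "__main__":
    # Assumption: the payload would be POSTed to https://<apic>/api/mo/uni.json after aaaLogin.
    p = whitelist_contract("demo-tenant", "web-to-app", "https-only", [tcp_entry("tcp-443", 443)])
    print(json.dumps(p, indent=1))
    print("permitted TCP ports:", permitted_tcp_ports(p), "broad entries:", overly_broad_entries(p))
```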

Deploy, scale, and migrate applications seamlessly across multiple hybrid data centers. The Cisco Application Policy Infrastructure Controller (APIC) provides single-click access to all Cisco ACI fabric information, enabling network automation, programmability, and centralized management. Integrate virtual and physical workloads in a programmable, multi-hypervisor fabric to build a multiservice cloud data center. Smoothly transition from a traditional data center to SDN with a common, policy-enforced approach. Migrate to Cisco ACI and build on your existing Cisco NX-OS infrastructure.

For organizations implementing the Cisco Application Centric Infrastructure fabric architecture, the updated Cisco ASA 5585-X and Cisco Adaptive Security Virtual Appliance (ASAv) solutions can be fully integrated into the Cisco Application Centric Infrastructure fabric. Cisco Adaptive Security Device Manager — this no-cost, GUI-based, single-device management option can be used for configuring, monitoring, and troubleshooting the virtual and physical appliances. Cisco Security Manager — you can use this solution for comprehensive multi-device deployment and management of both the virtual appliance and the physical Cisco ASA 5500-X appliances.

Command-line interface — this flexible, command-based management interface uses scripting for quick provisioning and automation of the appliances. The virtual appliance, along with the physical Cisco ASA 5500-X next-generation firewalls, can be managed by security administrators as a pool of resources that scales on demand. It provides programmable automation for deployment and management and uses a common policy-based operational model across physical and virtual environments, reducing cost and complexity.

Intercloud Fabric

The Cisco Intercloud Fabric and Hybrid Cloud installation documentation and videos go a long way toward getting you started; however, we wanted to provide a bit more information to help you prepare for Cisco Intercloud Fabric installation, configuration, and connection to AWS, Azure, or both. First you will need an account at the cloud provider; the account requirements and capabilities differ for each provider. For Amazon AWS, a standard AWS account is used, with the following account policy requirements.

You will need the full Amazon EC2 access policy; the full AWS S3 access policy if you are going to deploy Windows images; and full AWS Marketplace access if you are going to deploy the Cisco Intercloud Fabric Router. To deploy the Intercloud Fabric Router from the Amazon AWS Marketplace, you will also need to accept the terms for the image. The Cisco Intercloud Fabric Router and Cisco Intercloud Fabric Firewall are not yet deployable in Azure. Download the presentation on Cisco’s website for a step-by-step guide to getting an AWS or Azure account. Cisco Intercloud Fabric And Hybrid Cloud — Cloud Access Keys.

Reduce risks and contain threats by dynamically controlling network access. The Cisco Identity Services Engine (ISE) can assess vulnerabilities and apply threat intelligence. It can also contain a suspicious device for remediation. We call this Cisco Rapid Threat Containment. Get answers fast about threats on your network and stop them even faster. Cisco Rapid Threat Containment uses an open integration of Cisco’s security products, technologies from Cisco security partners, and the network control of Cisco ISE. In addition, you can protect critical data through the solution’s Cisco Threat-Centric NAC feature, which dynamically changes your users’ access privileges when their threat or vulnerability scores go up.

Cisco ISE transforms the network from a simple conduit for data into a security enforcer that accelerates the time to detection and time to resolution of threats. Cisco pxGrid (Platform Exchange Grid) is an open, scalable, IETF-standards-driven data sharing and threat control platform. With it, your multiple security products can work together, and security operations teams can automate to get answers and contain threats faster.

Network Automation

To meet its growth demands for applications, hosting and cloud services, a client became the first telecom company in the world to deploy Cisco Application Centric Infrastructure (ACI) and Cisco Nexus 9000 series switches as the foundation for its next-gen data center. A client used the expertise of end-to-end Cisco Services to deploy Cisco ACI, which provided a turnkey approach that was agile, cost-effective, and scalable.

Increasing its competitive advantage, Du now has an application-focused fabric and a foundation for cloud automation and orchestration that supports an extensible, highly secure multitenant environment based on open standards.