Modern data centers are under unrelenting attack. East-west traffic security breaches are happening every day. According to Cisco, 75 percent of all attacks take only minutes to begin stealing data but take longer to detect. Once discovered, several weeks may pass before full containment and remediation are achieved. Today's data centers require a variety of "tools" to deal with sophisticated attack vectors. Network segmentation is a proven tool deployed in data centers.
While the broad constructs of segmentation are relevant, today's application and security requirements mandate increasingly granular methods that are more secure and operationally simpler. This has led to the evolution of "microsegmentation" to address the following:
Cisco's Application Centric Infrastructure (ACI) takes a very elegant approach to microsegmentation with policy definition separating segments from the broadcast domain.
Figure 1
It uses an application-aware construct called the End-Point Group (EPG) that allows application designers to define the group of endpoints that belong to the EPG regardless of their IP address or the subnet they belong to (Figure 1). Further, an endpoint can be a physical server, a virtual machine, a Linux container or even a legacy mainframe, i.e., the type of endpoint is normalized, which offers great simplicity and flexibility in how endpoints are treated.
Cisco ACI provides consistent micro-segmentation support for VMware VDS, Microsoft Hyper-V virtual switch, KVM, bare-metal endpoints and containers, which allows granular endpoint security enforcement. Customers can dynamically enforce forwarding and security policies, quarantine compromised or rogue endpoints based on virtual machine attributes (such as name, guest OS or VM identifier) and/or network attributes (such as IP address), and, once remediated, return cleaned endpoints to their base EPG.
ACI micro-segmentation allows users to create micro-segments across multiple VMM and physical domains in a consistent, policy-driven framework that gives customers operational flexibility and choice.
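The classification model described above, as an added illustration in Python (not Cisco's code and not the ACI object model or APIC API): endpoints belong to an EPG by application design rather than by subnet, attribute-based micro-segments (VM name, guest OS, IP prefix) peel endpoints off into finer groups, quarantine overrides everything, and remediation drops the endpoint back to its base EPG. The attribute names, rule format and sample endpoints are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
# Constructed illustration: attribute names, rule format and data are not the ACI object model.
@dataclass(frozen=True)
class Endpoint:
    vm_id: str
    name: str
    guest_os: str
    ip: str
    base_epg: str  # set by application design, not derived from the subnet

@dataclass(frozen=True)
class MicroSegment:
    name: str
    criteria: tuple  # ((attribute, value), ...); every criterion must match

def _criterion_matches(ep, attribute, value):
    if attribute == "ip":        # network attribute: prefix match
        return ipaddress.ip_address(ep.ip) in ipaddress.ip_network(value)
    if attribute == "vm_name":   # VM attribute: regex on the VM name
        return re.search(value, ep.name) is not None
    if attribute == "guest_os":  # VM attribute: exact guest OS string
        return ep.guest_os == value
    raise ValueError(f"unknown attribute {attribute!r}")

def classify(ep, microsegments, quarantined):
    """Quarantine wins, then the first matching micro-segment, else the base EPG."""
    if ep.vm_id in quarantined:
        return "quarantine"
    for ms in microsegments:
        if all(_criterion_matches(ep, a, v) for a, v in ms.criteria):
            return ms.name
    return ep.base_epg

# Constructed endpoints: one base EPG spans two subnets (vm-3 and vm-4).
ENDPOINTS = [
    Endpoint("vm-1", "web-01", "Ubuntu 20.04", "10.1.0.11", "web"),
    Endpoint("vm-2", "web-02", "Windows Server 2003", "10.1.0.12", "web"),
    Endpoint("vm-3", "db-01", "RHEL 8", "10.2.0.21", "db"),
    Endpoint("vm-4", "db-02", "RHEL 8", "10.3.0.21", "db"),
]
MICROSEGMENTS = [
    MicroSegment("web-legacy-os", (("guest_os", "Windows Server 2003"),)),
    MicroSegment("db-mgmt-net", (("vm_name", r"^db-"), ("ip", "10.2.0.0/24"))),
]
def placement(quarantined=frozenset()):  # endpoint -> EPG under a quarantine set
    return {ep.vm_id: classify(ep, MICROSEGMENTS, quarantined) for ep in ENDPOINTS}
def remediate(quarantined, vm_id):  # cleaned endpoint drops back to base EPG
    return frozenset(quarantined) - {vm_id}
```

Note that vm-3 and vm-4 share the base EPG "db" despite sitting in different subnets, while only vm-3 is pulled into the narrower "db-mgmt-net" segment by the combined name and IP criteria.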
Micro-segmentation to Quarantine Vulnerable VMs Across Multi-Hypervisor
Micro-segmentation of a Multi-tiered Application with L4-L7 Service Insertion
Micro-segmentation of a Multi-tiered Application for Remediation
Cisco ACI micro-segmentation can provide enhanced security for east-west traffic within the data center. Its true value lies in its integration with application design and holistic network policy, and transparent interoperability with a wide variety of hypervisors, bare-metal servers, Layer 4 through 7 devices, and orchestration platforms.
For More Information:
Video: Cisco ACI and IT Security Automation Saves the Day
White Paper: Data Center Microsegmentation: Enhance Security for Data Center Traffic