BRKSEC-3004
Security in ACI
Introduce Myself
• Couple of years in IT Services - IBM
• Decade in Cisco Engineering
• 7 years in Technical Marketing
BRKSEC-3004 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction
• The Case for SDN
• Cisco Next Gen DC Security
• Orchestration and Segmentation Rock Stars
• Tetration in ACI
• Data sources and policy recommendation
• Conclusion
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session.
How
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKSEC-3004
Introduction
The Case for SDN
Business Drivers for Programmable Architectures
Cisco Next Gen DC Security
Cisco Data Centre Security
Cisco Data Centre Portfolio Overview
Fabric: ACI Fabric Spine/Leaf, Nexus Switching
Compute: UCS, Fiber Interconnects
Analytics: Tetration
Cisco Security Portfolio Overview
Firewall/IPS/AMP: Firepower NGFW/NGIPS/AMP, FMC, Cisco ASA
Analytics: StealthWatch Enterprise, StealthWatch Cloud
Cloud: ASAv, FMCv, NGFWv on AWS and Azure; ASAv, FMCv, NGFWv on Hypervisor; Umbrella & CloudLock
Application Centric Infrastructure
Robust Transport - Nexus9000 Switch Fabric: controls CLOS of N9ks, VLAN pooling, any subnet anywhere
Centralised Management - APIC: orchestrate networking and L4-L7 services, add any hypervisor or physical workloads
Embrace open systems, APIs, and abstracted models to benefit any type of workload
Endpoint Group (EPG): A collection of virtual or physical endpoints in a base or micro-segmented grouping
Contract: A set of rules governing communication between endpoint groups
Service Graph (Chain): A chain of L4-L7 services inspecting traffic between endpoint groups
Programmability: Northbound API to script full network creation, with L4-L7 services
ACI Fabric Building Blocks: End Point Groups, Service Graphs
Service Automation Through Device Package
Device Specification (excerpt of the device package XML):
<dev type="f5">
<service type="slb">
<param name="vip">
<dev ident="210.1.1.1"
Firewall and IPS insertion modes (figure):
Routed Mode: the FW is the GW hop to the host (L3 device)
Transparent Mode: the router is the first hop to the host; traffic is routed through a bridging device
Inline IPS Mode: the router is the first hop to the host; traffic is routed through the IPS as a bump in a wire (similar to, but not the same as, the transparent device)
Device functions: protocol inspection (TCP Inspect, NAT, ALG); intrusion (AVC, File Protection)
Cisco Firepower Security Software Capabilities (figure)
Firewall App (ASA, classic): ASAv, FPR2100, FPR4100, FPR9300, ASA5585-X (EoS announced)
NGIPS App (Sourcefire): FP7000/8000, NGIPSv
NGFW App (FTD = ASA+Sourcefire): NGFWv, FPR2100, FPR4100, FPR9300
Firewall Modes: Transparent & Routed
NGFW/NGIPS Bypass Capable Appliances
NGFW (IPS-only ports): Firepower 9300, Firepower 4100
NGIPS: FirePOWER8000
Bypass function cannot be used with FTD HA or Cluster.
Cisco ASA 9.8 Software
Campus Network
Cisco ASA Contexts and Policies on CLI
In the System Context, the admin defines user contexts with separate interfaces, policies, routing table, and management access:
P1-ASA5525-1/master/asa1(config)# show run context pod15
context pod15
  allocate-interface Management0/0
  allocate-interface Port-channel10.3015
  allocate-interface Port-channel10.3065
  config-url disk0:/pod15.cfg
!
P1-ASA5525-1/master/asa1(config)# changeto context pod15
P1-ASA5525-1/master/asa1/pod15(config)# sh ip
System IP Addresses:
Interface            Name        IP address     Subnet mask
Management0/0        management  10.10.10.169   255.255.0.0
Port-channel10.3015  outside     20.40.0.10     255.255.255.0
Port-channel10.3065  web         10.50.0.10     255.255.255.0
Group IP addresses/subnets are populated manually via CLI or dynamically via APIC, ISE/TrustSec, or vCenter, and referenced from the ACE:
access-list hr_to_payroll extended permit tcp security-group name HR object __$EPG$_pod40-aprof-payroll eq www
Cisco Firepower NGFW 6.2.1 Software
Campus Network
Includes ASA Features & Modes, then adds:
• Inline IPS Mode of Insertion
• Firepower Threat-Centric Features: AVC, NGIPS, URL Filtering, AMP, Host Discovery, Identity, and ThreatGrid
• Security zones for policy separation: Outside & Web zones in FTD rules; Web to App zones in FTD rules
(figure: vPC, FMC, Web, App)
Cisco NGFW Zone-Based Policies in FMC
• Create Categories and Group Rules
• Security Zones: assign a Zone to each Interface; separate policies
• Application Visibility and Control: N/S rules allow the http app only on port 80 and block it on any other port
• Intrusion, Malware Policy
Future Vision: Multiple Logical Devices
• Multiple ASA/FTD application containers on a single blade
• Each application instance represents a tenant
• CPU/memory resources are dedicated to an instance at provisioning
• Physical and logical VLAN separation at Supervisor
Figure: FTD Instance A (4 CPU), FTD Instance B (2 CPU), FTD Context C (12 CPU), FTD Context D (4 CPU), ASA Context A (12 CPU) on a Firepower 4100 or Firepower 9300 module
ACI Service Graph: Redirection vs. Stitching
Service Graph – Policy Based Redirect (One-arm)
Figure: web EPG and app EPG; Subject A with filters (ssh, ndmp) goes direct via the fabric; Subject B with filters (http, ftp) is inspected; BD1 (SVI1) and BD2 (SVI2); consumer/provider side shadow EPG; routed firewall as the Go-To L4-L7 device.
The PBR service graph uses the subject filter to 'redirect' traffic to the device. Fabric SVI2 injects packets into the device one-arm interface. The firewall uses a default route to return packets to the fabric.
We can inspect traffic between two EPGs (app and web) residing in the same BD1 (same subnet) or in different BDs (different subnets).
Service Graph Stitching – Physical L4-L7 Device (figure: web and app EPGs)
Service Graph Stitching – GoTo or GoThrough (figure: web and app EPGs, L4-L7 device)
GoTo: When a routed firewall is L2-attached to EPGs, EP routes must point to a firewall interface. A different subnet is defined in each EPG / BD.
GoThrough: Transparent/IPS device; needs the fabric to flood broadcasts through the device. The same subnet spans two EPGs / BDs.
Service Graph Stitching – GoTo L3out (Routed)
Figure: web-prod and web-test EPGs (BD2) and the app EPG portgroup; firewall SVI 10.1.0.x/24; L3out 10.3.0.x/24
Service Graph - Virtual Device
Cisco Virtualized Advanced Security Toolkit
Firepower NGFWv 6.2 (NGFW): Amazon Web Services, Microsoft Azure, KVM, VMware; FTD device package
Firepower NGIPSv 6.2 (NGIPS): VMware; Unmanaged Mode
FMCv 6.2 (Unified Manager): Amazon Web Services, VMware, KVM; FMC hybrid mode with ACI
ASAv 9.9 (Firewall): Amazon Web Services, Microsoft Azure, KVM, Microsoft Hyper-V, VMware; ASA device package
Resource Consumption by Platform (vCPUs, RAM): NGFWv (4, 8G), NGIPSv (4, 4G), FMCv (4, 8G), ASAv5 (1, 1G), ASAv10 (1, 2G), ASAv30 (4, 8G), ASAv50 (8, 16G)
Service Graph Stitching – Virtual L4-L7 Device (figure: web and app EPGs)
Advanced Security in ACI
Evolution in ACI Customer Adoption
Figure: three stages (1, 2, 3), from Fabric Insertion to APIC in Control
Programmatic Approach with Security
Demo ACI by Design: L4-L7 Device Automation Workflow
rebuild-mypod.bash + quarantine
contracts: out-to-web (ASA), web-to-app (ASA), app-to-db (FTD)
LABSEC-3335 – DC Security Lab
Figure: External VRF vrf40net and Internal VRF pod40net.
Outside host 10.70.0.101 (Outside Network)
 -- out-to-web contract: ASA5525 Cluster, Routed L3FW Context, dynamic routing to vPC, GoTo Non-PBR --
Web host IP 10.1.0.101/16 (Web EPG, BD1 web)
 -- web-to-app contract: ASA5525 Dynamic EPG, PBR GoTo L3FW, Routed L3FW Context, One-Arm Mode --
App host IP 10.1.40.102/16 (App EPG)
 -- app-to-db contract: NGFWv (FTDv), Routed Mode, GoTo Non-PBR --
DB host IP 10.2.0.103 (DB EPG, BD2 db)
Firepower NGFWv HA in ACI
Step 1: Orchestrate the FTDv config to secure App to DB communication (python scripts on the api-client host, through FMC, to the FTDv HA pair)
ASA HA Context in ACI
Step 2: Orchestrate the ASA config to secure Web to App communication (python scripts on the api-client host, to the ASA context on the HA pair)
ASA Cluster Context in ACI (python scripts on the api-client host)
Deployment: Cisco Device Packages
Orchestrate Cisco ASA and FTD in ACI Fabric
ASA Device Package: FPR9300 and FPR4100/2100 running the ASA app; ASA5585-X (EoS) and ASA5500-X; ASAv50, ASAv30, ASAv10
ASA Embedded FirePOWER Services: divert to SFR; threat policies are added manually via FMC, outside of APIC control/visibility
FTD Device Package: FPR9300, FPR4100, FPR2100 running the FTD app; virtual NGFWv; Firepower Management Console (FMC) holds the Access & Threat Policies (URL filter, NGIPS, AMP, etc.); FMC Remediation Module for ACI
Security team configures via FMC (both for ASA embedded FirePOWER services and for FTD)
APIC configures Tenant Networking and Service Graph Parameters in the ACI Fabric
ASA Device Package
ASA Device Package – Two Options: PO and FI (both Managed – Service Policy)
Reference
ASA DP Built-In Profiles
ASA PO Function Profile – I.e., PBR One-Arm
Managed
Firepower 9300s Running ASA App (figure: l3out, vPC, App)
Resiliency with 10/40/100G ports, six SM-44 blades in FPR9300 Security Modules (SM), chassis, and ACI leafs. ASA cluster: 250Gbps TCP 450B. Add Radware DDoS.
Context-1: North/South ASA cluster; Context-2: East/West ASA cluster
Managed, APIC 2.0+
PBR Service Graph to a Single Interface L3FW ASA
Figure: ASA(v) one-arm interface 10.3.0.1 with custom MAC 5585.4100.9300 and a default or static route to the N9k SVIs (BD_pbr, 10.3.0.2); EPG APP and EPG DB in BD1; Rock Star Protected Servers, DHCP: 10.1.0.100 – 10.1.0.140; http and ssh (file copy) flows between the EPGs.
Fabric directs traffic in and out of the same interface, using the managed ASA. Must enable this ASA feature: same-security intra-interface. We can script a custom MAC on the ASA(v) and set that MAC on the PBR redirect.
The PBR Service Graph redirects traffic between two EPGs within the same Bridge Domain (subnet). Select the type of traffic to redirect, versus what protocols not to redirect.
FTD Device Package
Security team configures via FMC
Reference
FTD DP Built-In Profiles
FMC Pre-Defined (Existing) Rule SECURITY
APIC Attaches Traffic to FMC ACP & Rules
ftd-policy
ftd-rule1
ftd-rule2
FTD Routed Device Info Created from APIC
FTD Transparent Device
Interface Names:
webnic / appnic
Security Zones:
web-zone / app-zone
BVI ID and IP:
BVI5 / 10.1.0.104/24
FTD IPS Inline
Interface Names:
webnic / appnic
Security Zones:
web-zone / app-zone
Inline Set Name:
web-app-ips
Matching FTD/ACI Deployment Modes
GoThrough Service Graph: NGIPS/IDS Modes – Inline (managed) or Inline TAP (unmanaged)
Copy Service Graph: Passive (unmanaged)
APIC VMware VLAN Trunk Port Group
Assign Trunk Port Group to FTDv vNICs
FTDv Go-To Service Graph – vNIC Pairs
Figure: app and db EPGs with the FTDv (NGFWv) between them
FTDv Go-Through Service Graph – vNIC Pairs
Figure: web and app EPGs; vNIC2 on the consumer SG portgroup and vNIC3 on the provider SG portgroup, bridged by BVI10 (10.1.0.100) on the FTDv (NGFWv)
FTD NGIPS Service Graph with HA or Bypass
Figure: web and app EPGs; leaf Node-101 (vlan401) and Node-102 (vlan216); ports 1/5, 1/45, 1/46; vlan1001 on both sides of the inline set
• FMC REST-APIs in upcoming releases will allow these additions to the device package:
  • Static Routing*
  • Port-channels*
  • FTD Clustering*
* Planned in the next release, to support upcoming FMC 6.2(3). Join beta!
Security Beta Programs
• Security Beta Products Customer Benefits
Dynamic Policy from ACI
Attachment Notification on Service Graph Terminals
P2-ASA5525-1/pod37# show object-group
object-group network __$EPG$_pod37-wan-out-out-l3out3
 network-object 10.70.0.0 255.255.255.0
(figure: ACE -> Object-group)
ASA Device Package
Figure: Flat BD2 Subnet 10.1.0.0/16 - DHCP; EPG endpoints IP1, IP2, IP3 and IP10, IP11, IP12
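The two ASA slides above show the pieces of dynamic policy: an ACE that references an EPG object (`security-group name HR object __$EPG$_pod40-aprof-payroll eq www`) and an object-group whose members the device package fills from attachment notifications. The following is an added example, not Cisco's device package code, that renders those ASA configuration lines from a constructed attachment notification and computes the incremental add/remove lines when endpoints attach or detach. The notification field names, the `TENANT-APP` placeholder and the helper names are this example's assumptions; the `__$EPG$_` naming follows the deck.

```python
import ipaddress

# Constructed sample of an attachment notification: the endpoints the fabric
# reports as attached to a service-graph terminal. Field names are this
# example's own, not the device package's schema.
SAMPLE_ATTACHMENT = {
    "tenant": "pod37", "app": "wan-out", "epg": "out-l3out3",
    "endpoints": ["10.70.0.0/24", "10.1.0.101", "10.1.0.102/32"],
}


def epg_object_group_name(att):
    """Naming convention seen on the ASA CLI slides: __$EPG$_<tenant>-<app>-<epg>."""
    return f"__$EPG$_{att['tenant']}-{att['app']}-{att['epg']}"


def _member_line(prefix):
    """One network-object line; hosts and subnets use different ASA syntax."""
    net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits set in a subnet
    if net.prefixlen == net.max_prefixlen:
        return f" network-object host {net.network_address}"
    return f" network-object {net.network_address} {net.netmask}"


def asa_object_group(att):
    """Full object-group definition for the EPG (initial attachment)."""
    lines = [f"object-group network {epg_object_group_name(att)}"]
    lines.extend(_member_line(ep) for ep in att["endpoints"])
    return lines


def membership_update(att_old, att_new):
    """Incremental update when endpoints attach or detach: add the new
    members and negate the removed ones, so the ACE that references the
    object-group never has to change."""
    if epg_object_group_name(att_old) != epg_object_group_name(att_new):
        raise ValueError("membership updates are per object-group")
    old = {str(ipaddress.ip_network(e, strict=True)) for e in att_old["endpoints"]}
    new = {str(ipaddress.ip_network(e, strict=True)) for e in att_new["endpoints"]}
    lines = [f"object-group network {epg_object_group_name(att_new)}"]
    lines.extend(_member_line(ep) for ep in sorted(new - old))
    lines.extend(" no" + _member_line(ep) for ep in sorted(old - new))
    return lines


def campus_to_epg_ace(acl_name, sgt_name, att, port):
    """ACE in the shape shown on the ASA CLI slide: a campus TrustSec
    security-group name on the source side and the ACI EPG on the
    destination side. The slide uses 'object'; this example references the
    object-group built above, so the keyword is 'object-group'."""
    return (f"access-list {acl_name} extended permit tcp security-group name "
            f"{sgt_name} object-group {epg_object_group_name(att)} eq {port}")


if __name__ == "__main__":
    for line in asa_object_group(SAMPLE_ATTACHMENT):
        print(line)
    print(campus_to_epg_ace("hr_to_payroll", "HR", SAMPLE_ATTACHMENT, "www"))
```

`ip_network(..., strict=True)` is deliberate: a notification carrying a subnet with host bits set is rejected instead of being silently widened into a larger object-group member.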
FTD Device Package
Combine with Dynamic Policy From Campus
Figure: campus groups Marketing and Engineering reach the ASA Device Package via SXP; App EPG
ASA Device Package
Figure: Campus groups Marketing and Engineering via SXP; Engineering maps to the Engr App EPG
Rapid Threat Containment
FMC to APIC Rapid Threat Containment
Figure: ACI Fabric with App2 and the infected App1 workload, FMC; steps 1 and 2 run between the workloads and FMC.
Step 3: The attack event is configured to trigger the remediation module for APIC, which uses the NB API to contain the infected host in the ACI fabric.
Step 4: APIC quickly contains/quarantines the infected App1 workload into an isolated uSeg EPG.
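The containment step above is an APIC northbound API call that places the infected host into a uSeg EPG. Below is an added example, not the FMC remediation module's code, that selects which hosts a set of events should contain and builds the APIC REST body for the quarantine uSeg EPG with an IP attribute. The event fields are constructed for this example; the APIC object and attribute names (fvAEPg, isAttrBasedEPg, pcEnfPref, fvRsBd, fvCrtrn, fvIpAttr) and the /api/mo/<dn>.json endpoint are this example's assumptions about the APIC object model and should be checked against your APIC's API inspector.

```python
import ipaddress

# Constructed sample of what a correlation/remediation trigger carries.
# Field names are this example's own, not the FMC API schema.
SAMPLE_EVENTS = [
    {"src_ip": "10.1.0.102", "impact": 1, "msg": "MALWARE-CNC (constructed)"},
    {"src_ip": "10.1.0.101", "impact": 4, "msg": "PROTOCOL-ICMP ping (constructed)"},
    {"src_ip": "10.1.0.102", "impact": 2, "msg": "EXPLOIT-KIT (constructed)"},
]


def hosts_to_contain(events, max_impact=2):
    """Unique source hosts whose events are impact 1 or 2 (FMC's 'vulnerable'
    and 'potentially vulnerable' levels); low-impact noise does not quarantine
    a workload."""
    return sorted({e["src_ip"] for e in events if e["impact"] <= max_impact})


def quarantine_epg_payload(tenant, app_profile, bd, host_ip, epg_name="quarantine"):
    """APIC REST body that creates (or updates) the uSeg EPG and adds host_ip
    as an IP attribute. Object/attribute names are assumptions about the APIC
    object model (see the lead-in)."""
    ip = ipaddress.ip_address(host_ip)  # malformed input fails here, not on APIC
    if ip.is_multicast or ip.is_unspecified:
        raise ValueError(f"{host_ip} is not a unicast host address")
    dn = f"uni/tn-{tenant}/ap-{app_profile}/epg-{epg_name}"
    return {
        "fvAEPg": {
            "attributes": {
                "dn": dn,
                "name": epg_name,
                "isAttrBasedEPg": "yes",   # makes this a uSeg EPG
                "pcEnfPref": "enforced",    # intra-EPG isolation: quarantined hosts cannot reach each other
            },
            "children": [
                {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
                {"fvCrtrn": {
                    "attributes": {"name": "default"},
                    "children": [
                        {"fvIpAttr": {"attributes": {
                            "name": f"ip-{str(ip).replace('.', '-')}",
                            "ip": str(ip),
                        }}}
                    ],
                }},
            ],
        }
    }


def post_url(apic_host, payload):
    """URL the payload is POSTed to (assumed /api/mo/<dn>.json form)."""
    dn = payload["fvAEPg"]["attributes"]["dn"]
    return f"https://{apic_host}/api/mo/{dn}.json"


if __name__ == "__main__":
    for host in hosts_to_contain(SAMPLE_EVENTS):
        body = quarantine_epg_payload("pod40", "aprof", "BD2", host)
        print(post_url("apic.example.invalid", body))
        print(body)
```

The uSeg EPG itself must be created with no contracts, or only the contracts the incident process allows (for example, to a remediation server); the payload above does not relate any contract, which is what makes the EPG isolated.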
Reference
Better Together:
Cisco ACI and Security
SF / TS Agent
Cisco ACI Fabric and Policy Domain Evolution
Recommend two sessions to watch: BRKACI-2016 – ACI Layer 4-7 Integration; BRKACI-3502 – ACI Multisite Deployment
ACI 1.0 – ACI Single Pod Fabric: single pod fabric with an APIC cluster
ACI 1.1 – ACI Stretched Fabric: stretch a single fabric geographically
ACI 2.0 – ACI Multi-Pod Fabric: multiple leaf/spine networks (Pod 'A' … Pod 'n') in a single Availability Zone (Fabric), joined by the IPN
ACI 3.0 – ACI Multisite: multiple Availability Zones (Fabric 'A' … Fabric 'n') in a single region 'and' multi-region policy management, joined over IP
…more to come!
Firewall Integration
Troubles Today with ASA / FTD Cluster & Multi-Pod
Figure: Extended BD between all Pods (Pod 'A' … Pod 'n') over the Inter-Pod Network
Future
Figure: APIC Cluster; pods joined by the IPN; PBR Policy applied in each pod; L3Out-1 and L3Out-2 to the WAN
Now, what if I am not ready to give up control of my ASA or FTD?
Option 1: Fabric Insertion (rather than APIC in Control)
1 – Fabric Insertion
• Design calls for a large number of service graphs and contracts (scalability of the ACI fabric must be considered)
• Fastest migration of security services and policies into the ACI fabric (VLANs to EPGs; subnets and security appliances enforce policy)
• Use the security product in the same fashion as you do in traditional networks
• Relieves services of the controller validation and monitoring
• Less complexity compared to service graph, but also no PBR redirect benefits
• You can use cut-in firewall designs, ensuring all traffic to/from the DC is secured (Note: the ACI fabric attaches independently to the campus L3out and the firewall when service graphs are configured)
1 – ACI Fabric is L2
Have flexibility for APIC to manage EPGs, and attach security directly into EPGs.
Endpoint Group (EPG), Contract, Service Chain, Programmability
No Service Graph (figure: Master/Slave)
Can I still use orchestration without APIC?
Device Specification (excerpt from the python script):
"dn": "uni/tn-%s/lDevVip-%s/vFTD-l3fw" % (tenant_name, l47_dev_name),
"name": "FTD-HA1",
"host": fmc_ip,
"virtual": virtual,
…
Device Configuration (excerpt):
(0, '', 4548): {
  'dn': "uni/vDev-[uni/tn-pod3/lDevVip-vFTD-l3fw]-tn-[uni/tn-pod3]-ctx-pod3net",
  'transaction': 0,
  'ackedstate': 0,
  'value': {
    (4, 'SecurityZone', zone1): {
      'state': 2,
      'transaction': 0,
Figure: FTD, FMC (FTD Manager), device package; Device Interface: REST/CLI
The Device JSON Configuration is recorded in the APIC debug.log under /data/devicescript/CISCO.FTD_FI.1.0/logs/
The FTD FI Device Package can still help! You can automate FTD fabric insertion configuration without using APIC.
Reference
1) Scripting host that you can use to program FMC (I suggest Linux)
2) Install Python interpreter, 2.7.3 or later
3) Download FTD 1.0.2 Device Package for ACI from Cisco.com (see the previous slide for the location of the package)
4) Download the Github config and unconfig python scripts: https://github.com/cisco-security/FMC-REST-API-scripts
5) Create the manual-devpkg directory (choose the name as appropriate)
Reference
user@api-client:~/manual-devpkg/ftd-fi$ ls -l
total 220
-r--r--r-- 1 user user 34355 2017-12-07 15:32 device_script.py
-r--r--r-- 1 user user 25110 2017-12-07 15:34 device_script.pyc
-r--r--r-- 1 user user 28600 2017-11-11 22:29 device_specification.xml
drwxrwxr-x 4 user user  4096 2017-12-07 15:34 devpkg
device_script.py: Python procedures written by the security BU to provision a given FTD configuration
device_specification.xml: device spec that defines the model of our FTD device package
Reference
FTDv Routed EPG-attached Firewall Integration
NGFWv (FTDv), Routed Mode, EPG-attached vNICs; python scripts on the api-client host drive FMC (Service Manager); FTDv interfaces 10.1.0.1 and 10.2.0.1, SVI/Subnet 10.1.0.2/24
Network Adapters 5 & 6 are already statically assigned to the App and DB EPGs. FTDv needs to use g0/3 as the app EPG end-point and g0/4 as the db EPG end-point.
Figure: Web host IP 10.1.0.101/16 (Web EPG, BD1 web); App host IP 10.1.pod#.102/16 (App EPG); DB host IP 10.2.0.103 (DB EPG, BD2 db); app-to-db flow Src: 10.1.0.102 Dst: 10.2.0.103
Is there a way to use service graph but keep control of my ASA & FTD?
Option 2: Fabric Insertion with APIC in Control
2 – No Device Package
Customers enable full ACI fabric benefits without forcing a device package.
Endpoint Group (EPG): Creation of EPG segments is still done on APIC; EPs are virtual machines or physical servers.
Contract: Is between EPGs and adds unmanaged Service Graphs (no device pkg).
Service Chain: Adds L4-L7 devices and includes the PBR redirect service graph.
Programmability: Northbound API to script full tenant network and unmanaged SG creation.
Matching ASA and FTD to ACI Deployment Modes
ASA Modes of Operation: Firewall Modes – Routed, Transparent
FTD Modes of Operation: Firewall Modes – Routed, Transparent; NGIPS/IDS Modes – Inline or Inline TAP, Passive
ACI Service Graph Modes: GoTo Service Graph (routed firewall); GoThrough Service Graph (transparent firewall, inline NGIPS/IDS); Copy Service Graph (passive)
ASA or FTD applications can be added to the ACI fabric in an Unmanaged Service Graph mode. You must carefully design their service graphs and match the mode of operation with the ACI fabric workloads.
Unmanaged
Figure: vPC4; Po1.404 (consumer) and Po1.405 (provider); FMC and APIC; Firepower 4100/9300 Clustering running the Firepower Threat Defence (FTD) image, Master/Slave. The Firepower ACI Remediation Package is applicable.
FMC manages the FTD cluster and config. Benefit from scale and state-sharing: redundant links (max 16) and appliances (max 6 in an FTD cluster). Use BGP or OSPF with ACI L3outs.
APIC Go-To Unmanaged Service Graph: where FTD is in Routed FW Mode (N/S). Add Go-Through Transparent FW BVIs and inline NGIPS-only ports for E/W protection inside the fabric.
Unmanaged, APIC 2.0+
FTD One-Arm PBR Service Graph - GoTo
Figure: web (vlan-500) and app (vlan-501) EPGs; FTD App one-arm interface 10.3.0.1 with custom MAC 0f2d.4100.9300 and a default or static route to the N9k SVIs (BD_pbr, 10.3.0.2); EPG APP and EPG DB in BD1; Rock Star Protected Servers, DHCP: 10.1.0.100 – 10.1.0.140; http and ssh (file copy) flows between the EPGs.
Fabric directs traffic in and out of the same interface, using the unmanaged FTD app. Must use one Security Zone to define the ACP rule. A virtual appliance can also be used.
The PBR Service Graph redirects traffic between two EPGs in the same Bridge Domain (subnet). Select the type of traffic to redirect, versus what protocols to send via the fabric.
Contract app-to-db: FTDv Unmanaged Graph
NGFWv (FTDv), Routed Mode, GoTo Non-PBR; python scripts on the api-client host drive FMC (Service Manager); FTDv interfaces 10.1.0.1 and 10.2.0.1, SVI/Subnet 10.1.0.2/24
Hybrid Model: APIC will create the service graph port-groups and assign them to Network Adapters 3 & 4. FTDv needs to use g0/1 as the consumer and g0/2 as the provider interface for the service graph.
Figure: Web host IP 10.1.0.101/16 (Web EPG, BD1 web); App host IP 10.1.pod#.102/16 (App EPG); DB host IP 10.2.0.103 (DB EPG, BD2 db); app-to-db flow Src: 10.1.0.102 Dst: 10.2.0.103
Now, what if I am not sure what Apps live in my Data Centre and cloud?! How can Cisco help me build my fabric policy and ensure compliance?
Cisco Tetration
Cisco Tetration Platform and ACI
• Establish your Data Centre application dependency mappings
• Detect which apps are talking, group them into EPGs and create Contracts with appropriate filters
• Using JSON, APIC can 1-click import EPGs and white-list policy for your ACI Data Centre
• Use the ACI App to convert the Tetration policy recommendation into ACI configuration
• L4-L7 services are currently not included in the App, so build those in manually for now
• Github scripts showcase how to import Tetration policy into Cisco Security appliances
Whitelist Policy Recommendation
Application Discovery Whitelist Policy Recommendation (Available in JSON, XML, and YAML)
{
  "src_name": "App",
  "dst_name": "Web",
  "whitelist": [
    {"port": [0, 0], "proto": 1, "action": "ALLOW"},
    {"port": [80, 80], "proto": 6, "action": "ALLOW"},
    {"port": [443, 443], "proto": 6, "action": "ALLOW"}
  ]
}
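The bullets above say the Tetration whitelist can be imported into ACI and, via scripts, into Cisco security appliances. Below is an added example, not Tetration's, Cisco's or the cisco-security GitHub scripts' code, that takes the recommendation shown above (constructed here as sample input, with the same values) and renders it both as an APIC filter object and as ASA extended ACEs referencing the EPG object-groups from the ASA slides. The vzFilter/vzEntry attribute names are this example's assumption about the APIC object model, and `TENANT-APP` in the object-group names is a placeholder for the real tenant/application-profile prefix.

```python
import json

# Tetration whitelist recommendation as shown on the slide (constructed
# sample input for this example, same values as the deck).
RECOMMENDATION = json.loads("""
{
  "src_name": "App",
  "dst_name": "Web",
  "whitelist": [
    {"port": [0, 0], "proto": 1, "action": "ALLOW"},
    {"port": [80, 80], "proto": 6, "action": "ALLOW"},
    {"port": [443, 443], "proto": 6, "action": "ALLOW"}
  ]
}
""")

# IP protocol numbers used by the recommendation (1 = ICMP, 6 = TCP, 17 = UDP)
IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}


def aci_filter(rec):
    """APIC JSON body for one vzFilter with one vzEntry per whitelist line.
    Attribute names (etherT, prot, dFromPort, dToPort) are this example's
    assumption about the APIC object model; verify with the API inspector."""
    entries = []
    for i, w in enumerate(rec["whitelist"]):
        if w["action"] != "ALLOW":
            continue  # whitelist model: only ALLOW lines become filter entries
        proto = IP_PROTO[w["proto"]]
        attrs = {"name": f"e{i}-{proto}", "etherT": "ip", "prot": proto}
        lo, hi = w["port"]
        # [0, 0] means "any port" (and ICMP has no ports at all)
        if proto in ("tcp", "udp") and (lo, hi) != (0, 0):
            attrs["dFromPort"] = str(lo)
            attrs["dToPort"] = str(hi)
        entries.append({"vzEntry": {"attributes": attrs}})
    name = f"{rec['src_name']}-to-{rec['dst_name']}".lower()
    return {"vzFilter": {"attributes": {"name": name}, "children": entries}}


def asa_acl(rec, acl_name="tetration_acl"):
    """The same whitelist as ASA extended ACEs. Source and destination are the
    APIC-created EPG object-groups (__$EPG$_ naming seen in the deck; the
    TENANT-APP prefix is a placeholder)."""
    src = f"object-group __$EPG$_TENANT-APP-{rec['src_name'].lower()}"
    dst = f"object-group __$EPG$_TENANT-APP-{rec['dst_name'].lower()}"
    lines = []
    for w in rec["whitelist"]:
        proto = IP_PROTO[w["proto"]]
        lo, hi = w["port"]
        action = "permit" if w["action"] == "ALLOW" else "deny"
        if proto == "icmp" or (lo, hi) == (0, 0):
            port = ""
        elif lo == hi:
            port = f" eq {lo}"
        else:
            port = f" range {lo} {hi}"
        lines.append(f"access-list {acl_name} extended {action} {proto} {src} {dst}{port}")
    # whitelist semantics: anything Tetration did not observe is dropped
    lines.append(f"access-list {acl_name} extended deny ip any any")
    return lines


if __name__ == "__main__":
    print(json.dumps(aci_filter(RECOMMENDATION), indent=2))
    print("\n".join(asa_acl(RECOMMENDATION)))
```

The explicit trailing deny is the part worth keeping in mind when importing a whitelist into an appliance: the ACI contract model already drops what no filter permits, but an ASA ACL needs that line to carry the same meaning.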
Cisco Tetration Data Sources – Application Maps
For detailed coverage of Tetration, please refer to recording of BRKACI-2604 at CL18 Melbourne.
Where can I go for info, if I really, really, really want to find more information about this topic?
Refer to my previous Breakouts on this topic.
See the Cisco Live EMEA Berlin recording of the BRKACI-3004 session (recording and pdf):
https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=94370
• Shows how to integrate ASA multiple contexts with APIC
• Details how to pre-configure ASA clustering and multiple contexts
• Reviews migration of typical security designs into ACI
• Shows best practices of ASA cluster data plane and CCL in ACI
• Details ASA failover setup and best practices with Failover link and data plane
Additional Resources
List of ACI White Papers - https://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/white-paper-listing.html
Service Graph design - https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-734298.html
ASAv PBR Service Graph - https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/secure-data-center-solution/guide-c07-739765.html
PBR Service Graph Designs - https://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html
Cisco Advanced Security in ACI Playlist
https://www.youtube.com/playlist?list=PLvnemMVdgW1s77HuPk04VWwP47Y8EvlQl
GitHub python scripting for automation of ASA and FTD service graph with ACI
https://github.com/cisco-security
Conclusion
Benefits of Programming with Cisco Security
Complete Your Online Session Evaluation
• Give us your feedback and receive a Cisco Live 2018 Cap by completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Mobile App.
Don't forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Global.
Q&A
Continue Your Education
• Demos on the Cisco stand
• Walk-in Self-Paced Labs
• Meet the Expert 1:1 meetings
• Related sessions
Thank you
Additional Information
Reference
Reference
Appliance                                              ACI integration     Service graph modes
FirePOWER physical appliance                           Unmanaged           Go-To (Routed): PBR works with Routed
(FP71x0, FP71x5, FP70x0, FP8100, FP8300)               (DP not in plans)   Go-Through (inline IPS): Fail-to-Wire for IPS
FirePOWER NGIPSv (VMware)                              N/A                 Go-Through (inline IPS)