Tech Bytes

BiB 016: Automated Microsegmentation With Cisco Tetration #NFD16



Cisco Tetration came out of the gate as a deep analytics and insights platform and is rapidly iterating on a variety of use cases. In this briefing, Cisco presented how Tetration can be used for network security. Ethan Banks discusses. Listen via the embedded audio player above.
* Automated microsegmentation was the chief use case cited in this briefing. Cisco described the problem of whitelisting flows between applications, making the point that it’s very difficult to know what the network flow dependency tree looks like between apps. For a human to get the whitelist right is nearly impossible. This is where Tetration steps in.
* Tetration builds a profile of every single endpoint on the network, feeds the profiles through a machine learning algorithm, and then groups endpoints together based on the granularity the customer desires.
* With the groups built, Tetration determines which ports should be opened between which groups. Cisco says Tetration will get this right because it sees every single packet on the wire, collected via endpoint agents, hardware sensors, and metadata gathered from network devices. Even short-lived microflows are analyzed, increasing the odds that the whitelist Tetration generates will work correctly.
* For customers whose traffic patterns vary by season, Tetration ships with an enormous amount of storage so that it can capture flow patterns over several months, helping to ensure that the generated whitelist is valid no matter the season, although it would take a quarter or so to gather the data needed before deployment.
* Tetration policies can be deployed in a monitor-only mode, so that IT teams can observe what traffic would be dropped before placing the policy into production.
* Particularly risk-averse customers have the option to be notified by Tetration when flows are denied by the whitelist, allowing them to add the denied flow to the permit side of the list. Customers can also write their own policies leveraging tag metadata or subnets, to be merged with Tetration’s machine-learning-generated policies, a nice feature for giving Tetration hints about coming infrastructure changes.
* For folks imagining a complex set of five-tuple rules that has to be maintained by hand once Tetration has done its magic, Cisco stresses that Tetration is constantly refactoring the nitty-gritty rule sets as the IT infrastructure changes. Customers just manage intent-based policies, expressed in a higher-level language, that describe what should be allowed to talk to what. No fussy rules management is expected of ops teams, which is just as well, since Tetration scales to 1 billion policy rules per Tetration cluster according to Cisco. I don’t know about you, but I don’t want to manage that by hand.
* For folks invested in security platforms other than Tetration, Cisco mentioned that the policies generated by Tetration are exportable, citing AWS, ACI, and even a nebulous “other vendors” as possible targets to import Tetration’s rulesets.
* Cisco also pointed out that Tetration works without caveat across several different workload platforms, including Azure, Google Cloud Platform, and AWS, alongside ACI in the data center. The point is that with the Tetration agent, any workload can be secured no matter where it is. With the press of a button, Cisco demonstrated global policy deployment. Upon accepting the warning “New host firewall rules will be inserted and any existing rules will be deleted on the relevant hosts,” a policy was deployed to the impacted endpoints.
* At the tail-end of the briefing, Cisco dropped the SaaS bomb, mentioning that Cisco Tetration Analytics as a service was coming soon, currently in testing with some select customers.
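As an added illustration (not Cisco’s code or Tetration’s actual algorithm), the Python below sketches the workflow the bullets above describe: learn an allow-list from flows already attributed to endpoint groups, merge in operator-written intent, run the policy in monitor-only mode to see what would be denied, promote a denied flow to the permit side, and expand the group-level intent into the per-host rule set that would otherwise be hand-maintained. Group names, addresses and flows are constructed sample data.

```python
from collections import defaultdict
# Constructed sample data, not real Tetration output: flows already attributed
# to endpoint groups as (src_group, dst_group, proto, dst_port).
LEARNED_FLOWS = [("web", "app", "tcp", 8080), ("web", "app", "tcp", 8080),
                 ("app", "db", "tcp", 5432), ("mgmt", "web", "tcp", 22),
                 ("app", "dns", "udp", 53)]  # the short-lived microflow still counts
LIVE_FLOWS = [("web", "app", "tcp", 8080), ("app", "dns", "udp", 53),
              ("web", "db", "tcp", 5432)]  # tier-skipping flow never seen while learning
MEMBERS = {"web": ["10.0.1.10", "10.0.1.11"], "db": ["10.0.3.10"], "dns": ["10.0.0.53"],
           "app": ["10.0.2.10", "10.0.2.11", "10.0.2.12"], "mgmt": ["10.0.9.5"]}

def learn_whitelist(flows):
    """Collapse observed flows into allow rules keyed on the (src, dst) group pair."""
    rules = defaultdict(set)
    for src, dst, proto, port in flows:
        rules[(src, dst)].add((proto, port))
    return dict(rules)

def merge_custom(rules, custom):
    """Return a copy of the learned rules with operator-written intent merged in."""
    merged = {pair: set(svcs) for pair, svcs in rules.items()}
    for pair, svcs in custom.items():
        merged.setdefault(pair, set()).update(svcs)
    return merged

def evaluate(rules, flows, monitor_only=True):
    """Return (verdict, flow) pairs. In monitor-only mode a flow outside the
    whitelist is reported as 'would-deny' instead of dropped, for review."""
    miss = "would-deny" if monitor_only else "deny"
    verdicts = []
    for src, dst, proto, port in flows:
        hit = (proto, port) in rules.get((src, dst), ())
        verdicts.append(("allow" if hit else miss, (src, dst, proto, port)))
    return verdicts

def permit_denied(rules, flow):
    """Notify-and-add workflow: move a flow that tripped the whitelist to the permit side."""
    src, dst, proto, port = flow
    rules.setdefault((src, dst), set()).add((proto, port))
    return rules

def expand_to_hosts(rules, members):
    """Expand group-level intent into the per-host rule set; this is the set that
    gets regenerated automatically whenever group membership changes."""
    return [(s, d, proto, port) for (sg, dg), svcs in rules.items()
            for proto, port in svcs for s in members[sg] for d in members[dg]]
```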
For more detailed information, watch…

Tech Bytes, by Packet Pushers


