SlideShare una empresa de Scribd logo

Using Tetration for application security and policy enforcement in multi-vendor environments.

Descargar como PPTX, PDF
Joel W. King
Joel W. King

Network engineers increasingly must view the network as one big software system, which streams telemetry data from software sensors and network devices to an analytics engine. To implement the whitelist-based segmentation and zero-trust policy model generated from the data analysis, automation is a requirement when dealing with tens of thousands of workloads and complex rules. This session examines how Cisco Tetration Analytics combined with automation can be used to implement a zero-trust policy model on multi-vendor network fabrics, firewalls and application delivery controllers.

Tecnología
1 de 34
Using Tetration for application security and policy enforcement in multi-vendor environments. Joel W. King Engineering and Innovations Network Solutions
Network engineers increasingly must view the network as one big software system, which streams telemetry data from software sensors and network devices to an analytics engine. To implement the whitelist-based segmentation and zero-trust policy model generated from the data analysis, automation is a requirement when dealing with tens of thousands of workloads and complex rules. This session examines how Cisco Tetration Analytics combined with automation can be used to implement a zero-trust policy model on multi-vendor network fabrics, firewalls and application delivery controllers. Using Tetration for application security and policy enforcement in multi-vendor environments.
 Joel W. King Principal Architect World Wide Technology Research Triangle Park, NC  Experience AMP Incorporated, Network Architect Cisco, Cisco Validated Designs (CVDs) NetApp, Big Data: Video Surveillance Storage  Contact Info linkedin.com/in/programmablenetworks @joelwking joel.king@wwt.com DevNet Create 2018
…. Very topical for us -- talk on implementing Zero Trust with automation and Tetration … … Personally, I think ZT will replace perimeter security model within 5-7 years, and already we're hearing customers ask about it. … ----------------------------------------------- Gene Geddes | Chief Scientist, Security Solutions | World Wide Technology
#SILICONVALLEYINSTL Deploy Sensors Inventory Tetration Network Policy Publisher Under the Hood Resources
SHARE ACT TRACE HUNT BEHAVIORS THREATS TRIAGE DETECTION TELEMETRY INVENTORY Can you collaborate with trusted partners to disrupt adversary campaigns? Can you deploy proven countermeasures to evict and recover? During an intrusion, can you observe adversary activity in real time? Can you detect an adversary that is already embedded? Can you detect adversary activity within your environment? Who are your adversaries? What are their capabilities? Can you accurately classify detection results? Can you detect unauthorized activity? Do you have visibility across your assets? Can you name the assets you are defending? What is it doing? Should it? What’s on my network?
Automated whitelist policy Zero-trust, application segmentation Cisco Tetration Analytics​ Illumio​ VMware vRNI
telemetry agent installation 1 2 3 inventory policy enforcement iptables | firewall publisher kafka INVENTORY NETWORK DEVICES
Data Collection Layer Cisco Tetration Analytics™ NETWORKING [TELEMETRY ONLY] Data Consumption Layer REST API KAFKA MESSAGE BUS
#SILICONVALLEYINSTL
 Deploy Software Sensors setup_tetration_sensor.yml  Dynamic Inventory inventory/sensors.py  Network Policy Publisher library/tetration_network_policy.py PLUGINS MODULES ANSIBLE PLAYBOOK DATA REST API https://github.com/joelwking/ansible-tetration
#SILICONVALLEYINSTL Deploy Sensors
Data Collection Layer Cisco Tetration Analytics™ 39-RU 8-RU SaaS 25,000 | 5,000 | 1,000 NETWORK INFRASTRUCTURE NetFlow | ERSPAN VM Appliance COMPUTE or virtual appliance
 Extensive matrix of Windows | Unix | Linux  Package and version dependencies e.g. rpm (even in Ubuntu/Debian)  Different agent RPMs for … o Agent type, e.g. enforcement, visibility o Target system, e.g. CentOS 6.0 vs 7.0 o Latest version covers 34 RPMs  Agent downloaded from GUI
 Rather than PDF …  ./setup_tetration_sensor.yml [administrator@centos-ansible-1 ~]$ uname Linux [administrator@centos-ansible-1 ~]$ -r -bash: -r: command not found [administrator@centos-ansible-1 ~]$ uname -r 3.10.0-862.el7.x86_64 command: uname -r value: 3.10.0-862.el7.x86_64 command: cat /etc/shells value: /bin/sh command: dmidecode -V value: 3.0 command: openssl version -a value: OpenSSL 1.0.2k-fips command: cpio --version value: cpio (GNU cpio) 2.11 command: sed --version value: sed (GNU sed) 4.2.2 command: awk --version value: GNU Awk 4.0.2 command: flock -V value: flock from util-linux 2.23.2 command: iptables --version value: iptables v1.4.21 command: ipset --version value: ipset v6.29, ansible-tetration/setup_tetration_sensor.yml
#SILICONVALLEYINSTL Inventory
ANSIBLE AUTOMATION ENGINE CMDB INVENTORY HOSTS NETWORK DEVICES PLUGINS CLI MODULES PUBLIC / PRIVATE CLOUD PUBLIC / PRIVATE CLOUD CORE NETWORK COMMUNITY NOW.PY EC2.PY VMWARE_FACTS ANSIBLE PLAYBOOK Cisco Tetration Analytics™ SENSORS.PY ansible-tetration/inventory/sensors.py
$ ansible-inventory --host centos-ansible-1 -i ./inventory/sensors.py { "agent_type": "ENFORCER", "auto_upgrade_opt_out": false, "cpu_quota_mode": 1, "cpu_quota_usec": 30000, "current_sw_version": "2.3.1.41-1-enforcer", "data_plane_disabled": false, "enable_forensics": false, "enable_pid_lookup": false, "host_name": "centos-ansible-1", "interfaces": [ { "family_type": "IPV4", "ip": "10.255.40.139", "mac": "00:50:56:b9:62:58", "name": "ens160", "netmask": "255.255.255.0", "vrf": "Default", "vrf_id": 1 }, [snip] ], "last_config_fetch_at": 1537905092, "last_software_update_at": 1535054507, "platform": "CentOS-7.5", "uuid": "965e77504bf605d62c575231fa3d56463aed38bf" } ansible-inventory --host centos-ansible-1 -i ./inventory/sensors.py
#SILICONVALLEYINSTL Tetration Network Policy Publisher
3policy enforcement iptables | firewall publisher kafka NETWORK DEVICES INFRASTRUCTURE
BROKER ADD TENANT ADD VRF AGENT CONFIG ENABLE ENFORCEMENT CREATE INTENT ADD SCOPE CREATE APP START ADM RUN ENABLE ENFORCEMENT VERIFY DATATAP CREATION DOWNLOAD CERTIFICATES ./producer-tnp-12.cert/ ├── kafkaBrokerIps.txt ├── KafkaCA.cert ├── KafkaConsumerCA.cert ├── KafkaConsumerPrivateKey.key └── topic.txt 10.253.239.14:9093Tnp-12 NETWORK PROGRAMMABILITY DEVELOPER ADM ANALYST
Network Policy Publisher ANSIBLE PLAYBOOK aci_create_filters.yml BROKER message publisher policy subscription MODULES tetration_network_policy.py Alerts every minute for enforcement Released in 2.3.1.41 April 2018
- name: Tetration Network Policy tetration_network_policy: broker: "192.0.2.1:9093" topic: "Tnp-2" cert_directory: "{{ playbook_dir }}/files/certificates/producer-tnp-2.cert/" https://github.com/joelwking/ansible-tetration/blob/master/aci_create_filters.yml 262
#SILICONVALLEYINSTL
 … designed to deal with millions of firehose-style events generated in rapid succession…  … clients will never receive messages automatically. They have to explicitly ask for a message … https://thenewstack.io/apache-kafka-primer/  … Protocol Buffers are a way of encoding structured data in an efficient yet extensible format. …  Google open source and supported for popular programming languages  Fast and efficient (than JSON or XML) https://codeclimate.com/blog/choose-protocol-buffers/
topic='Tnp-12', partition=0 https://codebeautify.org/jsonviewer/cbfc04c7 NETWORK DEVICES
UPDATE_START UPDATE UPDATE_END Tetration Network Policy Kafka message(s) topic partition offset key value Google Protocol Buffer len( value ) == 8 EARLIEST LATEST
 Also know as: “GPB” or “protobufs”  What are they?  Method of serializing structured data  XML | JSON uses strings to identify the key  Protobufs uses integers to represent the key  Sender and receiver share a .proto definition file  Why Use Protocol Buffers?  Performance: Smaller and faster than XML  More compact (smaller packets, messages)  Faster, less CPU to encode / decode https://developers.google.com/protocol-buffers/docs/pythontutorial protoc Define Compile Import
UPDATE_ENDUPDATE_START
#SILICONVALLEYINSTL
 AnsibleFest 2018: Using Ansible Tower to implement security policies and telemetry streaming for hybrid clouds https://github.com/joelwking/ansible-tetration  DevNetCreate 2018: Applying a whitelist policy generated by Cisco Tetration to an ACI network fabric. https://www.wwt.com/all-blog/devnet-create-2018/  Cisco Tetration Light-board: Cloud Workload Protection https://youtu.be/Hd56GVVr_AE  Cisco Code Exchange https://developer.cisco.com/codeexchange/#search=tetration
David Goeckler, EVP / GM of Cisco's Networking and Security … turning the whole network into essentially a big software system where you define your policy in one place … That policy gets translated into what you want the network to do, and then you have an automation layer that activates all of those changes across your network fabric. https://www.networkworld.com/article/3280959/lan-wan/cisco-s-david-goeckeler-talks-security-networking-software-and-sd-wan-outlook.html
 Traditional Firewalls as perimeter security are becoming obsolete  Future is white-list segmentation, Zero Trust model  View the network as a software system, use automation to apply policy https://www.wwt.com/all-blog/ansible-tower-implementing-security-policy/
Using Tetration for application security and policy enforcement in multi-vendor environments.

Recomendados

Super-NetOps Source of Truth
Super-NetOps Source of TruthSuper-NetOps Source of Truth
Super-NetOps Source of Truth
Joel W. King
 
World Wide Technology | Red Hat Ansible for Networking Workshop
World Wide Technology | Red Hat Ansible for Networking WorkshopWorld Wide Technology | Red Hat Ansible for Networking Workshop
World Wide Technology | Red Hat Ansible for Networking Workshop
Joel W. King
 
From 70 Networking Tasks to a Single Click by WWT: Building an F5 Solution wi...
From 70 Networking Tasks to a Single Click by WWT: Building an F5 Solution wi...From 70 Networking Tasks to a Single Click by WWT: Building an F5 Solution wi...
From 70 Networking Tasks to a Single Click by WWT: Building an F5 Solution wi...
Joel W. King
 
Meraki Virtual Hackathon: app for Splunk Phantom
Meraki Virtual Hackathon: app for Splunk PhantomMeraki Virtual Hackathon: app for Splunk Phantom
Meraki Virtual Hackathon: app for Splunk Phantom
Joel W. King
 
Enabling policy migration in the Data Center with Ansible
Enabling policy migration in the Data Center with AnsibleEnabling policy migration in the Data Center with Ansible
Enabling policy migration in the Data Center with Ansible
Joel W. King
 
API 102: Programming with Meraki APIs
API 102: Programming with Meraki APIsAPI 102: Programming with Meraki APIs
API 102: Programming with Meraki APIs
Joel W. King
 
Super-NetOps Source of Truth
Super-NetOps Source of TruthSuper-NetOps Source of Truth
Super-NetOps Source of Truth
Joel W. King
 
Under the Hood
Under the HoodUnder the Hood
Under the Hood
Joel W. King
 

Recomendados

Super-NetOps Source of Truth
Super-NetOps Source of TruthSuper-NetOps Source of Truth
Super-NetOps Source of Truth
Joel W. King
 
World Wide Technology | Red Hat Ansible for Networking Workshop
World Wide Technology | Red Hat Ansible for Networking WorkshopWorld Wide Technology | Red Hat Ansible for Networking Workshop
World Wide Technology | Red Hat Ansible for Networking Workshop
Joel W. King
 
From 70 Networking Tasks to a Single Click by WWT: Building an F5 Solution wi...
From 70 Networking Tasks to a Single Click by WWT: Building an F5 Solution wi...From 70 Networking Tasks to a Single Click by WWT: Building an F5 Solution wi...
From 70 Networking Tasks to a Single Click by WWT: Building an F5 Solution wi...
Joel W. King
 
Meraki Virtual Hackathon: app for Splunk Phantom
Meraki Virtual Hackathon: app for Splunk PhantomMeraki Virtual Hackathon: app for Splunk Phantom
Meraki Virtual Hackathon: app for Splunk Phantom
Joel W. King
 
Enabling policy migration in the Data Center with Ansible
Enabling policy migration in the Data Center with AnsibleEnabling policy migration in the Data Center with Ansible
Enabling policy migration in the Data Center with Ansible
Joel W. King
 
API 102: Programming with Meraki APIs
API 102: Programming with Meraki APIsAPI 102: Programming with Meraki APIs
API 102: Programming with Meraki APIs
Joel W. King
 
Super-NetOps Source of Truth
Super-NetOps Source of TruthSuper-NetOps Source of Truth
Super-NetOps Source of Truth
Joel W. King
 
Under the Hood
Under the HoodUnder the Hood
Under the Hood
Joel W. King
 
Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...
Joel W. King
 
Integrating Ansible Tower with security orchestration and cloud management
Integrating Ansible Tower with security orchestration and cloud managementIntegrating Ansible Tower with security orchestration and cloud management
Integrating Ansible Tower with security orchestration and cloud management
Joel W. King
 
Learn To Think Like A Computer Scientist
Learn To Think Like A Computer ScientistLearn To Think Like A Computer Scientist
Learn To Think Like A Computer Scientist
Joel W. King
 
Business Ready Teleworker Design Guide
Business Ready Teleworker Design GuideBusiness Ready Teleworker Design Guide
Business Ready Teleworker Design Guide
Joel W. King
 
Goodbye CLI, hello API: Leveraging network programmability in security incid...
Goodbye CLI, hello API: Leveraging network programmability in security incid...Goodbye CLI, hello API: Leveraging network programmability in security incid...
Goodbye CLI, hello API: Leveraging network programmability in security incid...
Joel W. King
 
Analytics for Application Security and Policy Enforcement in Cloud Managed Ne...
Analytics for Application Security and Policy Enforcement in Cloud Managed Ne...Analytics for Application Security and Policy Enforcement in Cloud Managed Ne...
Analytics for Application Security and Policy Enforcement in Cloud Managed Ne...
Joel W. King
 
DevNet Study Group: Using a SDK
DevNet Study Group: Using a SDKDevNet Study Group: Using a SDK
DevNet Study Group: Using a SDK
Joel W. King
 
$10,000 Phantom App & Playbook Contest - F5 and Cisco Meraki
$10,000 Phantom App & Playbook Contest - F5 and Cisco Meraki$10,000 Phantom App & Playbook Contest - F5 and Cisco Meraki
$10,000 Phantom App & Playbook Contest - F5 and Cisco Meraki
Joel W. King
 
Sdn users group_january_2016v5
Sdn users group_january_2016v5Sdn users group_january_2016v5
Sdn users group_january_2016v5
Joel W. King
 
Securing Micro Services in Cloud Foundry
Securing Micro Services in Cloud FoundrySecuring Micro Services in Cloud Foundry
Securing Micro Services in Cloud Foundry
PLUMgrid
 
The best of Windows Server 2016 - Thomas Maurer
The best of Windows Server 2016 - Thomas Maurer The best of Windows Server 2016 - Thomas Maurer
The best of Windows Server 2016 - Thomas Maurer
ITCamp
 
DevNetCreate - ACI and Kubernetes Integration
DevNetCreate - ACI and Kubernetes IntegrationDevNetCreate - ACI and Kubernetes Integration
DevNetCreate - ACI and Kubernetes Integration
Hank Preston
 
Create The Internet of Your Things example of a real system - Laurent Ellerbach
Create The Internet of Your Things example of a real system - Laurent EllerbachCreate The Internet of Your Things example of a real system - Laurent Ellerbach
Create The Internet of Your Things example of a real system - Laurent Ellerbach
ITCamp
 
Using Cisco pxGrid for Security Platform Integration: a deep dive
Using Cisco pxGrid for Security Platform Integration: a deep diveUsing Cisco pxGrid for Security Platform Integration: a deep dive
Using Cisco pxGrid for Security Platform Integration: a deep dive
Cisco DevNet
 
StackStorm Product Highlights - DevOps Enterprise 2014 After-Party Ignite Talk
StackStorm Product Highlights - DevOps Enterprise 2014 After-Party Ignite TalkStackStorm Product Highlights - DevOps Enterprise 2014 After-Party Ignite Talk
StackStorm Product Highlights - DevOps Enterprise 2014 After-Party Ignite Talk
StackStorm
 
Beginner's guide to net devops with cisco devnet and ansible
Beginner's guide to net devops with cisco devnet and ansibleBeginner's guide to net devops with cisco devnet and ansible
Beginner's guide to net devops with cisco devnet and ansible
cong tuan
 
TechWiseTV Workshop: Software-Defined Access
TechWiseTV Workshop: Software-Defined AccessTechWiseTV Workshop: Software-Defined Access
TechWiseTV Workshop: Software-Defined Access
Robb Boyd
 
Azure tales: a real world CQRS and ES Deep Dive - Andrea Saltarello
Azure tales: a real world CQRS and ES Deep Dive - Andrea SaltarelloAzure tales: a real world CQRS and ES Deep Dive - Andrea Saltarello
Azure tales: a real world CQRS and ES Deep Dive - Andrea Saltarello
ITCamp
 
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
Priyanka Aash
 
How we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platformHow we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platform
Packet
 
Enabling NFV features in kubernetes
Enabling NFV features in kubernetesEnabling NFV features in kubernetes
Enabling NFV features in kubernetes
Kuralamudhan Ramakrishnan
 
OVNC 2015-Software-Defined Networking: Where Are We Today?
OVNC 2015-Software-Defined Networking: Where Are We Today?OVNC 2015-Software-Defined Networking: Where Are We Today?
OVNC 2015-Software-Defined Networking: Where Are We Today?
NAIM Networks, Inc.
 

Más contenido relacionado

La actualidad más candente

Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...
Joel W. King
 
Goodbye CLI, hello API: Leveraging network programmability in security incid...
Goodbye CLI, hello API: Leveraging network programmability in security incid...Goodbye CLI, hello API: Leveraging network programmability in security incid...
Goodbye CLI, hello API: Leveraging network programmability in security incid...
Joel W. King
 
DevNetCreate - ACI and Kubernetes Integration
DevNetCreate - ACI and Kubernetes IntegrationDevNetCreate - ACI and Kubernetes Integration
DevNetCreate - ACI and Kubernetes Integration
Hank Preston
 
Using Cisco pxGrid for Security Platform Integration: a deep dive
Using Cisco pxGrid for Security Platform Integration: a deep diveUsing Cisco pxGrid for Security Platform Integration: a deep dive
Using Cisco pxGrid for Security Platform Integration: a deep dive
Cisco DevNet
 
Beginner's guide to net devops with cisco devnet and ansible
Beginner's guide to net devops with cisco devnet and ansibleBeginner's guide to net devops with cisco devnet and ansible
Beginner's guide to net devops with cisco devnet and ansible
cong tuan
 

La actualidad más candente (20)

Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...
 
Integrating Ansible Tower with security orchestration and cloud management
Integrating Ansible Tower with security orchestration and cloud managementIntegrating Ansible Tower with security orchestration and cloud management
Integrating Ansible Tower with security orchestration and cloud management
 
Learn To Think Like A Computer Scientist
Learn To Think Like A Computer ScientistLearn To Think Like A Computer Scientist
Learn To Think Like A Computer Scientist
 
Business Ready Teleworker Design Guide
Business Ready Teleworker Design GuideBusiness Ready Teleworker Design Guide
Business Ready Teleworker Design Guide
 
Goodbye CLI, hello API: Leveraging network programmability in security incid...
Goodbye CLI, hello API: Leveraging network programmability in security incid...Goodbye CLI, hello API: Leveraging network programmability in security incid...
Goodbye CLI, hello API: Leveraging network programmability in security incid...
 
Analytics for Application Security and Policy Enforcement in Cloud Managed Ne...
Analytics for Application Security and Policy Enforcement in Cloud Managed Ne...Analytics for Application Security and Policy Enforcement in Cloud Managed Ne...
Analytics for Application Security and Policy Enforcement in Cloud Managed Ne...
 
DevNet Study Group: Using a SDK
DevNet Study Group: Using a SDKDevNet Study Group: Using a SDK
DevNet Study Group: Using a SDK
 
$10,000 Phantom App & Playbook Contest - F5 and Cisco Meraki
$10,000 Phantom App & Playbook Contest - F5 and Cisco Meraki$10,000 Phantom App & Playbook Contest - F5 and Cisco Meraki
$10,000 Phantom App & Playbook Contest - F5 and Cisco Meraki
 
Sdn users group_january_2016v5
Sdn users group_january_2016v5Sdn users group_january_2016v5
Sdn users group_january_2016v5
 
Securing Micro Services in Cloud Foundry
Securing Micro Services in Cloud FoundrySecuring Micro Services in Cloud Foundry
Securing Micro Services in Cloud Foundry
 
The best of Windows Server 2016 - Thomas Maurer
The best of Windows Server 2016 - Thomas Maurer The best of Windows Server 2016 - Thomas Maurer
The best of Windows Server 2016 - Thomas Maurer
 
DevNetCreate - ACI and Kubernetes Integration
DevNetCreate - ACI and Kubernetes IntegrationDevNetCreate - ACI and Kubernetes Integration
DevNetCreate - ACI and Kubernetes Integration
 
Create The Internet of Your Things example of a real system - Laurent Ellerbach
Create The Internet of Your Things example of a real system - Laurent EllerbachCreate The Internet of Your Things example of a real system - Laurent Ellerbach
Create The Internet of Your Things example of a real system - Laurent Ellerbach
 
Using Cisco pxGrid for Security Platform Integration: a deep dive
Using Cisco pxGrid for Security Platform Integration: a deep diveUsing Cisco pxGrid for Security Platform Integration: a deep dive
Using Cisco pxGrid for Security Platform Integration: a deep dive
 
StackStorm Product Highlights - DevOps Enterprise 2014 After-Party Ignite Talk
StackStorm Product Highlights - DevOps Enterprise 2014 After-Party Ignite TalkStackStorm Product Highlights - DevOps Enterprise 2014 After-Party Ignite Talk
StackStorm Product Highlights - DevOps Enterprise 2014 After-Party Ignite Talk
 
Beginner's guide to net devops with cisco devnet and ansible
Beginner's guide to net devops with cisco devnet and ansibleBeginner's guide to net devops with cisco devnet and ansible
Beginner's guide to net devops with cisco devnet and ansible
 
TechWiseTV Workshop: Software-Defined Access
TechWiseTV Workshop: Software-Defined AccessTechWiseTV Workshop: Software-Defined Access
TechWiseTV Workshop: Software-Defined Access
 
Azure tales: a real world CQRS and ES Deep Dive - Andrea Saltarello
Azure tales: a real world CQRS and ES Deep Dive - Andrea SaltarelloAzure tales: a real world CQRS and ES Deep Dive - Andrea Saltarello
Azure tales: a real world CQRS and ES Deep Dive - Andrea Saltarello
 
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
 
How we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platformHow we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platform
 

Similar a Using Tetration for application security and policy enforcement in multi-vendor environments.

Application and Network Orchestration using Heat & Tosca
Application and Network Orchestration using Heat & ToscaApplication and Network Orchestration using Heat & Tosca
Application and Network Orchestration using Heat & Tosca
Nati Shalom
 
Enabling Innovative Business Opportunities Through Secure Cloud Adoption - Se...
Enabling Innovative Business Opportunities Through Secure Cloud Adoption - Se...Enabling Innovative Business Opportunities Through Secure Cloud Adoption - Se...
Enabling Innovative Business Opportunities Through Secure Cloud Adoption - Se...
Amazon Web Services
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
Freddy Buenaño
 

Similar a Using Tetration for application security and policy enforcement in multi-vendor environments. (20)

Enabling NFV features in kubernetes
Enabling NFV features in kubernetesEnabling NFV features in kubernetes
Enabling NFV features in kubernetes
 
OVNC 2015-Software-Defined Networking: Where Are We Today?
OVNC 2015-Software-Defined Networking: Where Are We Today?OVNC 2015-Software-Defined Networking: Where Are We Today?
OVNC 2015-Software-Defined Networking: Where Are We Today?
 
Application and Network Orchestration using Heat & Tosca
Application and Network Orchestration using Heat & ToscaApplication and Network Orchestration using Heat & Tosca
Application and Network Orchestration using Heat & Tosca
 
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
 
Enabling Innovative Business Opportunities Through Secure Cloud Adoption - Se...
Enabling Innovative Business Opportunities Through Secure Cloud Adoption - Se...Enabling Innovative Business Opportunities Through Secure Cloud Adoption - Se...
Enabling Innovative Business Opportunities Through Secure Cloud Adoption - Se...
 
Architecting Secure Web Systems
Architecting Secure Web SystemsArchitecting Secure Web Systems
Architecting Secure Web Systems
 
Phoenix Data Conference - Big Data Analytics for IoT 11/4/17
Phoenix Data Conference - Big Data Analytics for IoT 11/4/17Phoenix Data Conference - Big Data Analytics for IoT 11/4/17
Phoenix Data Conference - Big Data Analytics for IoT 11/4/17
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
Cisco Connect 2018 Thailand - Software defined access a transformational appr...
Cisco Connect 2018 Thailand - Software defined access a transformational appr...Cisco Connect 2018 Thailand - Software defined access a transformational appr...
Cisco Connect 2018 Thailand - Software defined access a transformational appr...
 
Cisco project ideas
Cisco project ideasCisco project ideas
Cisco project ideas
 
Firepower ngfw internet
Firepower ngfw internetFirepower ngfw internet
Firepower ngfw internet
 
HP Helion Webinar #5 - Security Beyond Firewalls
HP Helion Webinar #5 - Security Beyond FirewallsHP Helion Webinar #5 - Security Beyond Firewalls
HP Helion Webinar #5 - Security Beyond Firewalls
 
Workshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, VirtualizationWorkshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, Virtualization
 
Openstack workshop @ Kalasalingam
Openstack workshop @ KalasalingamOpenstack workshop @ Kalasalingam
Openstack workshop @ Kalasalingam
 
Splunk App for Stream
Splunk App for StreamSplunk App for Stream
Splunk App for Stream
 
IoT on azure
IoT on azureIoT on azure
IoT on azure
 
Simplifying the secure data center
Simplifying the secure data centerSimplifying the secure data center
Simplifying the secure data center
 
Hope, fear, and the data center time machine
Hope, fear, and the data center time machineHope, fear, and the data center time machine
Hope, fear, and the data center time machine
 
Netsft2017 day in_life_of_nfv
Netsft2017 day in_life_of_nfvNetsft2017 day in_life_of_nfv
Netsft2017 day in_life_of_nfv
 
Cisco Cyber Threat Defense for the Data Center Solution: Cisco Validated Design
Cisco Cyber Threat Defense for the Data Center Solution: Cisco Validated DesignCisco Cyber Threat Defense for the Data Center Solution: Cisco Validated Design
Cisco Cyber Threat Defense for the Data Center Solution: Cisco Validated Design
 

Más de Joel W. King

Using Terraform to manage the configuration of a Cisco ACI fabric.
Using Terraform to manage the configuration of a Cisco ACI fabric.Using Terraform to manage the configuration of a Cisco ACI fabric.
Using Terraform to manage the configuration of a Cisco ACI fabric.
Joel W. King
 

Más de Joel W. King (14)

DevNetCreate_2021_joelwking.pptx
DevNetCreate_2021_joelwking.pptxDevNetCreate_2021_joelwking.pptx
DevNetCreate_2021_joelwking.pptx
 
BRKEVT-2311_joeking_pbr.pptx
BRKEVT-2311_joeking_pbr.pptxBRKEVT-2311_joeking_pbr.pptx
BRKEVT-2311_joeking_pbr.pptx
 
Introduction to GraphQL using Nautobot and Arista cEOS
Introduction to GraphQL using Nautobot and Arista cEOSIntroduction to GraphQL using Nautobot and Arista cEOS
Introduction to GraphQL using Nautobot and Arista cEOS
 
NetDevOps Development Environments
NetDevOps Development EnvironmentsNetDevOps Development Environments
NetDevOps Development Environments
 
DevNet Associate : Python introduction
DevNet Associate : Python introductionDevNet Associate : Python introduction
DevNet Associate : Python introduction
 
Using Batfish for Network Analysis
Using Batfish for Network AnalysisUsing Batfish for Network Analysis
Using Batfish for Network Analysis
 
Using Terraform to manage the configuration of a Cisco ACI fabric.
Using Terraform to manage the configuration of a Cisco ACI fabric.Using Terraform to manage the configuration of a Cisco ACI fabric.
Using Terraform to manage the configuration of a Cisco ACI fabric.
 
Cisco IP Video Surveillance Design Guide
Cisco IP Video Surveillance Design GuideCisco IP Video Surveillance Design Guide
Cisco IP Video Surveillance Design Guide
 
Data manipulation for configuration management using Ansible
Data manipulation for configuration management using AnsibleData manipulation for configuration management using Ansible
Data manipulation for configuration management using Ansible
 
Foray into Ansible Content Collections
Foray into Ansible Content CollectionsForay into Ansible Content Collections
Foray into Ansible Content Collections
 
Introduction to Git for Network Engineers (Lab Guide)
Introduction to Git for Network Engineers (Lab Guide)Introduction to Git for Network Engineers (Lab Guide)
Introduction to Git for Network Engineers (Lab Guide)
 
Introduction to Git for Network Engineers
Introduction to Git for Network EngineersIntroduction to Git for Network Engineers
Introduction to Git for Network Engineers
 
What is Code?
What is Code?What is Code?
What is Code?
 
Phantom app: Ansible Tower
Phantom app: Ansible TowerPhantom app: Ansible Tower
Phantom app: Ansible Tower
 

Último

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Último (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Using Tetration for application security and policy enforcement in multi-vendor environments.

  • 1. Using Tetration for application security and policy enforcement in multi-vendor environments. Joel W. King Engineering and Innovations Network Solutions
  • 2. Network engineers increasingly must view the network as one big software system, which streams telemetry data from software sensors and network devices to an analytics engine. To implement the whitelist-based segmentation and zero-trust policy model generated from the data analysis, automation is a requirement when dealing with tens of thousands of workloads and complex rules. This session examines how Cisco Tetration Analytics combined with automation can be used to implement a zero-trust policy model on multi-vendor network fabrics, firewalls and application delivery controllers. Using Tetration for application security and policy enforcement in multi-vendor environments.
  • 3.  Joel W. King Principal Architect World Wide Technology Research Triangle Park, NC  Experience AMP Incorporated, Network Architect Cisco, Cisco Validated Designs (CVDs) NetApp, Big Data: Video Surveillance Storage  Contact Info linkedin.com/in/programmablenetworks @joelwking joel.king@wwt.com DevNet Create 2018
  • 4. …. Very topical for us -- talk on implementing Zero Trust with automation and Tetration … … Personally, I think ZT will replace perimeter security model within 5-7 years, and already we're hearing customers ask about it. … ----------------------------------------------- Gene Geddes | Chief Scientist, Security Solutions | World Wide Technology
  • 5. #SILICONVALLEYINSTL Deploy Sensors Inventory Tetration Network Policy Publisher Under the Hood Resources
  • 6. SHARE ACT TRACE HUNT BEHAVIORS THREATS TRIAGE DETECTION TELEMETRY INVENTORY Can you collaborate with trusted partners to disrupt adversary campaigns? Can you deploy proven countermeasures to evict and recover? During an intrusion, can you observe adversary activity in real time? Can you detect an adversary that is already embedded? Can you detect adversary activity within your environment? Who are your adversaries? What are their capabilities? Can you accurately classify detection results? Can you detect unauthorized activity? Do you have visibility across your assets? Can you name the assets you are defending? What is it doing? Should it? What’s on my network?
  • 7. Automated whitelist policy Zero-trust, application segmentation Cisco Tetration Analytics​ Illumio​ VMware vRNI
  • 9. Data Collection Layer Cisco Tetration Analytics™ NETWORKING [TELEMETRY ONLY] Data Consumption Layer REST API KAFKA MESSAGE BUS
  • 11.  Deploy Software Sensors setup_tetration_sensor.yml  Dynamic Inventory inventory/sensors.py  Network Policy Publisher library/tetration_network_policy.py PLUGINS MODULES ANSIBLE PLAYBOOK DATA REST API https://github.com/joelwking/ansible-tetration
  • 13. Data Collection Layer Cisco Tetration Analytics™ 39-RU 8-RU SaaS 25,000 | 5,000 | 1,000 NETWORK INFRASTRUCTURE NetFlow | ERSPAN VM Appliance COMPUTE or virtual appliance
  • 14.  Extensive matrix of Windows | Unix | Linux  Package and version dependencies e.g. rpm (even in Ubuntu/Debian)  Different agent RPMs for … o Agent type, e.g. enforcement, visibility o Target system, e.g. CentOS 6.0 vs 7.0 o Latest version covers 34 RPMs  Agent downloaded from GUI
  • 15.  Rather than PDF …  ./setup_tetration_sensor.yml [administrator@centos-ansible-1 ~]$ uname Linux [administrator@centos-ansible-1 ~]$ -r -bash: -r: command not found [administrator@centos-ansible-1 ~]$ uname -r 3.10.0-862.el7.x86_64 command: uname -r value: 3.10.0-862.el7.x86_64 command: cat /etc/shells value: /bin/sh command: dmidecode -V value: 3.0 command: openssl version -a value: OpenSSL 1.0.2k-fips command: cpio --version value: cpio (GNU cpio) 2.11 command: sed --version value: sed (GNU sed) 4.2.2 command: awk --version value: GNU Awk 4.0.2 command: flock -V value: flock from util-linux 2.23.2 command: iptables --version value: iptables v1.4.21 command: ipset --version value: ipset v6.29, ansible-tetration/setup_tetration_sensor.yml
  • 17. ANSIBLE AUTOMATION ENGINE CMDB INVENTORY HOSTS NETWORK DEVICES PLUGINS CLI MODULES PUBLIC / PRIVATE CLOUD PUBLIC / PRIVATE CLOUD CORE NETWORK COMMUNITY NOW.PY EC2.PY VMWARE_FACTS ANSIBLE PLAYBOOK Cisco Tetration Analytics™ SENSORS.PY ansible-tetration/inventory/sensors.py
  • 18. $ ansible-inventory --host centos-ansible-1 -i ./inventory/sensors.py { "agent_type": "ENFORCER", "auto_upgrade_opt_out": false, "cpu_quota_mode": 1, "cpu_quota_usec": 30000, "current_sw_version": "2.3.1.41-1-enforcer", "data_plane_disabled": false, "enable_forensics": false, "enable_pid_lookup": false, "host_name": "centos-ansible-1", "interfaces": [ { "family_type": "IPV4", "ip": "10.255.40.139", "mac": "00:50:56:b9:62:58", "name": "ens160", "netmask": "255.255.255.0", "vrf": "Default", "vrf_id": 1 }, [snip] ], "last_config_fetch_at": 1537905092, "last_software_update_at": 1535054507, "platform": "CentOS-7.5", "uuid": "965e77504bf605d62c575231fa3d56463aed38bf" } ansible-inventory --host centos-ansible-1 -i ./inventory/sensors.py
  • 21. BROKER ADD TENANT ADD VRF AGENT CONFIG ENABLE ENFORCEMENT CREATE INTENT ADD SCOPE CREATE APP START ADM RUN ENABLE ENFORCEMENT VERIFY DATATAP CREATION DOWNLOAD CERTIFICATES ./producer-tnp-12.cert/ ├── kafkaBrokerIps.txt ├── KafkaCA.cert ├── KafkaConsumerCA.cert ├── KafkaConsumerPrivateKey.key └── topic.txt 10.253.239.14:9093Tnp-12 NETWORK PROGRAMMABILITY DEVELOPER ADM ANALYST
  • 22. Network Policy Publisher ANSIBLE PLAYBOOK aci_create_filters.yml BROKER message publisher policy subscription MODULES tetration_network_policy.py Alerts every minute for enforcement Released in 2.3.1.41 April 2018
  • 23. - name: Tetration Network Policy tetration_network_policy: broker: "192.0.2.1:9093" topic: "Tnp-2" cert_directory: "{{ playbook_dir }}/files/certificates/producer-tnp-2.cert/" https://github.com/joelwking/ansible-tetration/blob/master/aci_create_filters.yml 262
  • 25.  … designed to deal with millions of firehose-style events generated in rapid succession…  … clients will never receive messages automatically. They have to explicitly ask for a message … https://thenewstack.io/apache-kafka-primer/  … Protocol Buffers are a way of encoding structured data in an efficient yet extensible format. …  Google open source and supported for popular programming languages  Fast and efficient (than JSON or XML) https://codeclimate.com/blog/choose-protocol-buffers/
  • 27. UPDATE_START UPDATE UPDATE_END Tetration Network Policy Kafka message(s) topic partition offset key value Google Protocol Buffer len( value ) == 8 EARLIEST LATEST
  • 28.  Also know as: “GPB” or “protobufs”  What are they?  Method of serializing structured data  XML | JSON uses strings to identify the key  Protobufs uses integers to represent the key  Sender and receiver share a .proto definition file  Why Use Protocol Buffers?  Performance: Smaller and faster than XML  More compact (smaller packets, messages)  Faster, less CPU to encode / decode https://developers.google.com/protocol-buffers/docs/pythontutorial protoc Define Compile Import
  • 31.  AnsibleFest 2018: Using Ansible Tower to implement security policies and telemetry streaming for hybrid clouds https://github.com/joelwking/ansible-tetration  DevNetCreate 2018: Applying a whitelist policy generated by Cisco Tetration to an ACI network fabric. https://www.wwt.com/all-blog/devnet-create-2018/  Cisco Tetration Light-board: Cloud Workload Protection https://youtu.be/Hd56GVVr_AE  Cisco Code Exchange https://developer.cisco.com/codeexchange/#search=tetration
  • 32. David Goeckler, EVP / GM of Cisco's Networking and Security … turning the whole network into essentially a big software system where you define your policy in one place … That policy gets translated into what you want the network to do, and then you have an automation layer that activates all of those changes across your network fabric. https://www.networkworld.com/article/3280959/lan-wan/cisco-s-david-goeckeler-talks-security-networking-software-and-sd-wan-outlook.html
  • 33.  Traditional Firewalls as perimeter security are becoming obsolete  Future is white-list segmentation, Zero Trust model  View the network as a software system, use automation to apply policy https://www.wwt.com/all-blog/ansible-tower-implementing-security-policy/

Notas del editor

  1. AN EXCITIING TIME TO BE A NETWORK ENGINEER Network engineers with an interest in Linux administration, DevOps, the ability to code and think like a computer scientist, along with a familiarity with big data and analytics platforms, will be a valuable resource and important to the success of the business.
  2. View the network as a single, software system. Now we look at the network as a whole being one system, with automation to implement policy on the network.
  3. WWT aligning Networking and Security practices. Focus on the foundational components of the pyramid: Inventory, Telemetry … One goal of segmentation is to minimize east-west movement of adversary Segmentation can be achieved across hybrid data center (on premises and in the public cloud)
  4. What does Tetration mean? Tetration is used for the notation of very large numbers. Automated whitelist policy for segmentation - Zero-trust using application segmentation
  5. Automated policy enforcement is performed through the Cisco Tetration Analytics™ software sensors running on the workload itself. The software sensors orchestrate the stateful policy enforcement using operating system capabilities such as ipsets and iptables in the case of Linux servers, and the Microsoft Windows advanced firewall in the case of Microsoft Windows servers. https://www.cisco.com/c/en/us/products/data-center-analytics/tetration-analytics/index.html
  6. Software sensors for telemetry and enforcement. Embedded hardware sensors in Cisco Nexus 9000 Series Switches running in Cisco ACI mode By using IPFIX data from load balancers - Netscalar or F5
  7. View the network as a single, software system. Now we look at the network as a whole being one system, with automation to implement policy on the network.
  8. Ansible is an framework Share data (variables) through modules / plugins and the APIs, databases, files, and Kafka
  9. Embedded hardware sensors in Cisco Nexus 9000 Series Switches running in Cisco ACI mode By using IPFIX data from load balancers - Netscalar or F5 What does Tetration mean? Tetration is used for the notation of very large numbers.
  10. https://www.cisco.com/c/dam/en/us/td/docs/data-center-analytics/tetration-analytics/sw/install/cta_install_guide_for_sensor_agents.pdf
  11. Inventory is the base of the security pyramid Name the assets you are protecting
  12. https://www.cisco.com/c/dam/m/en_sg/dc-innovation/assets/pdfs/enhanced-security-and-operations-with-real-time-analytics.pdf https://<tetration>/documentation/ui/openapi/api_userannotations.html?highlight=tags#set-inventory-tag
  13. Implement security policy - Enforcement on software sensor - Using Ansible to implement policy on network devices.
  14. Prior to release 2.3 in April 2018 – ADM policy is exported and implemented. ADM discovers security groups and policies for the members of this application using the observations in the selected time range.
  15. 2.3.1.41 Introduced April 2018, provides application whitelist policy information through Kafka message bus. Northbound systems can subscribe to this policy information and use it for enforcement through other mechanisms. https://www.cisco.com/c/en/us/td/docs/data-center-analytics/tetration-analytics/sw/release-notes/cta_rn_2_3_1_41.html
  16. View the network as a single, software system. Now we look at the network as a whole being one system, with automation to implement policy on the network.
  17. https://thenewstack.io/apache-kafka-primer/
  18. https://thenewstack.io/apache-kafka-primer/
  19. Kafka messages are comprised of a topic, partition, offset, key and value.
  20. https://blogs.cisco.com/sp/streaming-telemetry-with-google-protocol-buffers
  21. https://en.wikipedia.org/wiki/Unified_Modeling_Language
  22. View the network as a single, software system. Now we look at the network as a whole being one system, with automation to implement policy on the network.
  23. Dave Goeckler, the Executive Vice President and General Manager of Cisco's Networking and Security Business. FY19 imperatives: Mass adoption of Automation and Intent-based Networking. … the future is driving simplicity … https://www.networkworld.com/article/3280959/lan-wan/cisco-s-david-goeckeler-talks-security-networking-software-and-sd-wan-outlook.html