Stateful Microsegmentation on Cisco ACI
Fully automated and orchestrated secure network fabric
It’s All About the Application

Many of the requirements in IT have centered on accelerating the delivery of critical applications and infrastructure, and doing so better, cheaper and faster. On a quest to become even more automated, efficient, agile and responsive to the business, organizations continue to decouple IT services from the underlying infrastructure. Software-defined networking (SDN), with solutions such as Cisco Application Centric Infrastructure (ACI), helps by abstracting the high-level connectivity needs of the application (performance, security, availability and scale) from the complicated details of network configuration.

In tandem, the requirements around securing the network and applications have evolved as businesses transform their data centers. The adoption of agile infrastructure overwhelms traditional, non-programmatic tools that only offer static, inflexible, device-centric security policies based on ACLs, users, locations or IPs. Organizations are demanding fine-grained, dynamic and automated policy creation that can be built into DevOps-style orchestration and provisioning systems and that is based on application context and intent.

The vArmour Solution

Both Cisco ACI and vArmour DSS Distributed Security System (vArmour DSS) architectures were designed with the application and DevOps-style programmability in mind. As application workloads are being added, modified and moved in an agile data center environment, the security policies and enforcement are carried with the workload. Where Cisco ACI provides a transparent overlay SDN fabric with Layer 4 stateless, coarse-grained policy controls (via an SDN controller, APIC, and Nexus 9K leaf switches), vArmour provides a distributed security fabric that offers both application-aware (Layer 7) deep packet inspection and fine-grained, stateful policy enforcement.

Figure: Integration of Cisco ACI and vArmour DSS

Together, vArmour DSS and Cisco ACI offer a fully automated and orchestrated secure network fabric that delivers full application visibility with stateful application controls to safeguard critical applications and workloads across both physical and virtual environments for better security and compliance.

Better Together Capabilities

vArmour DSS provides a security processing engine (EPI) within each hypervisor as a guest VM that communicates with the vArmour Director (providing supervisory and policy management for the system) that is integrated with Cisco’s APIC. This allows operators to automate and control various network services and capabilities (through APIC) and also deliver advanced application-aware security (through vArmour) across the entire ACI infrastructure.

Local Segmentation Services (inter-EPG and intra-EPG)

vArmour’s distributed data plane provides local segmentation services within the hypervisor. Security processing (stateful Layer 7 segmentation) is performed at the VM network interface level, effectively accomplishing local microsegmentation within the hypervisor for all workload traffic (including intra-EPG segmentation that provides fine-grained controls for hosts in the same EPG). Where vArmour provides intra-EPG segmentation for hosts, Cisco ACI provides inter-EPG segmentation. There is no need to hairpin traffic within the network infrastructure, and the ability to fully micro-segment is not limited to the number of EPGs that exist within ACI.

Centralized Layer 7 Policy

vArmour provides the ability to define full stateful Layer 7 policy within a centralized location. This means that organizations have the flexibility to define both global security policies (applied to all workload traffic) and intent-based security policies that only apply to the workloads in support of a specific business application. Security policy is applied to workloads dynamically regardless of network configuration or EPG membership. It’s the perfect mixture of providing an audit-ready agile security solution for individual applications while enforcing organizational security or compliance-driven mandates.

Full Layer 7 Visibility

Because vArmour exists where the workload/VM is connected to the network, the local security processing engine (EPI) on each hypervisor has the unique ability to perform real-time Layer 7 deep packet inspection (Application ID) on all ingress/egress network flows for each workload. This information can be used to provide agentless application-level network telemetry data to external application dependency mapping tools such as Cisco Tetration.

  • Easy to deploy with transparent insertion into the network
  • Reduce risk with Layer 7 visibility and segmentation within and between EPGs
  • Increased agility with highly programmable architectures for accelerated service delivery