When it comes to information security, the old “M&M” model – hard and crunchy on the outside, soft and chewy on the inside – is no longer enough to protect networks against today’s sophisticated attacks. The classic perimeter-centric approach to security architecture assumes that because all data center devices exist inside a hardened security perimeter, they should be safe from outside incursion. But as the most high-profile data breaches have shown, even “inside” devices are vulnerable to attack.
Cisco’s Application Centric Infrastructure (ACI) provides next-generation security capabilities that allow system administrators to apply the security policies they want wherever they want them in the network. As Cisco Vice-President Scott Harrell explains in this video, ACI automates and centrally manages security policies across physical and virtual boundaries so administrators have a variety of ways to tackle changing security needs.
Microsegmentation is one emerging security strategy made possible by ACI. Designed to thwart determined hackers who penetrate one data center device, then use it as a platform to launch further attacks on the data center, microsegmentation contains such intrusions by essentially dividing the data center into smaller, more-protected zones.
In a recent blog post, Shashi Kiran, Cisco Senior Director of Data Center and Cloud Networking, explains ACI’s elegant new approach to microsegmentation, making it a powerful tool in the arsenal of security or network administrators.
Instead of a single, hardened perimeter defense with free traffic flow inside, a microsegmented data center has security services provisioned at the perimeter, between application tiers, and even between devices within tiers. So even if one device is compromised, breaches can be contained to a smaller fault domain.
Microsegmentation is becoming more important for network security as modern application design greatly increases the ratio of east-west traffic to north-south traffic. By some estimates, data centers may have five times as much east-west traffic as north-south traffic as dozens or hundreds of web, application, and database servers communicate to deliver services. Microsegmentation helps security administrators:
- Programmatically define segments on an increasingly granular basis for greater flexibility (e.g. to limit lateral movement of a threat or to quarantine a compromised endpoint in a broader system)
- Leverage programmability to automate segment and policy management across the entire application lifecycle, from instantiation through de-commissioning
- Enhance security and scale by enabling a Zero-Trust approach for heterogeneous workloads
The Cisco ACI Approach to Microsegmentation for Security
Network segmentation itself is not new, but traditional segmentation is too broad and unscalable to meet today’s application and security demands. Traditionally, network administrators achieved network segmentation by allocating subnets for different applications and mapping them to VLANs. This approach leads to an undesired coupling of IP subnets to applications, as well as an explosion of ACLs whenever subnet-based policies are not sufficient. Security and granularity come at the cost of higher expense and complexity.
As Kiran explains in his blog post, ACI enables administrators to define policy that separates the security segment from the broadcast domain. An application-aware construct called an endpoint group (EPG) allows application designers to define the set of endpoints that belong to the EPG regardless of their IP address or the subnet they sit in. An endpoint can be a physical server, a virtual machine, a Linux container, or even a legacy mainframe.
At the same time, ACI still preserves the traditional segment, now called a bridge domain (BD). IP subnets can still be assigned to BDs, so the approach helps preserve any existing operational models. Check out the blog post to learn more, including how ACI helps achieve attribute-based microsegmentation.
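To make the EPG/bridge-domain split concrete, and to show the lateral-movement containment and quarantine use case from the list above, here is a small added Python model. It is an illustration written for this page, not Cisco code and not the ACI object model or API; the fabric, endpoint names, subnets, contract names and ports are all constructed for the example. It models the two behaviours the post relies on: endpoints in the same EPG may talk to each other by default, and traffic between different EPGs is dropped unless a contract permits that flow. Contracts are treated as one-directional (consumer initiates to provider) for simplicity.

```python
"""Toy model of ACI-style endpoint-group (EPG) microsegmentation.

Added illustration for this post, not Cisco code. EPG membership is a label on
the endpoint that is independent of its IP address, while the bridge domain (BD)
is still the traditional subnet-backed segment. All names and addresses below
are constructed sample data.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Endpoint:
    name: str
    ip: str
    epg: str  # security group chosen by the application designer, not by subnet


@dataclass(frozen=True)
class Contract:
    """Consumer EPG may open the listed (protocol, port) flows to the provider EPG."""
    name: str
    consumer: str
    provider: str
    filters: frozenset


@dataclass
class Fabric:
    bridge_domains: dict = field(default_factory=dict)  # BD name -> list of subnets
    endpoints: dict = field(default_factory=dict)       # endpoint name -> Endpoint
    contracts: list = field(default_factory=list)

    def add_endpoint(self, name, ip, epg):
        self.endpoints[name] = Endpoint(name, ip, epg)

    def add_contract(self, name, consumer, provider, flows):
        self.contracts.append(Contract(name, consumer, provider, frozenset(flows)))

    def bridge_domain_of(self, name):
        """Return the BD (traditional L2/L3 segment) whose subnet holds the endpoint's IP."""
        addr = ipaddress.ip_address(self.endpoints[name].ip)
        for bd, subnets in self.bridge_domains.items():
            if any(addr in ipaddress.ip_network(s) for s in subnets):
                return bd
        return None

    def is_allowed(self, src, dst, proto, port):
        """Policy decision depends only on EPG membership and contracts, never on subnet."""
        s, d = self.endpoints[src], self.endpoints[dst]
        if s.epg == d.epg:
            return True  # intra-EPG traffic is permitted by default
        return any(
            c.consumer == s.epg and c.provider == d.epg and (proto, port) in c.filters
            for c in self.contracts
        )

    def quarantine(self, name):
        """Contain a compromised endpoint by moving it to an EPG with no contracts.

        The IP address and bridge domain do not change, so no re-addressing
        or ACL rewrite is needed; the endpoint simply loses all inter-EPG reach.
        """
        self.endpoints[name].epg = "quarantine"


def build_demo_fabric():
    """Constructed three-tier sample: web, app and db share one /24 (one BD)."""
    f = Fabric()
    f.bridge_domains["bd-prod"] = ["10.1.0.0/24"]
    f.bridge_domains["bd-dr"] = ["10.2.0.0/24"]
    f.add_endpoint("web1", "10.1.0.10", "web")
    f.add_endpoint("app1", "10.1.0.20", "app")  # same subnet as web1, different EPG
    f.add_endpoint("db1", "10.1.0.30", "db")    # same subnet again, isolated by EPG
    f.add_endpoint("web2", "10.2.0.10", "web")  # different subnet, same EPG as web1
    f.add_contract("web-to-app", consumer="web", provider="app", flows={("tcp", 8080)})
    f.add_contract("app-to-db", consumer="app", provider="db", flows={("tcp", 5432)})
    return f


if __name__ == "__main__":
    fab = build_demo_fabric()
    for src, dst, proto, port in [("web1", "app1", "tcp", 8080),
                                  ("web1", "db1", "tcp", 5432),
                                  ("web1", "web2", "tcp", 80),
                                  ("app1", "web1", "tcp", 80)]:
        print(f"{src}({fab.bridge_domain_of(src)}) -> {dst}({fab.bridge_domain_of(dst)}) "
              f"{proto}/{port}: {'allow' if fab.is_allowed(src, dst, proto, port) else 'deny'}")
    fab.quarantine("web1")
    print("after quarantine, web1 -> app1 tcp/8080:",
          fab.is_allowed("web1", "app1", "tcp", 8080))
```

Two results are worth noting. `web1` and `db1` sit in the same subnet and the same bridge domain, yet `web1` cannot reach the database port because there is no web-to-db contract; a subnet-based design would need a per-host ACL to express that. Conversely, `web1` and `web2` are in different subnets but the same EPG, so they communicate without any contract. Quarantining `web1` changes only its EPG label, which is how attribute-based microsegmentation can pull a compromised host out of the application without touching its address.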