There’s a lot of talk about SDN solutions today such as Cisco’s Application Centric Infrastructure. In fact, Cisco ACI is
All of that is wonderful, as long as IT is taking care of the most important facet of all: keeping the network secure. Having the agility and responsiveness to let users easily access the analytical information they need, or to provision the resources they want in a matter of minutes, is all well and good, but if the integrity of those resources is compromised then none of it really matters. An infrastructure that provides an elastic, fertile ecosystem for application developers is great, but if that innovation is accessed in an unauthorized manner, all of those benefits are instantly nullified.
To put it simply, security is job #1! That’s why Cisco ACI provides embedded security and policy-based automation to ensure that your provisioned resources are secured through an evolutionary process called microsegmentation. The idea of segmenting the network is nothing new: your firewall already segments areas of your network such as the LAN, the DMZ and the Internet. Consider ransomware and how it seeks out connected drives; some newer strains can even find a company’s backups if they sit on the same segment as the infected device.
Microsegmentation with Cisco ACI decouples segments from the broadcast domain by defining them through policy. It uses a new application-aware construct called the endpoint group, or EPG, that lets application designers define which endpoints belong to the EPG regardless of their IP addresses or the subnets they sit in. An endpoint can be a physical server, a virtual machine, a Linux container or a mainframe computer. ACI provides microsegmentation support for the VMware vSphere Distributed Switch, the Microsoft Hyper-V virtual switch and bare-metal endpoints; the type of endpoint is irrelevant. You just need all of them secured regardless of IP address, MAC address, endpoint type or network location.
This idea of microsegmentation is then compounded by the core principle of applying a zero-trust approach to each and every device. Resources can be provisioned at scale and quickly, but they are not trusted at boot. A device is inaccessible until it has been issued a preconfigured policy, which then, and only then, allows it to communicate with other devices in the network. IT personnel can quickly and easily quarantine compromised or rogue endpoints or limit the lateral movement of a threat. With ACI, there is no window of vulnerability during the provisioning process.
Policy-based automation is the embedded security at the very core of Cisco Application Centric Infrastructure. An EPG is by definition a microsegment, and its security enforcement policy is defined by a contract that consists of a built-in stateless whitelist firewall and a Layer 4 through Layer 7 (L4-L7) service insertion policy that supports a robust ecosystem of L4-L7 partners for next-generation firewall (NGFW) and next-generation intrusion prevention system (NG-IPS) products. You can make your policies as granular as necessary, creating unique policies within one policy model for networks, servers, storage and services.
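As an added illustration (not Cisco's code and not the ACI API), here is a small Python model of the EPG and contract behaviour described in the two paragraphs above: EPG membership is keyed by policy rather than by IP or subnet, an endpoint with no policy issued gets no connectivity, contracts are one-way whitelists of (protocol, port) filters between a consumer and a provider EPG, and quarantine is modelled as moving an endpoint into an EPG that has no contracts. It assumes that traffic within a single EPG is permitted by default; every endpoint name, address and port is constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str    # recorded for illustration only; policy never keys on it
    kind: str  # "vm", "bare-metal", "container": the type is irrelevant to policy

@dataclass(frozen=True)
class Contract:
    consumer: str        # EPG allowed to initiate the flow
    provider: str        # EPG that offers the service
    filters: frozenset   # whitelisted (protocol, port) pairs

class Fabric:
    def __init__(self):
        self.epg_of = {}      # endpoint name -> EPG name; absent = no policy issued
        self.contracts = []

    def assign(self, ep, epg):
        # Membership comes from the policy definition, not from the IP or subnet.
        self.epg_of[ep.name] = epg

    def permitted(self, src, dst, proto, port):
        s, d = self.epg_of.get(src.name), self.epg_of.get(dst.name)
        if s is None or d is None:
            return False      # zero trust: no policy yet means no connectivity
        if s == d:
            return True       # assumption: intra-EPG traffic is allowed by default
        return any(c.consumer == s and c.provider == d and (proto, port) in c.filters
                   for c in self.contracts)

def demo():
    """Constructed scenario: the web tier may reach the database on tcp/3306 only."""
    fab = Fabric()
    web = Endpoint("web-1", "10.0.1.10", "vm")
    db = Endpoint("db-1", "10.0.1.20", "bare-metal")  # same subnet as web-1
    rogue = Endpoint("rogue-1", "10.0.1.30", "vm")    # booted, but no policy issued
    fab.assign(web, "web")
    fab.assign(db, "db")
    fab.contracts.append(Contract("web", "db", frozenset({("tcp", 3306)})))
    results = {
        "web_to_db_mysql": fab.permitted(web, db, "tcp", 3306),  # True
        "web_to_db_ssh": fab.permitted(web, db, "tcp", 22),      # False: not whitelisted
        "db_to_web_mysql": fab.permitted(db, web, "tcp", 3306),  # False: contract is one-way
        "rogue_to_db": fab.permitted(rogue, db, "tcp", 3306),    # False: same subnet, no EPG
    }
    fab.assign(web, "quarantine")  # compromised endpoint moved to an EPG with no contracts
    results["quarantined_web_to_db"] = fab.permitted(web, db, "tcp", 3306)  # False
    return results
```

Note that the rogue endpoint shares a subnet with the database and is still isolated, which is the point of segmenting by policy rather than by broadcast domain.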
By instilling this protected means of microsegmentation, complemented by automated granular policies, Cisco ACI helps lower the TCO of your infrastructure investments, on top of all the other ways it reduces costs and adds value. Cisco ACI is the complete package, which is why it is the premier SDN solution on the market today. Interested in learning more? Check out our white paper titled "Using Cisco ACI as a Technology-based Catalyst for IT Transformation".