Hello, I'm [name inaudible], VP of Technology at AlgoSec. In the next few minutes I'm going to demonstrate how AlgoSec can be used to automate connectivity management in a next-generation data center based on Cisco ACI. So let's have a look at our environment.

We have our data center managed by Cisco ACI: the APIC is managing the spine and leaf switches. We potentially also have some firewalls within the data center; these can be defined as layer 4 to layer 7 services, either Cisco firewalls or any other vendor's, controlling the east-west traffic. In many cases we will also have perimeter firewalls around the data center, again from different vendors, or maybe further upstream. In addition we have cloud infrastructure, so we have cloud security groups protecting our Amazon or Azure workloads. Connecting to all these pieces in the network we have AlgoSec, which can connect to all these different vendors and platforms through their APIs and then provide end-to-end visibility across your entire network. This visibility can then be leveraged either for understanding what's going on, troubleshooting, making changes, operational activities, etc., but also for risk analysis and compliance. In addition, AlgoSec also has a workflow automation part which allows automatic provisioning, consistently across the different vendors and platforms. We will soon see that part in action, specifically with regard to Cisco ACI. On top of all that,
we have our business context layer, BusinessFlow, which serves as a repository of the connectivity requirements of each application. This repository can then be used either by application developers or application owners to get some visibility into their specific application's connectivity, and also things like risks, compliance, vulnerabilities, etc., in the context of their own application. But it is also extremely important for the network and firewall teams to see the business context of everything they do: whenever they touch something, shut down a server, perform maintenance on a firewall, etc., they can easily see what the business impact would be, which business applications will be affected, etc. This concept is very much aligned with ACI's application-centric approach. So let's
see how AlgoSec can be used for automatic provisioning of connectivity within the data center.

So this is my ACI environment. Under this tenant, [tenant name inaudible], I have created the building application. This application has two servers and some clients connecting to the web server, and let's say we want to create some new connectivity in this application, from the web server to the app server. So let's create this change in AlgoSec. We'll create a new change request and choose the right networks for the change request; alternatively I could use predefined names or the EPG names from ACI itself. And let's say we need port 135, and we'll create the change request. Note that I created this change request from the UI, but alternatively I could have uploaded a CSV file with the list of flows or used the APIs AlgoSec provides.

OK, so I see that AlgoSec has detected that the ACI is relevant for this change and needs to be updated, specifically the [tenant name inaudible] tenant. In this case it was an internal east-west traffic change; if it was something external then probably some perimeter firewalls would have also been picked. Let's continue with that. Now, before
actually committing the change, AlgoSec will perform a risk check to verify that the requested change adheres to the pre-approved security policy, including either out-of-the-box best practices or a customized company security policy. In this case we can see that the port we chose, 135, is considered risky: it's MSRPC, and it's considered a risk even between internal networks. We will choose to approve it anyway in this case.

The next step is to implement the change. AlgoSec now calculates how exactly this change needs to be implemented, whether something needs to be changed on the ACI itself and how, and we can see that a work order was generated. Apparently we need to create a new filter for the TCP 135 port, and we also need to add a new contract under this tenant. This new contract will use the existing web EPG as the consumer and the existing app EPG as the provider, and of course utilize our newly created filter. As the next step I will hit "implement on device", and now AlgoSec will go ahead and push this change to APIC via its northbound APIs. OK, implementation is complete. Let's have
a look. Back in our APIC, here we can see the newly created contract; it's using a newly created filter on TCP 135, allowing access from the web server to the application server. Note that I did all this step by step just to show the different parts of the workflow, but in reality this can be defined as a zero-touch workflow where everything is happening automatically within minutes, and it will only stop in case some predefined condition was met, things like a high risk was detected, so before implementing the change you want someone to manually approve it, or something of that nature. Also note that if other firewalls were involved in the process, either within the data center or on the perimeter, or potentially cloud security groups, those would have been picked by AlgoSec as well, and similarly changes would have been pushed to their management as well. And with that we will conclude our demonstration. Thank you.
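The work order the demo describes (a new TCP/135 filter, a new contract consuming from the web EPG and providing to the app EPG, pushed to APIC over its northbound REST API) can be expressed directly as an APIC object tree. The following is an added example written for this page; it is not AlgoSec's or Cisco's code and does not show how AlgoSec builds its work orders. The ACI class and attribute names (fvTenant, vzFilter/vzEntry, vzBrCP/vzSubj/vzRsSubjFiltAtt, fvAEPg with fvRsCons/fvRsProv) and the /api/aaaLogin.json and /api/mo/{dn}.json endpoints are the standard APIC object model, but check them against your APIC version. The tenant, application profile and EPG names, the risky-port list standing in for the "pre-approved security policy", and all function names are assumptions for illustration. The "zero-touch" gate mirrors the transcript: a flow that hits the risk list stops for approval, anything else goes straight to a ready-to-push plan.

```python
"""Added example (not AlgoSec's or Cisco's code): build the TCP/135 web->app
work order from the demo as an APIC REST object tree, gated by a risk check."""
import json
import urllib.request

# Constructed stand-in for the "pre-approved security policy": destination
# ports that must not be opened without manual approval. tcp/135 is listed
# because the demo flags it as MSRPC; the other two are assumptions.
RISKY_TCP_PORTS = {135: "MSRPC", 445: "SMB", 3389: "RDP"}


def risk_check(proto, port):
    """Return a finding string if the flow hits the risky-port list, else None."""
    if proto == "tcp" and port in RISKY_TCP_PORTS:
        return f"tcp/{port} ({RISKY_TCP_PORTS[port]}) is on the risky-port list"
    return None


def build_filter(name, proto, port):
    """vzFilter with one vzEntry matching the destination port (stateful)."""
    return {"vzFilter": {"attributes": {"name": name}, "children": [
        {"vzEntry": {"attributes": {
            "name": f"{proto}-{port}", "etherT": "ip", "prot": proto,
            "dFromPort": str(port), "dToPort": str(port), "stateful": "yes"}}}]}}


def build_contract(name, filter_name):
    """vzBrCP whose single subject references the filter by name."""
    return {"vzBrCP": {"attributes": {"name": name, "scope": "context"}, "children": [
        {"vzSubj": {"attributes": {"name": "allow"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filter_name}}}]}}]}}


def build_work_order(tenant, ap, consumer_epg, provider_epg, proto, port):
    """One POST body for /api/mo/uni/tn-{tenant}.json: filter, contract and
    the consumer/provider relations on the two existing EPGs under `ap`."""
    flt = f"{proto}-{port}"
    contract = f"{consumer_epg}-to-{provider_epg}"
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        build_filter(flt, proto, port),
        build_contract(contract, flt),
        {"fvAp": {"attributes": {"name": ap}, "children": [
            {"fvAEPg": {"attributes": {"name": consumer_epg}, "children": [
                {"fvRsCons": {"attributes": {"tnVzBrCPName": contract}}}]}},
            {"fvAEPg": {"attributes": {"name": provider_epg}, "children": [
                {"fvRsProv": {"attributes": {"tnVzBrCPName": contract}}}]}}]}}]}}


def plan_change(tenant, ap, consumer_epg, provider_epg, proto, port, approved=False):
    """Zero-touch flow: stop for approval on a risky flow, otherwise emit the plan."""
    finding = risk_check(proto, port)
    if finding and not approved:
        return {"status": "pending_approval", "finding": finding}
    return {"status": "ready", "finding": finding,
            "url": f"/api/mo/uni/tn-{tenant}.json",
            "body": build_work_order(tenant, ap, consumer_epg, provider_epg, proto, port)}


def push_to_apic(apic, user, pwd, plan):
    """Log in to APIC, then POST the planned tree with the session cookie.
    Network call; not exercised offline. `apic` is e.g. https://apic.example.net
    (assumed hostname). TLS is verified by the default urllib context."""
    hdrs = {"Content-Type": "application/json"}
    login = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    with urllib.request.urlopen(urllib.request.Request(
            f"{apic}/api/aaaLogin.json", data=login, headers=hdrs)) as r:
        token = json.load(r)["imdata"][0]["aaaLogin"]["attributes"]["token"]
    req = urllib.request.Request(f"{apic}{plan['url']}", data=json.dumps(plan["body"]).encode(),
                                 headers={**hdrs, "Cookie": f"APIC-cookie={token}"})
    with urllib.request.urlopen(req) as r:
        return r.status  # 200 on success; APIC puts error detail in the body otherwise


if __name__ == "__main__":
    # Same flow as the demo: web -> app on tcp/135, first unapproved, then approved.
    print(json.dumps(plan_change("demo", "building", "web", "app", "tcp", 135), indent=1))
    print(json.dumps(plan_change("demo", "building", "web", "app", "tcp", 135, approved=True),
                     indent=1))
```

Posting the whole tree to the tenant DN in one request keeps the filter, contract and EPG relations atomic on the APIC side; posting them as three separate calls would leave a half-applied state if the last one is rejected. The two fvAEPg objects carry only the new relation, so the existing EPG configuration is merged rather than replaced.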