Briefings In Brief 098: Cisco Tetration Enables Microsegmentation And App Dependency Mapping

Cisco Systems sponsored a Security Field Day event on October 21st 2020 to provide a deep dive into its Tetration product. Drew Conry-Murray attended (virtually) as a delegate. In this Briefings in Brief episode, Ethan Banks and Drew dive into details of Cisco’s presentation to get an update on Tetration, and Ethan finds out if Drew was actually paying attention. What Is Tetration? * It was originally launched in 2016 for data center analytics * At present, Tetration focuses on two major use cases: application dependency mapping and microsegmentation. You can use Tetration to map application dependencies and relationships among apps both on premises and in the public cloud * Once you understand those dependencies, you can then apply fine-grained segmentation policies via allow/deny lists to ensure that apps only interact with the right systems and services * You can implement global rules (all Windows applications should talk to Active Directory) as well as more fine-grained rules Tetration Architecture * 2 main components. One is the Big data Analytics platform that ingests packet and flow data to build its application maps. This platform also serves as a policy store * Second is an agent that sits on application hosts, be they physical servers, VMs, or cloud hosts. The hosts collect packet and flow data to send to the analytics platform. The hosts also program a local host firewall with the requisite rules to enforce policies. For Windows machines that would be a local Windows firewall, and for Linux boxes it’s IP Tables. Agent hosts are managed in the same console where you review application dependencies * The Big Data analytics platform can run on premises or as a SaaS option. The SaaS option came out in 2018. Before that, you had to spend big $$ on a full or half rack of servers and storage. We’re confident the subscription service is still reassuringly expensive… How Does It Work? * You choose an application, deploy the agents, and start collecting packet and flow data * Over time (days to weeks), the analytics platform maps out dependencies and services. You can also pull in information from vCenter, ServiceNow, IPAM, and other sources * Once you feel like you have a sufficient grasp of the application’s dependencies and behaviors, you create policies that will be translated into host firewall rules * You can test these rules before you deploy. This is a key feature! Before you push to production, you can test the rules against the analytics platform to find out if you’ve broken anything. The system can show you that a specific rule blocks the app from connecting to the backup server. Cheers to you for learning that before you caused a bunch of storage admins to freak out! * As applications change or new apps get updated, you can rejigger rules as part of your operational process, whether it’s a CI/CD pipeline or a set of tickets through your ITSM * Use cases include segmenting apps and systems that touch credit card data and would therefore be in scope for PCI, for example Doesn’t Cisco ACI Already Have Microsegmentation? * Yes it does. But it doesn’t help you understand the consequences of segmentation or how to best implement segmentation. And Tetration is decoupled from the network infrastructure, unlike ACI * You can run ACI for the fabric and use Tetration for the segmentation and compliance management if that appeals to you Doesn’t Cisco Already Have AppDynamics? * Yes, and you can learn application dependencies with AppDynamics, but AppDynamics is performance monitoring product. Tetration isn’t going to tell you much about application performance.