Sunday, 10 November 2013

Cisco ACI - Security Challenges key notes


"Cisco’s ACI delivers centralized application-driven policy automation and management of, and visibility into, both physical and virtual environments as a single system. It is optimized to support an “application anywhere” model, with complete freedom of application movement and placement. This novel approach empowers IT teams to offer cloud-based services to their customers directly, with the associated service-level agreements (SLAs) and performance requirements for the most demanding business applications."

The Cisco ACI architecture brings new challenges to the security domain in the data center.
In this short post I will try to address some of the security challenges facing the Insieme group responsible for developing ACI.

Automation
With the ACI solution Cisco aims to solve the slowness of the IT department by automating the way applications are deployed in the data center.
To deploy a new application, ACI uses an "application profile". This profile contains all the details needed from the network perspective: VLAN connectivity, routing, computing, storage and security. It is the same idea as a service profile in the UCS world.
Take, for example, the deployment of a SharePoint application with ACI.
Is the security policy for an internal SharePoint the same as for an Internet-facing SharePoint?
Different applications will need different custom security policies.


APIC - Control Plane
The APIC will use a control-plane protocol to talk with the other entities it has to provision, configure and measure for health status checks.
There must be a strong authentication method for new devices joining the APIC control plane, and the connection must be secured with strong and fast encryption.

Attacking the APIC
One of the most common ways to take down a public service is a distributed denial-of-service (DDoS) attack.
The APIC will need an internal mechanism to protect itself from this form of attack.
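As an added illustration of the kind of internal mechanism meant here (this is example code written for this post, not Cisco's or Insieme's), the following per-source token bucket lets a controller keep serving well-behaved clients while a single flooding source is throttled. The source addresses, bucket size and refill rate are constructed values for the demonstration.

```python
# Added example (not Cisco's code): a per-source token-bucket rate limiter,
# one way a controller can protect itself from a request flood so that a
# single noisy source cannot exhaust request handling for everyone else.
# All names, addresses and numbers below are assumptions for illustration.
from collections import defaultdict


class TokenBucketLimiter:
    """Each source gets a bucket of `capacity` tokens, refilled at `rate` tokens per second."""

    def __init__(self, capacity, rate):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self._tokens = {}               # source -> tokens remaining
        self._last = {}                 # source -> timestamp of last update
        self.rejected = defaultdict(int)  # source -> number of throttled requests

    def allow(self, source, now):
        """Return True if the request from `source` at time `now` may be served."""
        tokens = self._tokens.get(source, self.capacity)
        last = self._last.get(source, now)
        # Refill proportionally to elapsed time, never above the bucket capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        self._last[source] = now
        if tokens >= 1.0:
            self._tokens[source] = tokens - 1.0
            return True
        self._tokens[source] = tokens
        self.rejected[source] += 1
        return False


def simulate(limiter, requests):
    """requests: iterable of (timestamp, source). Returns {source: (allowed, rejected)}."""
    allowed = defaultdict(int)
    for ts, src in sorted(requests):
        if limiter.allow(src, ts):
            allowed[src] += 1
    sources = set(allowed) | set(limiter.rejected)
    return {src: (allowed[src], limiter.rejected[src]) for src in sources}


# Constructed traffic: one source fires 50 requests within half a second,
# while a normal client sends 5 requests spread over 5 seconds.
CONSTRUCTED_REQUESTS = [(i * 0.01, "203.0.113.9") for i in range(50)] + \
                       [(float(i), "198.51.100.4") for i in range(5)]


def demo():
    """Bucket of 10 requests, refilled at 2 per second (assumed limits)."""
    limiter = TokenBucketLimiter(capacity=10, rate=2)
    return simulate(limiter, CONSTRUCTED_REQUESTS)


if __name__ == "__main__":
    for src, (ok, dropped) in sorted(demo().items()):
        print("%-14s allowed=%d throttled=%d" % (src, ok, dropped))
```

With these limits the flooding source gets its first 10 requests through and the remaining 40 are throttled, while the normal client is never affected; in a real controller the same accounting would sit in front of the request handler and the limits would be tuned to the expected management traffic.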


Compromise of the APIC
APIC is the heart of ACI architecture, one of the biggest threats to all ACI architecture is unauthorized access or compromise of the APIC that control the entire entities.
The OS of the APIC will need to be build from harden custom kernel  instead of public Linux kernel with minimum open services.
The ip address for access to APIC need to narrow for few specific  management IP's
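Narrowing management access to a few addresses is only useful if you also notice when something outside that set reaches the controller. The following is an added example (written for this post, not Cisco's code) that checks connection log lines against an allowlist of management networks and reports anything else touching the management ports. The log format, the networks and the addresses are all constructed for the example.

```python
# Added example (not Cisco's code): flag management-plane connections whose
# source is outside the allowed management networks. Log format, networks and
# addresses are constructed for illustration.
import ipaddress
import re

# Assumed allowlist: one management subnet and one jump host.
ALLOWED_MGMT_NETS = [
    ipaddress.ip_network("10.10.5.0/24"),
    ipaddress.ip_network("192.0.2.10/32"),
]

# Assumed log line shape: "<timestamp> src=<ip> dst=<ip> dport=<port> action=<accept|deny>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+action=(?P<action>\w+)$"
)


def is_allowed_source(src):
    """True only for a syntactically valid address inside an allowed network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_MGMT_NETS)


def find_unexpected_mgmt_access(lines, mgmt_ports=(22, 443)):
    """Return (src, timestamp, action) for every management-port connection from
    outside the allowlist, plus ("unparsed", line) for lines the parser rejects,
    since a log format you cannot parse is itself worth investigating."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if not m:
            findings.append(("unparsed", line))
            continue
        if int(m.group("dport")) not in mgmt_ports:
            continue  # not a management port; out of scope here
        if not is_allowed_source(m.group("src")):
            # Denied attempts are reported too: they show who is probing the APIC.
            findings.append((m.group("src"), m.group("ts"), m.group("action")))
    return findings


# Constructed sample log: one allowed session, two sources outside the
# allowlist (one accepted, one denied), one non-management port, one bad line.
CONSTRUCTED_LOG = """\
2013-11-10T09:12:01Z src=10.10.5.20 dst=10.10.0.1 dport=443 action=accept
2013-11-10T09:13:44Z src=172.16.40.7 dst=10.10.0.1 dport=22 action=accept
2013-11-10T09:14:02Z src=10.10.5.21 dst=10.10.0.1 dport=80 action=accept
2013-11-10T09:15:30Z src=198.51.100.77 dst=10.10.0.1 dport=443 action=deny
this line is not in the expected format
""".splitlines()


if __name__ == "__main__":
    for finding in find_unexpected_mgmt_access(CONSTRUCTED_LOG):
        print(finding)
```

The accepted session from 172.16.40.7 is the one that matters most: it means the allowlist on the device or the upstream filter is not actually enforcing what the policy says, which is exactly the gap this section is warning about.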


Northbound interfaces API
One of the keys to ACI is the ability of third-party applications to communicate with the APIC. The northbound interface allows a cloud management system like OpenStack or Cloupia to program and orchestrate the APIC.
What if an attacker manages to inject a malicious script into a third-party solution, which then returns that script in an API response that you are handling?
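The defensive answer to that question is to treat every northbound API response as untrusted input: check the content type, bound the size, parse strictly, validate each field against what the integration actually expects, and escape on output regardless. The following is an added example written for this post (not Cisco's or any orchestration product's code); the JSON shape, the tenant-name rule and the sample response are assumptions for the demonstration.

```python
# Added example (not Cisco's code): handle a JSON response from an untrusted
# third-party system so that an injected script cannot reach the caller's UI.
# Document shape, naming rule and sample payload are constructed assumptions.
import html
import json
import re

# Assumed rule: a tenant name is a short identifier, nothing else.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
MAX_BODY_BYTES = 1_000_000


class ResponseRejected(Exception):
    """Raised when the response as a whole cannot be trusted."""


def parse_api_response(content_type, body):
    """Validate an API response and return (accepted_tenants, rejected_items).

    Whole-response problems (wrong media type, oversized, malformed, wrong
    shape) raise ResponseRejected; individual bad entries are set aside so a
    single injected record does not silently poison the good ones.
    """
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/json":
        raise ResponseRejected("unexpected content type: %r" % content_type)
    if len(body) > MAX_BODY_BYTES:
        raise ResponseRejected("response body too large")
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise ResponseRejected("invalid JSON: %s" % exc)
    if not isinstance(doc, dict) or not isinstance(doc.get("tenants"), list):
        raise ResponseRejected("unexpected document shape")

    accepted, rejected = [], []
    for item in doc["tenants"]:
        tenant_id = item.get("id") if isinstance(item, dict) else None
        name = item.get("name") if isinstance(item, dict) else None
        id_ok = isinstance(tenant_id, int) and not isinstance(tenant_id, bool)
        name_ok = isinstance(name, str) and NAME_RE.match(name) is not None
        if id_ok and name_ok:
            accepted.append({"id": tenant_id, "name": name})
        else:
            rejected.append(item)
    return accepted, rejected


def is_rejected(content_type, body):
    """Convenience wrapper: True when the whole response is refused."""
    try:
        parse_api_response(content_type, body)
    except ResponseRejected:
        return True
    return False


def render_tenant_rows(tenants):
    """Build HTML table rows; values are escaped even though they were validated,
    so a later relaxation of NAME_RE cannot turn into script injection."""
    return "".join(
        "<tr><td>%d</td><td>%s</td></tr>" % (t["id"], html.escape(t["name"], quote=True))
        for t in tenants
    )


# Constructed response: one good record, one carrying an injected script,
# one with an id of the wrong type.
CONSTRUCTED_RESPONSE_BODY = json.dumps({
    "tenants": [
        {"id": 1, "name": "prod-web"},
        {"id": 2, "name": "<script>alert(1)</script>"},
        {"id": "3", "name": "dev"},
    ]
})


if __name__ == "__main__":
    good, bad = parse_api_response("application/json; charset=utf-8", CONSTRUCTED_RESPONSE_BODY)
    print("accepted:", good)
    print("rejected:", bad)
    print(render_tenant_rows(good))
```

The two layers are deliberately independent: validation decides what the integration will act on, and output escaping protects whoever views the result, so a mistake in one does not defeat the other.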

Wednesday, 6 November 2013

Application Centric Infrastructure ACI - FAQ

What is ACI?
A. Cisco® Application Centric Infrastructure (ACI) is an innovative architecture that provides a common management framework for the network, application, security, and IT operations teams, to help make IT more agile while reducing application deployment time.
Cisco’s ACI delivers centralized application-driven policy automation and management of, and visibility into, both physical and virtual environments as a single system. It is optimized to support an “application anywhere” model, with complete freedom of application movement and placement. This novel approach empowers IT teams to offer cloud-based services to their customers directly, with the associated service-level agreements (SLAs) and performance requirements for the most demanding business applications.
What are the components of ACI?
A. ACI embraces hardware, software, and application-specific integrated circuit (ASIC) elements as part of the overall architecture. The primary components of ACI will include a centralized fabric controller, the Cisco Application Policy Infrastructure Controller (Cisco APIC); ACI-ready networking switches (for example, the new Cisco Nexus® 9000 Series Switches); and a rich set of ecosystem elements made possible by an open approach. Cisco also offers a portfolio of professional and technical services for ACI and the Nexus 9000 Series. All components of ACI will continue to be sold through Cisco’s channel partners and direct sales as well as through ecosystem partners as appropriate. Two portfolios of Cisco Branded Services are available to partners to help enable and secure the Cisco ACI: Cisco Services for Cisco ACI and Cisco Services to Secure Cisco Data Center Infrastructure. To learn more about these services visit http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps13386/at-a-glance-aci-services.pdf or contact your local Cisco partner services development manager (PSDM); send any queries to as-aci-support@cisco.com.
Are technology partners affected by ACI?
A. ACI is designed as an open architecture from the ground up. Cisco, with Insieme, is actively developing a complete technology ecosystem in seven key areas:
1. Orchestration, automation, and management
2. Configuration and compliance
3. Monitoring and diagnostics
4. Traffic flow and analysis
5. Security
6. Network services
7. Storage and virtualization
© 2013 Cisco Systems, Inc and/or its affiliates. All rights reserved.
Will ACI be integrated into VCE products?
A. Yes, as indicated by VCE Chief Technology Officer Trey Layton’s recent blog post (https://blog.vce.com/innovation/future-vblock-systems-and-application-centric-infrastructures/), ACI will be deployed in future VCE™ Vblock™ Systems.
How is ACI different from SDN and Cisco ONE?
A. Cisco Open Network Environment (Cisco ONE: www.cisco.com/go/one) is the industry’s broadest approach to making networks open, programmable, and application aware. It is cross architectural and supports service provider, branch, campus, and data center deployments. Cisco ONE advocates open standards, open APIs, and open source, for a variety of network deployment options, including software-defined networking (SDN) models. It includes elements of orchestration, automation policy and analytics to expose the value of networks.
Cisco ACI supports all aspects of open networking and delivers on the Cisco ONE strategy, embracing open APIs, open source, and open standards. The vision of ACI extends beyond the network to include other infrastructure elements such as computing and storage, while supporting an open ecosystem of technology and developer partners. It also goes beyond traditional SDN and overlay network virtualization models, with an application-centric design built from the ground up for next-generation data center and cloud requirements.
How does ACI address white-label boxes?
A. Cisco’s approach is to bring in tight integration between hardware, software, and ASICs and to provide a systems approach, which creates a better customer experience, delivers operational simplicity, and lowers TCO. These outcomes are not achievable through commodity white-label boxes.
Does ACI represent a vendor lock-in?
A. No. The ACI approach is built on open principles with an emphasis on open and published APIs, open source, open standards, and an open ecosystem model with the intent to facilitate integration with a heterogeneous, multivendor data center environment.
Will the Cisco Nexus 9000 Series cause the existing Nexus portfolio to become obsolete? Will Cisco continue to invest in the existing Nexus portfolio?
A. The existing Nexus portfolio will not become obsolete; in fact, Cisco has announced the evolution of its Unified Fabric portfolio with the current Nexus platforms to deliver new innovations such as Dynamic Fabric Automation on the Nexus 7000 and 6000 Series as well as the new F3 line cards on the Nexus 7000 Series. In addition, new models were introduced recently in the Nexus 3000 and 6000 Series. Cisco has a committed roadmap showing delivery of many new platforms, modules, and features over the course of FY14 alone. Customers who invested in the existing Nexus portfolio can continue on the same path if they choose, as Cisco continues to build and invest in these platforms.
Cisco has always talked about investment protection. What is the investment protection offered here?
A. Cisco is expanding the Nexus portfolio with Nexus 9000 Series switches built on the proven NX-OS to meet the increasing application demands in the data center.
Can I mix ACI deployments with existing Nexus installations?
A. No, but platforms such as the Nexus 7000 Series participate in ACI deployments for data center interconnect, WAN environments, extranet, and Internet deployments.
How are you positioning ACI compared to existing Nexus offerings?
A. A use-case-led approach is being adopted for advising customers on when to adopt the Nexus 9000 Series and where the current products within the Nexus portfolio make the most sense. These are generic recommendations, with actual positioning to be decided by account teams on a case-by-case basis.
Can you describe the hardware used in building ACI?
A. The Nexus 9000 Series is based on both merchant and custom ASICs as part of a “merchant plus” strategy to provide maximum benefits to the data center infrastructure. Custom ASICs are used, enabling Cisco to take advantage of its experience and insights to differentiate its platforms.
Why are there so many controllers? Extensible Network Controller (XNC)? OpenDaylight? Cisco APIC? What should customers choose?
A. Customer use cases and feature requirements vary depending on their deployment model. In keeping with this, Cisco has developed controllers based on deployment models, for maximum impact. While XNC is a network controller based on classic SDN principles, the Cisco APIC is expected to be a much broader data center infrastructure controller designed from the ground up to be application centric. OpenDaylight is an open source initiative that Cisco has committed to contribute to under the Linux foundation, but it is not sold or supported by Cisco.
Is Cisco still committed to XNC and OpenDaylight?
A. Yes.
Will the Cisco APIC support the existing Nexus installed base?
A. The Cisco APIC is an integral part of the Cisco Nexus 9000, in which the hardware is designed from the ground up to provide a tightly integrated solution for ACI environments.
What will this announcement mean to Cisco’s existing installed base that has invested in Nexus platforms over the past several years? Is Cisco going to continue to invest in the current portfolio?
A. Cisco has introduced new innovations in the past few months on its modular and fixed platforms and will continue to do so, based on customer requirements.
How should customers approach adoption of the new Nexus 9000 Series and ACI into existing architectures?
A. During refresh or expansion cycles, customers will be able to evaluate the new offerings and decide on the best approach for their environment, in conjunction with guidance from Cisco solution sales experts on a case-by-case basis.