Tetration - Datacenter Analytics...Analytics Engine Visualization and Reporting Web GUI REST API...

Date post: 15-May-2020

Cisco Tetration Analytics + Demo
Ing. Guenter Herold, Area Manager Datacenter, Cisco Austria GmbH

5 - 7 April 2017 | Cisco Connect | Pula, Croatia

Agenda

Introduction

Theory

Demonstration


Innovation Through Engineering

<9 Months spent on Planning

$1B OPEX Shifts

DLT members changing roles

>1000 Employees involved in Open Source Projects

30% of FY15 revenue are based on Agile and DevOps

Engineering contributed Cisco Net Income growth of 6% (Q3’15)

25,000 $6.3B


Alpha Projects

190 Tetration patents

Cisco Tetration Analytics™

5 - 7 April 2017 | Cisco Connect | Pula, Croatia

Architecture

Intent (May) | Assurance (Can) | Analytics (Did)

Configuration Analysis: “Very Large State-Space”

Traffic Analysis: “Lots of Data”

Guarantees | Compliance | Consistency

Policy: ACI

ADM, Security, Forensics

BRKDCN-2040


Cisco Tetration Analytics Focus Areas

Cisco Tetration Analytics™

Visibility and Forensics

Application Insight

Policy Compliance

New: Application Segmentation (Automated Policy Enforcement)

TETRATION ANALYTICS 1.0: Action (Policy Recommendation)

TETRATION ANALYTICS 2.0: Application Segmentation


Cisco Tetration Analytics Use Cases

Application Insight and Dependency

Forensics: Every Packet, Every Flow, Every Speed

Policy Compliance and Auditability

Policy Simulation and Impact Assessment

Automated Whitelist Policy Generation

New: Application Segmentation (Automated Policy Enforcement)


Datacenter Wide Traffic Flow Visibility

Information about Consumer – Provider and type of traffic

Detail information about the flow


You Can’t Protect What You Don’t See

60% of data is stolen in HOURS

85% of point-of-sale intrusions aren’t discovered for WEEKS

54% of breaches remain undiscovered for MONTHS

51% increase in companies reporting a $10 million or more loss in the last 3 YEARS

“A community that hides in plain sight avoids detection and attacks swiftly.”— Cisco Security Annual Security Report.


http://www.asd.gov.au/infosec/mitigationstrategies.htm

Whitelist Policy Model


Whitelist Policy Recommendation

Application Discovery

App Tier

DB Tier

Storage

Web Tier

Storage

Policy Enforcement

Whitelist Policy Recommendation (Available in JSON, XML, and YAML)


Real-Time and Historical Policy Simulation

• Validating policy impact assessment in real time

• Simulating policy changes over historic traffic

• View traffic “outliers” for quick intelligence

• Audit becomes a function of continuous machine learning

Cisco Tetration Analytics™ Platform (diagram: VM and BM workloads)


Policy Compliance

• Identify policy deviations in real-time

• Review and update whitelist policy with one click

• Policy lifecycle management

Cisco Tetration Analytics™ Platform (diagram: VM and BM workloads)


Application Discovery (DC Network)
• Dependency Mapping (Security)
• Dependency Mapping (Migrations)

Visibility
• Flow Search
• Deviation Detection

Policy Management
• Simulation and Impact Assessment
• Compliance

Security Policy Enforcement
• Auditing
• Security Enforcement
• Policy Verification ~ ‘what if’
• Threat Detection / DDOS / …

Increased Visibility

Insightful Data

Policy Discovery/Enforce/Mgmt

The Real Value is Business and Operational Insight


Visual Query with Flow Exploration

• Replay flow details like a DVR

• Information mapped across 25 different dimensions

Thick lines indicate common flows; faint lines indicate uncommon flows


Outliers

• Switch on Outlier view to highlight uncommon flows

• Outlier dimension is highlighted with purple circle


Policy Compliance Verification & Simulation

What was seen on the network that was out of Policy

Permitted Traffic Seen on the network


All of the Architectures Look Similar BUT,

You can not create knowledge without information. Different Telemetry Data will enable different insights.

Analytics Engine

Visualization and Reporting: Web GUI, REST API, Push Events

Telemetry Sources: Application, Transport, Network, Data Link, Physical; Sockets, Process


All of the Architectures Look Similar BUT,

The ‘algorithms’ are what provide the foundation of value

The building blocks can be common (HDFS2, SPARK, …)

Analytics Engine

Visualization and Reporting: Web GUI, REST API, Push Events

Telemetry Sources: Application, Transport, Network, Data Link, Physical; Sockets, Process


Tetration Analytics Architecture Overview

Analytics Engine: Cisco Tetration Analytics™ Platform

Visualization and Reporting: Web GUI, REST API, Push Events

Data Collection: Host Sensors, Network Sensors, 3rd-Party Metadata Sources

Tetration Telemetry

Configuration Data

Cisco Nexus® 92160YC-X, Cisco Nexus 93180YC-EX


Tetration Analytics Data Sources

Software Sensors
• New! Enforcement Point (Software agents)
• Low CPU Overhead (SLA enforced)
• Low Network Overhead (SLA enforced)
• Highly Secure (Code Signed, Authenticated)
• Every Flow (No sampling), NO PAYLOAD

Linux VM | Windows Server VM | Bare Metal (Linux and Windows Server) | Universal* (Basic Sensor for other OS)

*Note: No per-packet Telemetry, Not an enforcement point

Available Now

Network Sensors: Next Generation 9K switches
• Nexus 9200-X
• Nexus 9300-EX

Third Party Sources (3rd party Data Sources)
• Asset Tagging
• Load Balancers
• IP Address Management
• CMDB


Application Discovery and Endpoint Grouping

Cisco Tetration Analytics™ Platform

Brownfield (diagram: BM and VM workloads)

Cisco Nexus® 9000 Series

Bare-metal, VM, & switch telemetry

VM telemetry (AMI …)

Bare-metal & VM telemetry

Network-only sensors, host-only sensors, or both (preferred)

Bare metal and VM

On-premises and cloud workloads (AWS)

Unsupervised machine learning

Behavior analysis


What does the Sensor Collect

Host sensor layers: Application, Transport, Network, Data Link, Physical; Sockets, Process

Network sensor layers: Network, Data Link, Physical

Process Information: Which process is it, who started it, etc.

Device Information: Buffer/ACL Drops, etc.


Different Problems will need Different Data Sources

Host sensor layers: Application, Transport, Network, Data Link, Physical; Sockets, Process

Network sensor layers: Network, Data Link, Physical

Network Health, Performance, Monitoring, Capacity

Application Health, Performance, Monitoring, Discovery, Security, Application Troubleshooting


Hardware Sensor and Software Sensor

Accumulated Flow Information (Volume…)

Software Sensor: Process mapping, Process ID, Process owner

Hardware Sensor: Tunnel endpoints, Buffer utilization, Burst detections, Packet drops, Flow details, Interpacket variations


What We Discovered: To and From DVProd Database

Discovered groups (diagram): Internet, IP Storage NAS, TA Cluster, Hadoop, Prod DBs, Non-Prod DBs, Labs, Kicker, Infra APPs, DB Proxy, Monitoring APPs, Non-Production Databases, LABs


Tetration Analytics and

Before

• Complex data center environment

• Lack of automation

• Lack of understanding into each tenant environment

• Exposure to risk of downtime too great to migrate applications safely

After

• Visibility across multi-tenant data center

• Move from tribal knowledge to data-driven decision making

• Reduction in time to understand application dependencies

• Migration to ACI with little downtime risk


Data Points

• Understanding of what happens INSIDE a flow
  – Distributions (packet sizes, TCP windows…)
  – Burstiness
  – Anomaly detection
  – Latency (application and network)
  – VXLAN information

• High rate export capabilities
  – 100ms for Hardware
  – 1s for Software


Context Information

• What happens around this flow?
  – Which process owns this flow?
  – Who runs it?
  – What is the buffer status?

• But also external information
  – GeoDB, DNS, reputation lists…


Meta-Data – Including Overlay VXLAN/GRE/IPinIP Encapsulated Header

Ethernet Header | IP Header | UDP Header | VXLAN Header | Ethernet Header | IP Header | TCP Header | Payload

Ethernet Header | IP Header | TCP Header | Payload

Ethernet Header | IP Header | UDP Header | Payload

Privacy Risk: Collects the Meta-Data not the Packet


Sensor Technology

Standard Sensors
• RHEL (64 bit) – 5.x, 6.x, 7.x
• CentOS (64 bit) – 5.x, 6.x, 7.x
• Oracle Linux (64 bit) – 6.x, 7.x
• SUSE – 11.2, 11.3, 11.4, 12.1, 12.2
• Ubuntu – 12.04, 14.04, 14.10
• Windows Server 2008 R1/R2 Essentials / Standard / Enterprise / DataCenter
• Windows Server 2012/R2 Essentials / Standard / Enterprise / DataCenter

Universal Sensors
• Mainframe ZVM (trial)
• AIX-ppc 5.3, 6.1, 7.1, 7.2 (trial)
• Solaris (x86_64)
• RHL 4.x, 5.x (32 bit – 386/amd)
• CentOS – 4.x, 5.x (32 bit)
• Windows XP, 2003 (32 bit)
• Windows Server 2008 (32 bit)

HW Sensors
Cisco Nexus 9K
Leaf with:
• 92160YC-X
• 93180YC-EX
Spine with:
• X9732C-EX C*


Tetration Analytics: Deployment Options

On-Premise Options

Cisco Tetration Analytics (Large Form Factor)
• Suitable for deployments with more than 1000 workloads
• Built-in redundancy
• Scales up to 10,000 workloads
Includes:
• 36 x UCS C-220 servers
• 3 x Nexus 9300 switches

Cisco Tetration-M (Small Form Factor)
• Suitable for deployments under 1000 workloads
Includes:
• 6 x UCS C-220 servers
• 2 x Nexus 9300 switches

Public Cloud (Amazon Web Services)

Cisco Tetration Cloud
• Software deployed in AWS
• Suitable for deployments under 1000 workloads
• AWS instance owned by customer


Host Based Enforcement

7K 5K 2K: VLANs, ACLs, Subnets → Workload

ACI: EPGs, Contracts, BDs → Workload

Hypervisor: Security Groups, Port Groups, Security Rules → Workload

AWS: Security Rules, Security Groups, Interfaces → Workload

A trusted module inside the workload enforces your intent


Security

Same level of security, any infrastructure.

(diagram: Application and Infrastructure intent rendered as Denies / Allows on Process and End Point)

Intent is rendered as security rules in native host firewalls


(diagram: Bare metal on Network Infrastructure, Cloud on Cloud Infrastructure, Virtual on Hypervisor Virtual Network; in each case Application intent is rendered as Denies / Allows on Process and End Point)

Any Infrastructure, Any Networking

Same Security Model, Rich Context


Mobility

Security Rules | VLANs | ACLs (7K 5K 2K) | Cloud: Security Groups, Interfaces, Subnets

EP ↔ EP

Tetration calculates all necessary rule changes and automatically applies them

Intent stays with the endpoint, no matter the infrastructure it resides on


Why should I understand dependencies?

Identify a single point of failure that should be replicated

Find all the parts of a service that should be migrated together to the cloud

Replace infrastructure components of an undocumented application

ACI application profiles, end point groups, and contracts based on applications


Application Dependency Mapping

(diagram: Load Balancer, App, Database)


Understand the communication

(diagram: Load Balancer, App, Database)


Initial recommendations

(diagram: Load Balancer, App, Database, Cache)


Optional and minimal human supervision

(diagram: Load Balancer, App, Database, Cache)


Approve the clustering

(diagram: Load Balancer, App, Database)


Enforcement Anywhere

Cisco Tetration Analytics™

Cisco ACI™ and Cisco Nexus® 9000 Series

Standalone

Linux and Microsoft Windows

Servers and VM

PublicCloud

Data

Whitelist policy:

{
  "src_name": "App",
  "dst_name": "Web",
  "whitelist": [
    {"port": [0, 0], "proto": 1, "action": "ALLOW"},
    {"port": [80, 80], "proto": 6, "action": "ALLOW"},
    {"port": [443, 443], "proto": 6, "action": "ALLOW"}
  ]
}

• Cisco ACI EPG/Contract Integration via Cisco ACI Toolkit

• Traditional Network ACL

• Firewall Rules

• Host Firewall Rules

Amazon Web Services

Microsoft Azure

Google Cloud
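As an added example (not code from the presentation or from Cisco), the whitelist policy JSON in the shape shown above can be loaded and checked against observed flows, separating permitted traffic from traffic seen out of policy as on the Policy Compliance Verification slide. The Flow record, the sample flows, and the treatment of ICMP as port 0 are assumptions made here.

```python
import json
from typing import NamedTuple

# Whitelist policy in the JSON shape shown on the slide: consumer (src_name), provider (dst_name), ALLOW rules.
POLICY_JSON = """{"src_name": "App", "dst_name": "Web", "whitelist": [
  {"port": [0, 0],     "proto": 1, "action": "ALLOW"},
  {"port": [80, 80],   "proto": 6, "action": "ALLOW"},
  {"port": [443, 443], "proto": 6, "action": "ALLOW"}]}"""

class Flow(NamedTuple):          # one observed flow (assumed record shape)
    src: str    # consumer cluster name, e.g. "App"
    dst: str    # provider cluster name, e.g. "Web"
    proto: int  # IP protocol number: 1 = ICMP, 6 = TCP, 17 = UDP
    dport: int  # destination port; modelled as 0 for ICMP (assumption)

def load_policy(text):
    """Parse a whitelist policy and sanity-check the fields visible on the slide."""
    doc = json.loads(text)
    for rule in doc["whitelist"]:
        lo, hi = rule["port"]
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {rule['port']}")
        if rule["action"] != "ALLOW":  # a whitelist carries only ALLOW rules
            raise ValueError(f"unexpected action {rule['action']!r}")
    return doc

def is_permitted(policy, flow):
    """Whitelist semantics: permitted only if some rule explicitly matches the flow."""
    if (flow.src, flow.dst) != (policy["src_name"], policy["dst_name"]):
        return False  # different cluster pair (or reverse direction): not covered
    return any(r["proto"] == flow.proto and r["port"][0] <= flow.dport <= r["port"][1]
               for r in policy["whitelist"])

def verify_compliance(policy, flows):
    """Split observed flows into permitted traffic and out-of-policy deviations."""
    permitted = [f for f in flows if is_permitted(policy, f)]
    deviations = [f for f in flows if not is_permitted(policy, f)]
    return permitted, deviations

# Constructed sample of observed App -> Web flows (not data from the page).
OBSERVED = [
    Flow("App", "Web", 6, 443),  # HTTPS: allowed
    Flow("App", "Web", 6, 80),   # HTTP: allowed
    Flow("App", "Web", 1, 0),    # ICMP: allowed
    Flow("App", "Web", 6, 22),   # SSH: no rule, so a deviation
    Flow("App", "Web", 17, 53),  # DNS over UDP: proto 17 has no rule, deviation
]
if __name__ == "__main__":
    ok, bad = verify_compliance(load_policy(POLICY_JSON), OBSERVED)
    print(f"{len(ok)} permitted, {len(bad)} out of policy:", *bad, sep="\n  ")
```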


Pres

Demo Time

