Cisco has been sharing a tremendous amount of information about how Application Centric Infrastructure (ACI) operates with the Nexus 9000 series hardware.  Cisco has provided partners and customers with training on the details of ACI configuration with the Application Policy Infrastructure Controller (APIC).  As we all get up to speed on ACI and APIC configuration we are anxious to find out how security is provided with this new network system.  The policies created by APIC compliment the security protections that companies use to protect their mission-critical data center applications.

 

In an ACI environment, the APIC is used to configure tenants which are logical separations of networks.  Within those tenants are Layer-3 private networks which can be thought of as Virtual Routing and Forwarding (VRF) and provides separation of the IP routing tables.  Bridge Domains (BDs) are configured to define a Layer-2 boundary for the subnets within the L3 private network.  End-Point Groups (EPGs) are configured to designate the hosts that are grouped in such a way that they will all have the same policy.  Finally, the APIC is used to create uni-directional or bi-directional contracts which form Application Network Profiles (ANPs) that define traffic flows that are permitted within the ACI fabric.  These hierarchical policies can then be manipulated in ways to streamline the creation of new environment.

 

In a data-center or cloud environment there are many security threats.  Systems and applications that have exposed vulnerabilities can be the target of attacks.  Attacker aim to gain access to one vulnerable system inside an organization: this could be an end-user computer or a data center server.  If the compromise is successful and there are no filters between systems, then the attacker can easily navigate through the entire DMZ or corporate intranet.  Once compromised, that system is the used by the attacker to pivot and start to attack the nearby systems.  Logical separation of servers and services in a data center networks into enclaves or virtual networks is considered a security best practice.  The separation of systems can be thought of as the popular security strategy “Diversity of Defense” which was mentioned in Building Internet Firewalls, by Elizabeth D. Zwicky, Simon Cooper and D. Brent Chapman.  In an ACI environment, the logical constructs of Tenants, L3 Private Networks, Bridge Domains (BDs), and End-Point Groups (EPGs) divide up the environment into compartments and enclaves that separate systems and make pivoting to nearby systems challenging.

 

The policies that are configured in the APIC represents the application traffic patterns that are permitted between the end points connected to the ACI fabric.  The Application Network Profiles (ANP) and Contracts define which protocols are permitted to flow between end-points.  Add to this the fact that Cisco ACI has an implicit drop policy.  Taboos can also be configured to drop traffic matching specific policies.  This can be thought of as similar to the default “Fail-Safe Stance” that was also mentioned in Building Internet Firewalls.  Security practitioners often refer to this concept as “That which is not permitted is dropped”.  The ACI Application Network Profile (ANP) represents the policy that defines “that which is permitted” part.  All other traffic will not be forwarded.  Based on “prima facie”, this sounds pretty strong and may mean that we do not need a firewall within the environment.

 

Once the ANP is created within the APIC, the ACI policies are then applied onto the stateless hardware in the data center fabric.  The Nexus 9000 switches use the APIC configuration to determine how packets are forwarded across the ACI fabric.  The ACI fabric that uses VXLAN provides for a stateless hash-based equal-cost-multi-path (ECMP) forwarding that allows for extremely high bandwidth data center environments.  Because the hardware is stateless, this means that connection state is not held within the leaf or spine fabric switches.  The fact that connection state is not being maintained means that the fabric does not have the same level of security as a modern stateful firewall.  There is a Cisco Adaptive Security Appliance (ASA) article that describes the importance of a stateful firewall in an SDN or ACI environment. Similarly load balancers and other middle-box systems also operate in a stateless way with ACI.  Therefore, if you require fully-stateful firewalling or load balancing, then you need to employ service-chaining using virtual, but still stateful, appliances.

 

Cisco’s ACI provides a high-performance data center fabric that can implement the policies created by APIC.  The ACI infrastructure and the APIC policies create logical separation of systems and define the application traffic that is permitted.  However, the fact that these are stateless policies means that they do not have the same level of security as a stateful packet filtering system or a security appliance that is performing as a stateful proxy.  We must remember that, even in a Cisco ACI environment we still need additional stateful security services to protect the systems connected to the ACI fabric.  We do not want to just assume that the ACI is providing stateful security for the end-points and applications.  Using stateful firewall virtual systems and service chaining are configurable within the APIC.  ACI and the policies configured in the APIC can complement and augment to the security of the entire data center environment, but they should not be relied on as the only security measure in place to protect the data center assets.