Tetration Analytics - Network...

Tetration Analytics - Network Analytics & Machine Learning Enhancing Data Center Security and Operations

Mike Herbert, Principal Engineer, INSBU

BRKDCN-2040

• Tetration (or hyper-4) is the next hyperoperation after exponentiation, and is defined as iterated exponentiation

• It’s bigger than a Google [sic] (Googol)

• And yes the developers are a bunch of mathematical geeks

Okay what does Tetration Mean?

BRKDCN-2040 3

Tetration Analytics Platform

Introduction

We Are at the Cusp of a Major Shift

DIGITAL EXPERIENCESEFFICIENCY SIMPLICITY | SPEED

Adoption

IT as a Service IaaS | PaaS | SaaS | XaaS

Flexible Consumption Models

CONSOLIDATIONVIRTUALISATION

HYBRID

CLOUDS

2000 2010 2015 The Next 5+ Years

AUTOMATION

TRADITIONAL DATA CENTRE

We are here

CLOUD DATA CENTRE

Efficiency

BRKDCN-2040 5

Modern data centers are getting increasingly complex

• Zero trust model

• Multi cloud orchestration

• Application portability

Hybrid cloud

• Increase in east-west traffic

• Expanded attack surface

• Open source

Big and fast data

• Continuous development

• Application mobility

• Micro services

Rapid app deployment

BRKDCN-2040 6

What if you could actually look at every

data packet header that has ever

traversed the network without sampling?

BRKDCN-2040 7

Tetration Analytics Platform Every Packet, Every Flow, Every Speed

BRKDCN-2040 8

Cisco Tetration Analytics™

Network

Pervasive

Visibility

and Forensics

Application

Insight

Policy

Compliance

Cisco Tetration Analytics

Application

Insights

Policy Simulation

and Impact

Assessment

Automated

Whitelist Policy

Generation

Forensics:

Every Packet,

Every Flow, Every

Policy Compliance

and Auditability

BRKDCN-2040 9

Cisco Tetration AnalyticsPervasive Sensor Framework

Provides correlation of data sources across entire application infrastructure

Enables identification of point events and provides insight into overall systems behavior

Monitors end-to-end lifecycle of application connectivity

BRKDCN-2040 10

Information

about Consumer

– Provider and

type of traffic

Detail

information

about the flow

Datacenter Wide Traffic Flow Visibility

BRKDCN-2040 11

Application Discovery and Endpoint Grouping

Cisco Tetration

Analytics™

Platform

BM VM VM BM

Brownfield

BM VM VM VM BM

Cisco Nexus® 9000 Series

Bare-metal, VM, & switch telemetry

VM telemetry (AMI …)

Bare-metal & VM telemetry

Network-only sensors, host-only sensors, or both (preferred)

Bare metal and VM

On-premises and cloud workloads (AWS)

Unsupervised machine learning

Behavior analysis

BRKDCN-2040 12

Whitelist Policy Recommendation

Application Discovery

AppTier

DBTier

Storage

WebTier

Storage

Policy Enforcement(Future Roadmap)

Whitelist Policy Recommendation(Available in JSON, XML, and YAML)

BRKDCN-2040 13

Real-Time and Historical Policy Simulation

• Validating policy impact assessment in real time

• Simulating policy changes over historic traffic

• View traffic “outliers” for quick intelligence

• Audit becomes a function of continuous machine learning

Cisco Tetration

Analytics™

PlatformVM BM

BRKDCN-2040 14

Policy Compliance

• Identify policy deviations

in real-time

• Review and update

whitelist policy with one click

• Policy lifecycle

management

Cisco Tetration

Analytics™

PlatformVM

BRKDCN-2040 15

Tetration Analytics

Servers

Buffer Stats

Process

Compute

Application

InsightsPolicy Forensics

Tetration Analytics EnginePB Scale Secure Appliance

Ecosystem

Partners

Network

Network flows

ation &

BRKDCN-2040 16

Architecture - Sensors

Tetration Analytics Architecture Overview

Analytics Engine

Cisco Tetration

Analytics™

Platform

Visualization and

Reporting

Web GUI

REST API

Push Events

Data Collection

Host Sensors

Network Sensors

3rd-Party

Metadata Sources

Tetration

Telemetry

Configuration

Cisco Nexus®

92160YC-X

Cisco Nexus

93180YC-EX

BRKDCN-2040 18

Pervasive Sensors

Host Sensors NW Sensors 3rd Party

IP Watch Lists

Load Balancers

Linux VM

Windows Server VM

Bare Metal(Linux and Windows Server)

Hypervisors

Containers

Available at FCS Next Generation 9K switches Future releases 3rd party Data Sources

Low CPU Overhead (SLA enforced)

Low Network Overhead (SLA enforced)

Highly Secure (Code Signed, Authenticated)

Every flow (No sampling), NO PAYLOAD

Nexus 9200-X

Nexus 9300-EX

BRKDCN-2040 19

Traditional Monitoring Is Showing Its AgeNot suited for Modern Network and Security Operations

Where Data Is Created Where Data Is Useful

Syslog

Server

Syslog

Collector

Scripts

Storage & Analysis

Strong burden on

back-end

Normalize different

encodings, transports, data

models, timestamps

BRKDCN-2040 20

Streaming Telemetry is a game changerMonitoring becomes a big data problem

Where Data Is Created Where Data Is Useful

• Streaming paradigm

• Dense Sensor Framework

• Increased Data Granularity

• Update on every event

• Multiple Data Sources

Volume – Scale of Data

Velocity – Analysis of Streaming Data

Variety – Different Forms of Data

Removing limitations and

complexity

Big Data and

Machine Learning

Problem

BRKDCN-2040 21

Why Multiple Sensors?Example monitoring temperature in a room

Lamp Sensor Plug Sensor

Heater

BRKDCN-2040 22

Tetration SensorsLocations

9732C-EX

HYPERVISORHYPERVISOR

92160CY-X

93180Y-EX

HYPERVISOR

Software Sensor

Processes & Socket

Packet and Flow Events

Hardware Sensor

Packet and Flow Events

Buffer and Switch State

Tetration Cluster

BRKDCN-2040 23

• Embedded Module (Flow Cache)

• Nexus 92160CY-X

• Nexus 93180Y-EX & 9732C-EX Line Cards

• Extracts Meta-Data from the forwarding pipeline

• No latency impact, no performance impact

Hardware Sensor

PRX LUA LUB

Flow Cache

BRKDCN-2040 24

• Not in the data path

• Sits in User Space

• Designed by Kernel Developers

• Secure

• Code Signed

• SLA Enforcement

• CPU and BW throttling

• FCS availability

• Windows

• 2008 / 2008 R2 / 2012 / 2012 R2

• Linux

• RedHat (5.3+, 6.x)

• CentOS (5.11+, 6.x)

• Ubuntu (12.04, 14.04, 14.10)

Software Sensor

Driver

Network Stack

Application

libpcap

Tetration Sensor

BRKDCN-2040 25

• Tetration Cluster runs an internal PKI

• Root CA is per cluster, inserted at Image creation

• Not accessible outside the cluster

• Cannot connect to an external PKI

• Certificate based authentication is performed for the Control Channel

• CN of the certificate is the IP address

• Certificates are rotated every 60 days

• Sensors are code signed

• Signature Authority is Cisco’s code signing certificate

• Code Signature is validated at process start

PKI within the Cluster/Sensor

BRKDCN-2040 26

How Sensor Communicate with the Cluster the First Time?

Config Server

Collector

Sensor

Register with web server via ssl

Assign UUID

Register with web server via ssl

Download config

Send meta data to collectors

BRKDCN-2040 27

Components & CommunicationHardware Sensor

NXOS Agent

Cisco Nexus 9000

Tetration

Cluster

Control Channel

TCP/443

Sensor Data

UDP/5640

Guest ShellAgent Communication

Unix Socket

BRKDCN-2040 28

Components & CommunicationSoftware Sensor

Software Sensor

LINUX/Windows/…

Tetration

Cluster

Control Channel

TCP-SSL 443

Sensor Data

TCP-SSL 5640

Agent Communication

Unix Socket

BRKDCN-2040 29

• Windows 2008• Datacenter, Enterprise, Essentials,

Standard

• Windows 2008 R2• Datacenter, Enterprise, Essentials,

Standard

• Windows 2012• Datacenter, Enterprise, Essentials,

Standard

• Windows 2012 R2• Datacenter, Enterprise, Essentials,

Standard

• RedHat Enterprise Server• 5.3 & above

• 6.x

• CentOS• 5.11 & above

• 6.x

• Ubuntu• 12.04

• 14.04

• 14.10

Currently Supported Platforms

This list ’will’ grow based on what you need and ask for

BRKDCN-2040 30

Methods to deploy the sensor

BRKDCN-2040 31

Coming soon to a GitHub near you

github.com/datacenter

BRKDCN-2040 32

Architecture - Sensor Data

Looking Beyond ConnectivityApplication Processes and Sockets

Provider/Service ProcessConsumer Process

Socket = 443Socket > 1023

Chrome NGINX

• Application developers implement business logic as code that runs as processes and threads

• TCP/IP which forms a foundation of the Internet was designed to allow these application processes

to interact via sockets

• Application logic can be viewed on one level as the interaction between a group of processes and

their associated sockets

• Understanding the inter-process communication and mapping that directly to the infrastructure

provides a direct correlation between the application and the infrastructure

BRKDCN-2040 34

Looking Beyond ConnectivityApplication Processes and Sockets

#create an INET, STREAMing socket

serversocket = socket.socket(

socket.AF_INET, socket.SOCK_STREAM)

#bind the socket to a public host,

# and a well-known port

serversocket.bind((socket.gethostname(), 80))

#become a server socket

serversocket.listen(5)

#create an INET, STREAMing socket

s = socket.socket(

socket.AF_INET, socket.SOCK_STREAM)

#now connect to the web server on port 80

# - the normal http port

s.connect(("www.mcmillan-inc.com", 80))

Provider/Service ProcessConsumer Process

Socket = 80Socket > 1023

Chrome NGINX

What do we mean by Application VisibilityInternet Stack

Application

Transport

Network

Data Link

Physical

Application

Transport

Network

Data Link

Physical

Network

Data Link

Physical

Network

Data Link

Physical

Sockets

ProcessProcess

Sockets

ProcessProcess

What Does Tetration Sensor CollectSocket Connectivity, the data flows

Application

Transport

Network

Data Link

Physical

Application

Transport

Network

Data Link

Physical

Network

Data Link

Physical

Network

Data Link

Physical

Sockets

ProcessProcess

Sockets

ProcessProcess

What does the Sensor Collect Context

Application

Transport

Network

Data Link

Physical

Application

Transport

Network

Data Link

Physical

Network

Data Link

Physical

Network

Data Link

Physical

Sockets

ProcessProcess

Sockets

ProcessProcess

Process Information:

Which process is it, who started it, etc.

Device Information: Buffer/ACL Drops, etc.

Sensor DataProcess Information

• Host Sensor collects

information about the

consumer and provider

processes

• /proc

• runtime system

information (e.g.

system memory,

devices mounted,

hardware

configuration, etc).

BRKDCN-2040 39

Additional ContextExternal Data Sources

Application

Transport

Network

Data Link

Physical

Application

Transport

Network

Data Link

Physical

Network

Data Link

Physical

Network

Data Link

Physical

Sockets

ProcessProcess

Sockets

ProcessProcess

Tetration

Analytics Engine

CMDB, DNS,

whois, Talos

(future), etc.

Pervasive Sensors

What does the Sensor CollectSocket Level Flow Information + Context Information

• Understanding of what happens TO ‘and’ INSIDE a flow

• Distributions (packet sizes, TCP windows…)

• Burstiness

Length

Accumulated Flow Information (Volume…)

Per Packet Variations

• Anomaly detection

• Latency (application and network)

• Events

• VXLAN information

BRKDCN-2040 41

Full vs. Sampled What happens when you sample?

Full Packet Stream

Flow A

Flow B

Flow C

SYN SYNACK ACK FIN

Flow D

BRKDCN-2040 42

Full vs. Sampled Reasons and Use Cases for Both

• Sampling has it’s use cases, in SP environments for example

• High Volume, no behavioral analysis

• Sampling provides a good statistical model

• For Trends

• For Traffic Visibility

• For Volume Indication

• Depending on the number of flows and type of flows

• Mice flows can go completely unseen

• Connection Oriented flows may not be tracked properly (missed flags)

• Accuracy of the flow increases with the packet count

• Type of sampling and quality of entropy

• Entropy is very important

Sampled Full

BRKDCN-2040 43

Tetration Examines every packet

Full Packet Stream

• Variability ’within’ the flow

• Variability ‘between’ the flows

• Changes ‘within’ the flow

BRKDCN-2040 44

Ethernet

Header

Ethernet

Header

HeaderPayload

Ethernet

Header

HeaderPayload

Ethernet

Header

HeaderPayload

Meta-Data – Including Overlay VXLAN/GRE/IPinIP Encapsulated Header

Privacy Risk

Collects the Meta-Data not the Packet

BRKDCN-2040 45

• COS

• Overlay Type (Native, 802.1q / 802.1p, VXLAN, iVXLAN, NVGRE, NSH, other)

• Source TEP or Port ID

• Destination TEP

• Disposition (RPF or Port Security failure, Policy drop, redirect or span)

• Port type (spine to leaf or leaf to host)

Sensor DataFlow Data – Forwarding

BRKDCN-2040 46

• Bytes, Packet Count

• IP options present

• IP length error

• DF bit set

• Fragment seen

• Last TTL

• Accumulated TCP flags

• Last ACK / SEQ

• Sampled Packet length

• Sampled Packet ID

Sensor Data Accumulated Flow Information

BRKDCN-2040 47

• Flow Cache has the notion of “bins” to build histograms

• TCP options length (8 bits)

• Payload length (12 bits)

• Receive window (6 bits)

• This means more visibility on the activity of flow

• Bin sizes are configurable

• Bins don’t need to be of equal size (but need to be contiguous)

• Last bin will capture the configured size and above

Sensor Data Histogram Bins

1 0 1 0 1 0 0 0

82 bits

0 bits

165 bits

Export

0 0 1 1 1 0 0 0

82 bits

130 bits

165 bits

Export

=Histogram of

the flow

BRKDCN-2040 48

• Measure the “burstiness” of a flow

• Current Burst

• Max Burst

• Burst Index

• Flowlets

• Burst are measured in 32k interval

• Each export period is divided by 128

• Flowlets are activity after a silence period (configurable)

Sensor Data Burst

0 1 2 3 128

Current – 128

Max – 128

Burst Index - 0

Current – 256

Max – 256

Burst Index - 3

Current – 1024

Max – 1024

Burst Index - 80

Current – 32

Max – 256

Burst Index - 3

Current – 0

Max – 1024

Burst Index - 80

Max Burst occurred at 62.5ms with a value of 1024 and 2 flowlets

SilenceFlowlet #1 Flowlet #2

BRKDCN-2040 49

• TTL changed

• IP reserved flags are not 0

• DF bit has changed

• Ping of death

• Fragment is too small to contain L4 header (TCP, UDP and SCTP)

• TCP SYN and FIN are set

• TCP SYN and RST are set

• TCP FIN, PSH and URG are set

• TCP flags are zero’d

• TCP SYN with data

• TCP FIN with no ACK

• TCP RST with no ACK

• TCP SYN, FIN, RST and ACK zero’d

• URG set but no URG pointer

• URG pointer with no URG flag

• TCP seq outside the expected range

• TCP seq is less than expected (rexmit)

Sensor Data Anomaly List

BRKDCN-2040 50

• Way of approximating the RTT based on specific packet characteristics

• Preset ACK & SEQ

• Approximation as this includes the OS network stack

• Uses sampling, sample taken every 8192 bytes (by default, configurable)

• Tracks ACK for these specific SEQ and creates an event for each

• By using this global configuration, if return path is via another switch the ACK is still tracked

Sensor Data Events RTT Sample

BRKDCN-2040 51

RTT Sample – Example

TCP SEQN 8192

Event Triggered

TCP SEQN 100

Event time stamped

TCP ACK 100 TCP ACK 8192

Event time stamped

RTT = Event ACK TS – Event SEQ TS

BRKDCN-2040 52

• Mouse Packet

• Export the first “n” packets of a flow (configurable)

• Analytics Changed

• A parameter of the flow has changed (bit mask comparison), 1 mask configurable

• Packet Value Match

• A packet field contains a specific value, 1 field configurable (mask + value)

Sensor Data Events

BRKDCN-2040 53

• Let’s take this Web page request as an example

• Assumption is that it’s the first connection, this is a new flow

• One flow is created per direction

Sensor Data Example

76 77 78 79 82 83 84 85 86 88 89

Flow Export

Flow A A A A A AB B B B B

BRKDCN-2040 54

First Packet Event

76 77 78 79 82 83 84 85 86 88 89

Event Triggered

BRKDCN-2040 55

Mouse Packet Event

76 77 78 79 82 83 84 85 86 88 89

Length 78 74 66 178 66 1299 66 66 66 66 66

• n = 2 (2nd packet of a flow, within an export interval)

Event Triggered

BRKDCN-2040 56

Analytics Changed Event

76 77 78 79 82 83 84 85 86 88 89

Event Triggered

• Bitmask = sampled packet length (in the flow analytics TCAM)

Length 78 74 66 178 66 1299 66 66 66 66 66

Sampled 78 78 66 66 66 1299 66 66 66 66 66

BRKDCN-2040 57

Packet Value Match Event

76 77 78 79 82 83 84 85 86 88 89

Event Triggered

TTL 64 58 64 64 58 58 64 64 58 58 64

• TTL = 64

BRKDCN-2040 58

Pervasive VisibilityFlow Search and Forensics

Architecture - Cluster

Tetration Analytics Architecture Overview

Analytics Engine

Cisco Tetration

Analytics™

Platform

Visualization and

Reporting

Web GUI

REST API

Push Events

Data Collection

Host Sensors

Network Sensors

3rd-Party

Metadata Sources

Tetration

Telemetry

Configuration

Cisco Nexus®

92160YC-X

Cisco Nexus

93180YC-EX

BRKDCN-2040 66

The Analytics ClusterComponents

• Hadoop Based Platform

• Self managed

• One touch deployment

• Tiered System

• Heavy Compute for Machine Learning

• Caching for light speed queries

• Extensibility (future)

• Messaging Bus

• API Access

Long Term Storage

(Data Lake)

Caching

(Search)

Front End

Compute

(Data Cleaning and

Analytics)

BRKDCN-2040 67

• The Analytics Cluster operates as an appliance

• Avoids the need for in house Big Data, Analytics expertise

• Supported by Cisco TAC

• Self Monitoring

• The cluster leverages a sensor architecture to track it’s state and provides event based notifications for

• Software upgrades and full install are all automated

The Analytics ClusterAppliance

BRKDCN-2040 68

Cluster Monitoring and Maintenance

Collector Monitoring and Maintenance

Sensor Monitoring and MaintenanceSensor Throttled

Hardware Sensor Monitoring

FCS Analytics Cluster Configurations

4 x 3-Phase PDU

22.5 KW Peak Power

4 x 1-Phase PDU

11.5 KW Peak PowerBRKDCN-2040 73

Options for Future Cluster Models

Analytics EngineThe Platform

• Hadoop Based Platform

• Self managed

• One touch deployment

• Tiered System

• Heavy Compute for Machine Learning

• Caching for light speed queries

• Extensibility (future)

• Messaging Bus

• API Access

Long Term Storage

(Data Lake)

Caching

(Search)

Front End

Compute

(Data Cleaning and

Analytics)

BRKDCN-2040 75

Front EndGUI, RESTful API, Messaging BUS

• Servers hosting

front end

processes

• GUI and

Operational

Interfaces

• RESTful API

(post FCS)

• Messaging BUS

(post FCS)

Data ProcessingPipeline

• Data Ingest and Processing

• Multiple Pipelines for different processing activities

• Scaled to Millions of events per second

Caching LayerNatural Language Search

Caching LayerSearch

• Caching Layer provides a large in memory and flash based data store for real time searches

e.g. 16 weeks of policy delta data accessible for real time search

Data Lake HDFS Storage

• Long Term Storage for collected observations, for pipeline processing tasks, etc

• Usage is based on

• Time Based Retention

• Space Based Retention

• Greedy Retention

• Max possible Retention period will depend on cluster size and observation rate

14.10 K hours of available capacity at the current collection rates (587 days)

BRKDCN-2040

Standard Data Analytics PipelineTetration Data Analysis

Prep &

cleansing

Aggregation

Statistical Analysis

Prediction Tools

Automated

Discovery&

Evaluation

Reporting,

Visualization

or Alerts

De-duplication, unification of uni-directional flows into bi-directional,

annotate flows with context information, etc.

Sensor Collectors

Various Pipelines (e.g. ADM) process the data to derive

appropriate insights

GUI, REST API, Kafka, Policy Export, …

BRKDCN-2040 81

Data Collection Sensor to Collector

Prep &

cleansing

Aggregation

Prediction Tools

Automated

Discovery&

Evaluation

Reporting,

Visualization

or Alerts

Data Prep

Prep &

cleansing

Aggregation

Prediction Tools

Automated

Discovery&

Evaluation

Reporting,

Visualization

or Alerts

• De-duplication, unification of uni-directional flows into bi-directional, annotate flows with context information, etc.

Collector

Application

Transport

Network

Data Link

Physical

Application

Transport

Network

Data Link

Physical

Network

Data Link

Physical

Network

Data Link

Physical

Sockets

ProcessProcess

Sockets

ProcessProcess

Analyzing the Data

Prep &

cleansing

Aggregation

Prediction Tools

Automated

Discovery&

Evaluation

Reporting,

Visualization

or Alerts

• Endpoints are iteratively compared with each other to find which “profiles” are most similar

• Sensor Data: Ports provided and consumed, Addresses sent and received from, Properties of network flows, Running processes, Process originating flow, Hostname,

• External Context: Load balancers / DNS / route tags

• Human approved clusters from current or other workspaces and base cluster definition

• This is an example of where we use machine leaning

Machine Learning

Cognitive Computing - Finding and remembering all the

relationships between data, querying the matrix of relationships

(Watson)

Machine Learning - Remember what has happened before and

then look at new data coming in that context to try and find

patterns, build up a body of knowledge and then use that data to

make a decision based on the new data. Can machines

remember and apply what they remember to new data

Deep Learning - Not trying to maintain data and relationships

over time but analyze that data through better representations

and create model to learn these representations from large scale

unlabeled data. Succession analysis

BRKDCN-2040 85

Machine Learning

A "Field of study that gives computers the ability to learn

without being explicitly programmed“ Arthur Samuel (1959)

The programmers construction of algorithms that can learn from and make

predictions on data (as opposed to static programming instructions).

7:00 am = 65 degrees

How warm will it be at 8:30 am tomorrow?

77.5 degrees

Supervised learning: Linear regression , Logistics regression, SVMs

Unsupervised learning: K-means, PCA, Anomaly detection

BRKDCN-2040 86

ADM ClusteringMachine Learning Example

Randomly initialize cluster centroids

Repeat {for = 1 to

:= index (from 1 to ) of cluster centroid closest to

for = 1 to := average (mean) of points assigned to cluster

K-means AlgorithmFinding the Clusters

BRKDCN-2040 88

SilhouettingValidation of the Cluster

https://en.wikipedia.org/wiki/Silhouette_(clustering)

• The silhouette value is a measure of how similar an object is to its own cluster (cohesion) compared to other clusters (separation)

• Produces a higher degree of probability that the clustering is representational

BRKDCN-2040

Results of the Clustering Machine Learning

BRKDCN-2040

Tuning Cluster GranularityTuning the Algorithms

1 2 1 1 1

BRKDCN-2040 100

Analyzing the DataFitting the Curve

Prep &

cleansing

Aggregation

Prediction Tools

Automated

Discovery&

Evaluation

Reporting,

Visualization

or Alerts

• Every data set (e.g. flow) is examined to find the best function that describes it’s behaviour

• Comparison within and between ‘flows’ can be used to find ‘outlier’ or anomaly conditions

Visual Query with Flow Exploration

Replay flow details like a DVR

Information mapped across 25 different dimensions

Thick lines indicate common flows

Faint lines indicate uncommon flows

OutliersWhat does ot look like it ‘fits’

• Switch on Outlier view to

highlight uncommon flows

• Outlier dimension is

highlighted with purple

circle

BRKDCN-2040 103

Tetration Application Insight

Why This Approach Is Different

App Insight derived based on actual communication

Automated grouping of similar endpoints in a cluster

Flexibility of using hardware or software sensors

Keep your App Insight up-to-date based on application evolution

BRKDCN-2040 105

Dependencies

Why should I understand them?

106BRKDCN-2040

Why should I understand

What can I do with this information?

107BRKDCN-2040

Why should I understand dependencies?

Identify a single point of failure that should be replicated

Find all the parts of a service that should be migrated together to the cloud

Replace infrastructure components of an undocumented application

ACI application profiles, end point groups, and contracts based on applications

BRKDCN-2040 108

Load Balancer Database

Application Dependency Mapping

BRKDCN-2040 109

Understand the communication

BRKDCN-2040 110

Initial recommendations

Load BalancerApp

DatabaseCache

BRKDCN-2040 111

Optional and minimal human supervision

Load Balancer

Database

CacheBRKDCN-2040 112

Approve the clustering

Load Balancer

Database

BRKDCN-2040 113

Enforcement Anywhere

Tetration

Analytics™

Cisco ACI™ and Cisco Nexus® 9000 Series

Standalone

Linux and Microsoft Windows

Servers and VM

PublicCloud

Whitelist policyWhitelist policy{

"src_name": "App",

"dst_name": "Web",

"whitelist": [

{"port": [ 0, 0 ],"proto": 1,"action": "ALLOW"},

{"port": [ 80, 80 ],"proto": 6,"action": "ALLOW"},

{"port": [ 443, 443 ],"proto": 6,"action":

"ALLOW"}

• Cisco ACI EGP/Contract Integration via Cisco ACI Toolkit

• Traditional Network ACL

• Firewall Rules

• Host Firewall Rules

Amazon

Services

Microsoft

Google

BRKDCN-2040 115

Application Centric, Okay but how do I get there?

Policy Creation Flow

Export Clusters and Policies in JSON/XML format

Import Policy using ACI Toolkit

Automatic creation of EPGs and Contracts

ACI Toolkit

DataNetwork

Policy

Application Policy

Nexus 9K

Cisco TetrationAnalytics™

BRKDCN-2040 117

ACI Toolkit• Simple toolkit built on top of APIC API

• Set of simple python classes

• Python Library

• Used to generate REST API calls

• Runs locally

• Small number of classes

• ~30 currently

• “Intuitive” names

• Not full functionality, most common

• Focused primarily on configuration

• Preserves ACI basic concepts

• Tenants, EPGs, Contracts, etc.

ACI Toolkit

Commands

Custom

Python

Scripts

BRKDCN-2040 118

• Runs as a command line tool or a REST service. The initial expected usage is as a command line tool.

• https://github.com/datacenter/acitoolkit/tree/master/applications/configpush

• Command line tool is here:

• https://github.com/datacenter/acitoolkit/blob/master/applications/configpush/apic_tool.py

• Takes the JSON provided by Tetration and pushes to the APIC. It requires the APIC credentials and which tenant/app profile to place the EPGs.

• https://acitoolkit.readthedocs.io/en/latest/

Configpush Application

BRKDCN-2040 119

• python apic_tool.py -husage: apic_tool.py [-h] [--maxlogfiles MAXLOGFILES]

[--debug [{verbose,warnings,critical}]] [--config CONFIG][-u URL] [-l LOGIN] [-p PASSWORD] [--displayonly][--tenant TENANT] [--app APP]

• optional arguments:-h, --help show this help message and exit--maxlogfiles MAXLOGFILES Maximum number of log files (default is 10)--debug [{verbose,warnings,critical}] Enable debug messages.--config CONFIG Configuration file-u URL, --url URL APIC IP address-l LOGIN, --login LOGIN APIC login ID.-p PASSWORD, --password PASSWORD APIC login password.--displayonly Only display the JSON configuration. Do not

actually push to the APIC.--tenant TENANT Tenant name for the configuration--app APP Application profile name for the configuration

Configpush Application Syntax

BRKDCN-2040 120

Policy Simulation and Compliance

We know the expected communication

BRKDCN-2040 122

Publish, export, and enforce Policy

Load BalancerApp Database

172.31.185.158

172.31.185.152

172.31.185.154

172.31.185.156

172.31.185.149

172.31.185.150

172.31.185.151

BRKDCN-2040 123

172.31.185.158

172.31.185.152

172.31.185.154

172.31.185.156

172.31.185.149

172.31.185.150

172.31.185.151

Load Balancer

Provides Port 3306

BRKDCN-2040 124

172.31.185.158

172.31.185.152

172.31.185.154

172.31.185.156

172.31.185.149

172.31.185.150

172.31.185.151

Database

Provides Port 3306

Load Balancer

Provides Port 3306

BRKDCN-2040 125

But how do we map this to real life?

172.31.185.152

172.31.185.154

172.31.185.156

172.31.185.149

172.31.185.150

172.31.185.151

BRKDCN-2040 126

172.31.185.158

172.31.185.152

172.31.185.154

172.31.185.156

172.31.185.149

172.31.185.150

172.31.185.151

BRKDCN-2040 127

172.31.185.158

172.31.185.152

172.31.185.154

172.31.185.156

172.31.185.149

172.31.185.150

172.31.185.151

Misdroppedpackets!

BRKDCN-2040 128

172.31.185.158

172.31.185.152

172.31.185.154

172.31.185.156

172.31.185.149

172.31.185.150

172.31.185.151

Escaped out of policy flow!

Misdroppedpackets!

BRKDCN-2040 129

What was seen

on the network

that was out of

Policy

Permitted Traffic

Seen on the

network

Policy Compliance Verification & Simulation

Summary

ACI Architecture

Intent (May)

Assurance (Can)Analytics (Did)

Configuration Analysis

“Very Large State-Space”

Traffic Analysis

“Lots of Data”

Guarantees

Compliance

Consistency

Security

Forensics

BRKDCN-2040 134

Summary

Pervasive flow

telemetry that

supports

infrastructure for

multiple data

centers at scale

Ready-to-use

solution to address

critical data center

operational

use cases

Self-monitoring

and eliminate the

need for

in-house big data

expertise

Open platform

and northbound

APIs enable

transparent

integration

Accelerated

adoption and

comprehensive

Solution

support with

Services

BRKDCN-2040 135

Complete Your Online Session Evaluation

Learn online with Cisco Live!

Visit us online after the conference

for full access to session videos and

presentations.

www.CiscoLiveAPAC.com

Give us your feedback and receive a

Cisco 2016 T-Shirt by completing the

Overall Event Survey and 5 Session

Evaluations.– Directly from your mobile device on the Cisco Live

Mobile App

– By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/ciscolivemelbourne2016/

– Visit any Cisco Live Internet Station located

throughout the venue

T-Shirts can be collected Friday 11 March

at Registration

BRKDCN-2040 137

Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions

138BRKDCN-2040

Thank you

Tetration Analytics - Network...

Documents

Transcript of Tetration Analytics - Network...

Cisco Tetration ServiceNow Solution Overview · Cisco Tetration Analytics and ServiceNow Solution | Solution Overview 3 The solution provides complete stack service dependency mapping:

Cisco Tetration Analytics & Tufin Orchestration Suite · 2019-01-15 · Cisco Tetration Analytics ™ & Tufin Orchestration Suite The Cisco Tetration Analytics platform uses advanced

Cisco Tetration...Cisco Tetration Analytics Demo Ing. Guenter Herold Area Manager Datacenter Cisco Austria GmbH 15. –16. marec 2017| Cisco Connect | Portorož, Slovenija Agenda Introduction

Monitoring Cisco Tetration Analytics (PowerPack version 103)Monitoring Cisco Tetration Analytics (PowerPack version 103) Author: ScienceLogic, Inc. Created Date: 9/25/2019 10:10:19

Solving for the Analytic Piecewise Extension of Tetration ...andydude.github.io/tetration/archives/tetration2/... · where t(x, y) is the critical function of tetration, and s(x,z)

Tetration - Datacenter Analytics - · PDF file

Cisco Tetration Analytics 2.1.1.31 API Configuration Guide · OpenAPI Authentication — Cisco Tetration Analytics 2.0 documentation Next cluster Users, roles and scope management

Платформа Cisco Tetration Analytics...Платформа Cisco Tetration Analytics Платформа Cisco Tetration Analytics для центров обработки данных

Cisco Datacenters Get Pervasive Visibility and Reduced ... · ©2016 IDC #US41485516 2 To address thesechallenges, Cisco is turning to Tetration Analytics (Cisco Tetration), its turnkey

Vnomic with Cisco ACI and Cisco Tetration Analytics ...Cisco Tetration Analytics dramatically simplifies customers’ zero-trust implementations. Moreover, the platform provides visibility

Cisco Tetration Analytics & Tufin Orchestration Suite · 2017-10-07 · Cisco Tetration Analytics & Tufin Orchestration Suite Solution The Cisco Tetration Analytics platform uses

TechWiseTV Workshop: Tetration Analytics

IDC Business Value Brief: Cisco Tetration Analytics

Платформа Cisco Tetration Analytics

Enhanced security and operations with real time analytics · Le Anh Duc Solution Architect - ASEAN 11 Jan 2018 How to strengthen DC Security with Cisco Tetration Analytics Enhanced

Cisco Connect 2018 – Презентация...Tetration Analytics Business iQ SparkPlatform (SparkBoard, Spark Assistant) Партнерские отношения с GCP, Azure

Cisco Tetration

Cisco Tetration Analytics and AlgoSec: Business ... · Cisco Tetration Analytics and AlgoSec | Solution Overview 3 The integrated solution offers these main features: • Automatically

Cisco Tetration Analytics 플랫폼 · Cisco Tetration Analytics™ 플랫폼(그림 1)은 자동 기계 학습, 행동 패턴 분석, 알고리즘 중심 전략을 통해 이와

TIBCO Spotfire Network Analytics 1 · Introduction. 4 (34) TIBCO® Spotfire® Network Analytics 1.1. 1 Introduction. Welcome to TIBCO ® Spotfire ® Network Analytics! Network Analytics