In our earlier blog, we looked at how Cisco ACI customers can accelerate security management within their ACI environments, to further enhance visibility and agility. But no network is an island: an organization’s virtualized ACI fabric is likely to co-exist with both physical networks and cloud deployments. And the applications which power the business are likely to span all of those environments, which creates real challenges in managing application connectivity and security from end to end.
For example, organizations often integrate other security devices with the ACI fabric for added protection, deploying firewalls on the perimeter of the data center, or within the data center to perform stateful inspection and provide an additional layer of security for east-west traffic. However, this integration between ACI and other firewalls within or on the edge of the data center will be limited in nature.
So, while it may be possible to define a dynamic object group within the firewall so that it associates with a tagged virtual machine in the software-defined data center, the integration will not automatically create a new security rule if new connectivity is required for a business application. This means any such rule changes would have to be added manually.
Furthermore, a business application that uses resources within the data center will almost always depend on resources outside the data center – such as client machines or other servers, requiring connectivity with the wider network. Supporting this has a knock-on effect on devices further away from the data center, which ACI cannot integrate with.
The result is that if business application owners want to add new applications, or make changes to existing ones, ACI can be used to manage the required filtering and connectivity changes inside the data center – but cannot manage the changes that are needed on devices outside the data center. The end result is a hybrid environment which requires several different management consoles and techniques to control it, meaning that security policy change processes become complex, and restrict the benefits of SDN in the process. So how can these issues be addressed?
Holistic security management across your environment
The answer is to use a security policy management solution to extend the required visibility, automation and control over change processes across the organization’s entire network estate – whether on-premises, in the ACI fabric, or in public clouds. Just as security policy management increases visibility and accelerates policy change automation in ACI environments, it extends visibility and orchestration of security management across an organization’s entire physical, virtual and cloud environment.
Using a solution such as AlgoSec’s, which is aware of all the security and network devices both within the ACI software-defined data center and outside it, the organization’s security and IT teams can coordinate and harmonize the management of Cisco ACI contracts and policies across all of their networks, whether physical or virtual.
For example, network and security teams can get complete visibility into the Cisco ACI security contracts and extend ACI’s policy-based automation across the enterprise network. If any changes are planned to ACI contracts, rules or policies, the teams can then assess how those changes will impact business applications and other security controls on the rest of the enterprise network, outside the data center. This capability eliminates the risks of misconfigurations and outages by enabling the impact of any changes to be assessed before they are made. It also ensures that security teams have holistic visibility and control over their entire environment through a single pane of glass – accelerating security processes and overall business agility.
Using AlgoSec, security teams can also automatically generate a full range of risk and compliance reports covering their organization’s entire network, not just their ACI environment. This approach delivers software-defined security across the organization’s hybrid network, enabling it to get the maximum value from its investment in SDN.
To find out more about how AlgoSec can harmonize the security management of your ACI deployment alongside the rest of the network, watch this webinar with our VP of Technology Anner Kushnir.