New SDN Solution Provides Greater Network Security and Agility

Enterprise data centers face constantly evolving application needs and complex traffic variance. Cisco’s application-centric infrastructure (ACI) provides the missing link that finally lets applications guide networking behavior.

Here’s why: ACI is based on tight integration between physical and virtual elements. When software-defined networking (SDN) depends on software only, networks can experience workflow bottlenecks since traffic has to flow through virtual routers and edge gateways.

ACI eliminates this dynamic since its workloads can reside anywhere on the network fabric, creating a network administrator’s dream: consistent, predictable network performance.

A few key components of ACI networking include:

  • Unification of data center and cloud infrastructure
    With ACI, programming focuses on application provisioning, including all the networking, security and application services infrastructure. In addition, it optimizes the network fabric for both virtual and physical workloads/connections. This model also extends to servers and storage to bring together the entire data center and cloud infrastructure.
  • Centralized control of numerous endpoints
    ACI technology is designed to work seamlessly across virtual and physical machines, with policies that follow applications wherever they reside. Most SDN-type controllers use OpenFlow for data path manipulation, which creates an imperative control plane with no control or intelligence embedded in the data path. ACI uses a controller called the APIC (Application Policy Infrastructure Controller), which centralizes policy and pushes some of the intelligence into the data path.
  • Advanced security
    The APIC also enables integration of third-party services for advanced security, load balancing, and monitoring from a variety of vendors and products, which plug into administrator-defined policies within the ACI architecture. This includes integration with different cloud environments via northbound APIs on the APIC.

Because it is based on a declarative, integrated overlay model, ACI can render policies on a Nexus 9000 switch, an Open vSwitch (OVS), and/or a GOLF device. This means less infrastructure and increased speed, availability, and visibility for data throughput across the network.

The Many Business Benefits of ACI

ACI delivers benefits that improve operational agility, cost structures, and growth. Most businesses can realize all the following benefits of a properly implemented ACI architecture:

  • Support for rapid application change by reducing complexity through a framework that can automate virtual and physical infrastructure provisioning and simplify resource management
  • Automation of daily operational tasks to reduce errors and operational costs
  • Improved user application experiences through quicker response times
  • Reduced application deployment times, from weeks to minutes, to improve IT alignment with business objectives and policy requirements
  • Greater agility through policy-driven automation for cloud deployments
  • Stronger infrastructure security, visibility, and analytics for regulatory compliance
  • Integration across multiple cloud providers for common network management across hybrid environments, allowing granular security policies and application management
  • A single provisioning point
  • Physical and virtual workload connectivity and visibility
  • No need for additional software for hypervisor compatibility and integration
  • Portable configuration template creation
  • Simplified mapping of application architecture into the network configuration
  • Firewall, load balancer and other L4-7 service insertion and automation

One of the foundational aspects of SDN and now ACI is having an advanced and agile network security framework. ACI takes that security possibility to the next level with a more refined approach to network micro-segmentation.

Agile Security with Cisco ACI’s Micro-Segmentation Approach

One of the biggest drawbacks of traditional non-SDN networks is that security requires hardware-based firewall solutions that gate access by IP address or other security policies. This means that physical changes to the network environment will nullify the existing applied policies.

Firewall access control lists can have millions of rules. This makes it impossible to individually define and manage each device and user, or to configure the network for every application and IP address. As more users and devices join the network via IoT and branch locations, and as businesses continue to evolve their business-critical applications, a completely new approach to security is called for.

Among the many architectural and security benefits of SDN, micro-segmentation (dividing the network into smaller protection zones) has become an important tool. This is another area where ACI has ushered in a new approach, protecting groups of workloads through automation and micro-segmentation. ACI also extends that ability across multisite environments, so that policy-driven automation can be pushed out to multiple data centers for application mobility and disaster recovery.

Cisco’s micro-segmentation approach lets administrators set up groups of endpoints that can apply to a mix of virtual machines or physical servers. These can be grouped and named regardless of their IP address. Once the groups are defined, security and forwarding policies can be dynamically assigned.

The ability to define groups that share policy needs means those policies can be enforced everywhere. Group-based policy management, and the micro-segmentation it provides, is an increasingly important security measure. As applications, devices, and users become more distributed, threats become more sophisticated and debilitating. Segmentation via ACI can deliver numerous benefits, including:

  • Extending group management to campuses, branches, and virtual private networks
  • Automatic configuration of the data center network infrastructure based on defined policies
  • Persistent security regardless of how or where the workload is moved including across cloud domains
  • Workload security policy programming based on importance or sensitivity
  • Automated response security policy programming such as shutting down access if data is inappropriately accessed
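As an added illustration (not Cisco code and not the APIC API), the following Python model contrasts the IP-keyed access lists described above with the group-based approach: the endpoint, group and contract names and all addresses are constructed, and the point shown is that when a workload is re-addressed the IP rule silently stops matching while the group-based policy still applies.

```python
from dataclasses import dataclass
import ipaddress


@dataclass
class Endpoint:
    """Constructed endpoint record; group membership is independent of the address."""
    name: str
    ip: str
    epg: str


@dataclass
class Contract:
    """Constructed contract: the consumer group may reach the provider group on a port."""
    consumer: str
    provider: str
    port: int


class GroupPolicy:
    """Permits traffic only where a contract links the two endpoints' groups (default deny)."""
    def __init__(self, contracts):
        self.contracts = {(c.consumer, c.provider, c.port) for c in contracts}

    def allows(self, src, dst, port):
        return (src.epg, dst.epg, port) in self.contracts


class IpAcl:
    """Traditional rule list keyed on source/destination prefixes (default deny)."""
    def __init__(self, rules):
        self.rules = [(ipaddress.ip_network(s), ipaddress.ip_network(d), p) for s, d, p in rules]

    def allows(self, src, dst, port):
        s, d = ipaddress.ip_address(src.ip), ipaddress.ip_address(dst.ip)
        return any(s in sp and d in dp and port == p for sp, dp, p in self.rules)


def demo():
    """Same intent expressed both ways; then the web workload moves to a new subnet."""
    web, db = Endpoint("web1", "10.1.1.10", "web"), Endpoint("db1", "10.1.2.20", "db")
    policy = GroupPolicy([Contract("web", "db", 3306)])
    acl = IpAcl([("10.1.1.0/24", "10.1.2.0/24", 3306)])
    before = (policy.allows(web, db, 3306), acl.allows(web, db, 3306))
    moved = Endpoint("web1", "10.9.9.10", "web")   # re-addressed, still in group "web"
    after = (policy.allows(moved, db, 3306), acl.allows(moved, db, 3306))
    return before, after   # ((True, True), (True, False))
```

The reverse direction (db to web) has no contract and is denied by both models, which is the default-deny behaviour a segmentation policy should keep regardless of where a workload lands.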

Ultimately, ACI provides businesses with an easily configured and managed end-to-end segmentation and policy enforcement approach. But getting from a list of perceived benefits to true implementation requires setting the right course.

Plotting a Course to ACI Implementation

Today, enterprises have so many options with SDN and ACI that it can be difficult to know where to begin the integration process. Addressing this requires a partner with expertise in both traditional and new networking approaches, who can then support development of a clear implementation plan and how to make it a reality.

Acadia Technology Group brings a proven track record in helping enterprises capitalize on the advantages of software-defined networking along with traditional networking technology. Contact us today to learn how we can partner with you to create tangible improvements in your enterprise operations through custom network design.