"Cisco's ACI delivers centralized application-driven policy automation and management of, and visibility into, both physical and virtual environments as a single system. It is optimized to support an "application anywhere" model, with complete freedom of application movement and placement. This novel approach empowers IT teams to offer cloud-based services to their customers directly, with the associated service-level agreements (SLAs) and performance requirements for the most demanding business applications."
Cisco's ACI architecture brings new challenges to the security domain in the data center. In this short blog I will try to address some of the security challenges facing the Insieme group responsible for developing ACI.
Automation

With the ACI solution, Cisco aims to solve the slowness of the IT department by automating the way applications are deployed in the data center.

To deploy a new application, ACI uses an "application profile". This profile contains all the details needed from the network perspective, such as VLAN connectivity, routing, compute, storage and security. It is analogous to the service profile in the UCS world.
Let's take, for example, the deployment of a SharePoint application with ACI. Is the security policy for an internal SharePoint the same as for an internet-facing SharePoint? Different applications will need different custom security policies.
APIC - Control Plane

The APIC uses control-plane protocols to talk with the other entities it manages. The APIC needs to provision and configure them, and to measure them for health status checks.

There must be a strong authentication method for new devices connecting to the APIC control plane, and the connection must be secured with very strong and fast encryption.
Attacking the APIC

One of the most common attack methods used to take down a public service is a distributed denial-of-service (DDoS) attack. The APIC will need an internal mechanism to protect itself from this form of attack.
Compromise of the APIC

The APIC is the heart of the ACI architecture; one of the biggest threats to the whole ACI architecture is unauthorized access to, or compromise of, the APIC that controls all the entities.

The OS of the APIC will need to be built from a hardened custom kernel instead of a public Linux kernel, with a minimum of open services.

The IP addresses allowed to access the APIC need to be narrowed to a few specific management IPs.
Northbound interfaces API

One of the keys of ACI is the ability of third-party applications to communicate with the APIC. The northbound interface allows cloud management systems like OpenStack or Cloupia to program and orchestrate the APIC.

What if an attacker manages to inject a malicious script into a third-party solution, which then returns that script in an API response that you are handling?
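As an added example (not from the original post and not Cisco's or any orchestrator's own code), here is how a consumer of such a northbound API can treat the response as untrusted input: the orchestrator, its JSON response shape and the profile fields are assumptions, every field is checked against an allowlist before it is used, and values are HTML-escaped again when rendered so an injected script never reaches a management page as markup.

```python
"""Defensive handling of a northbound API response from a third-party orchestrator."""
import html
import json
import re
from typing import Optional

# Constructed sample of what a hypothetical cloud-management system might return
# when asked for the application profiles it has pushed to the APIC.
# The second entry carries a script payload instead of a plain name;
# the third has a VLAN id outside the valid range.
SAMPLE_RESPONSE = json.dumps({
    "profiles": [
        {"name": "sharepoint-internal", "tier": "internal", "vlan": 110},
        {"name": "<script>alert(1)</script>", "tier": "external", "vlan": 120},
        {"name": "sharepoint-dmz", "tier": "external", "vlan": 4096},
    ]
})

# Allowlist: the only keys, value shapes and ranges accepted from the remote system.
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")
ALLOWED_TIERS = {"internal", "external"}

def validate_profile(raw: dict) -> Optional[dict]:
    """Return a cleaned profile, or None if any field falls outside the allowlist."""
    if set(raw) != {"name", "tier", "vlan"}:
        return None
    name, tier, vlan = raw["name"], raw["tier"], raw["vlan"]
    if not (isinstance(name, str) and NAME_RE.match(name)):
        return None
    if tier not in ALLOWED_TIERS:
        return None
    if not (isinstance(vlan, int) and 1 <= vlan <= 4094):
        return None
    return {"name": name, "tier": tier, "vlan": vlan}

def parse_response(body: str) -> tuple[list, list]:
    """Split a northbound response into accepted profiles and rejected raw entries."""
    data = json.loads(body)
    accepted, rejected = [], []
    for entry in data.get("profiles", []):
        cleaned = validate_profile(entry) if isinstance(entry, dict) else None
        if cleaned:
            accepted.append(cleaned)
        else:
            rejected.append(entry)  # keep the raw entry for logging/alerting
    return accepted, rejected

def render_row(profile: dict) -> str:
    """Escape on output as a second layer, even for values that passed validation."""
    cells = "".join(f"<td>{html.escape(str(v))}</td>" for v in profile.values())
    return f"<tr>{cells}</tr>"
```

Rejected entries are worth logging with their source, since a script payload in a profile name is a sign the upstream system itself has been tampered with.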
Very Nice Blog !!
Thanks for sharing this great, informative information.
Keep up sharing...
Infrastructure Security Mexico