Wednesday, April 30, 2014

Catbird Integrates with Cisco Application Centric Infrastructure (ACI)

New Partnership brings Policy Automation, Enforcement & Audit to Network Security and Compliance for Software-Defined Networks (SDN)


The integration of the Cisco ACI architecture with Catbird delivers an asset-based approach for compliance automation and enforcement. Catbird organizes applications into shared policy groups, called TrustZones®. Catbird TrustZones policy is applied based upon published compliance standards and frameworks, continuously monitoring for configuration changes, gathering evidence of control for audit, and taking immediate enforcement actions in case of changes that may compromise security and compliance posture.
Cisco ACI enables Catbird insertion anywhere in the network fabric, providing centralized management, ensuring automated security and compliance policy and elastic scaling. With Cisco ACI and Catbird, policy compliance is now continuous, enforced in real-time and fully automated, with visibility and control that exceeds that which is possible in conventional physical environments. The combined solution, with Catbird supporting the ACI policy model and APIC controller, will provide active policy automation and enforcement of industry standards such as PCI DSS 3.0, ISO 27001, HIPAA, and FISMA, reducing the cost and complexity of compliance and increasing the flexibility and elasticity of the application network.

Key Features of Catbird 6.0:
  • Multi-hypervisor support* – Consistent security policy automation and compliance enforcement across Microsoft Hyper-V™ and VMware vSphere®.
  • Management API – Enterprises and service providers can now integrate security policy and compliance enforcement into their existing provisioning and management processes. Catbird 6.0 API includes ACL and alert operations, asset searching and enumeration, compliance state retrieval, event operations, and Catbird TrustZones® management and configuration.
  • Expanded role-based administrative functions* – Six roles including auditor, operator, firewall operator, and compliance officer, allowing customers to precisely align policy management with existing administration, security and compliance roles.
  • Enhanced continuous monitoring – SCAP configuration checking allows users to download security benchmarks from the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS) and run configuration checks against those benchmarks. With SCAP, customers can continuously monitor their security posture based upon codified security benchmarks established by credible third parties and define configuration checks that are a requirement for organizations including federal government agencies.
  • Cisco & VMware virtual firewall integration – First security policy automation and enforcement solution to orchestrate two of the industry's leading virtual firewalls, Cisco Virtual Secure Gateway (VSG) and VMware vCloud® Networking and Security™. Customers can track and maintain the status of virtual firewalls and other security controls continuously, such as IDS/IPS, NAC, and virtual infrastructure monitoring, no matter where assets move on the network and what changes are made.
Catbird will be showcasing the new 6.0 release at RSA Conference 2014 in San Francisco, Feb. 24-28 2014, in booth 2505. The software is available immediately and a fully-functional evaluation version is available at www.catbird.com/demo.


Feb 2014
Cisco announced last week that its rapidly expanding ACI ecosystem now includes the A10 Networks aCloud Services Architecture based on the Thunder ADC Application Delivery Controllers, as well as the Catbird IDS/IPS virtual security solutions. These new ACI ecosystem vendors are announcing support for the ACI policy model and integration with the Application Infrastructure Policy Controller (APIC) which will accelerate and automate deployment and provisioning of these services into application networks. This should also resolve any speculation that the ACI ecosystem would not be including technology vendors that compete with Cisco’s other lines of business, as Cisco expands the solution alternatives for customers.
Each of the solutions will rely on two primary capabilities of the APIC and ACI to provide a policy-based automation framework and policy-based service insertion technology. A policy-based automation framework enables resources to be dynamically provisioned and configured according to application requirements. As a result, core services such as firewalls, application delivery controllers (ADC) and Layer 4 through 7 switches can be consumed by applications and made ready to use in a single automated step.
A policy-based service insertion solution automates the step of routing network traffic to the correct services based on application policies. The automated addition, removal, and reordering of services allows applications to quickly change the resources that they require without the need to rewire and reconfigure the network or relocate the services. For example, if the business decision is made to use a web application firewall found in a modern ADC as a cost-effective way of achieving PCI compliance, administrators would simply need to redefine the policy for the services that should be used for the related applications. The Cisco APIC can dynamically distribute new policies to the infrastructure and service nodes in minutes, without requiring the network be manually changed.


Integrating L4-7 Services in the Open ACI Architecture
[Figure: APIC Services Integration]

So, when technology vendors like these expressly commit to supporting the ACI architecture, what is the integration model to the APIC controller and the ACI fabric? First of all, service automation requires a vendor device package (see below), which is an XML structure defining the attributes, policies and capabilities of the supported L4-7 device. When APIC provisions new application networks that require these services, the device package is loaded into APIC, along with device-specific Python scripts. APIC then uses the device configuration model to pass appropriate configuration details to the device. Script handlers on the device are integrated through REST APIs on the device or CLI.

