We’ve been talking for a while about Cisco ACI’s leadership in SDN security features (like here), and about the design of our fine-grained security policy enforcement between individual workloads, sometimes called microsegmentation. Today, here at Interop in Las Vegas, Cisco is reaffirming its thought leadership in data center security and SDN automation with a couple of announcements, including the integration of the Cisco FirePOWER next-generation intrusion prevention system (NGIPS) into the ACI security framework. In other news, another ACI ecosystem security partner was announced last week at the RSA Security Conference: Fortinet, which will integrate its FortiGate firewall platform with ACI.

The Cisco ACI + FirePOWER solution enables real-time detection, mitigation and remediation of advanced security threats inside the data center by combining the granular application visibility and control, threat detection, and advanced malware protection (AMP) capabilities of FirePOWER NGIPS with ACI microsegmentation, advanced security service insertion, and L4-7 policy automation. To quickly summarize how this all comes together, along with a sample use case for ACI security, we created the following video:


Available in June 2015, the new ACI advanced security capabilities work to protect data centers before, during, and after attacks, dynamically detecting threats and automating incident response. The Cisco FirePOWER family of security appliances consists of industry-leading NGFW and NGIPS appliances offering best-in-class threat effectiveness, superior visibility and global threat intelligence.

Attack Continuum
FirePOWER + ACI = Automated Security with Advanced Protection Across Attack Continuum for Physical and Virtual

Cisco also announced that third-party auditors validated ACI for deployment in networks that must comply with the Payment Card Industry Data Security Standard (PCI DSS). Any organization that accepts credit cards needs to comply with PCI DSS, and one of the most effective ways to lower compliance cost is to shrink the scope of the assessment: systems that are properly segmented from the cardholder data environment fall outside of it. Segmentation is not itself a PCI DSS requirement, and the QSA still has to confirm that the segmentation controls actually isolate the cardholder data environment, which is why independent validation of the enforcement mechanism matters. Independent qualified security assessors (QSAs) validated in Cisco labs that ACI can be used to reduce PCI scope and simplify segmentation management.

To set the context for this ACI security news, I like to point to three prevailing trends in data center security that are driving many new product requirements in this area:

  1. Moving from perimeter to pervasive, fine-grained security – Perimeter security solutions that block malicious traffic coming into the data center are great, but they can’t stop threats from propagating laterally once they are inside. In a shared, multi-tenant environment where trust between users and applications can no longer be assumed, security controls have to protect every workload from every other one, and every tenant from every other tenant. Because the number of potential workload-to-workload relationships grows roughly with the square of the number of workloads, this is several orders of magnitude more policy complexity than we previously had to manage. This trend has led to the implementation of fine-grained security policies, enforced between individual application workloads (microsegmentation).
  2. The need to automate IT security operations – In our on-demand, elastic cloud environments, where applications are deployed in minutes, sorting out this complexity and updating security policies across many potential devices by hand is a logistical nightmare. A security management solution that can automatically update, provision and configure security policies across all applicable devices is required to support the agility that cloud architectures demand. Forrester Research even highlighted the need to automate security tasks in its report, “12 Recommendations for your Security Program in 2015”:

    Over the previous 10 years, “attackers are getting better/faster at what they do at a higher rate than defenders are improving their trade.” If CISOs want to ever improve their abilities to detect and respond to adversaries, they must move from reactive to proactive operations through automation. Every bit of operational friction that S&R pros can reduce using automation will result in a more-agile security posture that makes detecting and responding to adversaries more productive. CISOs can expect automation to become one of the next great security buzzwords.

    Through Cisco ACI, all security device provisioning and configuration can be automated according to the centrally managed application policies and requirements, greatly simplifying IT security tasks, and accelerating application deployments.

  3. Application mobility challenges statically placed security devices – Cloud environments require applications to be location-independent and mobile. When application traffic has to be steered through specific security services and devices, this becomes overwhelming to manage when the applications move and the physical security devices do not. A dynamic and automated way to configure security paths specific to each application’s requirements is required. Cisco ACI provides a seamless and consistent method for integrating both virtual and physical security appliances, independent of location, into application networks, and for applying security policies consistently to both physical and virtual workloads. Automating this service chaining capability simplifies and accelerates some of the most complex tasks of setting up new applications in multi-tenant data centers, helping to reduce application deployment times from weeks to minutes.

Tomorrow I plan to post a blog reviewing some market data we collected with Enterprise Strategy Group (ESG) on data center security requirements, including the need for automation and finer-grained segmentation that we’ve discussed here.

If you are around Interop this week, we’d love to have you stop by and see the new demos of ACI with FirePOWER integration, as well as all the other features we’re showing. If not, we’ll hope to at least see you at Cisco Live in San Diego, where we’ll have even more to show off.

[Cisco Press Release]


Gary Kinghorn

Sr Solution Marketing Manager

Network Virtualization and SDN