To prevent security breaches, SecOps depends on the ability to intelligently analyze logs from multiple firewalls and security appliances. Using Security Information and Event Management (SIEM) tools, SecOps teams can spot unusual network activity and track down threats. But most firewalls are deployed to monitor north-south traffic, especially traffic crossing direct internet connections. They are not well placed to stop threats that move laterally inside the network, for example between applications or among the workforce. Yet in today's complex data center, campus, cloud, and edge computing environments, the majority of traffic among the workforce, data resources, and applications is by nature east-west. Inserting firewalls at every east-west juncture is costly, increases network management complexity, and creates additional bottlenecks for latency-sensitive traffic such as container-to-container communication and collaboration applications.

SecOps teams are already challenged by monitoring events across multiple security products to obtain a clear picture of the threat landscape. In order to design and apply consistent security and east-west policies across the application and data resources, SecOps needs a clear cross-enterprise view of east-west events without increasing OpEx for personnel and CapEx for extra firewall appliances. Since CISOs are already constrained by lack of qualified security personnel and under pressure to lower costs, they need to take better advantage of existing infrastructure to improve security.

As I discussed in a previous post on using network segmentation to stop threats, NetOps is using the automation and analytics embedded in Cisco DNA Center to identify endpoints, ports, and protocols and to manage access permissions for groups of people, devices, and applications. Segmenting networks with Security Group Access Control Lists (SGACLs) reduces the threat surface by limiting the reach of an attack in east-west traffic to a single segment, and automatically isolates endpoints that violate access policies or suddenly behave suspiciously. With endpoints identified, tagged, and grouped, traffic among them can be logged together with the protocols used for communication.

Historically, log files were captured and processed via software running on dedicated appliances or network controllers. But with tens of thousands of devices, people, and applications communicating over the network, are the majority of events being accurately captured for analysis? Relying on software alone to monitor and log traffic events may only be capturing a subset of incidents at best.

SGACLs Provide SecOps with Deeper Insights into East-West Traffic

By consuming the permit and deny logs generated by the SGACLs, SecOps can analyze and correlate them with indicators of compromise generated by other security appliances. To be effective, exceptions such as access violations need to be identified quickly for investigation after the offending endpoints are automatically isolated—why was a printer trying to communicate with a web server?

The Group-Based Policy with Analytics and Control application on Cisco DNA Center can enable logging on the Security Group Access Control List (SGACL) that governs a specific pairing of source Security Group Tag (SGT) and Destination Group Tag (DGT). The resulting rules are pushed to the Catalyst 9000 family of switches by Cisco Identity Services Engine (ISE) as part of its authorization policies.

SGACL log example.
Once the switches emit these permit and deny logs, SecOps can forward them to the SIEM application of their choice and correlate them there with indicators of compromise from other security appliances.

To capture logs in real time at the required rate, the Cisco Unified Access Data Plane (UADP 2.0) silicon in Catalyst 9000 switches is capable of generating security logs at very high scale. The SGACL security logs are in a format that can readily be integrated into SIEM logging ecosystems such as Splunk and Elasticsearch/Kibana, which monitor, search, analyze, and visualize the results to give SecOps alerts and views into security events.

The Group-Based Policy Analytics application in Cisco DNA Center receives NetFlow from network devices and stitches it together in context with graphs and tables to help administrators visualize network behavior based on groups of endpoints, people, and applications. Now, with the ability to enable SGACL logging on the Cisco Catalyst 9000 switches and send those logs to a SIEM infrastructure, monitoring of all security-related data from a single point of view enables SecOps to efficiently spot traffic patterns that indicate threats. The key is the UADP silicon that provides the scalability to log SGACL data required for compliance reporting and deep forensics.
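The two things SecOps actually does with these logs, as described above, are (1) pull out the access violations for investigation (the printer-to-web-server question) and (2) stitch several individually low-risk events into one high-risk pattern. The following Python is an added example, not code from the original post or from Cisco: it parses constructed syslog lines written in the key='value' style that IOS-XE switches use for SGACL hit logging, summarizes hits per source-group/destination-group pair using a constructed SGT-to-name map, and flags any source that was denied to several distinct destinations in a short window (the signature of lateral probing). The %RBM-6-SGACLHIT mnemonic, the field names, the sample lines, and the group names are all assumptions for this example; check a real switch's output and adjust the two regular expressions if your format differs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (NOT captured from a real switch). The mnemonic
# and field names imitate IOS-XE SGACL hit logging but are assumptions here.
SAMPLE_LOGS = [
    "<190>Mar 10 09:12:01.311: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/5' "
    "sgacl_name='Printers_to_PrintSrv' action='Permit' protocol='tcp' src-ip='10.10.20.15' "
    "src-port='51234' dest-ip='10.10.50.8' dest-port='9100' sgt='20' dgt='50' logging_interval_hits='3'",
    "<190>Mar 10 09:12:04.020: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/5' "
    "sgacl_name='Deny_All' action='Deny' protocol='tcp' src-ip='10.10.20.15' "
    "src-port='51300' dest-ip='10.10.30.21' dest-port='80' sgt='20' dgt='30' logging_interval_hits='1'",
    "<190>Mar 10 09:12:04.410: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/5' "
    "sgacl_name='Deny_All' action='Deny' protocol='tcp' src-ip='10.10.20.15' "
    "src-port='51301' dest-ip='10.10.30.21' dest-port='443' sgt='20' dgt='30' logging_interval_hits='1'",
    "<190>Mar 10 09:12:05.102: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/5' "
    "sgacl_name='Deny_All' action='Deny' protocol='tcp' src-ip='10.10.20.15' "
    "src-port='51302' dest-ip='10.10.30.22' dest-port='22' sgt='20' dgt='30' logging_interval_hits='1'",
    "<190>Mar 10 09:12:07.900: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/12' "
    "sgacl_name='Employees_to_Web' action='Permit' protocol='tcp' src-ip='10.10.10.77' "
    "src-port='40211' dest-ip='10.10.30.21' dest-port='443' sgt='10' dgt='30' logging_interval_hits='12'",
    "<190>Mar 10 09:12:09.004: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/12' "
    "sgacl_name='Deny_All' action='Deny' protocol='udp' src-ip='10.10.10.77' "
    "src-port='5353' dest-ip='10.10.50.8' dest-port='161' sgt='10' dgt='50' logging_interval_hits='1'",
    # Unrelated syslog that must be ignored by the parser.
    "<189>Mar 10 09:12:10.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down",
]

# Constructed SGT -> security group name map (in practice exported from ISE).
GROUP_NAMES = {10: "Employees", 20: "Printers", 30: "Web_Servers", 50: "Print_Servers"}

MNEMONIC_RE = re.compile(r"%RBM-6-SGACLHIT:")   # assumed mnemonic, adjust to your switch
FIELD_RE = re.compile(r"([\w-]+)='([^']*)'")    # key='value' pairs


def parse_sgacl_log(line):
    """Return a dict of SGACL hit fields, or None if the line is not an SGACL hit."""
    if not MNEMONIC_RE.search(line):
        return None
    fields = dict(FIELD_RE.findall(line))
    for key in ("sgt", "dgt", "src-port", "dest-port", "logging_interval_hits"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def parse_all(lines):
    return [e for e in (parse_sgacl_log(l) for l in lines) if e]


def deny_events(events):
    """Access violations only: the events worth an analyst's attention first."""
    return [e for e in events if e.get("action") == "Deny"]


def group_pair_summary(events):
    """Hits per (source group, destination group, action), weighted by the
    per-interval hit counter so rate-limited logs still reflect volume."""
    counts = Counter()
    for e in events:
        src = GROUP_NAMES.get(e["sgt"], f"SGT{e['sgt']}")
        dst = GROUP_NAMES.get(e["dgt"], f"SGT{e['dgt']}")
        counts[(src, dst, e["action"])] += e.get("logging_interval_hits", 1)
    return counts


def scanning_sources(events, min_distinct=3):
    """Correlate several low-risk denies into one high-risk finding: a single
    source denied to >= min_distinct distinct (dest-ip, dest-port) targets."""
    targets = defaultdict(set)
    for e in deny_events(events):
        targets[e["src-ip"]].add((e["dest-ip"], e["dest-port"]))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_distinct}


if __name__ == "__main__":
    evs = parse_all(SAMPLE_LOGS)
    for (src, dst, act), n in sorted(group_pair_summary(evs).items()):
        print(f"{src:>14} -> {dst:<14} {act:<6} hits={n}")
    for src, tgts in scanning_sources(evs).items():
        print(f"ALERT: possible lateral probing from {src}: {tgts}")
```

In a SIEM the same logic maps onto a search that groups Deny events by source address and counts distinct destinations; the point of the threshold is that a single denied connection from a printer is noise, while three denied connections to different servers and ports within seconds is a finding.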

SGACL Logs to SIEM application

Using SGACL Logs to Defend the Network

The ability to automatically identify endpoints and segment east-west traffic into security groups using Cisco DNA Center, Identity Services Engine, and the Catalyst switching platform gives SecOps a new weapon against threats. Past breaches in which malware compromised unsecured IoT devices, moved laterally to point-of-sale systems, and harvested large stores of PCI data show that SecOps needs both granular group segmentation and near-real-time monitoring of any attempted transgression. The ability to monitor and identify access violations and abnormalities at scale enables SecOps to:

  • Monitor SGACL logs from switches in favored SIEM applications and raise alerts without adding more firewalls or security appliances.
  • Quickly identify attempted east-west access violations among security groups.
  • Piece together several seemingly low-risk events to find the one high-risk attack underway.
  • Uncover suspicious activity that may indicate compromised credentials or an insider threat.
  • Centralize monitoring for OT and IoT solutions to identify abnormal activity and potential threats.
  • Automatically quarantine misbehaving endpoints to isolate threats before they can spread to nodes in the same segment.

Segmentation using Security Groups greatly reduces the attack surface of enterprise networks that connect the vital components in the data center, campus, branch, and edge. The technique integrates seamlessly with existing security monitoring toolsets, reducing SecOps workload while providing detailed visibility into network operations.

Fighting Threats with Better Data

SGACL classification and policy enforcement functions are embedded in Cisco switching, routing, wireless LAN, and firewall products. By classifying traffic based on the identity of endpoints rather than their IP addresses, Cisco DNA Center and Identity Services Engine enable flexible access controls for fast-changing network environments. The high-speed logging capabilities of Cisco Catalyst switches turn SGACL logs into potent tools for SecOps in detecting and preventing the spread of malware, intrusions, ransomware, malicious reconnaissance, and remote exploits in east-west traffic flows.

For more details on automating segmentation policies in Cisco DNA Center:



Ravi Chandrasekaran

Senior Vice President

Enterprise Networking