East/west segmentation is required in the data center to protect backend networks from each other. It is often implemented as ACLs between VLANs on the core switch. Those ACLs are maintained by network or security engineers, and they define the flows permitted between hosts or classes of hosts.
In a typical workflow, the network engineer asks the service owner which ports they need open, and the owner often doesn’t know. A wasteful and extended back-and-forth continues until the rule is deployed. The key challenge here is that the service owner owns the requirement but doesn’t know what their service does at the network layer. The temptation is to insert wide rules, but it is the network engineer who is accountable for the ruleset when the auditor knocks on the door.
This workflow challenge could be solved with a self-service portal, automation and explicit rule ownership, but that doesn’t address the problem of scale. Even very large switches have limited ACL TCAM, and host-to-host rules consume entries in proportion to the number of host pairs. You’ll often have to scale by complicating your routing and forcing east/west traffic through a firewall-on-a-stick.
The other option is to widen and consolidate your ACL rules on the core switch into subnet-to-subnet or layer-3-only rules. This weakens security and dilutes rule ownership. In theory, a service owner requests and ‘owns’ a rule until they no longer need it. If a rule is wide enough it will acquire undocumented users, and then it can never safely be removed.
Juan Lage presented to the crew at TFDx Cisco Live Europe on the topic of ACI micro-segmentation. ACI can solve the east/west segmentation problem by binding a ‘contract’ to an ‘application network profile’. The contract describes which endpoints are allowed to talk to each other and on which ports. I like this approach because the security rules in the contract are bound to the service definition at creation time.
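The trade-off in the preceding paragraphs (exact host-pair ACLs that exhaust TCAM, versus widened subnet rules that pick up undocumented users) and the group-based contract model can be made concrete with a small policy model. The following Python is an added example, not code from the post or from Cisco; the tiers, addresses and the "legacy" host that happens to share the database VLAN are constructed for illustration, and the group-based rules only mimic the shape of an EPG contract, not the APIC object model.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory (assumption): three service tiers plus an unrelated
# host that sits in the database VLAN and never asked for any access.
HOSTS = {
    "web": ["10.1.1.10", "10.1.1.11"],
    "app": ["10.1.2.10", "10.1.2.11", "10.1.2.12"],
    "db": ["10.1.3.10"],
    "legacy": ["10.1.3.20"],
}
GROUP_OF = {h: g for g, hs in HOSTS.items() for h in hs}
ALL_HOSTS = list(GROUP_OF)

# Flows the service owners actually requested: (src host, dst host, dport).
REQUESTED = (
    [(s, d, 8080) for s in HOSTS["web"] for d in HOSTS["app"]]
    + [(s, d, 5432) for s in HOSTS["app"] for d in HOSTS["db"]]
)


def host_aces(flows):
    """One ACE per (src /32, dst /32, port): exact, but entries grow with host pairs."""
    return {(ip_network(s + "/32"), ip_network(d + "/32"), p) for s, d, p in flows}


def subnet_aces(flows, prefixlen=24):
    """Widened ACEs: collapse every host to its VLAN subnet. Few entries, more permission."""
    return {
        (ip_network(f"{s}/{prefixlen}", strict=False),
         ip_network(f"{d}/{prefixlen}", strict=False), p)
        for s, d, p in flows
    }


def group_contracts(flows):
    """Contract-style rules keyed by (consumer group, provider group, port).

    Membership, not address, decides the match, so entries scale with groups.
    """
    return {(GROUP_OF[s], GROUP_OF[d], p) for s, d, p in flows}


def permitted_by_aces(aces):
    """Evaluate every host pair in the inventory against an ACE set."""
    allowed = set()
    for s in ALL_HOSTS:
        for d in ALL_HOSTS:
            if s == d:
                continue
            for src_net, dst_net, port in aces:
                if ip_address(s) in src_net and ip_address(d) in dst_net:
                    allowed.add((s, d, port))
    return allowed


def permitted_by_contracts(contracts):
    """Evaluate every host pair against group-based rules."""
    allowed = set()
    for s in ALL_HOSTS:
        for d in ALL_HOSTS:
            if s == d:
                continue
            for consumer, provider, port in contracts:
                if GROUP_OF[s] == consumer and GROUP_OF[d] == provider:
                    allowed.add((s, d, port))
    return allowed


def undocumented(permitted):
    """Flows the policy allows that nobody asked for: the future 'undocumented users'."""
    return permitted - set(REQUESTED)


if __name__ == "__main__":
    for name, entries, permitted in (
        ("host ACEs", host_aces(REQUESTED), permitted_by_aces(host_aces(REQUESTED))),
        ("subnet ACEs", subnet_aces(REQUESTED), permitted_by_aces(subnet_aces(REQUESTED))),
        ("group contracts", group_contracts(REQUESTED), permitted_by_contracts(group_contracts(REQUESTED))),
    ):
        extra = sorted(undocumented(permitted))
        print(f"{name}: {len(entries)} entries, {len(permitted)} permitted flows, "
              f"{len(extra)} unrequested")
        for flow in extra:
            print("  unrequested:", flow)
```

With this inventory the nine requested flows cost nine host-level entries and permit exactly what was asked. Widening to /24 rules needs only two entries but also permits every app host to reach the legacy host on 5432, three flows nobody requested and nobody will know about when the rule is up for removal. The group-based rules also need only two entries yet permit only the requested flows, because the legacy host is not a member of the provider group; that is the property the contract model buys.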
I’m pleased that the ACI security enforcement happens at the edge of the network. I firmly believe that the core of the network should not enforce security policy. It’s true that the same could be achieved through the use of virtual firewalls. However, the ACI approach becomes essential when you have a bare-metal server at one end of a flow. I can really see the benefit of having ACI take care of ACLs at the edge, and having security bound to the service on creation.
I do have a slight concern that the TCAM of the ACI leaf switch could become the new resource bottleneck if the leaf switch enforces a lot of contracts for a lot of services. I’ll let you know when I find out more.