
THREAT MITIGATION IN A SOFTWARE DEFINED NETWORK ENVIRONMENT

IP.com Disclosure Number: IPCOM000248564D
Publication Date: 2016-Dec-19
Document File: 7 page(s) / 551K

Publishing Venue

The IP.com Prior Art Database

Related People

Javed Asghar: AUTHOR [+6]

Abstract

Presented herein are methods for integrating next-generation intrusion prevention systems (NGIPSs) and application-centric infrastructures (ACIs) to form one integrated security policy. The methods involve automatically (i.e., without a need for manual intervention) quarantining and micro-segmenting offending endpoints detected by an IPS within milliseconds in an ACI fabric. Further, a security workflow deploys an ACI service graph with a remediation endpoint group (EPG) to provide a security feedback loop.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 26% of the total text.

Copyright 2016 Cisco Systems, Inc. 1

AUTHORS: Javed Asghar, Saurabh Jain, Yibin Yang, Michael Smith, Srinivas Sardar, Munish Mehta

CISCO SYSTEMS, INC.


DETAILED DESCRIPTION

End users have more media and communications choices than ever before. A number of prominent technological trends are currently afoot (e.g., more computing devices, more online video services, more Internet traffic), and these trends are changing the media delivery landscape. Datacenters serve a large sector of the Internet content today, including web objects (text, graphics, Uniform Resource Locators (URLs) and scripts), downloadable objects (media files, software, documents), applications (e-commerce, portals), live streaming media, on-demand streaming media, and social networks. In a datacenter, there are typically non-virtualized servers (e.g., bare-metal servers) as well as virtualized servers. A non-virtualized server is a server running an operating system (OS) directly on hardware, as opposed to a virtualized server that runs the OS on software. In the datacenter, computing, storage, and networking capacity may be pooled into virtual datacenters where the nodes of the datacenter are connected by a network. However, once a node is infected with malware, the node can infect the entire network with the malware.

ACI provides an application policy-based solution through scalable distributed policy enforcement. It supports integration of physical and virtual environments under one declarative policy model for networks, servers, services and security. The ACI software-defined networking (SDN) controller is called the Application Policy Infrastructure Controller (APIC); it provides a single point of automation and management for the ACI overlay network fabric. An EPG is a major component of the ACI framework: it contains a collection of endpoints that share common policy requirements such as security, quality of service (QoS) and services. Application policies are applied between EPGs, in the form of contracts, rather than between endpoints directly.
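The EPG-and-contract model above, together with the automatic quarantine step from the abstract, as an added illustrative model (not APIC's API or data model, and not code from the disclosure): policy is evaluated between EPGs, and an IPS verdict re-classifies the offending endpoint into a quarantine EPG whose only contract leads to the remediation EPG. All EPG names, addresses and the IPS verdict are constructed.

```python
"""Toy model of ACI-style endpoint groups (EPGs) and contracts, plus the
automatic quarantine the disclosure describes. Constructed example; the
EPG names, addresses and IPS verdict are made up for illustration."""
from dataclasses import dataclass, field


@dataclass
class Fabric:
    membership: dict = field(default_factory=dict)   # endpoint -> EPG name
    contracts: set = field(default_factory=set)      # (consumer_epg, provider_epg, port)
    events: list = field(default_factory=list)       # audit trail for the feedback loop

    def permits(self, src: str, dst: str, port: int) -> bool:
        """Policy is applied between EPGs, never between endpoints directly.
        Same-EPG traffic is allowed, except inside the isolated quarantine EPG."""
        s, d = self.membership.get(src), self.membership.get(dst)
        if s is None or d is None:
            return False                  # unknown endpoint: default deny
        if s == d and s != "quarantine":
            return True
        return (s, d, port) in self.contracts

    def quarantine(self, endpoint: str, reason: str) -> str:
        """IPS feedback: move the endpoint into the quarantine EPG without
        manual intervention. Returns the previous EPG so the move can be
        reversed once remediation succeeds."""
        previous = self.membership[endpoint]
        self.membership[endpoint] = "quarantine"
        self.events.append((endpoint, previous, "quarantine", reason))
        return previous


def demo() -> dict:
    f = Fabric()
    for ip in ("10.0.1.10", "10.0.1.11"):             # constructed web tier
        f.membership[ip] = "web"
    f.membership["10.0.2.20"] = "db"                  # constructed database tier
    f.membership["10.0.9.5"] = "remediation"          # constructed remediation service
    f.contracts |= {("web", "db", 3306), ("quarantine", "remediation", 443)}

    before = f.permits("10.0.1.10", "10.0.2.20", 3306)       # web -> db allowed by contract
    f.quarantine("10.0.1.10", "constructed IPS verdict")     # automatic micro-segmentation
    after_db = f.permits("10.0.1.10", "10.0.2.20", 3306)     # former contract no longer applies
    after_peer = f.permits("10.0.1.10", "10.0.1.11", 80)     # isolated from former EPG peers
    after_rem = f.permits("10.0.1.10", "10.0.9.5", 443)      # only the remediation path stays
    return {"before": before, "db": after_db, "peer": after_peer, "rem": after_rem}
```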

Micro-segmentation is an appealing security feature in a modern datacenter. It provides enhanced security for east-west traffic within a datacenter by dividing a datacenter into smaller protected zones. A micro-segmented datacenter has security services provisioned not only at the perimeter but also between application ti...