Have you ever needed to know what applications are running on your network? Have you ever needed to determine the set of protocols and ports used by an application so that firewall rules can be created? Or have you ever had to understand the system dependencies of a critical application? What if you needed to know all the IT assets in your business?
These requirements are common for compliance for data center migration, Payment Card Industry audits, security audits, application troubleshooting, and firewall installations. In the past, you might have had to employ a suite of tools to collect and analyze network data in order to answer any of these questions. Packet captures and analysis would be one of the primary data collection methods and it is a highly manual process that takes significant effort. And the result is only good for a short period of time, becoming obsolete as soon as some hardware is upgraded, new servers installed, or old servers removed.
On Wednesday Cisco announced a new product that makes it easy to answer these questions and more: Cisco Tetration Analytics. Tetration is a term that refers to a notation for very large numbers. Cisco’s use of the term refers to a product that automates the collection of vast amounts of data from the network about applications, flows, devices, system relationships, errors, slowness, and differences in performance. You can think of it as a data recorder for the data center network, kind of like a super black-box found in airplanes. The current version is specific to data centers and is sized for a medium to large data center. There are plans for larger and smaller versions, as well as a cloud-based system for organizations that don’t have the resources for an on-site installation.
It is possible to use the collected data to drive “what-if” analysis to verify how the IT system would function in various scenarios, such as failures, additional capacity, and new paths. In a sense, you could characterize Tetration Analytics as “flow analysis on steroids.” But it is much more than that. Let’s look at some examples that will give you an idea of the breadth of functionality.
You have to make sure that you migrate all your applications to the new data center before you can vacate the old data center. But do you know all the applications that run in your data center and the set of services that are needed to make those applications work? If you have applications that you bought from an external vendor, it is highly likely that you don’t – and that the vendor doesn’t either (or won’t admit it).
Tetration enables you to add instrumentation to the network that collects network packet headers and uses that information to determine all the components of an application and the protocols/ports in use.
With a clear understanding of the applications, it is much easier to design a move and get all the components migrated without causing an accidental outage. Imagine monitoring a data center to verify that all active applications have been migrated to the new data center. You can also use this capability within a data center to determine dependency maps. If a switch needs maintenance, what applications (i.e. servers) are currently using paths through the switch? You need to know that you’ve migrated all active applications off of a part of the data center infrastructure and Tetration can tell you this, in real time.
You can also find unused resources like servers and switches. Cisco described a data center migration in which it found that over 40% of the VMs in the original data center were abandoned and not running active applications. It reminded me of the snarky comment: “VMs are like tattoos; easy to get and hard to remove.”
How do you keep bad actors out of your network? Security experts these days say that it is impossible to keep them out entirely, so it is important to be able to quickly identify and isolate them once they are in. Tetration can build a baseline of normal network traffic and then flag traffic that deviates from it, which is how malicious activity shows up. This is similar to how flow-based security tools work. One of the advantages of Tetration is that it integrates with ACI’s ability to push network changes to mitigate the threat in real time. Settings in Tetration let the administrator control whether such changes are applied automatically or whether an alert is generated instead.
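As an added illustration (not Cisco’s or Tetration’s code), here is the core of the flow-baselining idea in Python: learn which peers and ports were seen during a baseline window, then label any later flow that falls outside it. The flow records and addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample flow records (not from the article): (src, dst, proto, dst_port).
BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.2.20", "tcp", 443),   # web tier -> app tier
    ("10.1.2.20", "10.1.3.30", "tcp", 3306),  # app tier -> database
    ("10.1.1.10", "10.1.9.9", "udp", 53),     # both tiers use the DNS server
    ("10.1.2.20", "10.1.9.9", "udp", 53),
]
NEW_FLOWS = [
    ("10.1.1.10", "10.1.2.20", "tcp", 443),    # inside the baseline
    ("10.1.1.10", "10.1.3.30", "tcp", 3306),   # web tier straight to the database
    ("10.1.2.20", "10.1.3.30", "tcp", 22),     # SSH on a pair that only did MySQL
    ("10.1.3.30", "203.0.113.5", "tcp", 4444), # database host to an address never seen
]

def learn_baseline(flows):
    """Summarise the baseline window: exact peer/port tuples seen, the
    (proto, port) services each destination was observed serving, and
    the hosts that took part at all."""
    tuples, hosts, services = set(), set(), defaultdict(set)
    for src, dst, proto, port in flows:
        tuples.add((src, dst, proto, port))
        services[dst].add((proto, port))
        hosts.update((src, dst))
    return {"tuples": tuples, "hosts": hosts, "services": services}

def classify_flow(baseline, flow):
    """None for a flow inside the baseline, otherwise a label for how it deviates."""
    src, dst, proto, port = flow
    if flow in baseline["tuples"]:
        return None
    if src not in baseline["hosts"] or dst not in baseline["hosts"]:
        return "unknown_host"   # a peer never seen while baselining
    if (proto, port) not in baseline["services"][dst]:
        return "new_service"    # known hosts, but dst never served this port
    return "new_peer"           # dst serves this port, just not to this src

def find_anomalies(baseline, flows):
    """Flows that leave the baseline, with the reason, for an analyst (or an
    automated policy, where that is allowed) to act on."""
    return [(f, label) for f in flows if (label := classify_flow(baseline, f))]

if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    for (src, dst, proto, port), why in find_anomalies(base, NEW_FLOWS):
        print(f"{why:13s} {src} -> {dst} {proto}/{port}")
```

The labels are deliberately graded: a brand-new host is worth more attention than a known server opening a new port to a known peer.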
Of course, the problem is the network. (Just kidding…) How do you diagnose what’s happening? You could use an Application Performance Management tool. With Tetration’s view of the network traffic and baselines, it is easy to identify when an application begins performing below expectations. There could be several causes that would need to be investigated. One is a slow server, which is identified by longer delays in communications with other servers or with clients.
When connectivity to an application is via a server load balancer, it is possible that some clients are able to bypass the load balancer system. These clients will exhibit a different communications path and timing profile than that of other clients that go through the load balancer. This makes those clients susceptible to an outage when their server fails or is taken out of service for maintenance. This is another example where Application Performance Management or Tetration can be used to identify incorrect infrastructure configuration.
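An added example, not from the article or the product, of the load-balancer bypass check in Python. The VIP, the load balancer’s SNAT address, the backend pool and the flow records (with round-trip times) are all constructed for illustration.

```python
from statistics import median

# Constructed topology (not from the article): clients are meant to reach the
# application through the VIP; the load balancer forwards to the pool from
# its SNAT address, so backends should only hear from it or from each other.
VIP = "10.1.0.100"
LB_SOURCES = {"10.1.0.101"}
BACKEND_POOL = {"10.1.2.20", "10.1.2.21"}
APP_PORT = 443

# Constructed flow records: (src, dst, dst_port, round_trip_ms).
FLOWS = [
    ("192.0.2.10", VIP, 443, 12.0),            # client -> VIP, as designed
    ("10.1.0.101", "10.1.2.20", 443, 0.4),     # LB -> backend, as designed
    ("192.0.2.11", VIP, 443, 11.5),
    ("10.1.0.101", "10.1.2.21", 443, 0.5),
    ("192.0.2.50", "10.1.2.21", 443, 9.8),     # client talking straight to a backend
    ("192.0.2.50", "10.1.2.21", 443, 10.1),
    ("10.1.2.20", "10.1.3.30", 3306, 0.3),     # backend -> database, unrelated
]

def is_direct_to_backend(src, dst, dport, pool=BACKEND_POOL, lb=LB_SOURCES, port=APP_PORT):
    """True when something other than the LB or a pool member hits a backend
    on the application port, i.e. the VIP was bypassed."""
    return dst in pool and dport == port and src not in lb and src not in pool

def find_lb_bypass(flows):
    """Map each bypassing client to the backends it reached directly."""
    direct = {}
    for src, dst, dport, _rtt in flows:
        if is_direct_to_backend(src, dst, dport):
            direct.setdefault(src, set()).add(dst)
    return direct

def clients_at_risk(bypass, backend):
    """Clients that lose the application if this one pool member fails or is
    taken down for maintenance, because they never go through the VIP."""
    return {client for client, backends in bypass.items() if backend in backends}

def timing_profiles(flows):
    """Median RTT of the VIP path versus the direct path; the two paths
    differ, which is what makes the bypass visible in the flow data."""
    via_vip = [rtt for s, d, p, rtt in flows if d == VIP and p == APP_PORT]
    direct = [rtt for s, d, p, rtt in flows if is_direct_to_backend(s, d, p)]
    return {"via_vip_ms": median(via_vip), "direct_ms": median(direct) if direct else None}

if __name__ == "__main__":
    bypass = find_lb_bypass(FLOWS)
    print("bypassing clients:", bypass, "| at risk if 10.1.2.21 is drained:",
          clients_at_risk(bypass, "10.1.2.21"), "| timing:", timing_profiles(FLOWS))
```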
Tetration Analytics is delivered as a rack full of UCS servers – 39 of them. Colin Lynch at ucsguru.com has written an excellent blog post about the system and its functionality.
At the announcement in the World Trade Center in New York, we had a chance to talk with Tetration Analytics inventor Navindra Yadav. His vision is that this tool will evolve to eventually allow self-driving data centers. Many of the boring and tedious functions will be replaced by Tetration’s machine learning, coupled to ACI’s automation.
The first step will be to alert the system administrators to anomalies and allow the human in the loop to make the correction. The system will recommend one or more possible forms of remediation. The administrator would have the option of allowing Tetration to automate the implementation of one of the remediations. After Tetration has learned the problem signature and the type of remediation preferred by the administrator, it can be configured to automatically perform that remediation when it encounters the problem in the future. Remember the Cisco tag line from many years ago, “The self-healing network”? We may be seeing the reality of that statement.
We didn’t discuss plans for non-data center development, but it is easy to extrapolate the current capabilities to the entire network. All that is needed are sensor modules for other network segments and perhaps for clients. Instrumenting the network elements, perhaps through packet brokers and SPAN ports, would provide one level of visibility. Adding sensor modules for clients could add complete visibility to the entire network. Complete visibility would not leave any place where a bad actor could hide. Would this capability possibly be a good solution to network security?
To talk about how Tetration might be put to use in your data center, or to discuss other data center solutions, just reach out.
Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.
Virgilio “Bong” has sixteen years of professional experience in the IT industry spanning academia, technical and customer support, pre-sales, post-sales, project management, training and enablement. He has worked in the Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as a Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications, including Fire Jumper Elite.
John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services. Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.
He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.