Cisco Tetration Analytics G1 White Paper

© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. 
Page 2 of 12 
● How to monitor live traffic in nearly real time to detect:
  ◦ Permitted traffic
  ◦ Mistakenly dropped traffic
  ◦ Escaped traffic
  ◦ Dropped traffic
Policy Compliance Use Cases 
Automation has given the network operator a completely new level of flexibility in deploying cost-effective, scalable, and maintainable data centers. However, with this approach, the operator loses a direct relationship with the underlying device hardware. Given the abstraction that comes with most automation, as well as configuration that is in many cases generated by controllers (and perhaps not even human readable), how do administrators verify that their requirements have truly been programmed into the hardware? Without an automated method to validate what is actually happening, only the illusion of security may be in place, with vulnerabilities surfacing many months later, after a critical issue has occurred.

Large, non-explicitly policy-based networks (that is, standalone network architectures) face the same issue, however. In this case, though, the responsibility for rendering the business and security policy (there is always a logical policy that a data center attempts to follow) lies in the hands of the network team. This team usually must manually maintain a distributed set of distinct configuration files to deliver the desired end-to-end policy for the network. The need to validate that the configuration is working correctly, and that the security policies are accurate, is the same.
Figure 1 shows both approaches. 
Figure 1.    The Same Business Intent Rendered Using a Controller-Based Approach and Using an Operator-Guided Approach
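The four traffic categories listed above and the validation gap described in this section, as an added example that is not part of the Cisco paper: a small Python checker that compares an intended allow/deny policy against observed flow records and labels each flow as permitted, mistakenly dropped, escaped, or dropped. The policy rules, addresses and flow records are constructed for illustration and do not come from any real Tetration data set.

```python
from ipaddress import ip_address, ip_network

# Intended policy: first matching rule wins, implicit default deny.
# Rules and addresses are constructed for illustration (not real data).
POLICY = [
    # (src_net, dst_net, dst_port, action)
    ("10.1.0.0/24", "10.2.0.0/24", 443, "allow"),
    ("10.1.0.0/24", "10.2.0.0/24", 22, "deny"),
    ("10.3.0.0/24", "10.2.0.0/24", 443, "allow"),
]

def intended_action(src, dst, port):
    """Action the written (logical) policy intends for this flow."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, p, action in POLICY:
        if s in ip_network(src_net) and d in ip_network(dst_net) and p == port:
            return action
    return "deny"  # nothing matched: implicit default deny

def classify(flow):
    """Map one observed flow onto the four compliance categories."""
    intended = intended_action(flow["src"], flow["dst"], flow["port"])
    observed = flow["observed"]  # what the fabric actually did
    if intended == "allow" and observed == "forwarded":
        return "permitted"
    if intended == "allow" and observed == "dropped":
        return "mistakenly dropped"   # policy meant to allow it
    if intended == "deny" and observed == "forwarded":
        return "escaped"              # policy meant to block it
    return "dropped"                  # denied and actually dropped

def compliance_report(flows):
    """Count each category and list the flows that contradict intent."""
    counts = {"permitted": 0, "mistakenly dropped": 0, "escaped": 0, "dropped": 0}
    findings = []
    for f in flows:
        c = classify(f)
        counts[c] += 1
        if c in ("mistakenly dropped", "escaped"):
            findings.append((c, f["src"], f["dst"], f["port"]))
    return counts, findings

# Constructed flow records standing in for collected telemetry.
SAMPLE_FLOWS = [
    {"src": "10.1.0.5", "dst": "10.2.0.9", "port": 443, "observed": "forwarded"},
    {"src": "10.1.0.5", "dst": "10.2.0.9", "port": 22, "observed": "forwarded"},
    {"src": "10.3.0.7", "dst": "10.2.0.9", "port": 443, "observed": "dropped"},
    {"src": "10.9.0.1", "dst": "10.2.0.9", "port": 443, "observed": "dropped"},
]
```

Only the "mistakenly dropped" and "escaped" findings represent a gap between intent and what the hardware actually enforced; the other two categories confirm the policy is rendered as written.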