How Cisco's 'Application Centric Infrastructure' differs from SDN

As Cisco rolls out a hardware-based alternative to software-defined networking approaches, what does it all mean for security?

Cisco Systems is touting its "spin-in" Insieme Networks' Application Centric Infrastructure, which is purpose-built for integrating cloud computing and data center management, as an alternative to software-defined networking.

The Application Centric Infrastructure technology was developed by former Cisco employees and announced in November 2013. Cisco completed its acquisition of Insieme Networks in December 2013. Application Centric Infrastructure is positioned as another component in Cisco's network programmability framework.

Software-defined networking (SDN) was created specifically to solve security issues. It involves a zero-trust model that assumes all guests are untrusted and limits the code base. VMware's network virtualization platform, NSX, which was one of the very first implementations of SDN, uses a set of primitives that can be controlled by software, independent of the physical devices beneath it. The NSX platform was announced in August 2013 at VMworld.

In addition to fast-growing partner ecosystems, a key similarity between the two network programmability approaches is that both SDN and Application Centric Infrastructure involve significant "trust limiting" changes to network architecture, intended to help solve the costly security problems associated with the transition from client-server to cloud computing.

What is 'Application Centric Infrastructure'?

The Application Centric Infrastructure is the result of "going back to the drawing board and dramatically simplifying the network down to just a few elements," said Jacob Jensen, director of Insieme Networks' software product management team for Cisco.

Not surprisingly, Application Centric Infrastructure embraces hardware and consists of three key parts: Cisco Nexus 9000 or 9300 switches, a policy model and an application policy infrastructure controller (APIC), as shown in Figure 1.


At a high level, Jensen explained, "we pull the policy element of the network from the forwarding. By doing this, we're able to simplify how networks are built, configured and provide dramatic improvements in terms of forwarding packets." Most organizations today want to deploy applications anywhere -- so the application-centric network is purpose-built for mobility.

The network's application-aware policy model is the foundation of security within Application Centric Infrastructure. It essentially "dictates what can talk to what on this network -- it all gets enforced in hardware at the edge," Jensen said. "Before a packet can be forwarded, it's identified and the policy associated with it begins being enforced right then and there." New hardware, in the form of the Cisco Nexus 9000 or 9300 switches, is required to enforce this policy at line rate inside the network.

The APIC controller uses a different architecture than most SDN-type controllers, which employ data path manipulation techniques, such as OpenFlow, according to Jensen. "APIC doesn't manipulate the data path directly," he said. "Instead, it centralizes the policy definition -- automating the entire process of installing and ensuring the policy. It's implemented and enforced in hardware, no matter where that application may appear or move within the network."

Figure 1. The application policy infrastructure controller (APIC) installs and automates policies in virtual and physical environments from a central point.

This approach enables the ability to wrap security and networking policies around every virtual instance, according to Forrester Research analyst Andre Kindness, "essentially creating micro parameters around everything."

Security within the hypervisor: VMware's NSX 'Goldilocks Zone'

Instead of throwing more money at a security problem you aren't able to spend your way out of, it's time to focus on the root cause: network architecture.

Security controls are usually put in one of two places: either in an end host like the application or operating system, or in the network or infrastructure. But both have tradeoffs between context and isolation.

"There's no sort of horizontal security layer in technology with both context and isolation," said Martin Casado, the chief technology officer of networking and security for VMware, who is one of the visionaries behind software-defined networking.

A security control in an application can provide great context, but its proximity to the application means it can be turned off. "The application is generally untrusted; it's like an alarm system with the on/off switch outside your house," he said. "It's why application-based approaches are easily subverted."

Security controls in the physical infrastructure pose the opposite problem. "You have good isolation, even if the network is compromised by a virus, Trojan, worm or an attacker," Casado said. "Security controls in the infrastructure are still enforced, unless those are attacked as well. In this case, you can still enforce policy, but won't know what you're enforcing it over or have meaningful context."

So, where's the ideal place for security controls? Thanks to the transition from client-server to cloud, most modern enterprise clouds run virtualization and have a hypervisor running on all of their servers. The hypervisor provides both context and isolation, according to Casado, whose company is unveiling a new component of its NSX network virtualization platform strategy.

"We call it 'The Goldilocks Zone,' which is a term NASA scientists used in the '70s to describe planets that could be hospitable to life -- not too hot or too cold -- but that need to be a certain distance from the sun," Casado said. "The hypervisor is similar because it's close enough to the application to get meaningful semantics, but far enough away to be totally isolated." The implications and consequences of the Goldilocks Zone "are extremely significant, because it touches on most areas of security."

Application Centric Infrastructure versus SDN

So, how exactly is Application Centric Infrastructure different from SDN? One obvious difference is its implementation. Application Centric Infrastructure appears to be a network virtualization platform, done in hardware instead of software, with an application-aware network policy layer on top.

SDN is essentially a "stack" architecture used to separate the network control plane from the forwarding plane. A centralized controller defines forwarding behavior through high-level policy. Atop the controller, northbound APIs present a network abstraction interface to the applications and management. At the bottom of the stack, southbound APIs, such as OpenFlow, allow a controller to define the behavior of switches.
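To make the stack concrete, here is an added toy model of the split just described: a controller that holds the policy and receives intent through a northbound call, and switches that hold only match/action tables programmed through a southbound call. This is example code written for this article, not code from OpenFlow, NSX or any controller; every class, field and address in it is an assumption.

```python
# Added example: a toy model of the SDN stack (control plane separated from
# forwarding plane, northbound intent in, southbound flow entries out).
# Constructed for this article; not code from any SDN controller or from
# OpenFlow, and all class and field names are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FlowMatch:
    """Match fields for a flow entry; None means wildcard."""
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Dict[str, object]) -> bool:
        fields = (("src", self.src), ("dst", self.dst), ("dport", self.dport))
        return all(want is None or pkt.get(key) == want for key, want in fields)


@dataclass(frozen=True)
class FlowEntry:
    priority: int          # higher wins, as in an OpenFlow table
    match: FlowMatch
    action: str            # "forward" or "drop"


class Switch:
    """Forwarding plane: no policy of its own, just a priority-ordered table."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.table: List[FlowEntry] = []

    def install(self, entry: FlowEntry) -> None:
        # Southbound API: the controller programmes the data path directly.
        self.table.append(entry)
        self.table.sort(key=lambda e: e.priority, reverse=True)

    def forward(self, pkt: Dict[str, object]) -> str:
        for entry in self.table:
            if entry.match.matches(pkt):
                return entry.action
        return "drop"   # table miss: nothing matched, so nothing is forwarded


class Controller:
    """Control plane: the only component that knows the policy."""

    def __init__(self) -> None:
        self.switches: Dict[str, Switch] = {}
        self.intent: List[Tuple[str, str, int]] = []

    def register(self, sw: Switch) -> None:
        self.switches[sw.name] = sw
        # Zero-trust default: every switch starts with an explicit drop-all
        # entry, so only flows the controller later allows get forwarded.
        sw.install(FlowEntry(0, FlowMatch(), "drop"))
        for src, dst, dport in self.intent:   # replay policy to late joiners
            sw.install(FlowEntry(100, FlowMatch(src, dst, dport), "forward"))

    def allow(self, src: str, dst: str, dport: int) -> None:
        # Northbound API: callers state intent; the controller, not the
        # caller, decides which flow entries each switch receives.
        self.intent.append((src, dst, dport))
        for sw in self.switches.values():
            sw.install(FlowEntry(100, FlowMatch(src, dst, dport), "forward"))


def demo() -> Dict[str, str]:
    """Build a two-switch fabric, allow one flow, and forward three packets
    on a switch that joined after the policy was defined (constructed data)."""
    ctl = Controller()
    leaf1, leaf2 = Switch("leaf1"), Switch("leaf2")
    ctl.register(leaf1)
    ctl.allow("10.0.1.10", "10.0.2.20", 3306)   # web tier -> database port
    ctl.register(leaf2)                          # joins after the policy exists
    pkts = {
        "allowed": {"src": "10.0.1.10", "dst": "10.0.2.20", "dport": 3306},
        "reverse": {"src": "10.0.2.20", "dst": "10.0.1.10", "dport": 3306},
        "ssh":     {"src": "10.0.1.10", "dst": "10.0.2.20", "dport": 22},
    }
    return {name: leaf2.forward(p) for name, p in pkts.items()}


if __name__ == "__main__":
    print(demo())
```

The point of the model is the division of labour: the switch never sees the intent, only the entries derived from it, and an entry missing from the table is a drop rather than a guess. The reverse direction is dropped here because the toy has no connection state; a real fabric needs either an explicit return rule or stateful handling, which is exactly the kind of detail a policy layer is meant to take off the operator's hands.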

The other major difference between the two approaches is that NSX taps the hypervisor for the isolation and context it provides, while Application Centric Infrastructure, as the name implies, is application centric. (See "Security Within the Hypervisor: VMware's NSX 'Goldilocks Zone.'")

VMware's NSX and other SDN platforms may have an early advantage, however. "Cisco's controller, for example, won't be out for a few months yet," said Kindness, "while NSX is already being tested and deployed."

But at this stage, according to Kindness, "there's a whole lot of hand waving going on. People are still attempting to make sense of SDN and figuring out what exactly it can do for them," he said. "SDN brings many changes and, since there are a wide variety of options out there, it's a confusing time overall."

Security benefits

As for security improvements with programmability architectures, network security professionals can expect to see the emergence of Layer 4-7 service benefits.

"If you look at security today, many mistakes that occur are just flat-out misconfigurations," said Jensen. "APIC manages more than just basic connectivity; it also gets into Layer 4-7 services like firewalls or load balancers."

One problem frequently encountered in networks is firewall rules. "Say, for example, your network has 15,000 firewall rules, but these were turned on over time and no one knows whether they're active based on application requirements currently on the network … it's not good," Jensen said. "We went out and solved that problem by describing what the application needs are -- including their firewall -- in the system. APIC will configure and automatically 'stitch' the application to the firewall."

If the application is removed from the network, APIC "calls out to the firewall and decommissions the associated firewall rules," he explained. This is something that "can save customers a tremendous amount of money on firewalls in terms of managing firewall rules."
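The following added example models the application-centric policy described in this section and in the earlier description of the policy model ("what can talk to what," enforced wherever an endpoint appears): an application is declared as endpoint groups plus contracts, the controller derives the firewall rules from that declaration, the rules follow an endpoint when it moves, and decommissioning the application removes every rule it justified. It also shows the audit that the "15,000 rules" problem calls for, flagging legacy rules that no deployed application accounts for. This is example code written for this article, not APIC code or any Cisco API; all class, field and address names are assumptions.

```python
# Added example: a toy application-centric policy model. Constructed for this
# article; it is not APIC code or any Cisco API, and every class, field and
# address is an assumption.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Contract:
    """Who may initiate to whom: consumer group -> provider group on a port."""
    consumer: str
    provider: str
    port: int
    proto: str = "tcp"


@dataclass
class AppProfile:
    """An application described by its endpoint groups and their contracts."""
    name: str
    groups: Dict[str, Set[str]]     # group name -> endpoint addresses
    contracts: List[Contract] = field(default_factory=list)


@dataclass(frozen=True)
class FirewallRule:
    """A concrete L4 permit, as a firewall would hold it."""
    src: str
    dst: str
    port: int
    proto: str


class PolicyController:
    """Central policy definition; firewall rules are derived, never hand-written."""

    def __init__(self) -> None:
        self.apps: Dict[str, AppProfile] = {}
        self.rules_by_app: Dict[str, Set[FirewallRule]] = {}

    @staticmethod
    def compile(app: AppProfile) -> Set[FirewallRule]:
        """Expand group-level contracts into address-level firewall rules."""
        return {
            FirewallRule(s, d, c.port, c.proto)
            for c in app.contracts
            for s in app.groups[c.consumer]
            for d in app.groups[c.provider]
        }

    def deploy(self, app: AppProfile) -> None:
        self.apps[app.name] = app
        self.rules_by_app[app.name] = self.compile(app)   # "stitch" to firewall

    def move_endpoint(self, app_name: str, group: str, old: str, new: str) -> None:
        """An endpoint moves; the policy follows it because rules are recompiled."""
        app = self.apps[app_name]
        app.groups[group].discard(old)
        app.groups[group].add(new)
        self.rules_by_app[app_name] = self.compile(app)

    def decommission(self, app_name: str) -> None:
        """Removing the application removes every rule it justified."""
        del self.apps[app_name]
        del self.rules_by_app[app_name]

    def firewall(self) -> Set[FirewallRule]:
        """The complete rule set the firewall should currently hold."""
        return set().union(*self.rules_by_app.values())

    def permitted(self, src: str, dst: str, port: int, proto: str = "tcp") -> bool:
        """Edge check: forward only if some deployed application allows it."""
        return FirewallRule(src, dst, port, proto) in self.firewall()

    def stale_rules(self, legacy: Set[FirewallRule]) -> Set[FirewallRule]:
        """Rules found on a firewall that no deployed application accounts for."""
        return legacy - self.firewall()


def demo() -> Dict[str, object]:
    """Deploy one application, move an endpoint, audit, then decommission."""
    ctl = PolicyController()
    shop = AppProfile(                       # constructed sample application
        "shop",
        {"web": {"10.0.1.10", "10.0.1.11"}, "db": {"10.0.2.20"}},
        [Contract("web", "db", 3306)],
    )
    ctl.deploy(shop)
    legacy = {                               # constructed "old" firewall state
        FirewallRule("10.0.1.10", "10.0.2.20", 3306, "tcp"),
        FirewallRule("10.0.9.9", "10.0.2.20", 3306, "tcp"),   # nobody owns this
    }
    out: Dict[str, object] = {
        "web_to_db": ctl.permitted("10.0.1.10", "10.0.2.20", 3306),
        "db_to_web": ctl.permitted("10.0.2.20", "10.0.1.10", 3306),
        "stale_before": len(ctl.stale_rules(legacy)),
    }
    ctl.move_endpoint("shop", "web", "10.0.1.11", "10.0.3.5")
    out["moved_ok"] = ctl.permitted("10.0.3.5", "10.0.2.20", 3306)
    ctl.decommission("shop")
    out["rules_after"] = len(ctl.firewall())
    return out


if __name__ == "__main__":
    print(demo())
```

Two properties carry the security argument. Because every rule is derived from a contract, an endpoint that moves keeps the same permissions and loses the old address automatically, and because rules are keyed to the application that justified them, decommissioning leaves nothing behind for an auditor to puzzle over. The `stale_rules` check is the defender's view of the same mechanism: anything on the firewall that the policy cannot reproduce is a candidate for removal.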

Many people have voiced security and risk management concerns with these new architectures. For example, there's a big misconception that the controller is an easy target, but in both the Application Centric Infrastructure and NSX approaches the controller is actually running on a remote compute node and isn't addressable.

DDoS attacks are another area of concern, but proponents say both Application Centric Infrastructure and SDN are hardened against these types of attacks -- including traffic coming into the controller through the northbound APIs.

"We also provide encryption between the network and the controller, which prevents man-in-the-middle types of attacks," said Praveen Jain, vice president of Insieme Networks' Application Centric Infrastructure product line.

Security role changes ahead

What do all the potential network architecture changes mean for security? With options galore, there is real opportunity to fix security problems.


One emerging trend that may affect the approach CISOs choose to take, according to Kindness, is that it's not necessarily networking personnel making buying decisions anymore. Data center architects, enterprise architects and application developers are also setting criteria and defining what they want their infrastructures to be able to do.

"This has the potential to really change the dynamics for the industry -- it's why we're seeing big interest in exploring all of the options available," said Kindness. "Our clients are asking not only about VMware and Cisco solutions, but also HP, F5 Networks and other small companies like Cumulus Networks."

In the networking realm, "we aren't comfortable with coding and virtual instances -- but we need to get there," he said. "Security people will need to become comfortable with it, too, because networking and security are on the path toward eventually meshing into a single unit. Our desire to move at speed means changes ahead for security roles, as well as networking."
