So you’ve built a software and service inventory platform that supports both Windows and Linux endpoints through the use of a lightweight agent, but you want to expand its market share and seem cool & hip with the micro-segmentation crowd. What are you to do? Well, if your name is Cisco and the product is Tetration, you add the ability to orchestrate the host-level firewall, be it iptables or Windows Defender Firewall.
Now I hear you saying, “Doesn’t Cisco already have a micro-segmentation offering with ACI?” And yes, they do, but it is tied to rather expensive Nexus 9K series hardware. So, in a rather un-Cisco-like move, instead of tying the product to an expensive piece of proprietary hardware, with Tetration one can deploy the management plane on hardware, as a VM, or utilize a Cisco-managed SaaS service. This is possible because Tetration breaks from the micro-segmentation model used by ACI, where policy enforcement is done at a layer above the protected host. With Tetration an agent (boo! hiss!) gets installed on every protected host, be it Windows or Linux, to turn policy statements crafted at the management plane into rules in the native Windows Firewall or iptables. This comes with the inherent limitation of only being able to do layer 4 port/protocol security policies, with the twist of being able to tell which process is listening for or transmitting the traffic.
To automate the process of rule creation as new hosts come online, Tetration utilizes policies built around tags. In theory this is great and provides a more DevOps-style path to security. But in reality, it takes a fairly mature organization to have its security policies implemented in such a way that applying tags works, especially once you start integrating with other environments such as VMware vSphere or border firewalls that have their own sets of tags. Agreement across the board on what a tag means and what attributes are associated with it is critical.
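To make the agent model concrete, here is an added illustration (not Tetration's own code or API) of how tag-based layer 4 policies get compiled into native host-firewall rules on each protected host, plus the check that catches a policy tag no host actually carries. The hosts, tags and addresses are constructed samples.

```python
"""Added illustration, not Tetration's own code or API: compile tag-based
layer-4 policies into per-host iptables or netsh advfirewall rules.
Every host, tag and address below is constructed for the example."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    os: str              # "linux" -> iptables, "windows" -> netsh advfirewall
    tags: frozenset

@dataclass(frozen=True)
class Policy:
    src_tag: str
    dst_tag: str
    proto: str           # "tcp" or "udp"; this model stops at layer 4
    port: int

# Constructed sample inventory and policy set.
INVENTORY = [
    Host("web1", "10.0.1.11", "linux", frozenset({"web", "prod"})),
    Host("web2", "10.0.1.12", "windows", frozenset({"web", "prod"})),
    Host("db1", "10.0.2.21", "linux", frozenset({"db", "prod"})),
]
POLICIES = [
    Policy("web", "db", "tcp", 3306),   # web tier may reach the database
    Policy("mgmt", "web", "tcp", 22),   # no host carries "mgmt": a tag mismatch
]

def unresolved_tags(policies, inventory):
    """Tags referenced by policy that no host carries: the tag-agreement problem."""
    known = set().union(*(h.tags for h in inventory))
    used = {t for p in policies for t in (p.src_tag, p.dst_tag)}
    return sorted(used - known)

def compile_for_host(host, policies, inventory):
    """Inbound allow rules for one host, followed by a default-deny setting."""
    rules = []
    for p in policies:
        if p.dst_tag not in host.tags:
            continue
        for src in sorted(h.ip for h in inventory if p.src_tag in h.tags and h is not host):
            if host.os == "linux":
                rules.append(f"iptables -A INPUT -p {p.proto} -s {src} --dport {p.port} -j ACCEPT")
            else:
                rules.append(f'netsh advfirewall firewall add rule name="{p.src_tag}->{p.dst_tag}" '
                             f"dir=in action=allow protocol={p.proto} localport={p.port} remoteip={src}")
    rules.append("iptables -P INPUT DROP" if host.os == "linux"
                 else "netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound")
    return rules
```

Running `compile_for_host` over each host in `INVENTORY` shows the point of the agent model: the database host gets one allow rule per web server and nothing else, while the unresolved `mgmt` tag silently yields no rule at all, which is exactly the kind of gap cross-team tag agreement has to prevent.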
Where Tetration gets interesting, and IMO provides real value, is that with the agent installed on every protected host you are provided an inventory of every system. This inventory includes the software (and versions) installed, currently running processes, and historically run processes. So you can know which of your web servers are vulnerable to Apache Struts bugs and where in your environment you still have SMBv1 running. The inventory data can also be shared with third-party tools through a REST API or via Kafka.
I see value in Tetration, but more for mapping out application dependencies and inter-relationships than for providing security. Whether the value justifies purchase all depends on Cisco’s licensing of the product, which is historically one of Cisco’s weak points. Products are typically priced at a premium, and support renewals are akin to walking barefoot across a bed of salt and broken glass. It will be interesting to see what sort of foothold Cisco is able to gain with Tetration in what is becoming a crowded segment of host-based micro-segmentation, with Illumio, Guardicore, Edgewise Networks, and others having a head start.
Thank you to Remi Philippe, Rob Tappenden, and Tim Garner of Cisco for their presentation on Tetration at Security Field Day 4.