APIC's Adventures in Wonderland

Presented at Black Hat USA 2019, Aug. 7, 2019, 11:15 a.m. (50 minutes).

Software-defined networking (SDN) along-side with micro-segmentation has been proposed as a new paradigm to deploy applications faster and, simultaneously, protect the individual workloads against lateral movement. Its implementation usually follows an application-centric view where the underlying network specifics are abstracted away from the management layers. Hence, an application developer only defines how similar parts of his application can communicate (e.g. web servers can connect to database servers on the following port) without considering the details of the network communication (e.g. IP addresses/subnets and routing tables).

A prominent solution in this area is the Application Centric Infrastructure (ACI) by Cisco. ACI is based on Nexus switches in a spine-leaf configuration and one (or preferably more) Application Policy Infrastructure Controller (APIC). APICs are ACI's brain controlling the configuration of the switches to provide SDN and micro-segmentation capabilities for connected endpoints. Endpoints can then be aggregated into so-called endpoint groups (EPGs), which serve as the basic entities to apply filtering rules.

In this talk, we will demystify the magic that surrounds the ACI wonderland and follow the APIC on its journey down the rabbit hole from when it gets first connected to the leaf switches till its configuration with EPGs and filtering rules. Along this journey we will participate in a crazy tea party. Here, the Mad Hatter will introduce us to the components involved in setting up the ACI fabric (including their background communication and used protocols), the March Hare will demonstrate what things can go wrong, and the Dormouse, before finally drifting to sleep, will release exploits for identified vulnerabilities.


Presenters:

  • Oliver Matula - Dr., ERNW Enno Rey Netzwerke GmbH
    Oliver Matula is an IT security researcher and practitioner at ERNW and has extensive experience on the offensive side of IT security (e.g. by means of penetration tests and research) and the defensive side (e.g. by means of consulting in large corporate environments).
  • Frank Block - Security Researcher, ERNW Research GmbH
    Frank Block is a security consultant working for ERNW Research GmbH with more than 10 years of experience, and is an external PhD student at the University of Erlangen-Nuremberg (Department Informatik) with a focus on memory forensics. His main expertise lies with the analysis of incidents and the penetration testing of enterprise networks and web applications. When not involved in customer projects, he enjoys doing research in all kinds of areas (e.g. Wireless technologies) and gives trainings on topics such as hacking and incident analysis.

Links:

Similar Presentations: