Security in Utilities: an architectural approach for partners.

When we talk about Utilities, we usually refer mainly to the companies that supply electricity to business and residential consumers. However, there are several other types of Utilities including Water, Gas and Waste Management companies just to name a few. All of them face the same types of security threats, in the past few years there have been a number of incidents, for example public warning systems have been hacked and turned on in the middle of the night. There have also been attacks on the systems that control gas pipelines shutting down the gas flow for several hours.

Many of these attacks have happened not because of the actual lack of IT security measures or precautions, but in my cases due to organizational failures, whereby security data has been released to a third-party contractor without taking the necessary data protection procedures to avoid these incidents from happening.

In order to prevent security incidents from happening companies have to evolve their security approach to a phased security architecture:

◈ First Phase: modernize the connectivity of the transmission and distribution systems, including zone segmentation, controlled conduits and following standards such as ISA -95,99 / IEC 62443 / NERC /NIST.

◈ Second Phase: providing visibility of the data that is going through the equipment and systems all the way to the control area. This requires Application Control and Threat Control.

◈ Third Phase: convergence of security policies across all the different layers, including policy driven responses and deeper vision and control.

This phased security architectural approach can be used by partners across different types of Utilities. The most important thing to highlight is that partners should provide their customers with a consistent risk assessment followed by an architecture that addresses the potential gaps discovered through this assessment.

There are some use case themes that partners can discuss with their customers to address the different types of potential vulnerabilities their industrial infrastructure might have, including:

◈ Secure Connectivity: what devices can connect to what control systems; what type of communications can happen between different systems.

◈ Secure Remote Access: what are the access control measures, how can secure access be provided.

◈ Threat Control: what devices are vulnerable; how can you protect any vulnerable assets.

◈ Safe Environment: what type of protection is being provided in the networking infrastructure and what type of protection is being provided on the devices themselves.

In order to address the security requirements of all different types of Utilities we now have Cisco IoT Threat Defense which converges a security architecture and services to help industrial companies defend their IoT devices and keep their business running.

The main idea is to look at the individual environments that need some form of Cybersecurity, then mapping them to the products that Cisco partners can deliver by using the Cisco Validated Designs to define how to bring a particular solution forward.

There are four different areas that we focus on: Segmented Access Control for both IT and OT environments; Visibility and Analysis of potentially dangerous behavior to/from IoT devices; Secure Access into the OT network; and finally, Professional Security Services to assess the baseline risk, manage OT environments and perform incident response.

Continue reading

Improved performance and pay-as-you-go in Microsoft Azure

According to a recent IDC survey 85% of organizations are evaluating or using the public cloud1. As customers begin deploying workloads in the public cloud having a high-performing solution that allows them to securely extend their on-premises network to the cloud is critical. The Cisco CSR 1000V is a full-featured IOS-XE router that provides a secure way to connect your public cloud deployment to your on-premises network.

We are constantly working with our cloud partners to deliver new features and improved scale and performance. The latest software release for CSR 1000V (IOS-XE 16.10.1) delivers a number of significant enhancements for CSR 1000V on Microsoft Azure.

First, the release adds support for Microsoft Accelerated Networking which will enable customers to achieve 4x the throughput of the current CSR 1000V software release. Also, CSR 1000V will be launching support for customers to leverage pay-as-you-go, allowing for hourly consumption of the CSR. All of these improvements mean customers will be able to leverage better scale and performance for the CSR in Microsoft Azure.

Improved performance with Accelerated Networking

Cisco is adding support for Microsoft Accelerated Networking in the IOS-XE 16.10.1 software release for the CSR 1000V. By leveraging Accelerated Networking CSR 1000V is able to achieve up to a 4x increase in throughput performance across the existing instance types.

Figure 1 – Image from Microsoft Azure Documentation on Accelerate Networking

With accelerated networking, network traffic arrives at the VM’s network interface (NIC), and then is forwarded directly to the VM by-passing the host and the virtual switch. By allowing the CSR 1000V direct access to the network interface (NIC) Cisco and Microsoft are able to achieve significant improvements in the maximum throughput of the virtual router.

Azure Pay-as-you-Go

This new release for CSR 1000V also marks the launch of a new way to consume CSR 1000V on Azure. Customers will now be able to launch an hourly pay-as-you-go instance of CSR 1000V from the Azure Marketplace. With hourly pay-as-you-go, users can spin up CSR 1000V and consume it for a defined period of time based on their needs. When they are finished they can spin it down and only pay for the length of time they used it instead of being locked into an annual or multi-year contract. This pay-as-you-go instance of CSR 1000V will support all of the existing deployment models that are available today for customers who choose the bring-your-own-license consumption model for CSR 1000V.

Smart Licensing Only

In this release CSR 1000V will support only Smart Licensing. In previous release the CSR 1000V also supported classic ePAK licensing. Going forward all future releases of software for CSR 1000V will support only Smart Licensing which greatly simplifies licensing for the customer and provides greater flexibility and visibility to the licenses they own. Customers can use the Cisco Smart Software Manager (CSSM) to view all of the smart licenses they own in one place. For customers who have classic ePAK licenses they should convert their classic license to a smart licenses using the Licenses Registration Portal prior to upgrading to the 16.10.1 release.

This video provides step-by-step details on how to convert your existing classic ePAK licenses to a smart license.

Continue reading

The Legacy Continues with a Modern Classic

With the ISR 900 Series, Cisco continues a 26 year pedigree.

1993 was a much simpler time. A gallon of gas cost $1.16. The Space Shuttle was still flying. Beanie Babies were launched. Intel introduced the Pentium processor to power Windows 3.1. Jurassic Park and Mrs. Doubtfire were leading the box office while Snoop Dogg and Rage Against the Machine had breakout hits. Is this making anyone else feel nostalgic or just old?

1993 was also the year that Cisco introduced something that would forever change the landscape of networking in remote offices – the Cisco 2500 Series. For the first time there was a compact affordable Enterprise router with a huge spectrum of available interfaces and features to hammer just about any networking nail. The 2500 was so reliable that they can still be found in offices and data centers around the world more than a quarter century after being introduced. (I confess that I still use several 2511-RJ as terminal servers.)

Capability with Simplicity

So, what made the Cisco 2500 so great and how does that relate to a router being introduced in 2019? The answer is simple – literally. Simplicity with capability in the form of features and interfaces. The 2500 was never the fastest router in the market, but the flexibility and reliability made it a trusted friend for IT staff. With literally thousands of features and any interface type you were likely, or even unlikely, to run into, the 2500 could do it all.

That initial success led to the Cisco 2600 and 3600 Series which would morph into the first generation of Integrated Services Routers followed by the ISR G2 and 800 Series routers all running the same Cisco IOS® operating system. That’s a direct unbroken line of platforms running the same operating system since the earliest Cisco Routers, while adding new features and hardening the whole time. There just isn’t another piece of software with that pedigree anywhere.

Modern Hardware for a New Take on a Classic

The ISR 900 Series builds on that solid foundation with rock-solid 21st century hardware. The Cisco 900 Series is a silent, fan-less chassis designed to fit into any office. With that comes the interfaces you need today including LTE (available soon), ADSL/VDSL, Gigabit Ethernet WAN and switching. Modern components bring Cisco IOS performance on par with current branch routers including high performance encrypted VPN and firewall. Thousands of features you expect from a Cisco Branch Router, including some the 2500 never dreamed of, are built in such as MPLS, IPSLA, AVC, PfR and more with performance that’s more than 100 times what the 2500 could dream of.

Just One More Thing

There’s also one more throwback to classic small branch routers you might notice in the new Cisco 900 Series ISR and that’s the internal power supply. The Cisco 921 & 931 ISRs do away with the external power supply “brick” common to branch office devices and brings the power supply inside the router which can really clean up a cluttered branch environment.  Getting the power supply inside a passively cooled chassis with a wide temperature range is a big engineering deal. Yes, I really did just geek out over a power supply.

The Cisco 900 Series is a modern classic. It complements other members of the ISR portfolio, such as the ISR 1000 Series and ISR 4000 Series, while providing an easy migration path for Cisco 800 Series users. It isn’t the fastest or flashiest member of the ISR family. What it is is a solid, reliable performer with the features you need to sort out the most complex of network nightmares. Isn’t that what most IT professionals really want when the business is on the line?

This is just a teaser for what you can expect from the Cisco ISR 900 Series. Head on over to the Cisco ISR 900 Series page, cisco.com/go/isr900, for all the details.

Continue reading

Cisco DNA Center Network Automation with Template Programmer API – Part 1

Using APIs to apply templates to network devices

Cisco DNA center provides Day0 to Day-N support for network device automation.

This blog looks at one aspect of automation, the template programmer. Specifically, it covers the API’s used to apply templates to network devices.

Template programmer uses the velocity templating language for templates. The templates are created via the template editor and are applied via the User Interface or programmatically via the API.

This initial blog is going to cover the basics of finding templates, getting a specific version and applying a template to a device. To better illustrate how the API calls can be used in a practical manner, I am going to use a small python script published on github.

I am going to use a common (practical example) template of changing the vlan assigned to an interface on a switch. The template will take two variables:

◈ An interface name (e.g. gig1/0/20)
◈ A vlan number (e.g. 20)

Interaction with PnP Day0

For those familiar with this blog series, I have covered day0 configuration with Network PnP and also some basic velocity examples.

Day-0 templates are applied only when the device first contacts the controller and is onboarded to the network. Depending on your operational model, the day0 configuration might be quite small (just enough to establish secure connectivity) and day-N templates are used to apply ongoing configuration changes.

Step 1 – Listing Templates

The first step is to find the templates available on the Cisco DNA Center.

If you downloaded the example script, you can just run it with no arguments to see a list of templates.

(in order to run this script you will need to either edit the dnac_config.py file, or set the appropriate environment variables to customize your DNA Center and loging credentials – as outlined in the README). The template of interest is called “Adam/int-vlan” .

The API call is shown below. When the script is run without any argumnets, it prints the names of all templates. The first part of the name is the template project. In this case “Adam”. A project is just a folder to group templates.

$ ./template.py
Available Templates:
https://dnac:443/dna/intent/api/v1/template-programmer/template
  Adam/acl
  Adam/binding
  Adam/int-vlan
  Adam/interface-des
  DB/prefix
  Onboarding Configuration/9300
  Onboarding Configuration/advanced
  Onboarding Configuration/basic
  Onboarding Configuration/encs-9k
  Production/base
  Production/comp1
  Production/interfaces

Step 2– Getting the latest version

To get more details on a particular template, the script can be run with the –template <template-name> option. The latest version of the template (Version: 10) is selected.

The TemplateId is then used to return the body of this version of the template.

The body is quite simple, applying an access vlan to the given switch port. This is shown in green.

The script also requires two parameters ({“vlan”:””,”interface”:””})

$ ./template.py --template Adam/int-vlan
Looking for: Adam/int-vlan
https://dnac:443/dna/intent/api/v1/template-programmer/template
TemplateId: 610a718c-0a71-484b-a632-a79b64192cb7 Version: 11

https://dnac:443/dna/intent/api/v1/template-programmer/template/610a718c-0a71-484b-a632-a79b64192cb7
Showing Template Body:
interface $interface
  switchport access vlan $vlan

Required Parameters for template body: {"vlan":"","interface":""}

Bindings []

Step 3– Applying the template

The script can be executed with a device (ip address) and params provided. Note the params are in single quote to avoid shell issues.

$ /template.py --template Adam/int-vlan --device 10.10.50.2 --params '{"vlan":"20","interface":"gig1/0/20"}'
Looking for: Adam/int-vlan
https://dnac:443/dna/intent/api/v1/template-programmer/template
TemplateId: 610a718c-0a71-484b-a632-a79b64192cb7 Version: 11

https://dnac:443/dna/intent/api/v1/template-programmer/template/610a718c-0a71-484b-a632-a79b64192cb7
Showing Template Body:
interface $interface
  switchport access vlan $vlan

Required Parameters for template body: {"interface":"","vlan":""}

Bindings []

Up to this point, the output is the same as before. The payload for applying the template is below. Some notes:

◈ The targetInfo can be a list, which means multiple devices can be provisioned at the same time.
◈ Each target has its own set of parameters.
◈ The target device can be specified in multiple ways. In this example “MANAGED_DEVICE_IP” is the type, and the IP of the device is 10,.10.50.2. UUID is also supported.
◈ The templateId is also required.

{'targetInfo': [{'params': {u'interface': u'gig1/0/20', u'vlan': u'20'},
                'type': 'MANAGED_DEVICE_IP',
                'id': '10.10.50.2'}],
'forcePushTemplate': False,
'templateId': u'610a718c-0a71-484b-a632-a79b64192cb7'}

The POST call to https://dnac:443/dna/intent/api/v1/template-programmer/template/deploy returns a task, which contains a deploymentId which needs to be polled for completion.

Executing template on:10.10.50.2, with Params:{"vlan":"20","interface":"gig1/0/20"}
payload {'targetInfo': [{'params': {u'interface': u'gig1/0/20', u'vlan': u'20'}, 'type': 'MANAGED_DEVICE_IP', 'id': '10.10.50.2'}], 'forcePushTemplate': False, 'templateId': u'610a718c-0a71-484b-a632-a79b64192cb7'}
https://dnac:443/dna/intent/api/v1/template-programmer/template/deploy
Response {u'duration': u'0 seconds', u'deploymentId': u'Deployment of Template: 610a718c-0a71-484b-a632-a79b64192cb7.ApplicableTargets: [10.10.50.2]Template Deployemnt Id: 41ac69b9-8f2b-43a5-bb4b-622936f0f244', u'endTime': u'', u'startTime': u''}

The deploymentId status needs to be polled until the deployment is competed.

waiting for deploymentId 41ac69b9-8f2b-43a5-bb4b-622936f0f244
https://dnac:443/api/v1/template-programmer/template/deploy/status/41ac69b9-8f2b-43a5-bb4b-622936f0f244
{u'status': u'INIT', u'templateName': u'int-vlan', u'projectName': u'Adam', u'devices': [{u'status': u'IN_PROGRESS', u'name': u'', u'detailedStatusMessage': None, u'deviceId': u'e05075e8-eb5b-42f5-9f60-d56380702655', u'startTime': u'04:33:56 15/01/2019', u'duration': u'0 minutes 0 seconds', u'endTime': u'', u'ipAddress': u'e05075e8-eb5b-42f5-9f60-d56380702655'}], u'deploymentId': u'41ac69b9-8f2b-43a5-bb4b-622936f0f244', u'startTime': u'', u'duration': u'0 seconds', u'endTime': u'', u'templateVersion': u'11'}
Task=41ac69b9-8f2b-43a5-bb4b-622936f0f244 has not completed yet. Sleeping 2 seconds...
https://dnac:443/api/v1/template-programmer/template/deploy/status/41ac69b9-8f2b-43a5-bb4b-622936f0f244
{u'status': u'SUCCESS', u'templateName': u'int-vlan', u'projectName': u'Adam', u'devices': [{u'status': u'SUCCESS', u'name': u'', u'detailedStatusMessage': u'Provisioning success for template int-vlan', u'deviceId': u'e05075e8-eb5b-42f5-9f60-d56380702655', u'startTime': u'04:33:56 15/01/2019', u'duration': u'0 minutes 2 seconds', u'endTime': u'', u'ipAddress': u'e05075e8-eb5b-42f5-9f60-d56380702655'}], u'deploymentId': u'41ac69b9-8f2b-43a5-bb4b-622936f0f244', u'startTime': u'', u'duration': u'0 seconds', u'endTime': u'04:33:57 15/01/2019', u'templateVersion': u'11'}

Once completed, the status is displayed. The status (SUCCESS/FAIL), time taken, template name, version and deviceId are all shown.

Response:
{
  "status": "SUCCESS",
  "templateName": "int-vlan",
  "projectName": "Adam",
  "devices": [
    {
      "status": "SUCCESS",
      "name": "",
      "detailedStatusMessage": "Provisioning success for template int-vlan",
      "deviceId": "e05075e8-eb5b-42f5-9f60-d56380702655",
      "startTime": "04:33:56 15/01/2019",
      "duration": "0 minutes 2 seconds",
      "endTime": "",
      "ipAddress": "e05075e8-eb5b-42f5-9f60-d56380702655"
    }
  ],
  "deploymentId": "41ac69b9-8f2b-43a5-bb4b-622936f0f244",
  "startTime": "",
  "duration": "0 seconds",
  "endTime": "04:33:57 15/01/2019",
  "templateVersion": "11"
}

The interface Gig1/0/20 on the switch has successfully been provisioned into vlan 20.

Tips and Traps

One of the most obvious issues when testing is an error message related to “deployed with same params”, an example appears below.

Executing template on:10.10.50.2, with Params:{"vlan":"20","interface":"gig1/0/20"}
payload {'targetInfo': [{'params': {u'interface': u'gig1/0/20', u'vlan': u'20'}, 'type': 'MANAGED_DEVICE_IP', 'id': '10.10.50.2'}], 'forcePushTemplate': False, 'templateId': u'610a718c-0a71-484b-a632-a79b64192cb7'}
https://dnac:443/dna/intent/api/v1/template-programmer/template/deploy
Response {u'duration': u'0 seconds', u'deploymentId': u'Deployment of Template: 610a718c-0a71-484b-a632-a79b64192cb7.ApplicableTargets: [10.10.50.2],Template int-vlan:11 is already deployed with same params,. Not deploying it.None of the targets are applicable for the template. Hence not deploying', u'endTime': u'', u'startTime': u''}
Error: 11 is already deployed with same params,. Not deploying it.None of the targets are applicable for the template. Hence not deploying

By default Cisco DNA Center will not deploy the same template, with the same parameters twice (if the first attempt was successful). There are times where you may want to change this behaviour. The –force option can be used to set the ‘forcePushTemplate’: False, option to True.
One other thing you may find confusing is the following message.

Executing template on:10.10.50.20, with Params:{"vlan":"20","interface":"gig1/0/20"}
payload {'targetInfo': [{'params': {u'interface': u'gig1/0/20', u'vlan': u'20'}, 'type': 'MANAGED_DEVICE_IP', 'id': '10.10.50.20'}], 'forcePushTemplate': False, 'templateId': u'610a718c-0a71-484b-a632-a79b64192cb7'}
https://dnac:443/api/v1/template-programmer/template/deploy
Response {u'duration': u'0 seconds', u'deploymentId': u'Deployment of Template: 610a718c-0a71-484b-a632-a79b64192cb7.nonApplicableTargets: {10.10.50.20=Device is not applicable for the template due to mismatch of deviceType or softwareType or softwareVersion}.ApplicableTargets: NoneNone of the targets are applicable for the template. Hence not deploying', u'endTime': u'', u'startTime': u''}
Error: Deployment of Template: 610a718c-0a71-484b-a632-a79b64192cb7.nonApplicableTargets: {10.10.50.20=Device is not applicable for the template due to mismatch of deviceType or softwareType or softwareVersion}.ApplicableTargets: NoneNone of the targets are applicable for the template. Hence not deploying

At first glance, you might think the device type of the template does not match that of the device. This could be true however, somewhat confusingly, it could also be the device IP address cannot be found on the controller. Be careful with devices that have multiple IP addresses, make sure you use the same IP as the controller used to discover and manage the device. In this case 10.10.50.20 is not a valid device in the controller inventory. 10.10.50.2 was used in the earlier examples.

The final thing to be careful of is some parameters might be “typed”. For example, I could have type “int” for vlan in this example (rather than a string). Make sure the payload reflects that.

Continue reading

Performance, Scale, and Flexibility for Accelerating AI / ML

A famous line: “I feel the need–the need for speed!” When I talk to data scientists, they often express the same sentiment. Charged with the responsibility of mining value out of numerous data sources, they often feel that they need ever more speed to do their jobs quickly. To support the data scientists, IT teams are always looking for performance, scale, and flexibility. Clearly, the need for accelerating artificial intelligence and machine learning performance is critical to enterprise’s success.

Performance

In anticipation of Cisco Live Barcelona, I am excited to share some of the recent development on the UCS team to help customers to accelerate AI/ML deployment.

First, Cisco has published the performance characteristics of the UCS C480 ML. With 8 x NVIDIA V100 Tesla GPUs, this server is optimized for deep learning workloads as demonstrated with the various popular convolutional neural networks for image classification.

C480 ML TensorFlow Training Performance

Scale

While the performance of a single server is important, customers are demanding that a cluster of servers to scale to increasing demands. At Cisco Live Barcelona, we are looking forward to show 2 demos.

NGC on Hortonworks 3

Many customers already have a big data lake, and almost everyone is looking to mine additional value out of the data. With Hortonworks 3, the Hadoop cluster is able to support containers running on CPUs and GPUs. This unified cluster architecture enables customers to do traditional data extract, transform, and load (ETL) before feeding the data to a deep learning algorithm. Since Cisco announced intent to support NVIDIA NGC-Ready program, which provides GPU enabled software containers, Cisco Live Barcelona will be the first time where Cisco demonstrate NGC containers running on UCS, in this case, as part of the Hortonworks cluster. In short, the Hortonworks Hadoop cluster is able to support the complete data pipeline.

NGC on Hortonworks 3

NGC on Red Hat OpenShift

While some customers prefer Hadoop as the clustering tool, others are choosing Red Hat OpenShift as the Kubernetes container orchestrator with enterprise support. In Barcelona, we will also show NGC running on OpenShift enabling support for multiple data scientists with both interactive and batch workloads.

NGC on Red Hat OpenShift

Flexibility

Kubeflow Pipelines

While many customers have the bulk of their data on-premise, some data scientists would like to do machine learning experiments in the cloud. In November, 2018, Google announced Kubeflow Pipelines. At Cisco Live Barcelona, in partnership with Google, Cisco will demonstrate Kubeflow Pipelines running on both Google Cloud and UCS enabling a true hybrid cloud experience.

Inferencing on Hyperflex 4.0

Inferencing is also a critical part of machine learning. At Barcelona, we are also showcasing HyperFlex 4.0 as a edge computing system in a retail environment where video streams can be used for customer sentiment analysis.

HyperFlex 4.0 for Inferencing on the Edge

Cisco Live Barcelona 2019

I can’t wait to share with all of you the UCS solutions that can accelerate artificial intelligence and machine learning adoption. With the raw performance of the UCS C480 ML, scale with Hortonworks 3 and Red Hat OpenShift, and flexibility with Kubeflow and inferencing on HyperFlex 4.0, I am looking forward to help our customers to make a genuine difference with the business problems.

Continue reading

Forrester’s Zero Trust or Gartner’s Lean Trust?

Zero trust is misnamed

There’s been many management approaches that include the “Zero” term. In shipping, there was “Zero Inventory”. In manufacturing, there was “Zero Defects”. In environmental planning, there’s “Zero Waste”. So, it’s not surprising that the security industry has adopted “Zero Trust” or its “Zero Trust Networking” (ZTN) and “Zero Trust eXtended” (ZTX) variants as it’s buzzword. I bet you will see this term plastered on vendors booths at RSA Conference this year. But without trust, how would your digital business get things done? Gartner’s Neil MacDonald makes the argument that “zero trust is misnamed” in his latest report, “Zero Trust Is an Initial Step on the Roadmap to CARTA”. Whether it’s Forrester ZTX or Gartner CARTA, both approaches allow businesses to operate in a risk-appropriate manner by enabling better access security decisions.

Use cases that matter

Before we jump into any comparisons, let’s explore some use cases to illustrate why it matters to your business. One example is your CEO accessing Microsoft Office 365—maybe even with her unmanaged iPhone. How do you know that she didn’t get phished and an attacker is logging in with her stolen credentials? Is her device’s screen-lock turned on, OS and browser up to date, and not jailbroken? Another example is your HVAC system accessing the campus network. Were you aware that the OT team installed this without telling IT? Do you know if it meets your IoT requirements or if it’s communicating with things it should not? And don’t forget about your in-house app with containerized workloads accessing each other across a hybrid cloud data center infrastructure. Did your DevOps team document how it’s supposed to communicate or how its services stay up to date? Unlikely, so how do you learn this as it changes over time? It’s now harder than ever for IT teams to enforce access decisions everywhere. But is the answer just denying your CEO, HVAC and app from working? Of course not. Yet “Zero Trust” essentially says to begin with an initial security posture that has no implicit trust between different entities, aka. default deny. If you’re a CISO, does zero trust clearly explain to other business execs why new security investments are needed?

Shift to lean trust

Zero trust also says to “always verify”. So, we could verify the CEO’s identity. And we could assess her iPhone’s hygiene. Or we could check the compliance of the HVAC system’s profile. And we could baseline workloads’ communication behaviors. One could say that these verifications and assessments are rebuilding trust at a higher level of the IT stack. Not based on network IPs, but establishing user-device, IoT or workload trust. So, it does seem like “zero trust” is a misnamed term. Gartner’s CARTA (Continuous Adaptive Risk and Trust Assessment) framework argues that the goal is “lean trust”. MacDonald says to better enable new digital business, cloud and mobile initiatives that we need to continuously assess the combination of risk and trust throughout the duration of a network interaction and beyond the network to all infosec processes.

Be practical

Whether you tell your boardroom that you’re going to adopt zero trust or lean trust, you need to decide how and where to start your multi-year journey. Forrester’s Zero Trust eXtended concept includes every security technology—those designed to eliminate or establish trust as well as those to prevent or detect threats. So, it opens the flood gates to dozens of vendors positioning nearly every product to help you adopt zero trust. Cisco agrees that zero trust is a useful security concept but extending it to all aspects of security makes adopting the approach less practical and prescriptive. MacDonald instead recommends starting two specific projects in 2019—one granting more access protection for users and devices and another delivering more attack protection for workloads and apps. These projects are known as software-defined perimeters to let the good guys in and microsegmentation to keep the bad guys out, respectively.

Maintain balance

In the CARTA framework, MacDonald splits his “Adaptive Security Architecture” (circa 2014) into two balanced access and attack protection approaches with four stages each. This aligns more closely with how Cisco recommends that customers complement the threat-centric security solutions (already deployed or being considered), such as NGFW and SIG, with newer trust-centric security solutions, such as MFA and SDP (see acronym definitions below). Across Cisco’s portfolio, we feel it’s more practical and prescriptive to focus on the subset of services and products that align to the app and network access-focused tenets of CARTA or Zero Trust. We call these trust-centric solutions Cisco Trusted Access. And Cisco is adding continuous verification capabilities across this portfolio to establish a CARTA-inspired “lean trust” level for users and their devices, headless IoT devices, and app workloads. Cisco’s integrated portfolio will ensure that dynamic context gained from your threat-centric solutions adapt trusted access based on your risk tolerance levels. Thereby, eliminating silos across your multi-domain security policy.

Continue reading

The Next Netflix of the SD-WAN Blockbuster: Cisco SD-WAN Security

Much like Blockbuster Video, who paid a final late fee, most SD-WAN vendors will soon pay for ignoring the market’s demand for security integrated within their SD-WAN appliances.

The video rental business was a thriving industry in the early 80s and Blockbuster Video was its undisputed leader. Through years of high-resolution technology innovations, Blockbuster Video kept pace with market demands, upgrading its inventories from the early VHS videos to DVDs and ultimately to Blu-rays. Modernizations on its content delivery process, on the other hand, was a bust. Customers had to visit a video store to rent a movie and return it before a certain deadline. Many factors like an uncomfortable rental process, late fees, limited rentals times, too few copies of new releases per stores, and the occasional bad quality of the rented movies all contributed to customers searching for a better solution.

Fast forward to the present and the complex process and experiences that customers are going through with securing their SD-WAN solutions are very similar to the Blockbuster Video rental process. Over the past few years, there has been an increased interest within enterprise organizations in migrating from traditional WAN to software-defined WAN (SD-WAN). A significant appeal of SD-WAN, for many organizations, is the ability to establish a direct branch-to-cloud and branch-to-Internet connectivity. The direct internet access (DIA) from branches, using less-expensive broadband services, requires deploying strong security at each branch.

Adding Up the Costs

It was estimated that late fees contributed to a substantial amount of Blockbuster’s yearly revenues.  In fact, in 2000 they earned over $800M, or roughly 16% of their revenue, out of late fees alone. Like Blockbuster’s late fees which could have added up to several times of the rental price, a common two-box set for connectivity and security in most of today’s SD-WAN solutions makes the overall platform more expensive to implement and maintain.

But why a two-box solution?

SD-WAN’s direct internet access exposes branches to the outside world’s threats and risks. As more sophisticated threats are emerging from the application level (layer-7), customers are looking for defenses against these advanced threats at layer-7 plus better visibility and control. The majority of current SD-WAN vendors are not inherently built to provide such a granular security and are forced to use an additional security device for their branch connectivity.

Adding the costs of an extra security appliance, its license fee and support, its management tool, and the expertise to install and manage it could easily surpass the forecasted operational expenses.

End-Users’ Experience

Blockbuster’s movie renting process was lengthy and cumbersome for everyone. Customers had to physically go to the store, find a movie, rent a movie, and then return the movie back to the store within a small-time frame. Depending to the location of a video store, just renting a movie could have taken hours instead of minutes. What an inferior content delivery process compared to the modern online rental process that takes just a few clicks!

Similar to the agility of a modern movie streaming experience, distributed organizations using SD-WAN solutions have the dexterity to open two or more new offshore sales offices or store branches in no time. It’s vital for IT teams to deploy, provision, and dynamically scale new branches from any location without requiring physical presence in every location. However, remotely deploying a two-box solution does not seem to be a straight forward and easy task.  The configuration and deployment of additional infrastructure using separate management tools could easily turn the provisioning process from a zero-touch into a many-touch one.

Almost every article written about SD-WAN solution benefits, one way or another, talks about delivering the best user experience. However, many of the considerations focus on the networking side to provide the best application quality of experience for end users. A subject that often gets ignored is the customer experience associated with the complexity of deploying, managing, and monitoring the additional security box at the branch with an SD-WAN solution. Integration of multiple boxes at a branch makes the deployment process complex and lengthy and the overall manageability difficult and costly.

Cisco SD-WAN Security: The Next Netflix

Cisco is taking a new leadership position in SD-WAN solutions by integrating enterprise firewall, intrusion prevention, and URL filtering capabilities directly into its SD-WAN appliance. By integrating WAN router connectivity and security capabilities into a single box, the overall complexity associated with deployment can be eliminated and its manageability made easier.

This innovative and unified solution uses Cisco Talos – the industry-leading threat intelligence group – for its threat prevention and provides faster security deployment with Cisco Umbrella’s cloud security service in order to protect connections to the cloud. And secure access to every application by verifying users’ identities, checking devices’ hygiene, and enforcing adaptive multi-factor authentication policies via Duo Security (recently acquired).

It’s time to get rid of the old SD-WAN “VCR” box and embrace the future with Cisco SD-WAN security “streaming” box.

Continue reading

Discover Meraki APIs for Location Analytics, Cameras, and Network Health

Meraki wireless networks and security cameras are deployed in large numbers of retail outlets, hotels, campuses, and enterprises. Meraki wireless networks connect many business-critical devices, including Point-of-Sales devices, and provide internet connectivity to visiting customers. The Meraki camera provides reliable security with local and remote live viewing capabilities from Meraki cloud hosted dashboard. Both are very easy to deploy, configure, and manage via a centralized cloud management dashboard.

Meraki wireless access points and security cameras, beyond their basic functionalities, also provide valuable insight into foot traffic and behavior patterns of users. Meraki Access point collects user location information from nearby smart devices, enabling location-based analytics.

Meraki camera utilizes a powerful onboard processor to analyze video and provides valuable foot traffic insights by detecting persons using computer vision. Location insights provided by these Meraki devices enables businesses to provide better customer engagements, increase retail store traffic, and drive revenue. Meraki network location analytics and camera analytics are exposed to business owners via an easy to use Meraki dashboard.

As Meraki wireless network is enabling core business capabilities, monitoring of network health and maintaining low network latency becomes very critical to the operations team. Meraki Wireless Health features simplifies monitoring and root cause analysis of issues for all connected clients from the Meraki health dashboard. The dashboard provides a snapshot view for 1 hour, 12 hours, 1 day, and 1-week durations, along with various drill down capabilities to help identify issues.

Rich APIs for location analytics, health, and camera

Meraki pre-built dashboards for location analytics, camera analytics, and health monitoring are very useful and sufficient for many organizations. But some organizations have more advance use cases and want to retain granular data for longer periods of time. Historical data from Meraki, when combined with other business related data like Point-of-Sale, can provide very useful business insights. To enable these advanced use cases Meraki also supports rich APIs for location analytics, health, and camera analytics. These data sets can help business solve complex use-cases like:

◈ How much do foot traffic and sales increase during promotions?
◈ What is typical queue size on cash registers during specific hours of day?
◈ How many devices successfully connected (or failed to connect) to the network in specific locations throughout the business?

Merakibeat Plugin collects data from the Meraki API and stores it in an analytics database

The DevNet and Meraki teams worked together to create the Merakibeat plugin, data pipeline, and reporting dashboard based on open source technologies like Elastic Beats, Elasticsearch, and Kibana. The Merakibeat plugin enables consumption of data from Meraki wireless health, location analytics, and camera API, and stores this data in an analytics database like Elasticsearch.

Key open source components for data pipeline include:

◈ Elastic Beats is an open source platform for data shipper. The lightweight beats agent sends metrics to Elasticsearch. Beats is very flexible framework that supports pluggable input-output plugins.
◈ Merakibeat is a DevNet community contributed input plugin that can write data to any of the Beats supported output data sources like Elasticsearch, Kafka, MongoDB, Redis etc.
◈ Elasticsearch is an analytics data store that saves historical data for further analysis and reporting.
◈ Kibana is a visualization tool for Elasticsearch, that enables creating custom reports and dashboards.
◈ Business metrics, like point-of-sale data, can also be ingested into the same analytics datastore to enable data analysis of business metrics, network health, and location analytics.

Merakibeat data analytics pipeline

The DevNet team, working with Meraki engineers, developed a custom Beats plugin and reference data pipeline for Meraki APIs. This Merakibeat plugin has three sub modules –

◈ Meraki Health API module polls health APIs at configured intervals and fetches connection and latency status at network, device, and client levels. Polling interval and metrics to be collected can be configured using a config file.

◈ Location analytics scanning API supports pushing location analytics metrics to registered endpoints. The Merakibeat plugin starts a listener that accepts scanning data posted on a callback hook. The user needs to expose scanner data endpoint on external network and register callback endpoint in Meraki dashboard.

◈ Camera API: The Merakibeat camera module polls camera APIs at configured intervals and fetches average count of user presence and entrances in specific camera zones or full camera view.

Kibana is configured as a visualization tool for Elasticsearch, and we created a custom dashboard for wireless health status reporting. The dashboard shows different charts, like average success/failure ratios and network latencies. These charts can be viewed for various time duration (like 1day, 1week, 1month etc.) or specific date/time ranges. The Merakibeat GitHub repo also includes pre-created dashboards for Kibana that can be easily customized for user’s requirements.

To ease deployment, we bundled all components of the pipeline as Docker images, and created a Docker compose project that allows you to bring up a complete pipeline in a single command.

Merakibeat trial deployments

With one of our retail customers we deployed a trial version of Merakibeat, configured to collect wireless health and location analytics data. We also collected daily sales data from the retailer’s point-of-sale system. That enabled analyzing network health, active connections, and foot traffic with daily sales at the retail store. After collecting data for a couple of weeks we are able to create a dashboard in Kibana that helped the customer to analyze the following:

◈ Average number of customers visited per day

◈ Peak hours when customer visited retail area

◈ Correlation chart between customer count and sales revenue

◈ Percentage/count of customer devices that failed or succeed to connect wireless network

Retail dashboard, store traffic, and network health metrics overlaid with Point Of Sales data

With the Cisco Merchandise Store in San Jose we deployed Merakibeat trial version configured to collect Meraki camera analytics data. After collecting data for more than a week we created a custom dashboard and alerting solution to support the following use cases:

◈ Overall customer store visits

◈ Customers queue size at cash register

◈ Number of customers visiting specific areas in store (e.g., apparel, gadgets, greeting cards, etc.)

◈ Alerts to staff via Webex Teams if a suspicious person is detected in off-hours, or queue size is greater than an established threshold

Retail store dashboard, camera API based traffic pattern in zone of interest

The Merakibeat plugin source is available on DevNet Code Exchange, and is also contributed to the Elastic Beats community

With the Merakibeat plugin project we have not only enabled specific use-cases but created a reference data pipeline to enable correlating business metrics with various Meraki API provided data. We are looking forward to see interesting analytics and reporting use cases that users will create based on data collected and made available by Merakibeat plugin.

Continue reading

Localization: 6 tips for success

Software localization is often an afterthought instead of being embedded into projects from the start. In 2017, we started a localization project for the software-fulfillment process in our Tokyo office. The regional team had approached us because partners and end customers were having a “broken” user experience—from commerce applications to fulfillment process—because some applications were in Japanese, others in English.

In 2014, we had launched a corporate extended relationship management (xRM) project, which included localizing major partner and customer-facing applications. The project had a multi-language data foundation. However, constant updates to the software and newer projects were causing us to fall behind. In addition, we faced challenges in getting partners to align with our software subscription business strategy mainly for a localized user experience. For most projects, localization support was added long after the release of the application or new capability.

Since the Tokyo project, we’ve brought localization into the initial phase of software development. Here are the six guidelines we follow.

1. Define success

The time and resources spent on localization can be hard to justify in quantitative terms because outcomes can be subjective and difficult to evaluate. For the Tokyo project, we measured success based on:

◈ Establishing strategic self-sufficiency by addressing/removing customized localization work-arounds by various users.
◈ Providing a smooth user experience between commerce and fulfillment applications.
◈ Storing consistent user language preferences and sharing user language preferences across applications.
◈ Making it as easy to add a new language during software product planning as adding a new user story.
◈ Accelerating go-to-market.
◈ Giving us a competitive advantage in international markets.

2. Realize that localization is foundation work, not an add-on

Our original localization initiative tried to address the problem after new applications and features were released. Our analysis of the software-fulfillment process in Tokyo showed that this approach led to production stoppage, re-engineering, and increased resource requirements to identify customer impacts and application dependencies. Thinking about localization from the initial phase of software development avoids these risks. To achieve this, we re-engineered the architecture to be ready for internationalization. According to Wikipedia, internationalization (i18N) is the process of designing a software application so that it can be adapted to various languages and regions without engineering changes. Localization (l10N) is the process of adapting internationalized software for a specific region or language by translating text and adding locale-specific components.

3. Know the stakeholders and key partners

Assessing localization requirements requires an understanding of all stakeholder groups, which often have a wide variety of backgrounds. Regional teams drove the discussion, but the Cisco IT architecture framework team was also involved because they owned the application platforms. There were many stakeholders like Japan sales operations, Japan strategy & planning, corporate business team, corporate IT team, global translation services team, and the architecture framework team. To achieve our localization goals within the target timeframe, we took the following steps:

◈ Aligned the business outcomes with the country’s go-to-market strategy
◈ Established a partnership with the architecture framework team to enable scalable internationalization
◈ Scheduled regular team meetings to enable dynamic collaboration across all functional teams responsible for software business adoption
◈ Implemented a phased approach to localization, starting with the highest-priority applications

4. Obtain buy-in from key stakeholders

The localization process is complex and requires commitments from business leaders as well as engineers. To obtain these commitments, we:

◈ Established dynamic teams, consisting of members from across the globe including various stakeholders who could participate in reviews and take necessary actions.
◈ Educated upper management about the importance of dynamic team sync up meetings on a regular basis.
◈ Assigned dedicated teams to re-engineer the architecture to be internationalization (i18N) ready.
◈ Encouraged dynamic team collaboration by scheduling regular meetings at times that worked for team members in different time zones.
◈ Analyzed application dependencies during the project to ensure smooth project sign-off to avoid release time surprises and re-work.

5. Know the difference between machine translation and localization

Localization is more than simply translating existing web properties. More broadly, it’s adapting content and applications for regional or local consumption. This sometimes requires modifying the flow of the user interface or requires changes to the source language (English for instance) itself and other site elements to match the user’s cultural expectations.

To ensure the quality of localization, we:

◈ Aligned the user interface to follow same user preferences across different user applications
◈ Localized every possible user interface flow
◈ Asked linguists to review application screens
◈ Utilized appropriate change management to review with teams so that no gaps arise when changing the user interface in one language, impacting the core (English) user interface flow and vice versa.

6. Speak directly to the customers in a language they understand

This guideline applies whether you’re building a website, customer application, or partner application. In a Harvard Business Review study, 72% of consumers said they’d be more likely to buy a product that’s in their own language and 56% said this was more important than price.

Progress to-date

Globalization and internationalization are becoming a standard for every Cisco IT project (Figure 1). Once the projects get realized, if the project has gone through localization, it can increase the business opportunities among international customers. The data gathered with a localized user interface can give clear visibility for data analysis.

Figure 1

We are working to make localization a business priority in other regions. To support that effort, we are building a strategic and holistic operating model and framework for localization across products, IT platforms, technical support documents, and channel programs portfolio

Continue reading

Planning Your Cloud Communications Migration: Connectivity And Network Service Options

Layer 1 and 2 Access Connectivity Type

In the ISO (International Standards Organization) data connectivity model, Layer 1 and 2 represent the physical and data layers. The most common Layer 1 physical connectivity are copper, fiber, and radio frequencies. This layer includes both the wiring and switching equipment. Layer 2 data connectivity protocols include things such as Ethernet, PPP, and ATM. Using these layers help to understand how quality internet services are constructed. Like a building, the integrity of the foundation is critical for the overall quality of the final structure. Trying to deliver high quality internet services on poor quality wiring is both challenging and not recommended.

In this next section, we will do a quick review of access types and their suitability for IP-based business communications. This is not intended as a technical overview of access types but instead provides guidance for IT and procurement managers for their migration planning process. Key access types we will discuss are DSL, T1 / PRI, Coax, Ethernet over Copper, and Fiber-based access.

DSL and DSL Variants:

DSL or digital subscriber line is a family of technologies designed to deliver internet services over telephone lines. DSL variants include “asynchronous” ADSL, “synchronous” SDSL, and higher speed technologies such as “very-high-bit-rate” VDSL and “G.fast.” Although DSL technologies continue to advance and produce higher and higher theoretical speeds (even up to 1Gb/s), these technologies are dogged by the quality problems with the underlying twisted-pair phone lines on which they are built. In addition, DSL service performance is sensitive to the distance from the central office (CO). This combination of challenges brings variability to the performance of what planners can expect for specific target sites. For these reasons, DSL should largely be avoided for access connectivity planning and only be considered in limited circumstances. One of the circumstances to consider DSL is when its access capacity can be bonded with another access circuit through advanced network service such as SD-WAN. We will discuss SD-WAN in the next section and will refer back to this scenario.

T1 (DS1) / T3 (DS3) Variants:

T1 or the T-carrier family of access connectivity services is built on a four wire transmission circuit. Originally developed at Bell Labs in the 60s, this family of services is built on the aggregation of “DS0” 64Kb/s channels. Typically delivered by telecom operators, offers in this class provide symmetrical internet service and speeds of 1.544 Mb/s (T1), 2.048Mb/s (E1), and up to 45 Mb/s (T3/DS3). These services are highly reliable and served as the primary method of “last mile” internet connectivity for most businesses in the late 90s and 2000s. While the T-carrier family is largely considered a legacy access methodology, there could be instances where businesses might consider some higher capacity variants, especially from a fractional T3 or above and where more modern managed Ethernet or fiber-based services are not available. Some CSPs that still sell T3 access circuits may offer these at substantial discounts.

Coax:

This class of internet services are typically delivered by cable MSOs and lead with a coaxial copper cable for the Layer 1 physical delivery of internet service. Most cable networks are actually now engineered as hybrid fiber coaxial (HFC) with much of the regional internet traffic distributed over new fiber plant. Coaxial connectivity provides last mile connections to homes and businesses. Coax-based internet services from most Cable MSOs are offered at attractive prices and provide high bandwidth, with speeds starting in many cases at 100 Mb/s. Speeds are typically asymmetrical with higher download than upload. For communications services planning, IT managers should focus on upload speeds. Most business packages start at 10 Mb/s, enough to support a large number of IP voice channels and enough for limited HD video channels. Many coax-based services from cable MSOs are delivered as a “shared service” where all the users from a single street, neighborhood, or a strip mall may share a single pool of bandwidth. While shared services should be a concern for IT planners, consider that cable MSOs use the DOCSIS protocol to reserve bandwidth for high priority media traffic. DOCSIS is only offered on the cable MSOs’ own services and not for OTT-based services. For OTT services, IT planners should consider adding healthy buffers and/or overhead to their estimated bandwidth demands. Or, if they are engaging with a cable MSO for business internet, they should inquire about fiber and DIA-based solutions.

Carrier Ethernet (over copper):

Ethernet dominates enterprise and business networks. Ethernet has grown into this position with its ease of deployment, self-configuration, and excellent price per bit and price per port. The primary limitation for Ethernet, especially over copper, is on transmission distance. For this reason Ethernet is used for most in-building and small campus links but not used for access networks that may extend thousands of feet to several miles. Vendor innovation has extended the range of Ethernet services. These innovations have enabled CSPs to offer access Ethernet services with symmetrical speeds and high quality of service. Speeds are still dependent on the distance from the CO. In most cases, speeds available are well-understood by CSPs and can be easily provided and quoted based on site address. Carrier Ethernet services are considered a state-of-the-art offer from CSPs and provide an excellent platform for cloud-based IP communications services. Service pricing will depend on geography and local competitive alternatives.

Fiber-Based Services:

Just as much Ethernet over copper is an attractive option for business IP communications, Ethernet over fiber is even more attractive. Fiber provides far greater resistance to the signal degradation that occurs when some protocols are transmitted over copper. Requesting fiber-based access for a site is often prohibitively expensive. It is for this reason that most businesses should initiate their cloud migration plan for “what is available” from current providers at particular sites. As we’ve mentioned previously in this post, fiber-based connectivity is now available at more than 50% of business sites across the US. The main question facing planners is exactly what kind of premium the business needs to pay for securing fiber-based connectivity. In addition, IT planners should be prepared to layer service assurance and network services to provide QoS for voice and video connectivity. Though fiber offers an excellent transmission medium, it can still experience contention where fiber links are stressed with lots of demanding traffic such as HD video.

Network Services to Support Access Layer Service Quality

After physical connectivity above (fiber, copper, etc.), QoS of packets and traffic flow is managed through a variety of standards and protocols. There are benefits and drawbacks to most management approaches. In most cases, businesses prefer to apply some type of bandwidth reservation for real-time media such as voice and video traffic. A basic summary of traffic demands of various communications and data traffic is provided below and can help to show the sensitivity of traffic.

Figure 5: Representation of Traffic QoS Demands by Jason D. Hintersteiner, CWNE #171

DOCSIS:

Cable MSOs use DOCSIS, “data over cable service interface specification,” to deliver IP broadband service over their hybrid fiber-coaxial (HFC) infrastructure. Within the DOCSIS standards are methods for delivering a higher class of service for specific types of traffic, specifically real-time protocol (RTP) used for IP-based voice and some video communications traffic. Priority service is achieved using unsolicited grant synchronization (UGS), which provides an immediate grant of bandwidth access from the cable modem termination system (CMTS).

MPLS:

One of the most mature and proven methods for assuring call quality, MPLS or “multi-packet label switching,” provides a virtual tunnel across the CSPs access connection to assure transmission quality across potential points of traffic contention. Considered one of the most trusted and preferred methods for assuring resilience, MPLS is considered relatively costly and may not be available across all geos. The price of MPLS has represented a barrier for some planners who might be looking at cloud migration strictly on a cost comparison basis – where MPLS port charges eat away many of the savings of PBX maintenance and TDM access trunk charges.

While MPLS port charges have been coming down in recent years, and in some geographies at a compound rate of 10+% / year, reliance on MPLS alone for access connectivity assurance is proving challenging for both CSPs and IT planners. For the economics and flexibility needed to plan a multi-site and phased migration approach, IT planners should look to a mix of MPLS and other access methods.

SD-WAN:

Perhaps the most exciting innovation in access networking and WAN services has been the innovations around SD-WAN (SD = Software Defined). In fact, Frost & Sullivan recently revealed that 94% of businesses have deployed, are deploying, or will deploy an SD-WAN service in the next two years. A key benefit of SD-WAN is that it uses multiple paths for traffic to traverse a network. SD-WAN can improve service resilience across existing access circuits (by running several parallel traffics streams) or can improve resilience by running parallel traffic streams across multiple access circuits.

In the case of overlaying multiple circuits, consider a scenario where a particular business’s site may only have IP access via DSL and a shared cable broadband service. While either service might not provide the needed resilience for the business’s traffic demands, an SD-WAN service across a combination of both the DSL and cable circuits could offer the needed performance to deploy high quality hosted communications. From an economics standpoint, the combination of DSL and cable broadband circuits plus SD-WAN services would be very cost-effective.

Note that some SD-WAN resilience measures can add overhead traffic to voice and video media. Overhead can come in the form of multiple media streams and from the increased size of some packet headers. IT managers should work with their SD-WAN and CSPs to correctly size access circuits with these overhead factors in consideration.

All in all, SD-WAN offers a lot of benefits and should certainly be seriously evaluated as a part of IP access services for cloud-based communications. Consider the 2018 report by Transparency Market Research. They forecast that the global SD-WAN market will expand at a 51.4% CAGR between 2017 and 2025 and be worth US $34.35 billion.

Continue reading

Cisco Mobility Express and Cisco Umbrella – Security Simplified!

We’ve had a few busy months with our Cisco Mobility Express solution. How busy? Following in this trend of new innovations, I am excited to share another key enhancement to the Mobility Express solution: Cisco Umbrella integration with Mobility Express via the latest AireOS 8.8.111.0 release.

With today’s digital consumers, providing Wi-Fi in your business is a necessity rather than simply a luxury. On top of that there is increasing complexity caused by the proliferation of smartphones, tablets, wearables and IoT end points that are beyond IT’s direct control. According to Cisco Visual Networking Index (VNI), 49% of global traffic in 2020 will be Wi-Fi based. With this explosive Wi-Fi growth in the network, providing a safe and secure connection is of paramount importance. Threats continue to increase in sophistication and have reached exponential levels, increasing in speed with every passing year.

So how do you secure your wireless network if you’re a small to medium-sized organization with a lean or nonexistent IT department? How will you keep pace with your competitors while successfully deploying, managing, and securing your network?

Enter Mobility Express and Umbrella.

Limited budget? No problem. IT team of one? That’s okay too. With these integrated solutions, it’s easier than ever to quickly deploy and secure an on-premise wireless network. Mobility Express offers industry-leading wireless LAN technology with a built-in virtual controller, and Umbrella provides the first line of defense against threats on the internet wherever users go. And you don’t have to sacrifice enterprise-class performance and reliability.

Umbrella is a cloud-delivered security platform that protects against threats like malware, ransomware, and phishing. With Umbrella, you gain visibility and enforcement at the DNS layer, so you can block requests to malicious domains and IPs before a connection is ever made. The Umbrella integration across the Cisco wireless LAN controller (WLC) portfolio – including Mobility Express, WLC 3504, 5520 and 8540 – provides comprehensive security coverage that is simple to deploy and manage.

Deploy and Protect in Minutes 

You can quickly and easily enable Umbrella policies per SSID in three easy and intuitive steps from the Cisco Mobility Express WebUI itself. The ability to map granular policies on a per-SSID basis allows the network to evolve rapidly to your changing business needs. All of this added protection is enforced without any additional latency, so the end user experience is not impacted.

Step1: Enable Umbrella and enter the Umbrella API Token

Step 2: Create profile and register the profile with Umbrella

Step 3: Apply the profile to the WLAN

Licensing & ordering Umbrella with Mobility Express

With AireOS 8.8.111.0 release, this feature is available to all customers and there is no additional license on Mobility Express to enable this feature. However, customers who wish to use Umbrella with Mobility Express will need an Umbrella license and account.

With the amount of Mobility Express innovations coming from Cisco, make sure to bookmark this blog page so that you’re always up-to-date.

Continue reading