Get Hands-on in the Cisco Crosswork Automation Sandbox

Cisco Crosswork Network Automation is a microservices platform that brings together streaming telemetry, big data, and model-driven application programming interfaces (APIs) to redefine how service providers conduct network operations. Cisco Crosswork Network Automation offers a platform to collaborate, and build an application ecosystem around on-box innovation.

The Cisco Crosswork Network Automation product suite is a highly scalable and efficient operations automation framework. It enables service providers to quickly deploy intent-driven, closed-loop operations. You can plan, implement, run, monitor, and perfect your service provider network automation, and gain mass awareness, augmented intelligence, and proactive control for data-driven, outcome-based network automation.

Streamline Network Operation Processes

Automation plays a significant role in helping organizations move more quickly by streamlining operational processes such as:

◉ Executing workflows at machine speed with high operational efficiency and repeatable quality

◉ Bridging and synchronizing business and Information Technology (IT) processes to cut gaps and improve customer experience

◉ Supplying analytics to improve decision-making and shorten fault resolution times

Lab, Test, and Build in the New Sandbox

Now you can lab, test and build with the new Cisco Crosswork Automation Sandbox. This new sandbox lets you:

◉ Monitor key performance indicators (KPIs) in real time

◉ Prepare network changes triggered by changes in KPIs

◉ Roll out these changes automatically

◉ Automated change-impact and security analysis

Production Crosswork Suite within the Sandbox

You will find a “production” Crosswork suite deployed to manage the multi-platform network within the sandbox lab. This network is made up of:

◉ Cisco Crosswork cluster

◉ Cisco Crosswork Data Gateway (CDG)

◉ Cisco Network Service Orchestrator (NSO)

◉ Cisco IOS XE/XR routers

Included in the sandbox is a new use case which will help understanding the Applications of Health Insights and Change Automation.  In this scenario, we want to showcase how to attach and detach the devices from Crosswork Data Gateway (CDG). As a part of the scenario, we will also showcase how to change the credentials at the device level.

◉ Scenario 1: Device Level Management: Showcase how to attach and detach the devices from Crosswork Data Gateway (CDG). As a part of the scenario, we will also highlight how to change the credentials at the device level

◉ Scenario 2: Health Insights Application Overview: See how Cisco Crosswork Health Insights offers real-time, telemetry-based Key Performance Indicator (KPI) monitoring and intelligent alerting.

◉ Scenario 2A: Create and enable KPI profiles: In this scenario, KPIs are provisioned on IOS-XR devices via a KPI Profile. The KPIs can be either GNMI, MDT, or SNMP protocol based. We can then enable the KPIs and verify that the respective data are being collected and visually presented on Health Insights

◉ Scenario 3: Network Automation Application Overview Learn how to codify workflows using parameterized Plays and stitch them into Playbooks for execution in a step-by-step or single-step fashion.

◉ Scenario 3A: Playbook execution. Now we have our code, let us define an automation task to achieve the intended network states in Change Automation using Playbooks

Source: cisco.com

Continue reading

The 3 Ps for Partner Managed Services: Platform, Preference, and Performance

In case you missed Partner Summit last week, we just want to reiterate: your customers heavily prefer to consume technology as managed outcomes!

We are full steam ahead in supporting our credo The Age of the Partner where vendors, partners, and customers all work together with a consistent set of strategic business imperatives rather than disparate technology stacks. The time is now, and the path forward is through the continued relationship we have built with our partners. Success in this new age of digital transformation necessitates collective evolution, both for Cisco and our partners.

Our strategy for success, guiding our evolution in Partner Managed Services, is centered on our 3 Ps: Platform, Preference, and Performance.

While we introduced this virtually at Partner Summit 2021, we’ve matured it considerably since then and would like to update our partner community on how we are employing this strategy to successfully deliver for our partners in this new age.

Platforms

Our strategy starts by making sure our platforms are capable of best-in-class managed services delivery for partners across Cisco’s architectures. We appreciate there are key technological capabilities partners need to select a technology as a managed services delivery platform:

◉ Telemetry to feed into your Operational Support Systems

◉ Operational capabilities like single sign-on and role-based access control to deliver cost effectively at scale

◉ APIs that enable workflow automation for billing, provisioning, and reconciliation

◉ User Interfaces that provide intuitive and compelling provider operations and end-user experiences

◉ Integrations with leading systems like ServiceNow, Snow, and ConnectWise

MVPR

Our Partner Managed Services team has collaborated with key engineering teams within Cisco to develop a framework designed to articulate these technological requirements through an internal scorecard approach that we coined Minimal Viable Partner Requirements or MVPR. This framework facilitates an open, bidirectional, and iterative dialog with product engineering to form the basis of assessing and developing the technology and the Platform that orchestrates and manages it to meet Provider Partner expectations.

Partner Managed Ready Offer Catalog

We then add to the Platform the elements our Provider Partners need to build managed services with plenty of room to differentiate based on target segments, intellectual property, commercial terms, and/or the type of experience they want to deliver. Our Partner Managed Offer Management team coordinates content and tools aimed to address key care-abouts of core MSP functions:

◉ Product Management needs example service descriptions, market pricing, aligned buying programs and business case tools.

◉ Service Delivery requires Standard Operating Procedure (SOP) templates, lab environments, and technical training.

◉ Sales benefits from playbooks and positioning decks.

◉ Marketing uses messaging blocks and templated digital marketing assets.

◉ Customer Success leverages API guided for adoption measurements and user guides to enable customers on using the higher-value functions.

◉ Operations requires ordering guides and license management guides to support their role.

These are some of the assets we bring to our partners to help them move faster and be more successful with service creation and go-to-market than if Cisco just sold them technology and expected them to figure it out.

A few examples of Partner Managed Ready Offers from our catalog include:

◉ Managed SD-WAN powered by Viptela and/or by Meraki, enables partners to securely interconnect branches, campuses, data centers, and multi-cloud environments.

◉ Managed SASE allows partners to build on their cloud-delivered virtual fabric and intersect secure access for users and devices by delivering policy controlled secure access to applications and networks.

◉ Managed Webex Collaboration provides a cloud-hosted, video-centric, unified collaboration solution which can be delivered over service provider partner networks and is backed by partner managed services to enable and enrich work in a post-pandemic era.

◉ Managed Hybrid Cloud allows partners to deliver application environments that feel like the public cloud but reside where customers want, and often at much better long-term economics, blending cloud-like cost efficiencies with on-premises performance and security.

Preference

We recognize the need to simply the partner experience, and we are working hard to earn your preference as your managed services technology partner daily.

This starts by offering you choice and flexibility across two software buying programs designed specifically for managed service practices.

Managed Services Buying Programs

The first, Managed Services Enterprise Agreement (MSEA), is built on our standard Enterprise Agreement construct, but with MSEA, the partner owns the entitlement and controls the terms with their customers. Partners can enable as-a-Service packaging while getting all EA benefits like True Forward and great Cisco field alignment.

Cisco’s Managed Service License Agreement (MSLA) accounts for variable scale, seasonal demand, and dynamic user counts by providing post-paid utility-like consumption for 17 Cisco software products and growing. This enables additional flexibility for partners and their customers to address multiple business needs across different scenarios.

Payment Solutions Portfolio

We also offer a rich portfolio of payment solutions to help with business concerns and those “good problems” that come with success like cash flow, credit lines, environmental and sustainability targets, and cost-to-revenue alignment as partners continue to grow their managed services practices:

◉ Total technology: Cisco Easy Pay, Cisco Lifecycle Pay

◉ Software: Cisco Enterprise Agreement (EA) Pay, Cisco Partner Pay

◉ Services-focused: Cisco Multi-Year Services Pay – Attach and Renew, Cisco Partner Pay

◉ Consumption: Cisco+ Hybrid Cloud, Cisco Open Pay

◉ Circular IT: Cisco Green Pay, Cisco Lifecycle Pay, Cisco Lifecycle Pay for Secure Firewall

Additionally, we have reinvented the partner-led sales model for the Age of the Partner through our Partner Managed Success Framework:

1. Offer Development begins with the development of a compelling partner managed offer that enables our Provider Partners to address market opportunities with great technology and the content and tools needed for success by key partner roles

2. Partner Engagement allows us to assess and analyze if a particular opportunity is aligned to both Cisco and our partner, or we may collaborate to determine which of several opportunities to pursue

3. Service Creation occurs when a partner formally builds a new service with Cisco support in the form of templates, best practices, cutting edge market research, and best-in-class expertise

4. Sales Acceleration gives us an opportunity collaborate on sales campaigns with potential support via Cisco Provider Market Development Funds (MDFs)

5. Sales Execution provides access to a seasoned team of sales capture professionals to help our partners with operationalizing and scaling sales pipelines

6. Partner Success provides touch points along the lifecycles to help partners strengthen customer value across the lifecycle, find adjacent opportunities, and prepare for renewals

Performance

Performance is the transformation throttle. Cisco is continually looking at the opportunity and determining how we can best help accelerate the pace of partner success. We are incentivizing partners for growth in strategic areas, backed by industry-leading market research, using the Provider role of the Partner Program as the value exchange fulcrum.

Over the past two years, we’ve evolved the Cisco Partner Program substantially by simplifying over a dozen programs into a single, flexibly structured program centered on delivering value to customers. Partners can participate in one or more roles—Integrator, Developer, Advisor, and Provider —each at whatever level fits your business: Select, Premier, or Gold. Additionally, we have focused on aligning our Cisco Powered Services with our Partner Managed Ready Offers and evolving our benefits to suit the Age of the Partner.

We’re working hard to evolve our approach to this critical RTM to give partners a full arsenal of tools to succeed with their managed services practices. As the market evolves, Cisco is evolving and bringing our partners alongside, so no one gets left behind. Our belief is that by bringing these three elements – Platform, Preference and Performance – to bear simultaneously, we’re poised for mutual success in a very bright future. Let’s own it together!

Source: cisco.com

Continue reading

Cisco SD-WAN Fabric is SecOps New Best Friend

In this post, we will delve into new capabilities and integrations into the Cisco SD-WAN fabric that provides specific capabilities that support security operations persona.

The Cisco SD-WAN fabric, with all its existing rich security capabilities, enables the convergence of a two-box approach to secure the branch into a single-box solution. From a management perspective, Cisco vManage controller enables a seamless and converged experience for both the networking and security aspects of the SD-WAN fabric. However, the requirements from security professionals to manage the threats and risks in the enterprise are evolving as applications and the workforce become more distributed. To accommodate these changes, the Cisco SD-WAN secure fabric is being enhanced in multiple dimensions to cater to the more specific operational requirements of the SecOps persona.

An SD-WAN Dashboard Tailored for SecOps

Recent innovations in Cisco SD-WAN enable the secure fabric’s WAN functions to be managed by the networking operations team while the security functions are managed by the security operations team. In addition to a NetOps persona, a new SecOps persona is available in Cisco vManage controller. Logging into the controller, the SecOps persona is presented with a security-focused dashboard and management privileges so that the security administrator can quickly gain a comprehensive understanding of the security health of the network. From a management perspective, the SecOps persona will be able to create and associate security policies to specific sites and VPNs in the SD-WAN fabric. SecOps persona will also be able to view SD-WAN operational statistics, but will not be able to create SD-WAN-specific routing policies and configurations.

Security-Focused Visibility for Troubleshooting SD-WAN Fabrics

Logging for the purpose of visibility and troubleshooting is a critical requirement for security persona to be able to defend the far-reaching WAN fabric. The Cisco SD-WAN router generates comprehensive logs for all the security and connection events detected in the SD-WAN router. These logs can be consumed, parsed, and analyzed in real-time by Security Information and Event Management (SIEM) systems to drive timely security remediations, or stored for long-term historical reference. The security event logs are stored in Cisco Secure Analytics and can be filtered and visualized on Cisco Defense Orchestrator (CDO).

Figure 1. Intrusion Event Logging for SD-WAN Security Persona

In addition, Cisco is partnering with Splunk to enable visualization and analysis of the security and connection-related logs generated from SD-WAN. The Cisco SD-WAN application ingests logs from SD-WAN routers and presents actionable security analytics on a pre-populated dashboard. Example uses cases enabled by the Splunk integration for the security operations persona are:

◉ A holistic view of all the security events captured by the SD-WAN security stack.

◉ Ability to examine any security event at the device level along with traffic patterns occurring when the security event was triggered.

The Cisco SD-WAN Splunk Integration consists of two components:

◉ Cisco SD-WAN Add-on for Splunk – Add-ons are used for data optimization and collection processes. Cisco SD-WAN Add-on for Splunk collects a range of Cisco Logs Data and NetFlow Data and stores them in Splunk indexes.

◉ Cisco SD-WAN App for Splunk – Using data from the Add-On, the Cisco SD-WAN App presents dashboards for Cisco Logs and NetFlow Data with detailed visualization, analysis, and representation.

Figure 2. Cisco SD-WAN App for Splunk Provides SecOps with Increased Visibility into Threats

Figure 3. Cisco SD-WAN App for Splunk Provides Detailed Threat Visibility

SecOps Can Rely on Cisco SD-WAN Secure Fabric

There is an abundance of security features in the Cisco SD-WAN fabric now that will become invaluable to SecOps, whether they are hunting for intrusions, assigning security permissions, or detecting threats. Cisco SD-WAN is always evolving to make managing networks simpler and more secure, even as the scale of networks continues to scale and threats increase in complexity.

Source: cisco.com

Continue reading

Cisco Joins the Launch of Amazon Security Lake

The Cisco Secure Technical Alliance supports the open ecosystem and AWS is a valued technology alliance partner, with integrations across the Cisco Secure portfolio, including SecureX, Secure Firewall, Secure Cloud Analytics, Duo, Umbrella, Web Security Appliance, Secure Workload, Secure Endpoint, Identity Services Engine, and more.

Cisco Secure and AWS Security Lake

We are proud to be a launch partner of AWS Security Lake, which allows customers to build a security data lake from integrated cloud and on-premises data sources as well as from their private applications. With support for the Open Cybersecurity Schema Framework (OCSF) standard, Security Lake reduces the complexity and costs for customers to make their security solutions data accessible to address a variety of security use cases such as threat detection, investigation, and incident response. Security Lake helps organizations aggregate, manage, and derive value from log and event data in the cloud and on-premises to give security teams greater visibility across their organizations.

With Security Lake, customers can use the security and analytics solutions of their choice to simply query that data in place or ingest the OCSF-compliant data to address further use cases. Security Lake helps customers optimize security log data retention by optimizing the partitioning of data to improve performance and reduce costs. Now, analysts and engineers can easily build and use a centralized security data lake to improve the protection of workloads, applications, and data.

Cisco Secure Firewall

Cisco Secure Firewall serves as an organization’s centralized source of security information. It uses advanced threat detection to flag and act on malicious ingress, egress, and east-west traffic while its logging capabilities store information on events, threats, and anomalies. By integrating Secure Firewall with AWS Security Lake, through Secure Firewall Management Center, organizations will be able to store firewall logs in a structured and scalable manner.

eNcore Client OCSF Implementation

The eNcore client provides a way to tap into message-oriented protocol to stream events and host profile information from the Cisco Secure Firewall Management Center. The eNcore client can request event and host profile data from a Management Center, and intrusion event data only from a managed device. The eNcore application initiates the data stream by submitting request messages, which specify the data to be sent, and then controls the message flow from the Management Center or managed device after streaming begins.

These messages are mapped to OCSF Network Activity events using a series of transformations embedded in the eNcore code base, acting as both author and mapper personas in the OCSF schema workflow. Once validated with an internal OCSF schema the messages are then written to two sources, first a local JSON formatted file in a configurable directory path, and second compressed parquet files partitioned by event hour in the S3 Amazon Security Lake source bucket. The S3 directories contain the formatted log are crawled hourly and the results are stored in an AWS Security Lake database. From there you can get a visual of the schema definitions extracted by the AWS Glue Crawler, identify fieldnames, data types, and other metadata associated with your network activity events. Event logs can also be queried using Amazon Athena to visualize log data.

Get Started

To utilize the eNcore client with AWS Security Lake, first go to the Cisco public GitHub repository for Firepower eNcore, OCSF branch.

Download and run the cloud formation script eNcoreCloudFormation.yaml.

The Cloud Formation script will prompt for additional fields needed in the creation process, they are as follows:

Cidr Block:  IP Address range for the provisioned client, defaults to the range shown below

Instance Type:  The ec2 instance size, defaults to t2.medium

KeyName  A pem key file that will permit access to the instance

AmazonSecurityLakeBucketForCiscoURI: The S3 location of your Data Lake S3 container.

FMC IP: IP or Domain Name of the Cisco Secure Firewall Mangement Portal

After the Cloud Formation setup is complete it can take anywhere from 3-5 minutes to provision resources in your environment, the cloud formation console provides a detailed view of all the resources generated from the cloud formation script as shown below.

Once the ec2 instance for the eNcore client is ready, we need to whitelist the client IP address in our Secure Firewall Server and generate a certificate file for secure endpoint communication.

In the Secure Firewall Dashboard, navigate to Search->eStreamer, to find the allow list of Client IP Addresses that are permitted to receive data, click Add and supply the Client IP Address that was provisioned for our ec2 instance.  You will also be asked to supply a password, click Save to create a secure certificate file for your new ec2 instance.

Download the Secure Certificate you just created, and copy it to the /encore directory in your ec2 instance.

Use CloudShell or SSH from your ec2 instance, navigate to the /encore directory and run the command bash encore.sh test

You will be prompted for the certificate password, once that is entered you should see a Successful Communication message as shown below.

Run the command bash encore.sh foreground

This will begin the data relay and ingestion process. We can then navigate to the S3 Amazon Security Lake bucket we configured earlier, to see OCSF compliant logs formatted in gzip parquet files in a time-based directory structure. Additionally, a local representation of logs is available under /encore/data/* that can be used to validate log file creation.

Amazon Security Lake then runs a crawler task every hour to parse and consume the logs files in the target s3 directory, after which we can view the results in Athena Query.

Source: cisco.com

Continue reading

Customer Journeys to the Cloud with Cisco and Amazon Web Services (AWS)

Charles Darwin once stated, “It is not the strongest of the species that survives, nor is it the most intelligent of the species that survives. It is the one that is the most adaptable to change.”

The cloud has become one of the key components of the digital transformation process. As a leading provider of hybrid cloud solutions, Cisco can provide customers with effective cloud transformation assistance. This blog explains how Cisco software solutions on AWS can assist customers at every stage of cloud transformation.

Cisco and AWS strategic partnership accelerates cloud transformation

Cisco and AWS have partnered to simplify and accelerate businesses’ journey to the cloud using Cisco software solutions on AWS. Those solutions simplify connectivity, security, and observability, helping customers address common cloud-based use cases.

The AWS marketplace currently offers a variety of selectable Cisco software solutions to cloud customers. Cisco supports AWS cloud customers throughout their cloud transformation journey, with most solutions being Software as a Service (SaaS). Cloud customers can use a number of these solutions to complete the cloud transformation process effectively.

AWS cloud framework for customers includes four stages

Let’s begin with a high level, conceptual view of the AWS Cloud Migration Framework. As shown in Figure 1, AWS offers their customers a four-stage cloud migration.

Figure 1  Four-Stage AWS Cloud Migration Framework

Stage 1: Assess

The objective of this stage is to plan the cloud transformation by performing business case development, discovery of infrastructure and application components, and cloud planning.

Stage 2: Mobilize

This stage focuses on the preparation of cloud infrastructure components—including landing zones for application onboarding, landing zones, connectivity to the cloud, and security.

Stage 3: Migrate and Modernize

This stage involves either migrating the current applications to the cloud as they are or modernizing them to cloud-native services like microservices. This is done using any of the 7R customer migration methods: Repurchase, Re-architect, Re-factor, Re-host, Relocate, Retain, and Retire.

Stage 4: Operate and Optimize

In this final stage, the application will be operated on the cloud. Monitoring and optimizing cloud applications are among the steps taken during this stage.

Throughout their cloud transformation journeys, customers can select to use industry-leading solutions like Cisco software from AWS co-selling or the AWS marketplace, depending on their needs and requirements.

Cisco solutions support the cloud migration journey from beginning to end

As part of the AWS Cloud Migration Framework, Cisco cloud solutions pillars are mapped to each stage of the AWS cloud journey. Cloud Assess, Cloud Connect, Cloud Secure, Cloud Observe and Operate are included in this process. The diagram in Figure 2 below illustrates this in more detail.

Figure 2  Cisco Cloud Solutions Pillars

The top half of Figure 2 illustrates the AWS Migration framework. In the lower half of the diagram, Cisco solutions pillars Assess, Connect (Cloud Connectivity), Secure (Cloud Security), and Observe and Operate (Cloud Observability) are mapped to the AWS Migration Framework. Additionally, it illustrates the use cases that are supported by Cisco’s solution pillars.

With Cisco solutions, customers can achieve secure cloud transformation

Known for its outstanding networking, security, and observability capabilities, Cisco solves customer challenges in the cloud by providing secure connectivity, securing the cloud, and providing full stack observability solutions with visibility into applications, infrastructures, and business metrics.

In any initial cloud phase, Cloud Planning and App Discovery are among the first use cases for the phases that verify and assess the cloud. Cisco Intersight Workload Optimizer (IWO) and AppDynamics (AppD) are the most commonly used tools to address those use cases.

Cisco supports the customer journey towards cloud adoption based on primarily on three key pillars–Cloud Connectivity, Cloud Security, and Cloud Observability–to ensure a safe, secure, and effective adoption of clouds. (See Figure 3.)

Figure 3  Cisco Solutions for Key Cloud Use Cases

Cloud Connectivity: The Cisco Cloud Connectivity pillar includes a number of use cases–such as Multi-Cloud Connectivity, SASE, Hybrid Cloud SDN and WAN Insights –that enable customers to connect to the cloud successfully and securely, either from their data center or from the edge. In response to customer requirements, Cisco offers multiple solutions like Meraki SD-WAN, Viptela SD-WAN, Nexus Dashboard, and Cloud Network Controller. Those options help to connect and operate hybrid environments securely.

Cloud Security: A successful cloud journey requires foundational protection of the infrastructure, zero trust access (ZTA), application security, and secure services edge (SSE). Cisco offers a full range of security solutions for cloud transformations, including solutions specifically tailored to meet the needs of the customer. Those solutions ensure a secure cloud environment for the customer. There are a number of Cisco Secure Software portfolios, including Cisco Secure Firewall, Duo, Umbrella, Secure Workload, and many others.

Cloud Observability: In order to scale and reimagine applications and improve the user experience, observeability is a crucial element throughout the cloud journey. By utilizing AppD, ThousandEyes, and IWO, Cisco offers industry-leading solutions for Full Stack Observability, which help enable the customer to monitor hybrid and modern applications, provide a digital customer experience, map application dependencies, optimize hybrid costs, and optimize application resources.

In summary…

Due to its solution integration capabilities, Cisco is a one-stop shop for cloud customers when it comes to cloud networking, cloud security, cloud observability, and hybrid work. Cloud customers and partners can address those cloud use cases through Cisco software solutions like IWO, AppDynamics, ThousandEyes, Duo, Umbrella, Viptela SD-WAN, Meraki SD-WAN, Secure Firewall, Panoptica, Intersight Service Mesh Manager (SMM), and more. AWS offers those Cisco software solutions through their co-sell program and marketplace, leveraging their strategic partnership with Cisco.

Source: cisco.com

Continue reading

Tech Trends and Predictions That Will Shape 2023

There are thousands of stories of invention, innovation, and discovery playing out across the technology industry at this exact moment. They are real but largely unseen until an event – a data breach, a cloud outage, a social movement – brings them to our attention.

The cloud and AI are no longer frontiers. The digital economy is the new tech green space. Nearly 8 out of every ten companies have experienced at least one cloud data breach. The transition to net-zero will be as disruptive as the industrial revolution.

Businesses need to separate the trends from the hype to capture competitive value. That’s what drives my annual ritual of making tech predictions for our next orbit around the sun. The future is beginning to take shape, and here are my predictions for tech trends coming in the year ahead.

Trend #1

An Accelerating Attack Surface Will Demand More and Future-Proof Security Innovations

In the billion-dollar race to protect, detect, and respond to an expanding attack surface, we will see risk management melding with business innovation capabilities. Compromised credentials, misconfigurations, and malicious and inadvertent misuse of resources have been at the center of security discussions.

We see the conversation broadening to applications and their dependencies, as well as shadow IT which goes far beyond mismanaged devices. Exposure for businesses could exponentially increase due to unvetted development projects and as organizations innovate to meet the demand for always-on, digital access to products and services.

◉ Application and API Security (CNAPP)

As modern cloud-native applications are becoming drivers of business, protecting the underlying application environment is critical. In 2023, developers will get more and more support from various tools that help speed up development cycles and allow them to better manage and secure distributed application architectures with an emphasis on delivering exceptional, secure digital experiences. We will also see continued movement toward tools that allow developers, site reliability engineers and security experts to collaborate more seamlessly on these outcomes.

◉ Quantum Cryptography

Transmitting keys poses a fundamental risk to security, as keys can be harvested and decrypted later. While Post Quantum Cryptography (PQC) is a potential stop-gap solution, it’s unclear if PQC schemes could be broken in the future. Quantum Key Distribution (QKD) is poised to be particularly impactful because it avoids distribution of the keys over an insecure channel. In 2023, in preparation for a post-quantum world, we will see a macrotrend emerge with adoption of QKD in datacenters, IoT, autonomous systems, and 6G.

Trend #2

Experience Economy Solutions Will Deliver Actionable Business Insights and Performance

The digital experience of customers and end users is now a primary driver of business success, and “experience” will emerge as a key new KPI in the months ahead. This will change the playing field dramatically.

To survive and thrive, companies need to be able to tie data insights derived from normal IT operations directly to business outcomes or risk being overtaken by more innovative competitors. Distributed tracing will soon become a currency of business performance, and every technology investment will need to be set against observability standards and practices – from cloud, to core, to edge.

◉ Full-Stack Observability Tied to Business Outcomes

A significant problem with monitoring has always been too much data with too little context and business correlation. The evolution of application monitoring toward full stack observability will increasingly provide a view relative to business context. When applied systematically, this can dramatically speed up response and optimize business operations in real time. In 2023, business context will become widely recognized as an integral part of monitoring and visibility outcomes.

◉ Traces and OpenTelemetry

In the year ahead, there will be a significant shift toward the open-source ability to grab information from multiple domains that were previously siloed and then develop modern applications that rely on distributed tracing embedded in the actual experience. OpenTelemetry will become the leading open-source standard behind how IT teams consume data to enable observability over the IT stack from the network and infrastructure to applications and the internet.

◉ Edge Native Application Development Frameworks

As edge devices become smarter, and process, manage, and drive insights closer to the user, there is growing need for edge-native application ecosystems. In 2023, we will see growing adoption of application development frameworks for the edge replete with new data management, compliance and security APIs coupled with novel AI/ML toolchains. This is the beginning of a world where the edge will be operated by horizontal software platforms – groups of small, generic computers scaled to deployment needs and consumed as a service.

Trend #3

The New Phase of Digital Transformation Will Be Led by Smart Connectivity and Networks

Resilient and agile supply chains can be a weak link or great competitive advantage. Predictive technologies move us away from using isolated data analysis to real-time decision making. Multicloud models are designed to be elastic and scalable to complex regulatory and service-level requirements.

Smart connectivity and networks are at the center of it all. They’re not just about optimizing resources – they can potentially help organizations anticipate and respond to global trade issues, workforce changes, and other unexpected events. Next year, 2023, will be a turning point in the deployment of game-changing networking and connectivity solutions on which future engineering marvels will be built.

◉ IoT/Supply Chain Resiliency

Enterprises and logistics providers will increasingly utilize IoT to bring greater visibility into their supply chains in 2023. IoT and other technologies will not only play a larger role in bringing better resiliency and efficiency into supply chains but can also help to improve IT/OT network management. As a result, organizations will start to reconfigure supply chains around predictive and prescriptive models including smart contracts and distributed ledgers. This is a major transition toward more sustainable business practices and circular supply chains.

◉ Predictive Networks

In the year ahead, the network will become more experience-centric with increasing capabilities to predict end user experience issues and provide problem-solving options. Companies will increasingly access predictive technologies in integrated, easy-to-use SaaS offers. This represents an important step toward a future where connectivity is powered by self-healing networks that can learn, predict, and plan. Predictive networks will be powered by the same predictive analytics that are gathered from myriad telemetry sources.

◉ Multicloud Realignment

As deglobalization and issues around data sovereignty accelerate, in the year ahead we will see a discernible shift in how companies leverage multicloud architectures. While 89% of enterprises are adopting a multicloud strategy for a variety of reasons (geopolitical, technical, provider diversification), the benefits also come with additional complexity in connecting, securing, and observing a multicloud environment. We will see continued movement toward new multicloud frameworks such as Sovereign Clouds, Local Zone Clouds, Zero-Carbon Clouds, and other novel cloud offerings. This will create a path toward more private and edge cloud applications and services ushering in a new multicloud operating model.

Trend #4

Responsible Innovation Will Move Fast Toward Building a Better, More Inclusive Future for All

Organizations are expected to put their good intentions into action – being purpose-driven is now a corporate requirement. Trust in our institutions and in companies has been tested over the last few years. This has brought us to an inflection point, and we are on the edge of generational change that will become evident through technology in 2023.

Ultimately, organizations will have to define a purpose that goes beyond profitability. While there have arguably been benefactors of the collapse of trust, the new scope of innovation is bending fast toward public good – with responsibility, sustainability, equity and inclusion as guiding themes.

◉ Hybrid Work Equity and Inclusion

Fostering a culture of accessibility-first thinking and embedding universal design principles with assistive technologies will emerge in 2023 as defining principles for development of collaboration products and features. This is the next phase of hybrid work where prioritizing equitable, inclusive experiences can help drive happier and more productive workforces. In 2023, we will also see the use of natural language processing (NLP) and AI/ML in new and innovative ways to deliver these solutions.

◉ Sustainability and the Journey to Net Zero

Net zero will drive common standards to meet sustainability goals with advancements in Power Over Ethernet (PoE) design and hardware to transform data centers for a more sustainable future. Networking and APIs will become more advanced within data center platform management to monitor, track, and change the use of energy. IT vendors and equipment partners will be more transparent in their reuse of hardware (circularity) to move the needle with the sustainability processes.

◉ Responsible AI

In 2023, the ability of rogue individuals and organizations to use artificial intelligence for unethical or socially destructive objectives will continue to grow. Industry, governments, academia, and NGOs will come together to begin hammering out a framework for governing AI in an ethical and responsible manner to mitigate potential harm. This framework will be based on principles such as transparency, fairness, accountability, privacy, security, and reliability and will be applied in contexts such as model creation and the selection of training data for AI systems.

As we look to the year ahead, we see a transformation in how applications, connectivity, and security are delivered and consumed. We see an immersive future that is “sustainable by default,” requiring new technologies built with new processes and in service to new business models. We see exceptional, reliable digital experiences as the gold standard of business success.

No matter how extensive or complex the advances, there’s no greater risk than standing still. The winners in 2023 will be those armed with the right tools – and the courage – to break down organizational silos across domains and disciplines and work together without limits to affect real and lasting change.

Source: cisco.com

Continue reading

Cisco Secure Cloud Analytics – What’s New

Nowadays, “cybersecurity” is the buzzword du jour, infiltrating every organization, invited or not. Furthermore, this is the case around the world, where an increasing proportion of all services now have an online presence, prompting businesses to reconsider the security of their systems. This, however, is not news to Cisco, as we anticipated it and were prepared to serve and assist clients worldwide.

Secure Cloud Analytics, part of the Cisco Threat, Detection, and Response (TD&R) portfolio, is an industry-leading tool for tackling core Network Detection and Response (NDR) use cases. These workflows focus primarily on threat detection and how security teams may recognize the most critical issues around hunting and forensic investigations to improve their mean-time-to-respond.

Over the last year, the product team worked tirelessly to strengthen the NDR offering. New telemetry sources, more advanced detections, and observations supplement the context of essential infrastructure aspects as well as usability and interoperability improvements. Additionally, the long-awaited solution Cisco Telemetry Broker is now available, providing a richer SecOps experience across the product.

MITRE ATT&CK framework alerting capabilities

As part of our innovation story on alerting capabilities, Secure Cloud Analytics now features new detections tied to the MITRE ATT&CK framework such as Worm Propagation, Suspicious User Agent, and Azure OAuth Bypass.

Additionally, various new roles and observations were added to the Secure Cloud Analytics to improve and change user alerts, that are foundational pieces of our detections. Alerts now include a direct link to AWS’ assets and their VPC, as well as direct access to Azure Security Groups, enabling further investigation capabilities through simplified workflows. In addition, the Public Cloud Providers are now included in coverage reports that provide a gap analysis to determine which accounts are covered. Alert Details offers new device information, such as host names, subnets, and role metrics that emphasize detection techniques. To better configure alerts, we are adding telemetry to gain contextual reference on their priority. Furthermore, the ingest process has grown more robust due to data from the Talos intelligence feed and ISE.

NDR: A Force Multiplier to Cisco XDR Strategy

The highly anticipated SecureX integration is now available in a single click, with no API credentials required and smooth interaction between the two platforms. Most importantly, Secure Cloud Analytics alerts may now be configured to automatically publish as incidents to the SecureX Incident Manager. The Talos Intelligence Watchlist Hits Alert is on by default due to its prominence among the many alert types.

Among other enhancements to graphs and visualizations, the Encrypted Traffic widget allows for an hourly breakdown of data. Simultaneously, the Device Report contains traffic data for a specific timestamp, which may be downloaded as a CSV. Furthermore, the Event Viewer now displays bi-directional session traffic to provide even more context to Secure Cloud Analytics flows, as well as additional columns to help with telemetry log comprehension: Cloud Account, Cloud Region, Cloud VPC, Sensor and Exporter.

New Sensor Data to Quickly Detect and Hunt Threats

On-premises sensors now provide additional telemetry on the overview page and a dedicated page where users can look further into the telemetry flowing through them in Sensor Health. To optimize the Secure Cloud Analytics deployment and improve the user experience, sensors may now be deleted from the interface.

Regarding telemetry, Cisco Telemetry Broker can now serve as a sensor in Secure Cloud Analytics, so users can identify and respond to threats faster with additional context sent to Secure Cloud Analytics. In addition, there will soon be support for other telemetry types besides IPFIX and NetFlow.

As we can see from the vast number of new additions to Secure Cloud Analytics, the product team has been working hard to understand the latest market trends, listen to the customers’ requests, and build one of the finest SaaS products in the NDR industry segment. The efforts strongly underline how Secure Cloud Analytics can solve some of the most important challenges in the NDR space around visibility, fidelity of alerts and deployment complexity by providing a cloud hosted platform that can offer insights on-premise and on cloud environments simultaneously from the same dashboard.

Source: cisco.com

Continue reading

Making private 5G interconnect easy to configure, simple to operate, and widely adopted

1. Introduction

This is the follow up blog to an earlier post titled “scaling the adoption of private cellular networks” where the challenges of how to scale interconnect between private 3GPP networks are described. Compared to the current inter-network signaling that serves around 800 public cellular operators, there are forecasts of a 1000 fold increase in the number of private cellular networks. Critically, each private network may experience perhaps a thousandth of the signaling load of a conventional public carrier network.

The full potential of 5G will only be harnessed if the scalable deployment of private 5G solutions can be simplified. The 5G DRIVE (Diversified oRAN Integration & Vendor Evaluation) project led by Virgin Media O2 and part-funded by the UK Government’s Department for Culture Media and Sport (DCMS), Cisco and co-partners is targeted at defining the use of the new 5G Security Edge Protection Proxy (SEPP) roaming interface to connect public and private 5G networks. How best to integrate private 3GPP Non-Public Networks with established public cellular networks, affordably, securely and at scale is a problem that Cisco is invested in solving.

In this post we share details of a recent demonstration Cisco gave to UK DCMS and other 5G DRIVE partners. The demonstration highlights an approach that may facilitate the simplification of 5G roaming interconnect with private wireless networks.

2. Evolution of inter-carrier signaling

The first cellular networks were interconnected using the same SS7 based signaling used on the public switched telephone network. The 2G cellular standard defines enhancements to SS7 messages. These enhancements support concepts of mobility as well as the newly introduced short message service. The introduction of 4G/LTE saw the introduction of IP based Diameter signaling between carrier networks. However, the structure of the SS7-defined exchanges was preserved to facilitate the interworking with earlier systems. Importantly, these Diameter-based systems are responsible for transporting the inter-carrier roaming signaling and not the roaming data used by the end-users. This roaming data can either be tunneled back to the home network or routed locally by the visited access network.

Now, 5G sees the most significant change in how to carry signaling between networks since the inception of cellular. 5G defines a “service based architecture” (SBA) that avoids strict signaling hierarchies. Instead, SBA allows signaling consumers to communicate with different signaling producers. SBA defines the use of RESTful APIs transported using HTTP2 defined methods like GET, POST and PATCH. These APIs are more familiar to web developers compared to the telco-focused SS7 and Diameter.

As described in the earlier post, the GSM Association is responsible for the services and solutions that underpin public roaming systems. This enables subscribers to experience seamless roaming across the world. As expected, GSMA is currently enhancing these services and solutions to be able to interconnect 5G Systems and enable users to seamlessly roam onto 5G public cellular systems using SBA-defined interfaces.

Just like in earlier Gs, the roaming signaling defined in 5G architecture is bidirectional. HTTP2 Request messages originate from both the visited network and the home network. These are then responded to by the other party, as illustrated below. The signaling transits the IPX network which is a private IP backbone used between public cellular operators. The IPX is isolated from the public Internet with security rules defined to prevent unauthorized access to/from it.

The figure above illustrates that each operator is responsible for their own perimeter security including configuration of firewalls and border gateways. GSMA defines procedures for exchanging IP address information for all operator nodes that connect to the IPX in its permanent reference document (PRD) IR.21. Operators configure firewall rules using this information to ensure that only signaling connections originating from registered IP addresses are permitted. The figure below illustrates how this firewall configuration is essential for the visited access network to permit inbound signaling flows from the home network.

3. Securing 5G roaming signaling

The 5G System introduces the Security Edge Protection Proxy (SEPP). The SEPP sits at the perimeter of the 5G public cellular network and is the focus of the 5G DRIVE project.

The N32 interface is defined by 3GPP for use between two SEPPs to ensure the HTTP2 messages can be securely exchanged. First, N32 control signaling is exchanged to establish N32 forwarding. The N32 forwarding operates by taking the HTTP2 Request or Response messages that need to be exchanged between operators and encoding the HTTP2 header frames and data frames in JSON. This JSON is transported in another set of HTTP2 messages which are exchanged between the two SEPPS. 3GPP defines two options for securing signaling between SEPPs. Either TLS protects the communication of these HTTP2 messages using the transport layer, or JSON Web Encryption (JWE) protects the communication at the application layer.

4. Private network challenges

Unlike GSMA, which defines the operation of roaming signaling and the IP backbone between public cellular operators, there is no equivalent system between private 5G networks. This is one of the reasons why 3GPP has defined two separate approaches to deploying private networks, a standalone approach that simply interconnects credential holders with access networks and a public network integrated approach that integrates the private network with the systems of a public cellular operator.

Interestingly, credential holders and private Wi-Fi access networks are increasingly using OpenRoaming (www.openroaming.org) to interconnect. OpenRoaming is a federation of identity providers and access providers targeted at lowering the barriers to adoption of roaming between Wi-Fi credential holders and Wi-Fi hotspot providers. Cisco was responsible for incubating the OpenRoaming system before transferring the operation of the federation to the Wireless Broadband Alliance (www.wballiance.com).

Prior to OpenRoaming, using Wi-Fi while on the go was a hassle. Most of the time, the Wi-Fi operator requires users to accept specific end-user terms and conditions using an intrusive browser pop-up. There were some deployments that delivered a more seamless experience using SIM-based authentication by interconnecting with mobile operators, but the access network configuration was complicated and agreements time consuming. The private enterprise’s InfoSec policies typically prohibit inbound sockets from unknown hosts on the Internet. This means each inbound roaming relationship requires a specific firewall configuration to permit signaling to transition across the enterprise’s perimeter. Without such configuration, the inbound signaling originated by the credential holder will be dropped by the firewall, as illustrated below.

Instead of sharing IP addresses, the OpenRoaming federation makes extensive use of DNS to enable the visited access providers to dynamically discover signaling systems operated by different credential holders. WBA’s Public Key Infrastructure (PKI) issues certificates to OpenRoaming providers. The roaming signaling endpoints authenticate and authorize each other using these certificates. The visited access network establishes a single TLS-secured outbound socket towards the credential holder. All signaling between the providers uses this single socket.

OpenRoaming’s use of DNS and a single secure outbound socket means that the enterprise can configure a single firewall rule for all OpenRoaming signaling originating from their own systems. This significantly simplifies and streamlines the procedures required to enable roaming onto the enterprise’s wireless network.

5. Scaling signaling on the internet

As part of our 5G DRIVE participation, Cisco revisited how “server-initiated signaling” is supported on today’s Internet. The aim was to understand whether future roaming systems can be enhanced with similar capabilities.

The challenge of how to support server push based signaling is well understood. The Internet has seen the deployment of a number of different solutions. 5G signaling is based on HTTP2 and this includes a capability termed Server Sent Events (SSE). SSE is used to send web server initiated events to the client over an already established socket. SSE is designed to reduce the number of client requests and deliver faster web page load times. However, SSE is unsuitable for supporting the reverse direction 5G roaming signaling as this necessitates full bidirectional signaling.

Prior to HTTP2 SSE, other solutions for server initiated signaling focused on polling-based solutions. With short polling, the client continuously sends HTTP requests to enable any server-initiated signaling to be returned to the client. As a consequence, short polling solutions place a significant load on the server which limits their scalability. To reduce this impact, alternative long-polling solutions have been developed. Using long polling, the client opens an HTTP request which then remains open until a server initiated message needs to be returned. As soon as the client receives the server initiated message in the HTTP response, it immediately opens another HTTP request. As with HTTP2 SSE, polling solutions are useful for sending individual events back to the client but are poorly suited when the server sent information is expected to be responded to by the client.

Some perceive the use of polling solutions by web applications as an abuse of the HTTP protocol. Consequently, the WebSockets protocol was specified to enable full two-way communications between clients and servers. The WebSocket connection starts off as an HTTP connection. The client includes an HTTP Upgrade header in the request to change the protocol from HTTP to WebSocket. The HTTP request header also includes a subprotocol field. This is used to indicate the upper layer application intended to be exchanged using the WebSocket.

6. Adapting N32 transport for adoption by private networks

As described above, the existing HTTP2-based SEPP solution takes the HTTP2 Request and Response messages that need to be exchanged between operators and encodes the HTTP2 header frames and data frames in JSON. This approach is adapted to enable a WebSocket-based SEPP to transport the same JSON encoded information. Because WebSocket transport is designed to support bi-directional communications, a single WebSocket is used to transport signaling generated from the visited network and that generated from the home network.

The 3GPP-defined N32 interface between SEPPs is split into a setup phase using control signaling and a forwarding phase. However, the current HTTP2-based system assumes fully decoupled signaling between those exchanges when the SEPP-initiator is in the visited access network and those when the SEPP-initiator is in the home network. This means that bidirectional forwarding requires separate N32 control exchanges. The HTTP2-SEPP uses a HTTP2 POST to a specific “/exchange-capability” path as part of the N32 control exchange.

In contrast, WebSockets enable bi-directional communications over a single socket. This means the visited access network is able to trigger the establishment of bidirectional forwarding. The WebSocket-SEPP signals a specific sub-protocol indicating that N32 service is being requested. In the demonstration, “n32proxy.openroaming.org” was used as an example sub-protocol. Following setup of the WebSocket, the WebSocket SEPP in the visited network sends a JSON object over the WebSocket requesting to establish the N32 forwarding service. The information exchanged in this setup message closely matches that defined in 3GPP N32c messages, including identities, public land mobile network (PLMN) information and security parameters.

After forwarding is established, the conventional HTTP2 SEPP maps the headers and data fields from received HTTP requests and responses into JSON objects that are then transported using HTTP2. The WebSocket SEPP maps the headers and data fields from received HTTP requests and responses into JSON objects that are transported using the WebSocket message syntax.

The WebSocket solution enables private networks to configure simplified firewall rules. All outbound and inbound signaling exchanges between the private 5G access network and the remote credential holder are transported on a single socket. The credential holder’s WebSocket SEPP rewrites the authority of any callBackUris it receives from the visited access network using a SEPP fully qualified domain name (FQDN) suffix. For example, a 5G Access Management Function (AMF) located in a visited network may signal a deregistration callback URI to the home network of:

http://24.208.229.196:7777/namf-callback/v1/imsi-234600000055531/dereg-notify

The WebSocket SEPP located in the home network rewrites the URI to a value that will always resolve to the IP address of the SEPP in the home network, e.g.,

http://24.208.229.196.sepp.operator.com:7777/namf-callback/v1/imsi-234600000055531/dereg-notify

This means that any HTTP requests originating in the credential holder’s network will use the rewritten URI in their HTTP2 Request messages. This ensures that all messages will be routed via the SEPP and the bidirectional N32 forwarding service towards the visited access network.

7. Demonstration of 3GPP roaming interfaces transported over WebSocket

Cisco has built a proof of concept based on the WebSocket approach described above and demonstrated the system to UK DCMS and other 5G DRIVE partners. We adopted a similar approach to how OpenRoaming enables scale by using a cloud federation as the authority to connect access network providers with identity providers. Private 5G systems can then benefit from the same simplification and streamlining of procedures that have accelerated interconnection between private Wi-Fi networks and different credential holders.

A fictitious cellular carrier is assumed to have joined a roaming federation, has been issued a certificate by the federation to use in securing signaling with other federation members and has configured their DNS records to enable their signaling systems to be discoverable from the public Internet. In the demonstration, the signaling systems of this fictitious cellular network are hosted by a cloud provider. A SIM card was provisioned in the 5G User Data Repository (UDR) of the fictitious cellular carrier, identified with a corresponding Mobile Country Code of 234 and a Mobile Network Code of 60. The demonstration focuses on the use case of a subscriber from the fictitious cellular carrier roaming onto the private 5G network operated by “Acme-Industrial” who has similarly joined the roaming federation. Acme-Industrial has configured its local private 5G network to support N32 signaling over WebSockets and operates a firewall that only permits outbound sockets to the Internet.

A UE with the SIM card attempts to register on the local private 5G network. There are a number of ways that the registration can be triggered. In one approach, the federation specifies the use of a Group Identity for Network Selection (GIN) that is broadcast from the private network. As part of the registration, the UE provides its identity to the network. The private 5G network performs a dynamic discovery to identify the home network using the 5G UE identifier.

The private 5G network contacts the UE’s home network through an API-Gateway, establishing a websocket connection.  Then, to keep things efficient and simple, we automated the implementation of logic for the WebSocket-based N32 forwarding using the cloud provider’s function-as-a-service. Finally, the 5G Core Services for the Authentication Server Function (AUSF), Unified Data Management (UDM) and User Data Repository (UDR) are hosted on cloud service’s compute platform.

The proof of concept demonstrates signaling associated with a typical roaming scenario. The different phases are described together with signaling logs from the demo.

◉ A private 5G access network is setup and awaits inbound roamers.

◉ The firewall rules in the private 5G network permit outbound signaling originating from the WebSocket-based SEPP function.

◉ An inbound roaming UE attempts to register with the private network.

◉ The private network recovers the home PLMN from the UE identifier and uses DNS to discover the WebSocket signaling peer.

2022.09.06 18:32:48: [INFO] Waiting for SUPI or SUCI from in-bound roaming UE 

2022.09.06 18:33:41: [INFO] In-bound SUPIorSUCI detected: suci-0-234-60-0000-0-0-0000055531

◉ The WebSocket SEPP establishes a bi-directional N32forwarding service for the home PLMN.

2022.09.06 18:33:41: >>>> {"n32Service": "subscribeRequest", "accessProvider": "ACME-INDUSTRIAL.CISCO:US", "plmnIdList": ["23460"], "3GppSbiTargetRootApiRootSupported": "False", "jwsCipherSuiteList": ["ES256", "none"]} 

2022.09.06 18:33:41: <<<< {"n32Service": "subscribeAccept", "identityProvider": "MNC60MCC234.3GPPBROKER.GB", "3GppSbiTargetRootApiRootSupported": "False", "plmnIdList": ["23460"], "jwsCipherSuite": "none"} 

2022.09.06 18:33:41: [INFO] WebSocket forwarding established and serving suci-0-234-60-0000-0-0-0000055531

◉ The UE registers onto the private network using standard 5G service-based architecture and signalling. The WebSocket transports bi-directional signalling exchanges between the private access network and the home network.

2022.09.06 18:33:43: >>>> {"n32Service": "http2Message", "messageId": "2785087321A", "n32MessageSigned": {"payload": {"reformattedReq": {"requestLine": {":method": "POST", ":path": "/nausf-auth/v1/ue-authentications", ":scheme": "http", ":authority": "172.31.14.141:7777"}, "headers": {"accept": "application/3gppHal+json:application/problem+json", "content-type": "application/json"}, "payload": {"supiOrSuci": "suci-0-234-60-0000-0-0-0000055531", "servingNetworkName": "5G:mnc060.mcc234.3gppnetwork.org"}}}, "protected": "eyJhbGciOiJub25lIiwiYjY0IjpmYWxzZSzigJxjcml0IjpbImI2NCJdfQ==", "signature": ""}} 

2022.09.06 18:33:43: <<<< {"n32Service": "http2Message", "messageId": "2785087321A", "n32MessageSigned": {"payload": {"reformattedRsp": {"statusLine": {":status": "201"}, "headers": {"server": "Open5GS v2.4.9", "date": "Tue, 06 Sep 2022 17:33:43 GMT", "content-length": "318", "location": "http://172.31.14.141:7777/nausf-auth/v1/ue-authentications/1", "content-type": "application/3gppHal+json"}, "payload": "{\n\t\"authType\":\t\"5G_AKA\",\n\t\"5gAuthData\":\t{\n\t\t\"rand\":\t\"50d05393a459af7786bb96b38f4ebf12\",\n\t\t\"hxresStar\":\t\"4d332c90989aa127a9c86a96a8978379\",\n\t\t\"autn\":\t\"7ee4c1f4ee8f8000c459a0a203065874\"\n\t},\n\t\"_links\":\t{\n\t\t\"5g-aka\":\t{\n\t\t\t\"href\":\t\"http://172.31.14.141:7777/nausf-auth/v1/ue-authentications/1/5g-aka-confirmation\"\n\t\t}\n\t}\n}"}}, "protected": "eyJhbGciOiJub25lIiwiYjY0IjpmYWxzZSzigJxjcml0IjpbImI2NCJdfQ==", "signature": ""}}

◉ The UE uses the resources of the private 5G network.

◉ The home network triggers a de-registration of the UE. This will typically be due to the UE registering on another network, which could be when it returns to coverage of its home network or registers on another federated private 5G network. As we didn’t have a second access network in the demonstration, we triggered a deregistration by withdrawing the subscription of the UE in the UDR. The WebSocket SEPP in the home network translates the network initiated HTTP2 Request to de-register the UE into JSON. The JSON is transported to the private network using the already established WebSocket.

2022.09.06 18:37:53: <<<< {"n32Service": "http2Message", "messageId": "4043366907D", "n32MessageSigned": {"payload": {"reformattedReq": {"requestLine": {":method": "POST", ":path": "/namf-callback/v1/imsi-234600000055531/dereg-notify", ":scheme": "http"}, "headers": {"content-type": "application/json","accept": "application/json,application/problem+json", "host": "192.168.128.145:7777"}, "payload": {"deregReason": "SUBSCRIPTION_WITHDRAWN", "accessType": "3GPP_ACCESS"}}}, "protected": "eyJhbGciOiJub25lIiwiYjY0IjpmYWxzZSzigJxjcml0IjpbImI2NCJdfQ==", "signature": ""}}

◉ The WebSocket SEPP in the private 5G network recovers the JSON and re-creates the HTTP2 Request to de-registers the UE. The HTTP2 message is forwarded on to the private 5G Network’s Access and Mobility Management Function (AMF) which processes the message and deregisters the UE. The AMF then signals back to the UDR that the UE has been successfully deregistered.

2022.09.06 18:37:53: >>>> {"n32Service": "http2Message", "messageId": "4043366907D", "n32MessageSigned": {"payload": {"reformattedRsp": {"statusLine": {":status": "204"}, "headers": {"server": "Open5GS v2.4.9", "date": "Tue, 06 Sep 2022 17:37:53 GMT"}, "payload": ""}}, "protected": "eyJhbGciOiJub25lIiwiYjY0IjpmYWxzZSzigJxjcml0IjpbImI2NCJdfQ==", "signature": ""}} 

2022.09.06 18:37:53: [INFO] suci-0-234-60-0000-0-0-0000055531 successfully deregistered

◉ The home PLMN no longer serves any UEs in the visited network. The private network automatically triggers the deactivation of the WebSocket-based N32forwarding service towards the home PLMN.

2022.09.06 18:37:53: [INFO] terminating WebSocket forwarding for mnc60.mcc234 

2022.09.06 18:37:53: >>>> {"n32Service": "terminateRequest", "accessProvider": "ACME-INDUSTRIAL.CISCO:US"} 

2022.09.06 18:37:53: <<<< {"n32Service": "terminateAccept", "identityProvider": "MNC60MCC234.3GPPBROKER.GB"}

8. Reducing complexity and increasing scale

Cisco is investing in taking the complexity out of private 5G with its 5G-as-a-service offer. With WBA already reporting that over 1 million private wireless hotspots have embraced OpenRoaming, it is clear that simplifying roaming systems can lead to the transformation of roaming, from serving 100s of public cellular operators towards supporting millions of private 5G networks. Importantly, the WBA Board has committed to expanding the use of OpenRoaming to address alternative wireless technologies used in private networks. As part of this expansion, WBA has exchanged liaison statements with 3GPP regarding facilitating the adoption of roaming onto 3GPP Non Public Networks.

Re-using the newly introduced SEPP functionality to enable new deployments of roaming between public and private networks is a focus of the 5G Drive project. The proof of concept demonstrated by Cisco points to how established public cellular roaming interfaces can be adapted to facilitate adoption between private 5G networks and credential holders.

Cisco looks forward to working with others in WBA and 3GPP to help specify new capabilities that ensure that roaming between private and public cellular networks becomes as easy to configure, as simple to operate, and as widely adopted as traditional Wi-Fi-based OpenRoaming.

Source: cisco.com

Continue reading