
Wednesday, 6 September 2023

Taming AI Frontiers with Cisco Full-Stack Observability Platform


The Generative AI Revolution: A Rapidly Changing Landscape


The public unveiling of ChatGPT has changed the game, introducing a myriad of applications for Generative AI, from content creation to natural language understanding. This advancement has put immense pressure on enterprises to innovate faster than ever, pushing them out of their comfort zones and into uncharted technological waters. The sudden boom in Generative AI technology has not only increased competition but has also fast-tracked the pace of change. As powerful as it is, Generative AI is often provided by specific vendors and frequently requires specialized hardware, creating challenges for both IT departments and application developers.

This is not a unique situation among technology breakthroughs, but the scale and potential for disruption in all areas of business are truly unprecedented. With ChatGPT prompt engineering making proof-of-concept projects easier than ever to demonstrate, the demand for building new products on Generative AI has been unprecedented. Companies are still walking a tightrope, balancing the risk of compromising their intellectual property and confidential data against the urge to move fast and leverage the latest Large Language Models to stay competitive.

Kubernetes Observability


Kubernetes has become a cornerstone in the modern cloud infrastructure, particularly for its capabilities in container orchestration. It offers powerful tools for the automated deployment, scaling, and management of application containers. But with the increasing complexity in containers and services, the need for robust observability and performance monitoring tools becomes paramount. Cisco’s Cloud Native Application Observability Kubernetes and App Service Monitoring tool offers a solution, providing comprehensive visibility into Kubernetes infrastructure.

Many enterprises have already adopted Kubernetes as a major way to run their applications and products, both on-premises and in the cloud. When it comes to deploying Generative AI applications or Large Language Models (LLMs), however, one must ask: is Kubernetes the go-to platform? While Cloud Native Application Observability provides an efficient way to gather data from all major Kubernetes deployments, there’s a hitch. Large Language Models have “large” in the name for a reason. They are massive, compute-intensive systems. Generative AI applications often require specialized hardware, GPUs, and large amounts of memory to function—resources that are not always readily available in Kubernetes environments, and the models themselves are not available in every location.

Infrastructure Cloudscape


Generative AI applications frequently push enterprises to explore multiple cloud platforms such as AWS, GCP, and Azure, rather than sticking to a single provider. AWS is probably the most popular cloud provider among enterprises, but Azure’s acquisition of OpenAI and making GPT-4 available as part of its cloud services was groundbreaking. With Generative AI it is not uncommon for enterprises to go beyond one cloud, often spanning different services in AWS, GCP, Azure and hosted infrastructure. Meanwhile, GCP and AWS are expanding their toolkits from the standard pre-GPT MLOps world to fully managed Large Language Models, vector databases, and other new concepts, so we will potentially see even more fragmentation in enterprise cloudscapes.

Troubleshooting distributed applications that span clouds and networks can be a dreadful task, consuming engineering time and resources and affecting the business. Cisco Cloud Native Application Observability provides correlated full-stack context across domains and data types. It is powered by Cisco FSO Platform, which provides building blocks to make sense of complex data landscapes with an entity-centric view and the ability to normalize and correlate data with your specific domains.

Beyond Clouds


As Generative AI technologies continue to evolve, the requirements to utilize them efficiently are also becoming increasingly complex. As many enterprises have learned, getting a project from a very promising prompt-engineered proof of concept to a production-ready, scalable service may be a big stretch. Fine-tuning and running inference tasks on these models at scale often necessitate specialized hardware, which is both hard to come by and expensive. The demand for specialized, GPU-heavy hardware is pushing enterprises to either invest in on-premises solutions or seek API-based Generative AI services. Either way, the deployment models for advanced Generative AI often lie outside the boundaries of traditional, corporate-managed cloud environments.

To address these multifaceted challenges, Cisco FSO Platform emerges as a game-changer, wielding the power of OpenTelemetry (OTel) to cut through the complexity. By providing seamless integrations with OTel APIs, the platform serves as a conduit for data collected not just from cloud native applications but also from any applications instrumented with OTel. Using the OpenTelemetry collector or dedicated SDKs, enterprises can easily forward this intricate data to the platform. What distinguishes the platform is its exceptional capability to not merely accumulate this data but to intelligently correlate it across multiple applications. Whether these applications are scattered across multi-cloud architectures or are concentrated in on-premises setups, Cisco FSO Platform offers a singular, unified lens through which to monitor, manage, and make sense of them all. This ensures that enterprises are not just keeping pace with the Generative AI revolution but are driving it forward with strategic insight and operational excellence.

Bridging the Gaps with Cisco Full-Stack Observability


Cisco FSO Platform serves as a foundational toolkit to meet your enterprise requirements, regardless of the complex terrains you traverse in the ever-evolving landscape of Generative AI. Whether you deploy LLM models on Azure OpenAI Services, operate your Generative AI API and Authorization services on GCP, build SaaS products on AWS, or run inference and fine-tune tasks in your own data center – the platform enables you to cohesively model and observe all your applications and infrastructure and empowers you to navigate the multifaceted realm of Generative AI with confidence and efficiency.

Cisco FSO Platform extends its utility by offering seamless integrations with multiple partner solutions, each contributing unique domain expertise. But it doesn’t stop there—it also empowers your enterprise to go a step further by customizing the platform to cater to your unique requirements and specific domains. Beyond just Kubernetes, multi-clouds, and Application Performance Monitoring, you gain the flexibility to model your specific data landscape, thereby transforming this platform into a valuable asset for navigating the intricacies and particularities of your Generative AI endeavors.

Source: cisco.com

Saturday, 20 May 2023

How Cisco’s SaaS Solutions on AWS Deliver Unbeatable Value to Customers and Partners

The cloud has become a vital tool for businesses of all sizes, providing the flexibility, scalability, and cost-effectiveness necessary to compete in today’s fast-paced digital landscape. However, as more companies move their applications and data to the cloud, they face new challenges in terms of security, connectivity, observability, and optimization. That’s where Cisco comes in.


As a leading provider of networking, cybersecurity and observability solutions, Cisco has become a trusted partner for businesses looking to navigate their cloud journeys. Cisco offers end-to-end solutions for customers’ cloud journeys, including cloud connectivity, cloud security, cloud observability, cloud optimization, and remote work.

Cisco is making it easier for customers and partners to take advantage of its solutions by offering them on AWS Marketplace. Cisco SaaS solutions on AWS provide greater flexibility for customers and partners, making procurement easier. With the AWS Marketplace channel program, CPPO (Channel Partner Private Offer), partners can sell more Cisco SaaS solutions on AWS to customers. Most of Cisco’s SaaS solutions run on AWS, providing customers with greater flexibility and convenience in terms of procurement, leveraging their EDP commitments, and accessing the robust ecosystem support provided by Cisco and AWS.


Cisco’s SaaS solutions on AWS cover a wide range of areas, including cloud security, connectivity, observability, and hybrid work solutions. Cisco SaaS solutions on AWS are designed to work seamlessly with AWS services, making it easier for customers and partners to integrate them into their existing cloud environments. For cloud security, Cisco offers zero trust, SSE, SASE, infrastructure protection, application security, and XDR solutions, which can help customers secure their cloud environments and protect their data from cyber threats.

In terms of cloud connectivity, Cisco offers SD-WAN and simplified cloud connectivity solutions that help customers connect their on-premises and cloud environments.

Additionally, Cisco’s cloud observability solutions offer full-stack observability that covers infrastructure, internet, applications, business, code-to-cloud, and cloud optimization. This helps customers gain better visibility into their cloud environments and optimize their cloud resources for cost and performance.

Lastly, Cisco’s end-to-end hybrid work solutions help customers support remote work and collaboration. This includes solutions for secure remote access, video conferencing, and team collaboration.

Cisco’s SaaS Key Solutions Use cases



The Cisco and AWS partnership offers numerous benefits for customers and partners who are looking to migrate to the cloud or optimize their existing cloud environments. One of the most significant advantages of this partnership is the ability to access Cisco’s SaaS solutions on the AWS Marketplace.

In conclusion, by offering its solutions on AWS, Cisco is making it easier for businesses to take advantage of the latest technologies and innovations and stay ahead of the curve in their respective industries. The Cisco and AWS partnership is a powerful combination that can help customers and partners optimize their cloud environments and achieve their business objectives. To learn more about the AWS and Cisco partnership, and how you can benefit from Cisco’s SaaS solutions on AWS, visit the AWS and Cisco partnership page, as well as Cisco’s solutions for AWS.

Source: cisco.com

Tuesday, 17 January 2023

Three Best Practices to Enable Partner Success on AWS Marketplace


More than a month has passed since AWS re:Invent and the AWS Marketplace continues to accelerate as a new route to market for ISVs and channel partners. Here are a few proof points to consider: ISVs are reporting 80% larger deal sizes when transacting on AWS, 40% shorter sales cycles (from 5 months down to 3 months), and 27% more deals closed through AWS Marketplace versus other channels. These numbers help validate that ISVs and channel partners are gaining exposure to the large customer base on AWS Marketplace, which last year accounted for billions of dollars in transactions.

As a partner-led organization, Cisco is committed to being where our customers are while working together with our channel partners. And this includes — more than ever — transacting via the AWS Marketplace. Working as One Team — Cisco, AWS and our mutual channel partners — our customers rely on us to help them achieve or exceed their outcome objectives and user experience expectations.

So let’s look at the three best practices Cisco and our partners are following to maximize the value we deliver to our customers by leveraging AWS Marketplace for success:

1. List the right products


The AWS Marketplace is an online software store that allows ISV and channel partners to market and sell their software and services to AWS customers around the world. Therefore, it’s important that Cisco lists the products from its large, market-leading portfolio that truly deliver value to AWS customers. Today, this includes offerings that enable several use cases, such as cloud and data center networking, multi-cloud, IoT, security, full-stack observability, and hybrid work.

Most recently, Cisco has added the collaboration use case by listing the Cisco Webex Suite Named User offering on AWS Marketplace and through the AWS private offer. The Webex Suite Named User offers a per-user, subscription-buying model that enables customers and partners to provide the Webex Suite service to individuals, teams or departments, and to add additional named users as adoption grows. Webex Suite Named User includes a comprehensive set of cloud-based collaboration tools, including cloud calling, meetings, messaging, webinars (1K), polling, Vidcast and whiteboarding.

2. Align the sales teams around co-selling


Because AWS Marketplace represents a new route to market, Cisco and our channel partners’ sales teams need to be aligned with multi-partner co-selling motions transacting on AWS Marketplace or via CCW. Multi-partner co-selling is a sales strategy where two or more partner companies sell together offering holistic solutions. This approach can lead to increased deal sizes and profitability by enabling partner access to new decision makers and new buying centers, including AWS Marketplace.

The reality is that no single vendor — even companies the size of Cisco — has all the skills, knowledge and intellectual property required to deliver complete solutions that meet the business outcome that customers want. It takes a partner co-selling team to drive digital transformation for our customers.

Cisco enjoys market leadership in several architectures and use cases. Complementing our product offerings, our channel partners have incredible reach as trusted advisors into their customers’ technology stacks, as well as a robust menu of value-added services. And when those services are combined with Cisco offerings, we can deliver solutions that more precisely meet our customers’ unique needs. Add AWS Cloud and AWS Marketplace to this joint value proposition and you have an unbeatable combination.

However, enabling co-selling takes focus and change management. For instance, sales compensation models must be adjusted to motivate co-selling that results in AWS Marketplace bookings. Trust is the foundation of sales, so a defined communication plan centered on co-sell wins is paramount to ensuring the right behaviors are placed in the spotlight for all to see. This then triggers a domino effect of repeatable wins and undeniable trust.

3. Invest in developing processes to ensure operational success


Booking through AWS Marketplace requires partners to invest resources in building the operational foundation to process the bookings. For instance, when booking through AWS Marketplace, the partner generally sees margin — not topline — revenue. This may require changes to existing sales compensation models that pay on topline revenue. That said, partners that manage their customers’ annual spend commitment under the predetermined AWS Enterprise Discount Program could recognize topline revenue.

In other words, integrating co-sell pipeline markers and data into a partner’s current sales pipeline may require planning and change management of existing processes. For instance, changes may be required with existing sales compensation models to properly motivate co-selling behavior with Cisco and AWS.

Accelerating opportunity and growth


Many will argue that the AWS Marketplace is still nascent with plenty of growth opportunities available for Cisco and our partners on the near- and long-term horizons. The AWS Marketplace value proposition is just too strong to ignore. It makes it easy for customers to buy, provision, and instantly gain value from their purchases. Individual buyers can make their purchases independently, while taking advantage of AWS Marketplace’s single platform to manage and pay for software and services. In addition, software purchases made on AWS can be used to “burn down” customers’ committed spends.

Partners! Now is the time to engage with us and AWS and be part of the journey that brings incredible value to our mutual customers running on AWS.

Source: cisco.com

Thursday, 10 November 2022

Cisco Secure Firewall on AWS: Build resilience at scale with stateful firewall clustering


Organizations embrace the public cloud for the agility, scalability, and reliability it offers when running applications. But just as organizations need these capabilities to ensure their applications operate where needed and as needed, they also require their security does the same. Organizations may introduce multiple individual firewalls into their AWS infrastructure to produce this outcome. In theory, this may be a good decision, but in practice—this could lead to asymmetric routing issues. Complex SNAT configuration can mitigate asymmetric routing issues, but this isn’t practical for sustaining public cloud operations. Organizations are looking out for their long-term cloud strategies by ruling out SNAT and are calling for a more reliable and scalable solution for connecting their applications and security for always-on protection.

To solve these challenges, Cisco created stateful firewall clustering with Secure Firewall in AWS.

Cisco Secure Firewall clustering overview


Firewall clustering for Secure Firewall Threat Defense Virtual provides a highly resilient and reliable architecture for securing your AWS cloud environment. This capability lets you group multiple Secure Firewall Threat Defense Virtual appliances together as a single logical device, known as a “cluster.”

A cluster provides all the conveniences of a single device (management and integration into a network) while taking advantage of the increased throughput and redundancy you would expect from deploying multiple devices individually. Cisco uses Cluster Control Link (CCL) for forwarding asymmetric traffic across devices in the cluster. Clusters can go up to 16 members, and we use VxLAN for CCL.

In this case, clustering has the following roles:

Figure 1: Cisco Secure Firewall Clustering Overview

The above diagram explains traffic flow between the client and the server with the insertion of the firewall cluster in the network. Below defines the roles of clustering and how packet flow interacts at each step.

Clustering roles and responsibilities 


Owner: The Owner is the node in the cluster that initially receives the connection.

◉ The Owner maintains the TCP state and processes the packets. 
◉ A connection has only one Owner. 
◉ If the original Owner fails, the new node receives the packets, and the Director chooses a new Owner from the available nodes in the cluster.

Backup Owner: The node that stores TCP/UDP state information received from the Owner so that the connection can be seamlessly transferred to a new owner in case of failure.

Director: The Director is the node in the cluster that handles owner lookup requests from the Forwarder(s). 

◉ When the Owner receives a new connection, it chooses a Director based on a hash of the source/destination IP address and ports. The Owner then sends a message to the Director to register the new connection. 
◉ If packets arrive at any node other than the Owner, the node queries the Director. The Director then seeks out and defines the Owner node so that the Forwarder can redirect packets to the correct destination. 
◉ A connection has only one Director. 
◉ If a Director fails, the Owner chooses a new Director.

Forwarder: The Forwarder is a node in the cluster that redirects packets to the Owner. 

◉ If a Forwarder receives a packet for a connection it does not own, it queries the Director to seek out the Owner.  
◉ Once the Owner is defined, the Forwarder establishes a flow, and redirects any future packets it receives for this connection to the defined Owner.

Fragment Owner: For fragmented packets, cluster nodes that receive a fragment determine a Fragment Owner using a hash of the fragment source IP address, destination IP address, and the packet ID. All fragments are then redirected to the Fragment Owner over Cluster Control Link.  
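The interplay of the roles above, as an added simulation that is not Cisco code: node names and the client-to-workload flow are constructed, the Director is selected by a SHA-256 hash of the source/destination addresses and ports over the live members, the Director also keeps the Backup Owner copy, and when an Owner fails the next node to receive a packet for that connection becomes the new Owner from that copy.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    alive: bool = True
    owned: dict = field(default_factory=dict)      # Owner: conn -> TCP state
    directory: dict = field(default_factory=dict)  # Director: conn -> owner name (None = Owner lost)
    backups: dict = field(default_factory=dict)    # Backup Owner: conn -> copy of the state
    fwd_cache: dict = field(default_factory=dict)  # Forwarder: conn -> owner name

class Cluster:
    def __init__(self, names):
        self.nodes = {n: Node(n) for n in names}

    def _ring(self, conn):
        """Live nodes rotated so the node selected by the connection hash comes first."""
        live = sorted(n for n, x in self.nodes.items() if x.alive)
        src, dst, sport, dport, proto = conn
        h = int(hashlib.sha256(f"{src}:{sport}>{dst}:{dport}/{proto}".encode()).hexdigest(), 16)
        return live[h % len(live):] + live[:h % len(live)]

    def director_of(self, conn, owner):
        """First hashed node that is not the Owner, so the backup survives an Owner failure
        (needs at least two live nodes)."""
        return next(n for n in self._ring(conn) if n != owner)

    def _register(self, conn, owner, state):
        d = self.nodes[self.director_of(conn, owner)]
        d.directory[conn] = owner
        d.backups[conn] = dict(state)  # the Director doubles as Backup Owner in this model
        return d.name

    def new_connection(self, conn, arriving_at):
        """First packet lands on a node: it becomes Owner and registers with the Director."""
        node = self.nodes[arriving_at]
        node.owned[conn] = {"tcp": "ESTABLISHED"}
        return arriving_at, self._register(conn, arriving_at, node.owned[conn])

    def _lookup(self, conn):
        """Owner lookup: ask the hashed node; the next one covers the Director != Owner rule."""
        for name in self._ring(conn)[:2]:
            node = self.nodes[name]
            if conn in node.owned:
                return name, name
            if conn in node.directory:
                return node.directory[conn], name
        return None, None  # nobody knows this connection

    def packet(self, conn, arriving_at):
        """Later packet: the Owner processes it, any other node acts as Forwarder."""
        node = self.nodes[arriving_at]
        if conn in node.owned:
            return "processed", arriving_at
        owner = node.fwd_cache.get(conn)
        if owner is None or not self.nodes[owner].alive:
            owner, director = self._lookup(conn)
            if director is None:
                return "dropped", None  # unregistered flow: no state anywhere
            if owner is None:
                # Owner failed earlier: the Director hands the connection to this node
                state = self.nodes[director].backups.pop(conn)
                del self.nodes[director].directory[conn]
                node.owned[conn] = state
                self._register(conn, arriving_at, state)
                return "recovered", arriving_at
            node.fwd_cache[conn] = owner
        return "forwarded", owner

    def fail(self, name):
        """Membership change: re-hash; Owners re-register, dead node's flows keep their backups."""
        self.nodes[name].alive = False
        live = [x for x in self.nodes.values() if x.alive]
        orphans = {}
        for x in live:
            for conn, owner in x.directory.items():
                if owner == name or owner is None:
                    orphans[conn] = x.backups[conn]
            for table in (x.directory, x.backups, x.fwd_cache):
                table.clear()
        for x in live:
            for conn, state in x.owned.items():
                self._register(conn, x.name, state)
        for conn, state in orphans.items():
            self._register(conn, None, state)

def demo():
    """Constructed walk-through of Figures 3 and 4: fw2 owns a flow, fails, fw3 recovers it."""
    c = Cluster(["fw1", "fw2", "fw3", "fw4"])
    conn = ("198.51.100.7", "10.0.1.20", 51234, 443, "tcp")  # constructed client -> workload
    trace = [c.new_connection(conn, "fw2")]
    trace.append(c.packet(conn, "fw2"))  # lands on the Owner
    trace.append(c.packet(conn, "fw1"))  # lands elsewhere: Forwarder asks the Director
    c.fail("fw2")
    trace.append(c.packet(conn, "fw3"))  # GWLB rehashes the existing flow to fw3
    trace.append(c.packet(conn, "fw1"))  # stale cache refreshed through the Director
    return trace, c
```

The model drops a flow only when both its Owner and its Backup Owner are gone, which is the double-failure case the single Director/Backup pair does not cover.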

Integration with AWS Gateway Load Balancer (GWLB)


Cisco added support for AWS Gateway Load Balancer (Figure 2). This feature lets organizations scale their firewall presence as needed to meet demand.

Figure 2: Cisco Secure Firewall and AWS Gateway Load Balancer integration 

Cisco Secure Firewall clustering in AWS


Building off the previous figure, organizations can take advantage of the AWS Gateway Load Balancer with Secure Firewall’s clustering capability to evenly distribute traffic at the Secure Firewall cluster. This enables organizations to maximize the benefits of clustering capabilities including increased throughput and redundancy. Figure 3 shows how positioning a Secure Firewall cluster behind the AWS Gateway Load Balancer creates a resilient architecture. Let’s take a closer look at what is going on in the diagram.

Figure 3: Cisco Secure Firewall clustering in AWS

Figure 3 shows an Internet user looking to access a workload. Before the user can access the workload, the user’s traffic is routed to Firewall Node 2 for inspection. The traffic flow for this example includes:

User -> IGW -> GWLBe -> GWLB -> Secure Firewall (2) -> GWLB -> GWLBe -> Workload

In the event of failure, the AWS Gateway Load Balancer cuts off existing connections to the failed node, making the above solution non-stateful.

Recently, AWS announced a new feature for their load balancers known as Target Failover for Existing Flows. This feature enables forwarding of existing connections to another target in the event of failure.

Cisco is an early adopter of this feature and has combined Target Failover for Existing Flows with Secure Firewall clustering capabilities to create the industry’s first stateful cluster in AWS.

Figure 4: Cisco Secure Firewall clustering rehashing existing flow to a new node

Figure 4 shows a firewall failure event and how the AWS Gateway Load Balancer uses the Target Failover for Existing Flows feature to switch the traffic flow from Firewall Node 2 to Firewall Node 3. The traffic flow for this example includes:

User -> IGW -> GWLBe -> GWLB -> Secure Firewall (3) -> GWLB -> GWLBe -> Workload

Source: cisco.com

Thursday, 30 December 2021

Streamlining Connectivity for a Multi-Region Hybrid World


Multi-region cloud deployments create complexity

The combination of a hybrid cloud migration and the long-term needs of a hybrid workforce are shining a spotlight on the need for consistently secure, high quality access to on-demand compute resources.

Requirements for low latency across geographically distributed workloads, resiliency, and compliance with data privacy regulations are driving organizations towards multi-region deployments in the cloud. While this can be done manually by using VPC peering and static routes, management complexity increases with scale and can be error-prone. To make networks streamlined and scalable, organizations need a dynamic and central way to manage their multi-region deployments.

Multi-region cloud deployments: complex, manual static routes and VPC peering

All the hybrids: cloud and work


Cisco Meraki has a globally-proven cloud platform that unifies secure SD-WAN, Access, and IoT technologies—empowering enterprises to deliver high quality hybrid work experiences. The platform allows secure and optimized SD-WAN connectivity to hybrid cloud environments, including AWS, in just three clicks. This Meraki SD-WAN capability is delivered through MX appliances that are available in physical and virtual (vMX) form factors where the latter can be spun up within AWS. Remote workers can also easily connect to vMX appliances in hybrid clouds with a dedicated teleworker appliance or via Cisco AnyConnect.

For customers making this investment into cloud platforms, there are a few ways they can use Meraki to accelerate their cloud journey with AWS. Specifically, for multi-region deployments, Meraki SD-WAN offers deep integration into the newly launched AWS Cloud WAN service and AWS Transit Gateway to significantly streamline workflows to connect users to their cloud resources. For organizations looking to connect their on-prem sites to workloads across regions, we also announced support for AWS Outposts at AWS re:Invent 2021 in December.

Meraki SD-WAN and AWS Transit Gateway

First, the Meraki vMX integration with AWS Transit Gateway lets customers extend their SD-WAN fabric to AWS workloads in an automated manner using AWS Quickstarts.

Dynamic routes and VPC peering with Meraki SD-WAN and AWS Transit Gateway

◉ The architecture consists of an SD-WAN VPC with two vMXs deployed in different availability zones to achieve a highly available architecture.

◉ In addition, a Transit Gateway (TGW) is deployed to extend connectivity to workload resources across different regions. The SD-WAN VPC is linked to the TGW via a VPC attachment, and customers can leverage their existing workflows to connect their workload VPCs to the Transit Gateway.

◉ On the Meraki Dashboard, each vMX is configured as a Hub to the branch sites and statically advertises all of the subnets available in Amazon AWS into Auto VPN.

◉ Finally, an AWS Lambda function is used to monitor the state of the vMX instances and update the SD-WAN VPC and the Transit Gateway route tables for the Auto VPN routes with the appropriate vMX as the next hop.
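A sketch of the monitoring function in the last bullet, added here as an illustration and not the Quick Start’s own Lambda: the instance IDs, ENIs, route table ID and CIDRs are constructed placeholders, `ec2` is any object exposing boto3-shaped `describe_instance_status`, `describe_route_tables` and `replace_route` calls (a `FakeEC2` stand-in is included so it runs offline), and only the SD-WAN VPC route table is handled; the Transit Gateway route table update is left out.

```python
# Constructed inventory: instance IDs, ENIs, route table and CIDRs are placeholders.
VMX = {
    "i-vmx-az-a": {"eni": "eni-vmx-a", "priority": 0},  # preferred next hop
    "i-vmx-az-b": {"eni": "eni-vmx-b", "priority": 1},  # standby in the second AZ
}
AUTOVPN_CIDRS = ["10.10.0.0/16", "10.20.0.0/16"]  # branch subnets advertised over Auto VPN
SDWAN_RTB = "rtb-sdwan-vpc"


def healthy_vmx(ec2):
    """vMX instances that are running and pass both EC2 status checks."""
    resp = ec2.describe_instance_status(InstanceIds=list(VMX), IncludeAllInstances=True)
    return [s["InstanceId"] for s in resp["InstanceStatuses"]
            if s["InstanceState"]["Name"] == "running"
            and s["InstanceStatus"]["Status"] == "ok"
            and s["SystemStatus"]["Status"] == "ok"]


def choose_next_hop(ec2):
    """Lowest-priority healthy vMX, or None when neither is usable."""
    ok = healthy_vmx(ec2)
    return min(ok, key=lambda i: VMX[i]["priority"]) if ok else None


def current_next_hops(ec2):
    """CIDR -> ENI currently installed in the SD-WAN VPC route table."""
    resp = ec2.describe_route_tables(RouteTableIds=[SDWAN_RTB])
    return {r.get("DestinationCidrBlock"): r.get("NetworkInterfaceId")
            for r in resp["RouteTables"][0]["Routes"]}


def reconcile_routes(ec2):
    """Point every Auto VPN route at the preferred healthy vMX, touching only routes
    whose next hop is wrong. Returns (chosen instance, CIDRs rewritten)."""
    chosen = choose_next_hop(ec2)
    if chosen is None:
        return None, []  # leave routes alone rather than blackholing the branches
    eni = VMX[chosen]["eni"]
    installed = current_next_hops(ec2)
    changed = []
    for cidr in AUTOVPN_CIDRS:
        if installed.get(cidr) != eni:
            ec2.replace_route(RouteTableId=SDWAN_RTB, DestinationCidrBlock=cidr,
                              NetworkInterfaceId=eni)
            changed.append(cidr)
    return chosen, changed


def lambda_handler(event, context, ec2=None):
    """Scheduled entry point; builds a real boto3 client unless one is injected."""
    if ec2 is None:
        import boto3  # only needed when running inside AWS
        ec2 = boto3.client("ec2")
    chosen, changed = reconcile_routes(ec2)
    return {"next_hop": chosen, "routes": changed}


class FakeEC2:
    """Offline stand-in returning the boto3 response shapes used above."""
    def __init__(self, health, routes):
        self.health = dict(health)  # instance id -> healthy?
        self.routes = dict(routes)  # (route table id, cidr) -> eni

    def describe_instance_status(self, InstanceIds, IncludeAllInstances=False):
        return {"InstanceStatuses": [{
            "InstanceId": i,
            "InstanceState": {"Name": "running" if self.health[i] else "stopped"},
            "InstanceStatus": {"Status": "ok" if self.health[i] else "impaired"},
            "SystemStatus": {"Status": "ok"}} for i in InstanceIds]}

    def describe_route_tables(self, RouteTableIds):
        rtb = RouteTableIds[0]
        return {"RouteTables": [{"RouteTableId": rtb, "Routes": [
            {"DestinationCidrBlock": c, "NetworkInterfaceId": e, "State": "active"}
            for (t, c), e in self.routes.items() if t == rtb]}]}

    def replace_route(self, RouteTableId, DestinationCidrBlock, NetworkInterfaceId):
        self.routes[(RouteTableId, DestinationCidrBlock)] = NetworkInterfaceId
        return {}


def demo():
    """Both vMXs up but routes still on AZ b; then AZ a fails and traffic moves back."""
    ec2 = FakeEC2({"i-vmx-az-a": True, "i-vmx-az-b": True},
                  {(SDWAN_RTB, c): "eni-vmx-b" for c in AUTOVPN_CIDRS})
    first = reconcile_routes(ec2)   # moves both routes to eni-vmx-a
    second = reconcile_routes(ec2)  # idempotent: nothing left to change
    ec2.health["i-vmx-az-a"] = False
    third = reconcile_routes(ec2)   # fails over to eni-vmx-b
    return first, second, third, ec2
```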

Meraki SD-WAN and AWS Cloud WAN

AWS recently launched AWS Cloud WAN at AWS Re:Invent. Cisco Meraki is one of the first partners to integrate with the new service. Cloud WAN is AWS’s managed wide area networking (WAN) solution that makes it easy for customers to build, manage, and monitor their global networks across the AWS backbone.

Organizations with Meraki SD-WAN can leverage the new AWS Cloud WAN service to extend their SD-WAN fabric across the unified AWS global network.

Meraki vMX integrates with AWS Cloud WAN to allow admins to define a multi-region, segmented, dynamically routed global network with intent-driven policies. This allows organizations to scale across different regions without worrying about managing the complexity of peering.

Dynamically routed global network with Meraki SD-WAN and AWS Cloud WAN

Instead of having to manage peering connections between different AWS Transit Gateways across multiple regions, a single Cloud WAN core network is deployed that spans across multiple regions with the following:

◉ Core Network Edges (CNE), deployed in each region of the core network
◉ Two segments, one for the SD-WAN overlay and one for the customer workloads
◉ Core Network Policy (CNP), which defines the global configuration of the core network
◉ The SD-WAN VPC and the workload VPCs, connected to the core network as VPC attachments

Multi-tenancy and Scale using AWS Outposts

Customers also need a secure way to connect their on-prem sites to workloads across different regions in the cloud. Using Meraki’s vMX solution, customers can easily extend their SD-WAN fabric to their public and private cloud environments.


AWS recently announced new Outposts Server Form Factors at AWS Re:Invent and Cisco Meraki will be one of the first launch partners to support the 2U servers with vMX (coming soon).

Customers looking for edge computing and even datacenter computing can leverage vMX on Outpost with the benefit of a fully managed infrastructure with native AWS APIs and the simplicity and security of Meraki.

Without Outposts, customers need to procure and manage separate hardware for compute and networking, making management cumbersome and difficult.

If you’re investing in a multi-cloud architecture and need a more scalable, flexible, and manageable SD-WAN fabric, we encourage you to learn more about the Meraki platform. Meraki combines SD-WAN with Wi-Fi, access switching, and IoT on a cloud-native platform that reduces the complexity of building a hybrid cloud architecture.

Source: cisco.com

Saturday, 25 September 2021

Automating AWS with Cisco SecureX


The power of programmability, automation, and orchestration

Automating security operations within the public clouds takes advantage of the plethora of today’s capabilities available and can drive improvements throughout all facets of an organization. Public clouds are built on the power of programmability, automation, and orchestration. Pulling all of these together into a unified mechanism can help deliver robust, elastic, and on-demand services. Services that support the largest of enterprises, or the smallest of organizations or individuals, and everywhere in between.

Providing security AND great customer experience

The success of the major public cloud providers is a testament itself to the power of automation. Let’s face it, Cyber Security isn’t getting any easier, and attackers are only getting more sophisticated. When considering the makeup of today’s organizations, as well as those of the future, a few key points are worth consideration.


First, the shift to a significantly remote workforce is here to stay. Post-pandemic, there will certainly be a significant number of employees returning to the office. However, the flexibility so many have gotten used to will likely remain a reality and must be accounted for by SecOps teams.

Secondly, not every physical location, from manufacturing facilities and office space to branch coffee shops, has the ability to go virtual, and we, as security practitioners, are left with a significant challenge: how do we provide comprehensive security alongside a seamless customer experience and a top-notch user experience?

Clearly the answer is automation

The SecureX AWS Relay Module consolidates monitoring of your AWS environment.

Leveraging the flexibility of Cisco SecureX is a great place to begin your organization’s cloud automation journey. Start by deploying the SecureX AWS Relay Module. This module immediately consolidates monitoring of your AWS environment alongside the rest of the security tools within the SecureX platform. The module has three significant components:

◉ Dashboard tiles providing high-level metrics on infrastructure, IAM, and network traffic, for monitoring trends and surfacing potential issues.

◉ Threat Response, with features that enable deep threat hunting by evaluating connection events between compute instances and remote hosts, while also providing enrichment on known suspicious or malicious observables such as remote IP addresses or file hashes.

◉ Response capabilities that allow immediate segmentation of instances to block lateral movement or data exfiltration, all from within the Threat Response console.

The SecureX enterprise-grade workflow orchestration engine offers low-code or no-code options for automating your AWS environment.

Customizable automation and orchestration capabilities

The SecureX Relay Module provides some great capabilities; however, there are many operations an organization needs to perform that fall outside the scope of its native capabilities. To handle those, and to provide highly customizable automation and orchestration capabilities, there is SecureX Orchestration. This enterprise-grade workflow orchestration engine offers low-code or no-code options for automating your AWS environment, and many, many more.


SecureX Orchestration operates by leveraging workflows as automation mechanisms that simply run from start to end and perform tasks ranging from individual HTTP API calls to pre-built, drag-and-drop operations known as Atomic Actions. These “Atomics” allow for the consumption of certain capabilities without the need to manage the underlying operations: simply provide the necessary inputs and they return the desired output. Workflows support the same programmatic logic as code, such as conditional statements, loops, and even parallel operations.

Libraries of built-in Atomics (including one for AWS) let you conduct custom operations in your cloud environment through simple drag-and-drop workflows.

Included with every SecureX Orchestration deployment are libraries of built-in Atomics, including a robust one for AWS. From operations such as getting metrics to creating security groups or VPCs, a multitude of custom operations can be conducted in your cloud environment through simple drag-and-drop workflows. Do you have a defined process for data gathering, or routine operations that need to be performed? By creating workflows and assigning a schedule, all of these operations can be completed with consistency and precision, freeing up time to address additional business-critical operations.
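What the Relay Module’s “segment this instance” response and an AWS security-group Atomic do underneath is a handful of EC2 API calls. The following is an added example written for this page, not SecureX, Cisco or AWS code: it quarantines an instance by moving every one of its ENIs onto a deny-all security group and records the original groups so the action can be reversed. The boto3 method names and parameters are the real ones; the VPC, instance, ENI and group IDs are constructed, and the FakeEC2 class is an offline stand-in for boto3.client("ec2").

```python
"""Quarantine an EC2 instance by moving all of its ENIs onto a deny-all
security group, and reverse it later. Added example; not SecureX, Cisco
or AWS code. The boto3 method names and parameters are real; instance,
ENI, VPC and group IDs below are constructed."""

ALLOW_ALL_IPV4_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


def ensure_quarantine_sg(ec2, vpc_id, name="secops-quarantine"):
    """Return the ID of a security group that permits nothing in or out.

    A freshly created group has no inbound rules, but AWS gives it an
    allow-all IPv4 egress rule; that rule must be revoked or the quarantined
    host can still reach out (command and control, exfiltration)."""
    existing = ec2.describe_security_groups(Filters=[
        {"Name": "group-name", "Values": [name]},
        {"Name": "vpc-id", "Values": [vpc_id]},
    ])["SecurityGroups"]
    if existing:
        return existing[0]["GroupId"]
    sg_id = ec2.create_security_group(
        GroupName=name, Description="SecOps quarantine: deny all", VpcId=vpc_id,
    )["GroupId"]
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=ALLOW_ALL_IPV4_EGRESS)
    return sg_id


def quarantine_instance(ec2, instance_id, quarantine_sg_id):
    """Replace the security groups on every ENI of the instance.

    Returns {eni_id: [original group ids]} so the change can be rolled back
    once the investigation is done."""
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    instance = reservations[0]["Instances"][0]
    rollback = {}
    for eni in instance["NetworkInterfaces"]:
        eni_id = eni["NetworkInterfaceId"]
        rollback[eni_id] = [g["GroupId"] for g in eni["Groups"]]
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni_id, Groups=[quarantine_sg_id])
    return rollback


def release_instance(ec2, rollback):
    """Restore the security groups recorded by quarantine_instance()."""
    for eni_id, groups in rollback.items():
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni_id, Groups=groups)


class FakeEC2:
    """Constructed in-memory stand-in for a boto3 EC2 client so the example
    runs offline. Only the calls used above are modelled."""

    def __init__(self, vpc_id, enis, groups):
        self.vpc_id = vpc_id
        self.enis = enis        # {eni_id: [group ids]}
        self.groups = groups    # {group id: {"name": str, "egress": [...]}}

    def describe_security_groups(self, Filters):
        wanted = {f["Name"]: f["Values"][0] for f in Filters}
        hits = [{"GroupId": gid} for gid, g in self.groups.items()
                if g["name"] == wanted["group-name"] and self.vpc_id == wanted["vpc-id"]]
        return {"SecurityGroups": hits}

    def create_security_group(self, GroupName, Description, VpcId):
        gid = f"sg-{len(self.groups):04d}"
        self.groups[gid] = {"name": GroupName, "egress": list(ALLOW_ALL_IPV4_EGRESS)}
        return {"GroupId": gid}

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.groups[GroupId]["egress"] = [
            p for p in self.groups[GroupId]["egress"] if p not in IpPermissions]
        return {"Return": True}

    def describe_instances(self, InstanceIds):
        ifaces = [{"NetworkInterfaceId": e, "Groups": [{"GroupId": g} for g in gs]}
                  for e, gs in self.enis.items()]
        return {"Reservations": [{"Instances": [
            {"InstanceId": InstanceIds[0], "NetworkInterfaces": ifaces}]}]}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        self.enis[NetworkInterfaceId] = list(Groups)
        return {}


def demo_fixture():
    """Constructed web instance with two ENIs; every ID here is made up."""
    return FakeEC2(
        vpc_id="vpc-0example",
        enis={"eni-0web": ["sg-0web"], "eni-0mgmt": ["sg-0web", "sg-0mgmt"]},
        groups={"sg-0web": {"name": "web", "egress": list(ALLOW_ALL_IPV4_EGRESS)},
                "sg-0mgmt": {"name": "mgmt", "egress": list(ALLOW_ALL_IPV4_EGRESS)}},
    )


if __name__ == "__main__":
    ec2 = demo_fixture()          # use boto3.client("ec2") against a real account
    sg = ensure_quarantine_sg(ec2, "vpc-0example")
    saved = quarantine_instance(ec2, "i-0example", sg)
    print("quarantined:", ec2.enis, "rollback:", saved)
    release_instance(ec2, saved)
```

One caveat for a real deployment: security groups are stateful, and AWS does not immediately interrupt connections it is already tracking when the rule that allowed them disappears, so a long-lived session may survive the swap for a while. If hard isolation is required, pair the swap with a network ACL change or stop the instance after collecting evidence.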


A more effective SecOps team

By combining built-in SecureX Orchestration workflows with additional custom ones critical to your organization’s processes, end-to-end automation of time-sensitive, business-critical tasks can be achieved with minimal development. Used in conjunction with the SecureX AWS Relay Module, your organization has at its disposal a fully featured, robust set of monitoring, deployment, management, and response capabilities that can drastically improve the velocity, consistency, and overall effectiveness of any SecOps team.

Sunday, 20 September 2020

Extend secure, automated branch office networking to AWS with Cisco SD-WAN Cloud OnRamp

According to a Cisco study, by 2021, there will be 20 zettabytes of traffic between the DC/branch to the clouds, as companies use popular public cloud platforms like Amazon Web Services (AWS). Meanwhile, “IaaS is forecast to grow 24% year over year, which is the highest growth rate across all market segments,” according to Gartner.

However, while a cloud strategy creates more agility, it also presents challenges for IaaS deployments. Below are three primary concerns cloud users face regularly:

Inconsistent connectivity

Large-scale networks may traverse multiple slow public and/or expensive private connections to reach cloud deployments, while smaller networks may need to battle a slow, jittery internet to reach the cloud. In either case, customers need to find the fastest and most reliable link while ensuring secure transport.

Complexity with governance

No real uniformity exists as to how different platforms handle their governance and compliance. This maze of rules and frameworks can create consistency problems with companies trying to utilize more than one cloud platform, especially with (but not exclusive to) IaaS. Finally, each cloud vendor has its own policy, security and segmentation process. These variances from vendor to vendor add another layer of complexity that must be managed.

Visibility problems

Different cloud platforms also use various protocols for analytics, metrics and insights. This variance can effectively reduce visibility for companies, making it more challenging to optimize usage across the network.

Cisco’s SD-WAN Cloud OnRamp automates and optimizes the enterprise SD-WAN to IaaS and SaaS

Cloud OnRamp is a cloud networking solution and a functionality of Cisco SD-WAN through which enterprises can network their branch sites to workloads deployed in cloud environments. Cloud OnRamp provides seamless, secure and automated networking for IaaS as well as an optimized experience for various SaaS applications.

One proven way to overcome the challenges of a cloud strategy is by implementing a consistent fabric across a company’s entire WAN using Cisco SD-WAN Cloud OnRamp. Cisco SD-WAN provides a secure WAN architecture that extends consistent policy enforcement, segmentation and security across both on-premises and cloud networks. Cloud OnRamp simplifies the experience further through automation, using vManage as the single-pane-of-glass management platform to create an SD-WAN transit network in the cloud provider’s environment.

Advantages of Cisco SD-WAN Cloud OnRamp

◉ Greater automation — With Cloud OnRamp, users can expect to automate SD-WAN extension to the cloud in minutes with just a few clicks.

◉ Improved security – Cloud OnRamp reduces security risk by leveraging granular segmentation and streamlined policy enforcement to control and segment the traffic flowing through the network, guarding against external and internal threats to the data.

◉ Ease of management – Cloud OnRamp provides end-to-end data sharing between cloud and branch and establishes inter-regional visibility across transit data and network telemetry.

Cisco SD-WAN Cloud OnRamp Integration with AWS Transit Gateway

Cisco has partnered with AWS to provide end-to-end solutions for joint customers to create the best possible user experience. Customers benefit from fully automated networking to workloads in AWS Cloud and native integration between Cisco SD-WAN and AWS Transit Gateway and Transit Gateway Network Manager.

Sneak peek of the new features and benefits:

◉ Fully automated Cisco SD-WAN fabric extension to AWS Cloud: instead of spending hours of time per region and going through error-prone manual processes, now enterprise customers can bridge their branches to AWS workloads through a fully secure Cisco SD-WAN network in just minutes.

◉ Single pane of glass management through Cloud OnRamp: jumping back and forth between different management consoles of Cisco and AWS to orchestrate networking resources can be challenging and ineffective. With this new integration, enterprise customers will be able to manage both the Cisco SD-WAN virtual router and AWS Transit Gateway through Cloud OnRamp.

◉ Extending enterprise segmentation to AWS Cloud: one important aspect of secure networking is to ensure consistent enterprise segmentation across the entire network. By using the GUI-based Intent Management feature in Cloud OnRamp, enterprise customers can easily manage VPN to VPC and VPC to VPC communications through simple clicks.

◉ End-to-end visibility: by populating elements of both the SD-WAN network and AWS cloud network into AWS Network Manager, enterprise customers will have a unified and visualized view of both branch and cloud sites.

Watch AWS, Cisco and joint customer ENGIE discuss the benefits of integrating Cisco SD-WAN with AWS Transit Gateway Network Manager in a recent webinar and learn how to get started.

With more than half of enterprise workloads expected to be deployed in public clouds within the next year, cloud computing is a growing opportunity and challenge for today’s enterprises. By deploying an integrated solution like Cisco’s Cloud OnRamp for IaaS, companies will stay competitive by making their cloud strategy more productive, consistent and secure.

Sunday, 3 May 2020

Cisco Secure Cloud Architecture for AWS

More and more customers are deploying workloads and applications in Amazon Web Services (AWS). AWS provides a flexible, reliable, secure, easy-to-use, scalable and high-performance environment for workloads and applications.

AWS recommends a three-tier architecture for web applications. The tiers are separated so that each performs its function independently: a multilayer web application has a presentation layer (web tier), an application layer (app tier), and a database layer (database tier). Changes can be made to each tier independently of the others, and because the application requires scalability and availability, the three-tier architecture lets each tier scale and stay available independently.


Figure 1: AWS three-tier architecture

AWS has a shared responsibility model, i.e., customers are still responsible for protecting their workloads, applications, and data. The three-tier architecture above offers a scalable and highly available design: each tier can scale in or scale out independently, but Cisco recommends adding proper security controls for visibility, segmentation, and threat protection.


Figure 2: Key pillars of a successful security architecture

Cisco recommends protecting workload and application in AWS using a Cisco Validated Design (CVD) shown in Figure 3. All the components mentioned in this design have been verified and tested in the AWS cloud. This design brings together Cisco and AWS security controls to provide visibility, segmentation, and threat protection.

Visibility: Cisco Tetration, Cisco Stealthwatch Cloud, Cisco AMP for Endpoints, Cisco Threat Response, and AWS VPC flow logs.

Segmentation: Cisco Next-Generation Firewall, Cisco Adaptive Security Appliance, Cisco Tetration, Cisco Defense Orchestrator, AWS security groups, AWS gateways, AWS VPCs, and AWS subnets.

Threat Protection: Cisco Next-Generation Firewall (NGFWv), Cisco Tetration, Cisco AMP for Endpoints, Cisco Umbrella, Cisco Threat Response, AWS WAF, AWS Shield (DDoS – Standard or Advanced), and Radware WAF/DDoS.

Another key pillar is Identity and Access Management (IAM): Cisco Duo and AWS IAM.


Figure 3: Cisco Validated Design for AWS three-tier architecture

Cisco security controls used in the validated design (Figure 3):

◉ Cisco Defense Orchestrator (CDO) – CDO can now manage AWS security groups. CDO provides micro-segmentation by managing the host-level firewall rules on each workload.

◉ Cisco Tetration (SaaS) – The Cisco Tetration agent on AWS instances forwards network flow and process information; this information is essential for visibility and policy enforcement.

◉ Cisco Stealthwatch Cloud (SWC) – SWC consumes VPC flow logs, AWS CloudTrail, Amazon Inspector, AWS IAM, and many more sources. SWC includes compliance-related observations and provides visibility into your AWS cloud infrastructure.

◉ Cisco Duo – Cisco Duo provides MFA for the AWS console and for applications running on the workloads.

◉ Cisco Umbrella – The Cisco Umbrella virtual appliance is available for AWS; using VPC DHCP option sets, an administrator can configure Cisco Umbrella as the primary DNS resolver. The Cisco Umbrella cloud provides a way to configure and enforce DNS-layer security for workloads in the cloud.

◉ Cisco Adaptive Security Appliance Virtual (ASAv) – Cisco ASAv provides a stateful firewall, network segmentation, and VPN capabilities in an AWS VPC.

◉ Cisco Next-Generation Firewall Virtual (NGFWv) – Cisco NGFWv provides a stateful firewall, application visibility and control, next-generation IPS, URL filtering, and network AMP in AWS.

◉ Cisco Threat Response (CTR) – Cisco Threat Response has API-driven integration with Umbrella, AMP for Endpoints, and SWC (coming soon). Using this integration, the security operations team can gain visibility and perform threat hunting.

AWS controls used in the Cisco Validated Design (Figure 3):

◉ AWS Security Groups (SG) – AWS security groups provide micro-segmentation by applying stateful firewall rules directly on the instance’s virtual interface (elastic network interface, ENI).

◉ AWS Web Application Firewall (WAF) – AWS WAF protects against common web exploits.

◉ AWS Shield (DDoS) – AWS Shield protects against DDoS attacks.

◉ AWS Application Load Balancer (ALB) and Network Load Balancer (NLB) – AWS ALB and NLB provide load balancing for incoming traffic.

◉ Amazon Route 53 – Route 53 provides DNS-based load balancing and is used to load balance RAVPN (SSL) across multiple firewalls in a VPC.
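The segmentation pillar of the three-tier design rests on the security groups above: each tier should admit traffic only from the tier in front of it, by referencing that tier’s security group rather than an address range that other workloads might also occupy. The following is an added example, not part of the Cisco Validated Design: it builds such a rule set in boto3’s IpPermissions shape and then checks it (or a live describe_security_groups() response) for any rule that breaks the tier isolation. Group IDs and port numbers are constructed assumptions.

```python
"""Security groups for the three-tier design that reference the tier in front
of them instead of CIDR ranges, plus a check that the tiers stay isolated.
Added example, not part of the Cisco Validated Design; the group IDs and
ports are constructed placeholders and the rule shape is boto3's IpPermissions."""

EDGE_SOURCES = {"0.0.0.0/0", "::/0"}   # only the load balancer tier may face the internet


def from_group(port, source_sg):
    """TCP rule admitting `port` only from members of another security group."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg}]}


def from_cidr(port, cidr):
    """TCP rule admitting `port` from an IPv4 or IPv6 address range."""
    if ":" in cidr:
        return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                "Ipv6Ranges": [{"CidrIpv6": cidr}]}
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


def three_tier_rules(alb_sg, web_sg, app_sg, db_sg):
    """Inbound rules per group: internet -> ALB -> web -> app -> db, nothing else."""
    return {
        alb_sg: [from_cidr(443, "0.0.0.0/0"), from_cidr(443, "::/0")],
        web_sg: [from_group(8080, alb_sg)],
        app_sg: [from_group(9000, web_sg)],
        db_sg:  [from_group(5432, app_sg)],
    }


def sources(perm):
    """Every source a rule admits: security groups, IPv4/IPv6 ranges, prefix lists."""
    return ([p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            + [r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            + [p["PrefixListId"] for p in perm.get("PrefixListIds", [])])


def check_tier_isolation(rules, order):
    """Return (group, source, port) for every rule that admits a source other
    than the tier directly in front of it; only the first tier may admit the internet."""
    violations = []
    for i, sg in enumerate(order):
        allowed = EDGE_SOURCES if i == 0 else {order[i - 1]}
        for perm in rules.get(sg, []):
            for src in sources(perm):
                if src not in allowed:
                    violations.append((sg, src, perm.get("FromPort")))
    return violations


def rules_from_describe(response):
    """Reshape a boto3 describe_security_groups() response for check_tier_isolation()."""
    return {g["GroupId"]: g["IpPermissions"] for g in response["SecurityGroups"]}


def apply_rules(ec2, rules):
    """Push the rules with a boto3 EC2 client; the groups must already exist."""
    for sg, perms in rules.items():
        ec2.authorize_security_group_ingress(GroupId=sg, IpPermissions=perms)


if __name__ == "__main__":
    order = ["sg-0alb", "sg-0web", "sg-0app", "sg-0db"]   # constructed IDs
    rules = three_tier_rules(*order)
    print("violations:", check_tier_isolation(rules, order))
    rules["sg-0db"].append(from_cidr(5432, "10.0.0.0/8"))   # a rule that drifted in
    print("violations:", check_tier_isolation(rules, order))
```

Because security groups are stateful, return traffic needs no matching rule, so the only inbound rules each tier requires are the ones listed. Running check_tier_isolation() on rules_from_describe() output as a scheduled job catches a rule someone added by hand to “just get it working”.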

Radware controls used in the Cisco Validated Design (Figure 3):

◉ Radware (WAF and DDoS): Radware provides WAF and DDoS capabilities as a service.

Cisco recommends enabling the following key capabilities on Cisco security controls. These controls not only provide unmatched visibility, segmentation and threat protection, but they also help in adhering to security compliance.


In addition to the Cisco security controls above, Cisco recommends using the following native AWS security components to protect workloads and applications.


Tuesday, 7 April 2020

Top 5 features of a Network Traffic Analysis (NTA) tool- Why you need Stealthwatch now more than ever

According to research from Enterprise Strategy Group (ESG) and the Information Systems Security Association, 91% of cybersecurity professionals believe that most organizations are either extremely or somewhat vulnerable to a significant cyber-attack or data breach.1 CISOs have tried many different solutions. Many are increasing hiring in a field with a steep talent shortage, which may have some long-term returns but doesn’t solve the problems they are facing today. Some also purchase a patchwork of security solutions that aren’t really integrated – an approach that can cause major complications for security architects. These strategies are clearly not increasing confidence in their overall security effectiveness.


Figure: ESG survey responses to “What are the primary reasons you believe cybersecurity analytics and operations are more difficult today than they were 2 years ago?”

Research indicates that organizations can’t hire their way out of their cybersecurity woes. CISOs must improve security efficacy, streamline operations and bolster employee productivity, and they must rely on their existing workforce. That’s where Network Traffic Analysis (NTA) tools can provide a cybersecurity quick-win. An effective and modern NTA solution can continuously monitor the network and detect threats that might have bypassed the perimeter or even originated within the business. Top-tier NTA solutions take the weight off of the employees’ shoulders by giving them the tools they need to speed up threat detection and remediation. To help you evaluate an NTA solution effectively, let’s take a look at the top features identified by cybersecurity professionals as part of the research conducted by ESG:

1. Built-in analytics and threat intelligence services

44% of survey respondents said that built-in analytics to help analysts detect suspicious/malicious behavior is one of the most important features. Best-in-class NTA tools have different algorithms and signatures built-in to model behavior and crunch data, allowing for high-fidelity alerts that streamline workloads and accelerate incident response. The same percentage also said that threat intelligence services/integrations to enable comparisons between suspicious behavior and known threats is another top feature. These integrations allow NTA tools to “enrich” network telemetry, making alerts more thorough and actionable.

2. Ability to monitor IoT traffic/devices

Users also need the ability to monitor niche equipment that is unique to their industries. This is especially important in industries that have made aggressive investments in IoT like healthcare, manufacturing and transportation. IoT devices generate telemetry and increase the threat surface like any other connected device, and therefore need to feed into an NTA tool.

3. Ability to monitor all network nodes

37% of respondents stated that alerts for when new network nodes are connected are essential for an NTA tool. This means security professionals want NTA tools to issue alerts when unsanctioned devices connect. This is incredibly important for monitoring and mitigating cyber-risks.

4. Proven integrations with other security technologies

37% also said that one of the most important features is documented and tested integrations with other types of security technologies. These other technologies could be malware sandboxes, network segmentation enforcement technologies and much more. These integrations allow for a closed-loop process that includes network security development, monitoring and enforcement.

5. Public cloud visibility

More than a third of respondents said that the ability to monitor cloud traffic is an essential feature. In order to provide true end-to-end visibility, NTA tools need to be able to tap into VPCs, cloud monitoring logs and APIs across AWS, Azure, GCP, etc.
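Features 1, 3 and 5 above come down to analytics run over network telemetry, and in AWS the telemetry that an NTA tool taps is the VPC flow log. The following is an added example, not Stealthwatch code, showing two of those detections over constructed flow log records in the default version 2 format: an address inside the VPC that is not in the asset inventory (a new node on the network) and a source that was rejected on many ports of one host (a scan), plus a listing of accepted flows from outside the VPC. The VPC range, inventory and records are all constructed for the example.

```python
"""NTA-style detections over Amazon VPC Flow Log records. Added example, not
Stealthwatch code; the records, VPC range and asset inventory are constructed."""
import ipaddress
from collections import defaultdict

# Default (version 2) flow log record layout.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
VPC = ipaddress.ip_network("10.0.0.0/16")            # constructed VPC CIDR
KNOWN_ASSETS = {"10.0.1.20", "10.0.2.30"}             # constructed inventory

# Constructed records: a normal app->db flow, one host probing five ports on
# the db host, an accepted inbound HTTPS flow from the internet, and a NODATA line.
SAMPLE_LOG = """\
2 123456789012 eni-0aaa 10.0.1.20 10.0.2.30 51234 5432 6 12 2048 1600000000 1600000059 ACCEPT OK
2 123456789012 eni-0aaa 10.0.1.20 10.0.2.30 51235 5432 6 8 1024 1600000000 1600000059 ACCEPT OK
2 123456789012 eni-0bbb 10.0.9.77 10.0.2.30 40001 22 6 1 44 1600000100 1600000159 REJECT OK
2 123456789012 eni-0bbb 10.0.9.77 10.0.2.30 40002 23 6 1 44 1600000100 1600000159 REJECT OK
2 123456789012 eni-0bbb 10.0.9.77 10.0.2.30 40003 445 6 1 44 1600000100 1600000159 REJECT OK
2 123456789012 eni-0bbb 10.0.9.77 10.0.2.30 40004 3389 6 1 44 1600000100 1600000159 REJECT OK
2 123456789012 eni-0bbb 10.0.9.77 10.0.2.30 40005 8080 6 1 44 1600000100 1600000159 REJECT OK
2 123456789012 eni-0ccc 198.51.100.9 10.0.2.30 33000 443 6 30 9000 1600000200 1600000259 ACCEPT OK
2 123456789012 eni-0aaa - - - - - - - 1600000300 1600000359 - NODATA
"""


def parse(text):
    """Parse records; NODATA/SKIPDATA lines carry no flow and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def new_internal_nodes(records, known=KNOWN_ASSETS):
    """Addresses inside the VPC range, seen as source or destination, that the
    inventory does not list: a node that connected without being sanctioned."""
    seen = {r[k] for r in records for k in ("srcaddr", "dstaddr")}
    return sorted(a for a in seen if ipaddress.ip_address(a) in VPC and a not in known)


def port_scans(records, min_ports=5):
    """(src, dst, ports) where one source was rejected on at least min_ports
    distinct destination ports of a single host."""
    rejected = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            rejected[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return [(src, dst, sorted(ports)) for (src, dst), ports in sorted(rejected.items())
            if len(ports) >= min_ports]


def accepted_from_outside(records):
    """(src, dst, port) for flows the VPC accepted from addresses outside its range."""
    return sorted({(r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
                   if r["action"] == "ACCEPT" and ipaddress.ip_address(r["srcaddr"]) not in VPC})


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("unknown internal nodes:", new_internal_nodes(recs))
    print("port scans:", port_scans(recs))
    print("accepted from outside:", accepted_from_outside(recs))
```

The fixed-width field list is the default format; a custom flow log format (for example one that adds the VPC ID or packet direction) needs FIELDS changed to match the order declared when the flow log was created.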

Cisco Stealthwatch


Stealthwatch aligns well with the most important NTA attributes cited by the surveyed cybersecurity professionals. For example, Stealthwatch:

◉ Features multiple types of built-in analytics. Its behavioral modeling and multi-layered machine learning algorithms can detect hidden threats, even those hiding in encrypted traffic.

◉ Provides comprehensive visibility. In addition to monitoring on-premises environments, Stealthwatch also offers agentless visibility into the public cloud. It can also detect when a new network node connects, monitor traffic from IoT devices and more. Nothing slips through the cracks with Stealthwatch.

◉ Backed by Cisco Talos threat intelligence. Threat intelligence is one of the most important features of an NTA tool. Stealthwatch ties its multi-layered analytics with global threat intelligence from Talos, the largest non-governmental threat intelligence organization in the world, and can take immediate action when activity is associated with a known threat, no matter the origin.


CISOs of the world can’t keep up with their security workloads, especially with a global cybersecurity talent shortage. They need quick wins: fast, efficient and accurate alerts that allow them to focus on what really matters. Cisco Stealthwatch is the tool they need right now.

Saturday, 7 December 2019

Configuring Cisco Security with Amazon VPC Ingress Routing

Today, Amazon Web Services (AWS) announced a new capability in Virtual Private Cloud (VPC) networking that is designed to make it easier and more efficient for Cisco Security customers to deploy advanced security controls in the cloud. This new capability is called Amazon VPC Ingress Routing. It allows users to specify routes for traffic flowing between a VPC and the internet, or between a VPC and a VPN connection to, for example, a private data center.

Amazon VPC Ingress Routing is a service that helps customers simplify the integration of network and security appliances within their network topology. With Amazon VPC Ingress Routing, customers can define routing rules at the Internet Gateway (IGW) and Virtual Private Gateway (VGW) to redirect ingress traffic to third-party appliances, before it reaches the final destination. This makes it easier for customers to deploy production-grade applications with the networking and security services they require within their Amazon VPC.

While the remainder of this post focuses on Cisco’s NGFWv and ASAv products, this capability can also be used to deploy a number of other network-based security solutions into the AWS traffic path. This includes services such as the following:

◉ Firewall policy enforcement
◉ Network traffic visibility
◉ Malware detection
◉ URL filtering
◉ Intrusion Prevention
◉ DNS security

This is a big win for Cisco customers deploying our security products in AWS, and we are pleased to have been an early adopter and Integration Partner with AWS on this launch.

How to Use Amazon VPC Ingress Routing with Cisco Firewalls

The configuration is achieved by creating a custom route table whose routes for the protected subnets point to the security appliance’s public (outside) Elastic Network Interface (ENI), associating that route table with the IGW or VGW (an edge association), and pointing the protected subnets’ own routes at the appliance’s private (inside) ENI, so traffic in both directions passes through the same appliance. A single firewall instance can protect multiple subnets; however, a separate instance is needed per VPC. Below are some details on the testing we performed as well as sample use cases and configuration guidance.

Use Cases / Deployment Scenarios


Cisco NGFWv/ASAv can be deployed in a VPC to protect the following traffic flows:

◉ Traffic Traversing an Internet Gateway (IGW) To/From the Internet
◉ Traffic Traversing a VPN Gateway (VGW) To/From a Remote VPN Peer

Benefits of Using Amazon VPC Ingress Routing with Cisco’s NGFWv and ASAv


◉ Offload NAT from the firewall to AWS network address translation (NAT) gateway or instance
◉ Simplify protection of multi-tier applications spanning subnets and VPCs
◉ The scalable design makes it easy to add new subnets, and more of them
◉ Enables bi-directional, threat-centric protection for traffic bound for private networks and the internet

POC Deployment Scenario


Enable outbound Internet connectivity and offload NAT function to AWS NAT gateway

In this scenario, the Cisco firewall (NGFWv or ASAv) is deployed between the internal services in the AWS VPC and the internet. The route table associated with the Internet Gateway (igw-rt) has a specific route for the inside subnet that directs inbound traffic to the Cisco firewall for inspection. Prior to this enhancement, users had to NAT egress traffic on the firewall so that the reply packets would return to the same virtual appliance. This new configuration eliminates the need for an ENI on the firewall and removes the requirement to perform NAT on the firewall, thus improving performance.


Cisco NGFW/ASA with AWS IGW (route table attached to the IGW) and AWS NAT gateway to NAT outbound traffic

Cisco NGFW/ASA with Multiple Subnets, Three-tier Architecture Using IGW and Amazon VPC Ingress Routing

This topology expands on the previous​, demonstrating how multiple subnets can be protected by a single firewall. By utilizing the AWS NAT Gateway service, the number of protected subnets behind a single firewall can be scaled significantly beyond what was previously possible.

As with the previous architecture, the Cisco firewall is deployed at the edge in routed mode, forwarding outbound traffic to the IGW. Multiple routes are configured in the IGW’s route table to direct inbound traffic for each subnet through the firewall, while the protected subnets forward their outbound traffic to the firewall’s internal interface via the NAT gateway.


Cisco NGFW/ASA three-tier Architecture with AWS IGW and VPC Ingress Routing

Cisco NGFW/ASA with Multiple Subnets, Three-tier Architecture Using VGW and Amazon VPC Ingress Routing 

Cisco firewalls can also be deployed in an Amazon VPC to inspect traffic flowing through a VPN tunnel. In this case, the Cisco firewall is deployed at the edge in routed mode, forwarding outbound traffic to a VGW. In this example, the local and remote networks are routable; therefore, the NAT gateway can be eliminated, further improving efficiency and reducing cost.


Cisco NGFW/ASA three-tier Architecture with AWS VGW and VPC Ingress Routing
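The three scenarios above differ only in which gateway the edge route table is attached to and whether a NAT gateway sits between the workloads and the firewall’s inside interface. The following is an added example, not Cisco’s or AWS’s code, that expresses that configuration as a reviewable plan of boto3 EC2 calls and then checks the plan for the failure mode the IGW scenario warns about: a return path that does not pass back through the same appliance. The boto3 method names and parameters are real (associate_route_table with GatewayId is the edge association), every ID is a constructed placeholder, and apply_plan() expects a real boto3.client("ec2").

```python
"""Plan the route-table changes for Amazon VPC Ingress Routing with a
firewall appliance and check the plan for an asymmetric return path.
Added example, not Cisco's or AWS's code: the boto3 EC2 method names and
parameters are real, every ID is a constructed placeholder."""
import ipaddress

ANY = "0.0.0.0/0"
DEMO_SUBNETS = {"subnet-0web": "10.0.1.0/24", "subnet-0app": "10.0.2.0/24",
                "subnet-0db": "10.0.3.0/24"}   # constructed protected subnets


def ingress_routing_plan(gateway_id, outside_eni, inside_eni, edge_rt, protected_rt,
                         protected_subnets, nat_gateway_id=None, nat_rt=None):
    """Return the EC2 API calls, as (method, kwargs) pairs, for one VPC.

    gateway_id         IGW (igw-...) or VGW (vgw-...) the edge route table is
                       associated with; that association is the new capability
    outside_eni/inside_eni  the firewall's public and private interfaces
    edge_rt            existing route table to attach to the gateway
    protected_rt       route table used by the protected workload subnets
    protected_subnets  {subnet_id: cidr}
    nat_gateway_id, nat_rt  optional NAT gateway and the route table of its own
                       subnet (IGW scenario); omit both for the VGW scenario
    """
    for cidr in protected_subnets.values():
        ipaddress.ip_network(cidr)          # reject a malformed CIDR before touching AWS
    plan = []
    # EC2 drops packets an instance forwards on behalf of other addresses unless
    # the source/destination check is disabled on the forwarding interfaces.
    for eni in (outside_eni, inside_eni):
        plan.append(("modify_network_interface_attribute",
                     {"NetworkInterfaceId": eni, "SourceDestCheck": {"Value": False}}))
    # Inbound: the edge table sends each protected subnet's traffic to the firewall.
    for cidr in protected_subnets.values():
        plan.append(("create_route", {"RouteTableId": edge_rt, "DestinationCidrBlock": cidr,
                                      "NetworkInterfaceId": outside_eni}))
    plan.append(("associate_route_table", {"RouteTableId": edge_rt, "GatewayId": gateway_id}))
    # Outbound: workloads -> (NAT gateway ->) firewall inside interface -> gateway.
    if nat_gateway_id:
        plan.append(("create_route", {"RouteTableId": protected_rt, "DestinationCidrBlock": ANY,
                                      "NatGatewayId": nat_gateway_id}))
        plan.append(("create_route", {"RouteTableId": nat_rt, "DestinationCidrBlock": ANY,
                                      "NetworkInterfaceId": inside_eni}))
    else:
        plan.append(("create_route", {"RouteTableId": protected_rt, "DestinationCidrBlock": ANY,
                                      "NetworkInterfaceId": inside_eni}))
    for subnet_id in protected_subnets:
        plan.append(("associate_route_table", {"RouteTableId": protected_rt, "SubnetId": subnet_id}))
    return plan


def check_symmetry(plan, protected_subnets, outside_eni, inside_eni):
    """Return the problems that would make replies bypass the firewall or be
    dropped: a protected CIDR with no edge route to the outside ENI, no egress
    route to the inside ENI, or a source/dest check left enabled."""
    routes = [kw for m, kw in plan if m == "create_route"]
    checks_off = {kw["NetworkInterfaceId"] for m, kw in plan
                  if m == "modify_network_interface_attribute"
                  and kw.get("SourceDestCheck") == {"Value": False}}
    problems = []
    for cidr in protected_subnets.values():
        if not any(r.get("DestinationCidrBlock") == cidr
                   and r.get("NetworkInterfaceId") == outside_eni for r in routes):
            problems.append(f"no edge route for {cidr} via {outside_eni}")
    if not any(r.get("NetworkInterfaceId") == inside_eni for r in routes):
        problems.append(f"no egress route via {inside_eni}")
    for eni in (outside_eni, inside_eni):
        if eni not in checks_off:
            problems.append(f"source/dest check still enabled on {eni}")
    return problems


def apply_plan(ec2, plan):
    """Execute the plan against a boto3 EC2 client; returns the API responses."""
    return [getattr(ec2, method)(**kwargs) for method, kwargs in plan]


if __name__ == "__main__":
    plan = ingress_routing_plan("igw-0example", "eni-0outside", "eni-0inside",
                                "rtb-0edge", "rtb-0protected", DEMO_SUBNETS,
                                nat_gateway_id="nat-0example", nat_rt="rtb-0nat")
    for method, kwargs in plan:
        print(method, kwargs)
    print("problems:", check_symmetry(plan, DEMO_SUBNETS, "eni-0outside", "eni-0inside"))
```

The plan deliberately takes existing route table IDs rather than creating tables, so it can be printed and reviewed before apply_plan() runs with real credentials; the edge route table must hold only the local route and the appliance routes, since AWS rejects an edge association for a table that routes elsewhere.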

In addition to support for Amazon VPC Ingress Routing, we are adding AWS security group management to Cisco Defense Orchestrator (CDO). We are also extending the existing ACI policy-based automation for L4-7 services insertion to the AWS cloud by leveraging Amazon VPC Ingress Routing. These integrations will make deploying L4-7 services in a hybrid cloud, as well as Cisco Security at scale in AWS, easier than ever.