Showing posts with label Cisco Network Security Certification.

Tuesday 3 May 2022

The SASE story II: How Cisco IT developed our SASE product amid an evolving industry landscape

As revealed in The SASE story, part I, the SASE model brings value to enterprise IT organizations looking to achieve connectivity and security resilience through a secure, efficient, hybrid architecture. In Part II, we’ll outline the journey we took to develop our Cisco SASE solution.

CloudPort: The precursor to SASE

Throughout the past decade, IT organizations have witnessed two significant trends: the migration of applications to the Cloud, followed by Hybrid Work. These trends caused IT leaders to think differently about how to better connect users to applications. Many — including Cisco IT — realized that networking and security problems can no longer be solved in isolation. To address this, Cisco IT embarked on a journey to build our own bespoke solution by combining different Cisco networking and security components, delivering SASE-like capabilities in an on-prem platform.

At a Cisco IT offsite in 2013, during a time when workloads were starting to migrate to the cloud, we drafted what is now the CloudPort vision on a hotel bar napkin. The plan was to deploy highly scalable networking and security hardware platforms in colocation facilities worldwide.

Initially, CloudPort was conceived in response to this hybrid cloud paradigm shift, giving us the opportunity to place our network edge directly alongside major ISPs and cloud providers. Over time, we realized we could fuse security services directly into this architecture, bringing networking and security together on a common platform. This was, effectively, a hardware- and colocation-based precursor to today's cloud-delivered SASE. The crux of the plan was that it let us layer more and more services on top, offering capabilities (VPN, firewall, Zero Trust Network Access, URL filtering, etc.) similar to what would become known as SASE.


The CloudPort solution was and is very effective, allowing us to securely interconnect the Cisco enterprise network with the outside world. However, as technology evolved and business requirements changed, it started to pose some challenges:

◉ Due to the layered nature of the solution, it became complex to build and operate

◉ It required specialized skillsets, which became difficult to find in the industry

◉ After years of iteration, CloudPort became an amalgamation of different technologies and solutions we had layered together ourselves, so it became difficult to quickly adjust to increasingly agile business needs

Taking into account these challenges, we decided that it was time for a different approach.

A modernized “SASE” Hub


As a stepping-stone between CloudPort and fully cloud-delivered SASE, Cisco IT's Customer Zero team developed a modernized solution, branded the "CZ SASE Hub." Since we have the in-house expertise, and we needed to use physical appliances to meet scale requirements, we decided to deploy our own solution. For customers, this new version provides a simple, easy-to-operate, Zero Trust-ready platform, and will later allow for easier migration to SASE.

The CZ SASE Hub is SD-WAN centric, leveraging both Meraki and Viptela. This allows us to efficiently bring connectivity and policy to a central, easy-to-manage place in the network. By extending micro (Cisco TrustSec) and macro segments (SDA & SD-WAN VPNs) into Cisco Secure Firewall, we can enforce identity-based policies supporting our Zero Trust for the Workplace initiatives (SDA, TrustSec/ISE). In addition, we significantly improved our observability (DNA-C/vManage Assurance, ThousandEyes, DNA Traffic Telemetry Appliance) to make sure the platform is healthy and delivers a great experience to our end users.


This homegrown solution turned out to be much easier to deploy and operate, with a much smaller footprint. If we need to expand into additional colocation facilities to meet new business demands, we will consider Cisco SD-WAN Cloud OnRamp for Colocation or Secure Agile Exchange (SAE). These highly virtualized solutions offer the same capabilities with controller-based orchestration and integrations that offload much of the complexity.

Adopting Cloud delivered SASE


Although our do-it-yourself platform is doing mostly what we need it to do, it poses a few challenges. Building and operating a homegrown SASE-type solution remains complex and requires in-depth expertise of many different technologies.

To address these challenges, we are looking to move to a cloud-delivered SASE model. With this model we can outsource the complexity, letting experts build and operate the platform for us. We no longer have to deploy bigger-than-needed boxes to allow for potential future growth; we can scale up and down as business needs change. Finally, SASE provides new security capabilities within a single offering, so we no longer have to deploy a multitude of standalone security tools. An added bonus? We believe SASE can result in cost optimizations.

Our aspiration is to migrate to Unified SASE for most of our network. These easy-to-order, easy-to-operate SASE solutions provide superb integrations among some of the best technologies (SD-WAN, Umbrella SIG, AnyConnect, ZTNA/Duo), all available through a unified services portal.

For the parts of our network where we don't migrate to Unified SASE, we will adopt Disaggregated SASE. As a large enterprise customer, Cisco has complex use cases that call for more flexibility. Disaggregated SASE is similar to Unified SASE in that it provides much tighter integration between the same technologies, yet it allows for more customization to fit our specific needs. Disaggregated SASE deconstructs certain components of Unified SASE to allow for a more flexible, scaled deployment. For example, Cisco Secure Firewall Cloud Native (SFCN) allows a containerized deployment of a next-generation firewall in AWS. The customer can then combine this with custom deployments of SD-WAN, Umbrella, and Duo to create a distributed, scaled-out architecture that meets enterprise needs.

Our ultimate aim is to drive a unified solution that is tenable for large-scale, complex environments like ours, and produce a reference solution that customers can easily replicate.

Source: cisco.com

Saturday 11 January 2020

Enterprise Networking Business 2019 Year in Review


Towards the end of this busy and innovative year, Cisco leadership decided to combine several businesses under one leader, SVP/GM Scott Harrell, to create the Intent-Based Networking Group. So what does the name change mean? The new organization consists of engineering and product marketing teams from Enterprise Networking and Data Center, with a renewed focus on creating deep multi-domain integrations across wireless, wired, data center, cloud, and SD-WAN/edge computing.

The name change represents how we are focusing on solving customer challenges with complete intent-based networking solutions. As enterprises enhance the ways their workforce connects and collaborates, Cisco is there. As organizations move applications and data resources to multiple cloud platforms to improve flexibility and responsiveness of business processes, Cisco is there. When branch offices need to connect to SaaS applications over the internet, Cisco is there to secure the data, devices, and provide high quality of experience to the distributed workforce.

In this review of 2019 achievements, both technical and cultural, we will take a closer look at how our engineering teams’ accomplishments have benefited enterprises large and small, in every region in the world. Throughout this post, I’ll highlight products and solutions with links to past blog posts and external articles for deeper dives.

Solving Customer Digital Transformation Challenges


Everything we design, code, and manufacture is created to support our customers’ digital transformation journey with multi-domain connectivity, built-in security, and high-availability.

Expanding Wireless Connectivity with Wi-Fi 6


Top of mind for many organizations in 2019 was the arrival of Wi-Fi 6. Wireless connectivity is the preferred method of connecting devices to enterprise networks, applications in the cloud, and internet data sources. The next generation of faster, lower latency, and higher density wireless communications is already replacing the existing wireless LAN infrastructure and it is expected to be a high-priority, multi-year project for organizations of all sizes. To support this major transition, Cisco engineering created the Catalyst Access Points and Wireless LAN Controllers to exceed the Wi-Fi 6 standard, incorporating innovative features such as Flexible Radio Assignment, real-time analytics, integrated security, and intelligent capture. In addition, we introduced new Catalyst 9000 switches to unite the new faster and higher bandwidth wireless networks with the wired campus.


Many new enterprise endeavors are already relying on Cisco Wi-Fi 6 wireless technology to bring fast connections to high-density sites and complex facilities, such as manufacturing, where older Wi-Fi versions struggled to work at all. There will be even more innovations ahead as we work to connect the proliferation of IoT devices using Wi-Fi 6, with its power-saving capabilities to conserve IoT device battery life, and the new Catalyst IE3k Rugged Series Switches.

As telecommunications service providers expand their 5G footprints, Cisco is providing methods for integrating the two wireless networks to deliver seamless connectivity and take full advantage of network slicing to provide specialized services to enterprise applications governed by common security policies. Wi-Fi 6 was a big leap in 2019 and will be even more important as enterprise workforces continue to be more distributed and mobile, while the business applications people need to access are hosted in multiple cloud platforms.

Uniting Campus and Branch with Cloud Resources using SD-WAN


2019 was also the year that Cisco SD-WAN powered by Viptela became the go-to solution for uniting a distributed workforce in branch offices, retail stores, and partners' systems with cloud and SaaS applications. We built in full-stack security to ensure that using direct internet connections at branch locations to reach cloud applications doesn't expose data and devices to external and internal threats. With centralized cloud management, Cisco SD-WAN connects remote offices with zero-touch edge routers, traffic segmentation, and threat detection using the built-in Application-Aware Enterprise Firewall, an intrusion detection system, and URL filtering with Cisco Umbrella. As a result of these enhancements, Cisco SD-WAN was given a coveted CRN Product of the Year award.

Our next goal for SD-WAN last year was to ensure a high quality of experience (QoE) for cloud and SaaS applications being accessed by a distributed workforce. Working with cloud application providers, such as Microsoft and their Office 365 applications, we built Cloud OnRamps that automatically connect workers at branch offices with the nearest, or most efficient, point of presence for the desired application via the SD-WAN. Cisco Cloud OnRamps monitor and adjust traffic to ensure the best level of performance for the primary cloud application providers.


Taking the OnRamp concept one step further, we developed Cloud OnRamps for CoLocation for regional point of presence and IaaS centers. This advancement creates transport-independent connections to regional hubs to service multiple branches and business sites to provide high QoE for applications. The regional aspect of the colocation also addresses the need for some enterprises to keep certain types of personal data local, versus storing it in global clouds, while providing an SD-WAN fabric that is easy to manage from a central console.

Augmenting NetOps Skills with AI and Machine Reasoning


Just because networks grow in complexity doesn’t mean they have to be complicated to manage. But trying to make sense of the billions of data points generated by campus-sized networks of switches, routers, and access points can quickly overwhelm an IT team. Using machine learning, machine reasoning, and artificial intelligence algorithms to analyze the vast data lakes of telemetry to determine norms and anomalies, we developed Cisco AI Network Analytics to help IT navigate the torrents of network telemetry to zero-in on time-critical problems. Applying machine reasoning to the analysis of network anomalies leverages thousands of man-hours of Cisco troubleshooting knowledge to suggest the correct remedies for many challenging issues.


Empowering IT with an Architecture for Access Control


To simplify the complexity of campus-to-branch-to-cloud connectivity, we augmented Cisco SD-Access with additional intelligence to translate business intents into segmentation and security policies, a foundational aspect of intent-based networking. SD-Access shifts the workload from IT staff performing routine tasks of onboarding individual devices and managing network configurations to building intelligence into the network. The network learns to manage itself by, for example, automatically onboarding specific device types with pre-determined security and access policies that follow people and devices across the wired and wireless fabrics, from ground to cloud.


We also improved the Cisco Identity Services Engine (ISE) to work with multiple Cisco DNA Centers. This enables regional Cisco DNA Centers to leverage a master instance of Cisco ISE so that SD-Access can apply access and segmentation policies across each region. With this capability, SD-Access ensures that security and access policies defined by corporate IT are implemented consistently across global networks, while enabling regional control over specific aspects of workforce and device rules.

Focusing on Innovations in Connectivity Solutions


At several 2019 events, Cisco had the opportunity to demonstrate OpenRoaming, an open method of enabling mobile devices to automatically and securely connect to Wi-Fi networks without entering IDs and passwords. We created the OpenRoaming Federation ecosystem with partners such as Apple, Intel, and Samsung. As the Federation grows with additional device and access providers, the general public will be able to seamlessly connect to authorized Wi-Fi networks in stores, public spaces, and offices without manually signing in to captive portals with IDs and passwords. OpenRoaming unites wireless connectivity from LTE, 5G, and Wi-Fi to provide continuous internet connectivity to the applications people depend on for collaboration, finance, shopping, and community. Last year, OpenRoaming was demonstrated in real-world environments such as Mobile World Congress in Barcelona, Cisco Live in San Diego, Cisco Impact in Las Vegas, and a public trial at the Canary Wharf Group business center in London.


Building on the premise of always-on connectivity for mobile devices with OpenRoaming, we released the Cisco DNA Spaces Cloud Location Platform to empower property managers to interact with guests’ devices to offer location-specific services, wayfinding, and customized experiences. For sites that already use Cisco access points, capabilities such as Operational Insights, Locate, and Detect are available through Cisco DNA Center and the DNA Spaces SDK for building custom location apps, with no need for additional hardware or software overlays. Physical spaces become digital spaces that improve customer service by measuring and understanding the habits and preferences of guests using wireless devices.

Worldwide Events Bring Cisco Customers and Engineers Together


Like most technology companies, Cisco often announces new solution sets in conjunction with customer and partner events, which provide an opportunity to receive immediate feedback from customers, industry analysts, and the technology press. This year we used events to unveil and demonstrate:

◉ OpenRoaming and DNA Spaces Cloud Platform at Cisco Live Barcelona
◉ Wi-Fi 6 Catalyst Access Points and Wireless Controllers at Cisco Live Melbourne
◉ Cisco AI Network Analytics at Cisco Live San Diego
◉ SD-WAN integration with MS Azure vWAN and Office 365 at Partner Summit
◉ SD-WAN integration with AWS Transit Gateway at AWS re:Invent

Being Inclusive and Innovative Makes Cisco the #1 Place to Work


Cisco stands committed to empowering business, society, and people to help develop a more Inclusive Future for all stakeholders. Our investments in Country Digital Acceleration (CDA) go hand in hand with our People, Culture, and Social Impact initiatives to solve some of the world's most challenging problems.

Our innovation mindset in Enterprise Network engineering produces an average of 300 patents a year. To turbocharge our internal thinking, we host or participate in multiple events throughout the year. For example, our annual EN Hackathon combines team building with technical prowess and a healthy portion of fun, to generate original prototypes that could one day become products that solve customer challenges. The Pioneer Awards represent a similar take on innovation, but with a focus on solutions brought to market that are making a significant impact—the Cisco AP4800 with Location-based Intelligent Capture was this year’s best product, and the best productivity solution went to WARP (Workflow Architecture Renewal Program), which is key to keeping the IOS XE network operating system up-to-date. Engineers also attend external events—such as the Grace Hopper Celebration and Women of Impact—to broaden their thinking and make new professional connections.


One result of these internal and external celebrations of innovation is that Cisco was ranked #1 on Great Place to Work's World's Best Workplaces list in 2019, capping off a year of employee engagement and Cisco Corporate Social Responsibility (CSR) work in a wide variety of social endeavors around the world.

Enterprise Network Engineering is a significant driver of Cisco solutions. We take great pride in our innovations and progress in producing quality solutions for our worldwide customers. Now that we are an integral part of the larger Intent-Based Networking Group, I personally look forward to the amazing journey ahead in 2020.

Wednesday 11 December 2019

Drag and drop your way to network segmentation

I can understand if you dread configuring network segmentation. Not only is it hard to configure the many different switches and routers, creating VLANs and writing ACLs that permit or deny IP addresses, it is also easy to make mistakes and risk shutting down parts of the network. And with users and devices moving around, you must continuously modify these configurations. Is it any surprise that many of today's networks are not optimally segmented?

In this blog we discuss how Cisco Digital Network Architecture (Cisco DNA) makes it easy to segment your campus and branch networks. This blog is the second in a series focusing on aspects of intent-based networking, the first being on controller-led architecture.

Before digging into the solution, let’s understand why you may want to segment your network in the first place.


◉ Enhanced security: Isolate and filter network traffic to limit communications between users and devices

◉ Better access control: Allow users and devices to access only authorized resources

◉ Improved monitoring: Log events, monitor connection attempts, and detect suspicious behavior

◉ Faster containment: Minimize the scope of a network breach


Group-based access control



Recognizing that segmenting the network is a security must-have, we set about making it easy to do in Cisco DNA, the access network for campus and branch. Those of you who have experienced Cisco DNA Center, the controller for a Cisco DNA based network, know that it provides a highly intuitive, easy-to-use graphical interface to manage the network and is the ideal platform to define segmentation. If you haven't, we encourage you to attend one of our monthly demo sessions, where we explain what Cisco DNA can do for you.

Cisco DNA Center allows you to easily manage security policies through policy-based abstractions called scalable groups. Scalable groups represent connected users and devices based on attributes like role, function, and location rather than IP addresses. These groups then form the basis of security policies, centrally managed on Cisco DNA Center and enforced across the network fabric.

Cisco DNA Center enables simplified management of access control between the different groups, and dynamically configures the access control policy on the switches, routers, and wireless network devices that make up the fabric.

As people and things connect to the network over a wired or wireless interface, Cisco DNA identifies them, automatically assigns them to their rightful group, and places them in the appropriate segment. We call the creation of these Virtual Networks (VNs) macro-segmentation.

The two levels of network segmentation


But what about the communications between members within a VN? We need to control that too for a deeper level of security. We call this micro-segmenting. So, while macro-segmenting isolates traffic between VNs, micro-segmenting controls communications between different groups or members of the same group within the VN.

For example, you might define two VNs: an 'Employee' VN with management, HR, security staff, and financial analysts, and an 'IoT' VN with security cameras, door locks, and digital signage. With SD-Access macro-segmentation you can ensure that a compromised camera will not let the attacker reach HR resources. With micro-segmentation, you can prevent lateral spread of malware between, say, HR and security staff, or between two financial analysts.


Cisco DNA Center makes it easy to micro-segment the network. The Access Control Application within Cisco DNA Center works with Cisco Identity Services Engine (ISE) to let you define contracts. Contracts are statements that permit or deny specific types of interactions. For example, if you are concerned about malware that spreads over well-known TCP ports such as 22, 80, and 443, you can simply create a contract that disallows such communications between members of the same group.

Once you define the contracts, you use a simple matrix within Cisco DNA Center and activate them between source and destination groups. This matrix visually describes policies that the Cisco DNA Center consistently applies and enforces through the network fabric.
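To make the two layers concrete, here is a small Python model of how a VN boundary and a group-to-group contract matrix combine to decide a flow. It is an added example written for this page, not Cisco DNA Center, ISE or TrustSec code, and it also illustrates the identity-based (group rather than IP) policy that the SASE Hub post above describes. The class names (`Fabric`, `Contract`, `Rule`, `Endpoint`), the sample endpoints, the first-match rule semantics and the "permit" fabric default for cells with no contract bound are all assumptions of the example; the real products may order and default differently.

```python
"""Toy model of two-level segmentation as described in the post.

Macro level: endpoints in different Virtual Networks (VNs) cannot talk at all.
Micro level: within a VN, a group-to-group matrix binds a contract (ordered
permit/deny rules) to each (source group, destination group) cell.

Illustrative code written for this page; not Cisco DNA Center or ISE code.
Class names, first-match semantics and defaults are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    name: str
    vn: str     # macro segment: the VN the endpoint was placed in
    group: str  # micro segment: the scalable group it was assigned to


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None matches any port

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and self.port in (None, port)


@dataclass(frozen=True)
class Contract:
    name: str
    rules: Tuple[Rule, ...]
    default: str  # action when no rule matches (assumption: first match wins)

    def evaluate(self, proto: str, port: int) -> str:
        for rule in self.rules:
            if rule.matches(proto, port):
                return rule.action
        return self.default


class Fabric:
    """Holds the group-to-group matrix and decides each flow."""

    def __init__(self, default_within_vn: str = "permit") -> None:
        self.matrix: Dict[Tuple[str, str], Contract] = {}
        self.default_within_vn = default_within_vn

    def bind(self, src_group: str, dst_group: str, contract: Contract) -> None:
        self.matrix[(src_group, dst_group)] = contract

    def decide(self, src: Endpoint, dst: Endpoint, proto: str, port: int) -> Tuple[str, str]:
        # Macro level: a VN boundary is absolute; the matrix is never consulted.
        if src.vn != dst.vn:
            return "deny", f"macro: {src.vn} and {dst.vn} are isolated VNs"
        # Micro level: look up the contract bound to this matrix cell.
        contract = self.matrix.get((src.group, dst.group))
        if contract is None:
            return self.default_within_vn, "micro: no contract bound, fabric default"
        return contract.evaluate(proto, port), f"micro: contract {contract.name}"


# Constructed sample inventory mirroring the post's Employee and IoT VNs.
ENDPOINTS: Dict[str, Endpoint] = {
    "hr-laptop-1": Endpoint("hr-laptop-1", "Employee", "HR"),
    "hr-laptop-2": Endpoint("hr-laptop-2", "Employee", "HR"),
    "soc-analyst": Endpoint("soc-analyst", "Employee", "Security"),
    "fin-analyst": Endpoint("fin-analyst", "Employee", "Finance"),
    "lobby-camera": Endpoint("lobby-camera", "IoT", "Cameras"),
}


def build_example_fabric() -> Fabric:
    fabric = Fabric(default_within_vn="permit")
    # The contract from the post: deny the ports worm-style malware uses to
    # spread between peers of the same group, permit everything else.
    block_lateral = Contract(
        "block-lateral-movement",
        (Rule("deny", "tcp", 22), Rule("deny", "tcp", 80), Rule("deny", "tcp", 443)),
        default="permit",
    )
    deny_all = Contract("deny-all", (), default="deny")
    fabric.bind("HR", "HR", block_lateral)
    fabric.bind("Finance", "Finance", block_lateral)
    fabric.bind("HR", "Security", deny_all)
    fabric.bind("Security", "HR", deny_all)
    return fabric


def check(fabric: Fabric, src: str, dst: str, proto: str, port: int) -> str:
    """Return 'permit' or 'deny' for a flow between two named endpoints."""
    action, _reason = fabric.decide(ENDPOINTS[src], ENDPOINTS[dst], proto, port)
    return action


if __name__ == "__main__":
    fab = build_example_fabric()
    for s, d, proto, port in [("lobby-camera", "hr-laptop-1", "tcp", 445),
                              ("hr-laptop-1", "hr-laptop-2", "tcp", 22),
                              ("hr-laptop-1", "hr-laptop-2", "tcp", 8443),
                              ("hr-laptop-1", "soc-analyst", "tcp", 443),
                              ("hr-laptop-1", "fin-analyst", "tcp", 443)]:
        action, reason = fab.decide(ENDPOINTS[s], ENDPOINTS[d], proto, port)
        print(f"{s:>12} -> {d:<12} {proto}/{port:<5} {action:6} ({reason})")
```

Note the two failure modes the model makes visible: the camera-to-HR flow is dropped without ever touching the matrix, so a mistake in a contract cannot leak traffic across a VN, while the HR-to-Finance flow is permitted only because no contract is bound to that cell. A matrix with an implicit permit default is exactly where unintended lateral paths hide, so review every empty cell as deliberately as the filled ones.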

Segmentation that extends from access to apps


Just as Cisco DNA Center segments the access network and creates groups of users, Cisco ACI segments data center and cloud networks and creates groups of applications. Cisco's multidomain architecture lets these networking domains exchange and map these groups. Thanks to this integrated segmentation, users can reach only the applications they are authorized for. For example, only accounting staff may access point-of-sale systems, in keeping with PCI DSS requirements.

Wednesday 24 July 2019

Cisco CCIE Collaboration 400-051 (CCIE C): Latest [2019] Exam Guide




Exam Code/Number: 400-051 CCIE C

Exam Overview: This exam validates that candidates have the skills to plan, design, implement, operate, and troubleshoot enterprise collaboration and communication networks.

Sample Questions: Cisco 400-051 Sample Questions