
Sunday, 20 March 2022

Private 5G Delivered on Your Terms


Private 5G is a hot topic as enterprises seek industrial wireless IoT solutions to modernize their business for increased productivity and efficiency. In newly emerging cases, wired solutions are not enough, such as in sectors like hospitality where “protected buildings” limit running new cables. For manufacturing and other industries, critical processes like robotic assembly of essential parts (jet turbines, automotive transmissions, or medical devices) and autonomously guided vehicles need a very low-latency, high-reliability solution like private 5G, particularly when those processes co-exist with humans.

On Feb. 3, 2022, we introduced Cisco Private 5G as part of “The Network. Powering Hybrid Work” launch. During this event, we shared our view that the future of hybrid work expands beyond people collaborating with people and now includes people collaborating with things. We now begin to share many attractive use cases for introducing private 5G alongside Wi-Fi into the enterprise networks. As we move towards Mobile World Congress (MWC) at the end of February, we’ll reveal more about our private 5G go-to-market strategies and discuss exciting new opportunities for our global service provider partners.

Connecting everyone and everything


Wireless networking and IoT will transform industries by digitalizing Operational Technology (OT) just as profoundly as the cloud transformed Information Technology (IT). And enterprises are already waiting in anticipation, with a 2021 GSMA Intelligence market report showing that a combination of digital transformation and labor shortages is expected to see enterprise IoT connections quadruple to 23.6 billion by 2030, accounting for 63 percent of total IoT connections. With all the pieces in place, companies with a strategy to converge their IT and OT operations will experience significant gains in productivity and efficiency, creating a major competitive advantage.

With the convergence of IT and OT, hybrid work becomes about connecting everyone and everything. Delivering IoT at scale is just as important as connecting people, allowing hybrid workers to gain access to sensors, monitors, robots, and more. Our vision of the future of work is built on wireless through a combination of private 5G and Wi-Fi, where enterprises can modernize, automate their operations, and benefit from the resulting productivity gains.

But making the change is not easy. There are all kinds of confusing options right now, so where do you begin? We can help by delivering a private 5G solution on your terms.

What separates Cisco Private 5G from the rest?


We believe the competitors are going about it the wrong way. They would have you adopt a complex, carrier-centric 5G solution that’s radically different from what you already know and use. Some even ignore Wi-Fi entirely. As the top enterprise networking, wireless, security, Industrial IoT, and collaboration IT vendor, we know how to build a solution that fits your enterprise needs, where Cisco Private 5G is integrated with Wi-Fi and existing IT operations environments. This makes your transformation easy, and we’re the only vendor to empower enterprise customers to extend what they already own and understand into new possibilities.


We know the many different technology choices and complexity of operating such an environment can make it difficult to start. It’s hard to commit financially to a new technology with so many uncertainties. Even the most visionary business leaders may hesitate to avoid making a wrong decision. With Cisco as your partner, you can feel confident you’ve made the right choice because our private 5G solution is ‘Simple to Start’, ‘Intuitive to Operate’, and ‘Trusted’ for enterprise digital transformation.

Simple to start

◉ The journey begins with a qualified business consultation.

◉ You don’t have to choose between 5G and Wi-Fi – you can use both, protecting your current investments and strategies.

◉ With your business goals in hand, a premium partner will perform a site survey to scope the necessary networking and radio coverage to support the intended IoT use case(s).

◉ Cisco Private 5G networks will be Cisco Validated Designs (CVD).

◉ Our “pay-as-you-use” subscription model means that you and your deployment partners will have minimal up-front infrastructure costs, so no matter how small the start or how massive the goal, costs remain in line with value. By comparison, traditional purchasing models force you to “spend a lot and wait” for productivity or profitability.

Intuitive to operate

◉ A simple management portal integrates and aligns with existing enterprise tools. We handle all the complexities of the 3GPP mobile network stack.

◉ Enterprise IT teams get a complete picture of their network and devices. You can maintain policy and identity across wired and wireless network domains for simplified operations.

◉ AI/ML-based management tools can identify unexpected behavior patterns and potential issues, making it easy to proactively take intelligent actions. Intelligent analytics increase effectiveness, minimize exposure time and reduce damage.

◉ Many problems in the network stem from outdated software, and nearly all are avoidable. As a continuously improving service, our private 5G software releases are automatically maintained from the cloud, ensuring the latest functions and security updates are in place.

Trusted

◉ As the No. 1 provider for connectivity, collaboration, industrial IoT, and IoT-connected cars, enterprises trust our technology, products, and services.

◉ Cloud-native architecture allows Cisco Private 5G to flexibly support different deployment models. Components may reside in the cloud, distributed edge, or on premises depending on needs for extra reliability or data privacy.

Source: cisco.com

Thursday, 21 October 2021

Secure and Simplify Your Programmable Edge and Industrial Sensors

The Cisco IoT Operations Dashboard provides operations teams with a centralized, cloud-based dashboard to securely deploy, monitor, and troubleshoot device connectivity. Using this secure connectivity as a foundation, that same dashboard then enables you to extract, transform, govern and deliver data from IoT edge devices to the cloud with Cisco Edge Intelligence, to install and manage your containerized edge applications, and to deploy a broad range of industrial IoT sensors with Cisco Industrial Asset Vision.


Once your solution is in place, or as part of your solution development process, IoT Operations Dashboard enables you to securely and simply access remote connected equipment and to monitor its connectivity status, using nothing more than your browser.  This simplifies maintenance, solution development and updates, and ensures business continuity without the need for frequent and costly truck rolls to remote sites and locations.

With IoT Operations Dashboard, scaling up is straightforward.  Using the cloud-based dashboard, Cisco Industrial Routers and Gateways can be zero-touch provisioned at remote sites, and automatically configured with proven solution templates and configurations, helping you to streamline configuration of your devices, and reduce errors. You can then deploy your industrial IoT solutions, applications and sensors using that same dashboard. Once in operation, Dashboard provides an Operations Technology (OT) focused user experience and is simple and easy to use. Directly from the browser-based dashboard you can see map-based views of your deployments, equipment status, sensor data, events and alerts, which greatly simplifies monitoring and gaining insights into your operations.

Operations Dashboard offers a rich set of capabilities for developers and systems integrators, as well as custom solutions. And you can start right now on DevNet! The new DevNet IoT Operations Dashboard sandbox includes components such as Edge Device Manager (EDM) and Industrial Asset Vision, and we also offer an IoT Cisco Edge Intelligence (EI) sandbox.

Create templates and test remote access with the Edge Device Manager Sandbox


Custom forms called eCVDs allow you to configure Cisco Industrial Routers and Gateways to meet the exact needs of your solution. Use predefined eCVD configuration forms to leverage Cisco-provided zero-touch provisioning (ZTP) and best security practices. These can then be easily customized using the open-source Freemarker template language on which they are based.  This makes it straightforward for you to create a custom configuration form which is specific to your solution with ZTP, security and solution-specific configuration options and in-form guidance.

Using the built-in Secure Equipment Access (SEA) feature of IoT Operations Dashboard, you can then use RDP, VNC, SSH or HTTP/S to securely access remote connected equipment using just the dashboard and your browser.  SEA provides this ability for simple and secure remote access even if you are in a different organization and network to your customer’s solution, for example as a solution developer or equipment vendor.  This greatly simplifies solution development, especially for those real-world proof-of-concepts and in-field development and update activities that are often so challenging and time consuming.

Reserve our all-new EDM sandbox today for access to a real Cisco IR1101 and your own IoT Operations Dashboard organization! Test on-boarding, deploy applications, and connect via the dashboard to the Linux DevBox without any VPN configuration.


Extract all your IoT sensor data via MQTT with Industrial Asset Vision


Cisco Industrial Asset Vision (IAV) provides a complete full-stack solution that includes all hardware and software components, pre-integrated and delivered as a cloud SaaS offer. IAV includes an end-user dashboard application, network management tools, LoRaWAN network devices, and Cisco industrial sensors for collecting environmental and GPS location data.

Cisco IAV exposes APIs through which global independent software vendors (ISVs) and applications developers can integrate with systems such as enterprise resource planning (ERP), service management, manufacturing execution systems, and analytics. Asset and sensor information can also be published to 3rd party data brokers via MQTT and to Azure IoT Hub.


Simplify IoT Edge-to-Multi-Cloud Data Flow with Cisco Edge Intelligence


As part of IoT Operations Dashboard, the IoT data orchestration software, Cisco Edge Intelligence, connects assets at the edge to multi-cloud application destinations in a way that is easy for the user, and its functionality can be extended with a transformation engine at the edge.


Source: cisco.com

Thursday, 23 September 2021

Cisco teams up with Meshtech and launches Application Hosting for brand-new Asset Tracking IoT portfolio

Application Hosting on the Catalyst 9100 series access points allows organizations of all sizes to run IoT applications from the edge. As organizations integrate and deploy IoT services across their networks, the ability to optimize workflows, streamline IoT application changes, and simplify critical processes right out of the box, is essential. This includes having the ability to monitor IoT deployments end-to-end, as well as ongoing device and IoT network management. This is precisely why Cisco is developing integrations with vendors like Meshtech.

Cisco and Meshtech deliver seamless integration

Meshtech, based in Norway, develops IoT solutions that are used in smart buildings, healthcare, transportation, manufacturing, and more. Its portfolio includes a suite of sensors, asset monitoring, and control systems that are used for environmental monitoring, asset tracking, and usage analytics.


With Cisco’s Application Hosting capabilities, Meshtech devices communicate directly with the Cisco Catalyst access point. Application Hosting doesn’t replace the Meshtech application but rather it eliminates the need for additional hardware while adding additional device management features.

IT teams retain the same visibility into key performance indicators across Meshtech sensors including humidity levels, movement, and temperature. With Application Hosting, they gain additional visibility and control on the Cisco platform. This includes the status of IoT devices, placement of sensors, as well as the ability to push application updates. Together, the integrated solution provides advanced visibility, control, and support across the application lifecycle.

Meshtech dashboard

How it works


As with all Application Hosting solutions on the Catalyst platform, the solution takes advantage of Docker-style containers to host the application directly on the access point. Further simplifying the solution is its use of industrial Bluetooth Low Energy (BLE). Meshtech’s BLE module makes use of the integrated USB port in the Cisco Catalyst access points to control and manage any of Meshtech’s IoT devices.


On the Meshtech side, a containerized version of its management application is hosted on the Cisco Catalyst access point. This allows Meshtech IoT devices to communicate and share valuable data while also allowing IT teams to control actions directly from the Cisco wireless network.

The below diagram showcases the breadth of Meshtech IoT devices supported with Application Hosting on Catalyst Access Points.

Meshtech solutions

Easy deployment and management


To summarize, Application Hosting enables the elimination of IoT overlay networks, which simplifies deployments and management while reducing costs. The Cisco Catalyst Access Point does all the heavy lifting by driving the application at the edge. With Application Hosting, there’s no need for additional IoT hardware, installation, or maintenance; everything is integrated.

Thursday, 19 August 2021

Simply Faster than the Rest, Cisco Wi-Fi 6 + Multigigabit Switching

It’s a typical day, and as you’re mindlessly scrolling through your phone again, *ding*, a notification reads, “Flying cars will be available for purchase in just one year!”.

Wow, that’s exciting!

But would you be surprised?

The fact is, technology is advancing so fast that before we can adjust to the current innovation, a better version is already available. Just look at where we were with virtual reality, self-driving cars, and IoT smart homes only a few years back. The point is, our expectation for what is possible has never been higher, and as a technology fanatic, life is good!

But while we’re busy geeking out, let’s not forget that all this upcoming innovation requires an equally powerful network infrastructure to support it. For example, let’s look at 8K VR gaming, a technology that’s right around the corner and will require a minimum of 1 Gbps for gameplay and above 2 Gbps for an optimal experience. With a growing thirst for technology to provide a more HD, a more next-gen, and a more seamless experience, we can expect that the required data consumption will skyrocket as well.

The question is no longer whether innovation is coming but if your network can handle it.

Next Level Wireless Speeds with Multigigabit Switching

Wi-Fi 6, with all its glory, has been the star of the networking show since the launch of Cisco’s Catalyst wireless access point (AP) product line. From our flagship Catalyst 9130 Access Point boasting a ridiculous max PHY of 5.37 Gbps down to the small Catalyst 9105, they’re truly the gold standard of enterprise wireless.

But what if I told you there is a way to further enhance their already incredible prowess?

By simply combining Cisco Catalyst APs with Catalyst Multigigabit Switching, we can witness what can only be described as network performance at its finest. A bold statement, but I can prove it by showing you the throughput numbers tested within Cisco’s wireless lab using a Catalyst 9130 Wi-Fi 6 AP on software version 17.5.1 and a Catalyst 9300 multigigabit switch.

Numbers Speak for Themselves

But first, let’s take a step back; if we connect a Catalyst 9130 AP to a gigabit switch, the 5.38 Gbps max PHY is actually significantly bottlenecked as the throughput capabilities become limited from the wired side.  With this topology, we achieved an average throughput of just below 1 Gbps using the IxChariot performance testing tool.

Figure 1. 3x Intel AX200 endpoints on 2.4 GHz at 20 MHz and 15x Intel AX200 on 5GHz at 80 MHz

Don’t get me wrong; these data rates are fast; it’s just that it could be so much faster!

To properly enjoy the true power of Wi-Fi 6, we connected the same Catalyst 9130 AP to a ten-gigabit port of a multigigabit switch and were able to achieve over 2 Gbps consistently.

Figure 2. 3x Intel AX200 endpoints on 2.4GHz at 20MHz and 3x Intel AX200 on 5GHz at 80MHz

With the only differing factor being the multigigabit switch, we were able to more than double the throughput! With these blazing fast throughput numbers combined with Wi-Fi 6’s OFDMA and MU-MIMO, you’ve got yourself a wireless powerhouse that’s unmatched by any other vendor in the world and is ready for whatever the future throws at it.

Source: cisco.com

Tuesday, 10 November 2020

Experience the Future with Cisco and the Internet of Things


It’s the year 1950, and I’m asking you what you imagine technology would be in 70 years; what would you say? My guess is you proceed to list out some science-fiction-like answers such as the existence of space exploration programs, maybe artificially intelligent robots, or perhaps the invention of some all-knowing neural network that enlightens humankind through accessible information. While such ideas may have been on the cusp of science-fiction at the time, it’s incredible to realize that we are in the generation where many of these innovations not only exist but are customer-ready today!

Oh, and by the way, remember that “all-knowing neural network” you had mentioned? This is what we presently refer to as the internet and, of course, is what you are using to access this blog at this very moment. Despite how much of a technological breakthrough the internet was during its invention in 1983, it has become such an everyday tool, and it just doesn’t spark the same excitement as it once did.

Let me be that unwarranted catalyst and re-ignite that internet excitement by introducing a new generation of internet-powered technology. A generation of technology that can harness the limitless knowledge of the internet and engrain it into inanimate objects connecting us in a way never thought possible. I am referring to the Internet-of-Things (IoT), a technological innovation spearheaded by Cisco and its state-of-the-art Application Hosting on the Catalyst Access Points (AP) platform.

What is the Internet of Things?

The Internet-of-Things is a concept where a wireless network is leveraged for communication with smart devices to accomplish tasks in a more simplified, efficient, and often automated manner. In fact, many IoT products have probably already found their way into your home. These products come in all shapes and sizes, but some examples could be a voice-activated speaker such as an Amazon Alexa, a mobile application-controlled thermostat such as a Nest Thermostat, a motion-activated doorbell camera such as the August Doorbell Cam, or more excitingly, a voice-triggered, music-playing salt dispenser such as the SMALT!

Other than the salt-dispenser (which actually exists), these are all products that, due to their simplicity and usefulness, have become seamlessly integrated into many of our lives.

Figure 1: Modern Internet-of-Things products leveraging a wireless network.

So, if IoT already exists, what is Cisco’s role in this field?

Think about how IoT products work, and you’ll realize it requires a robust wireless network to connect the IoT endpoints to the information it needs to operate. While a single wireless router can easily accomplish this for a typical household size deployment, the challenge is how we can execute this at an enterprise level, where hundreds to thousands of IoT devices must work together to form a single solution. Without a proper management infrastructure to provide visibility, serviceability, and security, IoT at scale can be a complete nightmare to deploy and manage.

Cisco’s Internet of Things Solution


Application Hosting on the Catalyst Access Points, together with Cisco’s intent-based networking platform, Cisco DNA Center, is the solution to this problem. This integration allows users to leverage Cisco DNA Center to deploy custom IoT applications directly into Docker containers within Cisco’s Catalyst Wi-Fi 6 access points. It solves the problem of visibility and serviceability at scale by taking on the role of application lifecycle manager and allowing users to take advantage of their existing Cisco wireless infrastructure for IoT communication.

During Day 0, a user simply uploads the IoT application onto Cisco DNA Center, and from there, can choose what locations to deploy the application. From Day 1, applications throughout an entire network can now be easily monitored and maintained through a GUI and even upgraded by simply uploading then deploying a newer version of the IoT application. With this integration with Cisco DNA Center, IoT application management has never been easier!

Figure 2: Cisco DNA Center’s simplistic IoT application deployment workflow.
 
After deploying the IoT application onto the access points, the application then begins communication with its application server, leveraging each access point as an IoT gateway to communicate with surrounding IoT devices. This communication with surrounding IoT devices happens through an IoT USB connector inserted into the Cisco Catalyst access point, which can broadcast anything from Zigbee to BLE to vendor-specific proprietary RF protocols, providing true versatility in the IoT solutions possible.

Figure 3: Application Hosting on the Catalyst Access Points IoT Topology.

What about the IoT Application itself?


This is where things get exciting! Cisco is now open for partnerships with third-party IoT development companies, providing them with the opportunity to integrate their IoT solutions with Catalyst access points. While the development of IoT applications may not be a simple feat, Cisco has streamlined the process by creating an entire website, DevNet, with the sole purpose of supporting third-party application development. With DevNet, you now have an intuitive step-by-step guide that will teach you how to go from writing a basic “Hello World” application to creating an innovative end-to-end IoT solution capable of solving real-world problems!

The marketplace of IoT Technology


Once the application has been developed, as a partner, you can then join the Solution Partner Program, which allows you to post your IoT solution directly onto DevNet. Essentially, Cisco aims to create a whole marketplace of ready-for-deployment IoT solutions, providing customers with a one-stop-shop to browse, discover, then deploy IoT solutions that best fit their niche business needs.

Figure 4: Cisco Solution Partner Program.

Together, Application Hosting, Cisco DNA Center, and DevNet form a truly seamless IoT experience that allows partners to materialize, and customers to deploy, any envisioned IoT solution through Cisco’s powerful yet simplistic wireless infrastructure. And that is something that anyone could have predicted!

Monday, 24 August 2020

Simplify IoT Edge-to-Multi-Cloud Data Flow with Cisco Edge Intelligence

DevNet is always looking for ways to help you do business smarter. And with our new IoT Edge Intelligence tools, you can now get your data directly from the network edge to the cloud, or from your own data center. Read on to learn how.

Connect assets at the edge to multi-cloud application destinations


Cisco recently made its brand new IoT data orchestration software – Edge Intelligence – publicly available. Edge Intelligence (EI) connects assets at the edge to multi-cloud application destinations securely, reliably and consistently.

The software integrates nicely with Cisco’s industrial networking and compute devices, which means that it already runs on some IOx capable devices (IR829, IR809, IC3000 and more to come very soon!). But today, you can get EI as a SaaS, where the user can manage assets, data policies, and data destinations via a centralized UI that enables remote deployment at scale.


Here at DevNet, we wanted to make EI fun and easy. So, you can now test, learn, and get hands-on with EI with our new Learning Lab and DevNet Sandbox:

How it works


Edge Intelligence is built on 4 pillars:

1. Data Extraction: You can automatically ingest data from any edge sensor using built-in, industry-standard connectors residing on Cisco network equipment. Supported sensor protocols include OPC-UA, Modbus (TCP-IP and Serial-RTU) and MQTT.

2. Data Transformation: You can create intelligent, business-ready tasks using policies to filter, compress, or analyze data using real-time computing. Edge Intelligence supports creating these data logic scripts using industry-standard IDE tools (e.g. Microsoft VSCode).

3. Data Governance: You can create a central point of control with the authority and security to determine who has access and where that data may be accessed. Edge Intelligence allows for policy control at device and attribute level on raw or transformed data.

4. Data Delivery: You can choose and deliver which data is sent to which analytics destinations with seamless integration with cloud providers, including Azure IoT Hub and standard MQTT based destinations, like Quantela, Software AG.



Here’s an easy way to find more about how Edge Intelligence works. In my August 26th webinar we will show you how you can create your asset types, asset inventory, and data policies within just a few minutes. And, send data from the edge to your MQTT broker or preferred cloud hosting service. We will also showcase creating data logic scripts for data transformation using the industry-standard IDE tool Visual Studio Code.

Source: cisco.com

Tuesday, 14 July 2020

Get Started with IoT and Prepare for DEVIOT Certification


“To do, or not to do.” That is the question. Do you find you are asking yourself this question often? Well, while I can’t speak about your other dilemmas, let me help you with any confusion you might have regarding how to get started on your IoT journey. My July 21st webinar will be a great place for you to start.

Where do you even start with IoT?


Chances are if you have come this far reading this blog, you have made up your mind to embark upon the journey to equip your arsenal with more skills and knowledge regarding IoT.

You certainly own a smart device, don’t you? Great! Then you are already a part of the IoT world. How? If you are using Wi-Fi or Bluetooth, then you are already into IoT as these are some of the fundamental protocols that apply to IoT. There are many other protocols and standards which you should know about while deep-diving into the IoT world. Since IoT is adopted in so many different markets, each market or application has its own suitable IoT protocol that aligns with its requirements.

Consider the MQTT protocol. It has gained popularity in industries such as Supply Chain & Logistics, and Healthcare because of its lightweight properties and simplicity. Check out Cisco DevNet Intro to IoT Technologies – Protocols, Tools, and Software Module to learn about this protocol with a  hands-on DevNet Learning Lab!

There are many resources you can find by visiting the DevNet IoT Dev Center to get you started with IoT. You’ll find introductory topics such as:

◉ how to develop applications using Cisco IOx
◉ getting started with Cisco Kinetics Gateway Management Module (GMM)

You can take advantage of these resources and more to get familiar with cutting edge Cisco IoT technologies.

Get prepared for an IoT professional certification


In the webinar, you’ll get an overview of the Cisco Certified DevNet Specialist, IoT Certification Exam. We’ll cover some ground on the topics the exam lists, and what percentage of questions are to be expected from each module. We will also talk about some resources which will be useful to help you prepare for this certification exam.

See what my fellow Dev Advocate Jock Reed has to say about this certification, along with a short breakdown of the exam topics here.

There has never been a better time to get certified


Online, proctored exams are now delivered in most countries around the globe. Thus, now is the ideal time to prepare for and earn your professional certification.

Please join me for the webinar on July 21st at 8:00 AM PDT.

See you all there!


Source: cisco.com

Friday, 3 July 2020

Three requirements to securely connect your industrial network

Digital transformation initiatives are driven by the desire to make data-driven business decisions. Whether you’re looking to increase production, reduce waste, or improve safety, the answer resides in your data: collecting it, analyzing it, and learning from it. But what happens when your data lives in extreme locations? Perhaps in places of severe heat, cold, humidity, salinity, or dust? How do you gather information with such harsh conditions? And how do you do it securely?

The first step is to converge to a single IP network. Network convergence is a proven formula for pulling together all the data in your environments. Cisco has been helping hundreds of thousands of organizations to converge their voice, video, data, and IoT networks to a single IP network. We’ve been doing this for over 30 years, and we know it works. A single network is easy to manage and operate and reduces your total cost of ownership. However, the primary challenge with a converged network is that it needs to be secure. There are three elements you need to securely connect an industrial network: 1) purpose-built hardware, 2) digitally signed and authentic security software, and 3) extensible architectures.

1. Choosing the right hardware


Start with the right hardware. For industrial internet of things (IIoT), the network hardware must satisfy the requirements of both the operational technology (OT) department and the IT department. At a high level, OT runs point on operations and understands how the organization produces its goods or services. IT connects the network and wants to make sure it’s done securely. OT and IT each have different priorities, goals, and concerns, yet the hardware has to meet both sets of requirements.

In addition to meeting the requirements of both OT and IT, the network hardware you select for connecting the industrial network should have a hardware trust anchor. A hardware trust anchor ensures that whatever software runs on the hardware will do so in a secure manner. To this end, the hardware should have an anti-theft, anti-counterfeiting, and anti-tamper chip that is completely immutable, meaning that it cannot change. Also look for built-in cryptography functions, secure storage for certificates and objects, and certifiable entropy for random number generators.

2. Selecting the right software


Going up the technology stack, the next component you need to securely connect the industrial network is the right software. Complement the secure hardware with digitally signed images, a secure boot process, and runtime defenses to ensure the software is secure and hasn’t been tampered with.

What is meant by digitally signed images? When we compile an image at Cisco, we execute a hash function on the binary code. The result of that hash function is encrypted using Cisco’s private key, and that signature is embedded right within the software image. At boot time, two things happen: 1) the local machine computes its own hash over the binary of the software image, and 2) it decrypts the signature embedded in the image and checks that the two hashes match. This process provides reassurance that the software hasn’t been tampered with and that it’s safe to boot up. Digitally signed images are an important component of a secure boot process.
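The sign-at-build, verify-at-boot check described above, as an added example that is not Cisco's code. The image layout (body followed by a fixed-length RSA signature), the demo key and the function names are assumptions, and SHA-256 with PKCS #1 v1.5 encoding stands in for whatever scheme a given vendor uses.

```python
import hashlib
import hmac

# Constructed demo key. The primes are the Mersenne primes 2^521-1 and
# 2^607-1, chosen only so the example is reproducible; their special form
# makes them unsuitable for a real signing key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # public modulus (shipped on the device)
E = 65537                              # public exponent (shipped on the device)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (build system only)
K = (N.bit_length() + 7) // 8          # signature length in bytes

# ASN.1 DigestInfo prefix for SHA-256 (PKCS #1 v1.5, RFC 8017 section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode_digest(digest):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || digest, K bytes."""
    t = SHA256_PREFIX + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign_image(body):
    """Build side: hash the binary, sign the hash, embed the signature."""
    em = int.from_bytes(encode_digest(hashlib.sha256(body).digest()), "big")
    signature = pow(em, D, N).to_bytes(K, "big")
    return body + signature


def verify_image(image):
    """Boot side: uses only the public key (N, E). True means safe to boot."""
    if len(image) <= K:
        return False                   # no room for a body plus a signature
    body, signature = image[:-K], image[-K:]
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False                   # out of range for this modulus
    # Recover what the signer encoded, then compare it byte for byte with
    # the encoding of the locally computed hash. Comparing whole encodings
    # avoids parsing attacker-controlled padding.
    recovered = pow(s, E, N).to_bytes(K, "big")
    expected = encode_digest(hashlib.sha256(body).digest())
    return hmac.compare_digest(recovered, expected)


if __name__ == "__main__":
    firmware = b"\x7fELF" + b"constructed firmware body " * 8   # sample input
    image = sign_image(firmware)
    print("genuine image boots:", verify_image(image))
    patched = bytearray(image)
    patched[10] ^= 0x01                # single-bit change in the body
    print("patched image boots:", verify_image(bytes(patched)))
```

The private exponent never needs to leave the build system; a device that holds only `N` and `E` can check images but cannot produce a signature that verifies.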

Now that the software has securely loaded on the device, the network administrator has at his or her disposal the most powerful and secure networking operating system in the industry: Cisco IOS XE, which contains over 1,300 security feature commands and keyword options.

Cisco IOS XE also supports application-hosting in containers so that they can run on networking devices. Leveraging this application-hosting capability, Cisco has recently delivered an OT-specific security solution, namely Cisco Cyber Vision.

Cisco Cyber Vision provides innovation in OT security. For example, Cisco doesn’t require customers to install dedicated hardware sensors, but rather virtualizes their sensor to run as an application on network infrastructure, such as Cisco Catalyst Industrial Ethernet (IE) switches or Cisco ISR Industrial Routers (IR) or even Cisco Catalyst 9300 switches (which may be found in some industrial environments, albeit in temperature-controlled cabinets/rooms). Cisco’s unique approach of using a software sensor for OT protocols is not only an industry-first, but also the most scalable solution in this space, as it allows for the security solution to simply scale with the network infrastructure itself.

Another innovation that Cisco brings to OT security is the use of distributed analytics and OT flow metadata to minimize bandwidth impact. The Cyber Vision sensors running on the network devices perform deep packet inspection (DPI) on all OT flows. However, rather than mirroring these flows to a central analytics engine (i.e. the Cisco Cyber Vision Center) these sensors summarize OT flows as metadata, similar to NetFlow records (though the metadata Cyber Vision uses far exceeds the data contained in NetFlow records). Cisco Cyber Vision goes beyond NetFlow by detailing attributes of the devices sending and receiving the flows, the OT protocols used, the commands sent and received, and even the specific variables that these commands reference. As an analogy, while NetFlow can tell you who is talking to who, Cyber Vision metadata can tell you not only who is talking to who, but also the languages they are speaking, as well as specific details of their conversation. And the summary of these flows is highly efficient, typically consuming only 2-5 percent of incremental bandwidth.

3. Architectural integrations


The third piece in the tech stack is architectural integrations. Look for security solutions that leverage the existing network hardware to provide visibility into network traffic, and to identify and stop potential threats. Both IT and OT can benefit from having complete visibility of the OT environment, but IT cannot afford the operational overhead required to support a separate SPAN network. By integrating sensors into network hardware, IT can see anomalous behavior anywhere in the environment, while OT can obtain new and deeper insights into operations.

Ideally, the security solution also integrates with the technology used by the Security Operations Center (SOC) to monitor, investigate, and remediate security incidents in the IT environment. This way, the SOC has all the information it needs in one location to reduce the time to detect and respond to a security incident. Security analysts can see, for example, whether an attack originated in the IT environment and moved laterally to the OT environment, or if an attack entered the OT environment via something like a vulnerable device.

How Cisco can help


Cisco’s industrial-grade network hardware and Cisco Cyber Vision are designed to work together to meet the three requirements for securely connecting an industrial network. Our ruggedized networking switches and routers are built to withstand the harshest environmental conditions while delivering enterprise-level networking capabilities, including a hardware trust anchor. Our software uses digitally signed images to validate that software has not been tampered with, and Cisco Cyber Vision leverages the network architecture to deliver visibility and control over the OT environment. Cyber Vision also provides real-time threat detection and integrates with the SOC.

Tuesday, 16 June 2020

Smart Parking: A Cisco IoT Solution with LoRaWAN

I’m going to give you a behind-the-scenes look at the architecture of this small, but real, IoT application. It shows an easy way to get a digital output from an analog action. But first, let me introduce you to the problem and solution components.

Do you know the feeling? When you’re in a large parking garage and looking for an empty parking space? You are circling around with your car. Perhaps you’re late! You know there’s an empty spot somewhere. But where?!

There’s a Cisco IoT solution for that

Well, there is a Cisco IoT solution for that which we implemented for our e-parking spaces in our Cisco office in Frankfurt, Germany. There, we have 4 parking spaces where you can charge your e-car. That’s good, but 4 spaces are too few to meet demand, and can be occupied quite fast. To solve the problem we implemented a solution using LoRaWAN parking sensors. The solution helps our visitors and employees with the following:

Website

The website is where the user can check live data on what parking spaces are empty and occupied.

Web-Dashboard with historical data

By simply storing data in a time-series database (InfluxDB), the web-dashboard (Grafana) can showcase the number of parking processes per parking space and time/date. As you can see below, because of the Covid-19 crisis nobody went to the office in the last months.

Proactive and reactive Webex Teams Bot

Users get notified via push-messages if only one parking space is still available and if all parking spaces are occupied. The same is also possible the other way around: Users can reactively ask the ParkingBot what parking spaces are empty or occupied.

Architecture & Behind the Scenes

In this scenario, the data is being sent from the LoRaWAN sensors to our Cisco IXM LoRaWAN gateway which is directly connected to the industrial router IR829. Both devices are managed by the IoT Field Network Director with zero touch deployment. Then, the sensor data is sent via the cellular network to the LoRaWAN network server Thingpark Enterprise (Cisco Partner Actility). The cellular connectivity of the IR829 is managed by the Cisco Control Center which is an industry-leading SaaS SIM-card management platform. The SIM card was provided by our partner KPN.

After decrypting the LoRaWAN sensor payload, the data is forwarded via MQTT to the Python script and to InfluxDB, where the sensor data is stored long-term. The Python script also orchestrates the Webex Teams bot notifications and serves as the back-end to the website for sending the latest parking information data. Grafana is directly connected to InfluxDB.
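A sketch of the message-handling core such a script needs, added here as an example and not the showcase's own code. The JSON fields (`sensor`, `occupied`, `ts`), the device IDs and the notification wording are assumptions; the MQTT subscription and the Webex Teams call are left out, and `handle` is what an MQTT message callback would invoke. It validates each message before it touches state or the database, and only notifies on a state change.

```python
import json

# Constructed device IDs for the four e-parking spaces (assumption).
SENSORS = {"sensor-a1": 1, "sensor-a2": 2, "sensor-a3": 3, "sensor-a4": 4}


class ParkingState:
    """Tracks occupancy and decides when the bot should push a message."""

    def __init__(self):
        self.occupied = {space: False for space in SENSORS.values()}

    def free_spaces(self):
        return sorted(s for s, taken in self.occupied.items() if not taken)

    def handle(self, raw):
        """Process one MQTT payload (bytes).

        Returns (influx_line, notification). Both are None when the message
        is rejected; notification is None when nobody needs to be told.
        """
        try:
            msg = json.loads(raw)
        except ValueError:                  # malformed JSON or bad UTF-8
            return None, None
        if not isinstance(msg, dict):
            return None, None
        sensor = msg.get("sensor")
        taken = msg.get("occupied")
        ts = msg.get("ts")
        # Accept only known sensors, a real boolean and an integer Unix
        # timestamp, so nothing else reaches the database or the bot.
        if not isinstance(sensor, str) or sensor not in SENSORS:
            return None, None
        if not isinstance(taken, bool) or type(ts) is not int or ts < 0:
            return None, None

        space = SENSORS[sensor]
        before = len(self.free_spaces())
        self.occupied[space] = taken
        free = self.free_spaces()

        # InfluxDB line protocol: measurement,tag field timestamp(ns).
        # Every value is generated here, never copied from the message text.
        line = "parking,space=%d occupied=%s %d" % (
            space, "true" if taken else "false", ts * 10**9)

        notification = None
        if len(free) < before:              # a space was just taken
            if len(free) == 1:
                notification = "Only one space left: #%d" % free[0]
            elif not free:
                notification = "All parking spaces are occupied"
        return line, notification
```

Because the notification depends on the change in the free count, a sensor that repeats the same reading is still recorded in InfluxDB but does not trigger a second push message.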

◉ Special thanks to Michael Eder who helped build this showcase application.

Thursday, 11 June 2020

Why 5G is Changing our Approach to Security

While earlier generations of cellular technology (such as 4G LTE) focused on ensuring connectivity, 5G takes connectivity to the next level by delivering connected experiences from the cloud to clients. 5G networks are virtualized and software-driven, and they exploit cloud technologies. New use cases will unlock countless applications, enable more robust automation, and increase workforce mobility. Incorporating 5G technology into these environments requires deeper integration between enterprise networks and 5G network components of the service provider. This exposes enterprise owners (including operators of critical information infrastructure) and 5G service providers to risks that were not present in 4G. An attack that successfully disrupts the network or steals confidential data will have a much more profound impact than in previous generations.

5G technology will introduce advances throughout the network architecture, such as decomposition of the RAN, use of APIs, container-based 5G cloud-native functions, and network slicing, to name a few. These technological advancements, while allowing new capabilities, also expand the threat surface, opening the door to adversaries trying to infiltrate the network. Apart from the expanded threat surface, 5G also presents the security team with a steep learning curve: it must identify and mitigate threats faster without impacting latency or user experience.

What are Some of the Threats?


Virtualization and cloud-native architecture deployment for 5G is one of the key concerns for service providers. Although virtualization has been around for a while, a container-based deployment model consisting of 5G Cloud Native Functions (CNFs) is a fresh approach for service providers. Apart from the known vulnerabilities in the open-source components used to develop the 5G CNFs, most CNF threats are actually unknown, which is riskier. The deployment model of CNFs in the public and private cloud brings in another known yet widespread problem: inconsistent and improper access control permissions that put sensitive information at risk.

5G brings in network decomposition, disaggregation into software and hardware, and infrastructure convergence, which underpins the emergence of edge computing network infrastructure, or MEC (Multi-Access Edge Compute). 5G edge computing use cases are driven by the need to optimize infrastructure through offloading, better radio, and more bandwidth to fixed and mobile subscribers. Low-latency use cases such as Ultra-Reliable Low Latency Communication (URLLC), one of several types of use cases supported by 5G NR, require user plane distribution. Certain 5G-specific applications and the user plane need to be deployed in the enterprise network for enterprise-level 5G services. The key threats in MEC deployments are fake/rogue MEC deployments, API-based attacks, insufficient segmentation, and improper access controls on MEC deployed in enterprise premises.

5G technology will also usher in new connected experiences for users with the help of massive numbers of IoT devices and partnerships with third-party companies that allow services and experiences to be delivered seamlessly. For example, in the auto industry, 5G combined with Machine Learning-driven algorithms will provide information on traffic and accidents, and will process peer-to-peer traffic between pedestrian traffic lights and vehicles in use cases such as Vehicle to Everything (V2X). Distributed Denial of Service (DDoS) attacks in these use cases are a very critical part of the 5G threat surface.

What are Some of the Solutions to Mitigate Threats?


Critical infrastructure protection: Ensure your critical software, technologies, and network components such as Home Subscriber Server (HSS), Home Location Register (HLR), and User Defined Routing (UDR) are secured with the right controls.

Cisco Secure Development Lifecycle: Being cloud-native and completely software-driven, 5G uses open source technologies. Although this is critical for scalability and allowing cloud deployment integrations, vulnerabilities from multiple open-source applications could be exploited by attackers. To reduce the attack surface, service providers need to verify the 5G vendor-specific secure development process to ensure hardened software and hardware. We offer security built into our architectural components. Our trustworthy systems’ technology includes trust anchor, secure boot, entropy, immutable identity, image signing, common cryptography, secure storage, and run-time integrity.

Vendor Assessment (security): It’s critical to validate the vendor supply chain security, secure your organization’s development practices from end to end, and employ trustworthy products. You must also be vigilant in continuously monitoring hardware, software, and operational integrity to detect and mitigate infrastructure and service tampering. Sophisticated actors are looking to silently gain access and compromise specific behavior in the network. These attackers seek to take control of network assets to affect traffic flows or to enable surveillance by rerouting or mirroring traffic to remote receivers. Once they have control, they might launch “man-in-the-middle” attacks to compromise critical services like Domain Name System (DNS) and Transport Layer Security (TLS) certificate issuance.

Secure MEC & Backhaul: 5G edge deployments will supply virtualized, on-demand resources: an infrastructure that connects servers to mobile devices, to the internet, to other edge resources, and to the operational control system for management and orchestration. These deployments should have the right security mechanisms in the backhaul to prevent rogue deployments, and the right security controls to prevent malicious code deployments and unauthorized access. As these MEC deployments will include dynamic virtualized environments, securing these workloads will be critical. Cisco workload protection will help service providers to secure the workloads. Cisco’s Converged 5G xHaul Transport will provide service providers with the right level of features for secure 5G transport.

Cisco Ultra Cloud Core allows the user plane to support a full complement of inline services. These include Application Detection and Control (ADC), Network Address Translation (NAT), Enhanced Charging Service (ECS), and firewalls. Securing the MEC would require multiple layers of security controls based on the use case and the deployment mode. Some of the key security controls are:

• Cisco Security Gateway provides security gateway features along with inspections on GTP, SCTP, Diameter, and M3UA.

• Secure MEC applications: Securing virtualized deployments on the MEC and centralized 5GC requires a smarter security control rather than just having firewalls, be it hardware or virtualized. Cisco Tetration provides multi-layered cloud workload protection using advanced security analytics and speedy detections.

• Secure MEC access: User access to MEC can be secured by applying the Zero Trust methodology, which is explained in greater detail below.

Utilizing zero trust security controls during 5G deployment is critical for service providers. This is particularly important in the deployment phase, where there will be multiple employees, vendors, contractors, and sub-contractors deploying and configuring various components and devices within the network. The old method of just providing a VPN as a security control is insufficient, as the device used by the configuration engineer might already carry malicious code that could then be deployed within the 5G infrastructure. This whitepaper gives you more insights on how zero trust security could be applied to 5G deployments.

End to End Visibility: 5G brings in distributed deployments, dynamic workloads, and encrypted interfaces like never before. This requires end-to-end visibility to ensure proper security posture. Advanced threat detection and encryption methods can identify malware in encrypted traffic without requiring decryption. And because latency is very important in 5G, we can’t use traditional methods of distributed certificates, decrypting traffic, analyzing the data for threats, and then encapsulating it again, as this adds too much latency into the network. Cisco Stealthwatch is the only solution that detects threats across the private network, public cloud, and even in encrypted traffic, without the need for decryption.

Source: Cisco.com

Tuesday, 5 May 2020

Cisco’s AI/ML can make your Wi-Fi 6 upgrade a success

Upgrading to Wi-Fi 6 is not just about replacing your oldest access points. The true value proposition is in locating areas where specific Wi-Fi 6 features will improve the network performance and user experience. The AI/ML capabilities in Cisco DNA Center can help you find these upgrade opportunities.

As you are sitting at home reading this, you could be analyzing your campus wireless network for areas where Wi-Fi 6 can add the most bang for your buck. Wi-Fi 6 has some new features that are useful in resolving what used to be unsurmountable problem areas in a wireless network. Your Cisco DNA Center Assurance dashboard has AI/ML features that can allow you to find these areas!

The first step is to understand these new Wi-Fi 6 features and the wireless challenges that they resolve:

Poor performance in highly congested areas: OFDMA in Wi-Fi 6 allows multiple clients to transmit simultaneously in order to increase capacity in highly congested areas.

Poor uplink performance on mobile devices: Uplink sub-channelization in Wi-Fi 6 provides mobile devices greater radio transmit power without consuming more battery power. This provides mobile devices better Wi-Fi performance in challenging conditions.

High radio interference: The Wi-Fi 6 OFDMA uplink map creates a synchronization that leads to less interference in between clients and in between access points. Additionally, OFDMA allows clients to transmit on small channels at greater power making them much less susceptible to interference from other wireless devices.

The IoT small packet problem: IT teams with a large concentration of IoT devices (manufacturing, process control, video surveillance, etc.) are very familiar with the packet processing bottleneck that access points can become. Modern Wi-Fi 6 chipsets solve this with powerful quad-core 2.2GHz processors that can process three times more packets than most 802.11ac access points and twelve times as many as most 802.11n access points. This processing power, combined with a well-designed access point data-forwarding mechanism, has the potential to eliminate most of the issues you used to have supporting IoT devices.

Now let’s look at how you can use the AI/ML in Cisco DNA Center to quickly locate areas in your campus network that fit these challenging conditions.

Congested areas


Any simple network management system with wireless heat maps can show you areas of high congestion. But even older 802.11ac/Wi-Fi 5 (with multi-user MIMO) can handle most congested areas quite well. To get the best bang for our Wi-Fi buck, we only want to upgrade those areas where this congestion is affecting the performance and user experience. The Assurance section in Cisco DNA Center has an area called “Trends and Insights” where you can use AI/ML to compare just about anything on your campus network. You can compare the wireless performance in your buildings, between floors, or even compare every single access point on campus. The graphic above shows channel utilization of 2,216 access points from greatest to lowest. The access points in dark red are using very high percentages of the wireless medium to keep up with demand. You can then view the packet failure rate on those highly utilized access points. This will quickly tell you which access points have (1) high utilization AND (2) high retransmission rates. Upgrading these access points to Wi-Fi 6 is a good investment.

Note that, depending on when you are reading this, you will want to go back in time a few months to when your campus wireless network traffic was normal. February is a good month because it is after the winter holiday and before spring break.

Areas where mobile devices struggle  


In order to minimize battery consumption, mobile device Wi-Fi radios transmit at much lower power (15mW typical) than the transmit power for access points (100mW or more). Because of this, mobile devices often struggle to send data (uplink) even though the mobile device Wi-Fi signal strength indicator shows full power. This happens because the mobile device measures how it is receiving signal from the access point (downlink). This problem is often worse in certain areas of the campus because building materials vary and things like concrete and metal exacerbate this uplink weakness.

OFDMA in Wi-Fi 6 allows a mobile device to concentrate its transmission (the uplink) on a smaller radio channel for higher power. If that didn’t make sense, imagine how the nozzle on your garden hose concentrates the flow of water to give it more power. The result for Wi-Fi 6 is the ability of a low power device to transmit with much greater uplink signal quality, which can help penetrate (or bounce around) heavy walls and other obstacles. So how can you detect areas on campus where Wi-Fi clients are experiencing low-quality uplink?

Go back to the AI/ML Trends and Insights and compare average client RSSI (Received Signal Strength Indicator) across all access points on your campus. This will tell you how each access point is receiving signal from the wireless clients. Access points with low averages should be selected for a Wi-Fi 6 upgrade.

Areas of high interference


Interference is a difficult problem to diagnose in wireless networks because the symptoms of interference can vary. Users can experience long onboarding times, slow app performance, and difficulty connecting to the cloud. The good news is that the AI Network Analytics feature in Cisco DNA Center will automatically identify interference and alert you on the “Top 10 Issues” window, right on the front page of the dashboard.

So, if you have seen these alerts on your home screen, it would be a good idea to see if Wi-Fi 6 can help mitigate this interference. If you go to the AI/ML “Trends and Insights” menu you can sort access points based on levels of interference. This can give you a list of your worst offenders. Click on one of the access points and look for the “Intelligent Capture” tool at the top of the window. This tool uses your network access points to perform complex packet, frame, and spectrum analyses.

Inside of the Intelligent Capture window, click on spectrum analysis and watch as the software begins to monitor the wireless traffic for interference severity and duty cycle. The waves show you the channels where the interference is located and how this is affecting the duty cycle of that particular access point. This is a very comprehensive test that will scan all of the available wireless channels with traffic from your actual network at that location.

Intelligent Capture lets you drill down on this and identify the percentage of channel utilization for this access point, other access points, and even non-Wi-Fi interference. The image to the right is a screen capture from the output of a spectrum analysis at 2.4 GHz (I cut the screen to be able to enlarge the image). Channels 1 and 2 have high levels of interference but channels 3 and 4 do not. If you find that interference is limited to one or two of the Wi-Fi channels, you can configure your access point to operate outside of these channels. However, if the interference is running across all channels you have a great candidate for a Wi-Fi 6 upgrade. The OFDMA synchronization in Wi-Fi 6 will greatly minimize any self-interference (interference between your own network devices and access points), and your Wi-Fi 6 clients will be able to transmit on a more narrow, more powerful radio channel giving them added robustness against internal or external interference.

The IoT small packet problem


IT teams that operate networks for manufacturing, process control, mining, and digital cities are quite familiar with the IoT small packet problem. It has long been a thorn in the side of Wi-Fi networks used for machine-to-machine (M2M) connectivity and video surveillance. The issue is that these types of communication send small payloads of data at high frequency. Most forms of M2M encapsulate their data in 64-Byte UDP packets, while most normal IP file transfers use larger 1,500-Byte packets. A Wi-Fi access point is limited in the number of packets per second (PPS) that the embedded chipset can process. Imagine a Wi-Fi chipset capable of processing 30,000 PPS. For normal 1,500-Byte data packets, this device is capable of transferring 360 Mbps (30,000*1500*8). But, for 64-Byte packets the maximum throughput drops to only 45 Mbps. More importantly, 20 Mbps of M2M data can take almost half of my access point’s capacity!

To find small packet problem areas in your campus network, begin by looking at the AI/ML “Trends and Insights” menu and sort access points based on “Traffic.” This will single out the busiest access points based on packet transfers. Like before, use the Intelligent Capture feature, but this time look at the frame counts and frame errors window (shown at left). Any access points with lots of traffic, high frame counts and high frame errors are great candidates for a Wi-Fi 6 upgrade.

In the past Cisco has made many enhancements to overcome the limitations of typical Wi-Fi chipsets, like HDX and “Turbo Performance” in the Cisco Aironet 2700 and 3700 series access points for 802.11ac. This HDX technology, along with the quad-core processors now available in new Wi-Fi 6 chipsets, takes packet capacity to a whole new level, and you can see this in the Cisco Catalyst 9100 access points and Cisco Meraki Wi-Fi 6 Access Points.

My goal with this blog was to show you the power of AI/ML in Cisco DNA Center and how it can locate some of the less obvious, but more critical opportunities for upgrading to Wi-Fi 6. The material may be a bit more technical than most of our blogs here at Cisco, so please feel free to comment below with any questions you may have.

Cisco DNA Assurance and AI Network Analytics are included in the Cisco DNA Advantage software.