Showing posts with label SaaS. Show all posts

Thursday, 4 January 2024

AIOps Drives Exceptional Digital Experience Through Network Assurance

The distributed workforce―and the distributed applications and services they consume―have vastly changed the enterprise network paradigm. Many connections—such as private cloud, internet, public cloud, multicloud, and software-as-a-service (SaaS) networks—now begin and end outside of the traditional corporate infrastructure. The coexistence of these complex connections creates new layers of operational complexity for teams responsible for ensuring predictable performance and quality of service.

What is needed to combat this complexity is a network assurance platform with true end-to-end visibility. Insight is needed into users and their devices, locations, and connected things, as well as into access networks, network services, multiple clouds, and corporate enterprise data centers and applications (Figure 1). A solution that combines these different data sets and uses artificial intelligence and machine learning (AI/ML) to analyze them can help drive decisions that make network operations proactive and predictive instead of reactive.

Figure 1. Span of end-to-end visibility required

In our 2023 Global Networking Trends Report, nearly half (47%) of respondents said they are prioritizing the adoption of predictive network analytics over the next two years, primarily to help with managing the connectivity and digital experience of their remote workforce.

A predictive network analytics solution must correlate massive amounts of network data in real time and at scale. Continuously analyzing performance data, applying predictive models to forecast conditions, and recommending actions lets teams avoid adverse application impacts on distributed workers and ensure the best possible user experience.

Predictive analytics for SD-WAN and an internet-centric world


For the software-defined WAN (SD-WAN), a platform that uses artificial intelligence for IT operations (AIOps) can provide predictive analytics to forecast performance (Figure 2). AIOps refers to the strategic use of AI, ML, and machine reasoning (MR) technologies to simplify and streamline IT processes and optimize the use of IT resources. By correlating real-time and historical SD-WAN performance data and applying predictive models, AIOps can turn those forecasts into per-site recommendations for the best path for each application type, given the paths available at that site.

By integrating predictive analytics into SD-WAN solutions, IT teams can improve dynamic enforcement of application service levels with intelligent routing across alternative paths before any degradation occurs.

Figure 2. Predictive analytics through a continual feedback loop

Combining traffic data sets from an organization’s ecosystem of ISPs, cloud providers, SaaS applications, and other external services further enriches predictive analytical systems. Operations teams can rapidly identify, escalate, and remediate issues with providers using internet telemetry data. When outage behavior is detected, a root cause can be identified and shared with providers to prioritize fixes or escalate to peers and transit providers.

Predictive analytics at work in the real world 


When Insight Global—one of the largest staffing agencies in the United States—allowed its employees to return to the office, it used information from ThousandEyes’ WAN Insights to optimize its SD-WAN policies and improve application experiences proactively and continuously. Once the solution was in place, the company gained greater visibility into critical network environments and routing, and its IT team was better able to detect and avoid potential issues before they could impact the business.

Predictive and proactive operations are the way forward


It’s time to move from reactive to proactive operations management through end-to-end visibility and AI/ML-powered predictive analytics. It’s time for a consistent way of automating operations, analyzing and diagnosing issues, and assuring the user experience across all the different networking domains.

We believe strongly in this way forward. It’s the cornerstone of Cisco’s approach to network assurance and Cisco’s Networking Cloud vision—a unified management experience platform for on-premises and cloud operating models to simplify IT, everywhere, at scale.

Source: cisco.com

Saturday, 20 May 2023

How Cisco’s SaaS Solutions on AWS Deliver Unbeatable Value to Customers and Partners

The cloud has become a vital tool for businesses of all sizes, providing the flexibility, scalability, and cost-effectiveness necessary to compete in today’s fast-paced digital landscape. However, as more companies move their applications and data to the cloud, they face new challenges in terms of security, connectivity, observability, and optimization. That’s where Cisco comes in.


As a leading provider of networking, cybersecurity and observability solutions, Cisco has become a trusted partner for businesses looking to navigate their cloud journeys. Cisco offers end-to-end solutions for customers’ cloud journeys, including cloud connectivity, cloud security, cloud observability, cloud optimization, and remote work.

Cisco is making it easier for customers and partners to take advantage of its solutions by offering them on AWS Marketplace. Cisco SaaS solutions on AWS provide greater flexibility for customers and partners, making procurement easier. With the AWS Marketplace channel program, CPPO (Channel Partner Private Offer), partners can sell more Cisco SaaS solutions on AWS to customers. Most of Cisco’s SaaS solutions run on AWS, giving customers greater flexibility and convenience in procurement, the ability to draw down their AWS Enterprise Discount Program (EDP) commitments, and access to the ecosystem support provided by Cisco and AWS.


Cisco’s SaaS solutions on AWS cover a wide range of areas, including cloud security, connectivity, observability, and hybrid work. They are designed to work with AWS services, making it easier for customers and partners to integrate them into their existing cloud environments. For cloud security, Cisco offers zero trust, security service edge (SSE), secure access service edge (SASE), infrastructure protection, application security, and extended detection and response (XDR) solutions, which can help customers secure their cloud environments and protect their data from cyber threats.

In terms of cloud connectivity, Cisco offers SD-WAN and simplified cloud connectivity solutions that help customers connect their on-premises and cloud environments.

Additionally, Cisco’s cloud observability solutions offer full-stack observability that covers infrastructure, internet, applications, business, code-to-cloud, and cloud optimization. This helps customers gain better visibility into their cloud environments and optimize their cloud resources for cost and performance.

Lastly, Cisco’s end-to-end hybrid work solutions help customers support remote work and collaboration. This includes solutions for secure remote access, video conferencing, and team collaboration.

Cisco’s key SaaS solutions and use cases (figure)

The Cisco and AWS partnership offers numerous benefits for customers and partners who are looking to migrate to the cloud or optimize their existing cloud environments. One of the most significant advantages of this partnership is the ability to access Cisco’s SaaS solutions on the AWS Marketplace.

In conclusion, by offering its solutions on AWS, Cisco is making it easier for businesses to take advantage of the latest technologies and innovations and stay ahead of the curve in their respective industries. The Cisco and AWS partnership is a powerful combination that can help customers and partners optimize their cloud environments and achieve their business objectives. To learn more about the AWS and Cisco partnership, and how you can benefit from Cisco’s SaaS solutions on AWS, visit the AWS and Cisco partnership page, as well as Cisco’s solutions for AWS.

Source: cisco.com

Saturday, 7 August 2021

Revolutionizing Customer Engagement and Collaborative Development


Our customers are looking for ways to simplify management of their Cisco devices and adopt new technologies faster while maintaining strong security across their environment. They are facing challenges in locating the right information necessary for deployment, obtaining access to the right resources, gaining visibility into their assets as well as more automated capabilities to reduce risks, increase uptime, and optimize overall performance.

Cisco CX Cloud was built to address these concerns, alongside the Success Tracks suite of service packages. A cloud-based Software as a Service (SaaS) platform, CX Cloud provides customers with unified access to all of their Cisco portfolio in one pane of glass. Users can view their assets, contract coverage and licenses, access insights into the health of their network infrastructure, be alerted to security advisories, detect risks, open support cases in-app, and take advantage of contextual learning to train their IT teams all within CX Cloud.

Realizing the value of IT investments quickly is critically important to delivering results with agility. Our customers have told us that they want to be able to self-serve, but at the same time be able to leverage consultative subject matter experts to help navigate more complex infrastructures. For example, one of our customers mentioned that often once a vendor sells something, they are left to figure out how to set it up, how to use it, and how to make it work to meet their needs. Another received a mandate to eliminate all critical security vulnerabilities across their entire infrastructure in a relatively short time frame, which is traditionally neither fast nor easy to accomplish, and wasn’t sure where to begin.

In partnership with our customers, the CX Cloud Insights & Innovation Team aligns CX Cloud’s platform capabilities with our customers’ goals, so value is realized faster. We help customers learn how to use the CX Cloud platform and move through every stage of the adoption lifecycle, removing barriers along the way and identifying how to make the platform exactly what our customers need it to be. We have engaged with many customers and have learned from them the many ways CX Cloud helps them every day.


We engage with customers early and often, learning together and from one another and working together to solve their biggest pain points. Our engagement enriches the customer experience as we collaborate with our customers to determine how they can leverage the platform and how it can be used to help fulfill their responsibilities. As previously mentioned, one customer had to meet a deadline to reduce critical-impact security advisories fast. They used CX Cloud Advisories to demonstrate their progress against this goal. It allowed them to identify which assets were vulnerable and then follow the guidance to remediate those vulnerabilities. From their efforts, they were able to reduce their risk by 33% in a matter of a few weeks. Customers say CX Cloud is intuitive and easy to use, and the expert-level guidance from our team takes any remaining questions off the table to help them learn how to get the most from CX Cloud fast. The only question to answer is: how fast do you want to go?

We actively search for solutions to problems customers face on a day-to-day basis while we train and educate them on how to use CX Cloud. Looking again at our customer who needed to tackle security vulnerabilities across their entire infrastructure, they knew immediately that this traditionally is neither fast nor easy to accomplish. With the capabilities delivered by CX Cloud, customers can be efficient and effective in achieving this goal and be proactively notified of critical vulnerabilities before they become an emergency. How is this possible? Using the insights and guidance delivered by CX Cloud, customers can skip the investigation required to identify if and where problems exist. Instead, they can move directly to remediation because CX Cloud does the investigation for them by automatically scanning the environment. As shared by another customer, it takes on average two hours per week for them to investigate potential problems in the network. With CX Cloud monitoring their environment, those two hours can now be spent implementing fixes to known issues instead. What can you achieve with time back each week? And what more can you accomplish when reacting to problems is a thing of the past?

Our customers have never had as much say in the development of a Cisco product as they do with CX Cloud today. What is very exciting is how customer-centric CX Cloud really is in its development and product roadmap. Cisco is listening more than ever to learn from our customers what they need from CX Cloud and feed ideas directly into product development, either through direct engagement or in-app within CX Cloud. Customer ideas are captured every day and reviewed throughout the week. Often our product managers will directly engage with customers to follow up and better understand their ideas and how they might best be implemented. And by submitting ideas online, customers will receive updates on the status of their ideas and will know when they’ve been implemented into production. Finally, in our weekly CX Cloud Club Conversations webinars, we train on, discuss, and learn about the future of CX Cloud with product management, where they also answer customer questions in a live forum.

What do you want CX Cloud to do for you? Through expert engagement you’ll learn how to maximize the value of the CX Cloud platform, align it with your goals, and customize it to drive efficiency in your organization.

Source: Cisco.com

Tuesday, 4 May 2021

8 Reasons why you should pick Cisco Viptela SD-WAN

20 years ago, I used to work as a network engineer for a fast-growing company that had multiple data centers and many remote offices, and I remember all the work required to simply onboard a remote site. Basically, it took months of planning and execution which included ordering circuits, getting connectivity up and spending hours, and sometimes days, deploying complex configurations to secure the connectivity by establishing encrypted tunnels and steering the right traffic across them. Obviously, all this work was manual. At the time I was very proud of the fact that I was able to do such complex configurations that required so many lines of CLI but that was the way things were done.


During the decade that followed, we saw a slew of WAN and encryption technologies become available to help with the demand and scale for secure network traffic. MPLS, along with Frame Relay, became extremely popular and IPsec-based encryption became the norm. All this was predicated on the fact that most traffic was destined for one clear location: the data center that every company had to build to store all its jewels, including applications, databases and critical data. The data center also served as the gateway to the internet.


From a security perspective, the model was simple and had clear boundaries. All infrastructure within the enterprise was trusted and everything outside including the internet and DMZ was labeled as untrusted, so firewalls and other proper security devices were deployed at these boundaries mainly at the data center in order to protect the organization.

The decade that followed brought some disrupting trends. We moved from desktops to laptops and then mobile devices became the norm. We became more dependent on voice and video services which meant regular infrastructure updates were frequently needed to deal with increasing demands for bandwidth.

As WAN services became more critical, businesses had to invest in expensive redundant links, the secondary of which sat idle as a backup in case the primary link failed. Although there were some challenges, this model worked out pretty well for some time.

The rise of Cloud Computing


Although cloud computing has been around since the early 2000s, rapid adoption did not materialize until recently, due to multiple factors including a general lack of trust and security concerns. Over the last 5 years, however, a new trend picked up and many organizations started to see benefits to cloud computing that allowed for cost savings and more flexibility. For example, a small company can now run its servers on a cloud service provider (CSP) such as AWS or Azure rather than spending large amounts of capex to build a data center. Mindsets are changing even in conservative sectors such as financial services, as the following quote from a banking customer shows.

“In 2020, we left our data centers behind and moved to the public cloud to create exceptional banking experiences for our customers. The agility, scalability and elasticity of the cloud are helping us build the bank of the future”

In addition, Software as a Service (SaaS) is another trend that is also changing the way we consume applications. A long list of critical applications that include Office 365, Salesforce, WebEx, Box and many more are now being served from the cloud.

While the move to the cloud has been accelerating over the last 5 years, the COVID pandemic accelerated it exponentially, and with it the need for a new architecture better suited to these new and diverse challenges.


The need for SD-WAN


As organizations increasingly adopt SaaS and IaaS, the old model of networking no longer works, for the main reason that services no longer reside in one place but are distributed across the internet on multiple clouds. We can no longer rely on the data center as the gateway to the internet, because going that route no longer gives us the optimal path and thus adds latency, culminating in a sub-optimal user application experience. Increased traffic at the data center also requires expensive links as well as network and security equipment that can support the throughput.

In addition, the consumption model for connectivity is changing: rather than spending a lot of money on expensive MPLS links, companies can now use their branch backup links or go with cheaper ones at a fraction of the cost. Although direct internet access (DIA) links provide a great way to offload noncritical internet traffic, using them beyond that requires securing those links, which adds to the challenges facing IT organizations.

Software-defined WAN was introduced to solve all these problems by decoupling the data plane from the control and management planes, creating a secure overlay and, similar to a car GPS, providing the intelligence to route a packet to the right destination while avoiding paths degraded by loss, latency and jitter. Most importantly, it relies on a single management interface that makes provisioning and managing the WAN extremely simple.
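The "GPS" decision above is application-aware routing: each application class carries SLA thresholds for loss, latency and jitter, each tunnel (one per transport "color") is continuously probed, and traffic is steered to a tunnel that currently meets the SLA, preferring a configured transport. The following is a simplified model written for this page, not Cisco code: the SLA classes, the probe snapshots and the transport names are constructed for illustration (in Cisco SD-WAN the measurements come from BFD probes over each tunnel and the policy is defined in vManage, but the selection logic here is a generic sketch). It also handles the two edge cases a practitioner cares about: what happens when the preferred transport degrades, and what happens when no tunnel meets the SLA at all (strict versus non-strict policy).

```python
"""Application-aware path selection in an SD-WAN overlay.
Simplified illustrative model written for this page; not Cisco's implementation."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SlaClass:
    """Per-application thresholds; a tunnel must stay within all three."""
    name: str
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float


@dataclass(frozen=True)
class TunnelStats:
    """Latest probe results for one tunnel, identified by its transport 'color'.
    Values below are constructed; in a real fabric they come from tunnel probes."""
    color: str
    loss_pct: float
    latency_ms: float
    jitter_ms: float

    def meets(self, sla: SlaClass) -> bool:
        return (self.loss_pct <= sla.max_loss_pct
                and self.latency_ms <= sla.max_latency_ms
                and self.jitter_ms <= sla.max_jitter_ms)


def _overshoot(value: float, limit: float) -> float:
    """Fractional amount by which value exceeds limit (0.0 when within it)."""
    if limit <= 0:
        return value  # assumption: a zero limit means any positive value overshoots
    return max(0.0, (value - limit) / limit)


def sla_violation(t: TunnelStats, sla: SlaClass) -> float:
    """Worst per-metric overshoot; 0.0 means the tunnel is SLA-compliant."""
    return max(_overshoot(t.loss_pct, sla.max_loss_pct),
               _overshoot(t.latency_ms, sla.max_latency_ms),
               _overshoot(t.jitter_ms, sla.max_jitter_ms))


def select_path(tunnels: List[TunnelStats], sla: SlaClass,
                preferred: Optional[str] = None, strict: bool = False) -> Optional[str]:
    """Pick the transport color for traffic in this SLA class.

    1. the preferred color, if it currently meets the SLA;
    2. otherwise the first compliant tunnel in administrative order;
    3. otherwise, non-strict: the tunnel that violates the SLA least;
       strict: None (policy drops rather than violates the SLA).
    """
    compliant = [t for t in tunnels if t.meets(sla)]
    for t in compliant:
        if t.color == preferred:
            return t.color
    if compliant:
        return compliant[0].color
    if strict or not tunnels:
        return None
    return min(tunnels, key=lambda t: sla_violation(t, sla)).color


# Constructed SLA classes and probe snapshots for one branch with three transports.
VOICE = SlaClass("voice", max_loss_pct=1.0, max_latency_ms=150.0, max_jitter_ms=30.0)
BULK = SlaClass("bulk", max_loss_pct=5.0, max_latency_ms=400.0, max_jitter_ms=100.0)

HEALTHY = [
    TunnelStats("mpls", 0.0, 40.0, 5.0),
    TunnelStats("biz-internet", 0.5, 90.0, 20.0),
    TunnelStats("lte", 2.0, 220.0, 60.0),
]
# The internet link picks up jitter: voice must move, bulk can stay.
DEGRADED = [
    TunnelStats("mpls", 0.0, 40.0, 5.0),
    TunnelStats("biz-internet", 0.5, 90.0, 45.0),
    TunnelStats("lte", 2.0, 220.0, 60.0),
]
# Nothing meets the voice SLA: non-strict picks the least-bad tunnel, strict picks none.
OUTAGE = [
    TunnelStats("mpls", 0.0, 200.0, 5.0),
    TunnelStats("biz-internet", 0.5, 90.0, 45.0),
    TunnelStats("lte", 2.0, 220.0, 60.0),
]

if __name__ == "__main__":
    for label, probes in (("healthy", HEALTHY), ("degraded", DEGRADED), ("outage", OUTAGE)):
        for sla in (VOICE, BULK):
            chosen = select_path(probes, sla, preferred="biz-internet")
            print(f"{label:8} {sla.name:5} -> {chosen}")
```

The order of the `tunnels` list stands in for administrative preference among equally compliant paths; a real policy would also hysteresis-dampen flapping so that a single bad probe does not move traffic back and forth.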

Why Cisco Viptela?


Cisco acquired Viptela, a leading SD-WAN provider, in 2017. Since then, Cisco has integrated the solution into its long line of WAN routers, introduced the Catalyst 8K family (a new router platform designed specifically for SD-WAN and cloud), added a long list of cloud innovations by working with leading cloud service providers (CSPs), and deployed the solution at thousands of customer sites. To better understand the benefits that Cisco Viptela brings, let’s break the conversation down into the following 8 key areas:

Centralized Management: One of the key benefits that Cisco Viptela provides is the use of centralized management using vManage to not only provision and monitor SD-WAN fabric policies but to also provide capabilities to integrate with external systems such as provisioning transit gateways on AWS and automating tunnel creation to a Secure Internet Gateway (SIG) thus providing the administrator with one tool to simplify solution roll out.

Bandwidth Augmentation: Traffic can be offloaded from expensive MPLS links because Viptela SD-WAN is link agnostic, so multiple internet links can achieve the availability and performance of a single premium link at a fraction of the price while still meeting the same SLA.

Application Performance Optimization: Applications have different quality-of-service requirements. Some tolerate little delay, some are sensitive to loss, and some behave poorly under jitter. SD-WAN features such as TCP optimization, data redundancy elimination (DRE) and application-aware routing are among the tools we can use to work around congestion and deliver an optimal quality of experience.

Secure Direct Internet Access: Drawing on many years of security expertise, the Cisco security stack, which includes firewall, IPS, URL filtering, TLS proxy and advanced malware protection, can be deployed at the branch or in the cloud using Cisco Umbrella. This gives customers the confidence to use branch breakout links, saving cost and improving the application experience, especially for cloud-based services.

Middle Mile Optimization: A colocation presence provides a lot of value to customers, including direct access to CSPs over dedicated interconnects such as ExpressRoute, service chaining and much more. In this situation, Cisco SD-WAN extends the fabric and provides a management interface to onboard and manage the environment.


Cloud OnRamp for IaaS: The key benefit of this feature is that it not only lets us use the same simple flow to automate connectivity to all key cloud service providers (AWS, Azure and GCP), but once the SD-WAN fabric is extended to the cloud, customers get to use all the SD-WAN features in the cloud, with all configuration done from the same vManage console. In certain cases, the CSP’s backbone can be used to carry site-to-site traffic, reducing latency to a specific destination.

Cloud OnRamp for SaaS: This feature provides an optimal experience for SaaS applications by combining internal probing with external telemetry received from SaaS application vendors. Microsoft Office 365 is a good example: in addition to the probing intelligence built into SD-WAN, Microsoft publishes the key URLs along with path recommendations based on its own dynamic data.

Analytics: The Cisco vAnalytics platform is offered as a service and provides a graphical view of fabric performance with the ability to drill down into specific areas such as network availability, carrier, tunnel and application performance. Other Cisco applications such as Cisco Stealthwatch and Cisco ThousandEyes can also be used to provide more analytics.

In summary, as the future of networking turns to the cloud, the internet will play a role as critical as the one the LAN played in the past. Cisco Viptela SD-WAN, a highly reliable and resilient solution whose rich features integrate cloud optimization, security and advanced analytics, can play a major role in helping organizations manage this disruptive WAN phase, and it will be the foundation for Secure Access Service Edge (SASE), but that is a discussion for another blog.

Source: cisco.com

Saturday, 14 November 2020

Under Analytics


Back when network management was booming in the early 90’s, the whole idea seemed straightforward. System administrators would speak of endpoints on the network as being “under management” or conversely “unmanaged.” There seemed to be a place for everything and looking back now at those times, enterprises seemed so simple compared to today. Maybe simple is not the right term, maybe they just seemed more orderly compared to the modern network landscape.

At some point, hackers showed up and names like “under management” or “unmanaged network elements” made little difference to them. I remember security folks in the early days joking that SNMP (Simple Network Management Protocol) stood for “Security Not My Problem.” An insecure network meant that you had an insecure business! The experienced security architect knows that whether the system is under management, under someone else’s management, or completely unmanaged, if that system is part of the business, it is still their job to secure it. To put it another way, while management of systems can span certain, more specific information systems, security must always be as wide as the business.

I would like to suggest a new term and concept for our vocabulary and that is “under analytics.” I like to think of this as a conceptual means to discuss if areas of your digital business have enough visibility for continuous monitoring of its integrity. Why not just call it “under management?” Well, because more and more these days, you are NOT the one managing that area of the network. It might be the cloud service provider managing it, but it is still your problem if something gets hacked. You could even then speak of observable domains as having certain requirements that satisfy the type of analytics you would like to perform.

There are many types of observable domains to consider, so let’s talk about some here. Back in the day, there was just your enterprise network. Then when folks connected to the internet, the concepts of internal, external and even DMZ networks were referenced as observable network domains. These days, you have to deal with public cloud workloads, Kubernetes clusters, mobile devices, etc. Let’s just say that you can speak of having any number of observable domains, for each of which you require telemetry that gives you the visibility needed to detect the most advanced threat actors in that domain.

For each of these observable domains, there will need to be telemetry. Telemetry is the data representing changes in that domain; it feeds your behavioral analytics outcomes. You could make a list of the competency questions you would want to answer from these analytical outcomes.

◉ Are there any behaviors that suggest my systems have been compromised?

◉ Are there any behaviors that suggest some credential has been compromised?

◉ Are there any behaviors to suggest there is a threat actor performing reconnaissance?

My suggestion is that you begin with these questions and then hold security analytics to them to see if they are competent to answer them daily, weekly, monthly, etc.

From there, you can go one step further and start to consider and look into scenarios like the following:

◉ We have a new partner network, is it “under analytics?”

◉ We have a new SaaS service, is it “under analytics?”

◉ This company has a new cloud deployment, do we know if it is “under analytics?”

◉ What part of our digital business is not “under analytics?”

How well do you know your digital business behavior when it is 100% without compromise? How would you even go about answering this? The truth is, you really do need to get to this level, because if you don’t, threat actors will. Even if parts of the business use SaaS products while parts of the network use Infrastructure as a Service (IaaS), you can still set the requirement that there must be sufficient telemetry and analytics to answer the questions above. Your business must always remain “under analytics”, and only then will you be one step ahead of your attackers.
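To make “under analytics” concrete, here is a small coverage model, added for this page and not part of the original post. Each observable domain is recorded with the telemetry feeds actually arriving from it and how stale each feed is; each competency question is mapped to the feed kinds that can answer it; and a domain counts as under analytics only if every question is answerable from a feed that is still live. The mapping of questions to feed kinds, the 24-hour staleness threshold and the inventory are all assumptions for illustration, to be replaced with your own detection content. The point the model enforces is the one the post makes: who manages the domain is irrelevant (the AWS account below is managed by the CSP and is still covered), and a feed that has gone silent does not count as coverage.

```python
"""Coverage model for 'under analytics': can each observable domain answer the three
competency questions from telemetry that is actually arriving? Illustrative example
written for this page; the question-to-feed mapping and inventory are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed mapping: a question is answerable if at least ONE listed feed kind is live.
COMPETENCY_QUESTIONS: Dict[str, Set[str]] = {
    "systems_compromised":    {"endpoint_edr", "cloud_audit", "netflow"},
    "credential_compromised": {"auth_log", "cloud_audit", "saas_audit"},
    "reconnaissance":         {"netflow", "vpc_flow", "firewall"},
}

# Assumed threshold: a feed silent for longer than this is not coverage, it is a gap.
MAX_SILENCE_HOURS = 24.0


@dataclass
class Domain:
    name: str
    managed_by: str                                   # "us", "csp", "partner", "saas"
    telemetry: Dict[str, float] = field(default_factory=dict)  # feed kind -> hours since last event

    def live_feeds(self, max_silence: float = MAX_SILENCE_HOURS) -> Set[str]:
        return {kind for kind, age in self.telemetry.items() if age <= max_silence}


def coverage(domain: Domain) -> Dict[str, bool]:
    """Per competency question: can this domain answer it from a live feed?"""
    live = domain.live_feeds()
    return {q: bool(kinds & live) for q, kinds in COMPETENCY_QUESTIONS.items()}


def under_analytics(domain: Domain) -> bool:
    return all(coverage(domain).values())


def gaps(domains: List[Domain]) -> Dict[str, List[str]]:
    """Domain name -> competency questions it cannot answer, for domains with gaps."""
    return {d.name: [q for q, ok in coverage(d).items() if not ok]
            for d in domains if not under_analytics(d)}


# Constructed inventory. Note that aws-prod is managed by the provider yet is covered,
# while crm-saas has an audit feed that stopped arriving three days ago.
INVENTORY = [
    Domain("corp-campus", "us", {"endpoint_edr": 0.1, "auth_log": 0.2, "netflow": 0.5}),
    Domain("aws-prod", "csp", {"cloud_audit": 1.0, "vpc_flow": 2.0}),
    Domain("new-partner-net", "partner", {"firewall": 0.3}),
    Domain("crm-saas", "saas", {"saas_audit": 72.0}),
]

if __name__ == "__main__":
    for name, missing in gaps(INVENTORY).items():
        print(f"{name}: NOT under analytics, cannot answer {missing}")
```

Run this against a real asset inventory and the SIEM’s last-seen timestamps per feed, and the output is the answer to “what part of our digital business is not under analytics?”; the staleness check is what catches the partner or SaaS integration that was onboarded once and quietly stopped sending.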

Tuesday, 18 August 2020

Cisco Launches SD-WAN Cloud Interconnect Ecosystem with Megaport

Enterprises are consuming more business-critical cloud applications, and most connect to the cloud over the Internet. However, the Internet offers only best-effort connectivity with inconsistent network quality, which can impact application performance significantly.

Enterprises can also choose direct cloud interconnects for their site-to-cloud connectivity. However these “mid-mile” interconnects require customers to plan for capacity and global reach upfront, which can lead to underutilization and spiraling cost.

Today we are announcing a collaboration with Megaport, which offers Software-Defined Cloud Interconnects (SDCI). It provides programmable cloud interconnects to bridge enterprise SD-WAN sites to clouds in minutes instead of weeks, with strong performance and high reliability.

Cisco’s vManage will act as the overlay for software-defined cloud interconnects, providing ease of management and the capability to rapidly instantiate connections.

This collaboration will offer Cisco’s SD-WAN customers access to Megaport’s global reach. Megaport offers extensive connectivity choices, backed by service-level guarantees for assurance. It includes peering at colocation data centers, with a global footprint across 23 countries. Megaport connects to more than 200 cloud on-ramps, including leading SaaS services like Office 365 and Salesforce, and to the six largest public cloud providers: AWS, Azure, Google, Oracle, IBM and Alibaba. The Megaport ecosystem also connects to 200 network service providers, more than 700 data centers, and 360 IT service providers and as-a-service providers.

With this new collaboration, Cisco customers can leverage Cisco’s SD-WAN management platform, vManage, to software-define their cloud interconnects to multicloud and SaaS. With this integration, Cisco SD-WAN fabric will act as the overlay, and the Megaport Software Defined Network will act as the underlay.

This collaboration extends Cisco’s SD-WAN leadership, by offering an ecosystem platform for partners, of which Megaport is the first, to bridge Cisco SD-WAN fabric with the carrier-neutral and software-defined cloud interconnect fabrics.

Sunday, 11 August 2019

New Perspectives on Software-Defined WAN


The integration of Software-Defined Wide Area Networking (SD-WAN) with cloud management functionality into the Cisco family of routers in 2018 excited many of our customers. Instantly over a million installed Cisco ISR and ASR routers could be upgraded to become SD-WAN capable, improving application performance for a distributed workforce, store outlets, and branch offices. SD-WAN lowers the cost of branch connectivity to not only the enterprise data center but also IaaS and SaaS application platforms. Later in 2018, we addressed the evolving Cloud Edge—the intersection between security, networking, and the cloud—by adding full-stack security to Cisco SD-WAN. This brings flexible, secure connectivity to distributed organizations with multicloud environments by making every WAN device software-defined and secure.

In short, SD-WAN has arrived and organizations are deploying it worldwide. So what can we look forward to as this technology enters its next phase? Let me preview some of the ways we are working to bring even more control, functionality, and flexibility to SD-WAN.

Turning the Internet into a Manageable and Secure WAN


One of the key features of SD-WAN is the ability to use multiple connectivity options simultaneously so that the most reliable or appropriate connection is always available for application Quality of Experience. Specifically, you can choose among the options available for the location: MPLS, Ethernet, internet, leased lines, DSL, LTE networks, and soon 5G. This flexibility to choose the most cost-effective and best-performing connectivity option available is what provides the ideal application experience for each location of a distributed workforce. For example, need to ensure that Office 365 Cloud is performing as needed at branch offices? Instead of relying on an expensive MPLS connection backhauling to headquarters for connections to multicloud applications, use a secure Direct Internet connection to the Microsoft Cloud, which is continuously monitored by SD-WAN to meet performance SLAs.

What’s next? The ability to manage end-to-end connectivity from enterprise to 5G endpoints and back will bring greater levels of control over data traffic and application performance. The key to extending intent-based networking controls from enterprise to 5G cellular endpoints is network slicing in the 5G channels in conjunction with micro-segmentation in the enterprise. 5G slicing enables the carrier to separate traffic into unique partitions, keeping sensitive data separate from normal traffic. The technique enables 5G providers to maintain the necessary service level agreements for low-latency traffic, and create an end-to-end virtual network encompassing compute and storage functions.

Wired and wireless enterprise networks are already segmented to channel traffic according to type (sensitive/video/IoT), priority, and latency. Today with 4G LTE, the enterprise segmented traffic destined for a cellular endpoint would move onto the cellular network with few controls over how the data is segmented and managed. The new 5G networks can be sliced to match the security and performance requirements of the segments in the enterprise, thus maintaining the original policies end to end. A security policy, for example, that is established in the enterprise network will follow a person's device as it transitions from the enterprise to a 5G network slice. Cisco SD-WAN will be able to take full advantage of network slicing in 5G to meet the security and segmentation needs of enterprise networks.

Virtualizing Network Functions for the SD-Branch


Bringing the focus back to ensuring robust branch connectivity, we are enhancing the functions that run on the local edge routers and appliances along with the core SD-WAN software suite. Virtualized network functions (VNFs) increase local performance and minimize backhaul traffic to corporate data center DMZs or cloud platforms. Many functions are being virtualized on edge routers and appliances—such as optimization and intelligent caching, application-aware firewalls, intrusion detection, and URL filtering. And, of course, SD-WAN's full security stack supports compliance, direct internet access, direct cloud access, and guest access.

Virtualizing critical functions and running them at the cloud edge—in the branch office, store, or clinic—improves both the efficiency and cost-effectiveness of distributed computing and a remote workforce. VNFs can also be run on cloud platforms and colocation facilities to spread the functionality over multiple remote locations. For example, by consolidating VNFs on a provider’s IaaS platform—a virtual network hub—IT can reduce management costs while being able to spin up or down new virtual machines as needed to accommodate workloads and connectivity for a group of regional branches. More on this in a future blog post.

Improving Application Quality of Experience with WAN Optimization


WAN optimization techniques have been around since the early days of frame relay and MPLS. The main goal of dedicated optimization appliances was to maximize the throughput on these relatively expensive circuits. As new technologies such as VoIP and video became critical to business, optimizing the circuits to provide the necessary Quality of Service grew in importance. But as direct internet connections became the rule rather than the exception for accessing popular SaaS and cloud apps, a much more granular, flexible, and automated WAN optimization process is required. Thus SD-WAN was designed to meet the new application QoE demands.

There are several optimization methods that Cisco SD-WAN currently employs to improve the QoE for cloud and SaaS applications accessed by the distributed workforce. Currently, Cisco SD-WAN monitors the available links for latency, packet loss, and jitter that affect throughput and performance. By dynamically measuring these characteristics and comparing them with service levels that specific applications require, the SD-WAN can automatically decide which circuits to use for individual applications. VoIP and video are two applications that require specific levels of latency and low jitter to perform correctly. While a SaaS application may be more tolerant of jitter, it still requires a guaranteed level of throughput to provide satisfactory performance. SD-WAN automates the monitoring and selection of appropriate paths to maintain expected QoE for each type of application.
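The path-selection logic described above, written out as an added example (this is illustrative code, not Cisco's SD-WAN implementation): each application class carries SLA upper bounds for latency, loss and jitter plus an ordered transport preference; the first preferred path whose probe measurements satisfy the SLA wins, and if no path is compliant the least-bad one is chosen so traffic still flows. The transport names, thresholds and probe values are constructed for the demonstration.

```python
"""Added example: SLA-class based WAN path selection from probe metrics.
Not Cisco code; transport names, SLA values and probe results are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PathMetrics:
    """Constructed probe results for one transport (ms for latency/jitter, % for loss)."""
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float


@dataclass(frozen=True)
class SlaClass:
    """Upper bounds an application class tolerates; None means the metric is not constrained."""
    name: str
    max_latency_ms: Optional[float]
    max_loss_pct: Optional[float]
    max_jitter_ms: Optional[float]
    preferred: Tuple[str, ...]  # ordered transport preference


def meets_sla(m: PathMetrics, sla: SlaClass) -> bool:
    """True when every constrained metric is within the class's bound."""
    checks = [
        (sla.max_latency_ms, m.latency_ms),
        (sla.max_loss_pct, m.loss_pct),
        (sla.max_jitter_ms, m.jitter_ms),
    ]
    return all(limit is None or value <= limit for limit, value in checks)


def select_path(paths: List[PathMetrics], sla: SlaClass) -> Tuple[str, bool]:
    """Return (chosen transport, sla_compliant).

    The first transport in the preference order that meets the SLA is used.
    If none complies, fall back to the path with the lowest loss, then latency,
    then jitter, and report non-compliance so an operator can be alerted."""
    by_name = {p.name: p for p in paths}
    for name in sla.preferred:
        p = by_name.get(name)
        if p is not None and meets_sla(p, sla):
            return name, True
    best = min(paths, key=lambda p: (p.loss_pct, p.latency_ms, p.jitter_ms))
    return best.name, False


# Constructed SLA classes: voice is latency/jitter sensitive, SaaS mainly needs low loss.
VOICE = SlaClass("voice", 150.0, 1.0, 30.0, preferred=("biz-internet", "mpls", "lte"))
SAAS = SlaClass("saas", 300.0, 3.0, None, preferred=("biz-internet", "mpls", "lte"))

# Constructed probe snapshot: internet is fast but jittery, MPLS clean, LTE lossy.
PROBES = [
    PathMetrics("mpls", 40.0, 0.1, 5.0),
    PathMetrics("biz-internet", 30.0, 0.5, 45.0),
    PathMetrics("lte", 90.0, 2.5, 20.0),
]


def demo() -> dict:
    """Run the selection for both classes against the constructed snapshot."""
    return {sla.name: select_path(PROBES, sla) for sla in (VOICE, SAAS)}


if __name__ == "__main__":
    for app, (path, ok) in demo().items():
        print(f"{app}: use {path} ({'within SLA' if ok else 'no compliant path'})")
```

With the constructed snapshot, voice is steered onto MPLS because the internet link's 45 ms jitter breaks its 30 ms bound, while the SaaS class happily uses the internet link; the non-compliant fallback path is what a monitoring system should alarm on.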

Supplementing these existing performance attributes of SD-WAN are new controls for TCP optimization, forward error correction, and packet duplication. SD-WAN provides metrics that aid in fine-tuning the optimal TCP congestion algorithm to improve application performance. For example, the Cisco SD-WAN TCP optimization engine, a new layer in the Cisco SD-WAN stack, helps maintain superior application performance in high-latency networks such as satellite, transcontinental, and other types of circuits prone to high loss and high latency.

To better tackle lossy networks, even for non-TCP applications, the Cisco SD-WAN optimization stack includes a Forward Error Correction (FEC) mechanism. FEC improves application experience by using additional parity packets to protect against loss. In situations when the loss percentage is very high, the Cisco SD-WAN optimization stack maintains performance by deploying a Packet Duplication feature. These optimization features help mitigate packet loss over noisy channels, thereby maintaining high application QoE for voice and video in particular. They are being integrated into the Cisco SD-WAN stack in upcoming IOS-XE releases. All three optimization techniques are managed via Cisco vManage and vSmart virtual network functions.
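To make the two loss-mitigation mechanisms concrete, here is an added example (not Cisco's FEC or packet-duplication implementation) that simulates both over a lossy channel: a block of data packets is protected with a single XOR parity packet, which lets the receiver rebuild any one lost packet in the block, and packet duplication sends each packet more than once so the block survives unless every copy is lost. The block size, loss probabilities and packet contents are constructed for the demonstration.

```python
"""Added example: XOR-parity forward error correction and packet duplication
over a simulated lossy channel. Not Cisco code; all parameters are constructed."""
from functools import reduce
import random
from typing import Dict, List, Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_block(packets: List[bytes]) -> List[bytes]:
    """Append one parity packet (XOR of all data packets, which must be equal length)."""
    return list(packets) + [reduce(xor_bytes, packets)]


def decode_block(received: Dict[int, bytes], block_size: int) -> Optional[List[bytes]]:
    """Rebuild the data packets from whatever arrived.

    `received` maps packet index -> bytes for indices 0..block_size (the last
    index is the parity). One parity packet repairs at most one missing packet;
    return None when more than one is gone so the caller can request a resend."""
    missing = [i for i in range(block_size + 1) if i not in received]
    if len(missing) > 1:
        return None
    if not missing or missing[0] == block_size:
        return [received[i] for i in range(block_size)]
    lost = missing[0]
    # XOR of every other packet (data and parity) equals the lost data packet.
    rebuilt = reduce(xor_bytes, (received[i] for i in range(block_size + 1) if i != lost))
    return [rebuilt if i == lost else received[i] for i in range(block_size)]


def send_over_lossy(packets: List[bytes], loss_prob: float, rng: random.Random,
                    copies: int = 1) -> Dict[int, bytes]:
    """Deliver each packet `copies` times; it arrives if any copy survives the channel."""
    received = {}
    for i, p in enumerate(packets):
        if any(rng.random() >= loss_prob for _ in range(copies)):
            received[i] = p
    return received


def block_recovery_rate(loss_prob: float, block_size: int = 4, copies: int = 1,
                        trials: int = 2000, seed: int = 7) -> float:
    """Fraction of FEC-protected blocks that are fully reconstructed at the receiver."""
    rng = random.Random(seed)
    data = [bytes([i]) * 8 for i in range(block_size)]  # constructed 8-byte payloads
    ok = 0
    for _ in range(trials):
        arrived = send_over_lossy(encode_block(data), loss_prob, rng, copies)
        if decode_block(arrived, block_size) == data:
            ok += 1
    return ok / trials


if __name__ == "__main__":
    for loss in (0.05, 0.2, 0.3):
        print(f"loss {loss:.0%}: FEC only {block_recovery_rate(loss):.3f}, "
              f"FEC + duplication {block_recovery_rate(loss, copies=2):.3f}")
```

The recovery rate with duplication rises sharply at high loss because the per-packet loss probability falls to the square of the channel loss, which is exactly why the text reserves duplication for the very lossy case: it doubles bandwidth, so it is not the first tool to reach for.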

Edge-to-Cloud Protection with Integrated SD-WAN Security Stack


Securing branch to cloud to data center traffic, in all its permutations, is a key strength of SD-WAN. Last year Cisco added a virtualized security stack to provide multiple levels of protection at the cloud edge that includes:
  • Application-Aware Enterprise Firewall with the ability to identify, permit, or block over 1400 applications.
  • Intrusion Prevention System (IPS) using Snort, the most widely deployed IPS engine in the world, to deliver real-time network defense against malware intrusions.
  • URL filtering with advanced reporting on over 80 URL categories, providing IT with greater visibility and reducing risk with usage policies customized to an organization's unique needs.
  • DNS/web-layer security with integrated connections to Cisco Umbrella to prevent enterprise branch users, guests and mobile users from accessing inappropriate internet content and known malicious sites that might contain malware and other security risks.


Cisco SD-WAN Security Today

Coming soon to a Cisco edge router near you is Cisco Advanced Malware Protection (AMP) Threat Grid operating as a virtual network function (VNF). The additional AMP-focused layer includes a context-aware knowledge base of known malware infectious agents. Cisco AMP Threat Grid identifies and alerts IT staff to discovered infections, and provides information on the malware's method of attack, a measure of the threat it poses, and how to defend against it. Operating at the branch edge, with the SD-WAN VNF security stack, AMP Threat Grid provides a layer of malware protection, examining all incoming and outgoing traffic, ensuring that malware originating from direct internet connections can't infect branch devices. Similarly, malware originating from the branch can't hide in traffic outbound to the enterprise network or cloud applications.

Threat insights exposed with AMP Threat Grid are viewable through the Cisco vManage Portal where administrators can also initiate protective actions such as segmenting infected devices from the rest of the network. The vManage Portal gives network admins a view across the entire WAN, displaying all suspected infections, malware type, and paths of infection through the network. To augment security threat intelligence, the VNF instances of AMP Threat Grid working at the local edges are continuously connected to both AMP Cloud and Threat Grid Cloud, both managed by Cisco Talos Security.

AMP Cloud and Threat Grid Cloud collect malware and suspicious file data from Cisco installations around the world, maintaining a Malicious File Hash catalogue of suspected infections and keeping the information up to date on all Cisco routers as well as third-party security tools via an open API. For example, API integration of AMP Cloud and Threat Grid Cloud with application-aware, threat-focused firewalls provides rapid identification of suspected malware files with automated sandboxing of unknown files in the Threat Grid Cloud for additional analysis.

SD-WAN Continues to Improve Branch Connectivity, Application QoE, and Security


Cisco SD-WAN is foundational for a new software-defined network architecture. As organizations become more distributed, the workforce needs new ways to connect edge to cloud, data center to branch, while ensuring a high Quality of Experience for cloud and SaaS applications wherever they are needed. Cisco is at the forefront of this new wave of distributed connectivity, continuously refining our SD-WAN software and security stack to meet the needs of the digital enterprise.

Saturday, 4 May 2019

Accelerate Your Journey to AWS With a Cisco Cloud Ready Network

Many organizations have already developed cloud migration targets and are looking at how they can accelerate cloud adoption. As organizations increasingly embrace IaaS, PaaS, and SaaS consumption models many have selected AWS as their primary cloud provider.

While pre-migration planning and application readiness are key areas of focus, many organizations have also realized that network readiness is critical in accelerating and ensuring a successful cloud adoption journey. Legacy network architectures lack the simplicity, adaptability, automation, and, most of all, application awareness needed to deliver the best user experience. A Cloud Ready Network needs to enable secure and optimized connectivity to cloud services from branch and remote offices.

Cisco next-gen SDWAN is one of the pillars of the Cloud Ready Network that can accelerate organizations' adoption of cloud.

Cloud Ready WAN


To guarantee an optimal end-user experience, an organization requires seamless connectivity between branch office locations, applications, and workloads hosted in the cloud. Many WAN solutions are ill-equipped for this task because they are generally rigid, complex to configure, and expensive to maintain. IoT adoption, a dramatic increase in the number of network devices, and the sophistication of security threats further compound this challenge.

Cisco SDWAN on Amazon Web Services (AWS) is an overlay WAN architecture that is designed to address heterogeneous WAN connectivity and distributed users by building a scalable WAN infrastructure that reduces data transport costs and operational expenses. Cisco SDWAN for AWS helps with the following two major use cases:

Cloud Onramp for SaaS – Improving SaaS performance with SDWAN on AWS


Enterprises with a legacy WAN architecture find it challenging to ensure a quality end-user experience with their SaaS adoption. Oftentimes a suboptimal path with increased latency is chosen to connect a user to the SaaS application in the cloud, resulting in a degraded end-user experience. A cloud ready network via SDWAN solves the problem by creating multiple Internet exit points and dynamically steering around bandwidth and latency issues in real time, resulting in an optimal SaaS user experience at branches.

To achieve this the SDWAN fabric continuously measures the performance of designated SaaS applications through all permissible paths from a branch including direct internet access. For each path, the fabric computes a quality-of-experience (vQoE) score that gives network administrators visibility into application performance. The fabric also makes real-time decisions to choose the best-performing path per application per VPN between the end users at a remote branch and the cloud SaaS application and automatically fails over in case of performance degradation.


Cloud Onramp for IaaS – Faster and secure connectivity from branches to the AWS cloud

Traditional hub-and-spoke network architectures were designed to support consolidated applications and services hosted at centralized "demilitarized zones" (DMZs) and data centers. This layout forces the backhaul of internet traffic through the DMZ, creating inefficient traffic routes that increase the distance between end user and application. As an alternative, many organizations have opted to implement private circuits or MPLS to create mesh connectivity and satisfy any-to-any traffic requirements. This approach can work but is costly and adds operational complexity. There is also a need to handle dynamic traffic patterns driven by seasonality, bursting, or external events.

Cisco SDWAN Cloud onramp for IaaS extends the visibility, reliability, and management of the SDWAN network from branches, remote sites, and campus to AWS. It allows for transport-independent any-to-any connectivity and end-to-end VPN segmentation. Tight integration with Amazon Virtual Private Cloud (VPC) enables organizations to automate network configurations with a consistent policy across branch, DC, and AWS, so that they can deploy and scale workloads on AWS faster. Cisco vEdge routers are deployed in a gateway VPC to connect branches and application VPCs. This enables administrators to easily scale up the VPC environment by reducing the number of point-to-point tunnels between an organization's branches and host VPCs, resulting in simplified WAN management, lower transport costs, and faster time to deploy. The gateway VPC also supports workload segmentation, especially when an organization deploys application VPCs across multiple AWS regions. The vManage component of the Cisco SDWAN solution orchestrates the WAN sites and Amazon VPCs to automate connectivity and provides full lifecycle management and network visibility into the entire SDWAN environment.


Wednesday, 20 February 2019

Practicing Responsible SSL Inspection in an SD-WAN Environment

One benefit driving enterprise SD-WAN adoption is improved branch connectivity to cloud applications via direct internet access (DIA). When performed securely, DIA cuts bandwidth costs and ensures a consistent user experience.

Looking at an SD-WAN fabric, WAN aggregation may seem outdated as headquarters and core locations no longer need to serve as fortified gateways to the internet. Despite these architectural changes, core locations can excel as aggregation points for more challenging security operations, such as Transport Layer Security (TLS) decryption, often called by its more common name, Secure Sockets Layer (SSL) inspection.

Security remains a top concern across the WAN. Enterprises want to detect the latest malware threats, yet the latest research shows that an estimated 70% of malware attacks are hidden in encrypted TLS traffic that network and security teams cannot see. With encrypted internet traffic increasing, SSL inspection has been promoted as a solution for finding hidden malware, but this is misleading for a number of reasons.

To Decrypt or Not


Though some SD-WAN vendors may tout their SSL inspection capabilities—such as hardware acceleration or off-loading—as evidence of product superiority, indiscriminate decryption across the WAN is not a sound practice. Decrypting sensitive traffic can violate privacy and data laws, and establishing whitelist policies to avoid violations is time-consuming and, at best, educated guesswork. Furthermore, many enterprise teams do not have the compute resources for wholesale SSL inspection, forcing them to suffer performance degradation as traffic enters the WAN.

Cisco addressed this challenge by developing a proprietary process known as Encrypted Traffic Analytics (ETA). With ETA enabled, Cisco SD-WAN platforms, such as the Integrated and Aggregated Services Routers (ISR and ASR), as well as the Enterprise Network Compute System (ENCS) hosting virtual devices, are able to categorize malicious traffic without performing decryption. Enabling ETA allows your SD-WAN fabric to apply more precise network policies, where any traffic flagged as questionable can then be backhauled to core locations for responsible decryption.

This is a unique process we call SSL Aggregation.
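ETA itself is proprietary, so the following added example does not reproduce it; it illustrates the underlying idea of classifying an encrypted flow from handshake metadata alone. The code parses a TLS ClientHello record (the unencrypted first message of the handshake), extracts the Server Name Indication and the offered cipher suites, and applies a branch policy: flows that are missing SNI, that offer no modern AEAD cipher suite, or that are not on a sanctioned-SaaS list are marked for backhaul to the core for inspection, while sanctioned flows take direct internet access. The ClientHello builder, the sanctioned-name list and the policy rules are constructed for the demonstration.

```python
"""Added example: decide 'direct' vs 'backhaul for inspection' from TLS ClientHello
metadata without decrypting anything. Not Cisco ETA; policy and inputs are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

# Cipher suite code points from the IANA TLS registry: TLS 1.3 suites and ECDHE-GCM suites.
MODERN_AEAD = {0x1301, 0x1302, 0x1303, 0xC02B, 0xC02C, 0xC02F, 0xC030}
# Constructed allowlist of sanctioned SaaS server names for this demonstration.
SANCTIONED_SNI = {"outlook.office365.com", "login.microsoftonline.com"}


def build_client_hello(sni: Optional[str], cipher_suites: List[int]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record (zeroed random, no session id)."""
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = b"\x03\x03" + bytes(32) + b"\x00"          # legacy version, random, session id len
    body += struct.pack("!H", len(suites)) + suites    # cipher suites
    body += b"\x01\x00"                                # one compression method: null
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        name_list = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        ext_body = struct.pack("!H", len(name_list)) + name_list
        exts += struct.pack("!HH", 0x0000, len(ext_body)) + ext_body  # server_name ext
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> Dict[str, object]:
    """Extract SNI and offered cipher suites from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # skip legacy version and random
    pos += 1 + body[pos]                          # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # skip compression methods
    sni = None
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000 and len(edata) >= 5:    # server_name: list len, type, len, name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"sni": sni, "cipher_suites": suites}


def classify(meta: Dict[str, object]) -> Tuple[str, str]:
    """Return ('direct' | 'backhaul', reason) using only handshake metadata."""
    if meta["sni"] is None:
        return "backhaul", "no SNI: destination cannot be vetted"
    if not MODERN_AEAD.intersection(meta["cipher_suites"]):
        return "backhaul", "client offers no modern AEAD cipher suite"
    if meta["sni"] in SANCTIONED_SNI:
        return "direct", "sanctioned SaaS endpoint"
    return "backhaul", "unsanctioned destination"


def decide(record: bytes) -> Tuple[str, str]:
    return classify(parse_client_hello(record))


if __name__ == "__main__":
    print(decide(build_client_hello("outlook.office365.com", [0x1301, 0xC02F])))
    print(decide(build_client_hello(None, [0x1301])))
    print(decide(build_client_hello("example.test", [0x000A, 0x002F])))
```

The design point is that every decision here is made from fields the client sends in clear; nothing is decrypted at the branch, and the core sees only the flows this first pass could not clear, which is the division of labour the SSL Aggregation section below relies on.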

Reasons to adopt SSL Aggregation


While Cisco SD-WAN enables industry-leading, zero-touch branch security capabilities, such as stateful firewalling, URL filtering, DNS monitoring, and Snort IPS, it is recommended to backhaul any traffic ETA flags as questionable to core locations for three main reasons:

◈ Greater physical space at core locations allows for more robust security layering, including products that are different from, or go beyond, what’s available through SD-WAN. A next-generation firewall (NGFW) with SSL Inspection, next-generation anti-virus (NGAV) that can detect fileless malware, or SIEM technology can help to remediate and log vulnerabilities after the malicious traffic is decrypted for inspection.

◈ Many enterprises manage thousands of branch office locations in their SD-WAN fabric. Even if SSL inspection capabilities exist at branch and remote office locations, the complexity of such data could overwhelm network and security teams. By consolidating malicious data flows into fewer ingress points, security management is simplified.

◈ Metadata created in conjunction with ETA can alert to zero-day threats that evade threat intelligence. Sending the flagged traffic to secure core locations is the safest practice when aiming to retain and utilize that data.

Given their superiority as secure hubs to isolate and examine malicious traffic, core locations make effective aggregation points for practicing responsible SSL inspection in an SD-WAN environment. Architecting this process is simple with Cisco.

Architecting SSL Aggregation



Combined with a Cisco Stealthwatch license, Cisco routing and compute platforms become ETA intelligent, able to identify potential hazards in encrypted traffic. The following Cisco platforms are recommended in a standard SSL Aggregation architecture:

◈ At the Branch: Deploying a 1000 or 4000 Series Integrated Services Router (ISR 1000; ISR 4000), or a 5000 Series Enterprise Network Compute System (ENCS 5000) will allow your branch locations to feed key telemetry data into Stealthwatch, enabling ETA across the SD-WAN fabric.

◈ Core/Colo/Campus/HQ: Because these core locations will receive high volumes of aggregated traffic, deploying 1000 Series Aggregated Services Router (ASR 1000) is recommended to handle increased flows. A Cisco Firepower Threat Defense (FTD) Next-Generation Firewall (NGFW) can decrypt the malicious traffic at the core and detect the threat.

Sunday, 23 September 2018

Improve Office 365 Connectivity with Cisco SD-WAN

As more applications move to the cloud, the traditional approach of backhauling traffic over expensive WAN circuits to the data center or a centralized Internet gateway via a hub-and-spoke architecture is no longer relevant. Traditional WAN infrastructure was not designed for accessing applications in the cloud. It is expensive and introduces unnecessary latency that degrades the user experience. The scale-up effect of the centralized network egress model, coupled with perimeter stacks optimized to handle conventional Internet browsing, often poses bottlenecks and capacity ceilings, which can hinder or stall a customer's transition to the SaaS cloud.


As enterprises aggressively adopt SaaS applications such as Office 365, the legacy network architecture poses major problems related to complexity and user experience. In many cases, network administrators have minimal visibility into the network performance characteristics between the end user and software-as-a-service (SaaS) applications. The 'one size fits all' approach that legacy network architectures often take, focusing on perimeter security without application awareness, does not allow enterprises to differentiate and optimize sanctioned and more trusted cloud business applications from recreational Internet use, resulting in the former being subject to expensive and intrusive security scanning that further slows down the user experience.

Massive transformations are occurring in enterprise networking as network architects are reevaluating the design of their WANs to support a cloud transition, reduce network costs, increase visibility and manageability of their cloud traffic, while ensuring an excellent user experience. These architects are turning to software-defined WAN (SD-WAN) to take advantage of inexpensive broadband Internet services and to find ways to intelligently route trusted SaaS cloud bound traffic directly from remote branches. Cisco SD-WAN fabric is an industry-leading platform that delivers an elegant and simplified secure, end-to-end hybrid WAN solution that can facilitate policy based, local and direct connectivity from users to your trusted, mission critical SaaS applications, such as Office 365, straight from your branch office. Enterprises can use this fabric to build large-scale SD-WAN networks that have advanced routing, segmentation, and security capabilities with zero-touch bring-up, centralized orchestration, visibility and policy control. The result is a SaaS cloud-ready network that is easy to manage and more cost-efficient to operationalize and that empowers enterprises to deliver on their business objectives.

A fundamental tenet of the Cisco SD-WAN fabric is connecting users at the branch to applications in the cloud in a seamless, secure, and reliable fashion. Cisco delivers this comprehensive capability for SaaS applications with the Cloud onRamp for SaaS solution in alignment with Microsoft’s connectivity principles for Office 365.

With Cloud OnRamp for SaaS, the SD-WAN fabric continuously measures the performance of a designated SaaS application through all permissible paths from a branch and assigns a score. This score gives network administrators visibility into application performance that has never before been available. Most importantly, the fabric automatically makes real-time decisions to choose the best-performing path between the end users at a remote branch and the cloud SaaS application. Enterprises have the flexibility to deploy this capability in multiple ways, according to their business needs and security requirements.

In some deployments, enterprises connect remote branches to the SD-WAN fabric using inexpensive broadband Internet circuits, and they want to apply differentiated security policies depending on the type of services users are connecting to.  For example, instead of sending all branch traffic to a secure web gateway (SWG) or cloud access security broker (CASB), an enterprise may wish to enforce their IT security policies in a targeted manner – by routing regular Internet traffic through SWG, while allowing performance optimal direct connectivity for a limited set of sanctioned and trusted SaaS applications, such as Office 365. In such scenarios, Cloud onRamp for SaaS can be set up to dynamically choose the optimal path among multiple ISPs for both applications permitted to go directly and for applications routable per enterprise policy through SWG.
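The per-path scoring described in the Cloud Onramp for SaaS passages (both in this post and in the earlier AWS post) and the differentiated SWG-versus-direct policy described just above, combined into one added example (illustrative code, not Cisco's vQoE or Cloud onRamp implementation): each ISP path is probed and given a 0 to 10 quality score from latency and loss, sanctioned applications egress directly over the best-scoring ISP, everything else is sent to the secure web gateway over the best-scoring ISP, and a hysteresis margin keeps the current path unless another is clearly better so the fabric does not flap between links. The scoring formula, budgets, sanctioned-application list and probe values are constructed for the demonstration.

```python
"""Added example: per-ISP SaaS quality score with flap damping, and a sanctioned-app
policy that sends trusted SaaS direct and the rest through a SWG. Not Cisco code;
the score formula and every value below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PathProbe:
    """Constructed HTTP probe result toward the SaaS endpoint over one ISP."""
    isp: str
    latency_ms: float
    loss_pct: float


def quality_score(p: PathProbe, latency_budget_ms: float = 300.0,
                  loss_budget_pct: float = 5.0) -> float:
    """Map latency and loss onto 0..10 (10 = ideal). Constructed formula: each metric
    is scaled linearly against its budget and the worse of the two dominates."""
    lat_pen = min(p.latency_ms / latency_budget_ms, 1.0)
    loss_pen = min(p.loss_pct / loss_budget_pct, 1.0)
    return round(10.0 * (1.0 - max(lat_pen, loss_pen)), 1)


# Constructed list of sanctioned, trusted SaaS applications allowed to bypass the SWG.
SANCTIONED_DIRECT = {"office365", "salesforce"}


def score_paths(probes: List[PathProbe]) -> Dict[str, float]:
    return {p.isp: quality_score(p) for p in probes}


def choose_isp(scores: Dict[str, float], current: Optional[str] = None,
               hysteresis: float = 1.0) -> str:
    """Best-scoring ISP, but keep `current` unless a rival beats it by `hysteresis`."""
    best = max(scores, key=scores.get)
    if current in scores and scores[best] - scores[current] < hysteresis:
        return current
    return best


def egress_decision(app: str, probes: List[PathProbe],
                    current: Optional[str] = None) -> Tuple[str, str, float]:
    """Return (egress, isp, score): 'direct' for sanctioned apps, 'swg' for the rest;
    in both cases the ISP is chosen by measured quality, as the policy above describes."""
    scores = score_paths(probes)
    isp = choose_isp(scores, current)
    egress = "direct" if app in SANCTIONED_DIRECT else "swg"
    return egress, isp, scores[isp]


# Constructed probe snapshot from a branch with two broadband ISPs.
PROBES = [PathProbe("isp-a", 60.0, 0.2), PathProbe("isp-b", 150.0, 1.0)]

if __name__ == "__main__":
    for app in ("office365", "video-streaming"):
        print(app, egress_decision(app, PROBES))
```

The hysteresis margin is the part most often left out of a first implementation: without it, two ISPs with scores that oscillate around each other cause constant path changes, which users experience as exactly the instability the scoring was meant to remove.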


To learn more about Cloud onRamp for Office 365, read our white paper. For more information about Cisco SD-WAN, click here.

If you’re attending Microsoft Ignite in Orlando next week, make sure to visit Cisco at booth #418. I’d love to show you how to improve your Office 365 connectivity and user experience using Cisco SD-WAN.