Solving Security and Compliance Problems with Cisco Business Critical Services

Organizations today need to be both nimble and secure. They’re adopting Cloud, IoT, and machine learning at increasingly quickening speed as well as evolving their applications and endpoints as well as campus, data center, and WAN networking to adapt to their digital business as well as address security risks. At the same time that compliance regimes are a moving target putting increasing pressure on organizations.

In this ever changing world, many organizations struggle with maintaining good security and compliance hygiene. Year over year, IT departments attempt to manage through compliance drift as networks evolve, new systems are added, configuration changes are made, and knowledgeable individuals leave their teams. Poor audit management practices increase audit fatigue and risk even higher rates of attrition. Add requirements for risk assessments, penetration tests, privacy impact assessments, and robust processes; not to mention the pressures of being able to identify and respond to an evolving security threat landscape and the operational pressures, including OpEx spending, can be immense.

About Business Critical Services 

Business Critical Services is the next generation of subscription based advanced services. By leveraging our expert guidance, analytics, and automation solutions, we can not only address resilience, flexibility, and support concerns, but can craft ongoing services to help manage security threats and reduce compliance overhead while decreasing OpEx, allowing customers to focus on activities that most contribute to the growth of their businesses.

Solving Compliance Problems with Business Critical Services

Business Critical Services includes a wealth of offers, or deliverables, which help customers reduce compliance drift, decrease operational churn, and drive increased compliance fidelity regardless of the compliance requirement. From automated compliance hygiene to Privacy Impact Analysis, Business Critical Services enables customers to right size a solution that meets most compliance requirements they face. For example, a customer that must be compliant to the Payment Card Industry – Data Security Standard (PCI-DSS) may choose to take advantage of the following Business Critical Services:

◈ Automated Software Compliance and Remediation, Configuration Compliance and Remediation, and Regulatory Compliance & Remediation form the core of our compliance offerings. These services automate the tasks of identifying and remediating compliance drift by validating that software versions are up to date, vulnerabilities are identified and remediated, and configurations are compliant to both regulatory requirements as well as defined gold standards.  All of this is central to several PCI-DSS requirements.  These services alone provide much needed operational relief from maintaining compliance and provide evidence for your auditors to review.

◈ Security Compliance Assessment augments our automated capabilities using Cisco compliance experts to validate policy, processes, and technical requirements where assessment cannot be automated. When combined with our automated compliance capabilities, this provides a comprehensive view of audit readiness and both tactical and strategic remediation requirements. For PCI-DSS, we review the complete set of requirements, enabling customers to make audit outcomes more predictable and eliminate last minute remediation scrambles.
Network and Application Penetration Testing within Business Critical Services can be used to meet the PCI-DSS requirements to perform these tasks regularly.

◈ Enterprise Security Advisor provides a strategic resource to help drive security and compliance. The best use of this service for Compliance is to engage Cisco as a program manager to collect, collate, and present evidence to your auditor while managing your IT compliance processes, reducing audit fatigue on your staff and freeing up individuals to focus on business growth and digital transformation.

Solving Security Problems with Business Critical Services

In addition, Business Critical Services, can be used to solve operational and ongoing security issues, helping reduce the attack surface of our customers while identifying and helping to remediate vulnerabilities, ensuring the upkeep of security infrastructure, planning and accelerating security architecture transformation, and managing to security threats and incidents. This includes:

◈ An Incident Response Retainer providing both proactive and reactive threat management activities to our customers. We offer one of the most robust and flexible retainers in the business.

◈ Our automated compliance offerings also support good security hygiene, evaluating and remediating configuration and software exposures that expose up attack surface

◈ Health checks and optimization services to facilitate proper maintenance and management of security systems, protecting and enhancing the return on investment for Cisco security architecture.

◈ A Technical Knowledge Library including guides and best practices for security infrastructure to help customer staff manage their security controls

◈ Network Device Security Assessment to analyze security device configurations and firewall rules to identify gaps and recommend remediation

◈ Collaboration Security Assessment to protect against threats to Cisco Unified Communications, video collaboration, and contact center solutions.

◈ Security Metrics Program support to design and manage KPIs to communicate control effectiveness and levels of risk to management

◈ Cyber Range Workshops to provide security operations training to SOC staff

◈ A robust set of security assessments to identify and recommend remediation to security vulnerabilities including Network, Wireless, Application, Social Engineering, and Physical

◈ Penetration Tests as well as Security Risk Assessment, Network Architecture Assessment, and third party risk management program support.

◈ Security Program Assessment and Security Strategy Planning Support to help support not just your strategic security initiatives, but also help review and improve your critical security practices and establish an enterprise security strategic roadmap

◈ Cloud Security Strategy support to help recommend security operations and technology improvements to support Cloud transformation

◈ Security Segmentation Architecture Design to help develop a roadmap to accelerate and transform the network security at our customers organization

◈ Finally, a flexible Enterprise Security Advisor service to provide program management, expert advice, and otherwise support security evolution as well as an Architecture Management Office to help drive technical change throughout customer organizations

Taken together, this robust set of subscription based offers within Business Critical Services can help customers address both the most mundane and repetitive, but critical, security tasks, drive security improvement through assessments and training, and both set and help execute strategic security direction at our customers. I can’t think of any other security company on the planet that can match this comprehensive set of security and threat management services and deliver them under an annual subscription besides Cisco.

Continue reading

5G Security Innovation with Cisco

We have been working with Service Providers and various colleagues across the world to develop the threat surface and use cases to properly apply 5G today and in applications coming tomorrow.  We call your attention to our white paper and to our session on this topic at Cisco Live US in Orlando.  The title of the session is BRKSPM-2010 (Security for Mobile Service Providers).

5G touches almost every aspect of the way we live our lives. It’s not just about faster, bigger or better, it’s about utilizing 5G as an enabler to a series of services that we all will consume in every aspect of our lives. The time is NOW to consider the security implications and cyber risk profile that come with 5G. The business operational risk, legal risk and reputational risk of not only the companies who provide 5G transport, but allcompanies, nation states and individuals who provide the services that will utilize 5G. The time is now to evaluate the cyber risk posture and apply innovative thoughts to how we can approach these challenges today and build for what’s to come tomorrow. Many IoT(Internet of Things) services will utilize 5G services. The intersection of 5G and IoT brings an extension of the existing threat surface that requires careful consideration from a cyber risk perspective. This white paper highlights innovative thoughts which enable you to take action and meet the challenges creating a security safety net for the successful deployment and consumption of 5G based services.

5G is as much the application of new architectural concepts to traditional mobile networks as it is about the introduction of a new air interface. The 5G mobile network intentionally sets out to be a variable bandwidth heterogeneous access network, as well as a network intended for flexible deployment. Aside from the usual reasons of generational shifts in mobile networks, i.e. those concerned with the introduction of networking technologies on lower cost curves, the 5th generation of mobile networks has to be able to allow the mobile service providers to evolve towards new business models that may result in future modes of operation that are very different from those of today. This presents a problem from the view point of securing such a network. The need to be flexible increases the threat surface of the network.

Security provides the foundation of service assurance. Adversaries and the threats that they impose against the networks used to deliver critical services continue to get smarter, more agile, and more destructive.

Networks used to deliver applications continue to converge, making it more important to properly segment threats and vulnerabilities by domain, while examining the aggregate threat landscape at the same time.

Examples of this include the evolved packet core where traditional and mobile services share an infrastructure leveraging the carrier data center and cloud for operational efficiency and also for service delivery. Cisco’s architectural innovations and evolution of existing networks to meet the needs of new service models like IoT services pushing technology evolution such as mobile edge compute and widely distributed secured data centers introducing a new set of visibility and control elements to handle the evolved threats.  In order to properly secure the “full stack” that delivers a connected application, two fundamental elements are applied: visibility and control. Visibility refers to the ability to see and correlate information from the carrier cloud to baseline proper behavior and then to measure deviation from that norm. Simply said, “If you can’t measure it, you can’t manage it.” Sources of visibility come from traditional network measurements (netflow, open flow, etc.), but the need to measure all aspects of a flow, from all elements of the carrier cloud to the application to the end customer, has changed what data is collected and where we get it. An example of the new visibility includes the use of application level probes that are synthetically generated and travel through the network to get a clear picture of how an application is behaving. Another example is where the Path Computation Element, which has a near real time database representing the network topology, is queried programmatically to determine the impact of a potential mitigation action on critical service classes for DDoS. Once all of the telemetry is gathered, a security controller and workflow will analyze it and determine, based on policy, suggested mitigation and controls to be applied. Of course, we have an iterative loop of constant learning. The Cisco Talos research team keeps our customers ahead of the game by its threat research and deployment of mitigation rules into our full portfolio of products, removing that burden from the Service Provider allowing them to focus on their core competencies.  Control refers to the actions taken to mitigate an attack. Some controls are taken proactively while others are applied after an attack takes place. There are two types of attacks. Day zero attacks are threats that we don’t previously have a fingerprint for. Typically deviations in known good behavior of the carrier cloud and applications that request service and state from it, are identified by the security controller and some action is then taken to mitigate the attack or to get additional visibility, an action sometimes taken to properly identify the adversary. Day one attacks are threats that we have a signature or fingerprint for and, quite often, a mitigation strategy exists in advance to handle the attack. Controls take the form of modifications to the carrier cloud to apply quality of service changes in per hop behavior to minimize the impact of an attack and also take the form of physical and virtual security assets applied as close to the source of the threat as possible in order to minimize collateral damage.

The information that the operator has that delivers the application is vast. Innovation in the way that we apply the information we have, in a close loop iterative process, is a recent innovation in threat visibility and mitigation. This is where automation, orchestration and NFV meets security to solve today and tomorrow’s security needs. The three elements of the closed loop iterative process are: policy, analytics, and the application delivery cloud (the whole transaction from the application to the networks used to serve it).  Operators can now apply innovative methods to correlate geo-location information to behavioral analytics, compare those against policy in the context of a threat to the carrier cloud, and ascertain the nature of that threat and what to do about it with far greater clarity. Visibility and control properly applied to the advanced threats of today offer the carrier cloud a level of protection. We must continue to evolve, grow and get smarter to keep our networks safe and resilient in the time of attack.

Continue reading

Business Outcomes are Driving theJourney from Finger Defined Networking (FDN) to Software Defined Networking (SDN)

Business Outcomes are driving the journey from Finger Defined Networking (FDN) to Software Defined Networking (SDN).

The industry is going through an exponential surge in bandwidth consumption along with high volumes of new devices/subscribers coming on line every day. It is fair to say that the Operation teams of Service Providers will struggle to keep up with adding many more devices every year in their current operating environments. The proliferation of 5G and Internet of Things (IoT) will lead to new business opportunities, but it will depend on Software Defined Networking (SDN) to deliver network performance with broader connectivity. Cisco’s Industry leading Network Services Orchestrator (NSO), Wide Area Networks (WAN) Automation Engine (WAE) and Segment Routing XR Traffic Controller (XTC) are the basic building blocks of our SDN solution within the Cisco Crosswork Automation framework.

Operational benefits of converting from FDN to SDN:

Automation of network functions and speed are needed to  meet the diverse needs of customers with a high level of quality of service.

Network automation: Cisco’s Automation framework helps automate workflows, services and applications – increasing efficiency in network resources and maximised path optimisation. Management and orchestration of network and services are centralised into an extensible orchestration platform by  automating the provisioning and configuration of the entire infrastructure and network services.

Speed and agility: In a rapidly changing network environment, IT policies or resource allocation are evolving all the time. In addition, deployment of new applications and business services has to be fast. With Cisco’s Software-Defined WAN (SD-WAN), networks are managed centrally and rolled out across the enterprise in real time, responding speedily to new business challenges with less bandwidth. To complement, Cisco’s NSO makes it easy to orchestrate application-based service chaining, accelerating delivery.

Orchestrated Assurance: Cisco Network Service Orchestrator solution’s augmented intelligence automatically tests deployed services and proactively monitors service quality from end user point of view providing quality assurance. Service providers can validate SLAs and resolve issues faster, bridging the gap between service fulfillment and assurance.

Business Outcomes from SDN

Our Modular Network Automation framework enables network optimisation and helps deliver use cases that reduces both Capex and Opex.  According to Cisco’s  analysis on automation, some typical results include up to 70 percent improvement in operational efficiency and up to 30 percent revenue uplift. Other business outcomes from SDN include:

Scalability: Deploying large number of network elements, integrating the network, activating services, on-boarding millions of subscribers or IoT devices, managing network operations and service up-time can be achieved with mass-scale automation. Cisco’s Automation Framework delivers complete lifecycle management for all the building blocks of network. It is  automated to minimise human resources and errors, and enables optimal traffic flows through network path optimisation.

Reduced manual errors: Human driven network changes are prone to errors, time consuming, and lack comprehensive validation. This is greatly reduced by automating the provision and configuration of the entire infrastructure and services. This typically reduces opex overhead and technician’s precious time spent on manual work. Embarrassing network/service outage and unpleasant customer experience can also be avoided.

Agility: Augmented intelligence residing in SDN with close loop automation enhances network responsiveness. Application deployment can be as fast as minutes on any platform without compromising user experience. This gives service providers the flexibility to meet network-on-demand offering self-service portals. Delivery of network services are faster and network’s ability to quickly and proactively resolve issues when they arise to ensure customer quality of service. This is also the result of auto-remediation and self-healing with big data analytics and augmented intelligence.

Here are some of the use cases delivered by Cisco’s Transport SDN and Automation framework:

1. Orchestrated Network Optimisation

2. Seamless Network Optimisation (Bandwidth Optimisation)

3. Bandwidth on Demand

4. Operating System Upgrades

5. Device Port turn up

6. Zero Touch provisioning

7. Device and Service migration

8. Metro Ethernet services.

The result of network automation is enhanced customer experience, faster service delivery, with increased business realisation and productivity.

Continue reading

Microservices Deployments with Cisco Container Platform

Technological developments in the age of Industry 4.0 are accelerating some business sectors at a head-spinning pace. Innovation is fueling the drive for greater profitability. One way that tech managers are handling these changes is through the use of microservices, enabled by containers. And as usual, Cisco is taking advantage of the latest technologies.

From Cost Center to Profit Center

In this new world, IT departments are being asked to evolve from cost centers to profit centers. However, virtualization and cloud computing are not enough. New services developed in the traditional way often take too long to adapt to existing infrastructures.

Because of such short life cycles, IT professionals need the tools to implement these technologies almost immediately. Sometimes one company may have many cloud providers in a multicloud environment. Containers give IT managers the control they were used to in the data center.

Microservices and Containers

But what if you could break up these entangled IT resources into smaller pieces, then make them work independently on any existing platform? Developers find this new combination of Microservices and containers offers much greater flexibility and scalability. Containers offer significant advantages over mere virtualization. Containers supercharge today’s state-of-the-art hyperconverged platforms and they are cost-effective

A remaining challenge is to get companies to use containers. The adoption of a new technology often depends how easy it is to deploy. One of the early players in container technology is Kubernetes. But getting Kubernetes up and running can be a major task. You can do it the hard way using this tutorial from Kelsey Hightower. Or you can take the easy route, using the Google Container Engine (GKE).

Cisco Container Platform

Another easy-to-use solution is the Cisco Container Platform (CCP). Cisco’s takes advantage of the company’s robust hardware platforms and software orchestration capabilities. CCP uses reliable Cisco equipment that enable users to deploy Kubernetes, with options for adding cloud security, audit tools, and connectivity to hybrid clouds. Notice the growing popularity of the Kubernetes platform in the graph below:

Use Cases

Space does not permit the inclusion of all the potential use cases of Cisco Container Platform and its accompanying software solution. Here are just a few examples we would like to highlight:

#1: Kubernetes in your Data Center

For agility and scale, nothing beats native Kubernetes. Developers can easily deploy and run container applications without all the puzzle pieces required in traditional deployments. This means a new app can be up and running in minutes rather than days or weeks. Just create one or more Kubernetes clusters in Cisco Container Platform using the graphical user interface. If more capacity is needed for special purposes, simply add new nodes. CCP supports app lifecycle management with Kubernetes clusters and allows for continuous monitoring and logging.

#2: Multi-tier App Deployment Using Jenkins on Kubernetes

Developers are often frustrated because of the time it takes to get their applications into production using traditional methods. But these days it’s critical to get releases out fast. Using open-source solutions, Cisco Container Platform is able to create the continuous integration/continuous delivery (CI/CD) pipeline that developers are looking for. CCP takes advantage of Jenkins, an open-source automation server that runs on a Kubernetes engine.

BayInfotech (BIT) works closely with customers to implement these CI/CD integrations on the Cisco Container Platform. While it may seem complicated, once the infrastructure is set up and running, developers find it easy to create and deploy new code into the system.

#3: Hybrid Cloud with Kubernetes

The Cisco Container Platform makes it easier for customers to deploy and manage container-based applications across hybrid cloud environments. Currently, hybrid cloud environments are is being achieved between HyperFlex as an on-premises data center and GKE as a public cloud.

#4: Persistent Data with Persistent Volumes

Containers are not meant to retain data indefinitely. In the case of deletion, eviction or node failure, all container data may be lost. It involves the use of persistent volumes and persistent volume claims to store data. Further, when a container crashes for any reason, application data will be always retained on the persistent volume. Customer can reuse the persistent volumes to relaunch the application deployment so that customer will never lose the application data.

Continue reading

Managing a DAA Hub with Analog and Digital Nodes in a Single Context

The building blocks for a distributed access architecture (DAA) are shipping from Cisco. More than 60 customers in 25 countries spanning 4 continents have received key DAA components, such as Remote PHY nodes, Remote PHY shelves, cBR-8 digital cards and Smart PHY automation software. DAA holds much promise to simplify cable operations and improve overall network reliability and makes it easier to manage and configure the cable network and the services that are delivered by the network. As part of DAA, employing Remote PHY devices (RPDs) in nodes are a key element to enable 10G digital optics, Ethernet and IP used for delivering services to nodes.

Another network element that is key to DAA success is a rack mounted RPD shelf. Rack mounted RPDs are designed to connect analog nodes to digital Converged Cable Access Platform (CCAP) cores. Installed in the hub or headend, they are connected to CCAP cores via 10G digital optical connections routed through Layer2/3 Ethernet switch routers. The output of each rack mount RPD is traditional RF analog broadband, which is connected to analog fiber optics that transmit to and from legacy analog nodes in the access network. Rack mounted RPDs allow digital fiber optics and Ethernet to replace cumbersome RF hub-based coaxial distribution cables and amplifiers that were used to feed analog optical transmitters.

There are two use cases for RPD shelves. The first use case is to enable one CCAP core to serve multiple small and/or distant hubs via digital fiber (i.e. hub site consolidation). The benefits are appreciable savings in both CCAP equipment and operations costs, because RPD shelves enable CCAP processing in fewer locations, using longer distance digital optics between one CCAP core and multiple remote hubs, each with one or more RPD shelf.

However, there is a second, equally valuable benefit of RPD shelves. Consider a network in which a large portion, but not all, of the hub nodes will be upgraded to an N+0 (node + 0), DAA architecture.  For this portion of the network, it doesn’t make economic sense to rebuild and convert existing analog nodes to digital (RPD) nodes. The cable operator is faced with operating and managing a portion of the network with conventional edge QAMs, combining networks and analog optics, while the majority of the network employs digital optics, Ethernet and IP routing to do the same things. Instead of making operations simpler, operations is faced with supporting both the legacy network and the new digital network, having to support two very different operating procedures simultaneously in the same hub.

By using Remote PHY shelves to provide all connectivity to analog nodes, this problem is solved. A single, unified mode of operations is created for the hub, across both the analog and digital portions of the network. Specifically, RF combining networks and amplifiers in the hub can be completely eliminated, replaced by Ethernet switches and digital optics. Video services can be converged with data through the CCAP core if desired. Analog RF outputs from CCAP platforms can be eliminated, and CCAP platforms can be operated as CCAP cores, resulting in a higher service group density per platform. Future node splits can be done in digital, even if the node being split is analog. Simply put, Remote PHY shelves enable a hybrid analog/digital network to be managed as a single DAA network.

Software and hardware interoperability continue to be essential for enabling a DAA. The Open Remote PHY Device (OpenRPD) initiative was established to stimulate the adoption of a DAA by providing reference software for OpenRPD members, encouraging future OpenRPD devices to be based on interoperable software standards and enabling them to develop OpenRPD devices more quickly than by developing code from scratch. Cisco continues to be a key member of the initiative, openly developing and contributing significant portions of RPD software code to the initiative. To verify that hardware and software interoperability work as advertised, CableLabs® has established thorough CCAP core and RPD interoperability testing. Cable operators looking to migrate to a DAA can look for CableLabs’ stamp of interoperable approval and be confident that the devices they choose will work in a multivendor network. As an active participant in interoperability testing, Cisco is committed to interoperability.

The Distributed Access Architecture is a dramatic evolutionary change in the cable network. It is a step toward cloud-native CCAP and the evolution of cable networks to a Converged Interconnect Network (CIN). With our comprehensive hardware and software portfolio for DAA, including the cBR-8 platform, Remote PHY digital nodes and Smart Digital Nodes, Remote PHY shelves that can be configured for redundant operation, and SmartPHY software, Cisco can help cable operators radically simplify the configuration and management of DAA networks.

Continue reading

Cisco’s Fanless Catalyst 2960-L Switch for Unleashed SMB Performance

Making an investment in IT is more critical today than ever before for a small- to medium-size business. With so many open-air business settings and anywhere, any location workspace bring technology up close and personal. Cisco’s insight into saving  space and reducing noise makes everyone—from librarians to your coworkers—happier than ever.

We live in a connected world of phones, laptops and tablets in our hands, and we’re surrounded by our technology of whiteboards, routers, wireless access points, and switches that connect multiple devices on the same network within a building or campus. A switch is necessary because it enables connected devices to share information and talk to each other.

Cisco’s Catalyst 2960-L fanless switch.

Why does a feature like fanless matter? Fanless means quiet and compact. Compact because the use of fans requires airspace and airflow. A fanless switch  can be put in smaller spaces that wouldn’t normally work. A typical network switch is a bit noisy. Some networks range from a hum to what is best described as “helicopter-like whirling. That can be distracting in offices, retail, hospitality or clinics where noise can be an issue.” Being fanless opens up options for smaller organizations to create a robust network in smaller spaces than before.

The Cisco Catalyst 2960-L has been designed for just an environment. The Cisco Catalyst 2960-L Series switch isn’t just any fanless switch: it’s the industry’s first 24-port and 48 port 1 Gbps, POE, fanless switch.

Reliable, Secure and Intuitive

The Cisco Catalyst 2960-L includes a host of reliability and security features that come with Cisco IOS. And the Cisco Catalyst 2960-L is preloaded with Cisco Configuration Professional for Catalyst (CCPC) built-in. CCPC provides users with an easy-to-use and intuitive graphical interface to configure, manage and monitor a standalone, stack or cluster of Cisco Catalyst switches.

Key features that solve problems for SMBs:

◉ Quiet and cool operations — You won’t even know it’s there

◉ Small form factor — Great for mounting in confined spaces to be inconspicuous for hospitality, cruise ships, healthcare or retail locations.

◉ Perpetual PoE — Power over Ethernet for all connected devices avoids unnecessary power cabling to connect to the switch.

◉ Automatic switch recovery — No touch recovery. You can also configure automatic recovery on the switch to recover from the error-disabled state after the specified period of time.

◉ Bluetooth connectivity — You can access the Command-Line Interface (CLI) through Bluetooth connectivity by pairing the switch to a computer.

◉ Cost-effective connectivity — Ideal for branch offices, wired workspaces and infrastructure networks; conventionally wired workspaces with PC, phones and printers; building infrastructure networks to connect physical security, sensors and control systems; and any application requiring fast Ethernet connectivity and a low total cost of ownership.

◉ Enhanced limited lifetime hardware warranty — Next-business-day delivery of replacement hardware where available and 90 days of 8×5 Cisco Technical Assistance Center.

◉ Built-in web-based GUI: Catalyst 2960-L supports a day-zero GUI called Cisco Configuration Professional for Catalyst (CCPC) to help with easy deployment of the switch without the need for a CLI.

— Simple provisioning
— Easy-to-use diagnostics
— Performance at-a-glance dashboard

With these features, we believe our small business customers can affordably expand their IT reach.

Continue reading

Intent-Based Networking in the Cisco Data Center

We’ve continued to expand our solutions to deliver Intent-Based Networking to our customers. Our years of designing, building, and operating networks tells us that you just can’t add automation to existing processes. The scale, complexity and new security threat vectors have grown to a point where we need to rethink in some fundamental ways how networks work, and beyond that, how networks and applications interact. Let’s dive in to what Cisco means by Intent-Based Networking, and how it can help you run your data center more efficiently and more intelligently for your business.

Networking is shifting from a box-by-box, configure-monitor-troubleshoot model to a model where the network globally understands the intent, or requirements, that need to be satisfied, automatically realizes them, and continuously verifies the requirements are met. This process has 3 key functions – translation, activation, and assurance.

Understanding the “intent” cycle in the data center

Translation: The Translation function begins with the capture of intent. Intent is a high-level, global expression of what behavior is expected from the infrastructure to support business rules and applications. Intent can be captured from multiple locations; for instance, users may directly provide requirements or built-in profiling tools, capable of analyzing behavior in the network and workloads, may automatically generate them. Once intent is captured, it must be translated to policy and validated against what the infrastructure can implement.

Activation: The Activation function installs these policies and configurations throughout the infrastructure in an automated manner. This covers not just the network elements – physical and virtual switches, routers, etc. – but also covers software-based agents installed directly in the workload. Additionally, as datacenter networks become multicloud, this must work across multiple datacenters, colocation environments, and even public clouds.

Assurance: The last function, Assurance, is an important part of what makes Intent-Based Networking unique. It’s a new function we’ve never been able to offer in the network before. Assurance is the continuous verification, derived from network context and telemetry, that the network is operating in alignment with the programmed intent. It offers a continuous ground truth about not just what’s happening but also what’s possible in your network. It helps you confidently make changes with the advanced knowledge of how they will impact your infrastructure.

What Intent-Based Networking means for the data center

Now let’s think about Intent-Based Networking and its translation, activation, and assurance functions in the context of some of our datacenter products, Cisco ACI, Nexus 9000, Network Assurance Engine (NAE), and Tetration.

Cisco ACI offers a policy-based SDN fabric capable of providing translation and activation functions for the network. The Application Policy Infrastructure Controller (APIC) exposes a policy model abstraction that can be used to capture higher level requirements and automatically convert them into low level or concrete configuration. This configuration is automatically and transparently communicated to the network infrastructure, including Nexus 9000 switches, as part of the activation process.

Cisco Network Assurance Engine fulfills the assurance function in the network. NAE was designed to integrate with both the network devices as well as a network controller such as the APIC. NAE reads policy and configuration state from APIC as well as configuration, dynamic and hardware state on each device. Using this information to build a mathematical model of the network, NAE is able to proactively and continuously verify that the network is behaving in accordance with the operator intent and policy captured in the APIC. By codifying knowledge of thousands of built-in failure scenarios that run continuously against the model, NAE can identify problems in the network before they lead to outages and provide a path to remediation. It is precisely this closed-loop behavior that characterizes an Intent-Based Networking design.

Cisco Tetration contributes to multiple functions in an Intent-Based Network at an application and workload level. Its application dependency mapping capabilities play a critical role in profiling applications and ultimately capturing intent. Its cloud workload security and segmentation capabilities provide a means of delivering (or activating) a highly automated, zero-trust security environment. This includes advanced capabilities such as detecting software vulnerabilities, identifying deviations in process behavior in addition to building whitelist segmentation policies based on real-time telemetry. And Tetration’s network performance, insight, and forensic capabilities provide visibility and assurance of what is occurring in your environment.  It can described as a time machine or “DVR” due to its ability to play back past network behavior and model future trends.

Continue reading