Wednesday, 11 July 2018

Service Provider Digital Transformation and Security

For many service providers, the digital transformation journey may not be the smoothest.

Many service providers (SP) are going through a phase where they are either trying to understand the new technologies or in the process of early adoption and implementation–with a majority just beginning to understand and adopt. New technologies like internet of things (IoT), cloud, software defined networking (SDN), network function virtualization (NFV), and others are predicted to have a tremendous implication on an SP’s core business model and their journey toward cost reduction and new service offerings.

Mergers and acquisitions are going to be the norm in the SP space. A broad spectrum of services under one umbrella, with consolidated customer bases, will increase customer stickiness and will be a differentiating factor for many SPs.

Ensuring Security is Built-in


As SPs introduce new technologies and pursue increased mergers and acquisitions, numerous security challenges arise. In many cases security is typically an afterthought and can quickly become a minefield if not considered early enough or done correctly during these acquisitions and mergers.

The other side of the SP journey is focused on their business strategy: they are working to make sure that their average revenue per user (ARPU) keeps increasing with the changing revenue models. One big opportunity in revenue generation is how SPs can monetize security and offer it to their customers.

Currently, majority of the SPs, as part of securing their digital transformation, are trying to think about how to proactively secure their network architectures. At the same time, they are working to make sure they have reactive capabilities and teams are in place — be it an incident response capability or employing strong forensic expertise within their teams or by working with a partner.

As SPs begin to realize how important security is to their business, they are correspondingly assigning increased budget to security initiatives.   IDC recently published an InfoBrief titled “A Pulse on the Service Provider Industry: Digital Transformation and Security Services” that indicates SPs have allocated up to 20% more for security products and services over the last two years.

Digital Transformation, Cisco Security, Cisco Tutorial and Material, Cisco Guides

Figure 1: Increasing security budgets: Year-Over-Year. Source IDC

In the process of moving toward a more secure infrastructure, the customers of SP are also in the same boat and want to better secure their infrastructure. This presents an opportunity for the SP to add security as a value-added play that can help a SP move the needle in revenue generation. According to IDC, 56% of SPs say they will expand their security services offering in the coming year due to customer demand. SPs are actively moving toward providing security advisory services like penetration testing, network architecture assessments, and breach response services, either through internal capabilities or in partnership with a 3rdparty provider.

According to IDC, the demand for security services are driven in large part by enterprises who are seeking assistance to deploy security appropriately in their digital transformation, secure cloud and data center migrations.

Digital Transformation, Cisco Security, Cisco Tutorial and Material, Cisco Guides

Figure 2: Security assistance needed during Digital Transformation. Source: IDC

By offering security advisory services, SPs can assure their customers they are in this journey together. They can demonstrate they want to help their customers scale up and improve their security posture, versus being a traditional SP, with limited offers. In addition, SPs can differentiate themselves against competitors by offering security services to their enterprise customers. Such services improve customer retention, revenue growth and can lead to higher customer satisfaction.

In summary: service providers have an opportunity to become their enterprise customers’ go-to team for ensuring that enterprises are securely moving toward the adoption of new technology.  SPs who do not have security as a core skillset should proactively seek 3rdparty partnerships to develop new security capabilities or to enhance existing security capabilities.

Cisco’s Security Services offer a broad portfolio that includes incident response, penetration testing, secure SDN/NFV, and cloud security that are designed to help SPs secure their infrastructure. In addition, Cisco and the service provider can partner together to build and deploy security capabilities that the SP can offer to their customers.

Sunday, 8 July 2018

ASR 9901 – More choice and flexibility in your hands

Innovation, quality and customer focus are part of Cisco DNA. Our customers expressed the need to have a platform that is compact, dense, flexible, feature rich and supports programmability.

I’m thrilled to announce the availability of ASR 9901 – a compact Two-Rack-Unit (2RU) platform designed for a wide variety of use-cases across Service Provider, Enterprise and Hyperscale Web providers. It complements nicely our impressive ASR 9000 portfolio.

ASR 9901, Cisco Study Materials, Cisco Guides, Cisco Learning, Cisco Tutorial and Material

The platform is scalable and delivers incredible 800 Gbps of throughput while also providing flexibility in terms of port speeds supporting 1/10/100 Gbps with industry leading MACsec encryption support on all ports. The ASR 9901 platform shares the same Operating System (OS) and custom silicon as the ASR 9000 family thereby providing operational consistency and advanced features such as Segment Routing, Ethernet VPN (EVPN), model-driven programmability & telemetry and other enhancements we brought into IOS XR.

Where does this box fit?


The ASR 9901 fits well into small Points of Presence (PoP), Colocation Centers (CoLo), where typical bandwidth demand is sub 500G but requires port flexibility, high 1G/10G density. The platform paves the way for customers to move to 100GE without having to sacrifice on Edge features. This platform supports broader applications such as Broadband Network gateway (BNG), Distributed Provider Edge, Internet Peering, Metro Aggregation, Data-Center Interconnect (DCI), Data-center/WAN Aggregation and Backbone router functions for Enterprises.

BNG


ASR 9000 as a Broadband Network Gateway (BNG) provides the fastest, densest and most reliable solution in the market. With industry leading geo-redundancy solution, you can let the network take care of maintaining the session states as well as management. The IOS XR BNG solution runs the same code base from a fixed 2RU solution to a multi-terabyte full rack chassis. This gives customers a huge portfolio of options without having to worry about re-validating their solution on every node. Now with BNG being pushed closer to the user, deploying ASR 9901 makes more sense with the system supporting higher BNG scale than the existing fixed chassis with support for automation, telemetry etc.

Distributed Provider Edge


Service Provider customers have been predominantly using the fixed systems as Aggregators and distributed PE’s because the platforms support the same scale as their modular counterparts. Continuing the tradition, the ASR 9901 will support the industry leading multidimensional scale (FIB, QoS) on the new compact chassis.

ASR 9901, Cisco Study Materials, Cisco Guides, Cisco Learning, Cisco Tutorial and Material

DCI


ASR 9000, more specifically ASR 9001 (fixed 2RU), has been deployed by customers as a Layer2 & Layer3 DCI, primarily supporting 10/40G speeds within data-centers. The ASR 9901 with the full support for EVPN & VXLAN capability will be a more viable solution for our customers as the DCI router with Nexus 9K integration through OpFlex .

Central Office Fabric


With customers looking for programmable fabric (CO Fabric) with Segment Routing (SR) underlay and EVPN overlay, ASR 9901 provides the smallest building block for feature rich service termination. Customers can drop in additional service PE’s if they need to support more services. This platform addresses the SR requirements with multiple MPLS label stacks (10 Labels) as well as deep buffers, hierarchical QoS and faster convergence.

In a nutshell, this new platform provides our customers with greater flexibility without having to compromise on features and also move to 100G in Small PoP’s, Colo’s.

Friday, 6 July 2018

Why Your Campus Network Needs Intent

In this blog, we look at the campus network, where IT professionals have traditionally required intricate, expert knowledge and extensive configuration expertise to manage a wide range of technologies and devices arranged in multi-tier switched or routed-access networks, complemented by wireless-overlay networks.

Campus networking can be hard! But help is at hand…


Access networks are at the heart of many IT teams’ operations, yet it can be no easy task for IT teams to authenticate, authorize, segment, monitor, and allocate the appropriate resources in a campus network. However, recent innovations in intent-based networking can bring relief throughout all phases of its operational lifecycle. Let’s explore how.

NB-09, Cisco DNA, Enterprise Networks, Cisco Security, Cisco Certifications

Simplify Provisioning for Campus Networks


With a Cisco intent-based network, administrators can start by automating software-defined-access (SD-Access) network configurations. Switches are added to the network using Digital Network Architecture LAN Automation, leveraging Cisco plug-and-play functionality. The DNA Center then pushes the correct configuration (consistent with the role of the device). The result? Automated provisioning of an entire campus network within minutes.

Manage by Identity, Not IP Address: Group-Based Policies for Endpoints


Before intent-based networking IT had to plan Internet Protocol (IP) addressing and virtual-local-area-network (VLAN) structure to separate users and devices into confined segments. IT teams have also had to take care of the associated Authentication, Authorization and Accounting (AAA) policies. These policies may have:

◈ varied by device type (think IoT) or user-group
◈ treated wired and wireless access differently.

Each device needs to be configured to represent the application policies that IT teams wish to implement for users or end-devices throughout the access network, in order to achieve the desired transport treatment.

In an intent-based network, endpoints are referenced by a natural expression of their identity, as opposed to classification by IP addresses.

Endpoints can then be grouped together based on their natural attributes, and a group-based policy (GBP) can then be applied. A large number of endpoints can then be treated as one – in a single group – which reduces the scale and complexity of the network (from the operator’s perspective). Overall, these natural and highly powerful abstractions can dramatically improve the human understandability and ease of operating a network.

Segmentation policies are abstracted by means of overlay networks.

Users and devices in a group-based policy can then be placed into their own virtual networks that are constructed independently of virtual local-area network (VLAN) tags or internet-protocol (IP) prefixes.

No more mental acrobatics!


In an intent-based-network application, policies – such as quality of service (QoS) – are also applied through the abstracted expression of intent. For example:

◈ applications can be marked (including: “business critical”, “default” or “irrelevant”)
◈ a Cisco DNA controller can then derive the desired configurations to support the intended application policy, taking the controller’s holistic knowledge of devices and state into account.

Automation then drives the desired capabilities into the network. No more mental acrobatics for network managers to determine command-line interface (CLI) commands! And no manual steps to configure each switch (and its operating system) in the network, individually via command-line interface (CLI)!

Express your segmentation policy by first associating devices or users with groups, and then groups to network segments – it’s that simple!

Since segmentation policies are anchored by a group tag in the virtual extensible LAN (VXLAN) frame headers, both wired- and wireless-connected devices can be treated consistently and in a unified manner.

NB-09, Cisco DNA, Enterprise Networks, Cisco Security, Cisco Certifications

Know What’s Going on in Your Campus Network


Comprehensive assurance functions provide a Cisco intent-based access network with major advantages over a traditional switched campus.

Historically network administrators have had limited visibility across a network, and limited tools to confirm that the network is operating as desired. Often, problems were only realized after the fact, when something in the network went wrong.

The assurance functionality of an intent-based network now provides ongoing visibility into network operations. Various forms of network data are gathered, recorded and analyzed continuously using sophisticated algorithms and machine learning to determine if the campus network is behaving as intended.

In case of discrepancies between the desired intent and actual operation, the assurance capabilities can even suggest remedies to take corrective actions.

Wednesday, 4 July 2018

Scaling Visibility and Security within the Operational Technology (OT) Environment

Mid- to large-sized enterprises have for many years built the operational technology (OT) environment like an egg – a hard exterior protected by traditional security elements such as firewalls, IDS/IPS, and malware detection (if you are lucky), but a soft interior leaving critical operational assets at risk against advanced threats and non-existent visibility.

As companies continue to digitize, more and more devices are getting added to the network. Therefore, visibility into the operational network has become critical in order to maintain secured operations. The image below highlights some of the things you may want to consider when it comes to securing the operational environment in today’s threat landscape.

Cisco Study Materials, Cisco Guides, Cisco Learning, Cisco Certifications

Cisco Stealthwatch overcomes the visibility and security analytics challenges by maximizing existing investments in your network infrastructure. It collects the rich network telemetry (NetFlow, sFlow, etc.), and performs a baseline of the network environment using behavioral analytics and multilayered machine learning to detect what is abnormal. We will discuss this in more detail but first let’s discuss the challenges most organizations are faced with today.

A hard exterior may include one, many, or all of the following items: firewalls, intrusion detection/prevention systems, content protection, DNS based controls, malware inspection, and email. These controls and inspection points may exist at the edge of the operational environment and/or within the business network. In the past, this was able to reduce a significant amount of risk to the operational environment but in today’s world it’s no longer enough. A soft interior presents a variety of risks which may include:

◈ Supply Chain: The firmware you downloaded was compromised by a bad actor – would you be able to determine or alarm on subtle behavioral changes to the network indicating something of interest?

◈ Normal Operations: Do you truly understand how the network operates 24x7x365 and are you able to detect changes based on new behaviors? These changes may be related to a security event but also may be based on a misconfiguration.

◈ Localized Malware: Malware introduced to systems from field technicians, contractors, USB keys, etc. Would you be able to detect the changes to the network behavior based on this new threat?

◈ Protection Agents such as anti-virus: Not all of your assets within the operational environment will support agents and/or the vendor will not allow agents onto systems and if installed, the vendor may revoke support. The network provides an opportunity to detect anomalous and/or bad behaviors without an agent

◈ Confidence in the control: Are you certain the controls in place are working 100% of the time. What about the fat finger syndrome when adding a control? Are systems talking to systems they should not be? The network can provide this much needed insight

◈ Compliance/Audit: Today, the audit process may include examining multiple access control lists and requires multiple teams highlighting if a control exists and if the communication to the environment meets the compliance requirement. Does this really ensure that the control was accurate throughout the year or only during the audit? The network can provide you the ability to go back throughout the year and prove the control was in place and no unauthorized communication took place

These are some simple examples of some of the challenges and risks when deploying a hard exterior only. As the operational environment continues to evolve and IP becomes more prevalent deeper within the operational environment, there is an opportunity to gain greater visibility leveraging network telemetry data; something that your operational environment may produce today. Note: not all telemetry data is the same but leveraging a technology that supports multiple network telemetry is advantageous to the consumer allowing for greater coverage.

Some of the benefits of leveraging the network not only include visibility into the operational process but also assists in troubleshooting the environment. I have captured a few of the business outcomes we have seen in customers’ environments as a result of deploying Cisco’s Stealthwatch solution.

◈ Host group zoning (or creating a logical boundary) within the operational environment to alarm on communications activity that violated the logical trust boundary. Business outcome: risks to the environment identified earlier in the process to maintain secure and trusted operations

◈ Anomaly detection discovered a compromised camera port-scanning the network. Business outcome: significantly reduced the time to detect and allowed the team to mitigate the threat sooner. No business operation disruption

◈ Problematic wireless access point on the factory floor that was occasionally flooding the plant floor with goofy packets. Business outcome: issue was mitigated sooner, which ensured that the integrity of the network was maintained

◈ Connectivity aberrations in the distribution network – abnormal but not necessarily an attack. Business outcome: optimized the network ensuring maximum operational uptime before the incident was realized within the operational environment

◈ Systems chatting with things that were supposed to be retired. Business outcome: removal of retired assets reducing the potential threat vector from the environment and optimization of the environment

◈ A spike in traffic that was not an attack itself but an indicator of change that may have disrupted the operational network if left unexamined. Business outcome: quickly identified the issue which allowed the right team to be engaged to mitigate the spike in traffic. This also removed the concern around a potential security breach optimizing resource allocation and reduced mean time to repair.

Cisco Stealthwatch provides deep visibility leveraging metadata (telemetry) from the network providing security at scale. It also integrates with other solutions to do full packet capture in areas where this is required. Stealthwatch can ingest any kind of telemetry from across the extended network including end-points, branch, data center, and cloud. Behavioral-based analytics, machine learning, and global threat intelligence that is 100% out-of-band is a recipe for success both in IT and OT environments!

Cisco Study Materials, Cisco Guides, Cisco Learning, Cisco Certifications

Sunday, 1 July 2018

What is CCNA Routing and Switching?

The Cisco Certified Network Associate (CCNA) certification is the second level of Cisco's five-level career certification process. A CCNA certification certifies a technician's ability to install, set up, configure, troubleshoot and operate a medium-sized routed and switched computer network. This also includes implementing and verifying connections to a wide area network (WAN).

CCNA Routing and Switching, CCNA Study Materials, CCNA Exam, CCNA Learning, CCNA Exam Tips

What are the other CCNA tracks? "Cisco Associate Level Certifications"

CCNA Routing and Switching, CCNA Study Materials, CCNA Exam, CCNA Learning, CCNA Exam Tips

◈ CCNA Security
◈ CCNA Wireless
◈ CCNA Collaboration
◈ CCNA Service Provider
◈ CCNA Data Center
◈ CCNA Cloud
◈ CCDA "Design"
◈ CCNA Industrial
◈ CCNA CyberOps (Cybersecurity Operations)


Which track considered the best?


There are 10 different CCNA tracks. Each of them is valuable but some are more valuable than others. The statistics show that cybersecurity track will be in a great demand in the coming years. Hundreds of thousands of cybersecurity specialists and experts will be in demand each year for the coming few years. So CyberOps will have a great value for the near future and most probably for the long term.

I’m not saying you should go for the CCNA CyberOps right now, I’m just talking about the market demands and statistics. You can read more about the most demanded CCNA certification here → What is the difference between the CCNA exams?

The main point I want to refer to in this topic is that no matter what track/s you decide to study and specialize, you first need to study the fundamentals and basics which you get only in the CCNA Routing and Switching.

Friday, 29 June 2018

Secure Your Mobile Connections with New IP Blocking Feature

When downloading an application from the App Store, do you actually check the logistics of it? For example, how is it connecting to the internet? Or an even more relatable scenario: that game you were playing while waiting in line paused to present an advertisement, was it triggered by an IP address or a DNS request? The majority of times, users don’t check or understand those nitty gritty details. We simply see something we like, click, and begin launching the app onto our devices.

Cisco Certification, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

However, what if that application is connecting to a malicious IP address? And in a case that your employee is using a corporate-owned iOS device and downloads that app; this presents a security gap.

Cover All Your Bases: IP Addresses and DNS Requests


The Umbrella extension within Cisco Security Connector serves as a first line of defense against threats by protecting users from malicious domains. Umbrella delivers both DNS-layer encryption and enforcement on top of an intelligent proxy that provides URL and file inspection for risky domains. Therefore, when your employee attempts to make any connections to the internet, Cisco Security Connector is there to protect your business against suspicious app and user-initiated network requests.

But applications can also connect to malicious IP addresses. To counter that, Cisco Security Connector is continuing to innovate with a newly added IP Blocking feature as a part of Clarity. This IP Blocking feature now provides complete network protection for your corporate-owned iOS devices. With just a few clicks, adminscan simply add a suspicious IP address to their blacklist and regulate that list accordingly; giving more control to businesses. Now, whether it’s a direct IP connection or DNS request, Cisco Security Connector can secure your users end-to-end.

Cisco Certification, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material
Image: iOS Events List

Cisco Security Connector


Cisco Security Connector allows businesses to gain deep visibility and control across all devices. With the ability to integrate with existing MDM/EMM such as Cisco Meraki Systems Manager, VMware AirWatch Cloud EMM, and MobileIron on-premises EMM, Cisco Security Connector ensures ease of deployment as well as adaptability to a business’s current environment.

With similar Cisco Advanced Malware Protection (AMP) capabilities extended to iOS devices, users can now gain insight into all application and device behaviors on all devices. Though most importantly, as part of the AMP console, admins can now have one single location to manage all their endpoints.

Unfortunately, we can’t control our employee’s actions on our network, but what we can control are the results of it. So, cover all your bases with Cisco Security Connector.

Wednesday, 27 June 2018

Network Management: Don’t React – Act

The future will bring a lot of changes for telecoms, internet and cable service providers: more data, more devices and more services. Cisco’s research predicts that by 2021, annual global IP traffic will reach 3.3 zettabytes (that’s 3.3 trillion gigabytes).

Cisco Study Material, Cisco Learning, Cisco Tutorial and Material, Cisco Certifications

There are two ways things can go for service providers. They can buckle under the pressure. Or they can find new operational approaches, that help them grow their business by creating the agile, powerful services their customers need.

Proactive Control with Cisco Crosswork


For service providers who want to maintain their competitive edge, the key will be automation: programming large, complex workflows so they can take care of themselves. Automation improves the way your network functions by reducing human error, inconsistencies, and service disruption. It allows you to stay on top of operations, with time to focus on what really matters.

Automation isn’t simple. But our engineers have spent a long time working out how it can best be supported. The result is Cisco Crosswork, a new framework for approaching network operations. With its three key pillars – mass awareness, augmented intelligence, and proactive control – it enables service providers to work with unprecedented precision and efficiency.

Cisco Crosswork gathers comprehensive data and then runs this through a sophisticated analysis, enabling actionable insights. At its heart is the Cisco Network Services Orchestrator (NSO), which uses advanced data models for intent-based networking, and is proven to work across network elements from different vendors.

This creates many benefits for service providers. It helps them protect themselves against ever-evolving security threats, maintain stringent service level agreements, and discover valuable new revenue streams.

Transforming Level 3’s* Network


One service provider that has adapted to meet new customer demands is Level 3 (*now part of CenturyLink). Level 3 realised that their customers increasingly expected instantly available services with less complexity and less overhead – and that included capacities like integrating third-party cloud services.

Powered by the Cisco NSO, the business put together a powerful set of programmable wide area networks that enabled it to automate a wide range of services in markets around the world.

This meant that Level 3 could design and deliver services more quickly, using a single modelling language and a single data store. The company was able to automate tens of thousands of tasks monthly, offer bandwidth scalability of up to 300%, and enable the management of 5,000 network devices around the world. Services could be adapted within minutes or even seconds while running, with no disruptions.

Innovation Through Automation


Results like these explain why many service providers are considering automating their networks as they look to ensure they are capable of meeting new challenges. Intelligent, end-to-end automation offers them a transformed landscape. Instead of constantly trying to play catch-up with events, they can make more informed decisions, using information about the service, the end user, and all of the multi-vendor devices in their service chain.

We want to help service providers bring about a shift in their approach to running networks. To move away from managing functions in separate silos, towards a world of intelligent, holistic operations. Forward-looking service providers understand that if they can transform their network in this way, they will boost their innovation and effectiveness for years to come.