Friday 8 March 2019

3 Unexpected Ways to Boost IT Efficiency, Uptime and Resolve Issues Quickly

Like the engine in a race car, IT is at the heart of your business: it keeps the business running around the clock, delivers new products and services, drives transformation, and extends your reach into new markets globally. So it is no surprise that two of the top three operational priorities for CIOs are delivering stable IT and increasing operational efficiency.

Keeping your IT engine secure and running at optimal performance while meeting the needs of the business can be a lot to juggle. With limited time and resources, your time is best spent on what matters most for your business. In fact, forty-six percent of IT organizations use outsourcing to access skills, and thirty-two percent plan to increase their outsourcing spend.

Having the right IT services pit crew in place is critical: one that not only has the expertise to keep your network up and running but also delivers business value, and that can resolve problems quickly when something goes wrong, so you can focus on more important matters.


Here are three things to consider that will improve efficiency and uptime, and help you resolve problems quickly, to keep IT stable.

1. Have better visibility to operate more efficiently


A key part of keeping everything running smoothly and error-free is knowing exactly what is installed in your network. Without tooling, you have two options, each with its own drawbacks: log in to each device manually, or run a collection of scripts that each gather part of the information needed to build an inventory view. Depending on how many devices you manage, the first option is very labor intensive, while the second is error prone. Any device you miss is invisible to you: it is not tracked for known vulnerabilities, and finding it later adds still more manual effort.

Cisco Smart Net Total Care makes gaining insight into your installed base effortless and automated, through the Smart Net Total Care portal and collector software that automatically gathers device information on Cisco products. Once the collector is installed and configured, it can run automated network discoveries, automated network inventories, and automated inventory uploads back to Cisco. With a click you can view your installed base data, helping you manage your Cisco devices more easily and operate more efficiently. “The automation on the Smart Net Total Care backend makes a small team’s performance large in execution and impossible to do otherwise,” John Baldwin, IT Manager for Infrastructure Projects and Architectures, Pella.


2. Ensure devices are up-to-date and secure to maximize uptime


Keeping all of the devices in your network secure and up to date is critical. Part of preventing vulnerabilities is making sure that your devices run software that is not affected by known critical bugs or PSIRT security advisories, and that is aligned with your compliance rules. Without tooling, when a problem arises you have to access the device, obtain the software type and version, and manually search cisco.com for issues associated with that product type and software version. To get information on a device's lifecycle you have to look up the End-of-Life and End-of-Sale product bulletins for each device. With thousands of devices to track and keep secure, that is a daunting task.

The Smart Net Total Care portal gives you visibility into your devices, including the IOS version each one runs, to help ensure you are using appropriate code versions across your devices and reduce exposure to known vulnerabilities. In addition, automatic correlation of PSIRT advisories, bug reports and lifecycle data, plus custom reports, helps you manage device security more efficiently. “We can see which devices are covered and at what service level, so we can appropriately cover devices to minimize risk within our environment,” Operations Manager, Service Provider.


3. Get an accurate view of your devices to resolve issues quickly


When you face network downtime or a device issue, time is of the essence, especially with thousands of devices to maintain. The delay is not just the time spent finding the number to call for support. It starts with gathering all of the device-level information needed just to open a case: the device serial number, product ID, and the contract number tied to that device. Depending on the inventory view you have (and how comprehensive it is), collecting this data can take a long time, which only delays resolution and eats up more of your limited time.

Smart Net Total Care can drastically reduce the time you spend resolving issues by giving you a clear and accurate view of your device information. The portal correlates the collected device serial numbers, product IDs, and contract numbers automatically, so you do not have to hunt for that information. You can also open a Technical Assistance Center (TAC) case directly within the portal when you experience an issue, shortening your time to resolution further. “Greater visibility across the network allows us to better prioritize and plan ahead for updates and replacement of equipment, assuring the continuous operation of the company.”


Whether you’re a large or small enterprise, Cisco’s Smart Net Total Care delivers world-class technical support that keeps your organization running smoothly, while driving business value.

Wednesday 6 March 2019

Cisco Stealthwatch Cloud and Microsoft Azure: reliable cloud infrastructure meets comprehensive cloud security

Isn’t it great when the enterprise technology solutions you use to achieve various business outcomes partner and work seamlessly with each other? Cisco and Microsoft have done just that to provide you with a scalable and high-performance cloud infrastructure along with easy and effective cloud security.

In 10 minutes or less, Cisco Stealthwatch Cloud extends visibility, threat detection, and compliance verification to Microsoft Azure without agents or additional sensor deployments within your cloud environment.

A new way to think about security


Enterprises are continuously adopting the public cloud for many reasons, whether it’s greater scalability, better access to resources, cost savings, increased efficiency, faster time to market, or overall higher performance. While the move to the cloud offers great opportunities, it also means that the old ways of thinking about security aren’t working for most organizations anymore, especially when it comes to visibility in the cloud.


Often this lack of visibility leads to challenges in network traffic analysis, identity and access management, compliance and regulation, and threat investigation. We all know of organizations that have made configuration mistakes and inadvertently exposed their private data, with serious repercussions. Of course, training can be improved, configurations checked, and automated tools used to validate configuration parameters, but these efforts only address the preventive side of security practice. Organizations also need to actively watch what is actually happening with their cloud assets and catch the threats that prevention misses. Active breach detection starts with improved visibility. Complete visibility gives you a way to protect your cloud infrastructure in real time, so you can be agile and address issues as they arise.

Cloud security: a shared responsibility


While your cloud provider manages security of the cloud, security in the cloud is the responsibility of the customer. You as a customer retain control of what security you choose to implement in the cloud to protect your content, platform, applications, systems and networks, no differently than you would in your company’s private datacenter.

How do you know what is happening to data in the cloud? How do you know you’ve configured your cloud assets to be secure? How do you recognize cloud assets starting to communicate with new, possibly hostile internet sites?  How do you do it in real time and quickly enough to mitigate data loss?

To answer these questions, it’s critical to have an active breach detection solution for your public cloud. And for that solution to be effective, the cloud provider needs to enable the right visibility to tap into valuable cloud network and configuration telemetry. 

Cisco and Microsoft: better together



In the continuous effort to provide customers with industry-leading solutions, Cisco has been working with Microsoft to bring Cisco Stealthwatch Cloud to Azure. Stealthwatch Cloud, a software-as-a-service (SaaS) active breach detection solution based on security analytics, can now deliver comprehensive visibility and effective threat detection in Azure environments in as little as 10 minutes.

Traditionally, organizations have tried to overlay a patchwork of agents across cloud assets to detect bad activity. This approach requires significant cost and effort to deploy, maintain, and manage in dynamic environments such as the cloud, and its cost frequently does not scale with the environment. Stealthwatch Cloud, by contrast, deploys into your Azure environment with no agent and scales up and down with your actual cloud traffic.

How does it work?


Microsoft provides Azure Network Security Group (NSG) flow logs that contain valuable information on north-south and east-west traffic within an Azure virtual network. Flow logs record outbound and inbound traffic on a per-flow basis: the network interface (NIC) the flow applies to, 5-tuple information about the flow (source/destination IP, source/destination port, and protocol), whether the traffic was allowed or denied, the NSG rule applied to the traffic, and, in Version 2, the flow state and throughput information (bytes and packets). Organizations use this information to audit activity on their cloud network. Stealthwatch Cloud can natively consume NSG flow logs V2 via APIs, without deploying any agents or sensors.

Additionally, Microsoft has introduced Azure virtual network TAP (Terminal Access Point), which lets you continuously and easily stream your virtual machine network traffic to Stealthwatch Cloud, much like a traditional physical network SPAN or TAP. You add a TAP configuration on a network interface that is attached to a virtual machine deployed in your virtual network. The destination is a virtual network IP address in the same virtual network as the monitored network interface or in a peered virtual network. This approach provides access not just to flow records but to the packets themselves, including traffic such as DNS.


Stealthwatch Cloud can be powered by both NSG flow logs v2 and vTAP data. Stealthwatch Cloud analyzes this data using entity modeling to identify suspicious and malicious activity. For every active entity on the network, Stealthwatch Cloud builds a behavioral model – a simulation of sorts – to understand what the entity’s role is, how it normally behaves, and what resources it normally communicates with. Then it uses this model to identify changes in behavior consistent with misuse, malware, compromise, or other threats.

For instance, if an Azure resource normally only communicates with internal hosts, but suddenly it begins sending large amounts of data to an unknown external server, it could be a sign of data exfiltration. Stealthwatch Cloud would detect this behavior in real-time and alert your security team.
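The detection just described, reduced to a runnable illustration. This is an added example written for this page, not Stealthwatch Cloud's or Microsoft's code: it parses NSG flow log Version 2 records (the JSON envelope and the comma-separated flow tuples follow the documented v2 layout, but the records themselves are constructed), learns from a baseline window which destinations each VM normally talks to, and then flags an allowed outbound flow to an address outside the assumed VNet range (10.0.0.0/16) that exceeds an assumed byte threshold. The VNet prefix, the threshold, the rule names, the MAC and all addresses are assumptions.

```python
"""Flag a VM that starts pushing large volumes to an external host it has
never talked to, using Azure NSG flow log v2 records.
Added example for this page, not Stealthwatch Cloud or Microsoft code.
The JSON envelope and flow-tuple layout follow the NSG flow log v2 format;
the records, addresses, rule names, VNet range and threshold are constructed."""
import ipaddress
import json
from collections import defaultdict

VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]  # assumed VNet address space
EXFIL_BYTES = 50_000_000  # assumed threshold: 50 MB out in one flow counts as "large"

# v2 tuple fields, in order: timestamp, src, dst, sport, dport, protocol (T/U),
# direction (I/O), decision (A/D), state (B/C/E), then four counters that are
# only filled for C/E states: packets and bytes src->dst, packets and bytes dst->src
FIELDS = ("ts", "src", "dst", "sport", "dport", "proto", "direction",
          "decision", "state", "pkts_out", "bytes_out", "pkts_in", "bytes_in")


def _record(time, rules):
    """Build one constructed v2 record in the shape Azure writes them."""
    return {"time": time, "category": "NetworkSecurityGroupFlowEvent",
            "resourceId": "/SUBSCRIPTIONS/EXAMPLE/RESOURCEGROUPS/RG1/PROVIDERS/"
                          "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
            "properties": {"Version": 2, "flows": [
                {"rule": rule, "flows": [{"mac": "000D3AF87856", "flowTuples": tuples}]}
                for rule, tuples in rules]}}


# Constructed sample: a quiet learning window, then a window containing an upload.
BASELINE_LOG = json.dumps({"records": [_record("2019-03-01T10:00:00Z", [
    ("UserRule_AllowOutbound", [
        "1551434400,10.0.0.4,10.0.1.5,44432,1433,T,O,A,E,40,6200,38,5900",
        "1551434405,10.0.0.4,10.0.1.6,44433,443,T,O,A,E,12,2100,10,1800",
        "1551434410,10.0.0.4,10.0.1.5,44434,1433,T,O,A,E,41,6400,39,6000"])])]})
CURRENT_LOG = json.dumps({"records": [_record("2019-03-01T10:05:00Z", [
    ("UserRule_AllowOutbound", [
        "1551434700,10.0.0.4,10.0.1.5,44500,1433,T,O,A,E,40,6100,38,5800",
        "1551434710,10.0.0.4,203.0.113.7,44501,443,T,O,A,E,91000,132000000,44000,2900000"]),
    ("DefaultRule_DenyAllOutBound", [
        "1551434715,10.0.0.4,198.51.100.9,44502,22,T,O,D,B,,,,"]),
    ("UserRule_AllowHttpsInbound", [
        "1551434720,192.0.2.10,10.0.0.4,51000,443,T,I,A,E,10,1200,8,900"])])]})


def parse_nsg_v2(text):
    """Flatten the nested records/rules/NICs/tuples structure into flow dicts."""
    flows = []
    for rec in json.loads(text)["records"]:
        props = rec["properties"]
        if props.get("Version") != 2:
            continue  # v1 tuples carry no byte counts, so volume checks need v2
        for rule in props["flows"]:
            for nic in rule["flows"]:
                for tup in nic["flowTuples"]:
                    flow = dict(zip(FIELDS, tup.split(",")))
                    flow["rule"] = rule["rule"]
                    flow["nic"] = nic["mac"]
                    for key in ("pkts_out", "bytes_out", "pkts_in", "bytes_in"):
                        flow[key] = int(flow[key]) if flow.get(key) else 0  # B state: empty
                    flows.append(flow)
    return flows


def is_external(ip):
    """External means outside the assumed VNet range, not merely non-RFC1918."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in VNET_PREFIXES)


def build_baseline(flows):
    """Per source VM, the set of destinations it was allowed to talk to."""
    peers = defaultdict(set)
    for f in flows:
        if f["direction"] == "O" and f["decision"] == "A":
            peers[f["src"]].add(f["dst"])
    return peers


def detect_exfil(flows, baseline, threshold=EXFIL_BYTES):
    """Allowed outbound flows to a never-seen external peer above the byte threshold."""
    alerts = []
    for f in flows:
        if f["direction"] != "O" or f["decision"] != "A":
            continue  # inbound or denied flows moved no data out
        if f["dst"] in baseline.get(f["src"], set()) or not is_external(f["dst"]):
            continue  # a known peer, or still inside the VNet
        if f["bytes_out"] >= threshold:
            alerts.append((f["src"], f["dst"], f["dport"], f["bytes_out"], f["rule"]))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_nsg_v2(BASELINE_LOG))
    for src, dst, port, nbytes, rule in detect_exfil(parse_nsg_v2(CURRENT_LOG), baseline):
        print(f"ALERT {src} -> {dst}:{port} sent {nbytes} bytes to a new external peer (rule {rule})")
```

Two details matter in practice and are handled above: a tuple in the B (begin) state has empty counter fields, so the parser must not crash on it, and a denied flow should never raise an exfiltration alert no matter how large its counters are, because the NSG dropped it. What "external" means should come from your own VNet address space rather than from a generic private-range check; in a peered or hybrid topology that list would be longer than the single prefix assumed here.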

Friday 1 March 2019

Cisco and Verizon to Demonstrate the Benefit of Multi-Haul Transport

Internet Traffic Trends and Network Pressure


Internet traffic and the number of connected devices continue to grow. In North America, between 2017 and 2022, average broadband speeds are projected to grow 2.1x to 94 Mbps, average Wi-Fi speeds 2.2x to 84 Mbps, and average mobile connection speeds 2.6x to 42 Mbps. The average smartphone will generate 14 GB of traffic per month in 2022, up 2.5x from 2017. [Source: Cisco VNI report]

The traffic mix is changing. Video will continue to dominate at 82% of all Internet traffic in 2022. However, there are significant new trends emerging. In the past few years, service providers have observed a pronounced increase in traffic associated with gaming. The launch of season 5 of Fortnite in July last year drove peak internet traffic overnight 5x to 37Tbps. Fortnite is only increasing in popularity with over 200 million registered players as of December 2018 and the recent announcement of a record $30M prize pool for the Fortnite World Cup. Online live Internet video also has the potential to drive large amounts of traffic as it replaces traditional broadcast viewing hours. According to Ooyala’s State of the Broadcast Industry 2019, sports are going to be a major catalyst for live streaming, and streaming is a much-needed solution for sports leagues that have seen a decline in ratings and ad revenues. Also of note is the growth of video surveillance traffic. This traffic is of a very different nature than live or on-demand streaming and represents a steady stream of upstream video camera traffic, uploaded continuously for commercial applications.

As Internet traffic grows and becomes more dynamic, optical transport networks for sub-sea, terrestrial long haul and metro need more capacity. The ability to deploy capacity quickly is equally important to handle the increasingly dynamic nature of the traffic. The concept of a multi-haul transport platform, as introduced by Andrew Schmitt of Cignal AI, becomes very appealing for achieving this ability to scale with speed while maintaining operational simplicity – a single platform for all requirements. A critical element of the multi-haul optical platform is the flexibility of the coherent optics to be tuned to fine granularity in order to meet the reach-capacity target of any given network.

Benefits of the Cisco NCS 1004


The Cisco NCS 1004 delivers multi-haul coherent DWDM transponders that provide state-of-the-art performance using granular baud-rate + bits per symbol tuning and time-hybrid modulation. Each 2RU form-factor NCS 1004, powered by Acacia’s Pico Digital Signal Processor chip, provides 8 coherent DWDM ports that operate from 100G to 600G. The FEC, baud-rate (or bits per symbol) and line rate combinations result in well over 6000 different ways to configure the NCS 1004 coherent DWDM trunk ports. Such flexibility is unprecedented.

Verizon Trial


We partnered with Verizon to demonstrate the benefits of the granular control of the NCS 1004 in a real-world environment. Ten fibers in Verizon’s 80km Dallas loop were used with NCS 2000 SMR flex-grid ROADMs to build an 800km network. Channelized ASE noise loading was provided by NCS 2000 equipment.


Three scenarios were tested – 1) 400G over 10x80km i.e. 800km, 2) 500G over 5x80km i.e. 400km, 3) 600G over 80km. It is important to note that in the testing, we used a single transponder carrier per channel per Verizon’s request. For each scenario listed above, we lowered the baud-rate (raised bits per symbol) to trade off excess margin for more capacity.

For 400G over 800 km, we started with the highest baud rate possible, 71.7 Gbaud, with a corresponding modulation of 3.88 bits/symbol. This gave a Q-margin of 2 dB and fit into 87.5 GHz. We then traded the excess margin on the link for additional capacity. The optimal point found in testing was 61.72 Gbaud with a corresponding modulation of 4.5 bits/symbol and a Q-margin of 1 dB. This signal fit into 75 GHz and resulted in a fiber capacity of 25.6 Tbps. The test was repeated in the same way for 500G over 400 km and 600G over 80 km.

We achieved the following maximum capacities for Verizon’s network:

◈ 25.6 Tbps @ 400G over 800 km with 75 GHz spacing
◈ 32 Tbps @ 500G over 400 km with 75 GHz spacing
◈ 35.4 Tbps @ 600G over 80 km with 81.25 GHz spacing
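To show where the capacity figures above come from, here is the arithmetic as a small script. This is an added example for this page, not Cisco's or Verizon's tooling; the baud rates, bits per symbol, client rates and channel spacings are the page's, while the 4.8 THz of usable C-band and the dual-polarization factor (two polarizations per carrier) are assumptions.

```python
"""Worked numbers behind the trial above: line rate from baud rate and modulation,
and fiber capacity from channel spacing. Added example, not Cisco or Verizon code.
Assumptions: 4.8 THz of usable C-band, two polarizations per carrier."""

C_BAND_GHZ = 4800.0   # assumed usable C-band width available to the ROADMs
POLARIZATIONS = 2     # assumed: coherent DWDM carries two polarizations per carrier


def line_rate_gbps(baud_gbaud, bits_per_symbol):
    """Gross line rate in Gb/s (client payload plus FEC, framing and pilot overhead)."""
    return baud_gbaud * bits_per_symbol * POLARIZATIONS


def overhead_pct(client_rate_g, baud_gbaud, bits_per_symbol):
    """Share of the line rate spent on overhead rather than client payload, in percent."""
    return (line_rate_gbps(baud_gbaud, bits_per_symbol) / client_rate_g - 1) * 100


def channel_count(spacing_ghz, band_ghz=C_BAND_GHZ):
    """Whole flex-grid channels that fit in the band at a given spacing."""
    return int(band_ghz // spacing_ghz)


def fiber_capacity_tbps(client_rate_g, spacing_ghz, band_ghz=C_BAND_GHZ):
    """Capacity of one fiber with a single carrier per channel, in Tb/s."""
    return client_rate_g * channel_count(spacing_ghz, band_ghz) / 1000


def spectral_efficiency(client_rate_g, spacing_ghz):
    """Client bits per second per Hz of occupied spectrum."""
    return client_rate_g / spacing_ghz


if __name__ == "__main__":
    # The two 400G/800km operating points from the trial: same line rate,
    # narrower channel once excess margin is traded for a denser constellation.
    for baud, bps, spacing in ((71.7, 3.88, 87.5), (61.72, 4.5, 75.0)):
        print(f"{baud} Gbaud x {bps} b/sym -> {line_rate_gbps(baud, bps):.1f} Gb/s line rate, "
              f"{overhead_pct(400, baud, bps):.0f}% overhead, {spacing} GHz channel, "
              f"{fiber_capacity_tbps(400, spacing):.1f} Tb/s per fiber")
    for rate, spacing in ((400, 75.0), (500, 75.0), (600, 81.25)):
        print(f"{rate}G @ {spacing} GHz: {channel_count(spacing)} channels, "
              f"{fiber_capacity_tbps(rate, spacing):.1f} Tb/s, "
              f"{spectral_efficiency(rate, spacing):.2f} b/s/Hz")
```

Running it reproduces the 25.6, 32 and 35.4 Tbps figures under the stated band assumption and makes the trade visible: both 400G operating points sit at roughly 556 Gb/s on the line, so dropping from 71.7 to 61.72 Gbaud does not change the payload; it narrows the carrier from 87.5 to 75 GHz, which is what lets 64 rather than 54 channels fit in the band.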

The below chart captures our test results for how we traded excess margin for more capacity in Verizon’s network.


After the successful completion of the tests, Glenn Wellbrock, Director of Transport, Verizon, commented, “We are happy to be the first to trial 600G on our metro network. More importantly, we were able to validate the highly granular control of the NCS 1004 to trade margin for capacity with 500G over 400km and 400G over 800km. This is a real customer advantage as we can now put significantly more capacity on a single fiber pair.”

Cisco is very excited about the results. We are moving very quickly to support our customer requests for more bandwidth and for the flexibility that multi-haul brings to maximize Verizon’s network.

Sunday 24 February 2019

New Wireless Frontiers for the Enterprise: 5G, Wi-Fi 6, and CBRS

2019 is going to be an incredible year in wireless networking. Enterprises are going to be able to take advantage of several important innovations.


First, 5G carrier-based wireless is going to start rolling out broadly, bringing a promise of dramatically better performance to mobile workers and the enterprise. Additionally, standards-based Wi-Fi 6 will be available in 2019. Wi-Fi 6 will dramatically improve the wireless experience, and it will enable new use cases for wireless that weren’t possible before. Quick on the heels of both of these rollouts will be CBRS (Citizens Broadband Radio Service, also known as OnGo), an extension of LTE that offers a new band of uncrowded spectrum. It will be especially valuable for mission-critical IoT applications.

With so much changing in how we connect, we are looking at a rare opportunity to combine technological change with strategic planning, as we explore how new wireless capabilities will change the way our businesses operate.

Common Tech


Before we get into the changes we’ll see in network planning due to these technologies, we have to understand how they’re different — and how they are actually coming together.

In 2019, both carrier-based mobile connectivity (LTE and 5G cellular) and unlicensed nomadic networking (Wi-Fi 6, otherwise known as 802.11ax), will converge in two key areas: radio signal encoding, and scheduling.

Both new wireless systems use the same method, OFDMA (orthogonal frequency-division multiple access), to squeeze more users and data into the frequencies they use, so each base station or access point can talk to more devices simultaneously. Also, with Wi-Fi 6, local wireless networking gets more scheduled, deterministic use of spectrum. Unlike earlier versions of Wi-Fi, in which every device contends for the channel through randomized access, with Wi-Fi 6 a device can rely on being able to use the radio on a particular schedule (measured in milliseconds). Scheduled access enables lower latency and a greater density of devices, and it has a positive effect on power use and battery life. In this regard Wi-Fi is advancing alongside 3GPP cellular technologies (such as 5G and LTE), which are also deterministic.

Despite their technological convergence, carrier-based (LTE/5G) and unlicensed (Wi-Fi) wireless systems are, and will remain, dramatically different in terms of cost, infrastructure layout, and the level of administrative control they provide to enterprise network operators. These factors will determine how enterprises plan to maintain and grow their wireless capabilities.

Wireless Inside the Campus and the Branch


Wi-Fi 6 provides improvements in speed and latency, and supports a higher density of connected devices. Combined with its reasonable cost to deploy and maintain, it will prove an ideal system for indoor wireless connectivity – especially in areas where access points will serve more users.

Users on Wi-Fi 6 devices will see improved individual experiences. People in crowded areas that have traditionally offered hit-or-miss performance (waiting rooms, student lecture halls, meeting spaces, and so on), will have better experiences. Some devices that previously would only be connected by wired Ethernet will be able to move to wireless. This will help drive innovation around high-bandwidth and latency-sensitive use cases that should really be untethered, like AR/VR, gaming, and video communications.

As the number of performance-sensitive wireless devices goes up, enterprises will need new network intelligence to assure the best levels of service. Specifically, Cisco believes that Wi-Fi 6 access points, and end devices themselves, must become sensors, collecting real-time performance and experience data that they stream to a new generation of analytic engines. This will allow for proactive and granular management of these increasingly complex environments.

While for some enterprise installations and indoor use cases it will make sense to extend 5G or LTE into the interior with Distributed Antenna Systems (DAS) or with interior 5G access points (“microcells”), this remains an expensive proposition. LTE and 5G radio chipsets are dramatically more expensive than Wi-Fi chipsets, and we do not anticipate this changing. Additionally, most enterprises have a rapidly growing number of devices to keep online; paying a monthly connectivity fee per device would be cost-prohibitive.

Wi-Fi networks also provide a rich vein of analytics information to the enterprise. Businesses can gather extremely rich data about their facilities by tracking how Wi-Fi devices move through them. This information is going to change how businesses optimize the use of their physical locations.

5G for Connecting Campus and Branch


5G will have a great impact on branches and campuses as a backhaul service.  Keeping an enterprise’s branch and campus locations all connected to each other and the Internet has traditionally fallen to wired technologies like T1/E1 and xDSL; today, 4G is often used to quickly bring up sites, or as a back-up link, but it’s seldom used as a primary link, due to bandwidth limitations and cost.

But 5G is much faster than 4G. It can be used to augment or, in some scenarios, replace a wired connection. And with contemporary SD-WAN tools, it’s simple to deploy 5G in parallel with other WAN services – even across thousands of sites.

Moreover, wireless links make sense for businesses that rely on robust, always-on connectivity to their branch offices, and for businesses that rely on cloud services, which is to say nearly all businesses. A wireless backhaul link cannot be severed by physical damage to a cable, and wireless infrastructure is often the first communications service restored after a disaster such as a major storm. Using 5G to augment existing WAN services gives sites maximum uptime for their cloud-based services, and, when it is managed with SD-WAN alongside bandwidth-constrained links, it can improve the overall application experience too.

For even more bandwidth, 5G extends into high-frequency millimeter-wave bands, which offer significantly higher throughput. These high-frequency bands do not easily reach indoor spaces, but carriers can quickly set up external, line-of-sight antennas to provide dedicated, high-speed connectivity at competitive prices.

Wireless and IoT


Both Wi-Fi 6 and 5G offer exciting opportunities to connect more devices reliably via wireless.  They share scheduling technology that makes wireless more deterministic, which is important for mission-critical IoT assets being used in manufacturing automation, healthcare, energy, and many other industries. Wireless technologies enable new use cases, and businesses that lean heavily on wireless will find it easier to accelerate their digitization initiatives.

Wi-Fi 6 APs will also increasingly include additional radios, such as Bluetooth and Zigbee, which will make them more capable IoT gateways and useful wireless sensors. They will help track and manage IoT devices through their entire lifecycle.

A particularly interesting extension of LTE (and later, 5G), called CBRS (Citizens Broadband Radio Service), holds a lot of promise as a complementary technology to Wi-Fi 6 for use inside buildings. CBRS relies on spectrum in the 3.5 GHz range that is not used by Wi-Fi or existing LTE/5G services in the U.S., so it is unlikely to suffer interference from general-access consumer devices. Some initial CBRS capabilities are rolling out in products shortly. For devices, such as robots, that need guaranteed connectivity as well as mobility, CBRS will be a great complement to Wi-Fi 6. Most businesses using CBRS will use it together with Wi-Fi 6.

When we discuss mission-critical IoT programs, we also need to keep security top of mind. Many IoT devices are both highly critical to business, and highly vulnerable to attack. Fortunately, a modern network can help make an IoT-rich environment more secure in several ways. In particular, it can limit potential for malware to spread from device to device, by using software-defined segmentation to ensure that network traffic from a particular device cannot be sent where it’s not supposed to be. Segmentation policies can span wired and wireless networks, as well as ruggedized environments.

Tying Wireless Networks Together


5G and Wi-Fi 6 will eventually be deployed together in the enterprise. It will be an evolving challenge to manage these separate access technologies as integrated systems, with unified policy, security, and analytics. Users and devices will need to move between 5G and Wi-Fi 6 systems, and the smart IT leader will want the experience to be seamless and easy to manage at scale. Orchestrating the management systems of these separate networks is our next frontier. Watch for more to come on this aspect.

Friday 22 February 2019

Peace of Mind with Cisco Optics (A)

Cisco sells the highest quantity of optical transceivers in the world. Through a combination of internal development and OEM and JDM engagements with suppliers, Cisco has developed an extensive portfolio of transceivers that has shipped to thousands of customers.

The value proposition of this optics portfolio is best viewed through several interrelated aspects – the breadth of product portfolio, stringent qualification requirements on Cisco platforms, and assurance of robust supply continuity along with worldwide logistics and distribution.

This first blog in a three-part series reviews the variety of Cisco platforms and the ease of deployment that comes with deploying Cisco optics. Additionally, the Cisco Transceiver Compatibility Matrix simplifies the network architect’s job of selecting transceivers to connect Cisco host platforms to each other.

Cisco Platforms for End-To-End Network Connectivity


Cisco offers the most comprehensive set of platforms of any NEM (Network Equipment Manufacturer). These solutions address a variety of applications and markets such as IoT (Internet of Things), Service Provider, Campus Enterprise, and Datacenter segments. In addition to platform hardware and software, Cisco provides optical transceivers to connect the different switches and routers in these networks. The following table samples the variety of Cisco platforms along with their application.


To connect all these devices at various places in the network, Cisco has developed an extensive portfolio of transceivers that spans multiple Form Factors, Reaches, and Speeds.

Transceiver options for all of Cisco Platforms


Cisco provides a comprehensive portfolio of pluggable transceivers to cover the entire range of applications for IoT, Service Provider, Campus-Enterprise, and Datacenter segments. These include pluggable optics for multi-mode fiber and single-mode fiber, and cables at various data rates and distances. In addition to optical transceivers that comply with IEEE standards and/or MSAs (Multi-Source Agreements), Cisco innovation is built into transceivers with proprietary optical specifications that give customers flexibility in their operations. For example, Cisco QSFP BiDi (Bi-Directional) and SFP and QSFP CSR (Cisco Short Reach) allow customers to migrate to higher data rates while reusing their existing fiber infrastructure without modification.

The Table below provides a high-level overview of the product portfolio highlighting the standards, form factors, and platforms supported.

Table 1. Transceivers for multiple platforms and places in the network

Detailed information on the entire transceiver product portfolio is available in their respective datasheets, which are organized by speed and form factor. Cisco has shipped millions of transceivers in 100M, 1G, 10G, 40G and 100G speeds. As market adoption continues, Cisco will continue this leadership with 25Gbps and new 100Gbps transceivers.

Cisco Transceiver Compatibility Matrix


The Cisco Transceiver Compatibility Matrix is a menu-driven tool that lists Cisco platforms and all transceivers qualified on each platform. For example, the network architect can quickly select transceiver options for the NCS540, a Service Provider Access platform.

Example 1. Using the compatibility matrix tool menus and appropriate filter settings, QSFP transceivers can be selected for the 100Gbps uplinks that span from 500 meters up to 40Km reaches over single mode fiber, which results in the following options for one line card example: QSFP-100G-PSM4-S, QSFP-100G-CWDM4-S, QSFP-100G-SM-SR, QSFP-100G-LR4-S, and QSFP-100G-ER4L-S.

Example 2. Similarly, 1 Gbps transceivers can be selected for the downlink data rates that span from 1 km to 10 km reaches. In both cases, the switch software release is provided, along with an indication of DOM (digital optical monitoring) support, if available.


Buying Optics from a Platform Vendor


Cisco optical transceivers are qualified on the largest portfolio of routers and switches in the industry. By vetting transceivers for the most applications, Cisco routinely identifies issues during qualification that would otherwise go undetected until after network deployment has started. Cisco optics indeed provide peace of mind and the assurance that the entire network will be brought up and continue to operate reliably.

Wednesday 20 February 2019

Practicing Responsible SSL Inspection in an SD-WAN Environment

One benefit driving enterprise SD-WAN adoption is improved branch connectivity to cloud applications via direct internet access (DIA). When performed securely, DIA cuts bandwidth costs and ensures a consistent user experience.

Looking at an SD-WAN fabric, WAN aggregation may seem outdated, as headquarters and core locations no longer need to serve as fortified gateways to the internet. Despite these architectural changes, core locations can excel as aggregation points for more challenging security operations, such as Transport Layer Security (TLS) decryption, often called by its more common name, Secure Sockets Layer (SSL) inspection.

Security remains a top concern across the WAN. Enterprises want to detect the latest malware threats, yet the latest research estimates that 70% of malware attacks are hidden in encrypted TLS traffic that network and security teams cannot see. With encrypted internet traffic increasing, SSL inspection has been promoted as a solution for finding hidden malware, but this is misleading for a number of reasons.

To Decrypt or Not


Though some SD-WAN vendors may tout their SSL inspection capabilities—such as hardware acceleration or off-loading—as evidence of product superiority, indiscriminate decryption across the WAN is not a sound practice. Decrypting sensitive traffic can violate privacy and data laws, and establishing whitelist policies to avoid violations is time-consuming and, at best, educated guesswork. Furthermore, many enterprise teams do not have the compute resources for wholesale SSL inspection, forcing them to suffer performance degradation as traffic enters the WAN.

Cisco addressed this challenge by developing a proprietary process known as Encrypted Traffic Analytics (ETA). With ETA enabled, Cisco SD-WAN platforms, such as the Integrated and Aggregated Services Routers (ISR and ASR), as well as the Enterprise Network Compute System (ENCS) hosting virtual devices, are able to categorize malicious traffic without performing decryption. Enabling ETA allows your SD-WAN fabric to apply more precise network policies, where any traffic flagged as questionable can then be backhauled to core locations for responsible decryption.

This is a unique process we call SSL Aggregation.

Reasons to adopt SSL Aggregation


While Cisco SD-WAN enables industry-leading, zero-touch branch security capabilities, such as stateful firewalling, URL filtering, DNS monitoring, and Snort IPS, it is recommended to backhaul any traffic ETA flags as questionable to core locations for three main reasons:

◈ Greater physical space at core locations allows for more robust security layering, including products that are different from, or go beyond, what’s available through SD-WAN. A next-generation firewall (NGFW) with SSL Inspection, next-generation anti-virus (NGAV) that can detect fileless malware, or SIEM technology can help to remediate and log vulnerabilities after the malicious traffic is decrypted for inspection.

◈ Many enterprises manage thousands of branch office locations in their SD-WAN fabric. Even if SSL inspection capabilities exist at branch and remote office locations, the complexity of such data could overwhelm network and security teams. By consolidating malicious data flows into fewer ingress points, security management is simplified.

◈ Metadata created in conjunction with ETA can alert to zero-day threats that evade threat intelligence. Sending the flagged traffic to secure core locations is the safest practice when aiming to retain and utilize that data.

Given their superiority as secure hubs to isolate and examine malicious traffic, core locations make effective aggregation points for practicing responsible SSL inspection in an SD-WAN environment. Architecting this process is simple with Cisco.

Architecting SSL Aggregation



Combined with a Cisco Stealthwatch license, Cisco routing and compute platforms become ETA intelligent, able to identify potential hazards in encrypted traffic. The following Cisco platforms are recommended in a standard SSL Aggregation architecture:

◈ At the Branch: Deploying a 1000 or 4000 Series Integrated Services Router (ISR 1000; ISR 4000), or a 5000 Series Enterprise Network Compute System (ENCS 5000) will allow your branch locations to feed key telemetry data into Stealthwatch, enabling ETA across the SD-WAN fabric.

◈ Core/Colo/Campus/HQ: Because these core locations will receive high volumes of aggregated traffic, deploying a 1000 Series Aggregated Services Router (ASR 1000) is recommended to handle the increased flows. A Cisco Firepower Threat Defense (FTD) Next-Generation Firewall (NGFW) can decrypt the malicious traffic at the core and detect the threat.
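The selective-decryption policy that the sections above describe (benign traffic takes direct internet access at the branch, traffic an ETA-style verdict flags as questionable is steered to the core for TLS inspection, and traffic to privacy-sensitive destinations is never decrypted) can be written down as a small decision function. The block below is an added illustration, not Cisco's code or any product's API; the verdict labels, the URL-filter categories, the exempt-category list and the sample flows are all constructed for the example. It also sizes the per-branch bytes the core would have to terminate, the figure you need when choosing the aggregation platform.

```python
"""Selective TLS-decryption policy for an SD-WAN fabric ("SSL Aggregation").

Added illustration, not Cisco code. Assumed inputs per flow: an ETA-style
verdict produced without decryption, a URL-filter category and the TLS SNI.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    DIA = "direct-internet-access"          # forward at the branch, no decryption
    BACKHAUL = "backhaul-to-core-decrypt"   # steer to core NGFW for TLS inspection
    ALERT_ONLY = "forward-and-alert"        # forward undecrypted, alert on metadata
    BLOCK = "block-at-branch"               # drop without decrypting


# Destination categories that policy forbids decrypting (constructed list,
# standing in for the privacy/data-protection whitelist a real deployment keeps).
NO_DECRYPT_CATEGORIES = frozenset({"healthcare", "finance", "government"})

# Verdict labels assumed for the example; real products use their own scale.
VERDICTS = ("benign", "suspicious", "malicious")


@dataclass(frozen=True)
class Flow:
    branch: str
    sni: str
    category: str
    eta_verdict: str
    bytes_out: int


def decide(flow: Flow) -> Action:
    """Map one flow to an action.

    Precedence: unknown verdict -> error (fail closed in the caller);
    known-malicious -> block at the branch, no decryption needed;
    suspicious -> decrypt at the core, unless the category is privacy-exempt,
    in which case forward it undecrypted and alert on the metadata alone;
    benign -> direct internet access.
    """
    if flow.eta_verdict not in VERDICTS:
        raise ValueError(f"unknown verdict {flow.eta_verdict!r}")
    if flow.eta_verdict == "malicious":
        return Action.BLOCK
    if flow.eta_verdict == "suspicious":
        if flow.category in NO_DECRYPT_CATEGORIES:
            return Action.ALERT_ONLY
        return Action.BACKHAUL
    return Action.DIA


def backhaul_load(flows) -> dict:
    """Bytes per branch that the core must terminate, for sizing the
    aggregation point. Only BACKHAUL flows count; the rest stay at the branch."""
    load = Counter()
    for f in flows:
        if decide(f) is Action.BACKHAUL:
            load[f.branch] += f.bytes_out
    return dict(load)


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("branch-01", "updates.example.com", "software", "benign", 120_000),
    Flow("branch-01", "cdn.example.net", "advertising", "suspicious", 45_000),
    Flow("branch-02", "portal.example-hospital.org", "healthcare", "suspicious", 9_000),
    Flow("branch-02", "c2.example.invalid", "uncategorized", "malicious", 2_000),
    Flow("branch-03", "share.example.org", "filesharing", "suspicious", 300_000),
]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.branch:10} {f.sni:32} {decide(f).value}")
    print(backhaul_load(SAMPLE_FLOWS))
```

The ordering of the checks is the security-relevant part: the exempt-category test only applies to traffic that would otherwise be decrypted, so a privacy rule can never turn a block into a forward, and an unrecognised verdict raises rather than silently defaulting to direct internet access.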

Sunday 17 February 2019

Digital Transformation: Lessons learned at Cisco’s Media and Entertainment Industry Roundtable

Recently I had the great opportunity to host and moderate Cisco’s most recent Media Roundtable in Barcelona, Spain in conjunction with Cisco Live EMEAR with over 30 attendees.  During this event we had representation from some of the leading European Media organizations and partners including the likes of the BBC, Sony, France Television, SIC, Telefonica, Videlio, TF1, Dorna, Arqiva, Radio France, and Talpa TV along with our team at Cisco in attendance.  At this session we started to uncover how IP is transforming the Media Supply Chain in ways that are affecting their business in three areas:  Business Transformation, Technology Transformation and Operational Transformation or collectively what we at Cisco call “Digital Transformation”.  Let me dig into some of that discussion and some insights I gathered.


To set some context to the discussion we focused on the initial entry into the Media Supply Chain by focusing on the SDI to IP Transition or what many think of as the area of the Media Supply Chain focused on the live or near live acquisition of content.  This is an area that has had lots of visibility over the past two years with the introduction of new industry standards and trade groups, new technology solutions, new facilities being built, and new ways of thinking all while the needs of the staff to operate and execute this are changing dramatically.

Business transformation:


The key theme expressed during the discussion was that these media organizations are thinking about flexibility and use cases for manipulating the content that they now will have at their hands in far greater ways than ever before in the Media & Entertainment industry.  Some shared feedback that they were hyper focused on how IP would allow for new channels or digital channels for distribution and the revenue models to support that, similar to how Canal + explains it in this video.  There was also interest and opinions in the role of the industry standards bodies in terms of how they are incorporating formats and whether those apply or not to their real life situations.  Some interesting debates on that specific topic for sure!  Some discussed how IP could offer flexibility to their environments and impact staffing, facilities and such.  Regardless, it was clear that the move to IP creates some opportunities and goals that many are still trying to uncover.

Technology transformation:


Much of the discussion was around how to monitor and operate an IP Fabric environment.  Monitoring, flows, security and automation all bubbled up during the discussion, but as the discussion progressed we drilled into how this technology transformation was forcing the need for full interoperability between the Media and Broadcast Ecosystem Partners and folks like Cisco who provide the network and security aspects of these systems and the innovation needed.  This “open interop” and “expanded partner ecosystem” has proven to be a hallmark of Cisco’s Media and Entertainment strategy, and this roundtable reinforced that direction.  The key now is to see how the industry keeps up and evolves to meet the demands of the content providers.

Operational Transformation:


This was an unexpected area of discussion, in which many of the customers and partners shared with us the challenges they have around workforce needs, training, and skilled labor needed by their own staff as well as the staffs of the ecosystem partners and systems integrators. It was clear that more awareness of training programs such as Cisco’s IP Fabric for Media basic and advanced training is needed and desired by the market.  We also shared that Cisco is working hard to “industrialize” the media ecosystem by creating programs and incentives to create consistent delivery partners of these systems through the IP Fabric for Media Partner Authorization Program. Here partners have a way to distinguish themselves as a trusted advisor to deliver these systems by investing in labs, training and ecosystem interoperability, which in turn gives Cisco the ability to recommend them to the market.  Partners like Diversified Systems and WWT have already received their badge for this distinction, but it was clear that we need to get more partners around the world to leverage this type of program to ensure successful project delivery.


In all, it was clear that transitioning to IP is top of mind for Media organizations due to the abundance of benefits it can bring; however, this transition also brings many concerns, so there is a need to work together with the right partners and systems integrators to make the transition more seamless and effective.