Tuesday, 7 May 2019

5G + IoT Tee Up Major Disruption & Business Opportunity

Everything can be disrupted. Tiger Woods just disrupted The Masters. Telecommunications companies are being disrupted by 5G. But can 5G disrupt golf and other industries outside of telecommunications? The answer is most definitely yes. And what better time to dig into these possibilities than now- between the craziness of the Masters and the excitement building for Wells Fargo and the PGA Championship?

Cisco Certifications, Cisco Learning, Cisco Tutorials and Materials, Cisco Guides

A tenfold increase in speed and a tenfold decrease in latency. A phone battery charge that will last a month. These are some of the ways that 5G will soon leapfrog 4G to be your favorite cellular access technology. For consumers, it’s going to take just seconds to download a movie. Streaming will be clearer. The expectation of real-time experiences with apps of all kinds will become standard.

For businesses, the faster speed and lower latency will also benefit employees, customers, and partners in every industry you can think of. The lower power consumption of 5G will allow IoT sensors to operate much longer without recharging. One game changer is likely to be wireless sensors that are small enough, light enough, easy to deploy, and cheap enough to be in huge demand.

These wireless 5G-connected sensors will be attached to everything – refrigerators, cars, clothes, cameras, and in places previously never possible. Service providers will have the ability to customize the network to the needs of those sensors and business imperatives while delivering security and reliability with strict service level agreements.

Seeds of Disruption


How will 5G and IoT disrupt an entire industry? Consider the new world of virtual driving ranges. These large facilities include driving ranges with multiple hitting bays. Sensor-enabled balls are hit at various targets — monsters, cards, targets, letters — as part of different driving range games. Other technology in the golf clubs and balls let you hone your swing speed and evaluate ball speed, apex height, spin rates, and distances. Lessons and clinics for players at all levels are also available.

These new virtual golfing companies, which include fancy restaurants and cocktail lounges, are using technology to enhance the customer experience in every way possible. They are using IoT, and will soon benefit from 5G, to make each visit customized, social, participatory, and integrated.

With data center, cloud services, and apps in the background, real-time game analysis is provided for each customer. Telemetry data and data about the network, the users, and their devices is gathered and folded into a common data model that allows analysts to extract new learning and provide new experiences. With Cisco branch and cloud architecture, these virtual golfing chains can easily bring new sites online and with minimal IT support.

Out-Innovating with 5G


Cisco Certifications, Cisco Learning, Cisco Tutorials and Materials, Cisco Guides
5G will spur competition for innovation among players in the virtual golfing industry. Imagine sensors on everything you can see at each facility, from clubs and balls to silverware, waiters and waitresses, and customers. Other sensors can be connected to the lights, kitchen appliances, food supply, nearby weather station, floors, and cameras. These locations will become fully connected ecosystems of sensors and sensor data.

Now, take all that data from all those sensors and put it in a giant data pool. Then apply an artificial intelligence application front end that can mine the data to create patterns that can determine experience and operations optimization. How can that information be useful? To run a more efficient kitchen. To ensure the maximum utilization of hitting bays. To give advertisers opportunities to customize ads to individuals and groups. To offer immediate suggestions on what type of driver and what kind of ball the golfer should be using

Bartenders will know which drinks to make in advance and can offer new options to try. Social networks can participate in the golf experience. In the back office, managers can ensure tighter security with more visibility into what’s happening in each venue, make technology changes faster, roll out stores faster, and have better control of their supply chains.

Industry Implications of 5G


In addition to IoT applications and insights from data analytics, 5G will make augmented reality (AR) and virtual reality (VR) applications available and seamless to businesses of all kinds. Oil and gas exploration will be more automated and precise. Picture a drill operator who is trying to repair a drill on an ice shelf at 20 degrees below zero using collaboration over 5G satellite to share blueprints with a technician thousands of miles away.

Doctors will be able to train in virtual operating theaters. Factories will become more optimized to reduce costs, run times, and errors. Retailers will be able to target ads more precisely using time, location, customer, weather, and other data. And golfers will be able to tee up at the most exclusive courses in the world, virtually.Now think about your own industry and business.

Who are the new entrants? What companies are driving competition and how are they doing it? What could you be doing to disrupt or protect your company from disruption? Can 5G and all the things it will enable — IoT, AR/VR, data analytics, artificial intelligence — help accelerate your strategy?

Given how Tiger Woods at 43, with multiple back and knee surgeries behind him, just disrupted professional golfing with his $2 million win at the 2019 Masters and is now headed to the PGA Championship, your own business may also be ready for surprising new benefits with 5G!

Monday, 6 May 2019

Cyber Defense Clinic for Education

Cisco Certifications, Cisco Learning, Cisco Tutorials and Material, Cisco Guides

And it’s not just America’s problem, it’s the world’s, with an estimated one million cybersecurity positions currently unfilled globally. The lack of personnel with the right digital skills to bridge the cyber-gap is growing so fast that many in the industry are predicting a three-fold plus increase in that number by 2025. That means 3.5 million unfilled cybersecurity jobs are on the horizon. So it’s time the industry gets serious about how we’re going to fill them.

Leaders in cybersecurity must lead in cyber education


As an industry-leader in cybersecurity, Cisco suggests the first step is to attract and train more defenders. That’s why we’re stepping up to do just that through our Cyber Defense Clinic (CDC) for Education program. This program helps students gain experience as both an attacker and defender in various cyber attack scenarios. Our program offers schools across America access to:

◈ Software
◈ Equipment
◈ Preprogrammed labs
◈ Lab guides
◈ And other teaching materials,

all while giving teachers the flexibility they need to use and structure labs creatively to enhance the digital skills of their students.

We must move aggressively to evolve cyber training


As defense strategies evolve, so do those of the hackers. And both are doing so at a rapid pace. In order for students to gain a working knowledge of them, they’ll need to go beyond basic learning to submersive cyber training, where hands-on interaction with the latest cybersecurity tools enable them to hone their expertise in cyber defense.

That’s where our Cyber Defense Clinic for Education comes in, providing students with real-world insight into ransomware, phishing, common hacking tools, breach detection, incident response, and the latest defense technologies.

Advanced tools are now a must-have in cyber education


As an IT industry-leader keeping private and public sector networks secure around the world, Cisco has developed a robust internal tool called D-Cloud, designed with customers, partners, and employees in mind. It has the power to demonstrate solutions and show proof of value to thousands of users every single day.

CDC is one of the most popular tools in D-Cloud, teaching users how technology from Cisco and other companies can be applied in real-world scenarios to defend against cyber threats. As part of our ongoing commitment to training future cyber defenders, we are training educators on this innovative tool – empowering universities, community colleges and advanced high school programs with lab access.

Most importantly, we’re making it easy too. So easy, in fact, that all they need to do is logon from their laptop and they’ll gain immediate access to millions of dollars’ worth of lab solutions, including industry-leading technologies like:

◈ Identity and Access Management (IDAM)
◈ Email Security
◈ DNS Protection
◈ Intrusion Detection (IDS/IPS)
◈ Anomaly Detection
◈ Advanced Malware Detection
◈ and even Security Incident and Event Management (SIEM) from QRadar and Splunk.

Advanced digital skills are critical to a strong cyber defense


Thanks to CDC, schools now have the capability to get creative in their cyber training so students can advance their digital skills. For example, educators can:

◈ Cap off classes with lab experiences
◈ Engage via reinforcement labs throughout the semester
◈ Create staff enrichment events
◈ Develop activities that increase cybersecurity awareness
◈ Deploy half day or full day clinics for students and faculty.

Plus, CDC can be used for community outreach and student recruiting efforts (Cyber/STEM). We’re also committed to providing and maintaining the latest equipment and solutions, and reset labs after each use. Our team is always happy to work hand-in-hand with a school’s IT leaders to ensure the best user experience. By the way, it’s worth noting that by using CDC, which keeps schools separate from labs, the schools can reduce risks from outside cyberthreats.

Our team at Cisco is thrilled to offer our Cyber Defense Clinic (CDC) for Education program to both educators and students. By doing so we can all partner together, as one community, to slow and eventually bridge the growing cybersecurity skills gap.

Saturday, 4 May 2019

Accelerate Your Journey to AWS With a Cisco Cloud Ready Network

Many organizations have already developed cloud migration targets and are looking at how they can accelerate cloud adoption. As organizations increasingly embrace IaaS, PaaS, and SaaS consumption models many have selected AWS as their primary cloud provider.

While pre-application migration planning and application readiness is a key area of focus, many organizations have also realized that network readiness is also critical in accelerating and ensuring a successful cloud adoption journey. Legacy network architectures lack the simplicity, adaptability, automation and most of all application-awareness needed to deliver the best user experience. A Cloud Ready Network needs to enable a secure and optimized connectivity to cloud services from the branch/remote-offices.

Cisco next-gen SDWAN is one of the pillars of the Cloud Ready Network that can accelerate organizations adoption of cloud.

Cloud Ready WAN


To guarantee optimal end users experience an organization requires seamless connectivity between branch office locations, applications, and workloads hosted in the cloud. Many WAN solutions are ill-equipped for this task because they are generally rigid, complex to configure, and expensive to maintain. IoT adoption, a dramatic increase of the number of network devices, and the sophistication of security threats further compounds this challenge.

Cisco SDWAN on Amazon Web Services (AWS) is an overlay WAN architecture that is designed to address heterogeneous WAN connectivity and distributed users by building a scalable WAN infrastructure that reduces data transport costs and operational expenses. Cisco SDWAN for AWS helps with the following two major use cases:

Cloud Onramp for SaaS – Improving SaaS performance with SDWAN on AWS


Enterprises with the legacy WAN architecture, find it challenging to ensure a quality end user experience with their SaaS adoption. Often times a suboptimal path with increased latency is chosen to connect a user to the SaaS application in the cloud resulting in a degraded end user experience. A cloud ready network via SDWAN solves the problem by creating multiple Internet exit points and dynamically steering around bandwidth and latency issues in real-time, resulting is an optimal SaaS user experience at branches.

To achieve this the SDWAN fabric continuously measures the performance of designated SaaS applications through all permissible paths from a branch including direct internet access. For each path, the fabric computes a quality-of-experience (vQoE) score that gives network administrators visibility into application performance. The fabric also makes real-time decisions to choose the best-performing path per application per VPN between the end users at a remote branch and the cloud SaaS application and automatically fails over in case of performance degradation.

Cisco Certifications, Cisco Study Materials, Cisco Guides, Cisco Cloud

Cloud Onramp for IaaS – Faster and secure connectivity from branches to the AWS cloud

Traditional hub-and-spoke network architectures were designed to support consolidated applications and services hosted at centralized “demilitarized zones” (DMZs) and data centers. This layout forces the backhaul of internet traffic through the DMZ, creating inefficient traffic routes that increase the distance between end user and application. As an alternative, many organizations have opted to implement private circuits or MPLS to create mesh connectivity and satisfy any-to any traffic requirements. This approach can work but is costly and adds operational complexity. There is also a need to handle dynamic traffic patterns driven by seasonality, bursting, or external events.

Cisco SDWAN Cloud onramp for IaaS extends the visibility, reliability, and management of the SDWAN network from branches, remote sites, and campus to AWS. It allows for a transport independent any-to-any connectivity and end-to-end VPN segmentation. Tight integration with Amazon Virtual Private Cloud (VPC) enables organizations to automate network configurations with a consistent policy across branch, DC, and AWS, so that they can deploy and scale workloads on AWS faster. Cisco vEdge routers are deployed in a gateway VPC to connect branches and application VPCs. This enables the administrators to easily scale up the VPC environment by reducing the number of point to point tunnels between organization’s branches to host VPCs resulting in a simplified WAN management, lower transport costs, and faster time to deploy. The gateway VPC also supports workload segmentation especially when an organization deploys application VPCs across multiple AWS regions. The vManage component of the Cisco SDWAN solution, orchestrates the WAN sites and Amazon VPCs to automate connectivity and provides full lifecycle management and network visibility into the entire SDWAN environment.

Cisco Certifications, Cisco Study Materials, Cisco Guides, Cisco Cloud

Friday, 3 May 2019

Optimizing Cloud Resources + Reducing Your Carbon Footprint with TimeBox

At Cisco Engineering, innovation isn’t just something we do; it’s a way of life.

With tens of thousands of developers churning out an equal number of cutting-edge solutions at high velocity, Cisco truly is at the helm of technological innovation.

For context, Cisco has a vast amount of DevOps activities that are associated with development and these require significant resources for running workloads. The resources encompass storage, compute, memory, and associated ancillary costs such as real estate footprint, electricity, and others. Moving to the cloud does not change the fundamentals of this challenge,  even cloud workloads at the end of the day need to run on compute (and consume electricity). This landscape created the perfect opportunity for Cisco internal engineering to innovate.

Enter TimeBox.


Cisco Certifications, Cisco Learning, Cisco Study Materials, Cisco Tutorials and Materials
Born out of a Cisco-fueled engineering hackathon and with roots in our Kanata, Ontario, Research & Development Centre, TimeBox is an award-winning made-in-Canada solution. With two filed patents, it is taking cloud resource optimization at Cisco to new heights.

As a data-driven resource optimizer, TimeBox:

1. Understands intent.

2. Provides recommendations.

3. Monitors and heals workloads on auto-pilot.

4. Provides insight into workloads.

5. Is a one-stop-shop to discover your Total Cost of Ownership (TCO) footprint, directly mapping to financial costs.

Here is the recipe:


Cisco Certifications, Cisco Learning, Cisco Study Materials, Cisco Tutorials and Materials

Through machine learning, TimeBox understands the intent of historic workload computations, then uses those to make recommendations for a better schedule. Once tweaked, this schedule gets re-trained for subsequent, more sophisticated Artificial Intelligence (AI) driven recommendations. It also works as a smart assistant, automatically answering frequently posed questions and challenges encountered by our Cisco engineers. These include:

1. Determining the optimal resources required for a given workload.
2. Autonomous monitoring and healing of aborted workloads.
3. Total Cost of Ownership for a given workload.
4. Preventing accidental hoarding of resources.

In a nutshell:


Cisco Certifications, Cisco Learning, Cisco Study Materials, Cisco Tutorials and Materials

Scheduling and optimizing cloud resources is not a new idea, but using genetic modelling-based AI to solve for it may just be. TimeBox can be pervasive, with applications across any industry where the efficiency of resource allocation is critical. Where there are resources that undergo periodic consumption, there is a need for optimal capacity planning, workloads with large variety, and associated variable characteristics.

Thursday, 2 May 2019

The Future is Now! Presenting the Cisco Catalyst 9100 Wi-Fi 6 Access Points

Cisco Mobility, Cisco Study Materials, Cisco Learning, Cisco Certifications
When I was a kid, the future meant flying cars and everyone wearing the same silver jumpsuits. It’s been a few years since I was a kid and while I may not own a flying car, but I don’t have to wear a jumpsuit and working at Cisco allows me to check out all of new innovations that we bring to the world.

With the launch of our newest Catalyst 9100 Access Points, we’re continuing our journey to bring Intent-based Networking to our customers—we’re bringing the future to now. The Catalyst 9100 Access Points are the new addition to the Catalyst family and they’re also our first access points that adhere to Wi-Fi 6 (802.11ax) standard.

A lot of people have been talking about the future of the network. You may have seen Cisco CEO Chuck Robbins present at this year’s MWC in Barcelona or perhaps you tuned in to our Virtual Event announcing our new Wi-Fi 6 innovations a few days ago.

I know that you’re thinking that this is just another access point that’s meeting another standard, this isn’t flying-car news. And you’re right, it won’t bring you a flying car, but these new devices have greater bandwidth, a more dependable connection to the network and features that will continue to automate your network. These new features are going to allow for a lot of really great uses–and in a lot of ways, that’s better.

How so? How about things such as robots and advanced virtual and augmented reality (VR/AR).

Like some of you, one of my all-time favorite TV shows is the Simpsons. There was a classic episode where Lisa dreamt of the perfect school and in that dream, her teacher told her to put on her virtual reality helmet and travel back in time to days of Genghis Khan. Thanks to the Catalyst 9100 Access Points and the increased bandwidth and strong connection, this won’t be a cartoon fantasy anymore. Students are able to learn by literally immersing themselves in their studies. Whether it’s using AR to go back thousand and reliving a historical battle or delving into a scientific study.

The VR and Wi-Fi 6 partnership isn’t just for pointy haired, second grade geniuses either. Surgeons can employ VR to work on patients at a hospital on the other side of the world. This means that geography and time will no longer be the deciding factors on whether patients get the treatment they need.

Cisco Mobility, Cisco Study Materials, Cisco Learning, Cisco Certifications
To make use of this new technology, you’re going to need a reliable, scalable and secure wireless network that can handle the additional number of devices and the data that they’re going to create. That’s where the Cisco Catalyst 9100 Access Points comes in. These access points are your first step to creating that robust network needed to handle the crush of devices and applications connecting to your network.

Here are some things you can expect:

• Enhanced features: Cisco RF ASIC delivers CleanAir, Wireless Intrusion Prevention System (WIPS), Dual Filter DFS in addition to Fast Locate and off-channel RRM, which will be available in future releases. The Cisco Catalyst 9100 access points also support Target Wake Time, which is a new power-saving mode allowing the client to stay asleep and to wake at prescheduled times to exchange data with the access point. The energy savings over 802.11n and 802.11ac is significant, with up to three to four times the older standards. In addition, this improves power and battery efficiency in end devices like smartphones, tablets and IOT devices.

• Addresses the growing IoT explosion: The Cisco Catalyst 9100 access points provide multi-lingual support and application hosting of IoT protocols such as Wi-Fi, BLE and Zigbee. IoT is more than lights, heating and security cameras. From life-saving medical equipment in hospitals to restocking robots—I told you that there would be robots!—in retail to heavy machinery in manufacturing, all of these devices are considered IoT. Everything is connected and since some of these devices are literally the difference between life and death, they must be always-on. Making sure that this equipment doesn’t have downtime is paramount.

• Customizable with a programable RF ASIC: The Catalyst 9120 access point has custom RF ASIC and provides real-time analytics. When combined with Cisco DNA Assurance allows you to gain RF intelligence and visibility that can be analyzed and used to run your network more efficiently. The custom RF ASIC also has a dedicated third radio that is automatically enabled during high density scenarios. This goes along with delivering other features such as RF Interference mitigation and rogue detection.

• Reliability: always-connected, always dependable; a seamless experience. The Catalyst 9100 access points have improved roaming features allowing a better Wi-Fi experience. Add Spectrum Intelligence and Interference and Rogue Detection to the reliability mix and you can be sure that your network is clear of any issues that will hinder a seamless connection.

• Capacity: Thanks to Wi-Fi 6, there is a reduced latency with 100+ devices communicating at the same time. The Catalyst 9100 access points will also provide support in the future for both OFDMA and MU-MIMO to help to dole out application resources. OFDMA is ideal for low-bandwidth applications and increases efficiency while reducing latency. For high-bandwidth applications, MU-MIMO increases capacity resulting in higher speeds per user. Look at MU-MIMO as multiple trucks serving users simultaneously, while OFDMA is one truck serving each user.

The new Catalyst 9100 access points are poised to take your infrastructure to the next level. And with more devices being added to the network every day, this next level is where you’re going to need to be.

The future is much closer than you think. Outfitting your infrastructure is the best way of bringing the future to now.

Wednesday, 1 May 2019

Cisco Trusted Platforms

Service Provider networks serve as critical infrastructure, and the security and trustworthiness of the network infrastructure is essential and the Trusted Infrastructure video from Mobile World Congress. Providers of digital infrastructure must be able to verify whether the hardware and software that comprise their infrastructure are genuine, uncompromised, and operating as intended.  As shown in Figure 1 below, there are security and trust requirements at every layer of the Network Operating System. I will address each of these layers in this and a subsequent blog.

Cisco Trusted Platforms, Cisco Study Materials, Cisco Guides, Cisco Learning

Figure 1: Network Operating System Layers and Security Requirements

Note that not all the features listed here are available on all Service Provider platforms. Please contact the sales team for details.

Foundations of Trust


The ability to verify that a Cisco device is genuine and running uncompromised code depends on Cisco Secure Boot and Trust Anchor module (TAm).  Cisco uses digitally-signed software images, a Secure Unique Device Identifier (SUDI), and a hardware-anchored secure boot process to prevent inauthentic or compromised code from booting on a Cisco platform.

Hardware Root of Trust


A trusted element in the scope of system software is a piece of code that is known to be authentic.  A trusted element must either be immutable (stored in such a way as to prevent modification) or authenticated through validation mechanisms. Cisco anchors the root of trust, which initiates the boot process, in tamper-resistant hardware.  The hardware-anchored root of trust protects the first code running on a system from compromise and becomes the root of trust for the system.

Trust Anchor module


The Trust Anchor Module (TAm) is a proprietary, tamper-resistant chip that features non-volatile secure storage, Secure Unique Device Identifier (SUDI), and crypto services including random number generation (RNG).  See below for additional information on SUDI.

Image signing


Image signing is a two-step process that creates a unique digital signature for a given block of code. First, a hashing algorithm, similar to a checksum, is used to compute a hash value of the block of code. The hash is then encrypted with a Cisco private key, resulting in a digital signature that is attached to and delivered with the image. Signed images can be checked at runtime to verify that the software has not been modified.

Chain of Trust


A chain of trust exists when the integrity of each element of code on a system is validated before that piece of code is allowed to run. A chain of trust starts with a root of trust element. The root of trust validates the next element in the chain (usually firmware) before it is allowed to start, and so on. Through the use of image signing and trusted elements, Cisco hardware-anchored secure boot establishes a chain of trust which boots the system securely and validates the integrity of the software.

Secure Boot


Cisco Secure Boot helps ensure that the code that executes on Cisco hardware platforms is genuine and untampered. A typical UEFI-based boot process starts at the UEFI firmware and works up to the boot loader and the operating system. A tampered UEFI firmware can result in the entire boot process being compromised.

Using a hardware-anchored root of trust, digitally-signed software images, and a unique device identity, Cisco hardware-anchored secure boot establishes a chain of trust which boots the system securely and validates the integrity of the software.  The root of trust (aka. microloader), which is protected by tamper-resistant hardware, first performs a self-check and then verifies the UEFI firmware, and thus kicks off the chain of trust leading up to the integrity verification of the entire IOS XR operating system.

Cisco Trusted Platforms, Cisco Study Materials, Cisco Guides, Cisco Learning

Secure Unique Device Identifier (SUDI)


The SUDI is an X.509v3 certificate and an associated key-pair which are protected in hardware in the Trust Anchor module (TAm).  The SUDI certificate contains the product identifier and serial number and is rooted in Cisco Public Key Infrastructure. This identity can be either RSA or ECDSA based. The key pair and the SUDI certificate are inserted into the Trust Anchor module during manufacturing, and the private key can never be exported. The SUDI provides an immutable identity for the router that is used to verify that the device is a genuine Cisco product, and to ensure that the router is well-known to the customer’s inventory system.

The SUDI-based identity can be used to perform authenticated and automated configuration using Zero Touch Provisioning (ZTP). A backend system can issue a challenge to the router to validate its identity and the router will respond to the challenge using its SUDI based identity. This allows the backend system to not only verify against its inventory that the right router is in the right location but also provide encrypted configuration that can only be opened by the specific router, thereby ensuring confidentiality in transit.

Secure Storage


Cisco’s Trust Anchor technology provides a mechanism to securely store secrets on the router. The encryption of the storage space is tied to the hardware root of trust, and data cannot be decrypted without the specific hardware that was used to encrypt it. The secrets that can be stored include user passwords, customer credentials for authentication protocols such as RADIUS or TACACS, customer certificates, and any type of keys.

The combination of SUDI-based ZTP and secure storage provide very strong protection of customer configuration and secrets.

Hardware Fingerprint


Tampered hardware, particularly in transit, is a clear vector of attack. This is especially a concern when the hardware is in transit from Cisco to our customers and partners; or when a Service Provider ships their router from a holding center to the deployment center. A malicious agent can intercept the hardware in transit and tamper the hardware in a non-detectable manner.

Cisco’s Hardware Fingerprinting technology provides the ability to detect tampered hardware using the Trust Anchor. Cisco fingerprints the critical hardware elements of a router, such as CPUs and ASICs, during manufacturing and stores the fingerprint in the tamper resistant Trust Anchor. This fingerprint is not only immutable once it is inserted into the Trust Anchor but it also cannot be read back from the Trust Anchor.

When the router boots up, UEFI firmware fingerprints the hardware elements of the router at boot and creates a fingerprint of the hardware elements. This fingerprint is sent to the Trust Anchor hardware, which will compare it against the master fingerprint stored inside the hardware. UEFI firmware will only boot the router if the Trust Anchor hardware can successfully verify the observed fingerprint at bootup against the master fingerprint.

As threats evolve, Cisco continues to enhance the security and resilience of our solutions.  While no vendor can guarantee security, we are committed to transparency and accountability and to acting as a trusted partner to our customers to address today’s, and tomorrow’s, security challenges.

Tuesday, 30 April 2019

TLS Fingerprinting in the Real World

To protect your data, you must understand the traffic on your network.  This task has become even more challenging with widespread use of the Transport Layer Security (TLS) protocol, which inhibits traditional network security monitoring techniques.  The good news is that TLS fingerprinting can help you understand your traffic without interfering with any of the security benefits TLS brings to applications and complements current solutions like Encrypted Traffic Analytics.   To help our customers better understand the benefits of the approach, and to help drive the development and adoption of defensive uses of traffic analysis, the Advanced Security Research team of Cisco’s Security and Trust Organization has published a large set of fingerprints with the support of the Cisco Technology Fund.

Cisco Tutorials and Materials, Cisco Learning, Cisco Certifications, Cisco Guides

Transport Layer Security (TLS) fingerprinting is a technique that associates an application and/or TLS library with parameters extracted from a TLS ClientHello by using a database of curated fingerprints, and it can be used to identify malware and vulnerable applications and for general network visibility. These techniques gained attention in 2009 with mod_sslhaf, in 2012 with SSL fingerprinting for p0f, in 2015 with FingerprinTLS, and most recently with JA3.  We have been using this approach at Cisco since 2016.  The attention given to TLS fingerprinting has been warranted because it is a proven method that provides network administrators with valuable intelligence to protect their networks. And while more of the TLS handshake goes dark with TLS 1.3, client fingerprinting still provides a reliable way to identify the TLS client. In fact, TLS 1.3 has increased the parameter space of TLS fingerprinting due to the added data features in the ClientHello. While there are currently only five cipher suites defined for TLS 1.3, most TLS clients released in the foreseeable future will be backwards compatible with TLS 1.2 and will therefore offer many “legacy” cipher suites. In addition to the five TLS 1.3-specific cipher suites, there are several new extensions, such as supported versions, that allows us to differentiate between clients that supported earlier draft implementations of TLS 1.3.

Why is our approach different?


But here’s the catch: the visibility gained by TLS fingerprinting is only as good as the underlying fingerprint database, and until now, generating this database was a manual process that was slow to update and was not reflective of real-world TLS usage. Building on work we first publicly released in January 2016, we solved this problem by creating a continuous process that fuses network telemetry with endpoint telemetry to build fingerprint databases automatically. This allows us to leverage data from managed endpoints to generate TLS fingerprints that give us visibility into the (much larger) set of unmanaged endpoints and do so in a way that can quickly incorporate information about newly released applications. By automatically fusing process and OS data gathered by Cisco® AnyConnect® Network Visibility Module (NVM) with network data gathered by Joy, our system generates fingerprint databases that are representative of how a diverse set of real-world applications and operating systems use network protocols such as TLS. We also apply this process to data generated from Cisco Threat Grid, an automated malware analysis sandbox, to ensure that our system captures the most recent trends in malware. With ground truth from multiple sources like real-world networks and malware sandboxes, we can more easily differentiate fingerprints that are uniquely associated with malware versus fingerprints that need additional context for a confident conviction.

Our internal database has process and operating system attribution information for more than 4,000 TLS fingerprints (and counting) obtained from real-world networks (NVM) and a malware analysis sandbox (Threat Grid). The database also has observational information such as counts, destinations, and dates observed for more than 12,000 TLS fingerprints from a set of enterprise networks. We have open sourced a subset of this database that, at more than 1,900 fingerprints (and counting), is the largest and most informative fingerprint database released to the open-source community.   This database contains information about benign processes only; we are not able to publish fingerprints for malware at this time.

Cisco Tutorials and Materials, Cisco Learning, Cisco Certifications, Cisco Guides

Given the records generated from the data fusion process, we report all processes and operating systems that use a TLS fingerprint, providing a count of the number of times we observed each process or operating system using the TLS fingerprint in real-world network traffic. This schema gives a more realistic picture of TLS fingerprint usage (in other words, many processes can map to a single fingerprint with some more likely than others).

Another advantage of our database is that it provides as much relevant contextual data per fingerprint as possible. The primary key into our database is a string that describes the TLS parameters that you would observe on the wire, which allows a system generating these keys to provide valuable information even in the case of no database matches. We associate each TLS parameter in the ClientHello with the RFC that first defined that parameter and use this information to report maximum and minimum implementation dates. These dates provide useful context on the age of the cryptographic parameters in the ClientHello and are not dependent on a database match.