Wednesday 8 May 2019

Malicious Forces Cracking your SD-WAN Concrete? Reinforce your Network with Cisco SD-WAN Security

Security must be deep-rooted into every software-defined WAN (SD-WAN) solution rather than bolted on as an afterthought, much like the process of planting reinforcement steel in concrete.


Concrete has been used in construction for more than a thousand years. It has excellent compressive strength, which allows it to endure heavy loads, but little to no tensile strength; compression and tension are the pressing and stretching forces a material must tolerate. Most of the current SD-WAN solutions in the market, like concrete, have some notable attributes. They can provide WAN optimization, zero-touch deployment, centralized management, basic segmentation, and perhaps limited security functionality like stateful firewalling and VPN. But are they also able to protect your branch network against all internal and external threats in Direct Internet Access (DIA)?

Thousands of new complex cybersecurity threats emerge every day. Similar to concrete tension forces, these threats will eventually crack and break your SD-WAN branch network. These malicious forces are more potent when connecting your branch directly to the cloud using a common internet highway bridge.

SD-WAN Security: Built-in or Bolted-on?


In almost every area of life, it’s hard to imagine someone choosing a “bolted-on” option over a “built-in” one as their first resort. Security is not so different. Yet many enterprises are using external security appliances to secure their SD-WAN branches that connect directly to the cloud. This bolted-on security norm comes as no surprise: in the current market, there are simply not enough SD-WAN solutions with a substantial level of integrated security.

The process of bolting on legacy security tools often creates unnecessary complexity and overhead because these standalone products were never truly designed for an SD-WAN deployment. These bolted-on tools do not share the WAN tenets and have a difficult time adapting to today’s agile and scalable SD-WAN solutions.

Having distinct security and networking domains at each branch not only increases the total cost of ownership but also complicates deployment, monitoring, and manageability. A simple policy update, for example, necessitates jockeying back and forth between two different monitoring dashboards. Managing integrated security and networking controls from a single console saves time and money and makes for an overall more efficient and effective system, just as using reinforced steel bars speeds up construction.

Cisco SD-WAN security reinforcing your WAN Network


Unlike other SD-WAN vendors’ solutions in which customers have to compromise on security, application experience or advanced routing, Cisco offers an integrated industry-leading SD-WAN with best-in-class security solution. This “no compromise” solution connects any device and any user to any cloud and delivers consistent threat protection from branch locations to the cloud edge.


With Cisco SD-WAN, multiple layers of enterprise-level security capabilities – such as application-aware firewall, intrusion prevention, URL filtering, file reputation, and simplified cloud security – can be deployed and managed at scale through a single dashboard.

Gaining additional protection with Cisco Umbrella, a secure internet gateway, is as simple as checking a box within the Cisco SD-WAN unified management console. Umbrella protects users across your Cisco SD-WAN from threats such as malware, ransomware, and C2 callbacks with no added latency.

These integrated security capabilities are powered by the Cisco Talos security engine, one of the largest threat-intelligence organizations in the world, to block sources with suspicious behaviors before they proliferate across the network.

To meet today’s highly flexible and scalable demands of an SD-WAN solution, a built-in security approach needs to be part of any SD-WAN architectural design to better detect and prevent evolving threats, while simplifying management and improving performance.

It’s time to reinforce your old network construction with Cisco SD-WAN security.

Aren’t you tired of spending time patching your cracked network?

Tuesday 7 May 2019

5G + IoT Tee Up Major Disruption & Business Opportunity

Everything can be disrupted. Tiger Woods just disrupted The Masters. Telecommunications companies are being disrupted by 5G. But can 5G disrupt golf and other industries outside of telecommunications? The answer is most definitely yes. And what better time to dig into these possibilities than now, between the craziness of the Masters and the excitement building for Wells Fargo and the PGA Championship?


A tenfold increase in speed and a tenfold decrease in latency. A phone battery charge that will last a month. These are some of the ways that 5G will soon leapfrog 4G to be your favorite cellular access technology. For consumers, it’s going to take just seconds to download a movie. Streaming will be clearer. The expectation of real-time experiences with apps of all kinds will become standard.

For businesses, the faster speed and lower latency will also benefit employees, customers, and partners in every industry you can think of. The lower power consumption of 5G will allow IoT sensors to operate much longer without recharging. One game changer is likely to be wireless sensors that are small enough, light enough, easy to deploy, and cheap enough to be in huge demand.

These wireless 5G-connected sensors will be attached to everything – refrigerators, cars, clothes, cameras, and in places previously never possible. Service providers will have the ability to customize the network to the needs of those sensors and business imperatives while delivering security and reliability with strict service level agreements.

Seeds of Disruption


How will 5G and IoT disrupt an entire industry? Consider the new world of virtual driving ranges. These large facilities include driving ranges with multiple hitting bays. Sensor-enabled balls are hit at various targets — monsters, cards, targets, letters — as part of different driving range games. Other technology in the golf clubs and balls lets you hone your swing speed and evaluate ball speed, apex height, spin rates, and distances. Lessons and clinics for players at all levels are also available.

These new virtual golfing companies, which include fancy restaurants and cocktail lounges, are using technology to enhance the customer experience in every way possible. They are using IoT, and will soon benefit from 5G, to make each visit customized, social, participatory, and integrated.

With data center, cloud services, and apps in the background, real-time game analysis is provided for each customer. Telemetry data and data about the network, the users, and their devices is gathered and folded into a common data model that allows analysts to extract new learning and provide new experiences. With Cisco branch and cloud architecture, these virtual golfing chains can easily bring new sites online and with minimal IT support.

Out-Innovating with 5G


5G will spur competition for innovation among players in the virtual golfing industry. Imagine sensors on everything you can see at each facility, from clubs and balls to silverware, waiters and waitresses, and customers. Other sensors can be connected to the lights, kitchen appliances, food supply, nearby weather station, floors, and cameras. These locations will become fully connected ecosystems of sensors and sensor data.

Now, take all that data from all those sensors and put it in a giant data pool. Then apply an artificial intelligence application front end that can mine the data to create patterns that can determine experience and operations optimization. How can that information be useful? To run a more efficient kitchen. To ensure the maximum utilization of hitting bays. To give advertisers opportunities to customize ads to individuals and groups. To offer immediate suggestions on what type of driver and what kind of ball the golfer should be using.

Bartenders will know which drinks to make in advance and can offer new options to try. Social networks can participate in the golf experience. In the back office, managers can ensure tighter security with more visibility into what’s happening in each venue, make technology changes faster, roll out stores faster, and have better control of their supply chains.

Industry Implications of 5G


In addition to IoT applications and insights from data analytics, 5G will make augmented reality (AR) and virtual reality (VR) applications available and seamless to businesses of all kinds. Oil and gas exploration will be more automated and precise. Picture a drill operator who is trying to repair a drill on an ice shelf at 20 degrees below zero using collaboration over 5G satellite to share blueprints with a technician thousands of miles away.

Doctors will be able to train in virtual operating theaters. Factories will become more optimized to reduce costs, run times, and errors. Retailers will be able to target ads more precisely using time, location, customer, weather, and other data. And golfers will be able to tee up at the most exclusive courses in the world, virtually. Now think about your own industry and business.

Who are the new entrants? What companies are driving competition and how are they doing it? What could you be doing to disrupt or protect your company from disruption? Can 5G and all the things it will enable — IoT, AR/VR, data analytics, artificial intelligence — help accelerate your strategy?

Given how Tiger Woods at 43, with multiple back and knee surgeries behind him, just disrupted professional golfing with his $2 million win at the 2019 Masters and is now headed to the PGA Championship, your own business may also be ready for surprising new benefits with 5G!

Monday 6 May 2019

Cyber Defense Clinic for Education


And it’s not just America’s problem, it’s the world’s, with an estimated one million cybersecurity positions currently unfilled globally. The lack of personnel with the right digital skills to bridge the cyber-gap is growing so fast that many in the industry are predicting a three-fold plus increase in that number by 2025. That means 3.5 million unfilled cybersecurity jobs are on the horizon. So it’s time the industry gets serious about how we’re going to fill them.

Leaders in cybersecurity must lead in cyber education


As an industry-leader in cybersecurity, Cisco suggests the first step is to attract and train more defenders. That’s why we’re stepping up to do just that through our Cyber Defense Clinic (CDC) for Education program. This program helps students gain experience as both an attacker and defender in various cyber attack scenarios. Our program offers schools across America access to:

◈ Software
◈ Equipment
◈ Preprogrammed labs
◈ Lab guides
◈ And other teaching materials,

all while giving teachers the flexibility they need to use and structure labs creatively to enhance the digital skills of their students.

We must move aggressively to evolve cyber training


As defense strategies evolve, so do those of the hackers, and both are doing so at a rapid pace. For students to gain a working knowledge of them, they’ll need to go beyond basic learning to immersive cyber training, where hands-on interaction with the latest cybersecurity tools enables them to hone their expertise in cyber defense.

That’s where our Cyber Defense Clinic for Education comes in, providing students with real-world insight into ransomware, phishing, common hacking tools, breach detection, incident response, and the latest defense technologies.

Advanced tools are now a must-have in cyber education


As an IT industry-leader keeping private and public sector networks secure around the world, Cisco has developed a robust internal tool called D-Cloud, designed with customers, partners, and employees in mind. It has the power to demonstrate solutions and show proof of value to thousands of users every single day.

CDC is one of the most popular tools in D-Cloud, teaching users how technology from Cisco and other companies can be applied in real-world scenarios to defend against cyber threats. As part of our ongoing commitment to training future cyber defenders, we are training educators on this innovative tool – empowering universities, community colleges and advanced high school programs with lab access.

Most importantly, we’re making it easy too. So easy, in fact, that all they need to do is log on from their laptop and they’ll gain immediate access to millions of dollars’ worth of lab solutions, including industry-leading technologies like:

◈ Identity and Access Management (IDAM)
◈ Email Security
◈ DNS Protection
◈ Intrusion Detection (IDS/IPS)
◈ Anomaly Detection
◈ Advanced Malware Detection
◈ and even Security Incident and Event Management (SIEM) from QRadar and Splunk.

Advanced digital skills are critical to a strong cyber defense


Thanks to CDC, schools now have the capability to get creative in their cyber training so students can advance their digital skills. For example, educators can:

◈ Cap off classes with lab experiences
◈ Engage via reinforcement labs throughout the semester
◈ Create staff enrichment events
◈ Develop activities that increase cybersecurity awareness
◈ Deploy half day or full day clinics for students and faculty.

Plus, CDC can be used for community outreach and student recruiting efforts (Cyber/STEM). We’re also committed to providing and maintaining the latest equipment and solutions, and to resetting labs after each use. Our team is always happy to work hand-in-hand with a school’s IT leaders to ensure the best user experience. By the way, it’s worth noting that because CDC keeps schools separate from labs, the schools can reduce risks from outside cyberthreats.

Our team at Cisco is thrilled to offer our Cyber Defense Clinic (CDC) for Education program to both educators and students. By doing so we can all partner together, as one community, to slow and eventually bridge the growing cybersecurity skills gap.

Saturday 4 May 2019

Accelerate Your Journey to AWS With a Cisco Cloud Ready Network

Many organizations have already developed cloud migration targets and are looking at how they can accelerate cloud adoption. As organizations increasingly embrace IaaS, PaaS, and SaaS consumption models, many have selected AWS as their primary cloud provider.

While pre-migration application planning and application readiness are key areas of focus, many organizations have also realized that network readiness is critical in accelerating and ensuring a successful cloud adoption journey. Legacy network architectures lack the simplicity, adaptability, automation and, most of all, the application-awareness needed to deliver the best user experience. A Cloud Ready Network needs to enable secure and optimized connectivity to cloud services from branch and remote offices.

Cisco next-gen SDWAN is one of the pillars of the Cloud Ready Network that can accelerate organizations’ adoption of the cloud.

Cloud Ready WAN


To guarantee an optimal end-user experience, an organization requires seamless connectivity between branch office locations, applications, and workloads hosted in the cloud. Many WAN solutions are ill-equipped for this task because they are generally rigid, complex to configure, and expensive to maintain. IoT adoption, a dramatic increase in the number of network devices, and the sophistication of security threats further compound this challenge.

Cisco SDWAN on Amazon Web Services (AWS) is an overlay WAN architecture that is designed to address heterogeneous WAN connectivity and distributed users by building a scalable WAN infrastructure that reduces data transport costs and operational expenses. Cisco SDWAN for AWS helps with the following two major use cases:

Cloud Onramp for SaaS – Improving SaaS performance with SDWAN on AWS


Enterprises with a legacy WAN architecture find it challenging to ensure a quality end-user experience with their SaaS adoption. Oftentimes a suboptimal path with increased latency is chosen to connect a user to the SaaS application in the cloud, resulting in a degraded end-user experience. A cloud ready network via SDWAN solves the problem by creating multiple Internet exit points and dynamically steering around bandwidth and latency issues in real time, resulting in an optimal SaaS user experience at branches.

To achieve this the SDWAN fabric continuously measures the performance of designated SaaS applications through all permissible paths from a branch including direct internet access. For each path, the fabric computes a quality-of-experience (vQoE) score that gives network administrators visibility into application performance. The fabric also makes real-time decisions to choose the best-performing path per application per VPN between the end users at a remote branch and the cloud SaaS application and automatically fails over in case of performance degradation.
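The per-application, per-VPN path selection just described, as an added example in Go that is not Cisco code: each permissible exit is scored from its latest probe, the best-scoring path is chosen, and traffic is only moved off the current path when another is clearly better, so that brief measurement jitter does not flap sessions. The Score function is a constructed stand-in for the vQoE score, since the text does not publish the fabric’s formula, and the names PathProbe, Selector and Choose are the example’s own. The probe values are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// PathProbe is one measurement of a SaaS application over one candidate exit,
// e.g. a direct internet access circuit or the backhaul through the data centre.
type PathProbe struct {
	Path      string
	LatencyMs float64
	LossPct   float64
}

// Score is a constructed stand-in for the vQoE score on a 0..10 scale (the text
// does not give the fabric's formula): latency costs up to 5 points at the budget,
// and each percent of loss costs 2 points, since loss hurts interactive SaaS most.
func Score(p PathProbe, latencyBudgetMs float64) float64 {
	s := 10 - 5*p.LatencyMs/latencyBudgetMs - 2*p.LossPct
	if s < 0 {
		return 0
	}
	return s
}

// Selector tracks the chosen exit per (VPN, application) and only moves traffic
// when another path beats the current one by at least Hysteresis points.
type Selector struct {
	LatencyBudgetMs float64
	Hysteresis      float64
	current         map[string]string // "vpn/app" -> path currently carrying it
}

func NewSelector(latencyBudgetMs, hysteresis float64) *Selector {
	return &Selector{LatencyBudgetMs: latencyBudgetMs, Hysteresis: hysteresis, current: map[string]string{}}
}

// Choose returns the exit to use for app in vpn given the latest probes, and
// whether this call failed traffic over from a previously chosen path.
func (s *Selector) Choose(vpn, app string, probes []PathProbe) (path string, switched bool) {
	key := vpn + "/" + app
	sorted := append([]PathProbe(nil), probes...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Path < sorted[j].Path }) // deterministic ties
	scores := make(map[string]float64, len(sorted))
	best, bestScore := "", -1.0
	for _, p := range sorted {
		scores[p.Path] = Score(p, s.LatencyBudgetMs)
		if scores[p.Path] > bestScore {
			best, bestScore = p.Path, scores[p.Path]
		}
	}
	cur, had := s.current[key]
	if curScore, alive := scores[cur]; had && alive && bestScore-curScore < s.Hysteresis {
		return cur, false // current path is still measurable and not clearly worse: stay
	}
	s.current[key] = best
	return best, had && cur != best
}

func main() {
	sel := NewSelector(200, 1.0)
	// constructed probes for one SaaS application in VPN 10: DIA is fast, backhaul slower
	fmt.Println(sel.Choose("vpn10", "saas-mail", []PathProbe{{"dia-isp1", 20, 0}, {"mpls-dc", 80, 0}}))
	// the DIA circuit starts losing packets: fail over to the backhaul
	fmt.Println(sel.Choose("vpn10", "saas-mail", []PathProbe{{"dia-isp1", 20, 3}, {"mpls-dc", 80, 0}}))
	// DIA recovers but is only marginally better: hysteresis keeps traffic on the backhaul
	fmt.Println(sel.Choose("vpn10", "saas-mail", []PathProbe{{"dia-isp1", 75, 0}, {"mpls-dc", 80, 0}}))
}
```

Hysteresis and the per-(VPN, application) key are the two design points worth keeping in any real selector: without the first, a path oscillating around the threshold drags sessions back and forth; without the second, a segment with strict requirements would inherit another segment’s choice.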


Cloud Onramp for IaaS – Faster and secure connectivity from branches to the AWS cloud

Traditional hub-and-spoke network architectures were designed to support consolidated applications and services hosted at centralized “demilitarized zones” (DMZs) and data centers. This layout forces the backhaul of internet traffic through the DMZ, creating inefficient traffic routes that increase the distance between end user and application. As an alternative, many organizations have opted to implement private circuits or MPLS to create mesh connectivity and satisfy any-to-any traffic requirements. This approach can work but is costly and adds operational complexity. There is also a need to handle dynamic traffic patterns driven by seasonality, bursting, or external events.

Cisco SDWAN Cloud onramp for IaaS extends the visibility, reliability, and management of the SDWAN network from branches, remote sites, and campus to AWS. It allows for transport-independent any-to-any connectivity and end-to-end VPN segmentation. Tight integration with Amazon Virtual Private Cloud (VPC) enables organizations to automate network configurations with a consistent policy across branch, DC, and AWS, so that they can deploy and scale workloads on AWS faster. Cisco vEdge routers are deployed in a gateway VPC to connect branches and application VPCs. This enables administrators to easily scale up the VPC environment by reducing the number of point-to-point tunnels between an organization’s branches and host VPCs, resulting in simplified WAN management, lower transport costs, and faster time to deploy. The gateway VPC also supports workload segmentation, especially when an organization deploys application VPCs across multiple AWS regions. The vManage component of the Cisco SDWAN solution orchestrates the WAN sites and Amazon VPCs to automate connectivity and provides full lifecycle management and network visibility into the entire SDWAN environment.


Friday 3 May 2019

Optimizing Cloud Resources + Reducing Your Carbon Footprint with TimeBox

At Cisco Engineering, innovation isn’t just something we do; it’s a way of life.

With tens of thousands of developers churning out an equal number of cutting-edge solutions at high velocity, Cisco truly is at the helm of technological innovation.

For context, Cisco has a vast amount of DevOps activities that are associated with development and these require significant resources for running workloads. The resources encompass storage, compute, memory, and associated ancillary costs such as real estate footprint, electricity, and others. Moving to the cloud does not change the fundamentals of this challenge; even cloud workloads at the end of the day need to run on compute (and consume electricity). This landscape created the perfect opportunity for Cisco internal engineering to innovate.

Enter TimeBox.


Born out of a Cisco-fueled engineering hackathon and with roots in our Kanata, Ontario, Research & Development Centre, TimeBox is an award-winning made-in-Canada solution. With two filed patents, it is taking cloud resource optimization at Cisco to new heights.

As a data-driven resource optimizer, TimeBox:

1. Understands intent.

2. Provides recommendations.

3. Monitors and heals workloads on auto-pilot.

4. Provides insight into workloads.

5. Is a one-stop-shop to discover your Total Cost of Ownership (TCO) footprint, directly mapping to financial costs.

Here is the recipe:



Through machine learning, TimeBox understands the intent of historic workload computations, then uses those to make recommendations for a better schedule. Once tweaked, this schedule gets re-trained for subsequent, more sophisticated Artificial Intelligence (AI) driven recommendations. It also works as a smart assistant, automatically answering frequently posed questions and challenges encountered by our Cisco engineers. These include:

1. Determining the optimal resources required for a given workload.
2. Autonomous monitoring and healing of aborted workloads.
3. Total Cost of Ownership for a given workload.
4. Preventing accidental hoarding of resources.

In a nutshell:



Scheduling and optimizing cloud resources is not a new idea, but using genetic modelling-based AI to solve for it may just be. TimeBox can be pervasive, with applications across any industry where the efficiency of resource allocation is critical. Wherever resources are consumed periodically, there is a need for optimal capacity planning across workloads of large variety and with variable characteristics.

Thursday 2 May 2019

The Future is Now! Presenting the Cisco Catalyst 9100 Wi-Fi 6 Access Points

When I was a kid, the future meant flying cars and everyone wearing the same silver jumpsuits. It’s been a few years since I was a kid, and while I may not own a flying car, I don’t have to wear a jumpsuit, and working at Cisco allows me to check out all of the new innovations that we bring to the world.

With the launch of our newest Catalyst 9100 Access Points, we’re continuing our journey to bring Intent-based Networking to our customers—we’re bringing the future to now. The Catalyst 9100 Access Points are the new addition to the Catalyst family and they’re also our first access points that adhere to Wi-Fi 6 (802.11ax) standard.

A lot of people have been talking about the future of the network. You may have seen Cisco CEO Chuck Robbins present at this year’s MWC in Barcelona or perhaps you tuned in to our Virtual Event announcing our new Wi-Fi 6 innovations a few days ago.

I know that you’re thinking that this is just another access point that’s meeting another standard, this isn’t flying-car news. And you’re right, it won’t bring you a flying car, but these new devices have greater bandwidth, a more dependable connection to the network and features that will continue to automate your network. These new features are going to allow for a lot of really great uses–and in a lot of ways, that’s better.

How so? How about things such as robots and advanced virtual and augmented reality (VR/AR).

Like some of you, one of my all-time favorite TV shows is The Simpsons. There was a classic episode where Lisa dreamt of the perfect school, and in that dream her teacher told her to put on her virtual reality helmet and travel back in time to the days of Genghis Khan. Thanks to the Catalyst 9100 Access Points and their increased bandwidth and strong connection, this won’t be a cartoon fantasy anymore. Students are able to learn by literally immersing themselves in their studies, whether it’s using AR to go back in time and relive a historical battle or delving into a scientific study.

The VR and Wi-Fi 6 partnership isn’t just for pointy haired, second grade geniuses either. Surgeons can employ VR to work on patients at a hospital on the other side of the world. This means that geography and time will no longer be the deciding factors on whether patients get the treatment they need.

To make use of this new technology, you’re going to need a reliable, scalable and secure wireless network that can handle the additional number of devices and the data that they’re going to create. That’s where the Cisco Catalyst 9100 Access Points come in. These access points are your first step to creating that robust network needed to handle the crush of devices and applications connecting to your network.

Here are some things you can expect:

• Enhanced features: Cisco RF ASIC delivers CleanAir, Wireless Intrusion Prevention System (WIPS), and Dual Filter DFS, in addition to Fast Locate and off-channel RRM, which will be available in future releases. The Cisco Catalyst 9100 access points also support Target Wake Time, a new power-saving mode that allows the client to stay asleep and wake at prescheduled times to exchange data with the access point. The energy savings over 802.11n and 802.11ac are significant, up to three to four times those of the older standards. In addition, this improves power and battery efficiency in end devices like smartphones, tablets and IoT devices.

• Addresses the growing IoT explosion: The Cisco Catalyst 9100 access points provide multi-lingual support and application hosting of IoT protocols such as Wi-Fi, BLE and Zigbee. IoT is more than lights, heating and security cameras. From life-saving medical equipment in hospitals to restocking robots—I told you that there would be robots!—in retail to heavy machinery in manufacturing, all of these devices are considered IoT. Everything is connected and since some of these devices are literally the difference between life and death, they must be always-on. Making sure that this equipment doesn’t have downtime is paramount.

• Customizable with a programmable RF ASIC: The Catalyst 9120 access point has a custom RF ASIC and provides real-time analytics. When combined with Cisco DNA Assurance, it allows you to gain RF intelligence and visibility that can be analyzed and used to run your network more efficiently. The custom RF ASIC also has a dedicated third radio that is automatically enabled in high-density scenarios. This goes along with delivering other features such as RF interference mitigation and rogue detection.

• Reliability: always-connected, always dependable; a seamless experience. The Catalyst 9100 access points have improved roaming features allowing a better Wi-Fi experience. Add Spectrum Intelligence and Interference and Rogue Detection to the reliability mix and you can be sure that your network is clear of any issues that will hinder a seamless connection.

• Capacity: Thanks to Wi-Fi 6, there is a reduced latency with 100+ devices communicating at the same time. The Catalyst 9100 access points will also provide support in the future for both OFDMA and MU-MIMO to help to dole out application resources. OFDMA is ideal for low-bandwidth applications and increases efficiency while reducing latency. For high-bandwidth applications, MU-MIMO increases capacity resulting in higher speeds per user. Look at MU-MIMO as multiple trucks serving users simultaneously, while OFDMA is one truck serving each user.

The new Catalyst 9100 access points are poised to take your infrastructure to the next level. And with more devices being added to the network every day, this next level is where you’re going to need to be.

The future is much closer than you think. Outfitting your infrastructure is the best way of bringing the future to now.

Wednesday 1 May 2019

Cisco Trusted Platforms

Service Provider networks serve as critical infrastructure, and the security and trustworthiness of the network infrastructure is essential, as discussed in the Trusted Infrastructure video from Mobile World Congress. Providers of digital infrastructure must be able to verify whether the hardware and software that comprise their infrastructure are genuine, uncompromised, and operating as intended. As shown in Figure 1 below, there are security and trust requirements at every layer of the Network Operating System. I will address each of these layers in this and a subsequent blog.


Figure 1: Network Operating System Layers and Security Requirements

Note that not all the features listed here are available on all Service Provider platforms. Please contact the sales team for details.

Foundations of Trust


The ability to verify that a Cisco device is genuine and running uncompromised code depends on Cisco Secure Boot and Trust Anchor module (TAm). Cisco uses digitally-signed software images, a Secure Unique Device Identifier (SUDI), and a hardware-anchored secure boot process to prevent inauthentic or compromised code from booting on a Cisco platform.

Hardware Root of Trust


A trusted element in the scope of system software is a piece of code that is known to be authentic. A trusted element must either be immutable (stored in such a way as to prevent modification) or authenticated through validation mechanisms. Cisco anchors the root of trust, which initiates the boot process, in tamper-resistant hardware. The hardware-anchored root of trust protects the first code running on a system from compromise and becomes the root of trust for the system.

Trust Anchor module


The Trust Anchor Module (TAm) is a proprietary, tamper-resistant chip that features non-volatile secure storage, Secure Unique Device Identifier (SUDI), and crypto services including random number generation (RNG). See below for additional information on SUDI.

Image signing


Image signing is a two-step process that creates a unique digital signature for a given block of code. First, a hashing algorithm, similar to a checksum, is used to compute a hash value of the block of code. The hash is then encrypted with a Cisco private key, resulting in a digital signature that is attached to and delivered with the image. Signed images can be checked at runtime to verify that the software has not been modified.

Chain of Trust


A chain of trust exists when the integrity of each element of code on a system is validated before that piece of code is allowed to run. A chain of trust starts with a root of trust element. The root of trust validates the next element in the chain (usually firmware) before it is allowed to start, and so on. Through the use of image signing and trusted elements, Cisco hardware-anchored secure boot establishes a chain of trust which boots the system securely and validates the integrity of the software.

Secure Boot


Cisco Secure Boot helps ensure that the code that executes on Cisco hardware platforms is genuine and untampered. A typical UEFI-based boot process starts at the UEFI firmware and works up to the boot loader and the operating system. A tampered UEFI firmware can result in the entire boot process being compromised.

Using a hardware-anchored root of trust, digitally-signed software images, and a unique device identity, Cisco hardware-anchored secure boot establishes a chain of trust which boots the system securely and validates the integrity of the software. The root of trust (a.k.a. the microloader), which is protected by tamper-resistant hardware, first performs a self-check and then verifies the UEFI firmware, thus kicking off the chain of trust that leads up to the integrity verification of the entire IOS XR operating system.
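The image-signing, chain-of-trust and secure-boot mechanics of the last three sections, as one added example in Go that is not Cisco code: each boot stage is hashed together with the public key it pins for its successor and signed with the stage owner’s private key; the root of trust holds only the first public key, and every stage is verified before it may run. Ed25519 is used here as the signature scheme, the two stages (UEFI firmware, then the OS image) are constructed byte strings, and the names SignedImage, BootChain and BuildDemoChain are the example’s own; the real platform’s algorithms and key hierarchy are not described in the text.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedImage is one boot stage: its code, the public key it will use to verify
// the NEXT stage (nil for the last stage), and the signature over both.
type SignedImage struct {
	Name      string
	Code      []byte
	NextKey   ed25519.PublicKey
	Signature []byte
}

// imageDigest hashes the code together with the pinned successor key, so neither
// the code nor the key for the next link can be swapped without breaking the signature.
func imageDigest(code []byte, nextKey ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write(code)
	h.Write(nextKey) // empty for the last stage
	return h.Sum(nil)
}

// SignImage is the two-step process from the text: hash the block of code, then
// sign that hash with the signer's private key (Ed25519 in this example).
func SignImage(priv ed25519.PrivateKey, name string, code []byte, nextKey ed25519.PublicKey) SignedImage {
	sig := ed25519.Sign(priv, imageDigest(code, nextKey))
	return SignedImage{Name: name, Code: code, NextKey: nextKey, Signature: sig}
}

// VerifyImage recomputes the hash and checks the signature with the given public key.
// A missing or malformed key counts as a failed verification rather than a panic.
func VerifyImage(pub ed25519.PublicKey, img SignedImage) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, imageDigest(img.Code, img.NextKey), img.Signature)
}

// BootChain models hardware-anchored secure boot: the root of trust holds only the
// key for the first stage; each stage is verified before it may run and then hands
// its pinned NextKey to the next link. It returns the stages that were allowed to
// run and the error that halted the boot, if any.
func BootChain(rootOfTrustKey ed25519.PublicKey, stages []SignedImage) ([]string, error) {
	var ran []string
	key := rootOfTrustKey
	for _, st := range stages {
		if !VerifyImage(key, st) {
			return ran, fmt.Errorf("secure boot halted: %s failed verification", st.Name)
		}
		ran = append(ran, st.Name) // stage is trusted; in a real system it now executes
		key = st.NextKey
	}
	return ran, nil
}

// BuildDemoChain signs two constructed stages (UEFI firmware, then the OS image) with
// two fresh keys and returns the public key the root of trust is anchored with.
func BuildDemoChain() (ed25519.PublicKey, []SignedImage, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader) // anchored in the root of trust
	if err != nil {
		return nil, nil, err
	}
	osPub, osPriv, err := ed25519.GenerateKey(rand.Reader) // pinned by the UEFI stage
	if err != nil {
		return nil, nil, err
	}
	uefi := SignImage(vendorPriv, "uefi", []byte("constructed UEFI firmware bytes"), osPub)
	osImg := SignImage(osPriv, "os", []byte("constructed network OS image bytes"), nil)
	return vendorPub, []SignedImage{uefi, osImg}, nil
}

// TamperStage returns a copy of the chain with one byte of stage idx's code flipped,
// as an on-flash or in-transit modification would.
func TamperStage(stages []SignedImage, idx int) []SignedImage {
	out := append([]SignedImage(nil), stages...)
	code := append([]byte(nil), out[idx].Code...)
	code[0] ^= 0xff
	out[idx].Code = code
	return out
}

func main() {
	root, stages, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	ran, err := BootChain(root, stages)
	fmt.Println("clean boot ran:", ran, "err:", err)
	ran, err = BootChain(root, TamperStage(stages, 1))
	fmt.Println("tampered OS ran:", ran, "err:", err)
}
```

Hashing the successor key into each stage’s digest is what makes the chain a chain: an OS image re-signed with some other key fails even though that signature is internally valid, because the UEFI stage pinned the expected key. The two cases worth exercising are a stage modified after signing and a stage re-signed by an unauthorised key; both halt the boot before that stage runs.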


Secure Unique Device Identifier (SUDI)


The SUDI is an X.509v3 certificate and an associated key-pair which are protected in hardware in the Trust Anchor module (TAm). The SUDI certificate contains the product identifier and serial number and is rooted in Cisco Public Key Infrastructure. This identity can be either RSA or ECDSA based. The key pair and the SUDI certificate are inserted into the Trust Anchor module during manufacturing, and the private key can never be exported. The SUDI provides an immutable identity for the router that is used to verify that the device is a genuine Cisco product, and to ensure that the router is well-known to the customer’s inventory system.

The SUDI-based identity can be used to perform authenticated and automated configuration using Zero Touch Provisioning (ZTP). A backend system can issue a challenge to the router to validate its identity and the router will respond to the challenge using its SUDI based identity. This allows the backend system to not only verify against its inventory that the right router is in the right location but also provide encrypted configuration that can only be opened by the specific router, thereby ensuring confidentiality in transit.
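The SUDI challenge-response described above, as an added example written against Go’s standard library and not Cisco’s implementation: a constructed self-signed manufacturing CA stands in for the Cisco PKI, the product ID and serial number are carried in the certificate subject, and the private key lives only inside a TrustAnchor type that exposes a sign operation. The backend validates the certificate chain, takes the serial from the certificate rather than from anything the device claims, checks it against the site inventory, and verifies a signature over a fresh random nonce. The RSA flavour of the SUDI is used; the encrypted-configuration step from the text is not shown (with an RSA SUDI it would be an RSA-OAEP encryption to the certificate’s public key). The PID and serial values are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TrustAnchor stands in for the TAm: the private key is sealed inside and only a sign operation is exposed.
type TrustAnchor struct {
	key  *rsa.PrivateKey
	SUDI *x509.Certificate // public; sent to the backend during onboarding
}

// Sign answers a backend challenge with an RSA PKCS#1 v1.5 signature over SHA-256(nonce).
func (t *TrustAnchor) Sign(nonce []byte) ([]byte, error) {
	d := sha256.Sum256(nonce)
	return rsa.SignPKCS1v15(rand.Reader, t.key, crypto.SHA256, d[:])
}

// template puts the product ID in the CN and the chassis serial in the Subject serialNumber.
func template(pid, serial string, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: pid, SerialNumber: serial},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(20, 0, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
}

func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewVendorPKI creates a constructed self-signed root standing in for the vendor PKI.
func NewVendorPKI() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := template("Constructed Manufacturing CA", "", true)
	root, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return root, key, err
}

// IssueSUDI is the manufacturing step: the device key is generated inside the TAm (it never leaves) and its SUDI is issued.
func IssueSUDI(root *x509.Certificate, caKey *rsa.PrivateKey, pid, serial string) (*TrustAnchor, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	cert, err := issue(template(pid, serial, false), root, &key.PublicKey, caKey)
	return &TrustAnchor{key: key, SUDI: cert}, err
}

// Onboard is the ZTP backend side: validate the SUDI against the vendor root, check the serial
// against the site inventory, then challenge with a fresh nonce and verify the signed response.
func Onboard(roots *x509.CertPool, inventory map[string]string, site string, dev *TrustAnchor) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := dev.SUDI.Verify(opts); err != nil {
		return "", fmt.Errorf("SUDI not rooted in trusted PKI: %w", err)
	}
	serial := dev.SUDI.Subject.SerialNumber
	if inventory[serial] != site {
		return "", fmt.Errorf("serial %s (%s) is not expected at %s", serial, dev.SUDI.Subject.CommonName, site)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sig, err := dev.Sign(nonce) // only a device holding the sealed key can produce this
	if err != nil {
		return "", err
	}
	if err := dev.SUDI.CheckSignature(x509.SHA256WithRSA, nonce, sig); err != nil {
		return "", fmt.Errorf("SUDI challenge failed: %w", err)
	}
	return serial, nil
}

func main() {
	root, caKey, _ := NewVendorPKI()
	roots := x509.NewCertPool()
	roots.AddCert(root)
	router, _ := IssueSUDI(root, caKey, "CONSTRUCTED-PID-8000", "SN-00001")
	fmt.Println(Onboard(roots, map[string]string{"SN-00001": "site-a"}, "site-a", router))
}
```

Two details carry the security value: the nonce is fresh and random on every exchange, so a recorded response cannot be replayed, and the serial is read from a certificate that chains to the vendor root, so a device with a matching serial but a certificate from another issuer is rejected before the inventory is even consulted.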

Secure Storage


Cisco’s Trust Anchor technology provides a mechanism to securely store secrets on the router. The encryption of the storage space is tied to the hardware root of trust, and data cannot be decrypted without the specific hardware that was used to encrypt it. The secrets that can be stored include user passwords, customer credentials for authentication protocols such as RADIUS or TACACS, customer certificates, and any type of keys.

The combination of SUDI-based ZTP and secure storage provides very strong protection of customer configuration and secrets.
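Secure storage bound to a hardware-held secret, as an added example in Go that is not the TAm’s actual design: a device-unique secret that never leaves the TrustAnchorStorage type derives a per-store key, and secrets are sealed with AES-256-GCM so that a blob sealed on one chassis cannot be opened on another, cannot be opened from a different store, and is rejected after any modification. Deriving keys by hashing is a simplification; a production design would use a KDF such as HKDF. The RADIUS secret and the type and function names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustAnchorStorage stands in for TAm-backed secure storage: the device-unique
// secret never leaves the struct, and callers only get Seal and Open.
type TrustAnchorStorage struct {
	deviceSecret [32]byte // constructed stand-in for the hardware-held secret
}

// NewTrustAnchorStorage models manufacturing: a fresh random secret per chassis.
func NewTrustAnchorStorage() (*TrustAnchorStorage, error) {
	s := &TrustAnchorStorage{}
	if _, err := rand.Read(s.deviceSecret[:]); err != nil {
		return nil, err
	}
	return s, nil
}

// storageKey derives a per-store key from the hardware secret, so the RADIUS
// secret store and the certificate store never share a key. (Hashing is a
// simplification here; a production design would use a KDF such as HKDF.)
func (s *TrustAnchorStorage) storageKey(purpose string) []byte {
	h := sha256.New()
	h.Write(s.deviceSecret[:])
	h.Write([]byte("secure-storage/" + purpose))
	return h.Sum(nil) // 32 bytes, i.e. AES-256
}

func (s *TrustAnchorStorage) aead(purpose string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.storageKey(purpose))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a secret with AES-256-GCM; the random nonce is prepended to the
// ciphertext and the store name is bound as additional authenticated data.
func (s *TrustAnchorStorage) Seal(purpose string, secret []byte) ([]byte, error) {
	gcm, err := s.aead(purpose)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, []byte(purpose)), nil
}

// Open reverses Seal; it fails on another device, in another store, or after any
// modification of the blob, because the GCM tag no longer verifies.
func (s *TrustAnchorStorage) Open(purpose string, blob []byte) ([]byte, error) {
	gcm, err := s.aead(purpose)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(purpose))
}

func main() {
	routerA, _ := NewTrustAnchorStorage()
	routerB, _ := NewTrustAnchorStorage() // another chassis with its own hardware secret
	blob, _ := routerA.Seal("radius", []byte("constructed-radius-shared-secret"))
	got, err := routerA.Open("radius", blob)
	fmt.Printf("same device: %s (err=%v)\n", got, err)
	_, err = routerB.Open("radius", blob)
	fmt.Println("other device:", err)
	_, err = routerA.Open("tacacs", blob)
	fmt.Println("wrong store:", err)
}
```

Binding the store name as authenticated data is what stops a blob from one store being replayed into another on the same device; the per-chassis secret is what stops a copied configuration file from yielding its secrets on any other hardware.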

Hardware Fingerprint


Tampered hardware, particularly in transit, is a clear vector of attack. This is especially a concern when the hardware is in transit from Cisco to our customers and partners, or when a Service Provider ships their router from a holding center to the deployment center. A malicious agent can intercept the hardware in transit and tamper with it in a non-detectable manner.

Cisco’s Hardware Fingerprinting technology provides the ability to detect tampered hardware using the Trust Anchor. Cisco fingerprints the critical hardware elements of a router, such as CPUs and ASICs, during manufacturing and stores the fingerprint in the tamper resistant Trust Anchor. This fingerprint is not only immutable once it is inserted into the Trust Anchor but it also cannot be read back from the Trust Anchor.

When the router boots, UEFI firmware fingerprints the hardware elements of the router and sends the observed fingerprint to the Trust Anchor hardware, which compares it against the master fingerprint stored inside. UEFI firmware will only boot the router if the Trust Anchor hardware successfully verifies the observed fingerprint against the master fingerprint.
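The boot-time fingerprint check, as an added example in Go with constructed component identities (not Cisco’s fingerprinting format): components are hashed in canonical slot order so the order in which UEFI reads them does not matter, the master fingerprint is write-once and exposed only through a constant-time compare that answers yes or no, and UEFIBoot refuses to continue on a mismatch. The names Component, TrustAnchorFingerprint and UEFIBoot are the example’s own.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"sort"
)

// Component is one inventoried hardware element (CPU, ASIC, ...): the slot it
// occupies and the identity string read from the silicon.
type Component struct {
	Slot, Identity string
}

// Fingerprint hashes the components in canonical slot order, so the order in which
// UEFI happens to read them does not change the result, while any swapped, added
// or missing part does. Fields are length-prefixed so concatenations cannot collide.
func Fingerprint(parts []Component) [32]byte {
	sorted := append([]Component(nil), parts...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Slot < sorted[j].Slot })
	h := sha256.New()
	for _, p := range sorted {
		fmt.Fprintf(h, "%d:%s|%d:%s;", len(p.Slot), p.Slot, len(p.Identity), p.Identity)
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// TrustAnchorFingerprint models the property described in the text: the master
// fingerprint is written once at manufacturing and afterwards can only be compared
// against, never read back or overwritten.
type TrustAnchorFingerprint struct {
	master [32]byte
	sealed bool
}

// Provision stores the master fingerprint; any later write is refused.
func (t *TrustAnchorFingerprint) Provision(parts []Component) error {
	if t.sealed {
		return errors.New("master fingerprint already provisioned")
	}
	t.master = Fingerprint(parts)
	t.sealed = true
	return nil
}

// Verify compares an observed fingerprint in constant time and answers only yes or no.
func (t *TrustAnchorFingerprint) Verify(observed [32]byte) bool {
	return t.sealed && subtle.ConstantTimeCompare(t.master[:], observed[:]) == 1
}

// UEFIBoot is the boot-time check: fingerprint what is actually installed, ask the
// trust anchor, and refuse to continue booting on a mismatch.
func UEFIBoot(ta *TrustAnchorFingerprint, installed []Component) (bool, error) {
	if !ta.Verify(Fingerprint(installed)) {
		return false, errors.New("hardware fingerprint mismatch: refusing to boot")
	}
	return true, nil
}

func main() {
	// constructed identities for a router with one CPU and two forwarding ASICs
	factory := []Component{{"cpu0", "constructed-cpu-id-A1"}, {"npu0", "constructed-asic-id-7F"}, {"npu1", "constructed-asic-id-7E"}}
	ta := &TrustAnchorFingerprint{}
	if err := ta.Provision(factory); err != nil {
		panic(err)
	}
	fmt.Println(UEFIBoot(ta, []Component{factory[2], factory[0], factory[1]})) // same parts, different read order
	swapped := append([]Component(nil), factory...)
	swapped[1].Identity = "constructed-asic-id-XX" // an ASIC replaced in transit
	fmt.Println(UEFIBoot(ta, swapped))
}
```

The anchor deliberately offers no read-back of the master value: the only question it answers is whether the observed fingerprint matches, which is all the boot firmware needs and denies an attacker the reference to forge against.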

As threats evolve, Cisco continues to enhance the security and resilience of our solutions.  While no vendor can guarantee security, we are committed to transparency and accountability and to acting as a trusted partner to our customers to address today’s, and tomorrow’s, security challenges.