Sunday 10 May 2020

The four-step journey to securing the industrial network


Just as the digitization and increasing connectivity of business processes has enlarged the attack surface of the IT environment, so too has the digitization and increasing connectivity of industrial processes broadened the attack surface for industrial control networks. Though they share this security risk profile, the operational technology (OT) environment is very different from that of IT. This post looks at the key differences and provides a four-step approach to securing the industrial network.

In industries like utilities, manufacturing, and transportation, the operations side of the business is revenue generating. As a result, uptime is critical. While uptime is important in IT, interdependencies in the OT environment make it challenging to maintain uptime while addressing security threats. For example, you can’t simply isolate an endpoint that’s sending anomalous traffic. Because of the interdependencies of that endpoint, isolating it can have a cascading effect that brings a critical business process to a grinding halt. Or, worse, human lives may be put at risk. It’s important to understand the context of security events so that they can be addressed while maintaining uptime.

With uptime requirements in mind, securing the industrial network can feel like an insurmountable challenge. Many industrial organizations don’t have visibility into all of the devices that are on their OT networks, let alone the dependencies among them. Devices have been added over time, often by third-party contractors, and an asset inventory is either non-existent or grossly outdated. Bottom line: organizations lack visibility into the operational technology environment.

To help industrial organizations address these challenges and effectively secure the OT environment, we’ve put together a four-step journey to securing the industrial network. It’s important to note that while we call it a journey, there is no defined beginning or end. It’s an iterative process that requires continual adjustments. The most important thing is to start wherever you happen to be today.

[Figure: the four-step journey to securing the industrial network]
There are many places from which to begin, and what makes a logical first step for one organization will not necessarily be the same for another. One approach is to start with gaining visibility through asset discovery. By analyzing network traffic, deep packet inspection (DPI) can identify the industrial assets connected to your network. With this visibility, you can make an informed decision on the best way to segment the network to limit the spread of an attack.

In addition to identifying assets, DPI identifies which assets are communicating, with whom or what they are communicating, and what they are communicating. With this baseline established, you can detect anomalous behavior and potential threats to process integrity. This information can then be fed into a unified security operations center (SOC), providing complete visibility to the security team.

How you deploy DPI is important. Embedding a DPI-enabled sensor on switches saves hardware costs and physical space, which can be at a premium, depending on the industry. DPI-enabled sensors allow you to inspect traffic without encountering deployment, scalability, bandwidth, or maintenance hurdles. Because switches see all network traffic, embedded sensors can provide the visibility you need to segment the network and detect threats early on. The solution can also integrate with the IT SOC while providing analytical insights into every component of the industrial control system. With DPI-enabled network switches, industrial organizations can more easily move through the four-step journey to securing the industrial network.

Saturday 9 May 2020

A Mindset Shift for Digitizing Software Development and Delivery


At Cisco, my teams—which are part of the Intent-Based Networking Group—focus on the core network layers that are used by enterprise, data center, and service provider network engineering. We develop tools and processes that digitize and automate the Cisco Software Development Lifecycle (CSDL). We have been travelling the digitization journey for over two years now and are seeing significant benefits. This post will explain why we are working diligently and creatively to digitize software development across the spectrum of Cisco solutions, some of our innovations, and where we are headed next.

Why Cisco Customers Should Care About Digitization of Software Development and Delivery


Cisco customers should consider what digitization of software development means to them. Because many of our customers are also software developers—whether they are creating applications to sell or for internal digital transformation projects—the same principles we are applying to Cisco development can be of use to a broader audience.

Digitization of development improves total customer experience by moving beyond just the technical aspects of development and thinking in terms of complete solutions that include accurate and timely documentation, implementation examples, and analytics that recommend which release is best for a particular organization’s network. Digitization of development:

◉ Leads to improvements in the quality, serviceability, and security of solutions in the field.

◉ Delivers predictive analytics to assist customers to understand, for example, the impact an upgrade, security patches, or new functionality will have on existing systems, with increased assurance about how the network will perform after changes are applied. 

◉ Automates the documentation of each handoff along the development lifecycle to improve traceability from concept and design to coding and testing.

These capabilities will be increasingly important as we continue to focus on developing solutions for software subscriptions, which shift the emphasis from long cycles creating feature-filled releases to shorter development cycles delivering new functionality and customer-requested innovations in accelerated timeframes.

Software Developers Thrive with Digital Development Workflows


For professionals who build software solutions, the digitization of software development focuses on improving productivity, consistency, and efficiency. It democratizes team-based development—that is, everyone is a developer: solution architects, designers, coders, and testers. Teams are configured to bring the appropriate expertise to every stage of solution development. Test developers, for example, should not only develop test plans and specific tests, but also provide functional specifications and code reviews, build test automation frameworks, and represent customer views for validating solutions at every stage of development. Case in point: when customer-specific use cases are incorporated early into the architecture and design phases, the functionality of the intended features is built into test suites as code is being written.

A primary focus of digitization of development is creating new toolsets for measuring progress and eliminating friction points. Our home-grown Qualex (Quality Index) platform provides an automated method of measuring and interpreting quality metrics for digitized processes. The goal is to eliminate human bias by using data-driven techniques and self-learning mechanisms. In the past 2 years, Qualex has standardized most of our internal development practices and is saving the engineering organization a considerable amount of time and expense for software management.

Labs as a Service (LaaS) is another example of applying digitization to transform the development cycle that also helps to efficiently manage CAPEX. Within Cisco, LaaS is a ready-to-use environment for sharing networking hardware, spinning up virtual routers, and providing on-demand testbed provisioning. Developers can quickly and cost effectively design and set up hardware and software environments to simulate various customer use cases, including public and private cloud implementations.

Digitization Reduces Development Workflow Frictions


A major goal of the digitization of software development is to reduce the friction points during solution development. We are accomplishing this by applying AI and machine learning against extensive data lakes of code, documentation, customer requests, bug reports, and previous test cycle results. The resulting contextual analytics will be available via a dashboard at every stage of the development process, reducing the friction of multi-phase development processes. This will make it possible for every developer to have a scorecard that tracks technical debt, security holes, serviceability, and quality. The real-time feedback increases performance and augments skillsets, leading to greater developer satisfaction.


Workflow friction points inhibit both creativity and productivity. Using analytics to pinpoint aberrations in code as it is being developed reduces the back and forth cycles of pinpointing flaws and reproducing them for remediation. Imagine a developer writing new code for a solution which includes historical code. The developer is not initially familiar with the process or the tests that the inherited code went through. With contextual analytics presenting relevant historical data, the developer can quickly come up to speed and avoid previous mistakes in the coding process. We call this defect foreshadowing. The result is cleaner code produced in less time, reduced testing cycles, and better integration of new features with existing code base.

Digitizing Development Influences Training and Hiring

Enabling a solution view of a project—rather than narrow silos of tasks—also expands creativity and enhances opportunities to learn and upskill, opening career paths. The cross-pollination of expertise makes everyone involved in solution development more knowledgeable and more responsive to changes in customer requirements. In turn everyone gains a more satisfying work experience and a chance to expand their career.

◈ Training becomes continuous learning by breaking down the silos of the development lifecycle so that individuals can work across phases and be exposed to all aspects of the development process.

◈ Automating tracking and analysis of development progress and mistakes enables teams to pinpoint areas in which people need retraining or upskilling.

◈ Enhancing the ability to hire the right talent gets a boost from digitization as data is continuously gathered and analyzed to pinpoint the skillsets that contribute the most to the successful completion of projects, thus refining the focus on the search for talent.

Join Our Journey to Transform Software Development


At Cisco we have the responsibility of carrying the massive technical debt created since the Internet was born while continuously adding new functionality for distributed data centers, multi-cloud connectivity, software-defined WANs, ubiquitous wireless connectivity, and security. To manage this workload, we are fundamentally changing how Cisco builds and tests software to develop products at web-scale speeds. These tools, which shape our work as we shape them, provide the ability to make newly-trained and veteran engineers capable of consistently producing extraordinary results.

Cisco is transforming the journey from solution conception to development to consumption. We have made significant progress, but there is still much to accomplish. We invite you to join us on this exciting transformation. As a Cisco Network Engineer, you have the opportunity to create innovative solutions using transformative toolsets that make work exciting and rewarding as you help build the future of the internet. As a Cisco DevX Engineer, you can choose to focus on enhancing the evolving toolset with development analytics and hyper-efficient workflows that enable your co-developers to do their very best work. Whichever path you choose, you’ll be an integral member of an exclusive team dedicated to customer success.

Friday 8 May 2020

Simplifying the DevOps and NetOps Journey using Cisco SD-WAN Cloud Hub with Google Cloud


Cisco and Google Cloud have partnered to bridge cloud applications and enterprise networks by creating the new Cisco SD-WAN Cloud Hub with Google Cloud. This solution, built around Cisco SD-WAN technology and Google Cloud, simplifies the NetOps and DevOps journey by automating the allocation of SD-WAN network resources to meet application requirements.

Modern enterprise applications are composed of multiple services deployed across on-premises and cloud environments. NetOps and DevOps teams maintain the infrastructure that hosts, connects, and delivers these services. The goal of these teams is to optimize the application experience. But due to the complexity of the infrastructure and the dynamism of application flows, this can be challenging. Each time a new application is deployed, the NetOps team must collect the application requirements from the DevOps team and render them into the appropriate network policy.

In this post we look at how Cisco SD-WAN Cloud Hub with Google Cloud simplifies workflow for DevOps and NetOps, by automating the tasks needed to deliver a better application experience.

Here we focus on the benefits brought by the solution in terms of automation. There are some benefits that we don’t cover in this article but are also part of the solution, such as the improved security and segmentation, the enhanced multi-cloud operation, and how Cisco SD-WAN Cloud Hub can enable traffic steering through the Google Cloud backbone network.

How DevOps Will Use Cisco SD-WAN Cloud Hub with Google Cloud


DevOps teams are interested in what the network can do for their application, rather than in how it is done. From their perspective, the network is a component meant to support specific application demands. To that end, DevOps will focus on properly classifying services according to certain traffic profiles, for instance Video Streaming or VoIP. These profiles are agreed on beforehand with NetOps, and allow DevOps to express the networking needs of the services. DevOps leaves it to NetOps to best configure the network to handle each profile.

In our new solution, the DevOps team uses Google Cloud Service Directory to publish the traffic profile that best represents the network traffic generated by a given application. They can use different traffic profiles for different services, as needed. The integration of Service Directory with Google Cloud Identity and Access Management (IAM) ensures that only those in the DevOps team with the appropriate permissions can modify the traffic profile for a service.

For example, DevOps and NetOps may agree that the services can be classified according to four profiles: standard, data, streaming and conferencing. The DevOps team then uses Service Directory to associate one of the following metadata entries with each service deployed: “traffic: standard”, “traffic: data”, “traffic: streaming”, or “traffic: conferencing”. (The metadata used here is an example to illustrate the flexibility of the solution; different teams may define different profiles.)

Let’s say that the DevOps team is deploying two services with different networking needs. They want to make sure that the traffic for each is properly handled in the SD-WAN. One service is a heavy-load database backup application, with high bandwidth requirements, while the other is a screen sharing service, not only sensitive to latency but also to packet loss. Following the metadata convention agreed with the NetOps team, the DevOps team marks these services as “traffic: data” and “traffic: conferencing”, respectively.


How NetOps Leverages the Solution


The NetOps team, for its part, has a deep knowledge of the network and can efficiently optimize it to meet application requirements. The NetOps team uses Cisco vManage (Cisco’s centralized SD-WAN management platform) to program detailed network policies that map how each traffic profile should be rendered over the SD-WAN.

The NetOps team may decide to configure policies that specify that traffic with the profile “standard” should go through a best effort tunnel, that “data” should go through a high bandwidth tunnel, and that “streaming” and “conferencing” should go through low latency tunnels. The NetOps team can further fine tune the policies to specify that traffic for “conferencing” services should go, when possible, through highly-reliable links over the Google Cloud backbone to minimize packet loss.

Thanks to the integration with Service Directory, vManage can discover in real-time an application’s characteristics and its networking needs. vManage, by constantly monitoring Service Directory, acts whenever new relevant information becomes available. For instance, as soon as the database backup service is deployed, vManage automatically retrieves the associated metadata via Service Directory and dynamically renders the network policy defined by the NetOps team. In this example, the rendered network policies steer the database backup traffic through a high-bandwidth SD-WAN path. Likewise, a conferencing application, say the aforementioned screen-sharing service, would see its traffic steered to the Google Cloud backbone.

In this way the network automatically adapts, in real-time, not only to new applications, but also to changes in application requirements or changes in existing traffic profiles. The most relevant and effective network policies are always enforced and specifically tailored for each service. This greatly simplifies operations for both NetOps and DevOps teams, which now only need to make sure that the intended application profiles and network policies are in place. Service Directory and vManage coordinate to dynamically render the most effective network optimizations.

The integration of Cisco vManage and Google Cloud Service Directory leads to an improved application experience and more efficient use of SD-WAN resources.

Additional automatic traffic steering is also a part of the solution, thanks to the automatic aggregation of data about applications, obtained via Service Directory, correlated with vManage’s detailed, real-time view of network infrastructure. For instance, prior to this integration, minimal losses on a high-bandwidth link may not trigger special actions on regular SD-WAN operation. With this solution in place, vManage, knowing that there is traffic over this link that belongs to a “conferencing” application, might automatically steer that traffic through an alternate, non-lossy link. Similarly, knowing that “standard” applications are not sensitive to small losses, vManage can take advantage of the bandwidth just made available to automatically allocate flows for “standard” applications over the lossy link.

To conclude, Cisco SD-WAN Cloud Hub with Google Cloud leverages Cisco SD-WAN and Google Cloud Service Directory to simplify the journey of the NetOps and the DevOps teams, automating the allocation of SD-WAN network resources to match applications’ demands, optimizing the application experience. All without disrupting the continuous flow with which applications are developed, deployed and supported.

Thursday 7 May 2020

What’s new and exciting on Cisco ACI with Red Hat Ansible Collections

Introduction


As customers embrace the DevOps model to accelerate application deployment and achieve higher efficiency in operating their data centers, the infrastructure needs to change and respond faster than ever to business needs. DevOps can help you achieve an agile operational model by improving on automation, innovation, and consistency. In this blog let us go on a quick journey of how Red Hat Ansible and Cisco ACI help you address these challenges quickly and proficiently.

Ansible and Cisco ACI – The perfect pair that enables a true DevOps model


In many customer IT environments, network operations still remain entrenched in error-prone manual processes. Many of the earlier generation folks that were attracted to network operations didn’t want to be programmers; rather, they were more interested in implementing and maintaining network policies using CLI and monolithic means on proprietary platforms. In recent times, best practices from the server-side and DevOps worlds have started influencing the networking world, with Cloud Administrators forced to support both the compute and network resources. However, in many cases, entirely moving away from traditional network operations may not be possible, just as a 100% DevOps strategy may not be a good fit. The best strategy is to get the most out of the least amount of change or energy. Automation is the natural solution here: the most unproductive and repetitive tasks are the ideal candidates for it.

Red Hat Ansible has fast emerged as one of the most popular platforms to automate these day-to-day manual tasks and bring unprecedented cost savings and operational efficiency. Cisco ACI’s Application Policy Infrastructure Controller (APIC) supports a robust and open API that Ansible can seamlessly leverage. Ansible is open source, works with many different operating systems that run on Cisco Networking platforms (ACI, IOS, NX-OS, IOS-XR), and supports the range of ACI offerings.

Together, Cisco ACI and Ansible provide a perfect combination enabling customers to embrace the DevOps model and accelerate ACI Deployment, Monitoring, day-to-day management, and more.

Cisco ACI – Red Hat Ansible solution


Ansible is the only solution in the market today to address network automation challenges with unified configuration, provisioning and application deployment, creating favorable business outcomes like accelerated DevOps and a simplified IT environment.

Ansible brings lots of synergies to an ACI environment with its simple automation language, powerful features such as app deployment, configuration management and workflow orchestration, and above all an agentless architecture that makes the execution environment predictable and secure.

In the latest Ansible release (2.9), there are over 100 ACI and Multisite modules in Ansible core: modules for specific objects, such as Tenants and Application Profiles, as well as a module for interacting directly with the ACI REST API. This means that a broad set of ACI functionality is available as soon as you install Ansible. After installing Ansible, only two things are required to start automating an ACI Network Fabric: first, an Ansible playbook, which is a set of automation instructions, and second, the inventory file, which lists the devices to be automated, in this case an APIC. The playbooks are written in YAML to define the tasks to execute against an ACI fabric. Here is an ACI playbook sample that configures a Tenant on an APIC.

---
- name: ACI Tenant Management
  hosts: aci
  connection: local
  gather_facts: no
  tasks:
  - name: CONFIGURE TENANT
    aci_tenant:
      hostname: "{{ hostname }}"
      username: admin
      password: adminpass        # sample credential; in practice supply it from Ansible Vault rather than hard-coding it
      validate_certs: false      # disables TLS certificate verification of the APIC; acceptable only for lab use
      tenant: "{{ tenant_name }}"
      description: "{{ tenant_name }} created Using Ansible"
      state: present

How does the Ansible-ACI integration work?


The picture below represents users creating inventory files (for the APICs we want Ansible to manage), creating the playbooks (the tasks we want to run/automate on the target systems, the APICs), and leveraging the available ACI modules for the tasks you want to configure/automate. Ansible then pushes those configuration tasks via the APIC REST API through HTTPS to the target system, the APIC.

[Figure: inventory files and playbooks feeding the ACI modules, which push configuration to the APIC via its REST API over HTTPS]

The ACI Ansible modules help cover a broad set of Data center use cases. These include:

◉ Day 0 – Initial installation and deployment – Configuration of universal entities and policies, for example switch registration, naming, user configuration and firmware update.

◉ Day 1 – Configuration and Operation – Initial Tenant creation, along with all the Tenant child configurations, for example VRF, AP, BDs, EPGs, etc.

◉ Day 2 – Additional Configuration and Optimization – Add/Update/Remove Policies, Tenants, Applications, for example add a contract to support a new protocol in an existing EPG.
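To show the Day 1 build-out described above as one complete playbook, here is an added example; it is not code from the original post or a Cisco sample. It creates a tenant with its VRF, bridge domain, application profile and two EPGs, then permits only a single database port between them through a contract, so that the EPGs start from a default-deny posture. It assumes an inventory group `aci` whose host entries set `ansible_host`, a vault-encrypted variables file supplying `apic_username` and `apic_password`, and the object names and port shown, which are constructed for illustration; the module names and parameters are those of the ACI modules shipped in Ansible 2.9.

```yaml
---
# Added example, not the original post's code. Assumes an inventory such as:
#   [aci]
#   apic1 ansible_host=apic1.example.invalid    # placeholder APIC address
# and group_vars/aci/vault.yml (encrypted with ansible-vault) defining
# apic_username and apic_password, so no credential is stored in clear text here.
- name: ACI Day 1 tenant build-out
  hosts: aci
  connection: local
  gather_facts: no
  vars:
    tenant_name: demo_tenant            # constructed name, as are all object names below
    # Shared login block, merged into every task with the YAML alias below.
    aci_login: &aci_login
      hostname: "{{ ansible_host }}"
      username: "{{ apic_username }}"
      password: "{{ apic_password }}"
      validate_certs: yes               # verify the APIC certificate; install its CA rather than turning this off
  tasks:
    - name: Create tenant
      aci_tenant:
        <<: *aci_login
        tenant: "{{ tenant_name }}"
        state: present
    - name: Create VRF with policy enforcement on, so only contracted traffic is forwarded
      aci_vrf:
        <<: *aci_login
        tenant: "{{ tenant_name }}"
        vrf: demo_vrf
        policy_control_preference: enforced
        state: present
    - name: Create bridge domain bound to the VRF
      aci_bd:
        <<: *aci_login
        tenant: "{{ tenant_name }}"
        bd: demo_bd
        vrf: demo_vrf
        state: present
    - name: Create application profile
      aci_ap:
        <<: *aci_login
        tenant: "{{ tenant_name }}"
        ap: demo_app
        state: present
    - name: Create web and db EPGs in the bridge domain
      aci_epg:
        <<: *aci_login
        tenant: "{{ tenant_name }}"
        ap: demo_app
        epg: "{{ item }}"
        bd: demo_bd
        state: present
      loop:
        - web
        - db
    - name: Filter that matches only TCP/5432 (constructed database port)
      aci_filter:
        <<: *aci_login
        tenant: "{{ tenant_name }}"
        filter: db_tcp_5432
        state: present
    - name: Filter entry for the database port
      aci_filter_entry:
        <<: *aci_login
        tenant: "{{ tenant_name }}"
        filter: db_tcp_5432
        entry: tcp_5432
        ether_type: ip
        ip_protocol: tcp
        dst_port: 5432
        state: present
    - name: Contract scoped to this VRF only
      aci_contract:
        <<: *aci_login
        tenant: "{{ tenant_name }}"
        contract: web_to_db
        scope: context
        state: present
    - name: Contract subject
      aci_contract_subject:
        <<: *aci_login
        tenant: "{{ tenant_name }}"
        contract: web_to_db
        subject: db_access
        state: present
    - name: Attach the filter to the subject
      aci_contract_subject_to_filter:
        <<: *aci_login
        tenant: "{{ tenant_name }}"
        contract: web_to_db
        subject: db_access
        filter: db_tcp_5432
        state: present
    - name: db provides the contract, web consumes it
      aci_epg_to_contract:
        <<: *aci_login
        tenant: "{{ tenant_name }}"
        ap: demo_app
        epg: "{{ item.epg }}"
        contract: web_to_db
        contract_type: "{{ item.role }}"
        state: present
      loop:
        - { epg: db, role: provider }
        - { epg: web, role: consumer }
```

Run it with `ansible-playbook -i inventory --ask-vault-pass aci_day1.yml` (file names assumed). Because every module is idempotent, a second run reports no changes, which makes the playbook safe to re-apply as a drift check; the `enforced` VRF and the single contract mean any flow between `web` and `db` other than TCP/5432 is dropped by the fabric until a further contract is added.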

Key Benefits of ACI-Ansible solution


◉ Enables Admins to align on a unified approach to managing ACI the same way they manage other Data Center and Cloud infrastructure.

◉ ACI Ansible modules provide broad coverage for many ACI objects

◉ ACI Ansible modules are idempotent, so re-running a playbook always produces the same end state

◉ ACI Ansible modules extend the trusted secure interaction of the ACI CLI and GUI.

◉ No programming skills are required to use the Ansible modules.

Wednesday 6 May 2020

Expanding the Internet for the Future Supporting First Responders and Society at Large

As social distancing measures continue, daily necessities such as maintaining a livelihood, accessing education, or obtaining critical services are being forced online. My wife and I are seeing this unfold personally as we work from home and attempt to help our 7- and 13-year-old navigate distance learning.

In our “new normal,” our consumption of online services is growing. Internet access is becoming increasingly vital to our health, safety, economic, and societal survival. And it’s not just us. Heroes and first responders, hospitals, schools, governments, workers, businesses, and our society-at-large are relying on the internet more than ever.

The more our society remains apart, the more we all need to be connected.

Service Providers Play an Important Role


With more people working from home, more children distance learning, and more parents seeking to keep their families entertained, global internet traffic has reached a new threshold. At Cisco, we’re seeing this firsthand.

Following stay-at-home mandates, traffic at major public peering exchanges increased 24% in Asia-Pacific, 20% in Europe, and 18.5% in the Americas. Here is a more specific breakdown by country:

[Figure: traffic increase at public peering exchanges, broken down by country]

Our service provider customers and partners have been doing a great job to manage the spikes in network traffic and load balance the shift in ‘peak’ online hours accordingly. They are vital to helping people stay safe and healthy, keeping them connected to their families, providing them access to important services, and supporting their jobs and education.

Service Provider Roundtable


Earlier this week, I hosted a virtual press and industry analyst roundtable with some leading providers of connectivity, social networking, and telehealth services. The panel included:

◉ Jason Porter, SVP, AT&T FirstNet

◉ Kevin Hart, EVP/ Chief Product and Technology Officer, Cox Communications

◉ Dan Rabinovitsj, VP Connectivity, Facebook

◉ Andrés Irlando, SVP/President, Public Sector and Verizon Connect at Verizon

◉ Todd Leach, VP/CIO, University of Texas, Galveston Medical Branch

◉ Mike King, MS, CHCIO, Director, University of Texas, Galveston Medical Branch

During the one-hour event, we explored how these big companies are supporting healthcare providers and first responders during this global pandemic. We also talked about critical infrastructure and how it’s driving changes in tele-health developed by the University of Texas, Galveston. Here are a few highlights from our panelists as they shared what’s happening on their networks:

Todd Leach, University of Texas Galveston Medical Branch: “We were dealing with critical patients while caring for the rest of the population. We had to scramble pretty quickly to transition over to telehealth. I can’t imagine what we would have done without having this technology.”

Kevin Hart, Cox: “Over the last two months, we’ve had a 15%-20% increase in traffic to our downstream network, and a 35%-40% increase in our upstream traffic… The peak usage window has moved from 9:00 p.m. on weekends to 2:00 – 3:00 p.m. during the weekday.”

Dan Rabinovitsj, Facebook: “People use our platform to stay connected. Messaging on all of our platforms is up 50%. In some of our markets, we’ve seen 1000% increases in video calling, video messaging—unprecedented usage.”

Jason Porter, AT&T FirstNet: “COVID was the perfect test case for our response, and we proved a nation-wide public/private network was there for first-responders the whole way.”

Andrés Irlando, Verizon Connect at Verizon: “It’s the first time we activated our Verizon emergency response team across the country, everything from mobile testing sites, to pop-up hospitals, emergency operations centers, quarantine sites… you name it. By and large, the macro network has performed very well during this crisis.”

Digital Divide


As the importance of the internet shifts from huge to massive, the pandemic is shining a spotlight on the realities of the digital divide—we’re seeing large gaps between developed and developing countries, as well as urban and rural areas, for example.

Despite the growing transition to digital and remote services, 3.8 billion people around the world still remain unconnected and underserved, lacking critical access to information, healthcare and education.

At Cisco, we believe connectivity is critical to create a society and economy in which all citizens can participate and thrive.

◉ Only 35% of the population in developing countries has internet access, versus 80% in advanced economies.

◉ Bringing the internet to those currently without it would lift 500 million people out of poverty and add $6.7 trillion to the global economy.

◉ Approximately 23% of adults internationally do not know how to use the internet.

In these challenging times, the internet is more critical than ever. Businesses, governments, and institutions realize the need to invest in the networks connecting them to their customers, constituents, patients, and students. For some, that may require increased funding, government incentives, and cooperation across industries.

As we discussed on the panel, we all believe it will take the work of new and ongoing partnerships with strong commitment to make the internet more ubiquitous. As Dan at Facebook said, “No one company can do this alone.” And as Todd at UTMB put it best, “Just because it is hard, doesn’t mean we shouldn’t do it.” We are all in.

Source: cisco.com

Tuesday 5 May 2020

Cisco’s AI/ML can make your Wi-Fi 6 upgrade a success


Upgrading to Wi-Fi 6 is not just about replacing your oldest access points. The true value proposition is in locating areas where specific Wi-Fi 6 features will improve the network performance and user experience. The AI/ML capabilities in Cisco DNA Center can help you find these upgrade opportunities.

As you are sitting at home reading this, you could be analyzing your campus wireless network for areas where Wi-Fi 6 can add the most bang for your buck. Wi-Fi 6 has some new features that are useful in resolving what used to be insurmountable problem areas in a wireless network. Your Cisco DNA Center Assurance dashboard has AI/ML features that can allow you to find these areas!

The first step is to understand these new Wi-Fi 6 features and the wireless challenges that they resolve:

Poor performance in highly congested areas: OFDMA in Wi-Fi 6 allows multiple clients to transmit simultaneously in order to increase capacity in highly congested areas.

Poor uplink performance on mobile devices: Uplink sub-channelization in Wi-Fi 6 provides mobile devices greater radio transmit power without consuming more battery power. This gives mobile devices better Wi-Fi performance in challenging conditions.

High radio interference: The Wi-Fi 6 OFDMA uplink map creates a synchronization that leads to less interference between clients and between access points. Additionally, OFDMA allows clients to transmit on small channels at greater power, making them much less susceptible to interference from other wireless devices.

The IoT small packet problem: IT teams with large concentrations of IoT devices (manufacturing, process control, video surveillance, etc.) are very familiar with the packet processing bottleneck that access points can become. Modern Wi-Fi 6 chipsets solve this with powerful quad-core 2.2GHz processors that can process three times more packets than most 802.11ac access points and twelve times as many as most 802.11n access points. This processing power, combined with a well-designed access point data-forwarding mechanism, has the potential to eliminate most of the issues you used to have supporting IoT devices.

Now let’s look at how you can use the AI/ML in Cisco DNA Center to quickly locate areas in your campus network that fit these challenging conditions.

Congested areas


Any simple network management system with wireless heat maps can show you areas of high congestion. But even older 802.11ac/Wi-Fi 5 (with multi-user MIMO) can handle most congested areas quite well. To get the best bang for our Wi-Fi buck, we only want to upgrade those areas where this congestion is affecting the performance and user experience. The Assurance section in Cisco DNA Center has an area called “Trends and Insights” where you can use AI/ML to compare just about anything on your campus network. You can compare the wireless performance in your buildings, between floors, or even compare every single access point on campus. The graphic above shows channel utilization of 2,216 access points from greatest to lowest. The access points in dark red are using very high percentages of the wireless medium to keep up with demand. You can then view the packet failure rate on those highly utilized access points. This will quickly tell you which access points have (1) high utilization AND (2) high retransmission rates. Upgrading these access points to Wi-Fi 6 is a good investment. Note that, depending on when you are reading this, you want to go back in time a few months to when your campus wireless network traffic was normal. February is a good month because it is after the winter holiday and before spring break.

Areas where mobile devices struggle


In order to minimize battery consumption, mobile device Wi-Fi radios transmit at much lower power (15mW typical) than the transmit power for access points (100mW or more). Because of this, mobile devices often struggle to send data (uplink) even though the mobile device Wi-Fi signal strength indicator shows full power. This happens because the mobile device measures how it is receiving signal from the access point (downlink). This problem is often worse in certain areas of the campus because building materials vary and things like concrete and metal exacerbate this uplink weakness.  OFDMA in Wi-Fi 6 allows a mobile device to concentrate its transmission (the uplink) on a smaller radio channel for higher power. If that didn’t make sense, imagine how the nozzle on your garden hose concentrates the flow of water to give it more power. The result for Wi-Fi 6 is the ability of a low power device to transmit with much greater uplink signal quality, which can help penetrate (or bounce around) heavy walls and other obstacles. So how can you detect areas on campus where Wi-Fi clients are experiencing low-quality uplink?

Go back to the AI/ML Trends and Insights and compare average client RSSI (Received Signal Strength Indicator) across all access points on your campus. This will tell you how each access point is receiving signal from the wireless clients. Access points with low averages should be selected for a Wi-Fi 6 upgrade.

Areas of high interference


Interference is a difficult problem to diagnose in wireless networks because the symptoms of interference can vary. Users can experience long onboarding times, slow app performance, and difficulty connecting to the cloud. The good news is that the AI Network Analytics feature in Cisco DNA Center will automatically identify interference and alert you on the “Top 10 Issues” window, right on the front page of the dashboard.

So, if you have seen these alerts on your home screen, it would be a good idea to see if Wi-Fi 6 can help mitigate this interference. If you go to the AI/ML “Trends and Insights” menu you can sort access points based on levels of interference. This can give you a list of your worst offenders. Click on one of the access points and look for the “Intelligent Capture” tool at the top of the window. This tool uses your network access points to perform complex packet, frame, and spectrum analyses.

Inside of the Intelligent Capture window, click on spectrum analysis and watch as the software begins to monitor the wireless traffic for interference severity and duty cycle. The waves show you the channels where the interference is located and how this is affecting the duty cycle of that particular access point. This is a very comprehensive test that will scan all of the available wireless channels with traffic from your actual network at that location.

Intelligent Capture lets you drill down on this and identify the percentage of channel utilization for this access point, other access points, and even non-Wi-Fi interference. The image to the right is a screen capture from the output of a spectrum analysis at 2.4 GHz (I cut the screen to be able to enlarge the image). Channels 1 and 2 have high levels of interference but channels 3 and 4 do not. If you find that interference is limited to one or two of the Wi-Fi channels, you can configure your access point to operate outside of these channels. However, if the interference is running across all channels you have a great candidate for a Wi-Fi 6 upgrade. The OFDMA synchronization in Wi-Fi 6 will greatly minimize any self-interference (interference between your own network devices and access points), and your Wi-Fi 6 clients will be able to transmit on a narrower, more powerful radio channel, giving them added robustness against internal or external interference.
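The three selection rules above (high utilization AND high failure rate, low average client RSSI, and interference on every channel versus only some channels) are easy to apply mechanically once the per-AP statistics are exported. The following is an added example written for this post, not code from Cisco DNA Center; the access point records, the metric names and the thresholds are constructed assumptions, standing in for values you would export from the Trends and Insights view.

```python
"""Rank access points for a Wi-Fi 6 upgrade from per-AP statistics.

Added example, not Cisco DNA Center code. The records and thresholds are
constructed assumptions; a real run would take the per-AP values exported
from the Trends and Insights comparison.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class AccessPoint:
    name: str
    channel_utilization_pct: float   # share of airtime the AP is using
    packet_failure_pct: float        # retransmission / failure rate
    avg_client_rssi_dbm: float       # how the AP hears its clients (uplink quality)
    interference_pct: Dict[int, float] = field(default_factory=dict)  # per-channel duty cycle


# Thresholds are assumptions for illustration, not values from the post.
UTIL_HIGH = 70.0
FAIL_HIGH = 10.0
RSSI_WEAK = -70.0
INTERFERENCE_HIGH = 30.0


def congested_candidates(aps: List[AccessPoint]) -> List[str]:
    """APs that are BOTH highly utilized AND show a high failure rate, busiest first."""
    ranked = sorted(aps, key=lambda a: a.channel_utilization_pct, reverse=True)
    return [a.name for a in ranked
            if a.channel_utilization_pct >= UTIL_HIGH and a.packet_failure_pct >= FAIL_HIGH]


def weak_uplink_candidates(aps: List[AccessPoint]) -> List[str]:
    """APs whose average received client signal is weak, weakest first."""
    ranked = sorted(aps, key=lambda a: a.avg_client_rssi_dbm)
    return [a.name for a in ranked if a.avg_client_rssi_dbm < RSSI_WEAK]


def interference_action(ap: AccessPoint) -> str:
    """Re-channel if a clean channel exists; upgrade if every channel is noisy."""
    if not ap.interference_pct:
        return "none"
    noisy = {ch for ch, pct in ap.interference_pct.items() if pct >= INTERFERENCE_HIGH}
    if not noisy:
        return "none"
    if len(noisy) < len(ap.interference_pct):
        return "change-channel"   # interference limited to some channels
    return "upgrade"              # interference across all channels


def upgrade_report(aps: List[AccessPoint]) -> dict:
    return {
        "congested": congested_candidates(aps),
        "weak_uplink": weak_uplink_candidates(aps),
        "interference": {a.name: interference_action(a) for a in aps},
    }


# Constructed sample records (names and values are made up for the example).
SAMPLE_APS = [
    AccessPoint("AP-LIB-1F-03", 88.0, 14.5, -62.0, {1: 45.0, 6: 8.0, 11: 5.0}),
    AccessPoint("AP-ENG-2F-07", 91.0, 3.0, -58.0, {1: 40.0, 6: 42.0, 11: 38.0}),
    AccessPoint("AP-GYM-B1-01", 35.0, 2.0, -76.0, {1: 4.0, 6: 6.0, 11: 5.0}),
    AccessPoint("AP-DORM-3F-12", 72.0, 11.0, -73.0, {}),
]

if __name__ == "__main__":
    for section, result in upgrade_report(SAMPLE_APS).items():
        print(section, result)
```

Note that a busy AP with a low failure rate (AP-ENG-2F-07 in the sample) is deliberately not listed under "congested": as the post says, high utilization alone is handled well by 802.11ac, and only the combination with high retransmissions marks a worthwhile upgrade.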

The IoT small packet problem


IT teams that operate networks for manufacturing, process control, mining, and digital cities are quite familiar with the IoT small packet problem. It has long been a thorn in the side of Wi-Fi networks used for machine-to-machine (M2M) connectivity and video surveillance. The issue is that these types of communication send small payloads of data at high frequency. Most forms of M2M encapsulate their data in 64-Byte UDP packets, while most normal IP file transfers use larger 1,500-Byte packets. A Wi-Fi access point is limited in the number of packets per second (PPS) that the embedded chipset can process. Imagine a Wi-Fi chipset capable of processing 30,000 PPS. For normal 1,500-Byte data packets, this device is capable of transferring 360 Mbps (30,000*1500*8). But, for 64-Byte packets the maximum throughput drops to only 45 Mbps. More importantly, 20 Mbps of M2M data can take almost half of my access point’s capacity!

To find small packet problem areas in your campus network, begin by looking at the AI/ML “Trends and Insights” menu and sort access points based on “Traffic.” This will single out the busiest access points based on packet transfers. Like before, use the Intelligent Capture feature, but this time look at the frame counts and frame errors window (shown at left). Any access points with lots of traffic, high frame counts and high frame errors are great candidates for a Wi-Fi 6 upgrade.

In the past Cisco has made many enhancements to overcome the limitations of typical Wi-Fi chipsets, like HDX and “Turbo Performance” in the Cisco Aironet 2700 and 3700 series access points for 802.11ac. This HDX technology, along with the quad-core processors now available in new Wi-Fi 6 chipsets, takes packet capacity to a whole new level, and you can see this in the Cisco Catalyst 9100 access points and Cisco Meraki Wi-Fi 6 Access Points.
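The reason frame counts matter more than raw throughput for a PPS-bound chipset is easiest to see on a frame-size sample. The following is an added example, not code from the post or from Cisco: it applies the throughput formula used above (PPS × frame size × 8) and then summarizes a constructed one-second frame capture to show how a modest bitrate of small frames consumes a large share of the packet budget. The 30,000 PPS figure is the hypothetical chipset from the text; the frame sample and the 128-byte "small frame" cutoff are my assumptions.

```python
"""Estimate packet-per-second load on an access point from a frame-size sample.

Added example, not from the post or from Cisco. The frame sample is
constructed; the 30,000 PPS budget is the hypothetical chipset in the text.
"""
from typing import List, Tuple

CHIPSET_PPS_BUDGET = 30_000   # hypothetical chipset capacity from the text
SMALL_FRAME_BYTES = 128       # assumed cutoff for "small" frames


def max_throughput_bps(pps_budget: int, frame_bytes: int) -> int:
    """Throughput a PPS-bound chipset can forward at a fixed frame size."""
    return pps_budget * frame_bytes * 8


def pps_for_bitrate(bitrate_bps: float, frame_bytes: int) -> float:
    """Packets per second needed to carry a bitrate at a given frame size."""
    return bitrate_bps / (frame_bytes * 8)


def analyse_capture(frames: List[Tuple[float, int]], window_s: float) -> dict:
    """Summarize a list of (timestamp_s, frame_len_bytes) over a capture window.

    Returns PPS, average frame size, throughput, the share of small frames,
    and the fraction of the chipset PPS budget this traffic consumes.
    """
    count = len(frames)
    if count == 0:
        return {"pps": 0.0, "avg_frame_bytes": 0.0, "throughput_bps": 0.0,
                "small_frame_share": 0.0, "pps_budget_used": 0.0}
    total_bytes = sum(length for _, length in frames)
    pps = count / window_s
    small = sum(1 for _, length in frames if length <= SMALL_FRAME_BYTES)
    return {
        "pps": pps,
        "avg_frame_bytes": total_bytes / count,
        "throughput_bps": total_bytes * 8 / window_s,
        "small_frame_share": small / count,
        "pps_budget_used": pps / CHIPSET_PPS_BUDGET,
    }


# Constructed one-second sample: 4,000 M2M frames of 64 bytes plus
# 200 bulk-transfer frames of 1,500 bytes, spread evenly over the window.
SAMPLE_FRAMES = [(i / 4000, 64) for i in range(4000)] + \
                [(i / 200, 1500) for i in range(200)]

if __name__ == "__main__":
    print("1500-byte frames, max Mbps:", max_throughput_bps(CHIPSET_PPS_BUDGET, 1500) / 1e6)
    summary = analyse_capture(SAMPLE_FRAMES, window_s=1.0)
    for key, value in summary.items():
        print(f"{key}: {value:.3f}")
```

In the sample, the 64-byte frames carry under half of the bytes but account for over 95% of the frames, so they dominate the packet budget; a capture that shows high frame counts at low throughput, the pattern the post tells you to look for in Intelligent Capture, is exactly this signature.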

My goal with this blog was to show you the power of AI/ML in Cisco DNA Center and how it can locate some of the less obvious, but more critical opportunities for upgrading to Wi-Fi 6. The material may be a bit more technical than most of our blogs here at Cisco, so please feel free to comment below with any questions you may have.

Cisco DNA Assurance and AI Network Analytics are included in the Cisco DNA Advantage software.

Monday 4 May 2020

Extending Effective Security without Adding Complexity

Security solutions often need to walk a very fine line. On one side, they must provide visibility and the capability of enforcing policy. On the other side, they cannot be so complex to administer, maintain and configure that they are not adopted or are set up in ways that are confusing or low value. At Cisco, we’ve intentionally designed, developed and acquired security solutions to be high value without being overly complex.

Security administrators are already overwhelmed with the sheer number of tools that they have. Organizations are moving to vendor consolidation, but still deploy many tools. The Cisco 2019 CISO Benchmark Study reports that 79% of those surveyed claimed it was “somewhat or very challenging to orchestrate alerts from multiple vendor products.”

Cisco Partners, Cisco Security, Cisco Prep, Cisco Learning, Cisco Exam Prep

Figure 1. The Security Effectiveness Gap

The adoption of multiple security solutions with incremental new capabilities but high degrees of complexity results in the security effectiveness gap. Organizations invest great amounts of time, money and effort for only marginal benefits. If a tool is difficult to install and only provides a small number of benefits, these investments can be costly.

Figure 2. Incremental Complexity with Exponential Benefits

Alternatively, solutions should be simple to deploy but offer expanded capabilities. The goal is for incremental complexity and exponential benefits. To this end, Cisco has made substantial investments in security solutions that organizations can deploy easily. Two examples of this are Umbrella and Duo.

Cisco Umbrella offers flexible, cloud-delivered security. It combines multiple security functions into one solution, so security teams can extend protection to devices, remote users, and distributed locations anywhere.

Duo is designed to verify the identity of all users with effective, strong authentication (two-factor authentication) before granting access to corporate applications and resources. It provides visibility into every device used to gain access to corporate applications, whether that device is corporate managed or not.

Both Umbrella and Duo can be deployed in minutes and provide visibility and protection for remote users, whether they are leveraging a VPN or not. The goal is to keep security simple while organizations and administrators handle a previously never seen set of challenges.

To help overcome these challenges, Cisco has enabled our trusted partners to manage these trials for customers around the world. Partners have tools in place to help customers initiate these trials, to extend them when necessary, and to help seamlessly move from trials to production. These skills and tools provide smooth management and transition, allowing customer administrators to focus on keeping the business running and productive.

The increase in work from home initiatives introduces some issues for administrators. Ensuring that employees can be productive is its own challenge. Organizations may have to open up corporate networks and assets in ways they never predicted. Cisco’s offerings provide the confidence that this access is granted, without sacrificing the visibility and control needed to secure those devices.