Saturday 13 August 2022

First Code… Then Infrastructure as Code… Now Notes as Code!

First, let me say how we take notes and what tools we use are admittedly a personal preference and decision. Hopefully, we are doing it, however!

Most of us are creatures of habit and comfort – we want it simple and effective. When we put that developer hat on as part of our DevOps/SRE or AppDev roles it’s optimal when we can combine our code development environment, or IDE, with a tool that we take notes in. I’m sure most of us are using Microsoft’s Visual Studio Code app as we write Python or Go-based scripts and applications during our network programming and automation work. I probably knocked out 4,500 lines of Python in support of the CiscoLive Network Operations Center (NOC) automation earlier this summer and VS Code was integral to that.

Microsoft Visual Studio Code with a CiscoLive NOC Python Script

You’re probably familiar with VS Code’s strong integration with git from your local development environment and the ability to synchronize with remote GitHub repositories. It’s a great feature to ensure version control, provide code backup storage, and encourage collaboration with other developers.

GitHub with a CiscoLive NOC Software Repository

I was encouraged to find an extension to VS Code that follows the concept of ‘Docs as Code’. If you’re not familiar, I’d encourage you to follow my esteemed Developer Relations colleague, Anne Gentle, who is leading much innovation in this space. Anne describes this concept in her GitHub repo.

The extension I use is called Dendron. More officially, it is an open-source document management system that allows hierarchical documentation and note-taking. It uses the same familiar markdown for text formatting, document linking and image references that you would use with GitHub, the Webex messaging app or the Webex API. You can journal and have your thoughts organized in daily buckets. Document templates are supported; I find the supplied meeting notes template pretty useful and extensible. As proof of Dendron’s flexibility, I wrote this blog in Dendron before passing it over to the publication team!

VS Code with Dendron Extension: Note Taking Panel with Preview

I appreciate the hierarchical model of taking notes. I have sections for my team notes, my projects, the partners and customers I’m working with, and one-on-one meeting notes. The hierarchy works down from there. For instance, this note is stored in the VS Code workspace for Dendron, and its vault, as ‘MyProjects.blogs.Notes as Code.md’. I also have a ‘MyProjects.PiK8s.md’ for a Kubernetes environment on a cluster of Raspberry Pis – more on that soon!

Dendron is capable of efficiently and quickly searching and managing tens of thousands of notes. When I finish a project, I can refactor it into a different hierarchy for archive. The links within the original note are re-referenced, so I don’t lose continuity!

I’m not ready to do this refactor just yet, but here’s a screensnap of it confirming the movement of the note across hierarchies. I tend to put completed projects in a ‘zARCHIVE’ branch.

Dendron Extension Using Document Refactor Feature

Dendron also supports advanced diagramming with the mermaid visualization syntax. This next image is a linked screen-capture of the Dendron writing panel adjacent to the preview panel where I imagined a workflow to get this blog posted.

Dendron Markdown with Preview Showing mermaid Flow Chart

Network protocol and software inter-process communication can be documented as sequence diagrams also! Here’s my tongue-in-cheek representation of a DHCP process.

```mermaid
sequenceDiagram
participant Client
participant Router
participant DHCP Server
Client->>Router: I need my IP Address (as broadcast)
Router->>DHCP Server: (forwarded) Get next lease
DHCP Server-->>Router: Here's 192.168.1.100
Router-->>Client: You good with 192.168.1.100?
Client->>Router: Yes, thank you
Router->>DHCP Server: We're all set!
```

The markdown and preview behind the scenes looked like this…

Dendron Markdown with Preview Showing mermaid Sequence Diagram

So, How Can I Use This?


An effective way of using VS Code with Dendron would be in concert with the notetaking and documentation you do for your git repos. Since Dendron notes are effectively text, you can sync them with your git repo and remote GitHub publication as your README.md files, LICENSE.md and CONTRIBUTING.md, which should make up the foundation of your documented project on GitHub.

Source: cisco.com

Thursday 11 August 2022

FFIEC Cybersecurity Maturity Assessment Tool

Financial institutions have to be vigilant in the face of a continually evolving cybersecurity threat landscape. As these attacks have evolved, regulatory bodies have updated their regulations to account for the increasing threat of cyber risk. In 2015, following a significant increase in nation-state and hacktivist attacks on U.S. financial institutions, the FFIEC released new guidance and a Cybersecurity Assessment Tool for institutions to self-assess their risks and determine their cybersecurity maturity. This was revised in 2017, and this consistent framework is intended to help leadership and the board assess their preparedness and risk over time. This framework is especially relevant given the recent FFIEC Architecture and Operations update and the Executive Order on Cybersecurity from 2021.

The purpose of this blog is to give our IT-based customers and partners a concise, high-level understanding of the FFIEC Cybersecurity Assessment Tool and its derivative impacts on their current and future day-to-day operations. It is part of a multipart blog series on financial regulations and how to manage them architecturally, geared towards IT leadership.

The Cybersecurity Assessment Tool is fairly intuitive to use, and the exercise should not be arduous for an organization to complete. The assessment applies principles of the FFIEC IT Handbook and the NIST Cybersecurity Framework. The intention was to be complementary to existing frameworks and supportive of existing audit criteria. The FFIEC has released a mapping of the Cybersecurity Assessment Tool and the NIST Cybersecurity Framework to the FFIEC IT Handbook.

How the Assessment works:

The assessment itself involves two primary components: an institution first creates an inherent risk profile based on the nature of its business, and then determines its cybersecurity maturity. The inherent risk profile is an institution’s analysis of its key technologies and operations. These are mapped into categories that include:

1. Technologies and Connection Types

2. Delivery Channels

3. Online Mobile Products and Technology Services

4. Organizational Characteristics

5. External Threats

The tool itself provides guidance on criteria to self-assess risk based on the different characteristics of an organization, which simplifies completion and improves consistency. By having explicit guidance on how to self-assess into different risk categories, the leadership of the institution can ensure they have a consistent understanding of what the risk entails.

Below is a snippet of the inherent risk profile; of note is the intuitive and consistent guidance on how to classify risk within each domain.


The second aspect of the assessment is understanding cybersecurity maturity. This section can help leadership understand the risk and the appropriate controls which have been put into place. It creates five levels of maturity, from baseline to innovative, and these are used to measure the preparedness of the processes and controls for five risk domains:

1. Cyber Risk Management and Oversight
2. Threat Intelligence and Collaboration
3. Cybersecurity Controls
4. External Dependency Management
5. Cyber Incident Management and Resilience


The five domains include assessment factors and declarative statements to help management measure the level of controls in place. What this means is that there are statements within each assessment factor that describe a state. If those descriptive statements match a financial institution’s controls, then it can claim that level of cybersecurity maturity. Importantly, as in the picture above, the levels are additive, like a hierarchy of needs. This means that if there is a statement in “innovative” that matches some of your organization’s controls, but you haven’t satisfied the statements in the “advanced” guidance, you cannot measure your institution as innovative in that domain. Likewise, an intermediate level of maturity assumes that all criteria in the evolving level have been met.

The five domains each have various assessment factors. For example, in cybersecurity controls there are assessment factors for preventative, detective, and corrective controls. Each of these assessment factors has contributing components which are then measured. An example of this is within the preventative controls assessment factor, where there are components such as “infrastructure management” and “access and data management”.


It becomes easier to envision when evaluating the assessment document and the corresponding components. As can be seen in the below cybersecurity guidance, there are a number of explicit statements that describe maturity at a particular level and mapping to regulatory requirements. Through satisfying these statements you can appropriately match your institution to its level of cybersecurity maturity.


The Next Step


Following completion of the inherent risk profile and cybersecurity maturity assessment, an organization can determine whether it has the appropriate controls in place to address its inherent risk. As inherent risk increases, a higher level of security controls should obviously be positioned to provide a level of control around that risk. Conceptual guidance on how risk should map to maturity is outlined below. Where this becomes important is not only in determining a point-in-time deficiency, but in understanding that as new projects, acquisitions, or changes in the threat environment occur, leadership can see whether increases in security controls need to be applied to adequately address a material change in risk level.


Derivative Impacts on Infrastructure and Security Teams


The Cybersecurity Assessment is a useful tool for financial institutions to consistently provide leadership a synopsis of the state of the institution. But how this translates downstream to the day-to-day operations of architects may not be explicit. There are a number of areas in the Cybersecurity Maturity section where explicit guidance is given which we have seen undertaken as projects at our customers, as well as across the industry. Below are a few themes we have seen gain in prominence since the publishing of the assessment. These weren’t generated by the assessment itself, but are common themes across the industry. The intent of this blog is to provide a high-level synopsis of how these projects influence, are influenced by, and are measured through the regulatory bodies.

1. Segmentation is explicitly called out, with guidance given on how to measure it. We have seen this translated across the industry as both macro- and micro-segmentation approaches, and the two are complementary. These have driven technologies such as SD-WAN, SD-Access, ACI, and VXLAN-based segmentation.

2. Infrastructure management and the lifecycle of hardware and software versions are measured. This practice isn’t specific to just this assessment, and it has become a common theme to be able to keep devices in patch management. It is a shift for some institutions from “sweating their assets” to a proactive model of managing them. What had been observed was that “hackers love sweaty assets”, with most exploits targeting known vulnerabilities. This should translate into any new technology investment having a lifecycle that can ensure the full depreciation of the asset while maintaining patch management.

3. Analytics and telemetry have driven significant investments in cybersecurity operations teams’ ability to understand and act upon emerging threats in real time. Leveraging existing assets as sensors or sources of meaningful telemetry is important, as deploying dedicated appliances across the larger attack surfaces of campuses, branches, and wireless can be prohibitively expensive and operationally unsupportable.

The above are just a few of the many derivative impacts that affect our infrastructure and security teams. With increasing nation-state guidance on security and privacy, including the U.S. Executive Order on Cybersecurity, additional tightening of conformance to address evolving security risks is happening. A lot of the increased focus aligns to areas within existing domains that are included in existing frameworks. The FFIEC Cybersecurity Maturity Assessment is a simplified tool that can help a board member understand which security controls should be addressed first.

Source: cisco.com

Wednesday 10 August 2022

Top Resources to Streamline Cisco 350-401 ENCOR Exam Preparation


The Implementing Cisco Enterprise Network Core Technologies exam, also known as the 350-401 ENCOR, is a significant challenge. It is a prerequisite for four distinct Cisco certification paths, i.e., CCNP Enterprise, Cisco Certified Specialist – Enterprise Core, CCIE Enterprise Infrastructure, and CCIE Enterprise Wireless.

Tuesday 9 August 2022

Cisco Wireless 3D Analyzer: High Level View on Latest Innovations

Wireless connections are ubiquitous and have become a part of our daily lives no differently than electricity. Planning, maintaining, and troubleshooting  WiFi networks, optimized for today’s radio coverage and capacity requirements, may not be a simple task for an otherwise seasoned wireless network engineer.


While wireless technologies are ubiquitous, they interact constantly with the physical environment. Architecting the best wireless coverage for a specific environment depends on many different physical factors like obstacles (walls, doors, windows), building geometry, furniture, and materials, as well as the user density and intended usage. Different environments present a wide range of complexity across different verticals. For example, covering a moderate-sized enterprise office space could be as simple as correctly placing some APs (Access Points) with omni-directional antennas, while covering a space with high ceilings such as a warehouse necessitates directional antennas to optimally cover the space and requires more engineering to get it dialed in right. The challenge is that RF, unless visualized somehow, is invisible. Providing the “super-power” to view the RF in sufficient context to determine the correct angles, power, coverage, and capacity needs requires innovation using specialized and outstanding tools.

Cisco Wireless 3D Analyzer’s goal is to address challenges like these and enable RF design like never before possible! Cisco customers have had access to this innovation starting with Cisco DNA Center release 2.2.3, providing features like the following:

Figure 1. A few examples of Cisco Wireless 3D Analyzer features

What’s new? 


As we continue to drive innovation and lead the market with RF visualization, Cisco DNA Center release 2.3.3 brings amazing new key Wireless 3D Analyzer functionalities. This extends Cisco DNA Center’s tooling set and enables an impeccable user experience on the wireless network. Below are a few of the new functionalities:

Multi-floor Management

In scenarios where a network engineer needs to provide WiFi coverage in a high-rise office building, APs will be placed on each floor of the building to achieve the desired level of coverage (i.e. -65 dBm). But one of the crucial issues is that APs on a given floor could create interference on the adjacent floors below or above. This is why Cisco Wireless 3D Analyzer introduced the multi-floor view to provide the 3D perspective. Using this new functionality, the user can select adjacent floors up to 2 floors above and 2 floors below, and so see what those floors’ RF contributions on the current floor are.

Figure 2. Multi-floor contributions

In figure 2, we can clearly see the contributions of inter-floor interference from the floors above and below.

Coverage Area Management

The Cisco Wireless 3D Analyzer Insights View allows an amazing deep dive into possible issues the wireless network can experience, and it can be configured according to key parameters and KPIs as shown in figure 3 below.

Figure 3. Example of insights configuration

A common use case is where the network engineer is interested in a specific area of the floor as opposed to the entire floor. Therefore, Cisco Wireless 3D Analyzer added the Coverage Area feature that allows the user to easily define the area of interest for a floor as shown in figure 4.

Figure 4. Coverage Area Management

With this functionality, Wireless 3D Analyzer will compute the insights for that specific area of interest to the network engineer.

3D Client Location

Wireless networks are there to support clients (humans or machines). Wireless 3D Analyzer now supports a Client Location View depicted in figure 5 below.

Figure 5. 3D client Location

Taking advantage of the integration with Cisco DNA Spaces, location analytics, and the related triangulation of the clients’ positions, Cisco Wireless 3D Analyzer can show the clients’ locations in the 3D space. Moreover, for those clients, Cisco DNA Center can track data around RSSI, SNR, or health scores in the same position. Finally, it collects all the available client data and shows it when you click on the client on the 3D map.

WiFi 6E Support 

Cisco recently shipped the first WiFi 6E APs (see more info at Cisco 6E launch), so Wireless 3D Analyzer supports and integrates the new 6GHz band together with the new WiFi 6E AP models.

Figure 6. 6GHz management within Wireless 3D Analyzer

In the picture above we can see how the coverage iso-surfaces change using the 6GHz band for the selected AP. 

Source: cisco.com

Monday 8 August 2022

Operationalizing Objectives to Outcomes


As part of our digital transformation, my Cisco colleagues and I were getting trained on business agility in our ONEx organization. Any transformation needs an effective way to measure the success at the end and throughout, and as part of our initiative, I could see there was enough awareness and emphasis given to metrics and measurements.

The training also addressed some points from the book “Measure What Matters,” which piqued my curiosity and inspired me to start reading it. It is a fantastic book on the origin of the Objectives and Key Results (OKR) concept and how companies have leveraged the framework. I wanted to share a bit here about how Cisco also embraces this framework – and more – in our organization, in a slightly customized and enhanced way, and how it can be extended further.

Finding Middle Ground between Vision, Strategy, and Execution

Although the OKR framework has generated more interest in recent decades, goals and metrics themselves have long been the foundation on which any company identifies and sets targets and succeeds. As with technology, our approach to goals and metrics has also evolved over time, namely to include a couple of key concepts: MBO, or Management by Objectives, and VSE, or Vision, Strategy & Execution, with an extension of this, VSEM, to include Metrics.

Vision

The Vision has represented the true north star of what the company wants to achieve. If we time-box it, perhaps to 3 to 5 years or beyond, the Vision does not change often unless the company goes through a major transformation or change of business. However, at an organization or function level, it could change a bit while still aligning to the overall company vision. And, as you can imagine, there is still a healthy internal debate about whether one should have ONE single vision for all or a vision at each of the lower functional levels – and different companies handle it in different ways.

Strategy

While Vision is a starting point, we need other elements to take it further. Strategy is the next level of Vision – how you plan to accomplish the vision. This could be multiple levers (or initiatives or methods or ways) to achieve the vision: A strategy, approach, or means to plan for the execution of it and, finally, deliver the desired outcome or results.

Execution

If Vision is the desired outcome, and Strategy is the big plan, then Execution is the detailed plan. The key to Execution is measurement, and thus it is often broken into smaller chunks – goals or objectives – which are easier to accomplish and show progress.

Finding Meaningful Measurements

In the process of transforming our operations I’ve found several things to be true, and helpful, during this endeavor:

1. As Peter Drucker said, “What cannot be measured, cannot be improved“, but even before improving upon a thing, identifying and establishing the right set of metrics is key for any goal. Drucker also observed, “A manager should be able to measure the performance and results against a goal.” However, truly effective organizations must not limit measurements to the management level, but instead, equip employees at every level to identify and track meaningful metrics. These metrics could be milestones or KPIs and can be annual, quarterly, or even monthly. Some of these metrics could be in multiple systems (say ERP or CRM or ITSM) or Project Portfolio Management tools. The goals and objectives can be (and in some cases should be) inherited either vertically or across the organization or cross-functionally beyond the organization for shared goals.

2. When employing new measurement metrics within a company, the ideal scenario would be to integrate, automate, and bring all of these metrics into one single dashboard. A one-stop shop for metrics viewing simplifies the process, ensuring that there is minimal manual work involved in updating these metrics periodically. Several of the SaaS solutions provide APIs that can be used to easily integrate and get the needed metric and based on a set threshold, can even provide indicators about whether metrics have been achieved, and communicate that critical information in real-time to impacted teams.

3. Although Goals & Results could be separately reviewed from employee performance review discussions, the ideal would be to review them together.

4. WHAT was achieved should be equally evaluated with HOW it was achieved. Equally important to the Vision are the types of behaviors that were exhibited to accomplish these results, and they should be reviewed to ensure that we understand and agree with the methods and the values represented in the achievement.

5. It’s critical that metrics and measurements are looked at holistically and together. Operationalization of the entire framework, process, or activity makes it efficient for the organization, but defining and setting meaningful metrics cannot be a one-time activity. Putting a structure and defining these annually is a good start but this is just the beginning – goals need to be measured, reviewed, revisited, and adjusted as needed.


Operationalization of the OKR framework can include various elements:

1. Conducting reviews at Initiative, Program, and Project level – leveraging metrics from the Portfolio Management and other IT Systems/Tools

2. Organizational health metrics from various sources

3. Ongoing operational reviews (RtB or Run your Business) – both IT (ideal to do weekly, monthly, and quarterly) and Business Reviews (ideal is Quarterly)

Among all of these observations I’ve made through this process, one of the most critical ones is that the information about meaningful metrics cannot be created and kept safe somewhere secretly. Instead, it needs to be published centrally, so that anyone can check on the goals of their colleagues and leaders at any point in time. This not only brings transparency and trust but also avoids duplication when found.

We are still in the process of creating a more mature, sophisticated practice around our internal OKRs, and in parallel, my colleagues across Cisco are also applying metrics to inform smarter, more efficient operations within our customer organizations.

For those who want to dig into the topic even more deeply, click here to learn more about how Cisco’s IoT practice is using metrics as a powerful tool in our customers’ digital transformation.

On that note, how is your team doing it? What can you share about what it takes to set and achieve measurable goals in your organization’s digital transformation? 

Source: cisco.com

Sunday 7 August 2022

Compliant or not? Cisco DNA Center will help you figure this out.

Clear visibility of device compliance is key for network operations. One of the biggest challenges though is to agree upon the definition of compliance since different environments have different requirements. The purpose of this blog is to share the current compliance capabilities in Cisco DNA Center that will help network administrators to keep the infrastructure safe and consistent.

The current version of Cisco DNA Center looks at device compliance through five different lenses in a non-SD-Access network: startup vs. running-config, network profiles, application visibility, software image, and critical security advisories.

Figure 1: Compliance Types

Startup vs Running Configuration


Have you ever configured a device and forgotten to save the running configuration, only to have the device reboot unexpectedly? The result could be catastrophic, causing numerous issues in the network. Even though the preferred method for device configuration is through Cisco DNA Center, manual changes are still permitted. To avoid inconsistencies between startup and running configurations, Cisco DNA Center provides a compliance check that flags any devices whose startup and running configurations don’t match.

In the snapshot below, we see how Cisco DNA Center provides visualization of the differences between the running and startup configuration. In this example, the network administrator manually added a description to an interface and forgot to save the new configuration. Cisco DNA Center also provides a way to remediate this problem with a button to “Synch Device Config” which saves the running-config into startup-config.

Figure 2: Config Differences and Remediation option

Network Profiles


One of Cisco DNA Center’s greatest values is the automation it brings by leveraging Intent-Based Networking (IBN). One of the constructs that Cisco DNA Center uses to implement IBN is network profiles. Network profiles contain different aspects of intent-based networking including wireless and model-based configuration (for wireless devices) and templates (for all devices). Via compliance checks, Cisco DNA Center can flag any configuration deviation from these constructs.

Let’s say that we have a simple template in Cisco DNA Center pushing a “vlan” configuration to a port:

```
TBRANCH-C9200L-2#show run int gig 1/0/7
Building configuration...

Current configuration : 344 bytes
!
interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template -- lan
 switchport access vlan 419
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
end
```

In this example, we will assume that someone manually removed the “vlan” configuration that has been pushed by Cisco DNA Center templates:

```
TBRANCH-C9200L-2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
TBRANCH-C9200L-2(config)#int gig 1/0/7
TBRANCH-C9200L-2(config-if)#no switchport access vlan 419
TBRANCH-C9200L-2(config-if)#
```

This action will trigger a “Network Profile” compliance violation as seen in the snapshots below:

Figure 3: Network Profile Compliance Violation

Cisco DNA Center clearly identifies the template that has been changed in the device and the specific lines of configuration that have been removed:

Figure 4: CLI commands from Template not present in the config

Application Visibility


Cisco DNA Center also leverages Intent-Based Networking (IBN) to provision devices for visibility of applications through CBAR and NBAR. If there are any changes to this intent, the devices will be marked as non-compliant for “Application Visibility” as seen in the example below.

The device has CBAR (Controller Based Application Recognition) enabled via DNA Center:

```
interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template -- lan
 switchport access vlan 419
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
 ip nbar protocol-discovery
end
```

Configuration is manually removed from the device:

```
TBRANCH-C9200L-2(config)#int gig 1/0/7
TBRANCH-C9200L-2(config-if)#no ip nbar protocol-discovery
TBRANCH-C9200L-2(config-if)#
```

Figure 5: Application Visibility Compliance Violation

Figure 6: Configuration removed for this interface
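The three checks walked through so far (startup vs. running config, template lines missing from an interface, and the CBAR/NBAR intent removed from an interface) are all text comparisons against a declared intent. As an added example, not Cisco DNA Center code and not from the original post, the script below reproduces that logic offline on a constructed copy of the GigabitEthernet1/0/7 configuration shown above. The assumptions are mine: the “lan” template is assumed to have pushed `switchport access vlan 419` and `switchport mode access`, the application-visibility intent is assumed to be the single `ip nbar protocol-discovery` line, the running config is constructed as the startup config after the two manual `no ...` commands from the post, and the parser handles only IOS-style indented `interface` blocks.

```python
"""Offline config-compliance checks modelled on three of the Cisco DNA Center
compliance types described in the post: startup vs. running-config, network
profile (template lines), and application visibility (NBAR intent).

Added example, not Cisco DNA Center code. All configs below are constructed.
"""
import difflib
from typing import Dict, List

# Constructed sample: the interface as the template pushed it, still saved
# in startup-config.
STARTUP_CONFIG = """\
interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template -- lan
 switchport access vlan 419
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
 ip nbar protocol-discovery
!
"""

# Constructed sample: running-config after the two unsaved manual removals
# ("no switchport access vlan 419" and "no ip nbar protocol-discovery").
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template -- lan
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
!
"""

# Assumed intent of the "lan" template (only the lines the post shows).
TEMPLATE_LINES = ["switchport access vlan 419", "switchport mode access"]

# Assumed application-visibility (CBAR/NBAR) intent for the interface.
APP_VISIBILITY_LINES = ["ip nbar protocol-discovery"]


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface_name: [sub-commands]} from IOS-style config text.

    Sub-commands are the indented lines under 'interface X'; a '!' or any
    other top-level line ends the block.
    """
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def startup_running_diff(startup: str, running: str) -> List[str]:
    """Changed lines between startup and running config; empty means they match."""
    diff = difflib.unified_diff(
        startup.splitlines(), running.splitlines(),
        fromfile="startup-config", tofile="running-config", lineterm="", n=0,
    )
    # Keep only the +/- content lines, dropping the file and hunk headers.
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def missing_lines(running: str, interface: str, required: List[str]) -> List[str]:
    """Intent lines that are absent from the interface's running config."""
    present = set(parse_interfaces(running).get(interface, []))
    return [line for line in required if line not in present]


def compliance_report(startup: str, running: str, interface: str) -> Dict[str, object]:
    """Evaluate the three checks and return a verdict plus evidence for each."""
    diff = startup_running_diff(startup, running)
    profile_missing = missing_lines(running, interface, TEMPLATE_LINES)
    appvis_missing = missing_lines(running, interface, APP_VISIBILITY_LINES)
    verdict = lambda problems: "COMPLIANT" if not problems else "NON_COMPLIANT"
    return {
        "startup_vs_running": verdict(diff),
        "startup_vs_running_diff": diff,
        "network_profile": verdict(profile_missing),
        "network_profile_missing": profile_missing,
        "application_visibility": verdict(appvis_missing),
        "application_visibility_missing": appvis_missing,
    }


if __name__ == "__main__":
    report = compliance_report(STARTUP_CONFIG, RUNNING_CONFIG, "GigabitEthernet1/0/7")
    for check, value in report.items():
        print(f"{check}: {value}")
```

Run against the constructed pair, all three checks come back NON_COMPLIANT with the two removed lines as evidence, which is the same information the Figure 3 to Figure 6 screens convey; feeding the same text in as both startup and running returns COMPLIANT for all three. The point of separating the checks is that each answers a different question: the diff says the device would lose changes on reboot, the template check says the device has drifted from its declared intent regardless of whether that drift was saved.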

Software Image


Cisco DNA Center uses the concept of a “Golden Image” to support image consistency within a site. When a device runs an image different from the Golden Image, this triggers the “Software Image” compliance violation seen in the snapshots below:

Figure 7: Software Compliance Violation

Figure 8: Device Image different from Golden Image

Critical Security Advisories


Devices with critical security vulnerabilities will also trigger a compliance violation, as shown in the snapshots below:

Figure 9: Critical Security Advisories Compliance Violation

Figure 10: Detailed list of security advisories

Source: cisco.com

Saturday 6 August 2022

Cisco 350-201 CBRCOR: How to Prepare for CyberOps Professional Certification?


Cisco CBRCOR Exam Description:

Performing CyberOps Using Cisco Security Technologies v1.0 (CBRCOR 350-201) is a 120-minute exam that is associated with the Cisco CyberOps Professional Certification. This exam tests a candidate's knowledge of core cybersecurity operations including cybersecurity fundamentals, techniques, processes, and automation. The course Performing CyberOps Using Cisco Core Security Technologies helps candidates to prepare for this exam.

Cisco 350-201 Exam Overview:
