Thursday 20 October 2022

Innovation at the inner core of Cisco DNA Center

Cisco DNA Center has seen several releases with significant innovation and evolution of the product platform. With DNA Center capabilities aligned to Gartner’s four IT personas (AIOps, NetOps, SecOps, and DevOps), it is worth taking a step back to look at the platform itself, the network “underlay.”

With changes in the IT landscape, several megatrends are shaping what the network platform needs to deliver. With the new landscape where both applications and users are on the move, the face of the campus network has changed and expanded.

Figure 1. Megatrends shaping digital transformation

Cisco DNA Center Virtual Appliance, deployment flexibility


With applications moving to the cloud, it is no surprise that management platforms are following them. Cisco DNA Center is no exception: it can now run on AWS, and deployment of the AWS virtual appliance takes under an hour from start to finish. Users also get flexibility through a launchpad that automates the installation, or through a manual mode for those who already have a custom AWS environment. In both cases the DNA Center install is completely programmatic (no shell login required).

At this point, users can get on the Cisco DNA Center UI and begin configuration, discovery, and more.

Figure 2. Virtual Appliance Diagram

Following AWS, a VMware version of the appliance will be released, allowing customers to run Cisco DNA Center on their existing VMware infrastructure instead of a physical appliance. As part of Cisco’s commitment to the platform, users will see feature parity no matter how they deploy Cisco DNA Center: it is the same Cisco DNA Center code and capabilities.

Hardened Security Features


Some verticals, industries, and organizations have specific security requirements mandated, such as FIPS.

Activating FIPS compliance at Cisco DNA Center install time enables security features such as secure boot, TPM use, session timeouts, and password expiration. When data is exchanged using weak or deprecated ciphers, it is at risk of being decrypted by malicious actors. Cisco DNA Center now supports FIPS 140-2-validated cryptographic modules, ensuring that only strong NIST-approved algorithms are used and enabling deployment in security-conscious verticals such as the public sector, finance, and healthcare.

Figure 3. FIPS compliance letter

ACL to management access for Cisco DNA Center appliance


By popular demand: many customers use ACLs to control which hosts may reach their network devices for management. Since Cisco DNA Center is now the centralized monitoring and management point for the network estate, customers can now create ACLs that restrict which networks or IP addresses can reach the Cisco DNA Center UI.

Restricted shell support


Again by popular demand, customers asked for an enable-style shell on DNA Center so that sensitive CLI commands are protected at all times. DNAC now ships with a restricted shell as standard, and only non-invasive CLI commands can be run on the console. Any command that requires root-level or sudo permissions is denied by default; a special token must be obtained to lift the restriction.

Scale – the agility to keep up with your business


Scale is a constant growth factor: post-pandemic life is returning to normal, and the proliferation of IoT and OT devices on the network continues to rise. There is a constant need to ensure that the network management and orchestration platform keeps scaling with the network and the business. With each release, the Cisco DNA Center team has made continuous strides in platform scale. Recent scale updates for version 2.3.3 include up to 6,000 sites and 24,000 devices (access points and network devices, for both fabric and non-fabric networks).

Figure 4. DNA Scale

Remote support


As part of improving the support engagement between customers and TAC: the difficulty of giving TAC access to equipment has at times extended the MTTR (mean time to repair). To ease the process, customers can now grant TAC access to network equipment via Cisco DNA Center. This solution lets the customer give TAC access to specific equipment and revoke that access at any time.

Figure 5. Remote Support Activation

AURA (Audit & Upgrade Readiness Analyzer)


AURA stands for Audit & Upgrade Readiness Analyzer and performs various health, scale, and upgrade readiness checks for the Cisco DNA Center and the rest of the Fabric network. The tool is extremely simple to run and is executed on the Cisco DNA Center.

Figure 6. AURA screen image

The tool uses API calls, DB reads and CLI show commands (read-only operations) and hence does not affect performance or impact Cisco DNA Center or the network devices. This functionality was built in collaboration with Cisco DNA Center Escalation Engineering, Sales, and the CX Centers TAC Engines team to ensure an efficient upgrade experience. AURA tool check areas:

◉ DNA Center Scale Test

◉ DNA Center Infra Health

◉ DNA Center Assurance Health

◉ WLC/eWLC Assurance Health

◉ SDA Device CLI Capture

◉ SDA Control & Security Audit

◉ Software Bugs Causing Upgrade Failures

◉ Upgrade Readiness Checks

◉ SDA Compatibility Check (Switches, Wireless Controllers & ISE for 2.2.2.x)

◉ DNAC-ISE Integration Checks

◉ Fabric Devices Configurations Capture and Compare using inbuilt diff tool

Figure 7. System Analyzer screen image

Source: cisco.com

Wednesday 19 October 2022

Cisco Nexus: Connect cloud-scale performance and sustainability

Announcing the first Cisco 800G Nexus Switch


It’s the week of the Open Compute Project Global Summit, a conference that attracts the biggest names among cloud providers, colo facilities, enterprises, telco service providers, media, and government entities: the people who build and operate high-performance infrastructure. Our customers are here in force, and we launched our blueprint for helping cloud service providers (both hyperscalers and webscale customers) deliver richer cloud applications and services while balancing their needs for higher-performance, cost-effective, yet more efficient, and hence more sustainable, networking infrastructure.


For our Cloud Networking customers, 2022 is turning out to be a blockbuster year. It was only in June that I wrote about exciting new 400G Nexus platforms. All of these are now shipping. This week I am proud to announce the first 800G product in the Nexus portfolio. The Nexus 9232E is a 1RU Nexus switch with 32 ports of 800G.


So, what use case needs an 800G switch? I don’t think there is a dispute that the pace and scale of data center networking buildouts is accelerating. Two fun facts:

1. In 2011, the first year of the OCP event, the total volume of data created and stored in the world was just under two zettabytes. In 2022, that’s expected to grow to nearly 100 zettabytes.

2. Similarly, the number of users (by MAU, monthly active users) of Meta services, Meta being one of the founding members of OCP, grew from 845 million in 2011 to nearly 3 billion today.

What is becoming clearer are the many use cases for AI/ML for both network operations team as well as application teams. AI/ML capabilities are crucial for digital twin type predictability of network change results as well as for modeling highly customized application outcomes in the real and meta world. Indeed, by 2025, 44 percent of global data created in the core and edge will be driven by analytics, artificial intelligence, and deep learning, and by an increasing number of IoT devices feeding data to the enterprise edge.

It is no wonder that our customers are actively looking for innovative solutions addressing their key questions:

◉ How do I handle traffic/ data growth while dealing with an increasingly challenging power/ power cost environment?

◉ Can I continue to scale this infrastructure but do so in a sensible, sustainable way?

◉ Can network bandwidth be utilized more efficiently while still supporting current cloud network deployments?

Cisco’s cloud networking difference


We are hard at work in solving these customer challenges. 800G technology is one of many steps on a journey.  Our customers want positive outcomes in the areas of experiences, economics, and environment with respect to their hybrid cloud network infrastructure. So, our new Nexus 800G product will deliver the same benefits that Nexus cloud networking customers already enjoy including:

◉ High Performance: Massive throughput with Silicon One 25.6T G100 ASIC and smart system design that will power the next generation of network innovations and breakthroughs.

◉ Flexibility and Agility: Choices in network operating systems, speed, form factors, optics to meet virtually any use case.

◉ Programmability: Enabled through open APIs and protocol support in our cloud network optimized OS.

◉ Density and Scale: For both fixed and modular systems offering scalability from 100G to 400G to now 800G.

◉ Energy Efficiency: Significantly improved power per bit leveraging 112G SerDes technology.

◉ Simplicity: Manageability, optics backward compatibility enabling less equipment needed to scale higher.


Source: cisco.com

Tuesday 18 October 2022

Vacations and IT Operations: Calm the Chaos


As I prepare to head out on summer vacation, I can’t help but realize that planning a vacation is a lot like managing IT operations. Both require coordinating a handful of individual tasks (from booking flights and reserving a hotel to deploying servers and resolving issues and more). Luckily, just as online travel services have made vacation planning easier, SaaS tools also make IT operations easier. In a series of blogs, I’ll explore this comparison to drive home the point that any IT shop still using multiple tools—or worse, trying to manually coordinate multiple tasks—can make their life much easier by using an integrated SaaS platform like Cisco Intersight for hybrid cloud operations.

From Manual Travel Management to Online Vacation Planning


The first recorded instance of a travel management service may be in 1840 when Thomas Cook organized rail transportation and lunch for 540 people. Five years later he was managing travel services for 165,000 people. All with a pen and ledger. Back then it was the model for success.

Let’s fast forward to the age of the internet. The internet not only wiped out pens and ledgers through digital vacation planning, it also made way for a more connected world that puts the power of integrated vacation planning at our fingertips.

Online Isn’t Good Enough


Imagine you’re planning a summer vacation for your family. Your first challenge is finding the best flights to your destination. There are 18 major airlines operating in the US plus more than 40 smaller ones. You’ll have to search each airline site for tickets. Doing this 18+ times to compare and find the best flights gets overwhelming quickly. I’ll just leave it there because when you multiply the effort to search for lodging, restaurants, and activities, it becomes clear that the internet alone isn’t the key to efficient vacation planning.

A flock of birds take synchronized flight off the beach in Destin, FL.

Integration is Key


But you’re smart. You know that all you have to do is log on to your favorite travel site, like Tripadvisor, Kayak, or a handful of others. Integrated travel sites aren’t just about booking your vacation. You can get alerts, track deals, make changes, and get support…all from your fingertips anywhere in the world. That’s the power of an integrated SaaS platform.

The Power of Integrated SaaS for IT Ops


Now let’s bring IT operations back in. Running IT operations requires juggling multiple tasks to plan, manage, and optimize outstanding experiences while managing risk and dependencies. This means deploying servers and apps, monitoring system health, identifying and resolving issues, managing critical dependencies, configuring profiles, and driving collaboration, to name just a few tasks. Then multiply these tasks across your on-prem, hybrid, and public cloud infrastructure. It’s an incredibly complex and overwhelming responsibility with virtually no margin for error (somewhat like pleasing each family member who has a different view of the perfect vacation).

Simplify Hybrid Cloud Management with Cisco Intersight


What if there was an integrated IT operations platform that lets IT teams manage your hybrid cloud infrastructure in a few clicks from one place? There is! Cisco Intersight.

Like an integrated online travel service, Cisco Intersight:

◉ Integrates multiple tasks in one place:

    ◉ Deploy and troubleshoot your on-prem, public cloud, and edge environments, including physical servers, hypervisors, and VMs
    ◉ Evaluate workload and app performance and optimize in real time
    ◉ Build, deploy, and manage cloud-native Kubernetes clusters, and
    ◉ Provision on-prem resources for Infrastructure-as-Code deployments

◉ Provides value-added services:

    ◉ Customizing the dashboard to view your global inventory, fault monitoring, and firmware status
    ◉ Automating tasks for device configuration, OS installation, HCI cluster upgrades, Kubernetes and infrastructure-as-code (IaC) deployments, and other routine tasks
    ◉ Creating and executing workflows across multiple infrastructure domains and cloud platforms
    ◉ Integrating with 3rd-party operations tools such as ServiceNow
    ◉ Automating workload placement, scaling, and capacity so workloads get the resources they need when they need them and you optimize spend
    ◉ Modeling capacity planning and migration scenarios to reduce risk and ensure predictable performance and cost
    ◉ Managing your entire infrastructure on the go from the Intersight mobile app

◉ Provides role-based experiences:

    ◉ Gives IT Ops a powerful tool to control every aspect of your environment and move faster with powerful automation capabilities
    ◉ Allows developers the agility and freedom they need to deploy applications even faster, their own way, using the tools of their choice

Take Control


To wrap up, just like an online travel planning service lets you easily tame the many aspects of planning a vacation, Cisco Intersight helps you take control of your IT operations across your entire hybrid cloud environment. Intersight gives you one place to manage your on-premises, public cloud, and edge locations and all types of workloads (bare metal, VMs, K8s, and serverless). Its services make common IT operations tasks easier, give your DevOps teams the agility they need, and help you stay ahead of issues to optimize performance and costs.

Source: cisco.com

Monday 17 October 2022

300-215 CBRFIR Preparation: Tips to Clear 300-215 Exam with Question Bank

Cisco CBRFIR Exam Description:

Conducting Forensic Analysis and Incident Response Using Cisco Technologies for CyberOps v1.0 (CBRFIR 300-215) is a 60-minute exam that is associated with the Cisco CyberOps Professional Certification. This exam tests a candidate's knowledge of forensic analysis and incident response fundamentals, techniques, and processes. The course Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies helps candidates to prepare for this exam.

Cisco 300-215 Exam Overview:

Cisco 300-215 Exam Topics:

  • Fundamentals - 20%
  • Forensics Techniques - 20%
  • Incident Response Techniques - 30%
  • Forensics Processes - 15%
  • Incident Response Processes - 15%

Cisco NDFC One View – Centralized Management of the Global SAN Infrastructure

Cisco Nexus Dashboard Fabric Controller (NDFC) is a scalable application for managing Fibre Channel SAN. However, in some cases a single NDFC server may not be efficient. For example, it may be a better solution for large global environments to utilize a dedicated NDFC server for each region or department. But how do you get a centralized view of the global SAN infrastructure when using multiple instances of NDFC managing separate regions or departments?

The answer is NDFC One View. It delivers the centralized management and visualization of multiple SAN environments that are managed by different NDFC servers.

What does NDFC One View offer?


NDFC One View provides insights into what is happening within the Fibre Channel SANs at multiple locations in a single pane of glass. It offers the following:

◉ Executive Dashboard: Important and relevant information.

◉ Faster Troubleshooting: Centralized view of the fabric and switch health.

◉ Increased Collaboration: Define the access using Role-Based Access Control (RBAC).

◉ High Availability: Each participating NDFC server can run on a 3-node active-active Nexus Dashboard cluster.

◉ Simplicity: Single Sign-On (SSO) allows seamless click-through navigation to any of the servers that participate in NDFC One View.

◉ One View in Context: One View is always just a click away via a breadcrumb regardless of the participating NDFC server.

Figure 1: Nexus Dashboard SAN Controller One View

You can view a summary of all the SAN switches across the globe on the NDFC One View Dashboard. However, to make a change on any switch, such as creating a zone, you must do so from the NDFC server that manages that switch. NDFC One View simplifies this inter-cluster navigation with a single login, so you do not have to remember which switches are managed by which Nexus Dashboard (ND) cluster.

How does NDFC One View work?


NDFC One View is an intuitive presentation layer. Only when it is accessed does it retrieve data from the participating NDFC servers, using RESTful APIs over HTTPS. NDFC One View does not store any additional data or increase the storage requirements of the ND clusters.


No Extra Licensing Requirements for NDFC One View


Unlike competing solutions, NDFC One View requires no extra license. If you already have a DCNM Advanced license for managing Fibre Channel switches, you can start using NDFC One View today at no added cost.

How is NDFC One View different from Cisco Nexus Dashboard One View?


Cisco Nexus Dashboard (ND) One View and NDFC One View are different features. ND One View provides centralized management of Nexus Dashboard itself, which is a hosting platform in which applications such as NDFC can run. In contrast, NDFC One View provides centralized management of the global SAN Infrastructure that is managed by different NDFC servers.

How is NDFC One View different from DCNM Federation?


DCNM SAN, the predecessor of NDFC, provides high availability using a Federation. The participating DCNM servers in a federation must use an externally shared Oracle RAC database, which increases the total cost of ownership. In contrast, Nexus Dashboard integrates all the required services, including the distributed database services, which provide native active-active clustering. This design makes NDFC One View even more affordable.

How to set up NDFC One View


It’s easy. First, configure remote authentication for the Nexus Dashboard clusters. Then, add the address and the credentials under Infrastructure > Cluster Configuration > Multi Cluster Connectivity.

Source: cisco.com

Saturday 15 October 2022

Got Windows… But Jonesing For Linux?

I suspect most people are aware of the Windows Subsystem for Linux (WSL). And how you can use it to install a distribution like Ubuntu on Windows. That will get you all the command-line features of Linux, which are many. Most people I know use vi as their console-based editor. I prefer Joe’s Own Editor (joe), which I have customized to use my favorite keystroke commands. And then there’s Midnight Commander (mc), which is a favorite for file and directory navigation.

But what about the powerful GUI applications? This blog entry shows you how to get them working on Windows 10 and Windows 11.

I’ve been a Linux guy for decades now. But when I began my career at Cisco with Developer Support, I chose Windows 10 as my operating system. At that time, David Staudt had Linux covered and David Nguyen had a Mac, so I filled in the gap. I like Windows 10. I like Windows 11 even more. It puts the virtual desktop chooser at the bottom of the screen, like Windows 10 originally did it.

But I’m still a Linux guy at heart


So, when it comes time for a laptop refresh, I will be getting a Mac. No, it’s not Linux, but OS X has a lot of BSD (Berkeley Software Distribution) in it (and/or FreeBSD, depending on who you ask), so it is a familiar platform for Linux users like me.

Why does the Mac build on FreeBSD and not Linux? My friend Brett Glass made very strong arguments for FreeBSD over Linux back in the day. He pointed out that you can build proprietary code on top of FreeBSD and make money doing it. Steve Jobs, when forced out of Apple, started up NeXT, a computer that ran on a BSD-based OS. So, the foundation for making money on BSD was already laid. Apple simply continued the evolution.

That’s hard to do with Linux. The GNU General Public License (GPL) constrains proprietary use of Linux, because (for the most part) you must share your Linux code free of charge. The way to make money is to charge for support. Of course, that’s an over-simplified comparison of BSD vs Linux, but that’s the gist.

While I can clearly see the advantages of an open-source operating system like Linux, I’m beyond caring about the philosophical differences, these days. I just prefer a UNIX-like operating system for my personal use over Windows. So, the Mac is a great choice for me.

In the meantime, while I wait for a laptop refresh, there’s a way to run Linux on Windows, and that’s what this blog entry is about.

Here’s how to start:


First, you must make sure your computer BIOS settings allow your CPU to support virtualization. If you can’t do that, then I can’t predict how the rest of these instructions will work out.
Then you need to install some optional Windows features, if they aren’t already installed. There are different ways to get to the Windows optional feature installation dialog, so I’ll just jump right to it and assume you know how.

Install Hyper-V, Virtual Machine Platform and Windows Hypervisor Platform shown in these two sample screen shots:



Some may say, like chicken soup, one or more of these wouldn’t help, but it wouldn’t hurt. Click OK and do whatever Windows tells you to do if anything.

Now, make sure you have the latest graphics drivers installed. I have a Radeon 5700 XT on my personal computer running Windows 11. My company laptop has an Nvidia Quadro display adapter.

Open the Microsoft Store and “get” a copy of Ubuntu. I recommend Ubuntu 22.04.1 LTS, unless a later version is available by the time you read this. Run it, and the installation will ask you for your language, a username and password, and not much else.

Open a Windows PowerShell console with administrator privileges. Perform these operations:

C:\> wsl --list
C:\> wsl --set-version Ubuntu-22.04 2
C:\> wsl --set-default-version 2

It is possible those are already the default settings (and that last command is probably redundant), but it’s worth making sure.

Now launch Ubuntu from the Windows menu, and enter these commands:

$ sudo apt update
$ sudo apt dist-upgrade

You can use “upgrade” instead of “dist-upgrade”, but “dist-upgrade” is more comprehensive: it also installs newly required packages and removes ones that are no longer needed when dependencies change. The “upgrade” option only upgrades the packages you already have and never removes any.

Let’s install some sample apps. If you’re like me and prefer the KDE Plasma desktop on Linux, install the KDE editor, kate.

$ sudo apt install kate

If you’re a fan of GNOME, install gedit instead.

$ sudo apt install gedit

And just for fun, install some basic X11 GUI apps.

$ sudo apt install x11-apps

You can install whatever other Linux GUI apps you like, but the above will get you started. The one thing you cannot do is install a graphical desktop, like Xfce, KDE Plasma, GNOME, Cinnamon, or any of the many other desktops. But you can run almost any graphical application.

If WSL does not already set the DISPLAY environment variable for you (Windows 11 with WSLg does, so check with “echo $DISPLAY” first), you need to point X11 clients at the X server yourself. Back in the Ubuntu terminal type:

$ export DISPLAY=:0.0

That’s only good for this one Ubuntu terminal session, so edit your .bashrc file and add this line somewhere near the top of the file (the “export” matters: a bare DISPLAY=:0.0 stays a shell-local variable that kate and gedit never see):

export DISPLAY=:0.0

STOP, do not turn the page until told to do so


If you are running Windows 11 or some super-secret double probation version of Windows 10, you can stop installing, open an Ubuntu terminal window and happily run your Linux GUI applications. For example, start kate or gedit (the ampersand launches the app and returns you to the prompt):

$ kate &

$ gedit &

If, on the other hand, you’re on Windows 10, there’s more for you to do. There are several different ways you can get Linux GUI apps working on Windows 10, but here’s what I have found to be the easiest. Download and install MobaXTerm. You can install the free home version or the paid version if it is for business purposes.

Once you have it installed, launch MobaXTerm. You should see something like this:


You see that X server icon in the upper right? If it’s in color, you’re gold. If it’s black and white, click it to start the X server.

You can see that MobaXTerm is aware that you have Ubuntu-22.04 installed. Double-click on that to bring up a terminal for Ubuntu-22.04. DO NOT use the “Start local terminal” button. That way lies madness.

You should see something like this:


Now go ahead and start kate or gedit, or whichever app you like. I started xeyes and kate. Yes, kate complains about missing theme items, but I can install those later.
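The Ubuntu-side steps above (package installation, the DISPLAY variable, and the Windows 11 versus Windows 10 branch) collected into one bash script, added here as an example; it is not part of the original post. It assumes that WSLg, when present, mounts /mnt/wslg inside the distro and already sets DISPLAY, so the .bashrc edit is only made when that directory is absent (the Windows 10 plus MobaXTerm case), and that your login shell is bash with ~/.bashrc as its startup file. The function names are the example’s own.

```bash
#!/usr/bin/env bash
# Added example for the WSL GUI-app how-to above; not code from the original post.
# Assumptions (not stated in the post): WSLg mounts /mnt/wslg and provides DISPLAY;
# the user's shell is bash and its startup file is ~/.bashrc.
set -euo pipefail

# Return 0 if WSLg appears to be present (the Windows 11 path), 1 otherwise.
# The directory is a parameter so the check can be exercised on any path.
wslg_present() {
  [ -d "$1" ]
}

# Idempotently add 'export DISPLAY=<value>' to a shell startup file.
# Without 'export', a bare DISPLAY=:0.0 in .bashrc is a shell-local variable
# that X11 clients such as kate or gedit never inherit. An existing export line
# is left alone so repeated runs do not pile up duplicates.
ensure_bashrc_display() {
  local rcfile="$1" value="$2"
  if grep -qE '^[[:space:]]*export[[:space:]]+DISPLAY=' "$rcfile" 2>/dev/null; then
    return 0
  fi
  printf '\n# Added by WSL GUI setup: point X11 clients at the Windows X server\nexport DISPLAY=%s\n' \
    "$value" >> "$rcfile"
}

# Count the DISPLAY export lines in a startup file (used to confirm idempotence).
count_display_exports() {
  grep -cE '^[[:space:]]*export[[:space:]]+DISPLAY=' "$1" 2>/dev/null || true
}

# The full procedure: update, install the sample GUI apps, then set DISPLAY only
# when WSLg is not doing it for us.
setup_wsl_gui() {
  sudo apt update
  sudo apt -y dist-upgrade
  sudo apt -y install kate gedit x11-apps
  if wslg_present /mnt/wslg; then
    echo "WSLg detected: DISPLAY is provided by WSL, no .bashrc change needed."
  else
    ensure_bashrc_display "$HOME/.bashrc" ":0.0"
    echo "Added 'export DISPLAY=:0.0' to ~/.bashrc; start an X server (e.g. MobaXTerm) on Windows."
  fi
}

# Only run the installer when explicitly asked ("bash wsl-gui-setup.sh run"),
# so sourcing the file merely loads the functions.
case "${1:-}" in
  run) setup_wsl_gui ;;
esac
```

Save it in the Ubuntu distro and run `bash wsl-gui-setup.sh run`; open a new terminal afterwards so the .bashrc change takes effect, then `kate &` or `xeyes &` as in the post.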


Voilà, I now have access to graphical Linux apps:



And there you have it. All the pleasure of using Linux graphical applications on a Windows computer.

Source: cisco.com

Friday 14 October 2022

Leveraging the Cloud to Scale your Industrial DMZ


The iDMZ (industrial demilitarized zone) is a critical layer in a comprehensive end-to-end security strategy for an industrial operations environment. The primary function of the iDMZ is the enforcement of a secure boundary between the internal trusted operations environment and external entities that may need to exchange data with services that support the operation.

One of the challenges with an exclusively on-site iDMZ is its limited ability to expand to meet future demand and capabilities. With the growth of Industrial IoT (IIoT), hardware and resources will have to grow to keep up with increasing data volumes. This translates to a steadily growing hardware footprint and to cooling and power utilities, which can be in limited supply on premises. In addition, operators must explore new ways to obtain deeper insights and introduce enhancements to the operation, which may require tighter alignment with partners and/or the ability to securely consume XaaS offers.

Operators also have a safety-first culture, keeping people out of the “line of fire.” Vendors and partners may need to maintain on-site hardware, applications and services, potentially exposing people to risk through their presence on-site. For heavy industry environments, accessibility to site and the equipment residing on it is not necessarily an easily accomplished task. Many industrial sites require site safety training and approved work permits as a prerequisite for physical access.

Finally, inconsistency in hardware and feature composition between the iDMZs of different sites creates challenges for operations staff. In some instances, product and feature selection is made locally. This impacts the ability to deliver consistent policies and end-user experiences. It also complicates support across the operation for the staff responsible for troubleshooting and minimizing time to resolution, who must maintain different SOPs and training documents.

Operators exploring options to gain operational efficiencies through modern service offerings may benefit from exploring how to extend their iDMZ beyond the “four walls” of the operation.

One deployment alternative for iDMZ is extending the architecture to leverage a hybrid-cloud model. A hybrid cloud iDMZ model can be deployed as a centralized model or repeated regionally, based on geographic presence and/or regulatory or compliance requirements. While migrating the entirety of the iDMZ and its capabilities to the cloud may not be an option, a hybrid cloud iDMZ architecture does offer operational benefits and mitigates previously raised challenges.

First, the hybrid cloud iDMZ can secure the operation, and mitigate risk and exposure. Similar to an on-prem iDMZ, multiple tools and applications should be leveraged to take a holistic approach for enforcing security. This can include:

◉ Services that support a secure and encrypted pipe between an operations site and a regional iDMZ
◉ Segmentation and possible options for multi-tenancy
◉ Visibility to monitor applications and flows traversing the industrial zone

The solution should also include tools for consistently configuring, deploying, enforcing policies, and managing assets.

In addition to providing a holistic security strategy, a hybrid cloud iDMZ offers the benefit of shared resources and assets, as opposed to entirely duplicating unique stand-alone iDMZ deployments per site. The regional based approach offers a more repeatable and consistent architecture, delivering consistent policies, as well as easing the operational overhead and complexity mentioned previously.


A hybrid cloud solution offers more flexibility to expand and contract based on evolving requirements and demand. By leveraging public cloud services as part of the iDMZ architecture, operators can add capabilities without physically maintaining hardware and the space to house it. This approach affords a unique opportunity to foster tighter engagements with partners and ecosystem vendors, while leveraging cloud services to drive innovation, deeper operational insights and efficiencies. By adding tools like ThousandEyes and AppDynamics, operators can verify adherence to application SLAs/SLOs in accordance with operational requirements.

Finally, a hybrid cloud iDMZ aligns with the concept of the ROC (Regional Operations Center), which is top of mind for some industrial organizations, especially those with a global footprint. A ROC model seeks to leverage more automation and remote operations, thus reducing on-site headcount to mission essential resources, improving on-site safety and driving more operational efficiencies. With a regional based iDMZ deployment, the process of aggregating and presenting the status and data for operations within the region can become more streamlined and a regionally distributed model can facilitate compliance with local industry regulations, if applicable.

For more details on how to build a hybrid cloud iDMZ architecture and its benefits for securing industrial operations, we have just published a short white paper that you should read on the Hybrid Cloud Industrial DMZ. We’ll also be discussing this in a free webinar on September 20, 2022.

Source: cisco.com