Saturday, 30 September 2023

When it Comes to Compliance Requirements – Topology Matters!

When I look at the evolution of network security and how IT and security practitioners have protected the network for the last 30 years, I can’t help but notice how traditional network security enforcement points (insert your favorite firewall here) are still used to secure networks and workloads. They have evolved to offer a diverse set of features (i.e., IPS, decryption, application detection) to deeply analyze traffic coming in and out of the network to protect workloads. However, while firewalls are very capable appliances, it has been proven that they are not enough to keep malicious actors at bay, especially if those actors manage to breach the firewall defenses and move laterally in the network. But why is this?

We are in the digital era, where the concept of the perimeter is no longer contained to a location or a network segment. To offset this new reality and provide a more tailored-based policy control for protecting workloads, vendors have moved security closer to the workload.

There are two approaches to doing this: agent-based or agentless techniques that build a micro-perimeter around the workloads.

Which approach is the correct one to take? That depends on multiple factors, including the organization, the type of application, and the team structure. So, let’s start untangling this.

The challenge(s)


The most direct approach to protect applications is to install software agents on every workload and call it a day. Why? Because then every workload has its own micro-perimeter, allowing access to only what is necessary.

However, it is not always possible to install a software agent. Perhaps it is a mainframe application or a legacy operating system that still requires fine-grained policies due to a compliance mandate. Or the application workloads are in the cloud, where agent installation is simply not possible due to organizational constraints.

And this is not the only challenge or consideration for choosing your approach. The teams or groups that comprise any company often have different security requirements from each other, leading to the triad challenge: people, processes, and technology.

Let’s start with people (policy owner) and process (policy execution). Usually, each organization has its own set of unique requirements to protect its application workloads, and a defined process to implement those requirements in the policy. To support this, a tool (technology) is required, which must adapt to each organization’s needs and should be capable of defining a common policy across agent and agentless workloads.

To start unwrapping this, you need to ask yourself:

◉ What are we protecting?
◉ Who is the owner of the policies?
◉ How is policy execution done?

As an example:

Say you want to protect a finance application (what) using an agent-based approach (how), and the owner of the policies is the App Team/Workload Team (who). In this scenario, as long as the application doesn’t break and the team can continue to focus on coding, this is generally an acceptable approach. However, when implementing the common policy, the translation from human language to machine language tends to generate extra rules that are not necessarily required. This is a common byproduct of the translation process.

Now, let’s assume that in your organization the protection of a legacy application (what) is tasked to the Network/NetSec team (who) using an agentless enforcement approach with network firewalls (how), because in this case it is not possible to install software agents on the unsupported legacy operating system. As in the first example, extra rules are generated. However, in this case these unnecessary extra rules have negative consequences, because compliance mandates require firewall rules to be audited, even though the extra rules are part of the common policy.

Topology as the source of truth – pushing only what is required


Cisco Secure Workload has been addressing the people, process, and technology challenges since its inception. The solution embraces both approaches – installing software agents on workloads regardless of form factor (bare-metal, VM, or container) or using agentless enforcement points such as firewalls. Secure Workload adapts to each organization’s needs by defining the policy, such as a zero trust microsegmentation policy, to effectively apply micro-perimeters to application workloads in support of the zero trust approach, all within a single pane of glass.

However, as explained in the example above, we still needed to align our policy with the compliance needs of the Network/NetSec team by pushing only the policy rules that are required.

To tackle the additional rules challenge, we asked ourselves, “What is the most efficient way to push policies into a network firewall using Secure Workload?”

The answer boiled down to a common concept for Network/NetSec teams – the network topology.

So how does it work?

With Secure Workload, the term topology is intrinsic to the solution. It leverages the topology concept using a construct named “Scopes”, which is entirely infrastructure-agnostic, as shown in Figure 1.

It allows you to create a topology tree in Secure Workload based on context, where you can group your applications, define your policy using human intent (for example, “Production cannot talk to Non-Production”), and apply the policy following the topology hierarchy.


The Scope Tree is the topology of your application workloads within the organization, but the key is that it can be shaped for different departments or organizational needs and adapted to each team’s security requirements.

The concept of mapping a workload Scope to a network firewall is called “Topology Awareness.”

Topology Awareness enables the Network/NetSec teams to map a particular Scope to a specific firewall in the network topology, so only the relevant set of policies for a given application is pushed to the firewall.

So, what does this execution look like? With the Scope mapping achieved, Secure Workload pushes the relevant policy to the Cisco Secure Firewall by way of its management platform, Secure Firewall Management Center (FMC). To maintain compliance, only the required policy rules are sent to FMC, avoiding the extra unnecessary rules because of Topology Awareness. An example of this is shown in Figure 2:


Key takeaways


Operationalizing a zero trust microsegmentation strategy is not trivial, but Secure Workload has a proven track record of making this a practical reality by adapting to the needs of each persona such as Network/NetSec admins, Workload/Apps owners, Cloud Architects, and Cloud-Native engineers – all from one solution.

With topology awareness, you can:

◉ Meet compliance and audit requirements for firewall rules
◉ Protect and leverage your current investment in network firewalls
◉ Operationalize your zero trust microsegmentation strategy using both agent and agentless approaches

Source: cisco.com

Thursday, 28 September 2023

Cisco Contact Center Delivering Visibility to Improve the Banking Experience

“If you don’t know what’s happening, you don’t know what’s happening” is a powerful statement about the missing knowledge that can complete an ideal banking customer experience. It is a reminder of the critical role the contact center plays in the evolution of digital channels and modern cross-channel customer journeys in the financial services space. This is especially true in banking, where the adaptability of contact centers ensured the continuity of financial services for consumers and small businesses in the early months of the Covid-19 pandemic.

Customer feedback


I realized a few weeks earlier that I was in the ‘you don’t know what’s happening’ camp after participating in BAI’s 2023 Banking Contact Center Executive Roundtable, sponsored by Cisco. Since 1924, BAI has helped financial services leaders prepare for what’s next through thought leadership, training, business intelligence, and collaborative engagement, including executive roundtables. This two-day event was a great opportunity for me to learn from industry practitioners, and I was particularly interested to hear how banking contact centers were supporting the increasing cross-channel customer journeys that result from ongoing digitization in financial services.

Listening to contact center leaders representing ten regional and super-regional banks raised my awareness of the unique value of contact centers, their challenges, and the ability of these leaders to manage what is possibly the most dynamic workforce and technology environment inside a bank.

‘Customer experience correlates with agent experience’ was a recurring theme throughout the roundtable, reflecting the importance of agent onboarding and training and the increasing significance of agent technology. The frequency and breadth of customer interaction often results in agents developing institutional knowledge faster than new bankers, but agent workloads also lead to high turnover. Leveraging technology to optimize agent workloads and providing advancement opportunities into other bank sales and service roles helps improve execution, talent retention, and growth. Notably, the roundtable institutions were satisfied with their ability to measure agent productivity whether agents primarily worked from home or were back in the office.

Contact center leaders are looking to take advantage of the next generation of self-service capabilities, such as intelligent IVRs, chatbots, and virtual agents, to optimize customer experience, agent workload, and interaction costs.

Throughout the discussions, leaders highlighted the need for continued efforts and investments to reduce operational complexity, drive efficiency, and elevate the agent experience. The shared experience among these contact center leaders is that a world-class customer experience requires a world-class agent experience. To achieve this, a few north star objectives were identified:

  • Streamlining the agent desktop – fewer discrete apps and better app data integration
  • Extracting intelligent insights from full visibility of cross-channel customer journeys
  • Providing agents with the best guidance and options in real-time
  • Utilizing best-in-class workforce management and automation

Cisco expertise


The group also heard from my colleague Jono Luk – VP, Product Management for Webex who shared his knowledge about technology advances in contact center solutions that address these needs, notably the advantages of a unified CX platform, the flexibility of the cloud, and the power of AI across a broad scope of opportunities.

Jono highlighted the capabilities that agents need in order to support banking customer journeys that are increasingly personalized, cross-channel, and almost certainly involve the contact center at some point in the journey.


The banking industry, and it is safe to say most of financial services, currently has limited visibility of a customer’s journey prior to reaching a contact center agent. Part of the challenge is the need for more capable contact center platforms and for continuing to consolidate the number of applications on the agent desktop.

Webex by Cisco


But it’s also clear the banking industry must continue to improve collaboration between LOBs and the contact center, to create awareness of the importance of holistic journey insights and to accelerate investment. Responsibility for the primary contact center is now with the Retail LOB, but many leaders cited the need for better coordination. Jono shared Cisco’s perspective on the benefits of a unified CX platform built specifically to support connected customer journeys across a customer lifecycle.

Webex by Cisco is designed for exactly that – a suite of integrated cloud-native capabilities that support a broader range of interactions (calling, video, messaging, SMS, Social, and more), with advanced AI functionality, business workflow integrations, mobile app integrations, and a robust contact center with a composable agent interface.


Financial institutions often have several contact centers supporting different LOBs such as Credit Card, Wealth Management, and Mortgage, or even internal functions like the help desk. In my experience, it’s not that uncommon to find teams that still use spreadsheets to manage inbound and outbound calling. These represent good opportunities for institutions to quickly discover the transformative capabilities of a unified CX platform like Webex and to understand its potential for primary banking contact centers.

This year, due to the ever-increasing importance of contact centers in supporting cross-channel customer journeys, we added the contact center as a use case in the Cisco Portfolio Explorer for Financial Services. We review its use cases annually to make sure we are reflecting the latest trends and focus areas we are hearing from our clients. As you have read, the contact center is where exceptional client service and engaged, informed employees come together.

Source: cisco.com

Tuesday, 26 September 2023

Evolutio FinTech module on Cisco FSO Platform gives visibility to financial transactions

We’re all aware that user experience has become the most important KPI for today’s digital businesses. Applications are the engines that power these experiences, and if a digital interaction is sub-par, customers are unforgiving.  Consider the situation of a prominent bank that recently suffered a series of downtimes on its mobile applications. Their users were not happy and  rival credit unions were advertising, highlighting their level of service compared to the “mega-bank.”  Churning customers due to digital blips is a NO-NO today. Organizations need visibility, context and control, so they can ensure that their customers are empowered with the best experiences possible. But true observability requires more than a “one size fits all” approach. Today’s application environments are highly specialized, built to support specific industries and business processes.

Observability tailored to fit specific use cases

Given the diversity and complexity of today’s modern apps, how can organizations fully align their technology to specific use case needs? Cisco FSO Platform brings data together from multiple domains including application, networking, infrastructure, security, cloud, sustainability, and business sources. It is an open and extensible, API-driven platform focused on OpenTelemetry and anchored on metrics, events, logs, and traces (MELT), providing AI/ML driven analytics.

The Cisco ecosystem of partners plays a key role in enabling this flexibility by creating custom observability solutions that help customers drive business outcomes with specific use cases. Let’s take a closer look at the Evolutio Fintech module, built by a key Cisco technology partner.

Evolutio Fintech gives holistic visibility to online financial transactions

Every moment matters in financial services, especially in online and point of sale transactions. Financial services organizations need to be able to see the full picture—and take action with insight.

The Evolutio Fintech module correlates infrastructure health with credit card authorization data. It helps organizations reduce revenue losses resulting from credit card authorization failures by figuring out the impact of infrastructure health on the credit card authorization.

“We developed a Fintech solution for the banking sector, around credit card processing,” said Laura Vetter, CTO and Co-Founder of Evolutio. “It looks at credit card processing, how much money is running through, and the number of transactions, split by customer region data centers, which is most relevant to the business. If someone calls in and has an issue with processing, it’s easy to look at that specific company’s data and determine whether the issue involves the whole company, or just one region.”

Evolutio lets financial organizations view credit card authorization projects by region, to spot issues like falling numbers of authorizations, or regions that have stopped reporting data.

Evolutio lets organizations view KPIs and insights grouped and aggregated based on metadata like region, schemas, infrastructure components, and merchant name, to understand how their system is behaving as a whole.

A powerful partnership for technology innovators


For our technology partners, Cisco FSO Platform presents an excellent opportunity to bring new solutions to market fast, supporting specific domain and vertical use cases.

“Cisco has provided a very easy way to interact with the platform,” said Vetter. “It’s basically just a schema that you interact with and extend to make it happen. My team keeps telling me about the tight partnership that we have had throughout this entire journey.”

Our customers win, too, gaining the interoperability, agility, and flexibility of an adaptable, highly modular platform.

Together, Cisco FSO Platform and its partner modules deliver a comprehensive solution that scales as businesses scale—and easily extends everywhere, across the infrastructure and the application life cycle.

Source: cisco.com

Wednesday, 20 September 2023

CCNP Enterprise 350-401 Certification: The Road to Success


Greetings, fellow networking enthusiasts! Prepare to embark on a journey that not only promises to unlock a world of exciting career opportunities but also validates your prowess in networking. This comprehensive guide is your trusted companion, offering insights into the coveted Cisco CCNP Enterprise 350-401 certification. We'll explore its advantages and provide invaluable study tips to ensure a pass and excellence in this prestigious examination.

Know the Cisco CCNP Enterprise 350-401 Certification

Let's begin by unraveling the essence of the Cisco 350-401 ENCOR certification. CCNP, or Cisco Certified Network Professional, Enterprise, is a prized accolade for networking professionals aspiring to showcase their mastery in enterprise networking solutions.

Cisco 350-401 Exam Details:

  • Exam Name- Implementing and Operating Cisco Enterprise Network Core Technologies
  • Exam Price- $400 USD
  • Duration- 120 minutes
  • Number of Questions- 90-110
  • Passing Score- Variable (750-850 / 1000 Approx.)

Cisco 350-401 Exam Topics:

  • Architecture- 15%
  • Virtualization- 10%
  • Infrastructure- 30%
  • Network Assurance- 10%
  • Security- 20%
  • Automation- 15%

Benefits of Cisco CCNP Enterprise 350-401 Certification

Expansive Career Horizons

Acquiring the Cisco CCNP Enterprise 350-401 certification opens various career opportunities. Organizations worldwide seek professionals capable of designing, implementing, managing, and troubleshooting advanced enterprise network solutions. You become an invaluable asset in the job market.

Industry Recognition

Cisco certifications, including CCNP Enterprise, are synonymous with excellence in the field. Employers and peers recognize them as symbols of top-tier networking expertise. This certification instantly bestows credibility and underscores your commitment to staying at the forefront of networking technology.

Elevated Earning Potential

CCNP Enterprise-certified professionals typically enjoy enhanced earning potential—the specialized skills and knowledge acquired through the certification process position you for higher-paying roles in the industry.

Skill Mastery

Cisco's CCNP Enterprise certification equips you with in-depth knowledge of critical networking topics. This mastery enhances your problem-solving abilities and bolsters your confidence in effectively managing enterprise networks.

Why Should You Pass the Cisco 350-401 ENCOR Exam?

Preparing for Success: Study Tips for 350-401 ENCOR

Now that we've established the perks let's dive into the core aspect of attaining CCNP Enterprise certification: preparation. Follow these study tips to ensure you conquer the 350-401 ENCOR exam with flying colors.

#1. Grasp the 350-401 Exam Blueprint

Before you commence your preparation, familiarize yourself with the exam blueprint. Cisco provides a detailed breakdown of the topics and subtopics covered in the exam. Use this blueprint as your roadmap to guarantee comprehensive coverage.

#2. Source Quality 350-401 Study Materials

Invest in reputable study materials, such as Cisco's official certification guides and practice exams. Additionally, consider engaging with online forums and communities where you can collaborate with fellow candidates, share insights, and access valuable resources.

#3. Craft a Study Schedule

Effective time management is paramount. Create a study schedule tailored to your daily routine, allowing consistent, focused study sessions. Allocate specific time slots for different topics to ensure thorough preparation.

#4. Hands-On Practice

More than theoretical knowledge is required. Establish a lab environment using tools like Cisco's Packet Tracer or other network simulation tools. Hands-on practice solidifies your understanding of networking concepts and reinforces your practical skills.

#5. Join Study Groups

Consider joining or forming study groups with like-minded individuals pursuing the same certification. Collaborative learning can be remarkably effective, enabling discussions on complex topics, joint troubleshooting, and exposure to diverse perspectives.

#6. Regularly Take 350-401 ENCOR Practice Tests

Periodically take practice exams to gauge your progress and identify areas needing improvement. Cisco offers official practice exams that closely mirror the actual exam format. These practice tests are invaluable in boosting your confidence and readiness.

#7. Annotate and Summarize

While studying, take notes, annotate textbooks, and create concise summaries of key concepts. This reinforces your understanding and provides quick references during the final stages of preparation.

#8. Stay Informed

Stay abreast of the latest networking trends and Cisco technologies. The field constantly evolves, and exam questions may reflect these changes. Subscribe to Cisco blogs, newsletters, and forums to stay informed.

#9. Seek Expert Guidance

When confronted with challenging topics or concepts, feel free to seek guidance from seasoned professionals or certified trainers. They can offer valuable insights and clarify any doubts that impede your progress.

The Final Push: Cisco 350-401 ENCOR Exam-Day Strategies

Prioritize Relaxation

The night before your exam, prioritize a restful night's sleep and relaxation. Avoid last-minute cramming, as it can heighten anxiety and hinder performance. Trust in your preparation and maintain confidence.

Read Carefully

During the exam, meticulously read each question to ensure a clear understanding of the requirements before answering. Cisco exams often feature scenario-based questions that demand a profound grasp of the subject matter.

Master Time Management

Effective time management is paramount. Allocate specific time limits to each question, and if you encounter a particularly challenging one, move on and return to it later. Don't let a single question consume excessive time.

Review Your Answers

Once you've completed the exam, revisit your answers if time permits. Check for errors or omissions and make necessary corrections.

Conclusion

The Cisco CCNP Enterprise 350-401 certification is your ticket to a flourishing networking career. Its manifold benefits, including expanded career opportunities, industry recognition, and higher earning potential, make it a wise investment in your professional journey.

By adhering to these comprehensive study tips, you can confidently approach the 350-401 ENCOR exam and emerge triumphant. Remember, preparation is the key, and steadfast commitment to your studies will lead you to success.

So, gear up, embark on your certification, and unlock the gateway to networking excellence. The Cisco CCNP Enterprise 350-401 certification is within your grasp, and with dedication and determination, you can attain it. Best of luck on your journey to becoming a certified networking professional!

Thursday, 14 September 2023

How to run Cisco Modeling Labs in the Cloud


You might think one answer to these problems would be to use CML in the cloud. And you’d be right. However, up until recently, the only supported platforms to run CML were either on bare metal servers or on VMware vSphere.

We have heard requests to have CML Software-as-a-Service (SaaS), and we’re working hard to make this a reality in the future. Our first step in this direction is to provide tooling and automation so you can deploy your CML instance into Amazon Web Services (AWS)! This tooling is available as of today on GitHub.

Setting expectations


With this first step of automation and tooling comes a few limitations, including:

  • Tooling is currently only supported on AWS. We’re working on making this also available on Azure in a subsequent release.
  • It only supports an all-in-one deployment. Subsequent releases could include deployment of multiple instances to form a CML cluster.
  • This approach needs a bare-metal flavor to support all node types. Metal flavors are more expensive than virtualized instances; however, AWS does not support virtualization extensions on their non-bare-metal flavors. This is different from Azure.
  • You need to bring your own AWS instance AND your own CML license. No pay-as-you-go consumption model is available as of today.
  • CML software and reference platform files from the “refplat ISO” need to be made available in a bucket.
  • Automation must run locally on your computer, particularly a Linux machine with Terraform.

Due to the nature of CML’s function, the ability to run it in the cloud will never be cheap (as in free-tier). CML requires a lot of resources, memory, disk, and CPU, which comes at a cost, regardless of whether you run it locally on your laptop, in your data center, or in the cloud. The idea behind the cloud is to simplify operation and provide elasticity but not necessarily to save money.

Meeting software requirements


The software requirements you’ll need to successfully use the tooling include:

  • a Linux machine (should also work on a Mac with the same packages installed via Homebrew)
  • a Bash shell (in case you use the upload tool, which is a Bash script)
  • a Terraform installation
  • the AWS CLI package (awscli with the aws command)
  • the CML software package (.pkg) and the CML reference platform ISO from CCO/cisco.com

An existing CML controller satisfies the first two requirements, and you can use that to install Terraform and the AWS CLI. It also has the reference platform files available to copy to an AWS S3 bucket. You also must download the CML distribution package from the Cisco support website and copy it to the AWS S3 bucket.

Select the distribution package circled in the screenshot (the version might differ, but the file name ends in .pkg.zip). You’ll need to unzip it for the upload tool to recognize it.

For more detail, refer to the “Upload script” section of the README.md that is included in the cml-cloud repository.

Getting up and running


Once you’ve installed the requirements and copied the files, you’ll find the actual procedure straightforward and meticulously documented in the README.md.

Here are the fundamental steps:

1. Configure the required S3 bucket, user, policies, secrets, and rules via AWS console (once).
2. Upload the binary files (images and software) into the created bucket (once or whenever new software is available).
3. Configure the tooling by editing the config.json file (once).
4. Run terraform plan followed by terraform apply to bring up an instance.
5. Wait 5-10 minutes for the system to become ready; the address of the controller is provided as a result (“output” from Terraform).
6. Use CML in the cloud and profit!

Once you’re done, tear down the cloud infrastructure by executing terraform destroy.

Note: While no cost is incurred when you are not running CML instances, you’ll still need to pay for storing the files inside the created S3 bucket.

Taking the next steps


While CML AWS automation tooling is a first step toward CML SaaS, the tooling in its current form might not fit your needs exactly because of cost for bare-metal instances or the current dependency on AWS. Or you might want a pay-as-you-go service or something else. Let us know!

Just remember subsequent steps are ahead! Stay tuned, and tell us what you think in the meantime. We are extremely interested in how useful (or not) this first iteration of cloud tooling is to you and your organization and, going forward, what your specific requirements are.

Source: cisco.com

Tuesday, 12 September 2023

Cisco Catalyst IE9300 Rugged Series switches: Enterprise-grade industrial-strength

Realizing the full potential of industrial digitization requires extensive connectivity of operations assets wherever they might be – at busy city intersections, inside utility substations, in rail and subway stations, along extreme temperatures and high-vibration production lines, within wind or solar farms, in mines and in oilfields. In these kinds of harsh environments, organizations need to deploy, secure, and maintain a wide range of connected devices. Full connectivity is the starting point and needs a network that is scalable, resilient, secure, and incorporates proven IT practices to keep the network performing up to expectations.

A new class of industrial rackmount switches


In January last year, Cisco launched the first two products in the Cisco Catalyst IE9300 Rugged Series Switches portfolio. These switches are closely related to the widely adopted Cisco Catalyst 9000 family with the same hardware ASICs, the same IOS XE operating system, and offer the same level of network automation, assurance, and policy enforcement by Cisco Catalyst Center (previously known as Cisco DNA Center). This year, we are extending that portfolio with one of the industry’s most innovative and comprehensive product sets.

Figure 1: Catalyst IE9300 Rugged Series all-fiber models

The new all-fiber and all-copper models of these rackmount, Layer 3 switches deliver the same security, scalability, and automation that customers have come to expect from our Catalyst 9000 enterprise-grade rackmount switches. But the Catalyst IE9300 switches are ruggedized for industrial environments – unlocking new opportunities to bring enterprise-grade networking to industrial networks.

One switch family, unlimited possibilities


Specific features make these multifunction switches especially powerful and versatile. For example, the latest models offer higher Power over Ethernet (PoE) wattage and high PoE budget (up to 720W). That means organizations can connect more – and higher-power, higher-bandwidth – endpoints, including Wi-Fi 6/6E access points, 4K UHD and PTZ cameras, digital signage, and even thin clients and user laptops, to name a few.

These models also provide higher bandwidth – up to 2.5GE downlinks and 10GE uplinks – for high-bandwidth endpoints and to enable data to be backhauled from many access switches in field deployments such as road intersections, railroads, and manufacturing environments. For utilities, the products’ high-density fiber ports and IEC 61850 compliance make them ideal for substation automation. Across industry sectors and use cases, Software-Defined Access makes it easier to interface industrial networks with enterprise networks. They also unlock the benefits of Cisco Cyber Vision and Endpoint Analytics to enhance visibility and security throughout industrial networks.

Figure 2: Catalyst IE9300 Rugged Series all-copper models

The IE9300 family is built to withstand extreme temperatures and is hardened for vibration, shock and surge, and electrical noise. These switches offer extended durability thanks to no moving parts and their fanless, convection-cooled design. And they comply with specifications for several industries – from Intelligent Transport Systems (ITS) to utility substation environments.

To put it more conversationally, you can think of the Catalyst IE9300 Rugged Series as the Layer 3 switches that you can use for (almost) everything and (nearly) everywhere!

Use cases for the Catalyst IE9300 Rugged Series Switches


One of the best ways to illustrate the potential of these new products is to describe some of the use cases they make possible:

  • High density fiber access. Fiber ports offer several benefits over copper. Fiber cables are immune to electromagnetic radiation, offer safer transmission in hazardous conditions due to their electric isolation, and can transmit data over much longer distances without experiencing signal degradation or loss of quality. Use cases for fiber include industries such as utilities that are modernizing substations using native fiber devices, and traffic backhaul from field deployments.
  • Clock input and precision timing. GPS and IRIG-B inputs that allow network synchronization ensure that different devices across the network are working with the same time reference, which is crucial for applications requiring coordinated actions. For example, in the energy sector, accurate time synchronization is crucial for monitoring power grid events, fault detection, and grid stability. Further, the Precision Time Protocol (PTP) Power Profile built into the IE9300 ensures 50ns per-hop accuracy, keeping the delay within 1µs over 16 switch hops.
  • Aggregation and cost-efficiency. A 10G-uplink fiber aggregation switch makes it possible to connect Resilient Ethernet Protocol (REP) and Media Redundancy Protocol (MRP) rings in non-climate-controlled field points-of-presence. This use case has broad potential in field deployments such as roadways, wind farms, and solar farms. The 10G uplinks help avoid the oversubscription that can occur with Gigabit-only switches.
  • Distribution layer switching. Uplink ports open new opportunities for the IE9300 to be used as a distribution layer switch that you can deploy right in dusty and hot environments, ensuring that critical data flows smoothly between access switches and the core network. The stacking capabilities of the IE9300 ensure scale and redundancy.
  • High-wattage and high-density PoE. Copper models of the IE9300 offer a variety of PoE options and can provide power to connected devices with a total of up to 720W per switch. Note that the IE9300 delivers 720W of PoE power while still maintaining a 1RU form factor, a first in the industry. Moreover, you can configure the switch to deliver up to 90W on a single 2.5GE port. This combines high bandwidth with high power on a single port, enabling new use cases.
  • Flexibility and scalability. Although the IE9300 switches have a fixed port count, multiple units can be stacked to increase the number of available ports while still appearing as a single virtual switch, which reduces configuration complexity. Management by Cisco Catalyst Center makes onboarding and reconfiguration easy, increasing flexibility to keep pace with operations.
  • Visibility and security. Granular visibility into connected assets and network traffic is the necessary first step in ensuring operations security. Compute capabilities within the IE9300 allow it to run Cisco Cyber Vision sensors, which provide visibility and risk assessments and help form the basis for security-driven network segmentation.

As you look to evolve your industrial network and gain from Industry 4.0 opportunities, look to the Catalyst IE9300 Rugged Series as your solution to connect everything – everywhere.

Source: cisco.com

Saturday, 9 September 2023

The New Normal is Here with Secure Firewall 4200 Series and Threat Defense 7.4

What Time Is It?


It’s been a minute since my last update on our network security strategy, but we have been busy building some awesome capabilities to enable true new-normal firewalling. As we release Secure Firewall 4200 Series appliances and Threat Defense 7.4 software, let me bring you up to speed on how Cisco Secure elevates to protect your users, networks, and applications like never before.


Secure Firewall leverages inference-based traffic classification and cooperation across the broader Cisco portfolio, which continues to resonate with cybersecurity practitioners. The reality of hybrid work remains a challenge to the insertion of traditional network security controls between roaming users and multi-cloud applications. The lack of visibility and blocking from a 95% encrypted traffic profile is a painful problem that hits more and more organizations; a few lucky ones get in front of it before the damage is done. Both network and cybersecurity operations teams look to consolidate multiple point products, reduce noise, and do more with less; the Cisco Secure Firewall and Workload portfolio masterfully navigates all aspects of network insertion and threat visibility.

Protection Begins with Connectivity


Even the most effective and efficient security solution is useless unless it can be easily inserted into an existing infrastructure. No organization would go through the trouble of redesigning a network just to insert a firewall at a critical traffic intersection. Security devices should natively speak the network’s language, including encapsulation methods and path resiliency. With hybrid work driving much more distributed networks, our Secure Firewall Threat Defense software followed suit by expanding its existing dynamic routing capabilities with application- and link-quality-based path selection.

Application-based policy routing has been a challenge for the firewall industry for quite some time. While some vendors use their existing application identification mechanisms for this purpose, those require multiple packets in a flow to pass through the device before the classification can be made. Since most edge deployments use some form of NAT, switching an existing stateful connection to a different interface with a different NAT pool is impossible after the first packet. I always get a chuckle when reading those configuration guides that first tell you how to enable application-based routing and then promptly caution you against it due to NAT being used where NAT is usually used.

Our Threat Defense software takes a different approach, allowing common SaaS application traffic to be directed or load-balanced across specific interfaces even when NAT is used. In the spirit of leveraging the power of the broader Cisco Secure portfolio, we ported over a thousand cloud application identifiers from Umbrella, which are tracked by IP addresses and Fully Qualified Domain Name (FQDN) labels so the application-based routing decision can be made on the first packet. Continuous updates and inspection of transit Domain Name System (DNS) traffic ensure that the application identification remains accurate and relevant in any geography.

This application-based routing functionality can be combined with other powerful link selection capabilities to build highly flexible and resilient Software-Defined Wide Area Network (SD-WAN) infrastructures. Secure Firewall now supports routing decisions based on link jitter, round-trip time, packet loss, and even voice quality scores against a particular monitored remote application. It also enables traffic load-balancing with up to 8 equal-cost interfaces and administratively defined link succession order on failure to optimize costs. This allows a branch firewall to prioritize trusted WebEx application traffic directly to the Internet over a set of interfaces with the lowest packet loss. Another low-cost link can be used for social media applications, and internal application traffic is directed to the private data center over an encrypted Virtual Tunnel Interface (VTI) overlay. All these interconnections can be monitored in real-time with the new WAN Dashboard in Firewall Management Center.
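The first-packet routing mechanism and the link-quality-based path selection described in the three paragraphs above, as an added illustration that is not Cisco's code: application labels are learned from transit DNS answers, the egress interface (and therefore the NAT pool) is fixed on the first packet, and candidate interfaces are ranked by a monitored metric. The catalogue, link names, metrics and addresses are all constructed for the example.

```python
"""Added illustration (not Cisco code) of first-packet application routing.
Labels come from DNS answers for catalogued FQDNs, so the egress (and NAT
pool) is chosen on the first packet; a classifier needing several packets
would decide after the NAT binding exists and could not move the flow."""
from dataclasses import dataclass

# Constructed catalogue: application label -> FQDN suffixes.
APP_FQDNS = {"webex": ("webex.com", "wbx2.com"), "social": ("social.example",)}

@dataclass
class Link:
    """One egress interface with its NAT pool and monitored link quality."""
    name: str
    nat_pool: str
    loss_pct: float
    rtt_ms: float

# Constructed policy: label -> (candidate interfaces, metric to minimise).
# Unlabelled traffic goes to the private data centre over the VTI overlay.
POLICY = {
    "webex": (["wan1", "wan2"], "loss_pct"),
    "social": (["lte"], "rtt_ms"),
    None: (["vti0"], "rtt_ms"),
}

class FirstPacketRouter:
    def __init__(self, links):
        self.links = {l.name: l for l in links}
        self.ip_to_app = {}    # destination IP -> label, learned from DNS
        self.conn_table = {}   # flow tuple -> (egress, nat_pool); sticky

    def snoop_dns(self, qname, answers):
        """Label every answered IP when the query name matches the catalogue."""
        for app, suffixes in APP_FQDNS.items():
            if any(qname == s or qname.endswith("." + s) for s in suffixes):
                for ip in answers:
                    self.ip_to_app[ip] = app

    def choose(self, app):
        """Among the policy's candidates, take the best current metric."""
        candidates, metric = POLICY.get(app, POLICY[None])
        return min((self.links[n] for n in candidates),
                   key=lambda link: getattr(link, metric))

    def route(self, flow):
        """flow = (src_ip, src_port, dst_ip, dst_port, proto) -> egress name."""
        if flow in self.conn_table:          # existing translation: never moved
            return self.conn_table[flow][0]
        app = self.ip_to_app.get(flow[2])    # None if the IP was never resolved
        link = self.choose(app)
        self.conn_table[flow] = (link.name, link.nat_pool)
        return link.name

def demo():
    """Constructed scenario; returns (first flow, later flow, first flow again)."""
    r = FirstPacketRouter([Link("wan1", "203.0.113.1", 0.1, 20.0),
                           Link("wan2", "198.51.100.1", 0.5, 15.0),
                           Link("lte", "192.0.2.1", 2.0, 60.0),
                           Link("vti0", "10.0.0.1", 0.0, 5.0)])
    r.snoop_dns("meet.webex.com", ["192.0.2.50"])
    flow = ("10.1.1.5", 50000, "192.0.2.50", 443, "tcp")
    first = r.route(flow)                    # wan1 has the lowest loss
    r.links["wan1"].loss_pct = 3.0           # wan1 degrades afterwards
    later = r.route(("10.1.1.6", 50001, "192.0.2.50", 443, "tcp"))  # now wan2
    return first, later, r.route(flow)       # existing flow stays on wan1
```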

Divide by Zero Trust


The obligatory inclusion of Zero Trust Network Access (ZTNA) into every vendor’s marketing collateral has become a pandemic of its own in the last few years. Some security vendors got so lost in their implementation that they had to add an internal version control system. Once you peel away the colorful wrapping paper, ZTNA is little more than per-application Virtual Private Network (VPN) tunnel with an aspiration for a simpler user experience. With hybrid work driving users and applications all over the place, a secure remote session to an internal payroll portal should be as simple as opening the browser – whether on or off the enterprise network. Often enough, the danger of carelessly implemented simplicity lies in compromising the security.

A few vendors extend ZTNA only to the initial application connection establishment phase. Once a user is multi-factor authenticated and authorized with their endpoint’s posture validated, full unimpeded access to the protected application is granted. This approach often results in embarrassingly successful breaches where valid user credentials are obtained to access a vulnerable application, pop it, and then laterally spread across the rest of the no-longer-secure infrastructure. Sufficiently motivated bad actors can go as far as obtaining a managed endpoint that goes along with those “borrowed” credentials. It’s not entirely uncommon for a disgruntled employee to use their legitimate access privileges for less than noble causes. The simple conclusion here is that the “authorize and forget” approach is mutually exclusive with the very notion of a Zero Trust framework.

Secure Firewall Threat Defense 7.4 software introduces a native clientless ZTNA capability that subjects remote application sessions to the same continuous threat inspection as any other traffic. After all, this is what Zero Trust is all about. A granular Zero Trust Application Access (ZTAA – see what we did there?) policy defines individual or grouped applications and allows each one to use its own Intrusion Prevention System (IPS) and File policies. The inline user authentication and authorization capability interoperates with every web application and Security Assertion Markup Language (SAML) capable Identity Provider (IdP). Once a user is authenticated and authorized upon accessing a public FQDN for the protected internal application, the Threat Defense instance acts as a reverse proxy with full TLS decryption, stateful firewall, IPS, and malware inspection of the flow. On top of the security benefits, it eliminates the need to decrypt the traffic twice as one would when separating all versions of legacy ZTNA and inline inspection functions. This greatly improves the overall flow performance and the resulting user experience.

Let’s Decrypt


Speaking of traffic decryption, it is generally seen as a necessary evil in order to operate any DPI functions at the network layer – from IPS to Data Loss Prevention (DLP) to file analysis. With nearly all network traffic being encrypted, even the most efficient IPS solution will just waste processing cycles by looking at the outer TLS payload. Having acknowledged this simple fact, many organizations still choose to avoid decryption for two main reasons: fear of severe performance impact and potential for inadvertently breaking some critical communication. With some security vendors still not including TLS inspected throughput on their firewall data sheets, it is hard to blame those network operations teams who are cautious around enabling decryption.

Building on the architectural innovation of Secure Firewall 3100 Series appliances, the newly released Secure Firewall 4200 Series firewalls kick the performance game up a notch. Just like their smaller cousins, the 4200 Series appliances employ custom-built inline Field Programmable Gate Array (FPGA) components to accelerate critical stateful inspection and cryptography functions directly within the data plane. This industry-first inline crypto acceleration design eliminates the need for costly packet traversal across the system bus and frees up the main CPU complex for more sophisticated threat inspection tasks. These new appliances keep the compact single Rack Unit (RU) form factor and scale to over 1.5Tbps of threat inspected throughput with clustering. They will also provide up to 34 hardware-level isolated and fully functional FTD instances for critical multi-tenant environments.

Those network security administrators who look for an intuitive way of enabling TLS decryption will enjoy the completely redesigned TLS Decryption Policy configuration flow in Firewall Management Center. It separates the configuration process for inbound (an external user to a private application) and outbound (an internal user to a public application) decryption and guides the administrator through the necessary steps for each type. Advanced users will retain access to the full set of TLS connection controls, including non-compliant protocol version filtering and selective certificate blocklisting.

Not-so-Random Additional Screening


Applying decryption and DPI at scale is all fun and games, especially with hardware appliances that are purpose-built for encrypted traffic handling, but it is not always practical. The majority of SaaS applications use public key pinning or bi-directional certificate authentication to prevent man-in-the-middle decryption even by the most powerful of firewalls. No matter how fast the inline decryption engine may be, there is still a pronounced performance degradation from indiscriminately unwrapping all TLS traffic. With both operational costs and complexity in mind, most security practitioners would prefer to direct these precious processing resources toward flows that present the most risk.

Lucky for those who want to optimize security inspection, our industry-leading Snort 3 threat prevention engine includes the ability to detect applications and potentially malicious flows without having to decrypt any packets. The integral Encrypted Visibility Engine (EVE) is the industry’s first implementation of Machine Learning (ML) driven flow inference for real-time protection within the data plane itself. We continuously train it with petabytes of real application traffic and tens of thousands of daily malware samples from our Secure Malware Analytics cloud. It produces unique application and malware fingerprints that Threat Defense software uses to classify flows by examining just a few outer fields of the TLS protocol handshake. EVE works especially well for identifying evasive applications such as anonymizer proxies; in many cases, we find it more effective than the traditional pattern-based application identification methods. With Secure Firewall Threat Defense 7.4 software, EVE adds the ability to automatically block connections that classify high on the malware confidence scale. In a future release, we will combine these capabilities to enable selective decryption and DPI of those high-risk flows for truly risk-based threat inspection.
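The idea of classifying a flow from a few outer fields of the TLS handshake and blocking on a high malware confidence, as an added example that is not Cisco's EVE code: it parses only the ClientHello header fields (version, cipher list, extension types, SNI), hashes their shape into a fingerprint and looks it up in a constructed table. The profiles, their confidence values and the block threshold are constructed for the example and stand in for the trained fingerprints the post describes.

```python
"""Added example (not Cisco code): classify a flow from outer TLS ClientHello
fields only, the way the post describes EVE doing it, and block when the
matched fingerprint's malware confidence is high. Profiles, confidences
and the threshold are constructed for the example."""
import hashlib
import struct

def sni_ext(host):
    """server_name extension payload: list len, host type 0, name len, name."""
    name = host.encode()
    return struct.pack("!HBH", len(name) + 3, 0, len(name)) + name

def build_client_hello(version, ciphers, extensions):
    """Build a TLS record carrying a ClientHello; extensions = [(type, payload)]."""
    ext_body = b"".join(struct.pack("!HH", t, len(p)) + p for t, p in extensions)
    body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, no session id
            + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                         # one compression method: null
            + struct.pack("!H", len(ext_body)) + ext_body)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # record type 22 = handshake

def parse_client_hello(rec):
    """Return (version, ciphers, extension types, SNI) without touching any payload."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9                                                         # record (5) + handshake (4) headers
    version = struct.unpack_from("!H", rec, p)[0]; p += 2 + 32    # version, then skip random
    p += 1 + rec[p]                                               # skip session id
    n = struct.unpack_from("!H", rec, p)[0]; p += 2
    ciphers = list(struct.unpack_from("!%dH" % (n // 2), rec, p)); p += n
    p += 1 + rec[p]                                               # skip compression methods
    ext_len = struct.unpack_from("!H", rec, p)[0]; p += 2
    end, ext_types, sni = p + ext_len, [], None
    while p < end:
        t, ln = struct.unpack_from("!HH", rec, p); p += 4
        if t == 0:                                                # server_name: name length at +3
            sni = rec[p + 5:p + 5 + struct.unpack_from("!H", rec, p + 3)[0]].decode()
        ext_types.append(t); p += ln
    return version, ciphers, ext_types, sni

def fingerprint(version, ciphers, ext_types):
    """Hash of the handshake shape; ordering of ciphers and extensions is part of the signal."""
    s = "%d,%s,%s" % (version, "-".join(map(str, ciphers)), "-".join(map(str, ext_types)))
    return hashlib.sha256(s.encode()).hexdigest()[:16]

# Constructed profiles: name -> (version, ciphers, extension types, malware confidence).
PROFILES = {
    "browser-like": (0x0303, [0x1301, 0x1302, 0xC02B, 0xC02F], [0, 23, 10, 13, 43], 0.02),
    "evasive-tool": (0x0303, [0x002F, 0x0035], [0, 10], 0.93),
}
FP_TABLE = {fingerprint(v, c, e): (n, conf) for n, (v, c, e, conf) in PROFILES.items()}
BLOCK_THRESHOLD = 0.9   # constructed "high on the malware confidence scale" cut-off

def classify(rec):
    """Verdict for one ClientHello: label, confidence and allow/block action."""
    version, ciphers, ext_types, sni = parse_client_hello(rec)
    label, conf = FP_TABLE.get(fingerprint(version, ciphers, ext_types), ("unknown", None))
    action = "block" if conf is not None and conf >= BLOCK_THRESHOLD else "allow"
    return {"sni": sni, "label": label, "confidence": conf, "action": action}
```

Only the handshake headers are read; the encrypted application data that follows is never needed for the verdict.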

The other trick for making our Snort 3 engine more precise lies in cooperation across the rest of the Cisco Secure portfolio. Very few cybersecurity practitioners out there like to manually sift through tens of thousands of IPS signatures to tailor an effective policy without blowing out the performance envelope. Cisco Recommendations from Talos has traditionally made this task much easier by enabling specific signatures based on actually observed host operating systems and applications in a particular environment. Unfortunately, there’s only so much that a network security device can discover by either passively listening to traffic or even actively poking those endpoints. Secure Workload 3.8 release supercharges this ability by continuously feeding actual vulnerability information for specific protected applications into Firewall Management Center. This allows Cisco Recommendations to create a much more targeted list of IPS signatures in a policy, thus avoiding guesswork, improving efficacy, and eliminating performance bottlenecks. Such an integration is a prime example of what Cisco Secure can achieve by augmenting network level visibility with application insights; this is not something that any other firewall solution can implement with DPI alone.

Light Fantastic Ahead


Secure Firewall 4200 Series appliances and Threat Defense 7.4 software are important milestones in our strategic journey, but that journey by no means stops there. We continue to actively invest in inference-based detection techniques and tighter product cooperation across the entire Cisco Secure portfolio to bring value to our customers by solving their real network security problems more efficiently. As you may have heard from me at the recent Nvidia GTC event, we are actively developing hardware acceleration capabilities to combine inference and DPI approaches in hybrid cloud environments with Data Processing Unit (DPU) technology. We continue to invest in endpoint integration both on the application side with Secure Workload and the user side with Secure Client to leverage flow metadata in policy decisions and deliver a truly hybrid ZTNA experience with Cisco Secure Access. Last but not least, we are redefining the fragmented approach to public cloud security with Cisco Multi-Cloud Defense.

The light of network security continues to shine bright, and we appreciate you for the opportunity to build the future of Cisco Secure together.

Source: cisco.com