Saturday 17 February 2024

Award-Winning Centralized Platform Helps Unlock Value Through Simplicity

From work style to vehicle choice, hybrid has become the new norm. In fact, we are surrounded by use cases that need a hybrid approach to problem solving. And as we all know, networks are evolving. Today, networks need to be ready for new and growing applications such as artificial intelligence (AI), augmented and virtual reality (AR/VR), edge clouds, online gaming, connected cars, and video streaming. As a result, communication service providers (CSPs) are considering more options in redesigning networks.

For example, network operators need to cater to their customers by delivering services from anywhere between 1G to 100G speeds, while having the ability to aggregate into 400G networks. Operators need a platform that allows them to bridge this gap from 1G to 400G.

Platform design choices


Typically, there have been two types of form factors for routing platforms: fixed and distributed systems.

Fixed systems can contain a single forwarding chip and single route processor (RP) with fixed interfaces (see Figure 1). Fixed systems typically come in a “pizza box” form factor that is often used in network architectures that are more predictable and simpler, where using a system with fixed interfaces is suitable for anticipated network traffic patterns.

Figure 1. Fixed system

Distributed systems use a different architecture (see Figure 2), where the packet-forwarding decisions and actions take place on the network processor units (NPUs)/forwarding engines located on the individual line cards. Each card maintains a copy of the forwarding information base (FIB) that is distributed by the RP in the control plane. Large distributed systems have traditionally been designed to provide higher total system bandwidth and port densities, field-replaceable line cards, interface diversity, and redundancy.

These requirements have far exceeded what could be accomplished with a single NPU on a fixed system, which is why every line card has multiple NPUs participating in the forwarding decisions. This architecture helps deliver favorable customer outcomes with increased reliability and flexibility.

Figure 2. Distributed system

New hybrid choice with centralized architecture


With the evolution of the network and emergence of more localized and metro-driven traffic patterns, there is a need for network operators to deploy a solution that meets the needs of both fixed and distributed systems. Cisco 8000 Series Routers address this customer problem and market need by delivering a platform that is uniquely positioned to support the reliability and flexibility offered by distributed solutions, while also delivering value with the customer investments.

Instead of having to choose between a fixed or distributed system, customers can now also consider the new centralized system with Cisco 8600 Series Routers (see Figure 3), which blend the resource efficiency of fixed systems with the interface flexibility, upgradeability, and redundancy of distributed systems.

Figure 3. Centralized system

Similar to distributed systems, centralized systems have in-service, replaceable, redundant RPs with CPU and redundant switch cards (SCs) with NPUs to support both data plane and control plane redundancy. Cisco 8600 Series Routers have modular port adapters (MPAs) that can be replaced while in service and enable interface flexibility. Like fixed systems, the forwarding decisions on centralized platforms are handled centrally on the RP/SC instead of the line card.

With the unique centralized design of Cisco 8600 Series Routers, the life of a data packet is carefully managed such that when traffic ingresses on one of the MPA interfaces, the physical layer (PHY) on the ingress MPA sends the traffic to both SCs. The Silicon One ASIC on both SCs processes the packets, so in the event of a failure with the active SC, the other standby SC always has all the packets to support data plane redundancy. At a point in time, only the packets processed by the active SC are forwarded to the network, and packets processed by the standby SC are dropped.

Use cases


With currently over five billion global internet users, it is becoming increasingly impractical for capabilities such as peering to happen at only traditional, centralized internet exchanges. Distributed peering points are emerging across the network to help avoid unnecessarily backhauling traffic to centralized locations. However, metro locations such as colocation sites, data centers, and central offices can be space-constrained, and every additional rack unit (RU) of space is extremely costly.

Deploying right-sized platforms like Cisco 8600 Series Routers can address some of the operator resource challenges while achieving lower upfront costs, data plane and control plane redundancy, port diversity, and architectural simplicity using single-chip forwarding with fewer components to help lower TCO.

Additional use cases for the Cisco 8608 router include as a core label switch router (LSR), routed data center top-of-rack (ToR)/leaf, and aggregation for cloud and CSP networks. Cisco 8600 Series Routers are also part of the Cisco routed optical networking solution, with support for 400G DCO optics to improve network operational efficiency and simplicity.

Cisco innovations


Cisco Silicon One offers unmatched flexibility with a common silicon architecture, including software development kit (SDK) and P4 programmable forwarding code across multiple network roles (see Figure 4), while supporting fixed, distributed, and centralized systems (see Figure 5). With Cisco Silicon One used in Cisco 8600 Series Routers, we maintain the architectural simplicity and uniformity across the three architecture types. Having a unified architecture helps network operators simplify operations through consistency with upgrades, feature parity, training, testing/qualification, deployment, and troubleshooting.

Figure 4. Cisco Silicon One portfolio and network roles

Figure 5. Form factor types using Cisco Silicon One

Silicon One architecture achieves high performance and full routing capabilities without external memories. The clean-sheet internal architecture includes on-chip high-bandwidth memory (HBM) and supports multiple modes of operation by enabling a router to operate with a single forwarding chip, a line card network processor, and a switch fabric element. This flexibility enables consistent software experience in multiple roles and rapid silicon evolution.

Benefits of simplicity and uniformity across the three architecture types for network operators include:

  • Consistent software experience across multiple network nodes.
  • Simplified network operations through consistency with upgrades, qualification, deployment, and troubleshooting.
  • Unified security and trust across the network.
  • Programmable interfaces via consistent APIs.

In addition to the capabilities of the Silicon One chipset, Cisco 8600 Series Routers include significant innovations, such as the Cisco IOS XR network operating system (NOS) and the chassis design itself. For example, Cisco 8600 Series Routers enable all major components to be in-service field-replaceable, which helps reduce operational costs.

The single-forwarding chip design on Cisco 8600 Series Routers is well suited for smaller locations by offering simplicity through more bandwidth with fewer components, which helps streamline costs, power, and space (including with chassis depth of less than 600 mm) while also reducing latency.

The first platform in the Cisco 8600 Series Routers product line is the Cisco 8608 router, which includes these components:

  • Chassis: The router has an eight-slot 7RU chassis at 580 mm depth, which hosts fans, power supplies, RPs, SCs, and MPAs.
  • Route processor: The RP hosts the CPU complex and the I/O ports. RPs fit vertically in the chassis from the front panel. Up to two RPs are supported in the system and the RPs operate in active-standby mode for a redundant system.
  • Switch card: SCs sit orthogonally in the back of the MPAs with connections to all MPAs. SCs directly host the NPUs, with up to two SCs in the system that work in active-standby mode to deliver data plane redundancy.
  • Power supplies: The router has four power supplies that can provide redundant power to the system. The power options include pluggable 3.2 kW AC and pluggable 3.2 kW DC.
  • Fans: There are eight fans in the system, with each fan individually removable or replaceable to provide N+1 fan redundancy to the system.
  • Modular port adapters: With a high degree of flexibility, the Cisco 8608 router supports a diverse range of interfaces, including 4×400 GbE, 24×10/25/50 GbE, and a combination of 16×100 GbE or 12×100 GbE+1×400 GbE or 8×100 GbE+2×400 GbE.
  • Network operating system: Cisco IOS XR is the common NOS across access, aggregation, edge, and core platforms, including Cisco 8600 Series Routers. IOS XR provides network intelligence, programmability, and trustworthy solutions to help deliver operational efficiency.
  • Manageability: Cisco Crosswork Network Automation is a comprehensive software platform that helps plan, provision, manage, optimize, and assure multi-vendor/multi-domain networks, including Cisco 8600 Series Routers, to help reduce operational costs.

Customer benefits


The centralized architecture of Cisco 8600 Series Routers enables customers to take advantage of three main benefits (see Figure 6), including:

  • Reliability: The unique hardware architecture provides industry-leading reliability with both control plane and data plane redundancy without loss of any front face plate.
  • Flexibility: In-service upgradability and mix-and-match port support from 1G to 400G to help to efficiently meet both user and network traffic demands.
  • Value: Customers can experience greater value with:
    • Investment protection
      • MPA backward compatibility
      • Next-generation SC compatibility
    • Optimized CapEx spending with right-sized platform to meet specific scale, space, power, and redundancy requirements
    • Optimized OpEx spending with field-upgradeable and reusable components (similar to distributed systems) combined with using automated operations
    • Sustainability that can help customers toward meeting their sustainability goals using a simplified centralized architecture.

Figure 6. Enabling customer outcomes

Meet evolving network priorities


Cisco is empowering customers with a hybrid architecture to meet their ever-changing network demands. Cisco 8600 Series Routers are a culmination of innovations in silicon, software, and hardware—all coming together to deliver a new breed of simple, reliable, flexible routers that give customers more choices and help maximize value.

Source: cisco.com

Thursday 15 February 2024

Secure Network Analytics 7.5.0 Launch


Secure Network Analytics (SNA) Release 7.5.0 is generally available as of January 22, 2024. All current customers are eligible to upgrade and should look at the release notes to better understand the upgrade process and any additional considerations.

SNA is Cisco’s Network Detection and Response solution. SNA provides enterprise-wide network visibility to detect and respond to threats in real time. The solution continuously analyzes network activities to create a baseline of normal network behavior. It then uses this baseline, along with non-signature-based advanced analytics that include behavioral modeling and machine learning algorithms, as well as global threat intelligence, to identify anomalies and detect and respond to threats in real time. Secure Network Analytics can quickly and with high confidence detect threats such as Command-and-Control (C&C) attacks, ransomware, Distributed-Denial-of-Service (DDoS) attacks, illicit cryptomining, unknown malware, and insider threats. With an agentless solution, you get comprehensive threat monitoring across the entire network traffic, even if it’s encrypted.


This release delivers the innovation and usability that customers expect from the platform. By directly integrating firewall logs, improving response management, and updating the platform to meet the latest certification mandates, release 7.5.0 combines essential platform development with new features and enhancements.

Firewall Logs Generate Events in Secure Network Analytics


Given their location at the edge of the network, firewalls see a vast amount of traffic and behaviors that may be indicative of an attack. In this release, Secure Network Analytics can take logs directly from Cisco Firewall Management Center (FMC), Firewall Threat Defense (FTD) and ASA. These logs are converted into a format that looks like NetFlow but does not count against your flows per second (FPS) license. Enabling this configuration gives further insight into your traffic patterns, risks, and the scope of an attack.

New Response Management Actions


Automated responses improve the workflow for Security Operations Center (SOC) analysts and are a core component of our Network Detection and Response solution. By providing flexibility for multiple response actions, SOC analysts can ensure proper action is taken based on a specific alert type. This release adds Central Analytics detections to Response Management workflows, including the ability to deliver email, syslog, threat response, or webhook.


Data Enrichment from Secure Network Analytics to Cisco XDR


With the 7.5.0 release, security events contribute directly into XDR investigations. Also, XDR response actions can now be applied to alerts.

Other Enhancements


Additionally, this release provides improvements to the overall security and usability of the platform. Secure Network Analytics can achieve the certifications required by customers, including DODIN-APL, FIPS 140-3, Level 1, Common Criteria, USGv6, and IPv6 ready Logo. Some of these enhancements include:

  • TLS 1.3: TLS 1.3 is now supported, and TLS 1.2 is still supported. These protocols should be used for inter-appliance and external TLS connections, and can be configured in SystemConfig to be TLS 1.3 only or both TLS 1.2 and 1.3.
  • Root access restriction: Root access has been removed. TAC will have access for troubleshooting purposes using the Cisco Consent Token mechanism via SystemConfig.
  • New SystemConfig workflows: New workflows have been added that the non-root sysadmin user can action, including Diag Packs, License Reservation, Data Store operations, and more.
  • MongoDB upgrade: Moved to a version that uses an already available package rather than a custom-built version.
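As an added example (not code from the release or from Cisco), the following Python probe checks which TLS protocol versions an appliance's HTTPS endpoint actually negotiates, so an administrator can confirm that the SystemConfig choice (TLS 1.3 only, or TLS 1.2 and 1.3) took effect and that TLS 1.0/1.1 are refused after the upgrade. The appliance host name is a placeholder; `evaluate_policy` compares the observed versions against the two policies the release describes.

```python
import socket
import ssl

# Protocol versions to probe, oldest to newest. The local OpenSSL build may
# refuse to even offer TLS 1.0/1.1; the probe treats that as "rejected".
PROBE_VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]

# The two selectable SystemConfig policies named in the release notes above.
POLICIES = {
    "tls13_only": {ssl.TLSVersion.TLSv1_3},
    "tls12_and_13": {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3},
}


def handshake_with_version(host, port, version, timeout=5.0):
    """Attempt one TLS handshake pinned to exactly `version`.

    Returns True if the server completed the handshake at that version and
    False if it refused (TLS alert, connection reset, or the local OpenSSL
    cannot offer that version). Certificate verification is disabled on
    purpose: this measures protocol negotiation, not trust in the cert.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return False
    if version < ssl.TLSVersion.TLSv1_2:
        # Modern OpenSSL security levels block TLS 1.0/1.1 client-side;
        # lower the level so the probe really offers the old version.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            return False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe_accepted_versions(host, port=443):
    """Return the set of TLS versions the server negotiated successfully."""
    return {v for v in PROBE_VERSIONS if handshake_with_version(host, port, v)}


def evaluate_policy(accepted, policy):
    """Compare observed versions with the expected SystemConfig policy.

    Returns (compliant, unexpected, missing): `unexpected` lists versions
    the server accepted but the policy forbids (e.g. TLS 1.0 still on),
    `missing` lists policy versions the server refused.
    """
    expected = POLICIES[policy]
    unexpected = sorted(v.name for v in accepted - expected)
    missing = sorted(v.name for v in expected - accepted)
    return (not unexpected and not missing, unexpected, missing)


if __name__ == "__main__":
    # Placeholder address (assumption): replace with the Manager or
    # Flow Collector FQDN you want to verify.
    accepted = probe_accepted_versions("sna-manager.example.invalid", 443)
    ok, extra, gone = evaluate_policy(accepted, "tls12_and_13")
    print("accepted:", sorted(v.name for v in accepted))
    print("compliant:", ok, "unexpected:", extra, "missing:", gone)
```

Run it once per appliance and per listening port, since inter-appliance and external connections may be configured separately.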

In addition to these enhancements, we have improved certificate rotation and management, IPv6 support, and support for M4, M5, and M6 appliances.

By simplifying workflows, increasing compliance, and expanding detections, Secure Network Analytics Release 7.5.0 continues to prove its value as a central component of your SOC. We encourage you to review the release notes and speak with your local Cisco provider to begin planning your upgrade.

Source: cisco.com

Tuesday 13 February 2024

How GLP-1 Drug Success Transforms Healthcare Revenue – Is your Organization Ready?


The huge revenue opportunity stemming from recent success of GLP-1 drugs is not just for the pharmaceutical companies. Is your healthcare organization poised to capture the patient care opportunity emerging from GLP-1 pharmaceutical innovation?

Revolutionizing Healthcare with Breakthroughs in Diabetes and Obesity Treatment


The new category of diabetes, weight loss, and obesity drugs called GLP-1s is predicted to be a game-changing innovation in population health management of some chronic disease types. These drugs have shown tremendous success in treating their target diseases of diabetes and obesity, and adoption by patients continues to grow. The 42nd annual J.P. Morgan healthcare conference in San Francisco this month gave considerable coverage to this topic and to the group of pharmaceutical companies at the core of this unparalleled movement in reducing population health issues around diabetes and weight. Drugs such as Wegovy, Mounjaro, and Ozempic are currently the most highly in demand, and many patients are having trouble finding supply as a result of the accelerating adoption and approvals for use. But innovation in pharma can create opportunity in other areas, and this one is already doing just that for hospitals, clinics, and ACOs in the healthcare industry.

Analysts Forecast Massive Growth


Chris Schott, JP Morgan Sr. Analyst covering US Diversified Biopharma, says the revenue opportunity for the pharma sector could be as much as $100B as we approach 2030, which would make it the largest therapeutic market they have ever seen. He further predicts the capacity for GLP-1s to double in 2024 and increase another 50% in 2025, alleviating bottlenecks from a capacity standpoint.

Lisa Gill, JP Morgan Sr. Analyst covering Healthcare Services, says the things to watch are policies around coverage of these drugs. They are not currently covered by Medicaid or Medicare, and should that change, volumes would likely be impacted even further.

Seizing the Opportunity in GLP-1


So, what does this mean for healthcare provider organizations? This is where accelerating healthcare’s digital transformation comes into the equation. The opportunity is huge for providers to realize significant increases in volumes of patients seeking primary care services to authorize, prescribe, and manage the use of these medical treatments. These GLP-1 patients will need to be evaluated and monitored throughout their use of these medications, and the current staffing levels within the US healthcare system are already strained, with patients experiencing delays in appointments, long wait times for scheduling appointments, and ongoing challenges in reporting daily vitals into the electronic health records without in-person visits. In addition to tracking vitals, these patients are ideally monitored for lifestyle elements such as sleep, exercise, diet, mental health, and overall wellness. They benefit from coaching to help keep them on track with the lifestyle changes that go along with a successful program.

Maximizing Patient Engagement for Financial Growth and Innovation


Providers who have invested in digital-first engagement technologies such as messaging, chat, bots, voice, and efficient patient orchestration processes using integrated contact centers will be best poised to handle the volumes of patients seeking care and will see the financial benefits of engaging and servicing these patients’ needs.

Healthcare providers, overwhelmingly experiencing financial challenges stemming from COVID-era dips in billable visits and procedures, have been exploring ways to expand into new types of care and new sources of patients. The innovation and success of the GLP-1 category of pharmaceuticals could be one of the opportunities that provides both, and drives acceleration of new care models, digital workflow redesigns, and remote patient monitoring. Providers will need to evaluate their infrastructure’s readiness for some of these new engagement models and quickly deploy technologies to capture this new business opportunity. The good news is Cisco’s Healthcare team is already helping hospital systems deploy next-generation collaboration systems, including messaging, video conferencing, virtual care, and devices that are interoperable with other collaboration systems, for affordability and ease of use with existing systems and processes.

Experts predict more innovation in the pharmaceutical pipelines that will produce huge gains for other disease types too. Is your hospital system ready with a digital healthcare infrastructure that seamlessly engages patients, scales your valuable clinical resources and secures operations? The time to start is now!

Source: cisco.com

Saturday 10 February 2024

Cisco and Megaport Simplify Cloud Networking with Pay-As-You-Go Model

In the ever-evolving world of digital connectivity, Cisco continues to pave the way with innovative solutions not just centered around technological advances, but also around how those advances can easily be consumed by customers. Over the last three years, Cisco and Megaport have collaborated deeply by:

1. Integrating Cisco Catalyst SD-WAN with Megaport global network connectivity services (Megaport Virtual Edge and Megaport Virtual Cross Connects)

2. Delivering a single vendor consumption model for customers to purchase Megaport services via Cisco (available since September 2021 on Cisco Global Price List)

Cisco’s Pay-as-You-Go Initiative


Today, we are happy to announce that Cisco and Megaport are extending their partnership by introducing a pay-as-you-go (PAYG) offer for Megaport Virtual Edge, Virtual Cross Connects, and Ports through Cisco’s Global Price List. As an alternative to the existing term-based offer, Cisco’s pay-as-you-go offer provides businesses with unprecedented flexibility, scalability, and a cloud-like consumption model for Megaport underlay services.

Cisco’s PAYG offer for Megaport services is a dynamic approach to network resource management. It is designed to ensure businesses only pay for the infrastructure resources they utilize, providing an efficient and economical solution. This model signifies a shift from the traditional, static network infrastructure to a more dynamic, flexible, and cost-effective alternative. The pay-as-you-go offer will be available in March 2024 and will be integrated with Megaport Virtual Edge, Megaport Virtual Cross Connects, and Megaport Ports.

Both consumption models give customers a single-vendor experience for their global connectivity requirements through Catalyst SD-WAN Manager, allowing them to bring up network infrastructure to create global wide area networks, connect to multiple cloud environments, and set up easy data recovery systems in a matter of minutes. There’s no need for customers to deal with multiple vendors, manage various contracts, or navigate multiple portals.

Key Benefits of Cisco’s PAYG for Megaport Services


Currently adopted by a wide variety of business verticals (healthcare, tech, global IT services, financial services, and public sectors), middle-mile optimization with Catalyst SD-WAN and Megaport allows businesses to realize a range of benefits.


  • Flexibility and scalability: The PAYG offer allows for dynamic scaling of network connectivity, thus creating a cloud-like consumption model for site-to-cloud, site-to-site, and cloud-to-cloud connectivity requirements. This flexibility is crucial in today’s ever-changing business environment, where adaptability, agility, and ease of use are key determinants of success.
  • Cost-effectiveness: Organizations can manage their network resources based on their specific requirements and only pay for the resources they consume. With a $0 upfront commitment and a single billing and support platform, Cisco aims to reduce the multi-vendor requisite customers must deal with for their global networking infrastructure needs.
  • Secure and reliable: By leveraging Megaport’s robust global platform with a 99.999% SLA, businesses can enjoy seamless, secure connections to a vast network of service providers (data centers, public clouds, and SaaS) in a colocation-agnostic manner, while Catalyst SD-WAN ensures end-to-end encryption for data at rest and data in transit.
  • Global WAN: Megaport’s extensive global footprint allows businesses to deploy Megaport Virtual Edge hosting the Catalyst 8000V in 70+ metros across the globe, giving users access to Megaport’s backbone in a data center-agnostic manner. Multi-national enterprises have deployed resilient and responsive global WANs in a matter of minutes using Catalyst SD-WAN and Megaport underlays, thus empowering them to do away with their legacy networks, long-term contracts, and the insecurities of using public internet services. This global reach, combined with Cisco’s Catalyst SD-WAN, enables organizations to create a truly borderless and responsive network infrastructure.


Cisco’s launch of the pay-as-you-go offer for Megaport services delivers unparalleled flexibility, scalability, and cost-efficiency to organizations looking to modernize their global network infrastructure while transforming to a cloud-first environment by providing a network that mimics the same.

Source: cisco.com

Thursday 8 February 2024

Helping customers reduce cyber risk by complying with NIS2 and securely managing industrial assets

This week, I’m attending Cisco Live in Amsterdam! Together with my team, we’re excited to exchange insights and network with our customers and industry leaders. Our focus is to interact with customers firsthand, grasp their preferences, and highlight how our latest portfolio upgrades cater to their requirements.

Up to this point in the event, numerous customers have emphasized that cybersecurity in industrial settings is a primary concern, alongside the introduction of the new NIS2 regulations. Our team is present to assist customers in navigating and adhering to these latest regulations, ensuring a seamless transition as we adjust to new mandates. Let me share some insights into NIS2 and outline our investments aimed at aiding customers.

Cisco helps customers comply with NIS2 regulations to reduce cyber risk with enhanced cybersecurity capabilities


The European Union created Network and Information Security (NIS2) to update and strengthen the existing NIS1 framework, addressing emerging cybersecurity threats and evolving technological landscapes more effectively. The intent is to enhance cybersecurity resilience and coordination across critical sectors and digital service providers. It will impact more than 350,000 organizations and will extend to non-European companies that are part of the EU supply chain. This directive will be enforced as of October 18, 2024.

To comply with NIS2 requirements, customers need a good understanding of their security posture to implement cyber risk management best practices and zero-trust security policies. Meeting these requirements requires our customers to control risks from their supply chain (machine builders, control system vendors, contractors, hardware service providers, etc.) as well as risks from connected assets that now need access to external applications and cloud services. This translates into a problem of scale for our customers due to the diverse ecosystem of supply chain vendors, and tens of thousands of assets in their environments.

Cisco has comprehensive capabilities and a market-leading industrial networking portfolio, which helps our customers address these challenges. Our portfolio complies with ISA/IEC 62443 security standards so that customers can trust their supply chain.

The Industrial IoT team has been investing in enhancements to industrial security solutions, Cisco Cyber Vision and Secure Equipment Access, to help customers reduce cyber risk and drive compliance with NIS2 cybersecurity regulations as they securely connect assets in their critical infrastructure.


First, we have enhancements to Cisco Cyber Vision with new reports and risk scores from Cisco Vulnerability management. Cyber Vision software, deployed on the industrial network, builds a detailed inventory of all connected assets and their security posture. This will help customers monitor and manage cyber risks of their OT assets. The new report engine helps industrial organizations drive compliance and governance by sharing OT Security Posture insights with all stakeholders.

“With Cyber Vision, we now have the visibility into our mission-critical OT networks as a first step to mitigate vulnerabilities and improve our security posture. Cyber Vision found more than 20 instances of malware in our substations and identified features and protocols that don’t need to be active.”

 – Emerson Cardoso, Chief Information Security Officer, CPFL Energia

External users need to connect to OT assets for maintenance and troubleshooting. Operational teams can use Cisco Secure Equipment Access to remotely deploy, configure, and troubleshoot assets and applications connected to Cisco industrial routers and switches. The Secure Equipment Access solution adopts a ZTNA architecture that enforces strong security controls to grant remote users access only to specific resources at specific times. Another exciting announcement is the new Secure Equipment Access dashboard, which helps administrators monitor and audit remote access activities and trends for compliance. The dashboard also enables advanced users and partners to automate remote access workflows with a new set of APIs for easy integration with other software solutions.

“As the NIS2 cybersecurity regulation is implemented across Europe, our industrial customers need to better control remote access to their operational networks. Cisco Secure Equipment Access simplifies the enforcement of zero-trust network access policies within an OT environment. By embedding this capability into the industrial network, Cisco makes it easy for customers to deploy OT cybersecurity at scale.”

 – Damiano Di Mauro, OT Networking Solutions Team Leader, Lutech (Cisco partner)


In our journey to help customers with Cyber Vision capabilities, we are very excited to see our partner Orange launching ‘Secure Industrial LAN’ managed service for industrial organizations. They are combining the Cisco Industrial IoT networking portfolio with Cisco Cyber Vision for OT security and skilled resources from Orange Cyberdefense and Orange Business worldwide. This service can be delivered to multinational customers with production sites across the globe with a single offer.

“As industries are accelerating the digitization of their operations, they need help to manage and secure industrial networks anywhere they are on the globe. By combining Cisco’s leading industrial networking and OT security portfolio with Orange Business’ and Orange Cyberdefense’s IT and OT expertise with human resources worldwide, our Secure Industrial LAN offer is the ideal solution for industrial organizations to scale their operations, improve resilience, and meet ever-growing cybersecurity regulations.”

– Emmanuel Routier, VP Smart Industries, Orange Business (Cisco partner)


The excitement of new enhancements doesn’t just stop there. Because different industries and use cases require different network technologies and capabilities for connectivity, we are continuing to expand our industrial networking portfolio to ensure customer success for a variety of deployment scenarios and locations. Therefore, we are also announcing:

  • Catalyst IW9167E is now available for hazardous environments (Class 1, Div 2), so that customers in locations such as oil & gas, chemical, and pharmaceutical plants can deploy Wi-Fi or Cisco Ultra Reliable Wireless Backhaul (Cisco URWB).
  • The Catalyst IW9165 series now also supports Wi-Fi 6/6E as well as Cisco URWB. With different form factors, we are enabling customers to deploy in more locations, such as inside a cabinet on a manufacturing floor or at roadway intersections.
  • The 5G PIM now supports both public and private standalone 5G networks on Catalyst Industrial Rugged Routers (IR1100, IR1800, IR8300) for roadways (cameras and sensors at intersections), public safety (ambulances, police cars), utilities, and other mission-critical industrial settings.

If you are at Cisco Live Amsterdam, come and find the Cisco Industrial IoT Team at the World of Solutions to experience live demos and a coffee machine powered by Catalyst Center and Secure Equipment Access. Innovation and a cup of coffee come together to fuel digitization and connectivity for the whole week. I look forward to seeing you there!

Source: cisco.com

Tuesday 6 February 2024

Safeguard Your Network in a Post-Quantum World

Security is critical when transmitting information over any untrusted medium, particularly with the internet. Cryptography is typically used to protect information over a public channel between two entities. However, there is an imminent threat to existing cryptography with the advent of quantum computers. According to the National Institute of Standards and Technology (NIST), “When quantum computers are a reality, our current public key cryptography won’t work anymore… So, we need to start designing now what those replacements will be.”

Quantum computing threat


A quantum computer works with qubits, which can exist in multiple states simultaneously, based on the quantum mechanical principle of superposition. Thus, a quantum computer could explore many possible permutations and combinations for a computational task, simultaneously and swiftly, transcending the limits of classical computing.

While a sufficiently large and commercially feasible quantum computer has yet to be built, there have been massive investments in quantum computing from many corporations, governments, and universities. Quantum computers will empower compelling innovations in areas such as AI/ML and financial and climate modeling. Quantum computers, however, will also give bad actors the ability to break current cryptography.

Public-key cryptography is ubiquitous in modern information security applications such as IPsec, MACsec, and digital signatures. The current public-key algorithms rest on mathematical problems, such as factoring large integers, that are computationally infeasible for classical computers to solve. Shor’s algorithm gives quantum computers a way to solve these problems much faster than classical computers can. Once a sufficiently large quantum computer is built, existing public-key cryptography (RSA, Diffie-Hellman, elliptic-curve cryptography (ECC), and others) will no longer be secure, which will render most current uses of cryptography vulnerable to attack.

Store now, break later


Why worry now? Most transport security protocols, IPsec and MACsec among them, use public-key cryptography during the authentication/key-establishment phase to derive the session key. That shared session key is then used for symmetric encryption and decryption of the actual traffic.

Bad actors can use the “harvest now, decrypt later” approach: capture encrypted data today and decrypt it later, once a capable quantum computer materializes. Leaving sensitive encrypted data exposed to this impending quantum threat is an unacceptable risk. In particular, where the confidentiality of a communication must hold for more than a decade, we must act now to make these transport security protocols quantum-safe.

The long-term solution is to adopt post-quantum cryptography (PQC) algorithms to replace the current algorithms that are susceptible to quantum computers. NIST has identified some candidate algorithms for standardization. Once the algorithms are finalized, they must be implemented by the vendors to start the migration. While actively working to provide PQC-based solutions, Cisco already has quantum-safe cryptography solutions that can be deployed now to safeguard the transport security protocols.

Cisco’s solution


Cisco has introduced the Cisco session key import protocol (SKIP), which enables a Cisco router to securely import a post-quantum pre-shared key (PPK) from an external key source such as a quantum key distribution (QKD) device or other source of key material.

Figure 1. External QKD as key source using Cisco SKIP

For deployments that can use an external hardware-based key source, SKIP can be used to derive the session keys on both the routers establishing the MACsec connection (see Figure 1).

With this solution, Cisco offers many benefits to customers, including:

  • Secure, lightweight protocol that is part of the network operating system (NOS) and does not require customers to run any additional applications
  • Support for “bring your own key” (BYOK) model, enabling customers to integrate their key sources with Cisco routers
  • The channel between the router and the key source used by SKIP is itself quantum-safe, as it uses TLS 1.2 with a DHE-PSK cipher suite, in which the pre-shared key is mixed into the premaster secret so the session’s secrecy does not rest on Diffie-Hellman alone
  • Validated with several key-provider partners and end customers

Figure 2. Cisco SKS engine as the key source

In addition to SKIP, Cisco has introduced the session key device (SKS), which is a unique solution that enables routers to derive session keys without having to use an external key source.

Figure 3. Traditional session key distribution

The SKS engine is part of the Cisco IOS XR operating system (see Figure 2). Routers establishing a secure connection such as MACsec derive the session keys directly from their respective SKS engines. The engines are seeded in a one-time, out-of-band operation so that both sides derive the same session keys.

Unlike the traditional method (see Figure 3), where the session keys themselves are exchanged on the wire, quantum session key distribution sends only the key identifiers (see Figure 4). An attacker tapping the links therefore cannot derive the session keys, because the key identifier alone is not sufficient.
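To make the two ideas above concrete (a DHE-PSK style construction that mixes a pre-shared secret into the key, and an SKS-style engine where peers seeded out of band derive the same session key from a key identifier that is the only value sent on the wire), here is an added toy model in Python. It is not Cisco code and does not reproduce SKIP or the SKS engine; HKDF-SHA256 as the derivation function, the `macsec-sak` label and the `SeededKeyEngine`/`establish_session` names are assumptions of this example.

```python
import hmac
import hashlib
import os

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): OKM = T(1) || T(2) || ... truncated to length."""
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH().digest_size) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


class SeededKeyEngine:
    """Toy model of an SKS-style engine (assumed design, not Cisco's): both peers
    are seeded out of band with the same secret and derive every session key
    locally from a short key identifier that travels in the clear."""

    def __init__(self, seed: bytes):
        self.seed = seed

    def derive(self, key_id: bytes, dh_secret: bytes = b"", length: int = 32) -> bytes:
        # Same shape as the TLS 1.2 PSK premaster secret (RFC 4279):
        # len(Z) || Z || len(PSK) || PSK.  An attacker who later recovers the
        # Diffie-Hellman secret Z with a quantum computer still lacks the seed.
        ikm = (len(dh_secret).to_bytes(2, "big") + dh_secret
               + len(self.seed).to_bytes(2, "big") + self.seed)
        prk = hkdf_extract(key_id, ikm)
        return hkdf_expand(prk, b"macsec-sak" + key_id, length)


def establish_session(peer_a: SeededKeyEngine, peer_b: SeededKeyEngine,
                      dh_secret: bytes = b""):
    """Peer A picks a fresh key identifier and sends only that on the wire;
    both sides derive the session key from it. Returns (key_id, key_a, key_b)."""
    key_id = os.urandom(16)  # the only value an on-path observer sees
    return key_id, peer_a.derive(key_id, dh_secret), peer_b.derive(key_id, dh_secret)


if __name__ == "__main__":
    seed = b"constructed-out-of-band-seed"          # constructed sample secret
    kid, ka, kb = establish_session(SeededKeyEngine(seed), SeededKeyEngine(seed))
    print("key id on the wire:", kid.hex(), "| peers agree:", ka == kb)
    # An observer with the key id but a wrong (or empty) seed gets a different key.
    print("observer matches:", SeededKeyEngine(b"").derive(kid) == ka)
```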

Figure 4. Quantum session key distribution

Cisco is leading the way with comprehensive and innovative quantum-safe cryptography solutions that are ready to deploy today.

Source: cisco.com

Saturday 3 February 2024

Redefining the IT war room with end-to-end observability

Transforming the war room starts with Customer Digital Experience Monitoring (CDEM) to break down silos with correlated, cross-domain insights and efficiency for rapid resolutions.

Time is money and commandeering a lot of time from many of the smartest and most expensive people across your organization, often at short notice, can be unthinkably expensive.

There’s the hourly cost of their time. Plus, the cost of lost opportunities related to the work they’re doing, which is now delayed. That’s far from the full story though. The costs extend far beyond their own input as everybody needs time to speak, listen, consider, and work through the possibilities.

And yet, when a new software release rolls around, that’s exactly how many organizations respond. They can’t be sure what might go wrong with a software release, so they make sure all the right people are available, just in case.

When it’s obvious that something is going wrong in the application runtime environment, or a mission-critical application starts to experience performance problems, and it needs to be fixed immediately, that same wide group is gathered to figure out the problem and determine the best way to fix it.

Meanwhile, reputational damage to the company is growing with every minute of disruption, and the financial clock is ticking with each minute spent identifying and remediating issues while customers and end users have limited or no access to the applications that make modern business work.

The war room is a blunt instrument that casts a wide net


Convening an IT war room is born of a lack of visibility. The team must leverage their collective expertise to determine the likely root cause of a performance-impacting issue, because it’s typically not obvious to anyone at the outset exactly where the problem lies.

The time required to pinpoint the issue can be significant, even when the war room is filled with skilled, intelligent subject matter experts. That’s because modern applications are built on cloud-native architectures and can be accessed from anywhere using different devices. They leverage packaged code and dependencies deployed as microservices to increase developer speed and flexibility.

That includes containers, third-party libraries, and application programming interfaces (APIs) which create a complicated environment in which updates, changes, and conflicts between dependencies need to be constantly managed to ensure applications run optimally. If the application slows down, doesn’t work as it should, or crashes, the result is poor user experience and even lost business.

Application dependencies can also affect the security of an application. This is particularly true when an application depends on third-party code or libraries which could contain vulnerabilities which offer an attack path. That puts not only the application, but also user data, at risk.

For example, misconfiguration, ransomware, and distributed denial-of-service (DDoS) attacks can all produce performance degradation whose symptoms are confusingly similar to those of network packet loss, with no clear indication of the root cause.

Consider the scenario of a large supermarket at the height of holiday season shopping. Products are flying off the shelves and need frequent restocking throughout the day. It’s critical to know inventory availability right up to the minute, so shelves remain full. Inaccurate inventory or running out of stock undermines trust the business has worked hard to build, not to mention lost sales.

At that point, the hand scanners used for inventory start to falter. They’re not reliably scanning, which means the movement of products from the stock room onto the shelves isn’t being recorded accurately. The team can no longer be sure what’s on the shelves, what’s left in the stockroom, what needs to be reordered and when it needs to arrive.

A call is made to the IT team and a war room is convened to investigate what’s causing the problem. The Wi-Fi network is an obvious culprit; however, as time passes, the networking team can’t find any Wi-Fi problems. Eventually, they realize it’s the scanner firmware. The scanners themselves need to be replaced, and once they are, normal service is resumed.

Customer Digital Experience Monitoring (CDEM) changes everything


This story is one of many that illustrate the shortcomings of infrastructure monitoring which lacks visibility into the digital experience.

In this example, the war room participants must sort sequentially through all the different scanner dependencies, guided by their collective experience, to spot the most likely culprit in the least amount of time. The effort involves cross-functional teams, each investigating its own area of responsibility, so a similar level of effort and time is required from everyone. The result is that most teams can typically only prove their “innocence”: they can show that their area of responsibility does not harbor the root cause.

In effect, because they lack clear insight, each team spends a huge amount of expensive time looking for an issue that isn’t theirs to find. There’s a better way. Cisco Full-Stack Observability allows operational teams to completely change their troubleshooting perspective.

Customer Digital Experience Monitoring (CDEM), a capability of Cisco Full-Stack Observability (FSO) solutions, allows teams to track the user journey itself starting with the device and traversing every touchpoint including dependencies like APIs and microservices.

Had they used CDEM, the teams in our example would have seen the user journey failing at the first step. Eliminating their theoretical most likely culprit – the Wi-Fi network – would have taken just moments instead of hours, and attention would have immediately focused on the scanners themselves.

It’s easy to see how observability at this level fundamentally changes the IT war room, and dramatically accelerates mean time to resolution (MTTR) through bypassing many of the steps that teams would otherwise have to take.

Answers lie in observable telemetry data


War rooms are complicated by multiple different data sets surfaced by separate monitoring tools. For example, Network Ops looks at data from the network, while DevSecOps looks at data from the application and its third-party dependencies.

Achieving a complete view of all relevant application data from normal business operations is a massive task. Worse yet, it’s impossible to correlate these endless streams of incoming data within a workable timeframe using disparate tools and systems that were never designed for the job. That makes spotting anomalies across the full stack, let alone prioritizing and acting on them, virtually impossible in a reasonable timeframe.

Cisco Full-Stack Observability solutions democratize data access, breaking down cross-functional silos and bringing teams together to collaborate on the next best step for resolving problems. Customer Digital Experience Monitoring combines Cisco’s application observability capabilities with industry-leading network intelligence, allowing IT teams to quickly identify the root cause of issues before they hurt the overall performance of the application, affect the end user and ultimately the business.

Cisco’s solution provides insights into both the application and the network, with internet connectivity metrics for application operations and real-time application dependency mapping for network operations. This combined application and network view significantly reduces MTTR with actionable recommendations that help teams prioritize remediation activities based on business impact and criticality.

For instance, teams can see at which point along the user’s path performance degradation is occurring, or communication is failing altogether. Vitally, they have contextual visibility that helps them collaboratively identify, triage, and resolve issues because they’re all working from the same data sourced from every possible touchpoint, including the network, which is an area often missing from other solutions.

The result is the end of war rooms as we know them. Instead, teams have end-to-end visibility, correlated insights, and recommended actions all tied to business context, across applications, security, the network, and the internet. Only Cisco combines the vantage points of applications, networking, and security at scale to power true observability over the entire IT estate.

Source: cisco.com