SD-Routing: Unlock Agility and Efficiency for the Secure WAN Edge

Many Cisco enterprise customers have decades of Cisco Catalyst routing and security capabilities functioning at branch locations. However, many of their traditional network management solutions can’t keep up with the demands of cloud adoption, remote work, and ever-growing user expectations. This translates to poor user experience, sluggish applications, and possible security vulnerabilities. These factors are driving the need for a transformation across applications, networks, and security.

This operational paradigm shift aims to seamlessly connect users anywhere to any application and secure user access by protecting against evolving threats. The answer to these operational challenges is Cisco’s software-defined routing (SD-Routing) solution. It goes beyond traditional per-device-based management by enabling full frictionless lifecycle device management, monitoring, configuration, and troubleshooting—as well as robust, next-generation firewall security integrations—from a single dashboard that doesn’t require any changes to your existing environment.

Figure 1. SD-Routing solution overview

Let’s explore some key use cases of SD-Routing that can transform your network:

Frictionless device lifecycle management. Simplify and prepare your network for the future with one management platform. SD-Routing, controlled through the Cisco Catalyst SD-WAN Manager dashboard, can:

• Unify management: Manage device software upgrades, monitoring, and troubleshooting through the intuitive Catalyst SD-WAN Manager dashboard. This simplifies network operations and empowers you to manage both traditional routing and Catalyst SD-WAN environments.
• Tame legacy challenges: Simplify complex legacy operations with SD-Routing. Basic troubleshooting tools within the manager help you maintain and optimize performance. Continuous updates ensure your network stays ahead of the curve.
• Combat configuration drift: Manage and track changes with a unified platform. Use the manager to create configuration templates for standardized deployments and future SD-WAN migration.

Network administrators might be using homegrown automation or third-party vendor tools to solve these problems. You can continue to use these tools, but you don’t need to invest further. Rather, take advantage of SD-WAN Manager, which comes as a part of Catalyst licensing.

Security

Configuring diverse IOS XE security features through the command-line interface (CLI) or customized ad hoc scripts has historically been a complex, labor-intensive process that is prone to errors. This is especially true for defining granular security policies across zones and containers. With the introduction of SD-Routing guided security workflows, customers aiming to implement robust, next-generation firewall (NGFW) security on their on-premises routers will find this a valuable addition, allowing for consistent policy application across deployments. Many customers want Direct Internet Access (DIA) at their branch offices, but security concerns hold them back. SD-Routing can streamline secure DIA deployment on WAN edge routers, offering a simpler approach to securing distributed networks.

Cloud on-ramp for multicloud

Traditional network teams often struggle to securely extend their WANs to cloud providers, where key enterprise applications may reside. SD-Routing simplifies this process, especially for those who are hesitant to adopt it. With SD-Routing, you can securely connect to cloud providers like AWS and Azure following best practices, without months of learning complex, cloud-specific configurations. This empowers you to seamlessly connect to cloud providers and focus on your business outcomes.

As you tackle the modern network challenges, explore SD-Routing to simplify, streamline, secure, and future-proof your WAN environment. The single management platform for Catalyst SD-WAN and SD-Routing saves time and operational expenses with agile and automated workflows that quickly respond to network changes.

Beyond these immediate benefits, SD-Routing also can help strategically position your network for simplified future migrations to SD-WAN, depending on where you are in your digital transformation journey.

Whether you have existing enterprise networking equipment in your WAN or are considering a future purchase of Cisco Catalyst 8000 Edge Platforms, Cisco 1000 Series Integrated Service Routers, Cisco 1000 Series Aggregation Service Routers, or Industrial Routers, SD-Routing can unlock their full potential. Even better, if you’re already using Cisco Catalyst SD-WAN Manager, you can leverage the same platform to manage your SD-Routing deployments.

Source: cisco.com

Continue reading

GenAI will Transform B2B Interactions and Solutions in the Year Ahead with New Depth of Context and Control

Human-like interaction with B2B solutions, bespoke multimodal LLMs for better accuracy and precision, curated workflow automation via LAMs and customized B2B applications will become the norm as GenAI expands in the business sphere.

With the rapid launch of new solutions powered by generative AI (GenAI), the business-to-business (B2B) landscape is being reshaped in front of our eyes. Many organizations have taken a cautious and meticulously planned approach to widespread adoption of artificial intelligence (AI), however the Cisco AI Readiness Index reveals just how much pressure they are now feeling.

Adverse business impacts are anticipated by 61% of organizations if they have not implemented an AI strategy within the next year. In some cases, the window may even be narrower as competitors pull away, leaving very little time to properly execute plans. The clock is ticking, and the call for AI integration – especially GenAI – is now louder than ever.

In her predictions of tech trends for the new year, Chief Strategy Officer and GM of Applications, Liz Centoni said GenAI-powered Natural Language Interfaces (NLIs) will become the norm for new products and services. “NLIs powered by GenAI will be expected for new products and more than half will have this by default by the end of 2024.”

NLIs allow users to interact with applications and systems using normal language and spoken commands as with AI assistants, for instance, to instigate functionality and dig for deeper understanding. This capability will become available across most business-to-consumer (B2C) applications and services in 2024, especially for question-and-answer (Q&A) type of interactions between a human and a “machine”. However, associated B2B workflows and dependencies will require additional context and control for GenAI solutions to effectively elevate the overall business.

The point-and-click approach enabled by graphic user interfaces (GUIs) effectively binds users to a limited set of capabilities, and a restricted view of data that is based on the GUI requirements set by the business at the point of design. Multi-modal prompt interfaces (mainly text and audio) are fast changing that paradigm and expanding the UI/UX potential and scope. In the coming year, we’ll see B2B organizations increasingly leverage NLIs and context to “ask” specific questions about available data, freeing them from traditional constraints and offering a faster path to insight for complex queries and interactions.

A good example of this is the contact center and its system support chatbots as a B2C interface. Their user experience will continue to be transformed by GenAI-enabled NLIs and multi-modal assistants in 2024, but the natural next step is to enrich GenAI with additional context, enabling it to augment B2B dependencies (like services) and back-end systems interactions, like application programming interfaces (APIs) to further boost accuracy and reach, minimize response time, and enhance user satisfaction.

Meanwhile, as the relevance of in-context faster paths to insights increases and the associated GenAI-enabled data flows become mainstream, large action models (LAMs) will start to be considered as a potential future step to automate some of enterprise workflows, most likely starting in the realm of IT, security, and auditing and compliance.

Additional B2B considerations with GenAI

As Centoni said, GenAI will be increasingly leveraged in B2B interactions with users demanding more contextualized, personalized, and integrated solutions. “GenAI will offer APIs, interfaces, and services to access, analyze, and visualize data and insights, becoming pervasive across areas such as project management, software quality and testing, compliance assessments, and recruitment efforts. As a result, observability for AI will grow.”

As the use of GenAI grows exponentially, this will simultaneously amplify the need for comprehensive and deeper observability. AI revolutionizes the way we analyze and process data, and observability too is fast evolving with it to offer an even more intelligent and automated approach from monitoring and triage across real-time dependencies up to troubleshooting of complex systems and the deployment of automated actions and responses.

Observability over modern applications and systems, including those that are powered by or leverage AI capabilities, will be increasingly augmented by GenAI for root-cause analysis, predictive analysis and, for example, to drill down on multi-cloud resource allocation and costs, as well as the performance and security of digital experiences.

Driven by growing demand for integrated solutions they can adapt to their specific needs, B2B providers are turning to GenAI to power services that boost productivity and accomplish tasks more efficiently than their current systems and implementations. Among these is the ability to access and analyze vast volumes of data to derive insights that can be used to develop new products, optimize dependencies, as well as design and refine the digital experiences supported by applications.

Starting in 2024, GenAI will be an integral part of business context, therefore observability will naturally need to extend to it, making the full stack observability scope a bit wider. Besides costs, GenAI-enabled B2B interactions will be particularly sensitive to both latency and jitter. This fact alone will drive significant growth in demand over the coming year for end-to-end observability – including the internet, as well as critical networks, empowering these B2B interactions to keep AI-powered applications running at peak performance.

On the other hand, as businesses recognize potential pitfalls and seek increased control and flexibility over their AI models training, data retention, and expendability processes, the demand for either bespoke or both domain-specific GenAI large language models (LLMs) will also increase significantly in 2024. As a result, organizations will pick up the pace of adapting GenAI LLM models to their specific requirements and contexts by leveraging private data and introducing up-to-date information via retrieval augmented generation (RAG), fine-tuning parameters, and scaling models appropriately.

Moving fast towards contextual understanding and reasoning

GenAI has already evolved from reliance on a single data modality to include training on text, images, video, audio, and other inputs simultaneously. Just as humans learn by taking in multiple types of data to create more complete understanding, the growing ability of GenAI to consume multiple modalities is another significant step towards greater contextual understanding.

These multi-modal capabilities are still in the early stages, although they are already being considered for business interactions. Multi-modality is also key to the future of LAMs – sometimes called AI agents – as they bring complex reasoning and provide multi-hop thinking and the ability to generate actionable outputs.

True multi-modality not only improves overall accuracy, but it also exponentially expands the possible use cases, including for B2B applications. Consider a customer sentiment model tied to a forecast trending application that can capture and interpret audio, text, and video for complete insight that includes context such as tone of voice and body language, instead of simply transcribing the audio. Recent advances allow RAG to handle both text and images. In a multi-modal setup, images can be retrieved from a vector database and passed through a large multimodal model (LMM) for generation. The RAG method thus enhances the efficiency of tasks as it can be fine-tuned, and its knowledge can be updated easily without requiring entire model retraining.

With RAG in the picture, consider now a model that identifies and analyzes commonalities and patterns in job interviews data by consuming resumes, job requisitions across the industry (from peers and competitors), online activities (from social media up to posted lectures in video) but then being augmented by also consuming the candidate-recruiter emails interactions as well the actual interview video calls.   That example shows how both RAG and responsible AI will be in high demand during 2024.

In summary, in the year ahead we will begin to see a more robust emergence of specialized, domain-specific AI models. There will be a shift towards smaller, specialized LLMs that offer higher levels of accuracy, relevancy, precision, and efficiency for individual organizations and needs, along with niche domain understanding.

RAG and specialized LLMs and LMMs complement each other. RAG ensures accuracy and context, while smaller LLMs optimize efficiency and domain-specific performance. Still in the year ahead, LAM development and relevance will grow, focusing on the automation of user workflows while aiming to cover the “actions” aspect missing from LLMs.

The next frontier of GenAI will see evolutionary change and totally new aspects in B2B solutions.  Reshaping business processes, user experience, observability, security, and automated actions, this new AI-driven era is shaping itself up as we speak and 2024 will be an inflection point in that process.   Exciting times!

Source: cisco.com

Continue reading

Increase Market Share Quickly with Cisco Specializations and GTM Tools

Your Managed Services opportunity with Cisco is exploding, with a total addressable market of $161 Billion by 2027. Within that, the SMB segment is growing 1.6 times faster than other segments. However, you may not realize how quickly and easily we can help you capture more of this market. Here’s how the Cisco Partner Program and incentives help:

• Differentiate yourself from your competition by earning more Cisco Powered Services Specializations and pave your way to Gold-level advantages.
• Use your market development funds for business development, demand generation, funding headcount, and internal training.
• Leverage ready-made marketing kits and templates and get access to experts to help you grow your business.
• Earn greater pricing incentives and discounts that help you reach your revenue goals faster. Cisco continuously updates and adds marketing resources, so you can maximize your earning potential as your sales grow.

Growth drivers

Customers want speed and flexibility when achieving their targeted business outcomes, and with managed services as part of your value proposition, you can deliver both. Organizations across all industries face a common set of business challenges: lean IT staffs in complex IT environments, IT skills gaps, and a lack of resources needed to manage, optimize, and automate their networks. On top of that, security issues can arise when policies do not encompass both on-prem and cloud environments. Often, traditional on-prem consumption models do not align with cloud solutions and marketplaces. As a managed service provider, you can close these gaps, address your customer’s business challenges, and help them achieve their goals.

Greater Together

By working together closely and partnering to create unrivaled value for customers around their needs, we can capture more managed services opportunities. Building on Cisco’s industry-leading platforms and technologies like Cisco Powered Services, you can create and deliver your own innovations that help customers accomplish their specific business outcomes. We can achieve more innovation faster than ever across platforms, networking, security, collaboration, and optimized applications. Together we have a unique advantage, the ability to serve customers of every size and industry segment solving their biggest technology challenges.

Create marketplace differentiation with Cisco

With Cisco Powered Services specializations, you can elevate your organization above your competition. These recognized technology credentials help you build greater demand for your services and win new customers. They showcase your ability to build, provision, manage, and support managed services using industry-leading Cisco technologies that deliver the business outcomes your customers need. Grow your organization’s skills efficiently by building repeatable and scalable managed services. In addition, Cisco Powered Services give you:

• Proven blueprints: Validate your competency in areas including Power Hybrid Work, Secure the Enterprise, Transform Infrastructure, and Reimagine Applications.
• Quicker path to advancement: Meet specialization training requirements with up to 40 percent cost reductions. Role-share using CCIEs and CCNPs helps you meet Provider-level requirements faster.
• Showcase capabilities: Once you achieve these specializations, you gain access to industry-recognized logos and exclusive go-to-market resources to build successful solutions and services for Managed SD-WAN, Meraki, SASE, FSO, and many more.
• Sales acceleration: Expand your Cisco Powered Services portfolio and earn greater rewards within the Provider role, including exclusive upfront discounts and market development funds.

New resources available

You don’t need a large marketing team to reach current and potential customers. Cisco provides a variety of marketing materials and creative assets to help you highlight your unique capabilities. These ready-made materials will help you build targeted campaigns quicker and reach your customers faster. Newly added assets within Marketing Velocity Learning include a video and a companion guide with step-by-step guidance to help you grow your managed services business more quickly.

Source: cisco.com

Continue reading

Transforming the Economics of Superfast Broadband with Cisco Routed PON

Today marks the launch of Cisco Routed PON, a truly disruptive solution that enables agile, differentiated broadband services through a software-defined broadband network. It’s part of our ongoing mission to transform the economics of networking for the benefit of communication service providers and communities worldwide. Routed PON drastically improves the cost of broadband deployment in rural, suburban, and urban areas, to help bring reliable, superfast connectivity to both residential and business customers.

In July 2016, the United Nations declared the internet a basic human right. Recognizing the importance of high-speed internet access in improving people’s lives and growing the digital economy, governments worldwide are investing heavily in broadband builds. The $42.45 billion Broadband Equity, Access and Deployment (BEAD) fund in the U.S. is just one example. Its goal is to ensure that every American can reap the benefits of high-speed internet access.

Communication service providers have welcomed initiatives like this because of the high cost of building new infrastructure and declining ARPU. Yet, bridging the digital divide and meeting both consumers’ and businesses’ growing bandwidth demands requires more than just public funding. It calls for a complete rethink of how broadband networks are built. That’s why we developed Cisco Routed PON—to help communication service providers and municipalities to deploy broadband networks in a better and simpler way.

Why can’t we just keep doing things the old way?

In today’s hyperconnected world—where hybrid work is the new normal, artificial intelligence (AI) innovation is accelerating, and new bandwidth-hungry applications continue to emerge—rolling out and managing profitable, high-performance broadband access networks is difficult and complex. And, it’s going to become even more difficult as bandwidth growth continues—from 10G, 25G and to 100G, and beyond.

The challenges are about connectivity and the services that broadband solutions enable. Our customers want to deliver services in an agile and cost-effective way, but they are increasingly constrained by traditional broadband architectures with large, dedicated optical line terminal (OLT) chassis that require dedicated space and power. Additionally, these chassis are separate from the access router, so they require separate layer management that can be costly. Traditional broadband architectures also offer less flexibility because they come as an integrated solution from a single vendor.

What sets Routed PON apart?

Unlike traditional chassis-based solutions, Cisco Routed PON enables communication service providers to put a small form factor PON pluggable in a router and converge FTTx access with their end-to-end network. It has three building blocks, all underpinned by a software-defined end-to-end architecture based on the IOS XR operating system.

1. Cisco Routed PON OLT Pluggable – A pluggable 10G OLT that replaces traditional stand-alone OLT chassis and connects the PON network to Layer 3 routing and services through a small form factor pluggable (SFP+) port on the router. The SFP is a cost optimized and power efficient way to deliver 10G symmetrical upstream and downstream data. Open and compliant with the OMCI standard, the OLT pluggable is compatible with any optical network terminal (ONT), helping customers avoid vendor lock-in.

2. Cisco Routed PON Controller – A stateless management controller that runs as a container on the router, configuring and monitoring end points in the PON network. It applies configurations to OLT and ONT devices and collects state information, statistics, alarms and logs from devices, and reports the information to higher layer applications.

3. Cisco Routed PON Manager – A WebUI application that acts as a graphical user interface for the PON network. The PON Manager facilitates device and service provisioning, and enables the management of users, databases, and alarms.

Flexibility, service differentiation, and investment protection

The capabilities of Cisco Routed PON lead to multiple positive business outcomes. The innovative architecture offers customers more flexibility because it’s interoperable with many ONTs. So, communication service providers can decide for themselves which ONT best meets their requirements and cost targets, upgrade to new features as needed, and not be tied to a single vendor’s roadmap.

Cisco Routed PON also makes their end-to-end architecture much simpler to manage, which in turn lowers OpEx. Instead of having separate systems and processes for PON, communication service providers can converge it with other access technologies on IP routers like active Ethernet – all unified by a common operating system, IOS XR, and automation.

At a time when reducing churn and growing revenue is critical, Cisco Routed PON helps customers stand out from competition and monetize their network investments in a smarter way. Thanks to its end-to-end architecture—with powerful IOS XR capabilities, such as segment routing and EVPN—it improves subscriber experience.

These capabilities also enable communication service providers to offer differentiated services for business and residential customers, such as ultra-low latency connectivity or additional security features. Crucially, Cisco Routed PON protects communication service providers’ investments as they build the Internet for the Future – ready for 10G, 25G, 50G, 100G, and beyond. When new higher-bandwidth Cisco pluggable OLTs become available, customers can simply plug them into their router on a port-by-port basis.

I’m proud of how Cisco keeps pushing the boundaries of routing and optical innovation to enable our customers to create more efficient and profitable network architectures. I see Cisco Routed PON as a further demonstration of how we are transforming and simplifying networking like we have done previously with Routed Optical Networking. I look forward to working with our customers as they leverage this new solution to accelerate the deployment of high-speed broadband in cities and rural communities around the world to bridge the digital divide.

Source: cisco.com

Continue reading

Complexity drives more than security risk. Secure Access can help with that too.

Modern networks are complex, often involving hybrid work models and a mix of first- and third-party applications and infrastructure. In response, organizations have adopted security service edge (SSE) solutions, such as Cisco Secure Access, to protect users regardless of where they are located or what they are accessing.

This reliance on third-party infrastructure doesn’t only drive security risk, it also increases the likelihood of performance outages and disruptions. Oftentimes, these disruptions are the result of service outages and slowdowns in third-party infrastructure, which make it difficult for IT teams to detect and remediate the problem. Experience Insights, a component of Cisco Secure Access, allows administrators to maintain a positive end user experience by detecting and responding to connectivity problems as soon as they occur, all from the same dashboard they use to manage security capabilities and access policies.

Cisco Secure Access is our flagship Security Service Edge (SSE) product, which provides all the tools you need to enable remote and branch users to securely connect to the Internet, software-as-a-service (SaaS) applications, and private apps. While much of these capabilities are focused on security, it is also important to monitor network performance, ensuring a strong digital experience with minimal outages and connectivity problems.

Experience Insights is powered by Cisco ThousandEyes technology, which enables rapid root cause identification and resolution from device to application and every network in between. According to the Forrester Total Economic Impact report for ThousandEyes, the technology’s end user monitoring capabilities resulted in a 50% productivity boost for IT and network operations and a 50-80% reduction in the time it took to identify intermittent or degraded performance, whether it was global or localized.

Provide a strong user experience and troubleshoot performance issues

Performance problems can originate in many sources, including:

• Devices, such as laptops
• Wi-Fi networks
• Internet service providers
• Corporate resources, such as VPNs or security tools
• Applications

For many organizations, it can be a challenge to simply detect these problems, let alone mitigate them. This results in ongoing, undetected connectivity problems, causing a loss of productivity and end user frustration.

Experience insights is a digital experience monitoring (DEM) solution that provides a comprehensive view of endpoint, application, and network performance, making it easier to identify and troubleshoot performance problems as they arise. Ultimately, these capabilities result in a reduced mean time to resolution (MTTR) for performance incidents.

This includes a variety of metrics related to:

• Device – detailed user and system information, including CPU and memory utilization and Wi-Fi signal strength.
• Internet and network paths – key metrics regarding the network path from the device to the Secure Access gateway, including latency, packet loss, and jitter.
• Collaboration applications – automatic performance tests for key collaboration tools, such as Cisco Webex, Microsoft Teams, and Zoom.
• SaaS applications – insight into the most popular SaaS applications, including the overall health status and details such as HTTP response times and status codes.

Single-dashboard, single-agent

One of the primary benefits of Cisco Secure Access is a single-dashboard experience. The solution combines 12 different technologies and provides unified management, configuration, and troubleshooting capabilities. Experience insights is a core component of Secure Access, which means all its data and alerts are provided in the same management portal as the rest of Secure Access’ capabilities. This prevents administrators from being forced to juggle numerous technologies and management portals, streamlining operations and reducing frustration.

In addition, all Secure Access capabilities, including Experience Insights, rely on the Cisco Secure Client, a single agent on the end-user’s machine. This simplifies administration and deployment while optimizing workflows.

All at no extra cost

We recognize how important it is to be able to identify and troubleshoot connectivity problems in an SSE solution, which is why we are including it in the base Secure Access license at no extra cost. In addition, customers can purchase a full license for Cisco ThousandEyes for more advanced capabilities and broader coverage across their network.

Experience insights is just one capability of an incredible solution

While experience insights is our latest announcement, Secure Access includes many capabilities, including a secure web gateway, cloud access security broker with data loss prevention, firewall-as-a-service, and zero trust network access. It is an all-encompassing solution for securely connecting remote and branch users to the Internet, SaaS applications, and private apps.

Source: cisco.com

Continue reading

Simplify DNS Policy Management With New Umbrella Tagging APIs

This blog post will show you how you can automate DNS policy management with Tags.

To streamline DNS policy management for roaming computers, categorize them using tags. By assigning a standard tag to a collection of roaming computers, they can be collectively addressed as a single entity during policy configuration. This approach is recommended for deployments with many roaming computers, ranging from hundreds to thousands, as it significantly simplifies and speeds up policy creation.

High-level workflow description

1. Add API Key

2. Generate OAuth 2.0 access token

3. Create tag

4. Get the list of roaming computers and identify related ‘originId’

5. Add tag to devices.

The Umbrella API provides a standard REST interface and supports the OAuth 2.0 client credentials flow. While creating the API Key, you can set the related Scope and Expire Date.

To start working with tagging, you need to create an API key with the Deployment read/write scope.

After generating the API Client and API secret, you can use it for related API calls.

First, we need to generate an OAuth 2.0 access token.

You can do this with the following Python script:

import requests

import os

import json

import base64

api_client = os.getenv('API_CLIENT')

api_secret = os.getenv('API_SECRET')

def generateToken():

   url = "https://api.umbrella.com/auth/v2/token"

   usrAPIClientSecret = api_client + ":" + api_secret

   basicUmbrella = base64.b64encode(usrAPIClientSecret.encode()).decode()

   HTTP_Request_header = {"Authorization": "Basic %s" % basicUmbrella,

"Content-Type": "application/json;"}

   payload = json.dumps({

   "grant_type": "client_credentials"

   })

   response = requests.request("GET", url, headers=HTTP_Request_header, data=payload)

   print(response.text)

   access_token = response.json()['access_token']

   print(accessToken)

   return accessToken

if __name__ == "__main__":

   accessToken = generateToken()

Expected output:

{“token_type”:”bearer”,”access_token”:”cmVwb3J0cy51dGlsaXRpZXM6cmVhZCBsImtpZCI6IjcyNmI5MGUzLWQ1MjYtNGMzZS1iN2QzLTllYjA5NWU2ZWRlOSIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ1bWJyZWxsYS1hdXRoei9hdXRoc3ZjIiwic…OiJhZG1pbi5wYXNzd29yZHJlc2V0OndyaXRlIGFkbWluLnJvbGVzOnJlYWQgYWRtaW4udXNlcnM6d3JpdGUgYWRtaW4udXNlcnM6cmVhZCByZXBvcnRzLmdyYW51bGFyZXZlbnRzOnJlYWQgyZXBvcnRzLmFnZ3Jl…MzlL”,”expires_in”:3600}

We will use the OAuth 2.0 access token retrieved in the previous step for the following API requests.

Let’s create tag with the name “Windows 10”

def addTag(tagName):

   url = "https://api.umbrella.com/deployments/v2/tags"

   payload = json.dumps({

   "name": tagName

   })

   headers = {

   'Accept': 'application/json',

   'Content-Type': 'application/json',

   'Authorization': 'Bearer ' + accessToken

   }

   response = requests.request("POST", url, headers=headers, data=payload)

   print(response.text)

addTag("Windows 10", accesToken)

Expected output:

{

   "id": 90289,

   "organizationId": 7944991,

   "name": "Windows 10",

   "originsModifiedAt": "",

   "createdAt": "2024-03-08T21:51:05Z",

   "modifiedAt": "2024-03-08T21:51:05Z"

}

Umbrella dashboard, List of roaming computers without tags 

Each tag has its unique ID, so we should note these numbers for use in the following query.

The following function helps us Get the List of roaming computers:

def getListRoamingComputers(accesToken):

url = "https://api.umbrella.com/deployments/v2/roamingcomputers"

payload = {}

headers = {

'Accept': 'application/json',

'Content-Type': 'application/json',

'Authorization': 'Bearer ' + accessToken

}

response = requests.request("GET", url, headers=headers, data=payload)

print(response.text)

Expected output:

[

{

“originId”: 621783439,

“deviceId”: “010172DCA0204CDD”,

“type”: “anyconnect”,

“status”: “Off”,

“lastSyncStatus”: “Encrypted”,

“lastSync”: “2024-02-26T15:50:55.000Z”,

“appliedBundle”: 13338557,

“version”: “5.0.2075”,

“osVersion”: “Microsoft Windows NT 10.0.18362.0”,

“osVersionName”: “Windows 10”,

“name”: “CLT1”,

“hasIpBlocking”: false

},

{

“originId”: 623192385,

“deviceId”: “0101920E8BE1F3AD”,

“type”: “anyconnect”,

“status”: “Off”,

“lastSyncStatus”: “Encrypted”,

“lastSync”: “2024-03-07T15:20:39.000Z”,

“version”: “5.1.1”,

“osVersion”: “Microsoft Windows NT 10.0.19045.0”,

“osVersionName”: “Windows 10”,

“name”: “DESKTOP-84BV9V6”,

“hasIpBlocking”: false,

“appliedBundle”: null

}

]

Users can iterate through the JSON list items and filter them by osVersionName, name, deviceId, etc., and record the related originId in the list that we will use to apply the related tag.

With related tag ID and roaming computers originId list, we can finally add a tag to devices, using the following function:

def addTagToDevices(tagId, deviceList, accesToken):

   url = "https://api.umbrella.com/deployments/v2/tags/{}/devices".format(tagId)

   payload = json.dumps({

   "addOrigins":

   })

   headers = {

   'Accept': 'application/json',

   'Content-Type': 'application/json',

   'Authorization': 'Bearer ' + accessToken

   }

   response = requests.request("POST", url, headers=headers, data=payload)

   print(response.text)

addTagToDevices(tagId, [ 621783439, 623192385 ], accesToken)

Expected output:

{

   "tagId": 90289,

   "addOrigins": [

       621783439,

       623192385

   ],

   "removeOrigins": []

}

After adding tags, let’s check the dashboard

Umbrella dashboard, list of roaming computers after we add tags using API

A related tag is available to select when creating a new DNS policy.

Notes:

• Each roaming computer can be configured with multiple tags
• A tag cannot be applied to a roaming computer at the time of roaming client installation.
• You cannot delete a tag. Instead, remove a tag from a roaming computer.
• Tags can be up to 40 characters long.
• You can add up to 500 devices to a tag (per request).

Source: cisco.com

Continue reading

Enterprise security: Making hot desking secure and accessible on a global scale

Making hot desking secure and accessible on a global scale

The first rule of interviewing a CISO at the Australian division of Laing O’Rourke is this: You can’t dig deep into use cases or clients.

And this makes perfect sense, because when you’re responsible for securing critical infrastructure for an AUD $6 billion global construction and engineering firm, with projects ranging from transport to defense, even scant details can lead to cyberattacks.

Crafting security for joint ventures, and a very distributed network

Despite the high stakes, Laing O’Rourke’s security challenges are distinctly universal – especially post-2020, where the world saw a massive boost in the sophistication and number of DDoS, VPN, and other web-related attacks. And like peer companies, the company needed to set a firm foundation to block internet-based attacks on distributed infrastructure.

But here’s where things are different. Thanks to business requirements, Laing O’Rourke’s network environment is complex. The company often works on what James Fields, Group Deputy CISO for Laing O’Rourke, calls “mega projects,” joint ventures (JVs) with other companies that are – to put it plainly – competitors.

“Being a construction business, physical security is a real challenge out on project sites. Often, for some of our larger-scale projects, we find ourselves in collaborative partnerships with our rivals,'” Fields commented. “At one moment, they’re our partners in a project, and in the next, they could be our competitors for fresh contracts. By engaging in these joint ventures, we’re effectively inviting our competition into our network.”

So, it is imperative that Laing O’Rourke delivers secure network access to staff, clients and JV partners in a hot-desking environment AND satisfy clients demanding adherence to different frameworks and certification. The company must also prevent threat actors — as well as anyone who could benefit competitively, financially, or in any other way – – from accessing or exfiltrating information from the network.

And they did it this by adding two different Cisco solutions to the stack: Cisco Secure Firewall and Cisco Identity Services Engine (ISE).

Streamlining security in the face of unnecessary, time-consuming tasks

Getting backing from leadership to invest in the best traffic and threat management tools can seem impossible for many teams. Thankfully, Fields has enthusiastic backing from the board.

“My team and I are truly passionate about cybersecurity, and we have the board’s support not just for compliance’s sake (not just performing a tick box exercise), but also for establishing the best practices and instilling a cyber-centric mindset throughout the business.”

But that doesn’t mean it’s been easy building that framework.

As a snapshot, before Cisco ISE, Fields says, “Our joint venture partners and clients had a potential risk of unintentionally (or deliberately) accessing our corporate network due to shared office space. This prevented business agility, necessitating fixed desks. Consequently, IT had to frequently reconfigure ports on project sites as staff assignments changed based on project phases or collaboration needs.”

Developing those pre-designed workspaces based on whether the user was from Laing O’Rourke, or a JV took precious time and energy that could have been used elsewhere. The Laing O’Rourke team needed intelligent automation to streamline the process.

Laing O’Rourke already had multiple firewalls in place, but it needed a Cisco Secure Firewall to help the company control network access, prevent intrusions and exfiltration, filter URLs, and conduct deep packet inspection. Meanwhile, Cisco ISE would help wrangle all those joint venture devices.

Since the Laing O’Rourke team was already using Cisco switches and was familiar with how Cisco solutions work, it made the choice to add more Cisco to the stack all that much easier.

“We, like most enterprises, use Cisco switches at our core and at the edge. So it made sense to talk to Cisco about how they could help us protect our network.”

Using Cisco Secure Firewall to streamline access and safeguard the network

Laing O’Rourke needed physical security that could accommodate hybrid staff members and contractors through hot-desking (multiple workers using a single physical workstation) and achieving seamless connectivity and network management was crucial.

To address this, Laing O’Rourke turned to Cisco Secure Firewall, allowing the company to achieve and maintain the confidentiality, integrity, and availability — the coveted CIA triad — of data. By effectively controlling network access and preventing unauthorized data changes, Cisco Secure Firewall played a pivotal role in safeguarding Laing O’Rourke’s network infrastructure.

Key stakeholders, including Fields, emphasized the importance of Cisco’s wide-ranging threat intelligence. These updates ensured that the firewalls remain current with the latest threat and vulnerability signatures, reinforcing the strength and effectiveness of Laing O’Rourke’s security measures.

By partnering with Cisco, Laing O’Rourke has enhanced its ability to identify and mitigate a wide range of threats by using advanced features of Cisco Secure Firewall, including intrusion prevention, URL filtering, and deep packet inspection capabilities.

The team also used Firewall Management Center (FMC) dashboards to manage firewalls using a single pane of glass, which was ultra-convenient when they needed insights on intrusion events, potential threats, and geolocation. Thanks to the proactive security measures implemented through Cisco’s Secure Firewall solution, Laing O’Rourke has experienced a considerable decrease in web-related vulnerability attacks.

Once the Cisco Firewall was in place for Laing O’Rourke, it was ready to do what it’s known for: helping prevent DDOS, malware, VPN, and many other attacks.

“When it comes to firewalling, we take a dual vendor approach. Around five years ago we went out to market to replace our [competitor] firewalls. Given our positive experience with Cisco’s networking equipment, Cisco FTD’s were on our shopping list,” Fields said. “We still take a dual vendor approach and Cisco is still helping secure our edge.”

Adding a zero-trust framework with ISE for identity

Cisco Secure Firewall has proven itself a formidable force to manage traffic and block threats, with automatic updates and frequent attack intel as a sweetener. But ISE has been a revelation for Laing O’Rourke, giving the team a firm, confident hand when managing IP phones, tablets, and laptops – all used to conduct business.

“ISE was a real game changer for us. It has transformed the way we operate on project sites, negating the need for predefined workspaces based on if the user was a Laing O’Rourke staff member, JV partner, client, or guest, while simultaneously increasing protection of our corporate network”.

With ISE, ports can be configured to dynamically reconfigure a port based on security posture and device ownership, permitting access to the right network segments at the right time. This includes access to the company’s corporate wireless (and wired) networks, guest Wi-Fi, and BYOD – including operational technology (OT) networks.

“While ISE takes a bit of effort to set up right, once it up and running, it’s a very stable platform, easy to configure and integrates well with other security platforms like Firewall Threat Defense (FTD) and mobile device management (MDM) solutions,” Fields said.

If he had to name three things that make Cisco ISE a solid solution for Laing O’Rourke, Fields spoke of dynamic profiling that detects device type and applies the right policy, the MDM integration and compliance check that makes sure devices are up-to-date, and anomalous behaviour detection.

According to Fields, many years ago, a pen-tester discovered a technical gap that absolutely needed to be closed. So now when an IP phone starts to communicate as Windows traffic, for instance, ISE catches it with behavioural detection.

“With the lack of physical security on our project sites, along with actively inviting our competitors onto our network, seems like a disaster waiting to happen,” he said. “Cisco ISE has proven to be an invaluable solution for segregating access between our employees and our clients and partners, protecting us from threat actors and rogue network devices.”

Cisco Secure Firewall and ISE save money and time

Many network and security pros understand how painful it can be to secure a network – especially one that’s distributed. But with a Cisco Secure Firewall in play and ISE to manage BYODs, Laing O’Rourke’s networking team has already seen a difference.

To start, those Monday morning calls about desk moves and disrupted network access are no more. Laing O’Rourke is saving minutes, hours, and days, while simultaneously bolstering network security:  something that notoriously…takes time.

The user experience has improved, and the team has more time to focus on threats. Though Laing O’Rourke uses a dual vendor approach, Cisco is the go-to for this critical, global company, with ROI already evident once the company’s other firewalls were replaced with Cisco Firewalls.

“The [competitor] firewalls were significantly more expensive and offered no additional functionality. The replacement [Cisco] actually saved us money,” Fields said. “What I can say is one of the few things that doesn’t keep me up at night is our network uptime or network-based security — thanks to Cisco Firewall Threat Defense (FTD) and Cisco ISE.”

Source: cisco.com

Continue reading