Cisco to Secure the IoE (Internet of Everything) by Building Security across Their Products

Cisco says it is adding more sensors to network devices to increase visibility, more control points to strengthen enforcement, and pervasive threat protection to reduce time-to-detection and time-to-response. The plan includes:

  • Endpoints: Customers using the Cisco AnyConnect 4.1 VPN client now can deploy threat protection to VPN-enabled endpoints to guard against advanced malware
  • Campus and Branch: FirePOWER Services solutions for Cisco Integrated Services Routers (ISR) provide a centrally managed intrusion prevention system and advanced malware protection at the branch office, where dedicated security appliances may not be feasible
  • Network as a Sensor and Enforcer: Cisco says it has embedded multiple security technologies into the network infrastructure to provide threat visibility to identify users and devices associated with anomalies, threats and misuse of networks and applications. New capabilities include broader integration between Cisco’s Identity Services Engine (ISE) and Lancope StealthWatch to allow enterprises to identify threat vectors based on ISE’s context of who, what, where, when and how users and devices are connected and access network resources.

StealthWatch can also now block suspicious network devices by initiating segmentation changes in response to identified malicious activity. ISE can then modify access policies for Cisco routers, switches, and wireless LAN controllers embedded with Cisco’s TrustSec role-based technology.

Cisco has also added NetFlow monitoring to its UCS servers to give customers greater visibility into network traffic flow patterns and threat intelligence information in the data center.

Other aspects of the plan include Hosted Identity Services, which is designed to provide a cloud-delivered service for the Cisco Identity Services Engine security policy platform. The new hosted service provides role-based, context-aware identity enforcement of users and devices permitted on the network, Cisco says.

The strategy also includes a pxGrid ecosystem of 11 new partners that plan to develop products for cloud security and network/application performance management for Cisco’s pxGrid security context information exchange fabric. The fabric enables security platforms to share information to better detect and mitigate threats.

The company is also investing heavily in integrating its ASA firewalls with its Application Centric Infrastructure SDN.

More information can be found at http://www.networkworld.com/article/2932547/security0/cisco-plans-to-embed-security-everywhere.html


Cisco Enhances SDN Strategy and Offerings Across the Entire Nexus Portfolio with New VTS Automation Solution

Interest in Software Defined Networking (SDN) continues to grow because of its ability to make networks more programmable, flexible and agile. This is accomplished by accelerating application deployment and management, simplifying and automating network operations, and creating a more responsive IT model.

Cisco is extending its leadership in SDN and Data Center Automation solutions with the announcement today of Cisco Virtual Topology System (VTS), which improves IT automation and optimizes cloud networks across the entire Nexus switching portfolio. Cisco VTS focuses on the management and automation of VXLAN-based overlay networks, a critical foundation for both enterprise private clouds and service providers. The announcement of the VTS overlay management system follows Cisco’s announcement earlier this year supporting the EVPN VXLAN standard, which underlies the VTS solution.

Cisco VTS extends the Cisco SDN strategy and portfolio, which includes Cisco Application Centric Infrastructure (ACI) as well as Cisco’s programmable NX-OS platforms, to a broader market and to additional use cases. These include our massive installed base of Nexus 2000-7000 products, and customers whose primary SDN challenge is the automation, management and ongoing optimization of their virtual overlay infrastructure. With support for the EVPN VXLAN standard, VTS furthers Cisco’s commitment to open SDN standards and increases interoperability in heterogeneous switching environments, with third-party controllers, and with cloud automation tools that sit on top of the open northbound APIs of the VTS controller.


Cisco is committed to delivering this degree of interoperability and integration with multi-vendor ecosystems for all of its SDN architectures, as we have previously exhibited with ACI, with the contributions we have made on Group Based Policies (GBP) to open source communities, and with our own Open SDN Controller based on OpenDaylight. With VTS, we now offer the broadest range of SDN approaches across the broadest range of platforms and the broadest ecosystem of partners in the industry.

Programmability | Automation | Policy

Programmable Networks: With Nexus and NX-OS programmability across the entire portfolio, we deliver value to customers deploying a DevOps model for automating network configuration and management. These customers are able to leverage the same toolsets (such as existing Linux utilities) to manage their compute and networks in a consistent operational model. We continue to modernize the Nexus operating system and enhance the existing NX-APIs by adding a secure SDK with native Linux packaging support, additional OpenFlow support, and an object-driven programming model. This enables speed and efficiency when programming the network while also securely deploying third-party applications for enhanced monitoring and visibility, such as Splunk, Nagios and tcollector, natively on the network.

Programmable Fabrics: Overlay networks provide the foundation for scalable multi-tenant cloud networks. VXLAN, developed by Cisco along with other virtualization platform vendors, has emerged as the most widely adopted multi-vendor overlay technology. To advance this technology further, a scalable and standards-based control plane mechanism such as BGP EVPN is required. Using BGP EVPN as the control-plane protocol for VXLAN optimizes forwarding and eliminates the need for inefficient flood-and-learn approaches while improving scale. It also facilitates large-scale deployments of overlay networks by removing complexity, fosters higher interoperability through open-standard control plane solutions, and gives access to a wider range of cloud management platforms.

Application Centric Policy: Cisco will be able to offer the most complete solution on the Nexus 9000 series, whether it is ACI policy-based automation or BGP EVPN-based overlay management. Customers will now have a choice between running an EVPN VXLAN controller in a traditional Nexus 9000 “standalone” mode, or leveraging ACI and the APIC controller with the full ACI application policy model and integrated overlay and physical network visibility, telemetry and health scores. VTS will support EVPN VXLAN technology across a range of topologies (spine-leaf, three-tier aggregation, full mesh) with the full Nexus portfolio, as well as interoperate with a wide range of Top of Rack (ToR) switches and WAN equipment.

VTS Design and Architecture

The Cisco Virtual Topology System (VTS) is a cloud/overlay SDN solution that provides Layer 2 and Layer 3 connectivity to tenant, router and service VMs. Cisco VTS is designed to address the multi-tenant connectivity requirements of virtualized hosts as well as bare metal servers. VTS comprises the Virtual Topology Controller (VTC), the centralized management and control system, and the Virtual Topology Forwarder (VTF), the host-side virtual networking component and VXLAN tunnel endpoint. Together they implement the controller and forwarding functionality in an SDN context.

The Cisco VTS solution is designed to be hypervisor agnostic. Cisco VTS supports both the VMware ESXi hypervisor and KVM on Red Hat Linux. VTS will support integration with OpenStack and VMware vCenter for integration with other data center and cloud infrastructure automation. VTS also integrates with Cisco Prime Data Center Network Manager (DCNM) for underlay management. The Cisco VTC, the VTS controller component, will provide a REST-based northbound API for integration into other systems.

Cisco VTS will be available in August 2015.

Source of the blog post: http://blogs.cisco.com/datacenter/vts

Benefits of Cisco ACI (SDN) architecture

Cisco ACI, Cisco’s software-defined networking (SDN) architecture, enhances business agility, reduces TCO, automates IT tasks, and accelerates data center application deployments.

Why Today’s Solutions Are Insufficient:

Today’s solutions lack an application-centric approach. The use of virtual overlays on top of physical layers has increased complexity by adding policies, services, and devices.

Traditional SDN solutions are network centric and based on constructs that replicate networking functions that already exist.

ACI Key Benefits:

Centralized Policy-Defined Automation Management

  • Holistic application-based solution that delivers flexibility and automation for agile IT
  • Automatic fabric deployment and configuration with single point of management
  • Automation of repetitive tasks, reducing configuration errors

Real-Time Visibility and Application Health Score

  • Centralized real-time health monitoring of physical and virtual networks
  • Instant visibility into application performance combined with intelligent placement decisions
  • Faster troubleshooting for day-2 operation

Open and Comprehensive End-to-End Security

  • Open APIs, open standards, and open source elements that enable software flexibility for DevOps teams, and firewall and application delivery controller (ADC) ecosystem partner integration
  • Automatic capture of all configuration changes integrated with existing audit and compliance tracking solutions
  • Detailed role-based access control (RBAC) with fine-grained fabric segmentation

Application Agility

  • Management of application lifecycle from development, to deployment, to decommissioning, in minutes
  • Automatic application deployment and faster provisioning based on predefined profiles
  • Continuous and rapid delivery of virtualized and distributed applications

ACI Technology Benefits

The main purpose of a data center fabric is to move traffic from physical and virtualized servers, bring it in the best possible way to its destination, and while doing so apply meaningful services such as:

  • Traffic optimization that improves application performance
  • Telemetry services that go beyond classic port counters
  • Overall health monitoring for what constitutes an application
  • Applying security rules embedded with forwarding

The main benefits of using a Cisco ACI fabric are the following:

  • Single point of provisioning, either via GUI or via REST API
  • Connectivity for physical and virtual workloads with complete visibility on virtual machine traffic
  • Hypervisors compatibility and integration without the need to add software to the hypervisor
  • Ease (and speed) of deployment
  • Simplicity of automation
  • Multitenancy (network slicing)
  • Capability to create portable configuration templates
  • Hardware-based security
  • Elimination of flooding from the fabric
  • Ease of mapping application architectures into the networking configuration
  • Capability to insert and automate firewall, load balancers and other L4-7 services
  • Intuitive and easy configuration process

More information can be found at www.cisco.com/go/aci

Basic Network Virtualization Components Explained

I found this great article about different network virtualization industry concepts that are incorporated into networks today. I thought I'd share this post from Henk Steneker that helps explain some of the virtualization technology.

What is virtualization?

With virtualization, a physical device or a pool of physical devices is divided into several virtual or logical devices.

What is a VLAN?

A Virtual Local Area Network (VLAN) occurs when a physical LAN is divided into several LANs.

The network diagram above shows two switches that are connected with a trunk. Both switches have an access port in VLAN 101 and VLAN 102. Ethernet frames of VLAN 101 that are transmitted to the other switch are provided with a VLAN 101 tag on the trunk connection. The receiving switch removes the tag and passes the frames on to the access port of VLAN 1.
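A worked example of the trunk tagging just described, added here and not part of Henk Steneker's post: the sending switch inserts an 802.1Q tag (TPID 0x8100 plus a 16-bit TCI carrying the 12-bit VLAN ID) after the MAC addresses, and the receiving switch strips it and forwards only to an access port whose VLAN matches. The frame bytes are constructed for the example; no packet library or real switch is involved.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q-tagged frame
MAX_VID = 4094        # VLAN IDs 0 and 4095 are reserved

# Constructed sample frame: dst MAC, src MAC, EtherType IPv4, short payload.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                + struct.pack("!H", 0x0800) + b"payload")


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Sending switch: insert an 802.1Q tag for VLAN `vid` on the trunk."""
    if not 1 <= vid <= MAX_VID:
        raise ValueError(f"invalid VLAN ID {vid}")
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    # TCI layout: PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:12] + tag + frame[12:]


def untag_frame(frame: bytes):
    """Receiving switch: strip the outermost tag.

    Returns (vid, untagged_frame); vid is None if the frame was untagged,
    which on a real trunk would place it in the native VLAN.
    """
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def forward_to_access_port(trunk_frame: bytes, access_vid: int) -> bool:
    """Deliver only when the tag's VLAN matches the access port's VLAN."""
    vid, _ = untag_frame(trunk_frame)
    return vid == access_vid


def demo() -> dict:
    """Walk the page's scenario: VLAN 101 across the trunk, two access ports."""
    on_trunk = tag_frame(SAMPLE_FRAME, 101)
    vid, stripped = untag_frame(on_trunk)
    return {
        "trunk_len": len(on_trunk),            # 4 bytes longer than the original
        "vid": vid,
        "restored": stripped == SAMPLE_FRAME,  # tag removal is lossless
        "to_vlan101_port": forward_to_access_port(on_trunk, 101),
        "to_vlan102_port": forward_to_access_port(on_trunk, 102),
    }
```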

What is Virtual Routing and Forwarding?

With Virtual Routing and Forwarding (VRF) a physical router is divided into several virtual routers.

The VRFs can be separated completely from each other and the same subnet can be used in several VRFs. VRF routers communicate with each other via an address family that works with a Route Distinguisher (RD) and an IP address.

What is Port Channel?

Port Channel (PC) is the combining of several physical links into one virtual link.

Another name for this is EtherChannel (EC) or Link Aggregation Group (LAG). If one of the connected links fails, the virtual link continues to work. You can apply PC or LAG for ports on routers (Layer 3 PC) or switches (Layer 2 PC). Because the switch sees a PC as one virtual link, a broadcast storm cannot occur.

You can apply Port Channel for redundancy or for load balancing between physical links.

What is a Virtual Switching System?

With a Virtual Switching System (VSS), two physical switches (for example the primary and the secondary switch) are combined into one virtual switch.

The virtual switch has one management plane and one control plane. In the example above this is the case with the two distribution switches that are connected with a Virtual Switch Link (VSL). Both the access switches see one logical distribution switch. Because there is a Port Channel between the access switch and the distribution switch, the Spanning Tree Protocol is not needed. VSS can be used with the Cisco Switch series 4500 and 6500.

What is Multichassis Ether Channel?

The physical ports of an EtherChannel must be connected to one physical device, or to one virtual device, on each side.

But if two physical devices support Multichassis EtherChannel (MEC), that is also allowed. The other side of the EtherChannel then sees one virtual device. Another name for this is Virtual Port Channel (vPC) or Multichassis LAG.

vPC can be applied with Cisco switches of the series Nexus 5000 and 7000. Both the switches have their own management plane and control plane.

What is a Virtual Device Context?

With a Virtual Device Context (VDC) a physical switch can be divided into several switches. You can divide a primary Nexus switch into a primary Core VDC and primary Aggregation VDC.

What is a Virtual Storage Area Network?

A Virtual Storage Area Network (VSAN) is created by combining several SANs from a pool of SANs. In turn, these can be divided into several VSANs.

What is a Virtual Machine?

A Virtual Machine (VM) is created by combining several physical servers into one virtual server. In turn, the virtual server can be divided into several Virtual Machines (VMs).

The original post can be found here: http://ipmigrations.nl/index.php/en/en-designtools/en-09

Cisco Introduces New ASA 5506/5508 to replace ASA 5505 SMB Firewall

Cisco is introducing a new line of ASAs to replace the existing SMB ASA 5505 line of firewalls. Since Cisco’s acquisition of Sourcefire, Cisco has rapidly been integrating the technology into its firewalls and in doing so has created the most advanced perimeter network appliance on the market. The vast breadth of technology now incorporated into a single ASA firewall allows businesses to gain all of the next-generation security appliance capabilities under a single platform in their network. Until now, Cisco hadn’t brought this advanced security technology down to the 5505 ASAs. The new ASA 5506 brings these capabilities to the SMB line and allows companies to leverage the same capabilities across all of Cisco’s firewalls. Below I have highlighted some of the new features that the ASA 5506/5506W (wireless version) and the 5508 ASA firewalls include.

Key Enhancements Over ASA 5505:

  • NGFW (Next-Gen Firewall) – FirePOWER Services
    • Threat-focused NGFW; provides ASA firewall functionality, advanced threat protection, and advanced breach detection and remediation combined in a single device
  • Application Visibility & Control
    • Identify applications and create rules based on applications and users
  • AMP (Advanced Malware Protection)
    • Detection, blocking, tracking, analysis, and remediation to protect the enterprise against targeted and persistent malware attacks
  • NGIPS (Next-Gen IPS)
    • Superior threat prevention and mitigation for both known and unknown threats
  • URL Filtering Subscriptions
    • Application-layer control (over applications, geolocations, users, websites) and ability to enforce usage and tailor detection policies based on custom applications and URLs
  • Simplified Purchase Experience: Unlimited User (node) support
  • VPN: Enhanced Mobility Support
  • Throughput: Over 2.5x stateful performance
  • Integrated Wireless Access Point
    • AP is similar to AP702i 2×2 MIMO
    • Autonomous and CAPWAP mode operation support
    • Separate management for wireless, HTTP to AP GUI
  • Ruggedized Option

IWAN: What can IWAN do for your Business?

Traditionally, businesses take on huge investments in their WAN, and the cost of upgrading to keep up with network demands or of moving to a new provider is often painful; it typically becomes a long, drawn-out project that ties up business time, money and resources. This is where IWAN helps: the solution is transparent to the underlying network that it runs on, making the corporate network an overlay on the underlying ISP’s network(s). At the same time it simplifies the overall WAN architecture and provides a flexible, consistent management domain that allows businesses to be provider agnostic and to bring branch offices online in days rather than weeks.

Today, private backbone networks are in general high-cost networks that get sold because they provide a consistent, end-to-end reliable network. They also fall short in many aspects that are critical to businesses. Businesses are almost always constrained by the provider’s time and WAN provisioning, effectively making the business move slower. Now, improvements in the reliability, performance, and relative cost of Internet connections have led many organizations to leverage the Internet to address these challenges: by connecting branches directly to the Internet, by using the Internet to supplement the WAN, and by using the Internet as the WAN. This is an example of how IWAN (Intelligent WAN) has great potential to solve many business issues and to create a more flexible architecture to meet business needs.

Cisco’s IWAN strategy is a new concept that many businesses are looking at to make the business more flexible and agile. IWAN helps businesses improve efficiency in all aspects of the business: it simplifies the network and streamlines the operation, deployment and management of the WAN, while at the same time providing huge savings by right-sizing the branch office WAN to provide intelligent active/active connectivity to the Internet and the corporate network. Today’s workforce and its applications depend more and more on the network, with each application carrying key network metrics and thresholds that define the QoE (quality of experience) for users. This is where IWAN is able to dynamically steer applications across links when performance falls out of threshold. This is one of many key components that make up the IWAN strategy. Below I outline some more benefits of the overall IWAN strategy that businesses can leverage to overcome limitations in their current architecture.

Intelligent WAN Deployments: Balancing Cost with SLA

PfR, Intelligent Path Control with PfR

Here is a great article giving more information on how Cisco’s IWAN strategy could be your future WAN backbone: http://www.provenmethod.com/iwan-cisco-betting-internet-will-future-wan-backbone/

Key Business Outcomes that IWAN can bring:

    • Transport Independent Design
      • Fast to deploy (faster to market). Provider agnostic, providing a consistent operational model.
      • IWAN allows you to get up and running fast while still maintaining a single management and routing domain, which simplifies design and operational support. This design supports multiple Internet delivery options, including 4G, satellite, etc., so that business operations can be brought up on day 1.
      • Makes the network more flexible, more reliable and more effective in meeting business needs.
    • Distributed Secure Internet Access
      • Local Internet access without backhauling to corporate.
      • Increased performance and productivity.
      • Branch workers using SaaS apps find that the apps run slowly and get frustrated, because they share bandwidth with all traffic on the network and their traffic is hairpinned through the DC to enforce security and compliance centrally. With IWAN, CWS (Cloud Web Services) can enforce security while allowing Internet traffic to go directly out to the Internet, taking load off the internal WAN. You are still able to centralize policy and enforcement, but in the cloud, and you now have faster app performance, which allows for happier users and increased productivity.
    • Intelligent Path Control
      • Allows the network to adapt to applications’ performance needs, bringing a reliable and consistent user experience.
      • IWAN PfR is able to detect brownouts (packet drops). Normally a meeting would be interrupted and rescheduled; with IWAN, alternate paths are provided dynamically to keep the video conference working and provide a consistent video experience. The meeting is not cancelled, because the intelligent WAN detects the poor quality and moves the traffic to another link. This increases productivity.
    • Optimizing Application Performance
      • Application acceleration and bandwidth optimization to give users LAN-like speeds.
      • Medianet-enabled, media-aware network, so that the network can intelligently apply critical network services to provide a consistent, media-rich experience to users.
        • Accelerates deployment of applications, minimizes complexity and ongoing operational costs, increases visibility into the network, and helps to scale the infrastructure for the best quality of experience (QoE) by ensuring predictability, performance, quality, and security
        • Can detect and optimize different media and application types (telepresence, video surveillance, desktop collaboration, and streaming media) to deliver the best experience
        • Network-aware: can detect and respond to changes in device, connection, and service availability
    • Simplified network approach and increased operational efficiency.