One of the most visited booths at NRF in New York was focused on security and the PCI architecture that Cisco offers. This is always a sticky subject of course, and it is interesting to see the foundational nature of security still given some focus in a bad economy. Now, in my experience, people talking about security and people actually working on it and/or spending money to improve it can often be from two different groups. Nonetheless, take a look at this short overview I got from Wayne Kennedy while I was out there.
Robb
This can be a tough topic to understand, for sure. A Private VLAN is not a VLAN, nor do any of the essential VLAN rules apply. A VLAN is a layer 2 boundary, and a Private VLAN is really a layer 1 boundary, kinda… A Private VLAN is really port isolation. When I config up a Private VLAN, I am basically telling the switch: ignore port X in your bridge table. A Private VLAN is really allowing YOU, the network admin, to dictate communication behavior. Consider: I have a hotel or apartment and I want to provide Internet access for all folks, BUT I do not want them to see each other. With the VLAN model, I have to route to do this, PLUS carry all of the VLAN protocol overhead.

A better way would be to define one common port for Internet access that every port would access, let's say port 1. On a 48 port switch, the other 40 ports need only to access port 1 and that is it, but the remaining 5 ports need to talk to each other because they are the door security system. So a Private VLAN fits the bill here in a simple fashion. Port 1 is a community port. I would set up a Private VLAN that would allow ports 2-43 to access only port 3, and that is it. Then another Private VLAN would be for my security system, which would allow the doors to communicate with the server, but that is it.

So the REAL question is: are they secure? Well, they can indeed isolate your ports in their own micro-segment. If a hacker cracks one device, they cannot use it as a jumping-off point to all the rest in that subnet. I caution folks when calling VLANs and Private VLANs a security feature. In my testing here in the code cave, I have noticed that a packet sent from a device on an isolated port to another device on another isolated port will not be passed by the switch. Works as planned, right? Very true, but a packet sent from a device to the MAC address of the default gateway will be passed through the switch. If at an IP layer it's addressed to another isolated device, the GW will pass it.
I always recommend access lists to protect against this behavior. I love 'em and use them often; I just know they are part of my security tool chest and not the end-all, be-all. Of course, in security, what is?

Summing it up:
Private VLANs: are only used per switch.
VLANs: can span the entire network.
Private VLANs: allow only data traffic to and from the mapped ports.
VLANs: allow maintenance protocols per VLAN like NTP, VTP, ICMP, etc.
Private VLANs: have specific uses like service providers, hotels, DMZs.
VLANs: are used for applications like wireless, voice, political boundaries, etc.
Jimmy Ray Purser
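As an added example that is not from the post or from Cisco's own documentation, here is how the hotel scenario above maps onto a Cisco IOS private-VLAN configuration, with the access list Jimmy Ray recommends applied on the gateway SVI so the switch's port isolation is not undone by the router. It assumes IOS syntax, port 1 as the shared Internet port (which IOS calls promiscuous), ports 2-43 isolated, ports 44-48 as the door-security community, and a made-up 10.0.0.0/24 subnet.

```ios
! Primary PVLAN 100 carries the hotel subnet; 101 isolates the guest ports,
! 102 is the community for the door-security system.
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! Port 1: the shared Internet/gateway port (promiscuous in IOS terms),
! reachable from both secondary VLANs.
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Ports 2-43: guest rooms, each may talk only to port 1 (assumed numbering).
interface range GigabitEthernet0/2 - 43
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Ports 44-48: door controllers and their server may talk to each other
! and to port 1 (assumed numbering).
interface range GigabitEthernet0/44 - 48
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! The switch forwards a guest frame addressed to the gateway MAC, so it
! arrives at this SVI with a destination inside 10.0.0.0/24. The inbound
! ACL drops that hairpin instead of routing it back to another isolated
! port; traffic leaving the subnet is still permitted. Addresses are made up.
ip access-list extended NO-PVLAN-HAIRPIN
 deny   ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip any any
!
interface Vlan100
 ip address 10.0.0.1 255.255.255.0
 private-vlan mapping 101,102
 ip access-group NO-PVLAN-HAIRPIN in
```

Door-system traffic within the community VLAN is bridged directly between ports 44-48 and never reaches the SVI, so the ACL does not affect it.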
The NRF (National Retail Federation Show) in New York last week had a ton of innovation. It was a much more technology-laden conference than I would have expected, despite the fact that it is one of the best 'business oriented' conferences around. The show floor was huge and packed. Packed with vendors of course…but a few less customers this year given the challenging economy. The overwhelming focus within every discussion was around the need to focus on investments that would not only bring measurable results but also bring them in the short term. I will be trickling out video that we captured at the event as things get edited. Scopix Solutions was in our Cisco 'Connected Retail' booth and had a small crowd consistently hovering, as they were doing something that I did not know was even possible.
New Cisco technology called 'EnergyWise' is being announced today, and we are very fortunate to be featuring it in our next episode, 'Network Energy Efficiency: The New Frontier', on February 19. I used to think that 'going green' was perhaps not in line with basic business functions and the desire to make money. So given the state the economy is in, my first thought would have been that we are going to see rapid deceleration of green initiatives. Au contraire -- we are seeing much more evidence to the contrary: economic trouble is actually 'driving' green initiatives. We have covered the subject of green before, in our TechWiseTV episode 36: 'Energy Efficiency in the Data Center'. Cisco makes announcements today, however, that we are excited to be a part of.
My first appearance and work on BizWiseTV is now showing up -- we just released "Collaboration, bridging the productivity gap", where we addressed collaborative innovation in three different vertical areas -- retail, healthcare and manufacturing. We had some great guests on that show. Big Thank You out to Curtis Foster from our Retail team, his guest from Reflexis, Rich Lewis, Dan Knight from our Manufacturing team and Frances Dare, a fellow Texan and extremely sharp healthcare expert from our IBSG -- Internet Business Solutions Group. Let me know what you think of the show.

And in podcast news, two new shows out today -- Jimmy Ray and I talked about 'Traffic Flow Engineering' for our podcast released today, audio only. On the BizWise podcast side, we released a pretty good interview I did with Dan Knight, Senior VP of Product Development for Webex. He had some very interesting insight into the true, but often confusing, nature of enabling collaboration. It's not about personal productivity, he said, it's about business process improvement. He was putting this in the framework of their new Webex Connect product, but I think you will find great alignment with your opportunities even if you have not tried it out yet.