Cisco Blogs



vPath: The Secret Sauce to Enabling Virtual Network Services

July 31, 2012 at 4:09 pm PST

Wow, there’s been a lot of news in the SDN and virtual networking space in the last week or so! VMware acquiring Nicira, and Oracle acquiring Xsigo are testimony to how important virtual overlay networks and virtual switching infrastructure have become for data center vendors, and how integral they are to each company’s strategy. Speaking of our own Nexus 1000V-based virtual networks, last week I provided an overview and some new resources on Virtual Extensible LANs (VXLAN) for Nexus 1000V virtual switches. That turned out to be quite a popular post, so I’m following up this week on another fundamental component of Nexus 1000V-based virtual networks, vPath, the secret sauce that allows us to deploy virtual network services in the data center.

What is vPath? Well, if VXLANs can set up secure tunnels over a shared, multi-tenant virtual network, vPath is a feature of the Nexus 1000V virtual switch that can redirect traffic to virtual application services before the switch sends the packets down into the virtual machine. Very important stuff, but how does it do that? I find that my blog posts are more popular the less I type, and the more I embed cool TechWiseTV videos that illustrate the concept, so I’m dusting off this classic from the TWTV team on just how vPath does that with our Virtual Security Gateway (VSG). Take it away, Robb.


BYOD, Mobility, and Remote Access VPN – How Can I Troubleshoot All These Technologies and Solutions?

June 8, 2012 at 7:22 am PST

Mobility enables the extension of IT resources and application availability to anytime, anyplace, any way. Initially people thought that the “mobility movement” was just hype; however, it is definitely a reality, as it has become synonymous with efficiency. All of these new devices and social applications are bringing potential security risks to enterprise and public sector organizations. The threat landscape ranges from potential data leakage to lost and stolen devices that may contain corporate and private information.

The question now is how we can address the customers’ challenge of enhancing productivity without compromising network security. Cisco’s AnyConnect Secure Mobility Client and the Cisco ASA 5500 Series Adaptive Security Appliances enable desktop and mobile users to connect to the corporate network, giving access to the network from any device based on comprehensive secure access policies. Cisco AnyConnect Secure Mobility Client works in conjunction with Cisco’s IronPort Web security appliance and the Cisco ASA appliance, and also provides integration with ScanSafe, an in-the-cloud Web security solution.


Lock It Down or Free It Up?

March 1, 2012 at 12:54 pm PST

On February 29th, Christopher Young, Senior Vice President of Cisco Security, delivered a rousing keynote address at the RSA 2012 conference in San Francisco.

The title and theme of his presentation, “Lock it Down or Free it Up?”, spoke to the dilemma organizations of all sizes face every day.


Firewall, IPS, and Web Security Without Degrading Performance? Yes You Can Have It All!

February 28, 2012 at 4:00 am PST

In an effort to reduce costs and improve operational efficiency, organizations of all sizes have begun compressing their firewall and other security services into smaller form factors and fewer physical units. Many small and midsized companies have opted for UTMs to run all of their security on a single box. Unfortunately, UTMs have failed to deliver on their promise of true multi-service security. Most UTMs do one or two things really well, but add all the other services as “checkbox” items just to say they have them.


Think You Know What’s Going on in Your Network? Think Again!

February 28, 2012 at 4:00 am PST

One of the most commonly used – yet misunderstood – terms in all of network security is the “next generation firewall”. When we look under the covers, we see that most “next generation” firewalls are still relatively limited, providing only application and user ID awareness. Visibility into how the network is being used might produce a report that makes for a curious read. But there’s so much more going on in your network; application and user ID just don’t go far enough to help administrators with actionable security enforcement. For example, knowing which interns are the heaviest Facebook users is one thing; knowing that the majority of their network traffic is due to video uploads to Facebook – and having the ability to disallow those uploads – is quite another.

Think of it this way. In scenarios that require additional context beyond what can be provided by a classic firewall, current next generation firewalls still lack the level of visibility required for administrators to make intelligent security decisions. I liken it to a knock at your door at midnight, and the porch light is out. How many of us would open the door anyway, without knowing who or what is on the other side? Of course, the safest thing to do is to keep the door closed and locked, rather than opening it to a potential threat. That’s exactly what so many firewall administrators are doing today – in fear of opening the network to unknown attacks, they say “no” to users, applications, devices, and new use cases that can tremendously improve the efficiency of the organization.

Unfortunately, the behavior with “next generation” firewalls isn’t much different. Though our porch light may be on now, it’s dim and we can’t see much out of the peephole in the door. What’s more, we only have two options – either completely open the door or leave it completely closed. This is because next generation firewalls don’t offer the level of granularity required, so entire applications must be allowed or denied. Think of a complex application with an array of micro-applications such as Facebook; current next generation firewalls only provide administrators with the capability to “allow” or “deny”, without the additional granularity to “Allow Facebook, but deny Farmville”.

As a result, we still have to be wary of opening the door, since we can’t truly know who or what is out there. Bottom line, unless we’re sure, it’s still safer to say “no”. That means saying no to the growing number and types of devices that are being used to access the corporate network, including iPhones, iPads, and Android devices; it also means locking down applications such as Facebook and Twitter, which have legitimate business uses. So not only is having to always say “no” a dark, lonely place to be – it also puts an artificial cap on corporate productivity!

Today’s announcement of Cisco ASA CX Context-Aware Security changes all of this by extending the ASA platform with unprecedented visibility and control. ASA CX uses the Cisco SecureX framework to gain end-to-end network intelligence from the local network using Cisco AnyConnect Secure Mobility, and to gain near-real-time global threat information from Cisco Security Intelligence Operations (SIO). As a result, ASA CX empowers enterprises to finally say “yes” to applications, devices, and the evolving global workforce while maximizing protection and control.

Going back to our example of a knock at our door, ASA CX is like looking through a picture window at noontime, rather than the peephole at midnight. While the firewall itself is powerful, what really makes ASA CX so exceptional compared with current “next generation” firewalls is its capability to gather extraordinary amounts of intelligence from throughout the local and global network, including deep application visibility; identity of users, as well as the devices they are using to access the network; and proactive, reputation-based threat protection backed by global correlation. It makes this intelligence available in a simple, intuitive interface. This, in turn, enables administrators to truly understand what’s happening throughout the network, so that they can make more informed security decisions and write more effective policies. As a result, they can strike a real balance between flexibility and control!

So now that we know what true visibility really is, who would still settle for making decisions based on looking through the peephole at midnight?

For more information, visit http://www.cisco.com/go/asacx or the following video.
