Simple Network Management Protocol (SNMP) has been widely deployed as an important network management tool for decades, is a key component of scalable network device management, and is configurable in nearly all network infrastructure devices sold today. As with any management protocol, if it is not configured securely it can be leveraged as an opening for attackers to gain access to the network and begin reconnaissance of the network infrastructure. In the worst case, if read-write community strings are weak or not properly protected, attackers could directly manipulate device configurations.
Cisco has recently seen a spike in brute-force attempts to access networking devices configured for SNMP on the standard ports (UDP ports 161 and 162). The attacks we have observed have been going after well-known SNMP community strings and are focused on network edge devices. We have been working with our Technical Assistance Center (TAC) to assist customers in mitigating any problems caused by the brute-force attempts.
While there is nothing new about brute-force attacks against network devices, in light of these recent findings customers may want to revisit their SNMP configurations and ensure they follow security best practices, including using strong passwords and community strings and using ACLs to restrict SNMP access to trusted network management endpoints.
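The two recommendations above (non-default, long community strings and an ACL limiting who may query the agent) can be checked mechanically against a device's running configuration. The following audit script is an added example written for this post, not Cisco's code or a TAC tool; the configuration text, the community strings and the 192.0.2.x management addresses in it are constructed, and the twelve-character minimum length and the list of well-known strings are assumptions you should adjust to your own policy. It parses Cisco IOS `snmp-server community` lines, flags well-known or short strings, flags communities with no ACL or with an ACL that is referenced but never defined, and calls out read-write communities that carry any of those weaknesses. A hardened counterpart of the same configuration is included so the two can be compared side by side.

```python
import re
from typing import Dict, List, Set

# Constructed sample of IOS running-config lines from a hypothetical edge
# router. Nothing here refers to a real device; all values are made up.
WEAK_CONFIG = """\
hostname edge-rtr-1
!
access-list 10 permit 192.0.2.10
access-list 10 permit 192.0.2.11
!
snmp-server community public RO
snmp-server community private RW
snmp-server community Xq7!vR2#mL9z RW 10
snmp-server community monitor-ro RO 20
snmp-server host 192.0.2.10 version 2c monitor-ro
"""

# The same device after remediation (constructed): default strings removed,
# every community is long and random, and every community is bound to the
# ACL that permits only the management stations.
HARDENED_CONFIG = """\
hostname edge-rtr-1
!
access-list 10 permit 192.0.2.10
access-list 10 permit 192.0.2.11
!
snmp-server community Xq7!vR2#mL9z RO 10
snmp-server community Kp4$wN8@tB6y RW 10
snmp-server host 192.0.2.10 version 2c Xq7!vR2#mL9z
"""

# Community strings that ship as defaults or appear in vendor documentation;
# treat the list as a starting point, not an exhaustive one (assumption).
WELL_KNOWN = {"public", "private", "cisco", "community", "admin", "monitor"}

# snmp-server community <string> [view <name>] [RO|RW] [ipv6 <nacl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<string>\S+)"
    r"(?: view \S+)?"
    r"(?: (?P<mode>RO|RW))?"
    r"(?: ipv6 \S+)?"
    r"(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)
# Numbered and named ACL definitions, so referenced ACLs can be verified.
ACL_RE = re.compile(
    r"^(?:access-list (\S+)|ip access-list (?:standard|extended) (\S+))",
    re.IGNORECASE,
)


def defined_acls(config: str) -> Set[str]:
    """Collect the names/numbers of every ACL defined in the config."""
    acls: Set[str] = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.add(m.group(1) or m.group(2))
    return acls


def audit_snmp(config: str, min_len: int = 12) -> List[Dict[str, object]]:
    """Return one finding per snmp-server community line that violates policy."""
    acls = defined_acls(config)
    findings: List[Dict[str, object]] = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        community = m.group("string")
        mode = (m.group("mode") or "RO").upper()  # IOS defaults to read-only
        acl = m.group("acl")
        problems: List[str] = []
        if community.lower() in WELL_KNOWN:
            problems.append("well-known community string")
        elif len(community) < min_len:
            problems.append(f"community string shorter than {min_len} characters")
        if acl is None:
            problems.append("no ACL restricting source addresses")
        elif acl not in acls:
            problems.append(f"referenced ACL {acl} is not defined")
        if mode == "RW" and problems:
            problems.append("read-write access makes the above critical")
        if problems:
            findings.append({"line": line.strip(), "mode": mode, "problems": problems})
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit_snmp(cfg))} finding(s)")
        for f in audit_snmp(cfg):
            print(f"  {f['line']}")
            for p in f["problems"]:
                print(f"    - {p}")
```

Against the constructed weak configuration the script reports three findings: the two default strings with no ACL (the read-write one flagged as critical) and the short `monitor-ro` string bound to ACL 20, which is referenced but never defined, so it restricts nothing. The hardened configuration produces no findings. The check only covers SNMPv1/v2c community lines; where the management platform supports it, SNMPv3 with authentication and privacy removes the shared community string altogether, and the ACL guidance still applies to v3 groups.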
Cisco has published a number of best practices documents for securing the management plane, including SNMP configuration:
Tags: ACL, best practices, brute force, security, snmp, TAC
EMC World was wonderful. It was gratifying to meet industry professionals, listen in on great presentations and watch the demos for key business-enabling technologies that Cisco, EMC and others have brought to fruition. It's fascinating to see the transition of the data center (DC) from a cost center to a strategic business driver. The same repeated all over again at Cisco Live: more than 25,000 attendees, hundreds of demos and sessions, lots of interesting customer meetings, and MDS continues to resonate. We are excited about the MDS hardware that was on display on the show floor, the interesting multiprotocol demo, and a lot of interesting SAN sessions.
Beyond these, we recently did a webinar on how the Cisco MDS 9710 is enabling high-performance DC design, with customer case studies. You can listen to that here.
So let's continue our discussion. There is no doubt that when it comes to high-performance SAN switches there is nothing comparable to the Cisco MDS 9710. Another component that is paramount to a good data center design is high availability. Massive virtualization, DC consolidation and the ability to deploy more and more applications on powerful multi-core CPUs have increased the risk profile within the DC. These DC trends require a renewed focus on availability. MDS 9710 is leading the innovation there again. Hardware design and architecture have to guarantee high availability. At the same time, it's not just about hardware; it's a holistic approach combining hardware, software, management and the right architecture. Let me give just a few examples of the first three pillars for high reliability and availability.
MDS 9710 is the only director in the industry that provides hardware redundancy on all critical components of the switch, including fabric cards. Cisco director switches provide not only CRC checks but also the ability to drop corrupted frames. Without that ability, the network infrastructure exposes the end devices to the corrupted frames. Having the ability to drop frames with CRC errors and quickly isolate the failing links, outside as well as inside the director, provides data integrity and fault resiliency. VSANs allow fault isolation, Port Channels provide smaller failure domains, and DCNM provides a rich feature set for higher availability and redundancy. All of these are but a subset of the examples of features that provide high resiliency and reliability.
We are proud of the 9500 family and the strong foundation for reliability and availability that we stand on. We have taken that to a completely new level with the 9710. For any design within the data center, high availability has to go hand in hand with consistent performance. One without the other doesn't make sense. The right design and architecture within the DC are as important as the components that power the connectivity. As an example, Cisco recommends that customers distribute the ISL ports of a Port Channel across multiple line cards and multiple ASICs. This spreads the failure domain such that any ASIC or even line card failure will not impact the Port Channel connectivity between switches, and there is no need to reinitiate all the host logins. You can see the white paper on the next-generation Cisco MDS here. As part of writing this white paper, ESG tested the fabric card redundancy (Page 9) in addition to other features of the platform. Remember that a chain is only as strong as its weakest link.
The most important aspect of all of this is for the customer to be educated.
Ask the right questions. Have in-depth discussions to achieve higher availability and consistent performance. Most importantly, selecting the right equipment, the right architecture and best practices means no surprises.
We will continue our discussion with the flexibility aspect of the MDS 9710.
"We are what we repeatedly do. Excellence, then, is not an act, but a habit." (Aristotle)
Tags: 16 Gigabit, 16Gb, 16Gb Fibre Channel, 9710, architecture, availability, best practices, Cisco, cloud, Cloud Computing, Consolidation, convergence, data center, Data Mobility Manager, DCNM, design, Director, dmm, FCIP, FCoE, Fibre Channel, Fibre Channel over Ethernet, IO accelerator, it-as-a-service, MDS, MDS design, nexus, NX-OS, reliability, SAN, Storage, storage area networks, switch, switching, Unified Data Center, Unified Fabric, virtualization
I recently contributed a chapter titled "Advanced Technologies/Tactics Techniques, Procedures (TTPs): Closing the Attack Window, and Thresholds for Reporting and Containment" that was published in the anthology Best Practices in Computer Network Defense: Incident Detection and Response, published by IOS Press. In the chapter, I recommend a number of TTPs that can move the cybersecurity balance of power away from adversaries to infrastructure defenders. Acting on the TTPs I propose, including focusing hard work and clear thinking on network security basics, will pay maximum dividends for the cybersecurity defender.
The book’s publishers have graciously granted me permission to reproduce the chapter on the Cisco website, and you are welcome to read it here. Please take a moment to read it and let me know what you think in the form of comments on this blog post.
Thanks in advance for your thoughts and reasonably well considered opinions!
Tags: best practices, network security, security, TTPs
In a world where we are increasingly connected, and others' opinions or reviews are more accessible than ever, marketing must evolve to keep up. Consumers want, and expect, "on-demand" marketing: customized marketing that caters to what they need, when they want it, and is extremely responsive. 59% of consumers who have experienced personalization believe it has a noticeable influence on their spending. That percentage cannot be ignored, and with all the data available from connected devices and social media, there is no reason it should be.
Social media interactions are a part of many customers’ routine. For marketing, these interactions provide valuable insights and data. Companies like Julep Beauty leverage social media to interact with their customers, discover what they want, and quickly create, test, and sell new products. When negative reviews or comments come up, they promptly address the issue. This allows customers to feel like their voices are being heard and helps position the brand as a company that cares and is responsive to its customers.
Tags: best practices, Big Data, Internet of Everything, marketing, optimization, personalized marketing, social media
A Short Trip Down Memory Lane…
On the quest to become a truly social-minded culture, about a year and a half ago we rolled up our sleeves and created a multi-level, multi-track social media training program that used game principles and integrated with our Education Management System to encourage and reward participation. We augmented our on-demand courses with a vibrant community filled with self-service resources, online discussions (we call them "social chats"), team challenges, and recognitions and testimonials.
What I'm most proud of is that we did this in house and on a shoestring budget (imagine toddler-sized shoes and shoestrings). The original team was very small, namely the wonderful Elizabeth Houston (please give it up for @elhoust) and yours truly (@petra1400). Having seen great success with our internal program, and inspired by the possibilities of growing it and even bringing it to our customers, partners and the general public, we have added some resources and upgraded to kid-sized shoestrings. Soon, the external-facing training program pilot, a scaled-down version of our internal program, was born. (For the record, the current team is still really small and also includes @kmgibbs, some of @nrrivas07's time, and our fun intern @efannie's time.)
We knew it was just a matter of time before we wanted to expand the customer-facing program and mirror it after our internal program as much as possible.
Driving in the Fast (and Furious) Lane
Over the past few months, we have been working furiously on making this dream a reality. While we have a little longer to go before you can test drive our new social media training center, we want to share some screenshots of this new environment.
Tags: best practices, classes, curriculum, education, online classes, social media, training