Cisco Blogs


Cisco Blog > Security

Executing on our Vision: Cisco’s Comprehensive Advanced Malware Protection

The increased scrutiny on security is being driven by the evolving trends of expanding networks, mobility, cloud computing and a threat landscape that is more dynamic than ever. A combination of these factors has led to an increase in attack access points and a re-definition of the traditional network perimeter.

Due to these concerns, we have been strong proponents of threat-centric security that lets defenders address the full attack continuum and all attack vectors to respond at any time — before, during, and after attacks.

Read More »

Tags: , , , , , , , , ,

Intelligent Cybersecurity at Cisco Live

We are all struggling with the Security problem today. Zero-day attacks and advanced persistent threats have outpaced the capabilities of traditional security methods that rely exclusively on single-point-in-time detection and blocking. There is a tremendous amount of complexity in our environments and security expertise is in short supply. At the same time, the movement to an Internet of Everything (IoE) is accelerating and creating significant opportunities for businesses and attackers alike as more people, processes, data, and things come online.

This is why Cisco is steadfast in its charge of a threat-centric security model that addresses the full attack continuum – before, during, and after an attack.

Read More »

Tags: , , , , , , , , ,

South of Several Borders

Let me tell you a little about a country I’d not been to before until recently: Chile. Beyond its abundant natural resources and terrific terroir for wine grapes, Chile has become a hub for banking and retail companies with operations that span Latin America. Through the continued growth of business and the Chilean public sector and government leadership going through a period of change, Chile continues to adopt cutting edge technology to become more connected. In short, Chile is quite amazing.

Read More »

Tags: ,

Taking Encryption to the Next Level: Enrollment Over Secure Transport Strengthens Adoption of Elliptic Curve Cryptography

Enrollment over Secure Transport (EST) is a new standard (RFC7030) designed to improve the lifecycle management of digital certificates, a key element for secure communications. Cisco Engineer Max Pritikin coauthored the EST standard.

We’re very excited about the potential use cases of EST, which are, as we’ll discuss in a moment, pretty versatile.

To understand EST and how it works, let’s look at a basic use case: A controller, such as a Wi-Fi access point, manages an endpoint. To secure the management communication, both the controller and the endpoint authenticate each other using certificates. EST is a new way to obtain those certificates that is more secure and comprehensive than previous approaches, such as Secure Certificate Enrollment Protocol (SCEP). One area EST is superior to previous approaches is that it enables the use of Cisco’s Next Generation Encryption (NGE), which uses Elliptic Curve Cryptography (ECC) to get the job done as opposed to RSA encryption. That’s a lot of acronyms, so let’s take a step back to explore what this all means.

The next level of encryption

Today’s modern threats demand a new standard of encryption. Cisco’s move to NGE is paving the way for the next decade of cryptographic security. NGE provides a complete algorithm suite that is comprised of authenticated encryption, elliptic-curve based digital signatures and key establishment, and cryptographic hashing. These components provide high levels of security and scalability, aimed at protecting critical data and setting the standard for encrypting sensitive data in networks all over the world.

These cryptographic technologies meet the evolving needs of governments and enterprises by using innovative, battle-tested cryptographic algorithms and protocols, and are beginning to be used in place of legacy cryptographic approaches. EST drives the adoption of ECC, strengthening Cisco’s products and in turn strengthening the security posture of our customers.

EST can be used for a variety of purposes. Enterprises with a number of network endpoints require the “re-enrollment” (re-issuance) of certificates every period, potentially every year. This helps prevent servers going offline due to expired certificates, and the ensuing scramble to obtain and install updates. EST enables automatic re-enrollment to obtain a new certificate, making this a faster and less labor-intensive process. Additionally, EST supports automatic redistribution of CA certificates when they are updated. These improvements are immediately valuable and will be very important for future Internet of Everything (IoE) environments where the large numbers of endpoints will make certificate management highly complex.

Protecting against modern threats

For another example of how EST can help protect the modern network, look no further than your home page and the daily news. The recently discovered Heartbleed bug has thrown the industry into a panic, with enterprises, consumers, and organizations scrambling to assess the fallout and determine an appropriate remediation strategy. Many sites are recommending the replacement of certificates. If EST were in wide deployment, its re-enrollment capabilities would significantly reduce the impact of refreshing the server certificate, supporting much more rapid resolution of the security vulnerability.

Looking ahead

As an open standard, EST will increase interoperability with other company’s offerings, including our CA partners. Cisco has taken steps to accelerate adoption and interoperability by providing EST software in the open source community, through Github. Even at this early stage, we’re seeing some positive feedback. Phil Gibson, chairman of the PSNGB, the Industry Trade Association for Public Services Networks (PSN) suppliers, said: “The Public Services Network is now the primary infrastructure for the majority of government communications in the UK and the encryption solutions it uses must continue to evolve. Due to the large and varied number of encryption devices in use, a scalable certificate provisioning protocol is critical to the migration to next generation encryption (CESG PRIME). Cisco’s release of its EST code into the open source community will facilitate rapid adoption by the PSN community. With the release of this code, other vendors will be able to accelerate their adoption of EST and this in turn expands the choice of encryption solutions available to public sector organizations.”

This is an overview of what we can do with EST, and we’re just getting started. We have started to build libraries to incorporate EST into Cisco products, which will likely begin later this year or early next. Stay tuned for additional updates over the coming months.

Tags: , , , , ,

Recap: Recommendations for a Sound Technology Future

I recently sat down with Arvind Hickman of HR Magazine UK to discuss the skills gap in the technology sector. We talked about the challenges of filling the critical technology slots that business demands, particularly in developed countries, where the biggest gaps exist.

Cisco has been proactive in surveying the global market, forecasting each country’s future requirements for technology talent and engaging to close the skills gap. We invest in the areas where supply would otherwise fall short of demand, and we work with colleges, the military, and with public -- private partnerships to build the needed training and certification programs. We also recruit people early on, either before college or while in college, to consider technology careers in areas such as security, networking, data analytics and cloud.

Read More »

Tags: , , , , , ,