Cisco Blogs


Cisco Blog > Security

Three Steps to Secure Cloud Enablement

I’ve been pretty forthcoming in sharing my belief that the security industry in general continues to struggle to transition from old ways to new, and that in today’s day and age we have to adapt quickly. The rise of mobile computing and communications (users, data, services) combined with increasing volumes of cloud services data traffic (from, to, and via) intersecting with the hacking community’s ever-increasing capabilities, all have made me more than a bit on edge.

I recently participated in an on-line webinar, teaming up with a cloud services provider and a cloud security solutions vendor. It would be indiscreet for me to name the companies in this blog or signal any kind of Cisco “endorsement,” but speaking personally, they are on the right track in a number of ways.

Read More »

Tags: , , , , ,

Summary: Renewable Energy Agency Deploys Scalable, Power-Resilient Network

With its fast-growing economy, India faces significant challenges in meeting the energy needs of its population and industry. And given the growth of the renewable energy sector, the Indian Renewable Energy Development Agency (IREDA) was established in 1987  to promote, develop, and extend financial assistance for projects involving renewable energy generation, energy efficiency, and conservation. IREDA recognized the need to optimize use of its resources and leverage technology advances to better serve its constituents.

To improve the efficiency of its increasingly complex operations, IREDA sought to replace its aging heterogeneous campus network infrastructure with a scalable, unified solution. Key requirements included superior reliability and security as well as energy efficiency to foster the agency’s values while providing cost savings. There was an immediate benefit in lowering network energy consumption and the network would be the tool to both help ensure the security of confidential information and provide high performance for applications such as video.

How did this renewable energy agency approach deploying a network that would be scalable and power resilient while optimizing network efficiency? Click to read the full blog

 

Tags: , , , , , , , , , , , , , ,

Understanding the different types of Ethernet Switches

Ethernet Switches are broadly categorized into two main categories -- Modular and Fixed Configuration.

Modular switches, as the name implies, allows you to add expansion modules into the switches as needed, thereby delivering the best flexibility to address changing networks. Examples of expansion modules are application-specific (such as Firewall, Wireless, or Network Analysis), modules for additional interfaces, power supplies, or cooling fans. Cisco Catalyst 4K and 6K are good examples of Modular switches.

Fixed Configuration switches are switches with a fixed number of ports and are typically not expandable. This category is discussed in further detail below. Cisco Catalyst 2K, 3K and the Cisco 300/500 series are good examples of Fixed Configuration switches.

Let me say up front that there are variations to the categories below as switch makers are constantly adding capabilities and evolving the categories, but the broad essence remains the same.

The Fixed configuration switch category is further broken down into:

- Unmanaged Switches

- Smart Switches

- Managed L2 and L3 Switches

Unmanaged Switches:

This category of switch is the most cost effective for deployment scenarios that require only basic layer 2 switching and connectivity. As such, they fit best when you need a few extra ports on your desk, in a lab, in a conference room, or even at home.

With some Unmanaged switches in the market, you can even get capabilities such as cable diagnostics, prioritization of traffic using default QoS settings, Energy savings capabilities using EEE (Energy Efficient Ethernet) and even PoE (Power Over Ethernet). However, as the name implies, these switches generally cannot be modified/managed. You simply plug them in and they require no configuration at all.

Cisco 100 Series switches are good examples of this category.

Smart Switches (also known as Lightly Managed Switches):

This category of switches is the most blurred and fastest changing. The general rule here is that these switches offer certain levels of Management, QoS, Security, etc. but is “lighter” in capabilities and less scalable than the Managed switches. It therefore makes them a cost-effective alternative to Managed switches. As such, Smart switches fit best at the edge of a large network (with Managed Switches being used in the core), as the infrastructure for smaller deployments, or for low complexity networks in general.

The capabilities available for this Smart switch category vary widely. All of these devices have an interface for Management – historically a browser-based interface used to be the only way to configure these devices, though nowadays you can manage some of these devices with CLI and/or SNMP/RMON as well. Regardless, these capabilities are lighter than what you will find in their Managed switch counterparts.  Smart switches tend to have a management interface that is more simplified than what Managed Switches offer.

Smart switches allow you to segment the network into workgroups by creating VLANs, though with a lower number of VLANs and nodes (MAC addresses) than you’d get with a Managed switch.

They also offer some levels of security, such as 802.1x endpoint authentication, and in some cases with limited numbers of ACLs (access control lists), though the levels of control and granularity would not be the same as a Managed switch.

In addition, Smart switches support basic quality-of-service (QoS) that facilitates prioritization of users and applications based on 802.1q/TOS/DSCP, thereby making it quite a versatile solution.

Cisco 200 Series switches are good examples of this category.

Fully Managed L2 and L3 switches:

Managed Switches are designed to deliver the most comprehensive set of features to provide the best application experience, the highest levels of security, the most precise control and management of the network, and offer the greatest scalability in the Fixed Configuration category of Switches. As a result, they are usually deployed as aggregation/access switches in very large networks or as core switches in relatively smaller networks. Managed switches should support both L2 switching and L3 IP routing though you’ll find some with only L2 switching support.

From a Security perspective, Managed switches provide protection of the data plane (User traffic being forwarded), control plane (traffic being communicated between networking devices to ensure user traffic goes to the right destination), and management plane (traffic used to manage the network or device itself). Managed switches also offer network storm control, denial-of-service protection, and much more.

The Access Control List capabilities allows for flexibly dropping, rate limiting, mirroring, or logging of traffic by L2 address, L3 address, TCP/UDP port numbers, Ethernet type, ICMP or TCP flags, etc.

Managed switches are rich in features that enable them to protect themselves and the network from deliberate or unintended Denial of Service attacks.  It includes Dynamic ARP Inspection, IPv4 DHCP snooping, IPv6 First Hop Security with RA Guard, ND Inspection, Neighbor Binding Integrity, and much more.

Additional Security capabilities may include Private VLANs for securing communities of users or device isolation, Secure Management (downloads through SCP, Web-based Authentication, Radius/TACACS AAA, etc), Control Plane Policing (CoPP) for protecting the CPU of the switch, richer support for 802.1x (time-based, Dynamic VLAN Assignment, port/host-based, etc)

From a Scalability perspective, these devices have large table sizes so that you can create large numbers of VLANs (for workgroups), devices (MAC table size), IP routes, and ACL policies for flow-based security/QoS purposes, etc.

For highest network availability and uptime, Managed switches support L3 redundancy using VRRP (Virtual Router Redundancy Protocol), large numbers of Link Aggregation groups (which is used both for scalability and resiliency), and capabilities for protecting L2 such as Spanning Tree Root Guard and BPDU Guard.

When we talk about QoS and Multicast features, the richness of capabilities goes far beyond what you’d see in a Smart Switch. Here you’d see things such as IGMP and MLD Snooping with Querier functions for optimizing IPv4/v6 multicast traffic in the LAN, TCP Congestion Avoidance, 4 or 8 queues to treat traffic differently by importance, setting/tagging traffic by L2 (802.1p) or L3 (DSCP/TOS), and rate limiting traffic.

In terms of Management, things such as multiple ways to configure (using CLI, Web GUI, SNMP Management application), discovering of neighbor devices in the networks (using CDP, LLDP, Bonjour, etc), and troubleshooting capabilities (such as VLAN and Port Mirroring, Traceroute, Ping, Syslog, Cable Diagnostics, RMON, etc) are all included.

What I highlighted is by no means exhaustive, but gives you a sense of what some of the differences may be between Managed and Smart Switches.

Cisco Catalyst and Cisco 300 Series and 500 Series switches are good examples of this category of products.

Managed Switches can go even further than what I’ve highlighted. For example, there’s even richer support for Dynamic Unicast and Multicast Routing protocols, deeper flow intelligence or macro flow statistics with Netflow/SFlow, non-Stop Forwarding capabilities, MPLS/VRF support, Policy enforcement, and many others.

Now, to take a deeper dive into these switch categories and talk about various options, you can select the switches based on:

- Speed

- Number of ports

- POE versus non-POE

- Stackable versus Standalone

Speed:

You can find Fixed Configuration switches in Fast Ethernet (10/100 Mbps), Gigabit Ethernet (10/100/1000 Mbps), Ten Gigabit (10/100/1000/10000 Mbps) and even some 40/100 Gbps speeds. These switches have a number of uplink ports and a number of downlink ports. Downlinks connect to end users -- uplinks connect to other Switches or to the network infrastructure. Currently, Gigabit is the most popular interface speed though Fast Ethernet is still widely used, especially in price-sensitive environments. Ten Gigabit has been growing rapidly, especially in the datacenter and, as the cost comes down, it will continue to expand into more network applications. With 10GBase-T Ten Gigabit copper interfaces being integrated into LOM (LAN on the Motherboard) and 10G-Base-T switches becoming available now  (see the new Cisco SG500XG-8F8T 16-port 10-Gigabit switch), building a Storage or Server farm with 10 Gigabit interfaces has never been easier or more cost-effective. 40G/100G is still emerging and will be mainstream in a few years.

Number of ports:

Fixed Configuration Switches typically come in 5, 8, 10, 16, 24, 28, 48, and 52-port configurations. These ports may be a combination of SFP/SFP+ slots for fiber connectivity, but more commonly they are copper ports with RJ-45 connectors on the front, allowing for distances up to 100 meters. With Fiber SFP modules, you can go distances up to 40 kilometers

POE versus non-POE:

Power over Ethernet is a capability that facilitates powering a device (such as an IP phone, IP Surveillance Camera, or Wireless Access Point) over the same cable as the data traffic.  One of the advantages of PoE is the flexibility it provides in allowing you to easily place endpoints anywhere in the business, even places where it might be difficult to run a power outlet. One example is that you can place a Wireless Access Point inside a wall or ceiling.

Switches deliver power according to a few standards -- IEEE 802.3af delivers power up to 15.4 Watts on a switch port whereas IEEE 802.3at (also known as POE+) delivers power up to 30 Watts on a switch port. For most endpoints, 802.3af is sufficient but there are devices, such as Video phones or Access Points with multiple radios, which have higher power needs. It’s important to point out that there are other PoE standards currently being developed that will deliver even high levels of power for future applications. Switches have a power budget set aside for running the switch itself, and also an amount of power dedicated for POE endpoints.

To find the switch that is right for you, all you need to do is choose a switch according to your power needs. When connecting to desktops or other types of devices which do not require POE, the non-POE switches are a more cost-effective option.

Stackable versus Standalone:

As the network grows, you will need more switches to provide network connectivity to the growing number of devices in the network. When using Standalone switches, each switch is managed, troubleshot, and configured as an individual entity.

In contrast, Stackable switches provide a way to simplify and increase the availability of the network. Instead of configuring, managing, and troubleshooting eight 48-port switches individually, you can manage all eight like a single unit using a Stackable Switches. With a true Stackable Switch, those eight switches (total 384 ports) function as a single switch -- there is a single SNMP/RMON agent, single Spanning Tree domain, single CLI or Web interface – i.e. single management plane. You can also create link aggregation groups spanning across multiple units in the stack, port mirror traffic from one unit in the stack to another, or setup ACLs/QoS spanning all the units. There are valuable operational advantages to be gained by this approach.

Here’s a word of warning. Be careful about products in the market which are sold as “Stackable” when they merely offer a single user interface, or central management interface, for getting to each individual switch unit. This approach is not stackable, but really “clustering”. You still have to configure every feature such as ACLs, QoS, Port mirroring, etc, individually on each switch. Use the following as a proof point -- can I create a link aggregation group with one port in one unit of the stack and another port of that group in another unit of the stack? Can I select a port on one unit in the stack and mirror the traffic to a port on another unit of the stack? When I configure an ACL for Security purposes, can I apply that to any port on any unit in the stack? If the answer is “No” to any of these questions, you’re probably not working with a stackable switch.

There are other advantages of True Stacking as well. You can connect the stack members in a ring such that, if a port or cable fails, the stack will automatically route around that failure, many times at microsecond speeds. You can also add or subtract stack members and have it automatically recognized and added into the stack.

Cisco Catalyst 2K-X and 3K or Cisco 500 Series Switches are examples of Switches in this category.

As you can see there’s a multitude of switch options to choose from. So, have a close look at your current deployment and future needs to determine the right switch for your network.

Tags: , , , , , , , , , , , , , , , , , , ,

Dimension Data Series #4- The Opportunities and Risk of Secure Mobility from the Top Down

Mobile security is a top concern for IT and business leaders. This blog series with Dimension Data explores how organizational leaders can work together to mitigate concern and implement clearly defined policies and mobility goals. This blog will address the opportunities and risk of secure mobility from the top down. The first blog in this series discussing how concerns outweigh actions when it comes to mobility security can be found here. The second blog in this series highlighting how IT and business leaders can work together to develop secure mobility policies can be found here. The third blog in this series discussing how to close the gap between vision and real-world implementation can be found here.

Throughout this blog series, we’ve discussed several key aspects of implementing secure mobility policies and programs to ensure organizations can reap the benefits of mobility now and in the future. It’s clear that mobility is a top priority for IT and business leaders and most have a clear vision of the role mobility can and will play in their organization. Overall, they see both the risks and the rewards.

That said, responses gathered in the recent Dimension Data Secure Mobility Global Survey point to a gap between that overall vision and the likely real-world outcomes organizations will face – given that a number of crucial initial steps can ultimately save time, reduce costs, and, most importantly, ensure appropriate security controls are in place.

In this post, I’ll highlight the real opportunities and risk regarding mobility and security – and how business leaders can address the disparity between vision and actual deployment now and for years to come.

Understanding the Opportunity and the Real Risk

The threat to an organization’s proprietary information is certainly foremost in the minds of IT and security leaders. Interestingly, 71% of respondents of the recent Dimension Data survey indicated that their business leaders view employee utilization of personal mobile devices as potentially dangerous, costly and not business critical.

IT concerns about secure enterprise mobility risk are many. These include the introduction of malware into the environment from largely unmanaged devices or devices that organizations have little to no control over and the data leakage challenges by allowing users to have various parts of data outside of the network. In addition, many IT leaders ask:

  • “How are we actually going to deploy mobility security?”
  • “How are we going to support the users?”
  • “Will our IT help desk be able to meet the around-the-clock requests that today’s users demand?”

Read More »

Tags: , , ,

Empower Your Employees with a #MobileWorkspace

byod

[Webinar] Mobilize Your Employees with Cisco Solutions for a Mobile Workspace

We discussed the considerations behind the Cisco-Citrix Mobile Workspace solution to set the stage for the CVD (design guide available now!) earlier this month, and now we’ve planned a great technical deep-dive for customers and partners interested in finding out more about the Mobile Workspace Solution. It’s going to be at 10am PST Wednesday June 4, 2014 (Click to Register).

 Organizations are moving from just dealing with bring your own device (BYOD) and the influx of mobile devices to proactively developing solutions that use the full power of mobility. Because of the complexities and fluid technology horizon, this is often simpler said than done. Now you can simplify and accelerate your mobility projects by deploying a comprehensive mobility solution that has been tested and validated end to end.  Read More »

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , ,