Cisco Blogs



Virtual Desktops are Special….

I, just like my colleague Tony Paikeday, am somewhat preoccupied these days with the fast-changing world of the desktop and its impact on data center infrastructures. I wanted to pick up on Tony’s desktop virtualization “just another workload” blog back in November because it is a subject of growing discussion, especially with “cloud” being all the buzz. While desktops are an increasingly popular workload to get started with private cloud initiatives, does that mean that data center architects are mixing desktops with more traditional data center workloads?

Talking to our system engineers who are helping plan and design desktop virtualization deployments day in, day out, the more I learn that there are very good reasons for treating this workload as special and separate.

The first thing I hear about is sizing of the desktop workload. A “desktop” is not a “desktop”. You can’t just characterize a generic Win 7 desktop for compute, memory, I/O and storage IOPS. You need to be able to customize the infrastructure profile to the specific user type being deployed. Therein lies the danger of mixing these virtual desktops with production workloads, where desktops could end up capturing valuable resources of mission-critical services. For example, consolidating a company procurement application on the same compute pool as your desktop workloads could result in a lot of unproductive – or even worse – unhappy employees.


Cisco 1Q11 Global Threat Report

The Cisco 1Q11 Global Threat Report has been released. The report covers the period from 1 January 2011 through 31 March 2011 and features data from Cisco Security Intelligence Operations. This quarter’s contributors include Cisco Intrusion Prevention System (IPS), IronPort, Remote Management Services (RMS), Security Research and Operations (SR&O), and ScanSafe.

Unique Web malware increased 46% from January to March 2011. 16% of encounters were via online searches and webmail. Likejacking, where users are tricked/forced into registering a click with the Facebook “Like” button, increased from 0.54% to 6% throughout the quarter.


Live Interop Session: Customer Case Study, Take Control of Mobile Devices on Your Network

Tablets and mobile devices are driving massive change in the IT world. We are seeing a few key shifts that need to be addressed:

The user to device ratio has changed, while IT resources stay the same:

  • Early 1990s: Each user has one device on a wired connection.
  • Late 1990s: Users have gone mobile with laptops and other local devices.
  • Today: Employees require anytime, anywhere access with multiple devices per person.

IT is struggling to secure, manage and support employee-owned devices in the workplace, bringing its own set of challenges:

  • Classifying managed vs. unmanaged endpoints.
  • Ensuring proper identification and authentication of devices.
  • Associating each user with the proper host.

It all comes down to this: when your employee brings an iPad into work, how can you centralize access and policy management, without adding IT resources?

Join our session to learn how the Cisco Identity Services Engine and Cisco Prime Network Control System offer the solution. Timothy Abbott, Senior Network Engineer, CCNA, CCNP will be on-site to present a case study from his experience at the San Antonio Water System.

We hope to see you Wednesday May 11th, 11:15am to 12:00pm in the Mandalay Bay L conference room.


Social Media Brings a New Wave of Threats, Part 2

The next wave of spam is now making its way into social networks. One example of this type of threat is the Koobface malware, distributed through social networks such as Facebook. Koobface tricked users into downloading the malware, which then spread via the network of trusted friends. (For more details, please read Unsociable: Social Media Brings a New Wave of Threats.)

Facebook recognized this malware was a major problem. The trick to solving it, though, was determining how to distinguish the behavior of a bot acting like a human from the behavior of a real human. The initial answer seemed clear: selectively use a “captcha.” A captcha is the squiggly letters or numbers with interspersed lines that websites use to verify the user is a real person, not a bot. It’s very difficult for a machine to read the captcha and enter the right characters. (IMHO it is difficult for a person to enter the right characters, too—so no wonder a bot can’t do it.)


Credential and Attribute Providers in the NSTIC

This is part of an ongoing series on the National Strategy for Trusted Identities in Cyberspace. The introduction to this series can be found here.

The National Strategy for Trusted Identities in Cyberspace (NSTIC) describes two types of intermediaries between subjects (users) and relying parties: identity providers and attribute providers. This is a separation not frequently found in identity systems. In order to emphasize this distinction, I often use the term “credential provider” or “authentication provider” rather than identity provider to refer to a service that provides authentication services and makes assertions resulting from authentication but does not directly provide attributes about the subject.

A credential provider can be thought of as a key cabinet. The subject authenticates to the credential provider in order to “unlock” the cabinet of credentials. As with a physical key cabinet where different keys inside are used for different things, the credential provider serves different credentials to different services. Ideally, the identifiers used for each of these services would be different; a good identifier is also opaque, meaning that the identifier itself provides no additional information about the subject. Provided that the choice of credential provider itself does not reveal significant information about the subject, a subject can be generally pseudonymous with respect to the relying party until the subject authorizes the release of identifying attributes.
