Some vendors and analysts contend that the network just connects boxes and all you need is a tactical infrastructure, capable of addressing current requirements. But with all the challenges today around security, plus mounting evidence that the winners in today’s market are those that are differentiating themselves with innovative customer experiences, I can’t help but ask, “why?” The tactical, ‘good-enough’ network is not only shortsighted; it’s potentially harmful. A disrupter? Yes, but not the desirable kind.
Building a forward-looking network that can evolve through today’s business challenges into the future is not pie in the sky. In fact, it’s a smart business decision that can ultimately save lots of IT dollars while beefing up your capabilities and security. More importantly, it’s key to creating a platform that doesn’t give out on or frustrate your end users—employees, customers, and partners.
At Cisco Live, I stopped for a quick chat about the next generation network. Listen in, below:
To learn more about the Cisco next generation network, go to cisco.com/go/borderless. In the meantime, though, please share your thoughts. What stands in your way when it comes to building a smart, strategic network?
Bitcoin is an emerging technical and economic phenomenon, based upon a self-published paper by Satoshi Nakamoto. Many sites have taken notice of Bitcoin and have published some very thoughtful “what is Bitcoin,” “How-to get started” documentation. But the resources available to address Bitcoin are few, and primarily oriented toward enthusiasts, casual hobbyists, or those interested in making and securing a profit off of Bitcoin generation (“mining”). In this post, we make an effort to extend the Bitcoin security body of knowledge, but from an organizational perspective: what are the risks associated with adopting Bitcoin, intentionally or unintentionally.
I started my professional life using a mainframe. Back then the people running the mainframe world were known as the “data center guys.” These guys had a certain DNA combination that created an expanding waistline, a retreating hairline, a belt buckle the size (and shape) of Texas, and a penchant for big iron. This crowd ruled the data center for a long time, but virtualization in the data center is now driving a radical shift that seems to be changing everything.
Instead of having an application running on a dedicated tower of hardware power, apps are now free from the limitations of the infrastructure underneath. Hardware is evolving rapidly into dynamic blocks of utility computing (and storage and networking) that can be standardized, widely deployed, and efficiently utilized. This change is good news, as it can cut data center costs by 50 percent or more. If the big iron crowd from the mainframe days doesn’t adopt this fundamental shift, they’ll be hanging up their Texas belt buckles in the computer museum next to the punch card, the VAX, and a replica of the ILLIAC.
The same shift is also happening with security. Since most security products are primarily software based, it is not much of an effort to repackage these products as “virtual security.” But merely repackaging security products misses the point. Today’s security architecture was built at a time when the workplace was very different than it is today. End users would come into the office and work on a PC, which sat on a desk and was connected by a wire to a port on the wall. At this time, the IP address was a pretty good proxy for the user’s identity. And applications would each run on their own tower of power—hardware that was often running in a unique data center rack or racks. Therefore segmenting the data center in this era was relatively easy; it was based on IP address ranges and, later, on virtual LANs (or VLANs).
But the workplace of today (and tomorrow) looks very different. We’re no longer tied to a specific lump of hardware. We expect to access our apps in the cloud from any device, at any time, from anywhere. Therefore the IP address is a less useful means of defining data center boundaries.
We need a new capability that allows the security team to maintain its meaningful policy enforcement capability, while enabling that policy to be relevant across all infrastructure—physical and virtual. An important nuance here is that the policy should be consistently enforced across physical infrastructure as well as across virtual infrastructure from any virtualization vendor. This level of enforcement requires special access to the hypervisor. Without this access, a virtual security solution can’t see traffic between two virtual machines (VMs).
How the various security vendors plan to address hypervisor access is still an open question. And how that question gets answered is significant—and is likely to reshape the security vendor landscape.
So as we consider various virtual security solutions, simply repackaging today’s security software as a VM running in a cluster of other VMs is extremely uninteresting. Instead we must reimagine the way that we build and deploy security solutions. How do we bridge the policy model from today’s hardware-based firewalls to the virtual firewalls of tomorrow? How can we maintain a separation of duties, so that security policy definition is separate from traditional network operations? And how will we orchestrate all of these components in the dynamic, nimble data center of tomorrow? These are not small issues. But of course, that’s what makes my job fun.
Many of you have asked me and my team about the session codes for the new Manufacturing Industry Industrial Intelligence day on 12th July 2011 and how to register for the exclusive sessions if you’re attending Cisco Live! So here’s the scoop:
Since many of you have a full conference registration package, you have access to Industrial Intelligence Day as part of your pass. Yes -- we made it possible! You can game the system. We made it easier than Groupon!
You can sign up for the following 3 sessions on CiscoLive Scheduler at https://www.ciscolive2011.com/scheduler (use your login you received with your confirmation) and just click ‘add to schedule’.
The great thing is you can now win an iPAD2by attending these sessions*
Please note that all 3 sessions will all be conveniently held in the same room -- Mandalay Bay F on Tuesday, July 12th, starting with a hosted breakfast at 7 am. An informal networking hosted lunch is also included as part of the day. Read More »
Today, there are many strong cryptographic algorithms and protocols, standards for their use at every layer of the network, and interoperable implementations in many products and in open source. When used appropriately, they provide strong safeguards against attacks that target our networks. Unfortunately, none of this good cryptography will protect anybody if it is used with secrets that are guessable.
Humorist Gene Weingarten claims he knows the secrets that protect the U.S. nuclear launch codes: 070494, which happens to be the date of Obama’s daughter’s birthday. No doubt the secrets are actually better chosen than that, but the joke conveys an important truth: you can’t expect everyone to choose passwords well. You should regard passwords that are human-generated or human-memorable as being guessable. A cryptographic system is only as strong as its weakest element. When human-generated keys are used in cryptography, the system should not be expected to resist a knowledgeable attacker.
The most secure key management technology is digital certificates; you should use them when you can. If for some reason you can’t, and you need to use shared secret keys, then you should make sure that those keys are generated by a uniform random process, and not by an administrator in a hurry. I will get to advice on certificates and key generation later, but first, I would like to explain why passwords and cryptography don’t mix well.