
Gartner’s perspective on Cisco TrustSec

I am very pleased to be able to share some Gartner research on TrustSec.

While we’re continuing to make progress through broader product support, validation from auditors and implementation by other vendors, we believe that this research and Gartner’s perspective will provide you with a useful and informative viewpoint.

To read Gartner’s perspective on TrustSec please go to Cisco TrustSec Deployed Across Enterprise Campus Branch and Data Center Networks. We’d love to hear your feedback so please leave any comments below.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Source: Gartner Research, G00245544, Phil Schacter, 12 February 2013, refreshed 1 October 2014


Addressing Cyber-Security Challenges of Today and Tomorrow

Did you know that Cisco detects over 1.5 million intrusion attempts on Cisco’s network every day? With more than 13 billion NetFlow records captured daily, over 22 Terabytes of traffic inspected, and 750 Gigabytes of system logs collected on a daily basis, this volume is changing the landscape for how to secure intellectual property and confidential information and mitigate malicious attacks.

This brief video shares relevant security information, real-world experiences to help educate customers on security threats, and technology solutions deployed to secure Cisco’s intellectual property.


New Nexus 1000V Virtual Switch Release 3.1 Now Available

There has been some seismic activity happening in the Bay Area, and the epicenter for all virtual networking shifts is right here at Cisco HQ in San Jose. (Our sympathies go to all those affected by the real earthquake further to the north.) At Cisco, it’s all about the applications and the shift to dynamic network virtualization. Cisco pioneered virtual networking with the Nexus 1000V virtual switch and recently incorporated it in the application-aware Application Virtual Switch (AVS) for Cisco ACI-enabled networks. Cisco is excited to announce the availability of Nexus 1000V Release 3.1 for vSphere (available for download here). We are showing the upcoming generation of the virtual switch at VMworld in San Francisco this week.

Nexus 1000V is the edge switch for virtual environments, bringing the network edge right up to the virtual machine and connecting virtual ports to the physical network and beyond. The Nexus 1000V is the foundation for our virtual network overlay portfolio, including all of our virtual L4-7 application and security services, our cloud orchestration software, VXLANs and more. It is also at the heart of AVS, a purpose-built, hypervisor-resident virtual network edge switch designed for the Application Centric Infrastructure.

Release 3.1 is a new major release enabling enterprise and cloud provider customers running the vSphere hypervisor to leverage the distributed virtual firewall VSG, expand their VXLAN footprint in the datacenter, improve secure isolation through Cisco TrustSec, and dramatically simplify updates through Cisco VSUM (Virtual Switch Update Manager). Most of the new features are value-adds to the Advanced Edition. New customers will need a Version 3-specific license to use the full functionality of Version 3. Existing customers with a support contract are automatically entitled to a free upgrade to Version 3. AVS incorporates Nexus 1000V capabilities with consistent application policy enforcement for virtual workloads and unprecedented end-to-end visibility for applications in your data center.

Features of the new Nexus 1000V Release 3.1:

  • Scale
    • Increased Scalability (Advanced Edition) – More than doubles the scale from the previous release. The virtual switch now supports 250 hosts/servers per switch with 10,000 ports per switch. In addition, it supports 4094 active VLANs and 16 million VXLANs (6144 active VXLANs) per switch across 6144 port profiles.
    • VXLAN control plane – A BGP-based control plane across multiple virtual switches provides an expanded Layer 2 domain footprint that can potentially support nearly 40,000 VMs in a single domain.
    • Increased Resiliency – Supports headless port bring-up, where virtual machines can be brought up on the host even if the VEM is offline, i.e. the VSM is not reachable by the VEM. Both VSM headful and headless VM vMotion are supported.
  • Security
    • Cisco TrustSec 2.0 (Advanced Edition) – Continues to extend Cisco TrustSec solutions for network-based segmentation of users and physical workloads, leveraging Security Group Tags (SGT) for defining security segments, with SGACL support (enforcement) and native (in-line) SGT tagging.
    • BPDU Guard – Keeps the virtual network safe from misconfigured VLANs and strictly enforces VLAN boundaries. It prevents misconfigured VLAN rogue devices from flooding the network.
    • Storm Control – Prevents network disruptions from a broadcast, multicast, or unknown-unicast traffic storm.
  • Simplification
    • Simplified deployment, upgrade and visibility with Cisco VSUM – Cisco VSUM is a FREE virtual appliance that enables server and network administrators to deploy, upgrade and monitor Nexus 1000V, and to deploy and upgrade Cisco AVS, from within their vCenter web interface.
    • Customer Experience – Here’s what one of our beta customers, Josh Coen, says about Cisco VSUM. Josh is a Principal Cloud Architect with Varrow and has been working in the IT industry since 1999, with a heavy focus on virtualization and storage since 2008.

Nexus 1000V has already reached the 10,000-customer milestone, with some customers purchasing 1000+ CPU licenses. Nexus 1000V continues to provide the foundation for the most advanced virtual networks by supporting 1) multiple hypervisor environments, such as VMware vSphere, Microsoft Hyper-V and OpenStack KVM; 2) the most extensive set of virtual network services, including ASA 1000V Cloud Firewall, distributed zone-based virtual firewall, vWAAS WAN optimization, the Cloud Services Router (CSR) 1000V, Cisco Prime Network Analysis Module (NAM) and the advanced service insertion and chaining technology, vPath; and 3) a true management control plane that provides greater policy and control features for richer networking functionality.

We’ll be showing a lot of these features this week. Come by our booth and check it out. If you are around #VMworld this week, give us a shout-out on Twitter using the Cisco hashtag #ciscovmw. For those of you that can’t make it out to VMworld, listen to the review of these new features in Version 3.1 in this webcast.


Putting a Damper on ‘Lateral Movement’ due to Cyber-Intrusion

Analysis of high-profile cyber breaches often reveals how intruders gain their initial footprint in the targeted organizations and bypass perimeter defenses to establish a backdoor for persistent activities. Such stealthy activities may continue until intruders complete their ultimate mission—claiming the “crown jewels” of the victim organization.

“Lateral movement” is a term increasingly used to describe penetration activities by intruders (more information on lateral movement is available in Verizon’s 2014 Data Breach Investigations Report[1]). These activities begin with network reconnaissance, typically leading to compromises, hijacking of user accounts and ultimately privilege escalation to access sensitive data. Organizations may go to great lengths to detect and stop the initial breach and final data exfiltration, as well as establishing more intelligence at their ingress/egress perimeters. But how can you minimize the damage caused by an intruder’s lateral movement once your network is already compromised?


Batman, TrustSec, and PCI

One of my passions is PCI compliance. I know that sounds oxymoronic. How can someone actually be passionate about something as dry as compliance? Well, for the sake of argument, I prefer delusional rationalization. I think of myself as Batman! I don’t have his intelligence, money, car, or cape (well, I do have the cape, but that is another story), but I DO want to fight injustice where I can. I do think that there are bad guys out there trying to steal my family’s hard-earned money. PCI compliance is the leading method for securing the world’s payment systems. The bad guys are real, security is getting harder, and I want to fight on the side of good.

The problem with fighting crime with compliance is that it can be so complex. The general strategy to minimize the complexity of PCI compliance is to use segmentation. Segmentation typically involves putting credit card applications and devices onto their own network and using traditional firewalls to secure the perimeter. Although effective, this method brings about its own headaches around management. Firewall rulesets can become tedious and complex. Readdressing an entire enterprise with the sole driver of compliance is Herculean. Over time, if not properly managed and sustained, this method can lead to bloat, misconfiguration, or worse, a breach.
