What’s one thing in recent time that has taken center stage along with remote work policies? Security.
No one, I mean no one, ever wants to compromise on security – whether it is for oneself, family, company, or for anything that matters. Here we are going to talk about security that could impact any and all of us. The security of our network, our data, our personal information – family, financial, social, anything for that matter.
A single midnight call from a friend a few weeks back was a wake-up call for me: "Hey, I got this email from your email account and it looks like spam." My mind started racing: how is that possible? In the end it turned out to be a false alarm.
But it kept me thinking about security. What if someone could counterfeit the hardware or software running in millions of switches across a network? Customers and engineers on the data center floor would believe they were using trusted hardware and software, when in fact it could all be fake. We fix or patch CVEs and PSIRT advisories with the highest possible priority, but (unfortunately) we don't pay nearly as much attention to this part of the problem.
Remember the widely reported, though never independently confirmed, story from the 2015-2016 timeframe about a microchip the size of a grain of rice that silently exfiltrated corporate information? The question on my mind was: what is Cisco doing to mitigate this? Well, this is 2020, so it was a late wake-up call for me, but not for Cisco. Security is in Cisco's DNA.
This is why Cisco was an industry leader in implementing Anti-Counterfeit Technology along with secure boot in the 2016-2017 timeframe. Many Cisco products now integrate this technology, including the Cisco MDS 9000 Series 32G Fibre Channel modules and fabric switches.
So what is this Anti-Counterfeit Technology, called ACT2, and how does it work together with secure boot? Let's take a quick look. Together they ensure that a Cisco MDS 9000 Series platform running a Cisco NX-OS software image is genuine, unmodified and untampered.
Here is a quick overview. During manufacturing, Cisco burns a unique digital identity, the SUDI (Secure Unique Device Identifier), into the tamper-resistant ACT2 security chip on the hardware. The SUDI is an X.509 certificate, and the private key bound to it is generated inside the chip and never leaves it. When a customer receives the hardware, racks it and powers it on, the boot sequence challenges the ACT2 chip on each module with a fresh nonce, and the chip must prove possession of the private key that belongs to its SUDI. If the check passes, voilà, the hardware is Cisco genuine.
If instead the module fails to boot and reports the error "ACT2_AUTH_FAIL: ACT2 test has failed on module <module_number> with error: ACT2 authentication failure", something has been tampered with, hardware or software. In other words, if the module boots, you have peace of mind: the hardware passed ACT2 authentication and the software passed secure boot, so you are running Cisco genuine hardware with Cisco genuine software.
The same principle applies to the software. Cisco Secure Boot verifies the digital signature of each stage of the boot chain, from the first boot code through the NX-OS image, against Cisco signing keys anchored in the hardware trust anchor. If the NX-OS image has been corrupted or modified by malware, its signature no longer verifies, and the result is the same as above: the system refuses to boot. Cisco Secure Boot thus helps ensure that the code running on a Cisco hardware platform is genuine and untampered.
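To make the two checks described above concrete (the ACT2 identity challenge from the SUDI paragraph and the per-stage image verification from the secure boot paragraph), here is an added Python simulation of the boot sequence. It is example code written for this page, not Cisco's implementation, and it makes one labelled simplification: a real ACT2 chip holds an asymmetric private key bound to its SUDI certificate and images are signed with Cisco's code-signing key, whereas this simulation uses HMAC with shared keys so that it runs on the Python standard library alone. The stage blobs, serial number, key values and the SECURE_BOOT_FAIL message text are constructed samples; only the ACT2_AUTH_FAIL message is taken from the page.

```python
"""Simulated ACT2 identity check followed by a secure boot chain (added example)."""
import hashlib
import hmac
import os

# Constructed sample boot stages; on a real switch these would be the BIOS,
# the bootloader and the NX-OS image.
GENUINE_STAGES = {
    "bios": b"BIOS 3.0.1 (constructed sample)",
    "loader": b"bootloader 2.7 (constructed sample)",
    "nxos": b"NX-OS 8.4(2) image (constructed sample)",
}
BOOT_ORDER = ("bios", "loader", "nxos")

# Hypothetical keys. A real ACT2 chip holds an asymmetric private key bound to the
# SUDI certificate, and images are signed with Cisco's private code-signing key;
# HMAC with shared keys stands in for both here (an assumption of this example).
IMAGE_SIGNING_KEY = b"cisco-image-signing-key-(hypothetical)"
DEVICE_SECRET = b"per-device-secret-burned-at-manufacturing-(hypothetical)"
SUDI_SERIAL = "JAE12345678"  # constructed serial, not a real device


class Act2Chip:
    """Stand-in for the tamper-resistant identity chip on a module."""

    def __init__(self, serial, device_secret):
        self.serial = serial
        self._secret = device_secret  # never returned by any method

    def prove_identity(self, nonce):
        """Answer a boot-time challenge; only a chip holding the secret can."""
        return hmac.new(self._secret, self.serial.encode() + nonce, hashlib.sha256).digest()


def _serialize(manifest):
    return "\n".join(f"{n}:{manifest[n]}" for n in sorted(manifest)).encode()


def sign_manifest(stages, key=IMAGE_SIGNING_KEY):
    """Release side: record the digest of each stage and authenticate that record."""
    manifest = {name: hashlib.sha256(blob).hexdigest() for name, blob in stages.items()}
    return manifest, hmac.new(key, _serialize(manifest), hashlib.sha256).digest()


def secure_boot(chip, stages, manifest, manifest_tag, module_number=1,
                device_secret=DEVICE_SECRET, key=IMAGE_SIGNING_KEY):
    """Return (booted, message). Fails closed at the first check that does not pass."""
    # 1. ACT2 authentication: challenge the chip with a fresh nonce so a recorded
    #    answer from a genuine chip cannot be replayed by a clone.
    nonce = os.urandom(16)
    expected = hmac.new(device_secret, chip.serial.encode() + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(chip.prove_identity(nonce), expected):
        return False, (f"ACT2_AUTH_FAIL: ACT2 test has failed on module {module_number} "
                       "with error: ACT2 authentication failure")
    # 2. Secure boot: the digest record must itself be authentic before it is trusted.
    tag = hmac.new(key, _serialize(manifest), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, manifest_tag):
        return False, "SECURE_BOOT_FAIL: image manifest signature invalid"
    # 3. Verify every stage in boot order; a single changed byte changes the digest.
    for name in BOOT_ORDER:
        if hashlib.sha256(stages[name]).hexdigest() != manifest.get(name):
            return False, f"SECURE_BOOT_FAIL: {name} image failed signature verification"
    return True, "boot OK: genuine hardware, genuine software"


if __name__ == "__main__":
    manifest, tag = sign_manifest(GENUINE_STAGES)
    genuine_chip = Act2Chip(SUDI_SERIAL, DEVICE_SECRET)
    print(secure_boot(genuine_chip, GENUINE_STAGES, manifest, tag))
    # Malware-modified NX-OS image: manifest is fine, the stage digest is not.
    tampered = dict(GENUINE_STAGES, nxos=GENUINE_STAGES["nxos"] + b"\x00")
    print(secure_boot(genuine_chip, tampered, manifest, tag))
    # Counterfeit module: right serial printed on the label, wrong secret inside.
    print(secure_boot(Act2Chip(SUDI_SERIAL, b"clone"), GENUINE_STAGES, manifest, tag))
```

Two design points carry over to the real product regardless of the key type: the checks are ordered so that software is never inspected on hardware that has not proven its identity, and every failure stops the boot rather than logging and continuing. The constant-time comparison (`hmac.compare_digest`) is what a verifier should use for any tag or signature check.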
So what does this feature cost the customer? Zero. It also requires no configuration at all; it is fully transparent.
Another compelling reason why Cisco MDS 9000 Series switches are the better choice compared with any other Fibre Channel switch on the market.
Now you have the peace of mind to relax. You know your data center is running on Cisco MDS 9000 Series Switches with security built in.
So, as Stephen Yu has said, security is better when it is built in, not bolted on. Do you agree?
For more details, please read the Cisco MDS 9000 Series Security Configuration Guide, Release 8.x, or ask your Cisco account team to engage us for an in-depth discussion.
To learn about more such unique benefits of Cisco MDS 9000 Series Switches, here are a few other blogs:
Question: Does this only protect the switch on boots of supervisors, or will the same authentication be applied to the presented N_ports to verify the server connected is the original and not a clone or fake image?