Business leaders of modern companies are rarely interested in the subtleties of IT and the nuances of network technologies. This is not surprising: the result is important for business.
But the desired business result is obtained thanks to the coordinated work of many business processes. Most of them are related to the transfer of information. And most of these business processes rely on network applications running on top of the network.
In a modern corporate environment, business cannot work without a network and applications. Moreover, in the era of digitalization and the Internet of Things (IoT), business’s dependence on IT is only increasing, because more and more business-critical applications running on top of the network appear.
Thus, ensuring the proper operation of network applications and, consequently, of the network itself is crucial for modern companies.
How to do it?
To solve this problem, it is necessary to follow the many recommendations described in the design guides and in the special literature. But ultimately, based on them, we can formulate three key areas:
At the same time, the most important and necessary component of each direction is information security, ideally according to the model of zero trust or "white list", within which access to a specific resource is provided only to those users for whom there is such a business need.
Consider these areas in more detail.
A fundamental and obvious point. The network should work and transmit information from point A to point B whenever the business needs it. Otherwise, business processes will not be able to work, and the business will incur direct or indirect losses.
Transferring information from point A to point B is necessary, but not enough. Business processes work correctly only when various kinds of policies are implemented. For example, ensuring the confidentiality, integrity and authenticity of information requires security policies. Another example: the proper quality of business applications requires meeting the required values of delay, jitter and packet loss, which in turn may require a Quality of Service (QoS) policy.
The peculiarity of the implementation of policies is that the effect of them is as strong as the weakest link. This means that end-to-end policy implementation, which covers the entire corporate network, is required to achieve the desired business result.
In addition, missing or inadequately implemented policies can undermine the basic task of connectivity itself. For example, an ineffective security policy can let an attack on the network infrastructure or its services through, and complex device configurations combined with the "human factor" can lead to configuration errors. Either of these creates the preconditions for traffic outages and service unavailability.
The implementation of policies can be effective only when the policies are consistent with each other and can be promptly updated at the pace needed by the business.
The realities of modern business dictate the need for prompt updating of these end-to-end policies. This usually occurs when new business processes are launched, changes in existing processes or when work is being done to optimize their support from the network. Delays in updating policies are unacceptable, as they will delay the launch of new business initiatives or increase business risks. Therefore, speed is very important, and in the conditions of digitalization it becomes even more important. A gain in speed can lead to significant financial results. In some cases, speed is so critical that the success of the entire business initiative depends on it.
To fulfill these conditions and properly implement the policies, orchestration tools are needed that operate along the entire information transfer route — for example, from the computer of a remote office employee to a server in a corporate data center.
Orchestration tools are becoming an increasingly important and necessary part of a modern corporate network. Indeed, without them it is simply impossible in practice to implement end-to-end policies on a large number of network infrastructure elements and then to update them quickly.
Solving the first two tasks — providing reliable transport and cross-cutting policies — is the prerequisite for orchestration. Obviously, any services rely on transport. It is also clear that orchestration is possible only when there are effective, flexible mechanisms for implementing policies. Thus, the orchestration is "at the top of the pyramid" of the three problems considered.
How are things going in terms of the designated tasks in the typical corporate networks of today?
Theoretically, a typical corporate network can easily perform task 1 and provide reliable transport, because the necessary technical means exist for this: dynamic routing protocols, high availability mechanisms and so on.
In practice, the problem is much harder. Besides carrying packets from point A to point B, the network must also enforce policies, and any non-trivial policy affects transport. Interdependencies arise between the functionality that implements policies and the functionality that provides transport. Network device configuration becomes much more complex, and so do network operation and troubleshooting. Maintenance windows get longer and the probability of error rises. Ultimately the availability of the network, and hence of the business processes, decreases, which suits the business less and less.
The situation with policies is no better. The TCP/IP protocol stack has no means of marking packets as belonging to a particular group of users or hosts and applying policies to such packets. In practice, administrators have to look for a substitute, and the IP address is used almost everywhere for this purpose, although it was never intended for it. Nevertheless, the IP address is what is usually used as the criterion for a packet's membership in a given group of users.
Using IP addresses in this way creates an interdependence between two different functions: addressing and policy enforcement. Changes desired for one function inevitably affect the other, and as a result the network loses its flexibility. For example, addressing optimization and other significant changes to a corporate network's IP addresses often become all but impossible, because they would break the policies.
But this is only part of the problem. Work with addresses, as a rule, occurs manually, and the policies based on them become very complex, cumbersome and very vulnerable to the "human factor". As a result, the speed and quality of the application of policies suffers, and the risks of business process disruptions due to network problems significantly increase.
As for end-to-end orchestration of services, it is absent from the typical corporate network. A real corporate network is rarely homogeneous. Rather, it is built from a set of equipment with heterogeneous functionality, from different manufacturers, with different implementations not only of the command line interfaces but also of network protocols and standards. Not all devices have such functionality in the right form and volume. In addition, the equipment configurations of a real network are inconsistent and complex, and over time complexity and inconsistency tend to increase. Orchestrating services in such a network is not only difficult to implement, but is also likely to lead to failures due to conflicts between automated and manual approaches to network management. As a result, implementing end-to-end orchestration of services in such a network is almost impossible.
Another problem is coordination. Before business intentions are translated into specific commands on network equipment, they pass through a chain of people from different departments with completely different specializations and mentalities: from business leaders through a chain of managers to specialists in applications, data centers, network technologies and security. Such people "speak different languages." As a task is passed along the chain, its meaning is not always preserved exactly and in full. The situation is often further complicated by the peculiarities of interdepartmental cooperation characteristic of many organizations.
In the final analysis, the complexity of implementation often leads to the fact that the initiative a business needs is implemented with insufficient quality, not in full, not on time. Sometimes the implementation is so stretched that the initiative becomes obsolete even before the implementation is completed. Or the implementation is not carried out at all.
As we saw in the previous section, even the tasks of providing reliable transport and building end-to-end policies, not to mention end-to-end orchestration, are not always satisfactorily resolved in a typical modern corporate network.
But for effective support of business processes, the solution of all three tasks is required - and with high quality and in full.
Understanding this, Cisco purposefully develops not just new products and technologies, but holistic architectures, such as Cisco DNA, aimed at effective business support.
Creating such architectures requires end-to-end implementation of policies and orchestration tools. In turn, this requires the manufacturer to have a product portfolio and in-depth expertise in all technological areas covered by the architecture. For a modern corporate network, such areas are wired and wireless local networks (LAN/WLAN) at the central site and in branches, data center networks, wide area networks (WAN), and end-to-end information security solutions. In addition, effective implementation requires additional tools for monitoring traffic and analyzing it up to the application level, backed by powerful analytics.
Today, Cisco is the only manufacturer able to cover all of these areas. Moreover, Cisco has already implemented solutions in each of the areas. Consider them in more detail.
Modern Cisco solutions for building the transport infrastructure of a corporate network are based on the concept of a network fabric. The network fabric comprises two network topologies: the underlying IP network, which solves the problem of transferring information from point A to point B, and the overlay topology that runs on top of this IP network and on which policies are implemented. In established terminology, the term "network fabric" often refers to the overlay running on top of the core network.
Traditionally, in campus networks both transport and policies were implemented on a single network topology. Practice has shown that attempting to solve both the transport task and the policy task in the same topology usually results in neither being solved effectively, because the two tasks place conflicting demands on the network. Reliable transport requires high availability and therefore stability, with a minimum of changes. Applying policies and keeping them up to date, on the other hand, requires making changes to the network and disturbs its stability.
Moreover, in practice, when combining transport functions and policies in a single topology, interdependencies arise. Changes in the functionality related to the solution of one task change the solution to another. This complicates the network, complicates the implementation of services and policies, slows down the implementation of business initiatives.
The network fabric concept overcomes these contradictions. The single complex task of implementing both transport and policies at once, characteristic of a single-topology network, is divided into two simpler tasks: transport is implemented separately in the IP backbone network, and policies in the overlay of the network fabric.
Such a separation of logic abstracts the tasks from each other, reduces interdependencies to a minimum and creates optimal conditions for solving each of them. That is why it is much easier to implement end-to-end policies, automation and orchestration in a network fabric and, ultimately, to ensure a quick network response to business initiatives.
This is the main idea of the network fabric, implemented in modern Cisco solutions for the corporate network, including LAN, WAN and data center.
The campus network fabric is implemented in the Cisco Software-Defined Access (SD-Access) solution. SD-Access allows you to build a software-defined campus network controlled by the Cisco DNA Center controller. The controller also provides a graphical interface that significantly speeds up planning and deploying the network, defining and automating the enforcement of policies, and monitoring and troubleshooting.
SD-Access implements the logic separation described above, which solves the problems of transport and end-to-end policies across the campus network. In addition, the separation of logic and the use of the DNA Center controller allow new policies to be implemented quickly and existing policies to be adapted to new business requirements.
DNA Center also provides a REST API for integration with higher-level orchestration systems, third-party applications and the customer's own specialists. The API abstracts the network and makes it possible to implement scalable orchestration of services in terms relevant to applications and the business. The API also provides access to analytics and trend analysis results from the Assurance tools of the DNA Center controller.
The API makes it possible to orchestrate services not only within the network fabric at the central site, but also to integrate this fabric with the rest of the corporate network, including the WAN and the local networks of the branches.
Overlay network topologies as such have long arrived in the WAN in Cisco solutions. They have already been used in DMVPN technology, then they were further developed in the Cisco IWAN solution based on DMVPN. Today’s and tomorrow’s WAN solutions in Cisco’s portfolio are SD-WANs, managed by a DNA Center controller and incorporating Viptela technologies.
Cisco also offers the network fabric concept for branch offices. As part of this concept, the network fabric covers the routers, switches and WLAN infrastructure of the branch office, likewise managed by a DNA Center controller.
Applying the network fabric concept in the campus network, the WAN and the branches opens the way to a homogeneous transport environment with flexible end-to-end policies and orchestration capabilities.
As a result, SD-Access and SD-WAN provide an effective solution to all three tasks, from reliable transport to end-to-end orchestration of policies and services in a network fabric, with the possibility of extending orchestration to the entire corporate network.
The implementation of a network fabric in a corporate network would be incomplete without covering the data center network infrastructure. Cisco solved this problem in 2013 by releasing the Cisco Application Centric Infrastructure (ACI) solution.
Like SD-Access, ACI includes a core IP network that solves transport problems, and an overlay that implements policies. The Cisco ACI network fabric is managed by a cluster of APIC controllers, with which the administrator sets policies and performs the remaining tasks of managing and monitoring the data center network.
Ultimately, the data center is created for the work of corporate business applications that implement the necessary business services. The landscape of such applications is usually quite complex. Ensuring the operation of even one business service may require complex interactions of groups of different server types. Information is transferred between them and is processed in a certain sequence, executing the required business logic.
The fundamental difference between traditional data center networks and ACI is in the approach to the implementation of such business logic. In a traditional network, you must first translate business logic from the terms of the application world to the terms of the network technology world, and then assemble it from "low-level" network structures, such as VLAN, VRF, etc. This process involves the tight collaboration of people with different areas of expertise, such as experts in the field of network, applications, etc., requires a significant investment of time and effort. And Cisco ACI allows you to initially set the desired interaction logic, implementing it in the network automatically by means of an APIC controller.
Another fundamental difference lies in the speed of implementation of this logic. The traditional approach involves setting up network infrastructure elements through the CLI or, at best, using a management system. This approach is adequate for static network configurations, but it works the worse, the more dynamic the environment and the more often you need to make changes to the transport settings and policies. But this is exactly what needs to be done in order to implement new services and applications, especially in modern data centers with virtualization.
ACI solves this problem thanks to the capabilities of the APIC controller in the field of automation and programmability. The controller offers a very rich object model, accessible through the REST API. The API accepts and returns messages specified in JSON or XML formats. In addition to the API, Cisco provides additional tools such as ACI Toolkit, Cobra SDK, Arya, etc., as well as automation with Puppet and Ansible.
ACI also offers a high level of information security. To transfer information through the ACI infrastructure, it is necessary to explicitly define groups of interacting hosts with an optional indication of the types of allowed traffic. This approach is convenient for implementing security policies on the model of zero trust ("white list").
The Cisco SD-Access and ACI network fabrics integrate with each other, providing policy translation and end-to-end operation across the entire corporate network, from a personal computer in a branch office to a server in a corporate data center.
Thus, Cisco ACI offers opportunities to solve all three tasks.
In the previous sections we touched on the importance of implementing policies and on Cisco solutions for the corporate network infrastructure, including the data center.
Security policy occupies a key place among policies. Given the incessant growth in attacker activity and the abundance of attack vectors, an intruder getting into the corporate network is only a matter of time. This requires effective protection measures for the situation where the attack has already taken place and the attackers have "penetrated" inside the network (according to ZK Research, about 80% of intruders penetrate from inside the protected perimeter).
An effective security measure in such conditions is the segmentation of users and resources into groups isolated from each other, between which only the traffic needed to solve business tasks is allowed. If the business tasks do not involve any traffic exchange between two groups, it is blocked completely. Such an approach (the zero trust or "white list" model) makes it possible to significantly limit the damage caused by attacks and to hinder or prevent their further spread through the corporate network.
Traditionally, the segmentation problem was solved by creating static virtual topologies and access control lists on the network, using the IP address as a criterion for decision making. But as practice shows, such an approach requires a lot of effort, deprives the network of flexibility and is associated with significant implementation risks. In general, the traditional approach works the worse, the more dynamic the segmentation environment and the more diverse the groups of segmented users and resources. Effective solution of the segmentation problem requires the means to centrally set and automatically apply access control policies throughout the network.
Cisco developed TrustSec technology to solve this problem. TrustSec uses SGT (Scalable Group Tag) tags rather than IP addresses as the criterion for applying access control policies. Tags are assigned automatically at the TrustSec domain boundary by the Cisco ISE server based on the results of authentication and authorization of the user or device; the network infrastructure then applies access control policies based on the tag values and on rules keyed to the tags. These rules are set centrally by the administrator on the Cisco ISE server and are automatically loaded onto the network infrastructure elements as SGACL access control lists. The rules can also be set in the DNA Center controller interface, in which case they are synchronized with Cisco ISE and then distributed across the network infrastructure.
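The following is an added illustration, not Cisco, ISE or TrustSec code, of the contrast drawn above and in the earlier discussion of IP addresses standing in for group membership: a policy keyed on group tags survives readdressing, while an IP-based ACL for the same intent silently changes meaning when a server moves to another subnet. The group names, tag assignments, addresses, ports and rules are all constructed for the example; the data structures stand in for an SGT/SGACL matrix and are not ISE's actual schema.

```python
"""Group-tag (SGT-style) access control versus an IP-based ACL.

Added example, not Cisco code. It models one point from the text: when the
IP address substitutes for group membership, renumbering breaks the policy,
whereas a policy keyed on group tags is unaffected by addressing changes.
All names, tags, addresses and rules below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed tag-to-tag matrix: (source group, destination group) -> allowed TCP ports.
# Any pair not listed is denied: the white-list / zero-trust default.
SGACL = {
    ("Employees", "Finance_Servers"): {443},
    ("Finance", "Finance_Servers"): {443, 1433},
    ("Employees", "Intranet"): {80, 443},
}

# Constructed identity-to-group assignments (the result of authN/authZ, as ISE
# would produce). Keyed by identity, not by address.
IDENTITY_TAGS = {
    "alice@example.test": "Employees",
    "bob@example.test": "Finance",
    "fin-db-01": "Finance_Servers",
    "intranet-01": "Intranet",
}


@dataclass(frozen=True)
class Flow:
    src_identity: str
    dst_identity: str
    src_ip: str
    dst_ip: str
    dport: int


def sgt_permits(flow: Flow) -> bool:
    """Decide using group tags only; the IP addresses play no role."""
    src_tag = IDENTITY_TAGS.get(flow.src_identity)
    dst_tag = IDENTITY_TAGS.get(flow.dst_identity)
    if src_tag is None or dst_tag is None:
        return False  # unknown identity -> no tag -> denied by default
    return flow.dport in SGACL.get((src_tag, dst_tag), set())


# Constructed IP-based ACL expressing the same intent the traditional way:
# (source prefix, destination prefix, TCP port). Finance DB lives at 10.20.0.10.
IP_ACL = [
    (ip_network("10.10.0.0/24"), ip_network("10.20.0.10/32"), 443),   # Employees
    (ip_network("10.11.0.0/24"), ip_network("10.20.0.10/32"), 443),   # Finance
    (ip_network("10.11.0.0/24"), ip_network("10.20.0.10/32"), 1433),  # Finance
]


def ip_acl_permits(flow: Flow) -> bool:
    """Decide using addresses only, as a static ACL would."""
    src, dst = ip_address(flow.src_ip), ip_address(flow.dst_ip)
    return any(src in s and dst in d and flow.dport == p for s, d, p in IP_ACL)


def compare_after_renumbering() -> dict:
    """Same user and server before and after the Finance DB moves to 10.30.0.0/24."""
    before = Flow("bob@example.test", "fin-db-01", "10.11.0.5", "10.20.0.10", 1433)
    after = Flow("bob@example.test", "fin-db-01", "10.11.0.5", "10.30.0.10", 1433)
    return {
        "sgt_before": sgt_permits(before),   # True
        "sgt_after": sgt_permits(after),     # True: tags did not change
        "ip_before": ip_acl_permits(before),  # True
        "ip_after": ip_acl_permits(after),    # False: the ACL now denies legitimate traffic
    }


if __name__ == "__main__":
    for name, verdict in compare_after_renumbering().items():
        print(f"{name}: {'permit' if verdict else 'deny'}")
```

The same tag matrix also denies an ordinary employee's attempt to reach the database port directly (`Employees -> Finance_Servers` allows only 443), which is the lateral-movement containment the segmentation paragraphs describe, and it does so regardless of which subnet either endpoint currently occupies.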
SGT tags are used as a criterion for implementing access control policies on network infrastructure elements, such as switches and routers, and on Cisco Firepower firewalls, Cisco Web Security Appliance web traffic control servers, and other devices.
Cisco ISE can serve as a single source of identity information for the SD-Access campus network and the ACI-based data center. In this case ISE holds the mappings of IP addresses to groups, both for the SGT tags in the campus network and for the EPG host groups in the ACI environment. This makes it possible to create end-to-end policies across the corporate IT infrastructure.
In addition, Cisco has implemented the REST API and Cisco Platform Exchange Grid (pxGrid) in ISE, offering automation and integration of information security solutions into a single context-sensitive system that takes advantage of the capabilities of its system components.
As a result, businesses receive flexible, scalable, and powerful segmentation tools suitable for automating access control policies. Such means are necessary to solve the tasks of implementing policies and orchestration.
The requirements of modern business for the availability of the IT infrastructure and for rapid, effective implementation of policies create the need for new tools. Administrators need to make sure that the infrastructure behaves as it should and, if necessary, take measures to bring it to the target state as soon as possible. That is why Cisco pays close attention to analytics and telemetry. Consider some of these tools.
Traditionally, in the course of network operation and troubleshooting, administrators use an extensive array of disparate tools and sources of information, trying to ensure business continuity. But as practice shows, this has at least three serious drawbacks.
First, a reactive rather than proactive approach to operations. The available tools do little to help with prevention; in most cases administrators solve problems rather than prevent them.
Secondly, numerous disparate tools complicate operation and troubleshooting and do not provide a holistic picture of what is happening.
Thirdly, the abundance of data that has to be processed and interpreted leads to overload and does not speed up problem resolution. Administrators do not need data as such; they need conclusions.
To solve these difficulties, Cisco implemented Assurance analytics functionality based on a DNA Center controller. It offers opportunities to increase the availability of business processes by proactively identifying and solving problems in the network infrastructure.
Assurance works by collecting service data, streaming telemetry and contextual information from the network infrastructure, client devices and service servers such as Cisco ISE, as well as from ITSM (IT Service Management) and IPAM (IP Address Management) systems.
Assurance analyzes and correlates the collected information in real time using analytics and machine learning tools. Based on the findings, Assurance provides the administrator with a comprehensive picture of what is happening, including conclusions about the state of network infrastructure elements and client devices, problems and trends, as well as specific recommendations and steps for troubleshooting. In addition, Assurance offers assistance in resolving incidents through the automated implementation of issued recommendations.
As a result, Assurance allows you to ensure the proper operation of your IT infrastructure and, if necessary, immediately take concrete measures to resolve incidents, thereby helping administrators ensure business continuity.
Effective policy development requires a mandatory understanding of the information flows for which these policies are developed. Such an understanding of the corporate network can be obtained by analyzing business processes running on top of the network. Such an analysis reveals the key applications needed for business, the protocols on top of which these applications work, the location of sources and consumers of information flows.
This task, already difficult in the corporate network, becomes especially difficult in a modern data center, because the landscape of modern applications that implement the necessary business services is very complicated. Applications can have a distributed architecture with multiple interdependencies, and with the spread of microservices the picture becomes even more complicated. Taking into account the dynamics of the data center application environment and the mobility of modern virtualized workloads, identifying and analyzing information flows in a modern data center becomes a rapidly moving target. In practice, such a target is unattainable by "manual" analysis because of the enormous volume of information flows and their dynamics. Automation with third-party applications does not solve the problem with the proper quality either, because of the lack of the necessary input data and the insufficient performance of the available analysis tools.
To solve this problem, Cisco offers the Tetration Analytics platform, which includes data acquisition and analytics tools. Data collection is implemented by compact software sensors at the level of server operating systems, hardware sensors based on integrated circuits (ASIC) of the corresponding Cisco Nexus 9000 series switches, as well as sensors that process ERSPAN and NetFlow traffic. Analytics is implemented by software that runs on a high-performance server cluster.
The server cluster receives highly accurate information from the sensors on the data center every 100 ms. The system analyzes information flows in real time with packet accuracy at the speed of the communication channel, while the solution is currently scaled to 25,000 servers (virtualized and physical). Having such data sources makes Tetration Analytics a unique solution in the market.
Using tools for behavioral analysis and machine learning, Cisco Tetration Analytics provides accurate and relevant insights about the information flow in the data center, the interdependencies of applications, the possibility of retrospective analysis and real-time analysis. As a result, the IT service gains a deep understanding of the flow of information, allowing it to take concrete actions, in particular, to form effective policies. In addition, based on the obtained data and machine learning tools, Tetration Analytics offers behavioral analysis functionality. The expansion of threat detection and prevention capabilities is also realizable through integration with the specialized behavioral analysis system Cisco Stealthwatch, as well as in the future through interaction with the Cisco Talos cloud security service (in the plans).
Tetration Analytics can automatically distribute security policies to hosts in the data center and keep them up to date with the help of pre-installed software agents. Agents translate policies into host firewall rules (iptables, ipset, Windows Firewall) and make it possible to implement nano-segmentation of services by isolating services and applications directly at the host and operating system level, before traffic enters the network. In addition, through integration with the Cisco ISE access control server, Scalable Group Tag (SGT) tags become available for use in defining policies, annotations and so on.
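Below is an added example, not Tetration, ACI or any Cisco agent code, of the idea that runs through the ACI "explicit groups of interacting hosts" paragraph and the host-agent paragraph just above: a white-list policy is defined once as group-to-group contracts, and a host-side component renders only the rules that concern the local host as an `iptables` chain whose last rule drops everything not explicitly permitted. Group names, membership, ports and the `NANOSEG` chain name are constructed for the example; the rendered lines are ordinary `iptables` syntax, but how a real agent represents or applies policy is not taken from the page.

```python
"""Render a group-to-group white-list policy into per-host iptables rules.

Added example, not Tetration/ACI/Cisco code. Groups of interacting hosts and
the allowed traffic between them are declared explicitly; anything not declared
is dropped at the host, before it reaches the network. Group names, addresses,
ports and the chain name NANOSEG are constructed assumptions.
"""
from ipaddress import ip_address
from typing import List, Optional, Tuple

CHAIN = "NANOSEG"  # assumed chain name, not a Cisco/Tetration identifier

# Constructed group membership (in practice fed by the controller/agent inventory).
GROUPS = {
    "web": ["10.1.1.10", "10.1.1.11"],
    "app": ["10.1.2.10"],
    "db":  ["10.1.3.10"],
}

# Constructed contracts: (consumer group, provider group, protocol, port).
# Nothing outside this list is permitted between groups.
Contract = Tuple[str, str, str, int]
CONTRACTS: List[Contract] = [
    ("web", "app", "tcp", 8080),
    ("app", "db",  "tcp", 5432),
]


def group_of(host_ip: str) -> Optional[str]:
    """Return the group a host belongs to, or None if it is unknown."""
    for name, members in GROUPS.items():
        if host_ip in members:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Policy decision at the group level: only declared contracts pass."""
    return (group_of(src_ip), group_of(dst_ip), proto, port) in set(CONTRACTS)


def render_rules(host_ip: str) -> List[str]:
    """Build the ordered iptables rule list for one host: peers it provides to, then drop."""
    ip_address(host_ip)  # raises ValueError on a malformed address
    me = group_of(host_ip)
    if me is None:
        raise ValueError(f"{host_ip} is not a member of any group")
    rules = [
        f"iptables -N {CHAIN}",
        # Replies to connections this host initiated are allowed back in.
        f"iptables -A {CHAIN} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for consumer, provider, proto, port in CONTRACTS:
        if provider != me:
            continue  # inbound rules only concern contracts this host provides
        for peer in GROUPS[consumer]:
            rules.append(f"iptables -A {CHAIN} -p {proto} -s {peer} --dport {port} -j ACCEPT")
    rules.append(f"iptables -A {CHAIN} -j DROP")   # white-list default
    rules.append(f"iptables -A INPUT -j {CHAIN}")  # hook the chain into INPUT
    return rules


if __name__ == "__main__":
    for line in render_rules("10.1.2.10"):
        print(line)
```

Because the rules are derived from group membership rather than written per address, moving a host between groups or adding a member to a group only changes the rendered output; the contract list, which is what a security reviewer reads, stays the same. The `is_allowed` check is the same decision the rendered chain enforces, which is useful for testing a policy change before it is pushed to hosts.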
As a result, the implementation of a white list model in the data center is greatly facilitated, for which a complete understanding of information flows and integration with specialized information security solutions is very important.
Tetration Analytics allows you to implement a policy orchestration in the data center using the open REST API.
Thus, Tetration Analytics is a key tool for solving the problems of policy implementation and orchestration in the data center.
As modern business processes increasingly rely on network applications and IT infrastructure in their work, ensuring proper performance of business applications becomes critical. This is especially true of large companies in which failures or even just non-optimal workflow of business processes can lead to losses of millions of dollars.
Performing even a single business transaction usually covers multiple servers and software processes distributed and interconnected. Therefore, monitoring and managing the performance of business applications is a very difficult task and requires special tools.
The Cisco AppDynamics platform solves this problem. It provides end-to-end monitoring and performance management of the entire application landscape, from a browser on a user's computer or an application on a mobile device to backend application servers and databases.
The key components of the solution are the controller and the software agents installed on the hosts. Agents can integrate into a wide range of software environments, including C/C++, Java, .NET, Python, PHP, Node.js and others. They collect relevant information, including performance metrics, conditions and errors during execution of program code, and much more, and send it to the controller for further analysis and decision making.
AppDynamics automatically calculates baseline values of performance metrics that are "normal" for a given environment. Using these baselines, the metrics configured by the policy manager and the data from agents, the system detects performance anomalies and helps to localize the source of the problem.
- , backend , IT-, .
, Business iQ , -, -, . AppDynamics -, IT- .
AppDynamics (extensions) REST API. .
Cisco , .
, , Cisco Stealthwatch Enterprise.
Stealthwatch , . , . , , NetFlow, IPFIX .., Stealthwatch . , , , , , Cisco AnyConnect Network Visibility Module (NVM).
, Stealthwatch , . , .
Stealthwatch Cisco ISE pxGrid. "", Stealthwatch. Cisco Rapid Threat Containment Cisco.
, Stealthwatch ( ) , , , TLS. Encrypted Traffic Analytics (ETA) Enhanced NetFlow Cisco.
Cisco . , .
, Cisco , . , , .
IT-, , "" DNA Center APIC.
Cisco Network Services Orchestrator (NSO) , , - API . , NSO SD-Access API DNA Center.
API IT- Cisco Cisco , , .
Cisco , Cisco — , , . , Cisco IT-, - .
Cisco?
— "", AS-IS, , , . , .
— Cisco, TO-BE, . , " Cisco".
, Cisco .
Cisco , Cisco , , -.
. Cisco , .
, Cisco . , . , . , . , - , , .
— . IT - . - . . , .
Cisco, 2016 . 90% , . IT- .
IT- — , SDA. , .
, IT- , , - , .
Cisco , . , "-", , , .
Cisco , - .
Gartner, - .
, , - — " ". Cisco, 70% .
, . , " ".
Cisco , , "-".
, . Those. , .., . - IT , . , , -.
, IT- , "" — . . . .
Cisco .
, . Cisco IT- , , . , .
Cisco TrustSec, .
Cisco - — - " ", - .
, . — , -.
, , , "" IT-.
, Cisco , :
, , , — , IT- . . , , .
Cisco .
Network Architecture — Cisco DNA
Software-Defined Access
DevNet: Cisco DNA Center API
SD-WAN Solution
Cisco Application Centric Infrastructure
DevNet: Application Centric Infrastructure
DevNet: Find all resources you need for ACI
Cisco Tetration
Cisco AppDynamics
AppDynamics APIs
Cisco TrustSec
Cisco Identity Services Engine
Cisco Platform Exchange Grid (pxGrid)
Network Visibility and Enforcement
Cisco Stealthwatch Enterprise
Cisco Rapid Threat Containment
Encrypted Traffic Analytics (ETA)
Network Services Orchestrator (NSO) Solutions
Cisco DevNet: APIs, SDKs, Sandbox, and Community for Cisco Developers
Source: https://habr.com/ru/post/426917/