I struggle a lot of the time to find the right balance between planning and fast deployment. In IT you often have very ambitious projects that have to be finished ASAP. I cannot recall how many times I have heard the words "as soon as possible" in a project meeting. Most of the time the IT people have to finish their work first, so that the rest of the company or organisation can start to use the IT infrastructure. No matter whether it is a new datacenter, office location or technology, there will be some planning involved. Some tasks can be automated, but the automation infrastructure also needs planning. In Germany we say this is the point where the cat bites its own tail. It is time consuming to do solid planning. So it happens that something is brought to production half baked. Here I have seen many outages. People have to fire-fight and do overtime in these situations to create a workaround that then, obviously, becomes the permanent solution. Years later somebody will ask: who planned this… Or sometimes everything worked as planned but the plan was shit. There must be the right balance between planning and deployment. Make yourself some standards that are always part of your workflow, like documentation, security hardening, sticking to standards, monitoring etc.
And sometimes you spend a lot of time making something work with the tools that you know, and find out after the project is finished that there is a better tool or solution out there. The other tool/solution would have saved a lot of work-hours and budget, but you were not aware of it at that point in time. When the only tool in your toolbox is a hammer, everything becomes a nail. So it looks more time consuming to spend more time on research and on building up a new solution, but in the long run this looks to me like the better option. It is harder to accomplish something that replaces the old workflow and way of thinking, for sure. But it is a great feeling when the new solution is up and running and you can achieve with one click a task that before took hours, days or weeks. That is the essence of why all the new technologies like cloud, SDN and fabrics have changed IT so dramatically recently.
Cisco has introduced the new FirePOWER 4100 device family at Cisco Live. Besides a new hardware platform, the really interesting development is going on in the background. First a short brief on the new 4100 appliances: they come out in 3 different versions at the start and a 4th model will be added in the 2nd half of 2016. It is a 1RU appliance that can do up to 20GB/s FW throughput with L7 FW, AVC and IPS enabled. See the 4100 NGFW Datasheet.
The really interesting point here is that you can run the unified image on it. In the past we had a hardware box that ran the ASA code, and on top of that FirePOWER as an additional instance. I always simplified that in my mind like a VM that runs on a server, with FirePOWER living inside this VM. To scale that model up you needed additional processing power. For example, in the 5585-X models you had 2 devices inside of one chassis. On one part the ASA code was running and on the other the FirePOWER. That means from a packet flow perspective the packet was processed and inspected two times: first by the ASA based code/HW, and when that was finished it was passed to the FirePOWER engine to get inspected and processed again. That changes now with the unified image approach. The functions and features of the ASA have been ported to the FirePOWER code so that there is no need to run 2 images any more. Finally we have an integration of the L4 stateful inspection and L7 content based policies. At the moment some of the VPN features are missing; hopefully we will see these functions added in one of the future releases.
To leverage the new unified FirePOWER 6.x image approach there is also a management solution available. Instead of dealing with Cisco Security Manager or Prime Security Manager for the stateful inspection L4 rules and the FireSIGHT manager for the L7 content aware policies, this is also unified in the "Cisco Firepower Management Center". It looks very much like the previous FireSIGHT interface and has some additional functions. I like that you now see all policies in one place regardless of the type of policy. FirePOWER Threat Defence for ISR and Advanced Malware Protection (AMP) can be managed from here as well.
The Network Autobahn View
It was a long way, but finally Cisco has integrated the FirePOWER NGFW and the SNORT based IDS/IPS service with a stateful inspection FW. That tight integration and a central policy choke point make a lot of sense. Combined with the centralized management and logging, this makes a great solution. In the past the handling of ASA "ACL" based rules and NGFW L7 content based policies was always difficult. I got the impression at Cisco Live that the new combined image is the future and the old ASA will fade away completely. A stateful inspection FW is pretty much the security model of the late 90s, and I think even the term "Next Generation Firewall" is outdated. Deep packet inspection has become the only way to do security and port numbers are pretty much irrelevant. I am looking forward to the next FirePOWER releases that hopefully also bring the VPN features to the unified image.
At NFD11 Cisco presented their vision of modern buildings and how IoT could change the way LED lighting inside office buildings is designed today. Basically, modern LED lights consume less power than what we can deliver with UPoE over an Ethernet cable. The maximum power that can be delivered over an Ethernet cable was increased over time. At the beginning the main use-case was to deliver power to VoIP phones. With the original IEEE 802.3af standard it was possible to deliver ~15 Watts. After that we had 30 Watts with 802.3at for power hungry access-points, and now with UPoE Cisco has increased this with a proprietary standard up to ~60 Watts (see the UPoE specifications). That makes it possible to deliver the power to all office lights of a building via Ethernet cables and UPoE without the need for traditional power cables. Cisco has formed a strategic partnership with Philips to deliver that vision of IoT based LED lighting for buildings. See: Philips and Cisco form global strategic alliance.
To enhance their IoT strategy Cisco has recently acquired Jasper Technologies. With that acquisition Cisco can round out the IoT story to a full blown service that goes beyond LED lighting. The prediction is that it will start with digital lighting and grow to building automation with sensors. Cisco calls this the Digital Ceiling strategy. Besides the PoE capabilities, Cisco is contributing to open protocols like CoAP to deliver a complete package for IoT. Partners will get a predictable infrastructure that can deliver all the needed features for IoT deployments.
The Network Autobahn View
IoT and the automation around buildings is getting more momentum. I am personally still concerned about the security aspect. Cisco mentioned a new class of switches for building automation that works PnP, so that it is easy to deploy for facility managers. If some hacker is messing up my PC that is one thing, but when my lights are shut down or I have no heating in the winter because somebody is manipulating my building automation network, it becomes a completely different story IMHO. For a corporate network you have in most cases IT security people that do hardening and logging of all the systems. When now janitors have to apply these tasks in the next generation of buildings, I have my doubts that this will be secured properly. I compare this to the situation that we have with a lot of SCADA systems, which are a security nightmare, the world where telnet and default passwords are still a common thing. I have to admit that IoT brings a lot of benefits regarding automation, but always remember: with great power comes great responsibility.
I have the pleasure to attend the Cisco Live event, which is this year in my beloved hometown Berlin. Even more exciting is that at Cisco Live I will be part of the Tech Field Day Extra event by GestaltIT. Together with me, other delegates from a wide range of different backgrounds will be joining the Tech Field Day Extra at Cisco Live. Looking forward to meeting up with:
This time I will not be the one with jet-lag. If you would like to meet up at Cisco Live in Berlin, drop me a message; glad to talk about all of the new tech goodness that we will see during the event. As a born Berliner I am happy to have this great event directly in my backyard.
It is quite hard to track software release streams and available feature sets across the different Cisco switch and router families. More than once I have been confused by the same software release version on different platforms having different feature sets. It is not nice when a feature is missing that you had expected. Cisco has finally addressed that problem with the 16.x Denali release. Cisco has worked on the Denali release for 3 years to bring a unified SW release across multiple platforms. In the background Cisco has 3 abstraction components: the CLI, the unified SW stack and the ASIC related part of the code. The big benefit here is that you do not need a separate development team for each switch / device family. CLI and unified software stack can be developed centrally with one team across different products. That enables faster development of new features and feature parity across different device families. Besides the benefit of exactly the same CLI on all devices that run Denali, Cisco has also added a new WebUI that is completely rebuilt and has more features and better usability than the previous web interface. Customers have demanded this for a long time and finally Cisco has responded with Denali.
The Network Autobahn View
Thanks Cisco for releasing Denali. I have been waiting for this a long time. Besides Cisco internally, all Cisco customers will benefit from this unified software release approach. It makes tracking of software releases easier, and also the testing process. Cisco internally also benefits from a unified approach. I would suggest that this makes the development process faster and more efficient. At the end of the day, hopefully the customers get paid back with more new features that come out across multiple device platforms. I see here a general trend in the IT industry. An abstraction layer that is independent from the underlying hardware platform is needed. Hopefully all new Cisco devices will follow this unified SW approach in the future.
Silver Peak has shown their Unity EdgeConnect SDWAN solution. Silver Peak has done WAN optimization for many years and has leveraged that for their SDWAN products.
Silver Peak has several different hardware platforms that all have the same feature set from a software perspective.
The devices can handle multiple WAN connections and traffic types. You have seamless failover between WAN links and active-active load balancing across all these links as well. All the WAN links use an encrypted tunnel for the outgoing traffic. The connected endpoints can be centrally managed with a controller that has a nice looking UI.
Network Autobahn View
The Silver Peak SDWAN solution looked well put together. I was impressed by the Silver Peak CEO David Hughes. Hughes has shown a very deep technical understanding of the product. It looks as if all the experience that Silver Peak has in the WAN optimization space has been put into the SDWAN product from the beginning. Many problems that we had in the WAN space are finally solved. Buying a SDWAN product today will pay off very quickly when you compare it to the ISP costs of a private MPLS that you can save.
The business unit inside of NETSCOUT that many of you know as Fluke Networks has shown their new TruView product at NFD11. It is a monitoring and network measurement as a service offering.
The components of TruView are measurement endpoints and a cloud based management and analytics platform. The endpoints can be deployed as a software package or a hardware device. The TruView Pulse 1000 comes in a small form factor that is PoE powered. The endpoints have to establish a connection to the cloud based management to get registered. It was quite impressive how easy the deployment of these measurement endpoints is. NetScout has put serious thought into keeping the complete process as simple as possible to get results fast and easy. After an endpoint is registered you immediately get results of the performance tests. The cloud based Pure View server presents the results of the performance tests.
Network Autobahn View
To have constant data from all your locations that is based on real data like emulated VoIP calls is pretty neat. The biggest value for me is that you have a baseline and can compare that to the current data.
Instead of shipping expensive measurement equipment that is complex to configure to a remote location, making one test session and shipping everything back, NetScout offers with TruView a compelling model with many small measurement endpoints that can stay in the remote locations and give constant data output. At the moment all the data will be in the cloud. I would like to see a server version of TruView so that it can be hosted in your own data center and all the measurement data would stay under your own control.
Skyport Systems used NFD11 to show their new innovative product for the first time.
Skyport is a startup company with a very unique product that brings a new layer of security to the table.
Basically you can verify that a server is not compromised, e.g. by a rootkit. The problem these days is to verify that a server is not compromised. To survive a wipe/installation process, rootkits are placed in HW components like e.g. the firmware of hard disks and SSDs. Even with a fresh OS installation the server would be immediately compromised again. At the moment it is hard to address this attack vector. Skyport positions their product as an extra layer of security for highly mission critical applications. How does it work? Skyport has shown a hardware based NIC that has TPM chips, CPUs and RAM. So all the hardware and firmware inside of a server can be verified and inspected.
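The kind of check a TPM backed root of trust performs to catch the firmware rootkit described above, as an added example that is not Skyport's code or part of the original post: component names, firmware images and the measurement log are constructed, the PCR extend is the standard SHA-256 chaining, and the verifier layout is an assumption.

```python
import hashlib

# Constructed measurement log: (component, SHA-256 of its firmware image) in boot order.
# A hardware root of trust records these before each component is allowed to run.
GOOD_LOG = [
    ("bios", hashlib.sha256(b"bios-image-v1").hexdigest()),
    ("disk_firmware", hashlib.sha256(b"ssd-fw-v3").hexdigest()),
    ("bootloader", hashlib.sha256(b"grub-2.02").hexdigest()),
]
# Known-good measurements the verifier was provisioned with (constructed).
GOLDEN = dict(GOOD_LOG)

def pcr_extend(pcr: bytes, measurement_hex: str) -> bytes:
    """TPM extend: PCR_new = SHA-256(PCR_old || measurement). Order-dependent, one-way."""
    return hashlib.sha256(pcr + bytes.fromhex(measurement_hex)).digest()

def replay_log(log) -> str:
    """Recompute the final PCR value a log should produce, starting from the reset value."""
    pcr = b"\x00" * 32
    for _, measurement in log:
        pcr = pcr_extend(pcr, measurement)
    return pcr.hex()

def verify(reported_pcr_hex: str, log, golden: dict):
    """Return (ok, reasons). The reported PCR is what the TPM signs; the log is what
    the (possibly compromised) host presents. Both checks are needed: the log must
    replay to the signed PCR, and every component must match its golden value."""
    reasons = []
    if replay_log(log) != reported_pcr_hex:
        reasons.append("log does not replay to reported PCR")
    for name, measurement in log:
        if name not in golden:
            reasons.append(f"unknown component in log: {name}")
        elif measurement != golden[name]:
            reasons.append(f"{name}: measurement differs from golden value")
    return (not reasons, reasons)

# Scenario from the post: an implant in the SSD firmware survives an OS reinstall. The root
# of trust still measures the real image, so the PCR changes; the implant can lie in the log.
GOOD_PCR = replay_log(GOOD_LOG)
TAMPERED_LOG = [
    (n, hashlib.sha256(b"ssd-fw-implant").hexdigest()) if n == "disk_firmware" else (n, m)
    for n, m in GOOD_LOG
]
TAMPERED_PCR = replay_log(TAMPERED_LOG)

if __name__ == "__main__":
    print(verify(GOOD_PCR, GOOD_LOG, GOLDEN))          # clean host
    print(verify(TAMPERED_PCR, TAMPERED_LOG, GOLDEN))  # honest log, implanted firmware
    print(verify(TAMPERED_PCR, GOOD_LOG, GOLDEN))      # implant hides behind the old log
```

The second and third calls show why the TPM-held PCR matters: an implant can rewrite the log it hands over, but not the value the chip signs, so either the log or the PCR gives it away.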
It is also possible to control and manipulate the traffic that goes across the Skyport hardware. Besides firewall functionality you have, with the Shield Web Application, a crypto credential proxy that can act as an encryption break-up point, so that SSL encrypted data can be inspected here as well.
You also get new logging capabilities for your Skyport protected servers. Of course you can run a virtualization hypervisor on a Skyport protected server.
Network Autobahn View:
We have to protect a system against attackers in all possible ways. Skyport adds an additional layer of security and addresses an attack vector that is not covered by any other classic security solution that I am aware of.
Will we deploy a Skyport NIC to all our servers? Maybe not, but for the business critical applications I see a pretty sharp use case.
For more information check out the video from the NFD11 Skyport presentation: