Cisco Identity Services Engine (ISE) version 3.3

Simplified Operations

New Split Upgrade: Upgrading Cisco ISE has never been easier. With the new Split Upgrade feature, customers have complete control over the upgrade process from the UI, allowing them to upgrade specific ISE nodes in parallel, in multiple iterations, at their convenience and without downtime. Say goodbye to complex and time-consuming upgrades.

Controlled Application Restart: Minimize Downtime, Maximize Efficiency. Downtime during certificate renewals can be disruptive. Cisco ISE 3.3 introduces Controlled Application Restart, which allows customers to plan the renewal of the ISE administrative certificate instead of restarting the entire ISE deployment at once with no control over the timing. Schedule the restarts during periods of low network usage for a smoother certificate renewal process that does not impact operations.

Navigation improvement: ISE admins use the ISE UI to perform their job. ISE 3.3 introduces a new and improved navigation that lets ISE admins complete their tasks faster, with fewer clicks and without losing sight of their current screen while moving between ISE pages. Each ISE admin can now save the pages he or she uses most frequently and reduce the time it takes to reach them.

IPv6 Support: in addition to RADIUS, TACACS+, and ISE management over IPv6, customers can now enable additional services over IPv6: the ISE guest portal can be reached over an IPv6 address and serve guests on an IPv6 network, and profiling and posture checks are also available for IPv6-enabled endpoints.

Enhanced Platform Security

TPM Chip: Strengthen Security with the TPM Chip. Security is paramount. Cisco ISE 3.3 on the SNS-3700 appliance (or on virtual machines that support a vTPM) introduces TPM support: a dedicated and secure storage location for sensitive information. With true random number generation for key generation, the TPM enhances the security of stored data, providing you with peace of mind.

ISE Cipher Control: By allowing ISE admins to manually disable unwanted and weak ciphers, ISE 3.3 helps customers meet compliance requirements and regulations without waiting for the next release or patch.

TLS 1.3 for ISE admins: ISE admins can now connect to ISE UI over TLS 1.3. TLS 1.3 provides enhanced security and improved performance by reducing latency and eliminating outdated cryptographic algorithms, ensuring stronger encryption and more efficient communication between clients and servers. 
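As an added illustration of what cipher control and a TLS 1.2/1.3 floor mean in practice (example code written for this page, not part of ISE or any Cisco product), the following Python script builds a hardened TLS client context with the standard ssl module, lists the suites the local OpenSSL actually offers under it, and audits any cipher list against a constructed weak-cipher policy. The weak-cipher markers and the OpenSSL cipher string are assumptions of this example, not ISE's own settings; the optional check_server helper lets an admin confirm, from an authorized management host, which protocol version and suite an ISE admin UI negotiates against this hardened client.

```python
import socket
import ssl

# Constructed policy for this example: name fragments that mark a cipher
# suite as weak or obsolete (no encryption, export grade, RC4, DES/3DES,
# MD5 integrity, or anonymous key exchange). Not an ISE setting.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH", "ANON")

# Assumed OpenSSL cipher string: forward-secret ECDHE suites with AEAD
# encryption only. TLS 1.3 suites are governed by the protocol floor,
# not by this string.
HARDENED_CIPHER_STRING = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"
)


def is_weak_cipher(name: str) -> bool:
    """Return True when a suite name trips the weak-cipher policy."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def classify_ciphers(names):
    """Split an offered cipher list into (allowed, weak) lists, order preserved."""
    allowed = [n for n in names if not is_weak_cipher(n)]
    weak = [n for n in names if is_weak_cipher(n)]
    return allowed, weak


def hardened_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and weak suites."""
    ctx = ssl.create_default_context()  # verifies the server chain by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHER_STRING)
    return ctx


def enabled_cipher_names(ctx: ssl.SSLContext):
    """Suite names the local OpenSSL will offer under this context."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit_context(ctx: ssl.SSLContext):
    """Return the weak suites (if any) that a context would still offer."""
    _, weak = classify_ciphers(enabled_cipher_names(ctx))
    return weak


def check_server(host: str, port: int = 443):
    """Connect with the hardened context and report the negotiated
    protocol version and suite. Needs network access and a server
    certificate the local trust store accepts; intended for hosts you
    administer."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    ctx = hardened_context()
    print("Offered suites:", enabled_cipher_names(ctx))
    print("Weak suites still offered:", audit_context(ctx))
    # The audit applied to a constructed legacy cipher list.
    legacy = ["ECDHE-RSA-AES256-GCM-SHA384", "RC4-SHA", "DES-CBC3-SHA", "NULL-MD5"]
    print("Legacy list audit:", classify_ciphers(legacy))
```

The design choice worth noting is that the protocol floor and the cipher string are separate controls: minimum_version removes TLS 1.0/1.1 entirely, while the cipher string only shapes the TLS 1.2 offer, which is why the audit walks the context's real offered list rather than trusting the string alone.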

Certificate-Based Authentication for API calls: ISE 3.3 supports certificate-based authentication for API calls. Certificate-based authentication offers stronger security by removing the weaknesses of traditional username and password authentication. It provides robust protection against credential theft, unauthorized access, and phishing attacks, ensuring a higher level of trust for users accessing sensitive systems or resources.

Visibility and Compliance

AI/ML based Profiling: Effortlessly Identify Unknown Endpoints with AI/ML Profiling. Unidentified endpoints on the network can be a challenge. Cisco ISE 3.3 employs AI/ML Profiling and Multi Factor Classification (MFC) to swiftly identify clusters of similar unknown endpoints. This cloud-based ML engine helps customers categorize these devices accurately, making it easier to determine what they are and apply appropriate policies.

Unlock Valuable Insights with Wi-Fi Edge Analytics

Our exclusive Wi-Fi Edge Analytics feature enables customers who use Cisco Catalyst 9800 wireless controllers to exchange data between ISE 3.3 and the controller and obtain profiling information from Apple, Intel, and Samsung devices, enhancing endpoint profiling.

This information includes endpoint-specific attributes such as model, operating system version, and firmware.

Multi Factor Classification: ISE 3.3 introduces a new way to profile endpoints on the network. The profile is no longer a single descriptive string for the endpoint. Instead, ISE uses MFC (Multi Factor Classification), which breaks the profile into 4 categories: Manufacturer, Device Type, Model and OS. This allows our customers to build more granular policies based on the individual MFC attributes.

Posture for ARM based Windows: for customers who move to computers based on ARM processors, ISE 3.3 can now perform posture checks to verify compliance status before granting those endpoints access to the network.

Cloud Availability

ISE 3.3 is going to be available on all the supported platforms: AWS, Azure, and Oracle Cloud. Release dates depend on the different cloud vendors:

ISE 3.3 on Azure – Already available

ISE 3.3 on OCI – Already available

ISE 3.3 on AWS – Already available

ISE 3.3 Resources:

ISE 3.3 download page

ISE 3.3 release notes

Cisco acquired Valtix: What is Valtix?

Valtix is a cloud-native network security company that provides next-generation firewall and web application firewall (WAF) solutions for businesses looking to protect their cloud-based infrastructure. The company was founded in 2018 by seasoned technology executives who recognized the need for a modern approach to network security in the cloud.

Valtix’s cloud-based approach to network security is designed to be both scalable and flexible, allowing businesses to secure their cloud-based infrastructure without having to worry about the complexities of managing hardware or software. By leveraging cloud-native security technologies, Valtix enables businesses to deploy security policies that can be enforced consistently across their entire infrastructure, regardless of the cloud provider or network topology.

One of the key benefits of Valtix’s approach to network security is its ability to provide real-time threat detection and response capabilities. Using advanced machine learning algorithms, Valtix can analyze network traffic in real-time, identifying potential threats and responding quickly to mitigate any risks. This helps businesses stay ahead of the constantly evolving threat landscape and ensure their infrastructure remains secure.

In addition to its advanced threat detection and response capabilities, Valtix also provides businesses with granular control over their network security policies. This allows businesses to tailor their security policies to their specific needs, ensuring that their infrastructure is protected in the most effective way possible. With Valtix, businesses can easily manage their security policies from a centralized dashboard, making it easy to enforce policies consistently across their entire infrastructure.

Valtix’s cloud-based approach also makes it easy for businesses to scale their network security as their needs evolve. Whether they need to protect a small cloud environment or a large, complex infrastructure, Valtix can provide the necessary security solutions to meet their needs. This flexibility allows businesses to focus on growing their business, rather than worrying about managing their network security.

Finally, Valtix’s cloud-native approach to network security is designed to be highly automated, which helps businesses reduce the burden of managing their network security. By automating many of the routine tasks associated with network security, Valtix enables businesses to free up their IT resources to focus on more strategic initiatives.

In conclusion, Valtix is a cloud-native network security company, recently acquired by Cisco, that provides businesses with advanced threat detection and response capabilities, granular control over their security policies, and the flexibility to scale their security solutions as their needs evolve. With its cloud-based approach and automated processes, Valtix helps businesses stay ahead of the constantly evolving threat landscape while reducing the burden of managing their network security.

https://valtix.com/blog/ciscos-intent-to-acquire-our-journey-and-why-it-matters/

Mike

What’s the difference between GCP and AWS Regions?

To understand the global infrastructure of a cloud provider, consider a coffee shop chain. If an event such as a flood or a power outage impacts one coffee shop location, customers can still get their coffee by visiting a different location only a few blocks away.

A cloud provider’s global infrastructure provides high availability and consists of several components: Regions, Zones, and Edge locations.

A Region is an independent geographic area that hosts cloud services. Each Region is isolated from the others unless you explicitly allow traffic out of that Region. Thinking back to our coffee shop analogy, all the coffee shops in the Northeast could be considered the Northeast Region. If all Northeast coffee shops went out of business, it wouldn’t affect any coffee shops located in the Northwest. A Region in turn consists of Zones.

A Zone is where cloud resources are deployed. A Zone generally consists of two or three independent data centers located tens of miles apart from each other, but close enough to keep latency low; in our analogy, these are the coffee shops in one town. Let’s say there are three coffee shops in town and one of them loses power; the other two coffee shops can still serve customers in town. Zones provide high availability to cloud services and applications in the cloud.

An Edge location is part of the cloud provider’s network also known as Point-of-Presence that places cloud services closer to the user improving the user’s experience and convenience. 

Choosing where your applications are located affects qualities like user experience, availability, durability, and latency. 

Comparing Regions and Zones in Google Cloud and AWS

Google and AWS both use Regions to provide Cloud services to customers. 

One difference is that Google will have at least three Zones in each Region, whereas AWS uses Availability Zones to provide high availability: every AWS Region will have at least two Availability Zones.

Google Cloud infrastructure is based in five major geographic locations: North America, South America, Europe, Asia, and Australia.

Google Cloud currently supports 106 Zones in 35 Regions.

AWS Cloud infrastructure functions in North America, South America, Europe, the Middle East, Africa, Asia, and Australia.

The AWS Cloud spans 96 Availability Zones within 30 Regions.

The Google and AWS networks share many of the same attributes, with some slight differences! Regardless of which cloud provider you use, selecting a Region should take four key factors into account:

  1. Compliance
  2. Proximity to your customers
  3. Available Services within a Region
  4. Pricing

Mike


Cisco Solutions for AWS Cloud Modernization

If you missed my prior blog on app assurance check it out!

Forecasting cloud spend and assuring application performance

It’s challenging to know all the native cloud solutions available to you, and it’s even more challenging to know which Cisco solutions are available for use with AWS.

You will find that there are solutions that repeat or even overlap across portions of the AWS Migration stages. For example, in the Discovery stage of cloud migration, the tool you’d likely use for Application Discovery / Infrastructure Discovery is AppDynamics (AppD).

It’s important to know that this is not an extensive list, nor should this be used in a silo; rather these are the most relevant products for a migration.

Below is a reference to the relevant Cisco solutions associated with the AWS Cloud Migration journey. Business outcomes will evolve as a customer matures in the cloud and so will the solutions to meet those outcomes. 


Cloud Workload Optimization – Cost and Performance?

I took inspiration to write this blog from the “Workload Optimization” section of the digital book “Cisco Intersight: A Handbook for Intelligent Cloud Operations”. Please consider connecting with and sending a thank you to the hard-working authors of this fantastic book.

IT operations have one fundamental goal: to deliver performant applications at the lowest possible cost while maintaining compliance.

Because of this, organizations turn to cloud providers to achieve a lower variable cost compared to an on-premises data center, which is generally finite in scale and fixed in cost.

Cloud providers such as AWS can achieve higher economies of scale, which translates into lower pay-as-you-go prices and effectively infinite infrastructure.

Keeping track of which application requires which underlying resources, along with license constraints and placement rules, is beyond human scale.

As a result, placing workloads so as to minimize cost while assuring workload performance becomes a guessing game.

Cost Optimization Pillar

According to AWS, a cost-optimized workload fully utilizes all resources, achieves an outcome at the lowest possible price point, and meets your functional requirements (AWS, n.d.).

Put another way, the Desired State is to assure workload performance and minimize spend in the public cloud (Intersight Handbook, 2021).

AWS provides a vast array of instance sizes to achieve optimized workloads and various ways to consume instances, either On-Demand or via Reserved Instances (RI), which are heavily discounted for a specific term, generally one year or three years. Think of RIs as a billing discount applied to running On-Demand Instances. RIs are appropriate for consistent and predictable workloads.

The challenge with consuming RIs is that public cloud consumers pay for the RI whether they use it or not. RIs become more like “the sunk cost of a physical server on-premises than to the ongoing cost of an on-demand cloud instance (Intersight Handbook, 2021).” This consumption model can encourage behaviors such as shoehorning an application into an undersized instance, or neglecting to resize an instance when a workload outgrows its current resources.

“There are hundreds of different instance options in AWS and Azure, with new options and pricing emerging almost daily (Intersight Handbook, 2021).”

Automation to optimize costs

In the early stages of cloud adoption, the lack of expertise and security are more critical concerns than managing cloud spending. However, as organizations mature their cloud practice, managing cloud spending becomes the number one issue, and they struggle to forecast cloud costs accurately.

Organizations reported that their cloud spend was over budget by an average of 24 percent and expected it to increase by 39 percent over the next twelve months (Flexera, 2021).

This issue is further compounded when more than one cloud provider is involved, and it requires automation to weigh price against performance and to find the best price for a given level of performance.

Assuring application performance while optimizing cost is precisely what Cisco’s Intersight Workload Optimizer SaaS does. (Workload Optimizer is a separately licensed feature set within the Intersight platform.)

Workload Optimizer is constantly receiving real-time data on consumption, pricing, and instance options from the cloud providers and combining such data with the knowledge of applicable customer-specific pricing and enterprise agreements to determine the best actions available at any given point in time.

It does this through direct API target integrations with the cloud provider in real-time to add value far beyond any cloud-specific or hypervisor-specific, point-in-time tools that may be available. Besides being multi-vendor, multi-cloud, and real-time by design, Workload Optimizer does not force administrators to choose between performance assurance and cost/resource optimization.

Wrapping up

The underlying resources, license constraints, and placement rules of running workloads in the public cloud are beyond what most organizations can handle. While the organization’s capability to use the cloud continues to grow, so does its need to forecast and manage cloud spending. The solution requires automation, real-time information, and optimization to make informed decisions. Cisco Workload Optimizer has the ability to do just that and a whole lot more. If you’re interested in understanding Intersight and the components that make up the hybrid-cloud tool, you can find the documentation here.

Mike

Baker, M., Beck, B., Chosnek, D., McGee, J., McKeown, S., TerEick, B., & Vaswani, M. (2021). Cisco Intersight: A Handbook for Intelligent Cloud Operations. https://www.booksprints.net

AWS. (n.d.). Cost optimization pillar – AWS Well-Architected Framework. Retrieved February 28, 2022, from https://docs.aws.amazon.com/wellarchitected/latest/cost-optimization-pillar/welcome.html

AWS. (n.d.). Reserved Instances – Amazon Elastic Compute Cloud. Retrieved February 28, 2022, from https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-reserved-instances.html

Flexera. (2021). 2021 State of the Cloud Report. https://info.flexera.com/CM-REPORT-State-of-the-Cloud?dtid=oblgzzz001087

Cisco at AWS re:Invent 2021

Here is a summary of Cisco’s mentions and highlights at AWS re:Invent 2021!

Please note: each of these links requires registering on the AWS re:Invent site.

Launches and Mentions

AWS GATEWAY LOAD BALANCER >> Now featuring Cisco Firewall as a Service (FWaaS)

Learn more by reading Cisco’s blog

AWS MARKETPLACE LAUNCH >> Cisco Snort 3 Anywhere

Snort 3 Anywhere is a containerized form factor of the well-known, industry de facto standard IPS engine. With this latest offering now available in AWS Marketplace, you can easily deploy Snort 3 in your EKS or on-premises container environment. Learn more in Cisco’s blog.

AWS MARKETPLACE LAUNCH >> Cisco Intersight Workload Optimizer SaaS

Cisco Intersight Workload Optimizer is a real-time decision engine that drives continuous health of applications across on-premises and public cloud environments to analyze workload consumption, costs, and policy constraints across the full stack. Learn more via the new listing in AWS Marketplace and Cisco’s blog.

NEW AWS QUICK START >> Featuring Cisco Meraki Virtual MX

Customers can secure SD-WAN traffic between branch offices and resources on AWS with this new AWS Quick Start. Click to view and deploy.

Mike