Mobility and Collaboration are dissolving the internet border and cloud computing is dissolving the corporate data center border as well.This is a diagram of the new, Borderless network environment we live in. Users, devices, cloud-based services and head-office resources are all accessible, but without traditional network perimeters. Cisco’s new architecture to secure this borderless network is able to restore the auditing, logging, access control, verification, malware policy and threat prevention. We’ve had to rethink how security is done, and how to accommodate this dramatic shift. We can help customers migrate to a protected network without borders, but this kind of security has to be “baked in” to the architecture and the products. Security as an afterthought is much less likely to restore the traditional levels of control. ----------------------------------------------------------------------------------Cisco Promotion Points: There is no single best practice for securing a Borderless Network – instead, Cisco’s new architecture is flexible and adaptable.
So how does this change the business landscape?Traditionally companies looked at themselves as siloed entities – the enterprise with its perimeter… with external facing applications, internal operations, and everything was secured.But what we see today is a shifting of those boundaries; things are becoming more borderless. As the number of mobile and remote workers continues to rise, we have to overcome the location border so we can work from anywhere. At the same time, the increasingly broad range of devices we are using (MACs, PCs, iPhones, smartphones) —whether in the office, at home, or on the go—requires us to reconsider the Device Border. Another shift happening is the application border: Software as a service, video, cloud. You want your applications to work everywhere, regardless of device or location.As the borders of the traditional enterprise perimeter fall away, we face new challenges as a network, as an IT team, as a company.These changes increase the complexity [CLICK – Transition] of the CIO’s environment.
As the environment becomes more complex, certain areas of concern remain: Scalability, Availability, Performance, Security, and Manageability.In the past, the way IT addressed these things was very linear:Network not big enough? Add another switchNeed better availability? Deploy more products or features to increase availability.Poor performance? Tweak the QoS.Today the problem is very multi-dimensional – IT has to do the same thing, but across the device, the application, and the location border.And guess what? They still have to ensure scalability, availability, performance, security and Manageability – but now, not just over IT controlled stuff, but also over non-IT-controlled devices.[CLICK – Transition] We’ve talked about the market transitions, the changing environment, and the increasing CIO’s complexity. These are the factors that inspired Cisco’s Borderless Network Architecture. Let’s look at a snapshot of the Borderless Experience.
Traditionally companies looked at themselves as silo’d entities – the enterprise with its perimeter… with external facing applications, internal operations, and you made sure everything was secured.But what we see today is a shifting of what those borders are, and a changing of the boundaries, where things are becoming more borderless.One of them is the mobile worker or remote worker – we have to overcome the location border so you can work from anywhereAnother is the device border – we use MACs, PCs, iPhones, smartphones – and IT has to figure out how (and which) to support.Another shift happening is the application border: Software as a service, video, cloud – things coming in to your network You want your applications to work everywhere, over whatever.So there are new borders coming into play over what was the traditional enterprise perimeter –And it’s changing the challenges we need to overcome as a network, as an IT team, as a company.
Cisco Secure Borderless Networks promote workforce-enabling technologies while protecting company data, resources, and staff.
AuthenticationAuthenticate users and devicesPervasively apply across networkAuthorization (and Accounting)Dynamically differentiate and control network accessAccess is based on who, what, when, where, howCentralized accounting of user and device accessCompliance (PCI, company)Cisco TrustSec provides access controls based on a consistent policy for users and devices across wired and wireless environments.This is especially critical when collaborating with outside partners.Cisco TrustSec controls how a user or a device can be granted access, what security policies endpoint devices must meet, such as posture compliance, and what network resources a user is authorized to use in the network. TrustSec ensures that guest access is administered securely and appropriately.Accessing the environment is tied into:What’s the role of the individual / machine: this can be based on the group the user is in (such as in Active Directory a notion that Fred is in marketing)What type of device is being used: personal PC, corporate laptop, some other peripheralOther conditions apply to determine the level of access – when, is it healthy, where is it coming fromAt the end of the day, authorization is granted to allow the user/device a certain level of network access, for example:Broad access for compliant employeesLimited access for contractors, only to specific resourcesGuest/internet only access for visitorsQuarantine for non-compliant devicesAnd deny access for undesirablesThis is coarse-grained access, controlling where the user/device is able to “send a packet” = IP reachability. It is not the same as IAM, or authenticating to a server. Rather the ability to even send a packet to the serverTrustSec incorporates both 802.1X port-based access control as well as MACsec or 802.1AE to provide hop-by-hop security through encryption, key authentication, and integrity checking to ensure data confidentiality behind the LAN, between select Cisco switches and endpoint devices.Whether applications such as voice and video go across the network or any form of data, it is important to protect against eavesdropping, denial of service, and spoofing (man in the middle attacks) to name just a few potential malicious attacks. TrustSec is the next generation security framework that uniquely offers end to end protection.
The challenge of applying security in a borderless network experience has become very multi-dimensional - across devices, applications, and locations. There are more devices accessing applications and data from multiple locations over the internet. While the challenges are the same at the core – Access Control, Acceptable Use Enforcement, Threat Protection and Data Security, the problem has become multi-dimensional in this new environment.
While the challenge has become multi-dimensional, the policy issues remain the same:There is a need to apply access controls to ensure the right people have access to the right parts of the network and applications.Acceptable Use controls for compliance and productivity, to ensure employees are using the web resources appropriately. Threat Protection to block all the bad stuff like malware, botnets, intrusions and spam from coming into the network.And finally data protection to ensure that confidential information is not getting out into the open or into wrong hands, either inadvertently or with a malicious intent.
Mobility has great promise in increasing business productivity. However, there are several barriers that stand in the way of realizing it: Make the in-office and out-of-office user experience consistent, meaning that workers have access to the tools they need to do their job from anywhere. Traditional VPNs have required lots of clicks and steps and still often fail or drop connectivity—it needs to just work. The smartphone to Salesforce.com has no company-controlled firewall or other security infrastructure in its path. No visibility, no policy enforcement other than what the SaaS vendor chooses to provide. Businesses must have ways to insert policy and security into every transaction. As if the first two challenges weren’t difficult enough…they’re exacerbated by the trend to consumerization. The days of the standard corporate device are over. Businesses must meet the first two challenges in a way that will allow them to embrace the wave of new devices—smartphones and laptops—that workers are bringing in and/or demanding.
The next attribute of the enforcement array is the ability to bring full context awareness for policy writing and enforcement. User identity and application or destination identity are the foundation of this but we don’t stop here. We also bring in location awareness – whether the user is in the network or outside the network and in the future the geo-location of the user as well. Next is knowing the priority of the traffic – things like throttling YouTube but allowing WebEx streams and other business critical applications without any restrictions. We also bring content awareness for files and other data traversing the internet edge to apply the right scanning policies, like DLP, malware scanning etc. Finally we also bring device awareness which allows one to deploy devise specific policies.Bringing all these policy elements together allows customers to create policies that best meet their needs, giving flexibility and greater control. Basic Application Control is available on the Firewall as well as the Web Security Appliance. By mid-2010, we will have advanced application control features on the Web Security Appliance. Since most of the applications tunnel over the Web, we will introduce this advanced application control using application signatures on the Web appliance first and then extend this capability on the Firewall and IPS in future releases. The application control capability will allow us to dynamically add new application types and applications allowing us to quickly respond to market demands as applications get popular and customer need greater control over these.
Let’s take a look at how we enable visibility and control over the SaaS traffic. More and more enterprises are realizing the benefits of SaaS and jumping on that bandwagon. In fact, did you know that we here at Cisco use over 300 SaaS applications? With SaaS traffic growing, an increasing area of concern is how to enable authentication and authorization with the enterprise user directory as opposed to managing user accounts separately with each of the SaaS vendors which can quickly become an administrative nightmare. A good example here would salesforce.com. Employees today are accessing salesforce.com directly with login credentials that are separate from their enterprise network login. Now if the employee leaves the company or is let go, the company has to ensure it disables the user account at each of the SaaS application they have an account with. Else there’s a risk to the information accessible to the user. We have an architecture today where all the SaaS traffic going over the Web can be directed using our network security devices to the Web Security Appliance where the user is automatically authenticated and authorized for access to the SaaS app thus giving SSO and a single source of revocation at the enterprise user directory. This makes the administration dramatically easier and reduces the need for enterprises to deploy complex Identity and Access Management solutions just for SaaS access.
There are many different remote access use cases, which highlight the variety of end-users groups, connectivity options and devices that must be met by a VPN secure remote access deployment.The ability to offer a single appliance solution to such varied and complex requirements is invaluable to a customer, both from an operational and management standpoint, as well as from a core security standpoint.Let’s look at these requirements more in detail :1. Consider for instance the case of a typical remote access user, who may connect from home and require full virtual LAN access to work efficiently. She may then put her laptop on standby and leave for work, use her smartphone during her commute time to check email, stop in a café and use her laptop over a wifi hotspot to finish an urgent task, then drive to the office and connect her endpoints directly to the corporate network.2. Another typical example depicts a business partner, who may not have the benefit or be trusted to use a corporate asset for accessing corporate resources and data. He only needs restricted access to few applications and /or to a specific database. Such users typically use their own (partner) company’s laptop to access resources.3. Yet another example depicts an emergency situation, where a high number of regular employees need to work remotely, without necessarily have been provided with a corporate endpoint for full VPN client access. Business continuity is key to many businesses, and is even outline in some legislation mandates (COOP) This may occur for instance when a natural catastrophe, a pandemic, a national threat, or a local network outage occurs. Corporate employees would benefit from clientless VPN access to essential work tools and resources such as OWA, RDP, citrix presentation server tools,…By enabling such access, the corporation ensures that its key business functions are resilient, and maintains its productivity.
Customer Pain Points …Qualification Questions Cisco EnergyWise Value PropositionsCutting costs…Are you concerned with finding new ways to conserve energy and cut costs across the company? …Gain visibility and control of energy consumption using the network, IT and facility convergence through CiscoEnergyWise and Network Building MediatorsFacing regulations…Are you facing worldwide, regional, or industry-specific sustainability regulations? …Correlate energy supply/demand, help enable real-time control, reduce carbon emissions, and build a baseline toward meeting regulatory concernsNo visibility, no tools…Would you be interested in knowing your overall energy consumption and potential cost savings?...Measure, reduce, and report energy usage with EnergyWise, Save money and resources, Use the Cisco EnergyWise Business Value Calculator for planning, Help enable integration with ecosystem partner applications
EnergyWise is an end to end Cisco solution including 3rd party partners and a series of management applications. EnergyWise includes that capabilities to manage IT, datacenter, building and eventually Smart Grid devices.The vision of EnergyWise includes full integration with many Cisco devices managed by third party and Cisco applications:POE and switching devices (now)PC power management, router power monitoring and router module control (soon)Direct integration with wireless controller, MSE, IP telephony (phones with sleep modes), Cisco Building Mediator for building management (Future)Smart Grid and Data Center integration (Future)Management partners in 9/2009 include LMS 3.2, SolarWinds, IBM Tivoli, Cisco Energy ManagerEnergyWise Power Management Orchestrator Product 2/2010
For consumers, video is interactive and immersive.For service providers, the demand for video provides new revenue opportunities and the ability to monetize demanded video services. In essence, they transition to ‘experience providers’. For business, video enables operational efficiency: whether new ways to collaborate, to drive presence with customers, employees, and business partners….drive seamless, global operations, or to reduce energy or travel costs
Transcript:CISCO PANEL: First of all, collaboration, video, voice, all of those are real-time technologies. And a lot of customers may have sort of thought about dealing with the challenges with some of those areas, but sometimes they don't even know or they haven't even realized what challenges they're going to face with some of these new technologies like video. And so video in particular is, they know it's coming and they're scared a little bit. So some of them are just kind of ignoring it and hoping that if I ignore it long enough, the technology will fix all of this so I won't have to worry about it. Which in many ways, that's exactly what we're doing. So part of the challenge that we try to highlight to them is you may not be having this problem today, but you better start thinking about this and having the right infrastructure. Because if you think about it, in our case, if 50% of our network is video, how do your prioritize it? Video is all real-time, what happens... ROSS FOWLER: QoS doesn't cut it anymore, does it? CISCO PANEL: Yes, QoS doesn't do it at all, so you need to be thinking about something different in terms of how you prioritize video. The other aspect is, is even in business communications, we talked about can the network help enforce some of the different rules? If you have multiple real-time streams going on, how do you ensure that you understand the identity of the person, apply those rule sets to prioritize your conversations with a John Chambers versus mine and Mike's for example? Actually, we'd be prioritized probably. Exactly. So how do you prioritize this traffic when it is all video? And then the other aspect of it is, video is so demanding. A lot of the real-time collaboration experiences, whether it's voice or video or anything real-time, that is the most suspect to any disruption. So how can we provide that seamless user experience, especially when you get into some of the mobile devices? How do you ensure you're delivering this over a mobile device in a way that provides that ultimate experience? ROSS FOWLER: Like with different encoding, different screen sizes. CISCO PANEL: Exactly, exactly. So those are some of the challenges, and some of them the customers are aware of and some of them it takes us to actually raise that to them. When I use that example... ROSS FOWLER: You're saying it's part of our sales calls, we sort of create a bit of fear and uncertainty in them, yes? CISCO PANEL: Not uncertainty and doubt, we're just preparing them. ROSS FOWLER: Yes, that's right. CISCO PANEL: We're just asking the right questions. CISCO PANEL: Yes, I think my favorite story from the global customer advisory board is when we were talking about this whole area of real-time collaboration, and we asked the customers, how business critical video was today? And some of them raised their hand and said it wasn't that critical for them. And then we asked the question, how many of you are building -- want to build your networks today to prepare for video? The customers who said it wasn't business critical, raised their hands and said, I want to prepare for it today. ROSS FOWLER: That really took me by surprise because in individually BCs, most customers have said it's around the corner. The EG Cap customers said, they're really frightened about it and they need to prepare for it now. CISCO PANEL: Well, that's the thing, some of them may not be looking to deploy it right away, but... ROSS FOWLER: It's about getting ready. CISCO PANEL: Exactly, and that's the key message that we need to highlight is make sure your network is ready for video because it is more demanding than anything else. And what you may have in place today if you haven't thought it through may not cut it.Author’s Original Notes:The use of video in businesses is rapidly increasing. Cisco did a study that estimates that video will make up 90% of network traffic by 2012. And it’s no surprise, because video lets people collaborate in real time wherever they are. But delivering a real time collaboration experience is a major challenge. When enterprises deploy IP-based video applications they must often deploy them over dedicated overlay networks or over-provision their WAN and campus networks in order to meet the scalability requirements and assure the service levels required to achieve the expected quality standards. Video quality standards are very high, as the threshold for poor quality VIDEO is much lower than voice or data.Deploying these services is another challenge as each end-point, such as an IP video surveillance camera, must be manually provisioned and configured to its respective application. This challenge is further complicated when an end-point is moved, or worse yet, is mobile. The potential for human error is not insignificant.Enterprises invest in collaboration tools to improve communications and increase employee productivity. Yet many of these rich media systems have the opposite affect, as each collaboration tool has its own user-interface and is limited in where it can be accessed and on what devices it is available on causing employees lost time dealing with multiple interfaces and limited availability of services.Can a Cisco network deliver a real time collaboration experience? Yes.
Medianet is an End to End Architecture for a media-optimized Network . Medianet allow the deployment, scalability and optimization ofquality of experience of Rich Media Solutions into the organization. Media Aware : Deliver the best experience. Detection and Optimization of different media and application Any-to-AnyAny contentAny timeAny whereEndpoint aware : Easy deployment. Automatic Detection and Configuration of endpoints.End-to-EndDevicesNetwork of networksSoftwareNetwork Aware : Easy to deploy and Administrate. Detect and respond to changes in devices, connnecton and service availabilityPlatform, Systems and ServicesEnable medianets via new tech, prodCollaboration, Broadcast/StreamingRobust services offerings
Customers are rapidly adopting rich media applications including telepresence, conferencing, signage and surveillance. This opens up the opportunity to drive network infrastructure refresh, to address the needs of these new application deployments. Much as Unified Communications raised the bar in terms of assuring quality of service, the demands of the new generation of rich media applications require customers to re-evaluate their existing end to end infrastructure. This encourages customers to migrate from their existing infrastructure and enables account teams to use medianet as a competitive differentiator against low cost, low feature competitors. What’s new?What’s new is a Borderless Collaboration Architecture where voice and video traffic runs over the same IP network rather than overlay networks. What’s new are new rich media network services built into both Cisco’s routing & switching infrastructure AND Cisco voice and video applications and end-points. These new APIs bridge the application, network and end-points to ensure rich media applications are easy to install & manage, voice/video traffic is identified and prioritized, and embedded smart diagnostics and monitoring tools help troubleshoot and isolate issues, all to ensure a rich collaboration experience.And finally, what’s new is the need to fundamentally change how enterprise networks are designed because video not only loads the network it changes the way networks are built. So this includes validated end-to-end rich media architectures and design guidance that deliver these new Media Aware Routing, Monitoring, Optimization and Intelligent Network services, all with seamless security. ---Auto-configuration address challenges in Mass deployment of rich media applications such as Physical Security or Digital Media SystemChallenges today for such deployments are : Needs for a lot of preparation and planning as each switch ports have to be manually configured Personnel installing cameras and DMP do not have the right IT skills – Is it the right port/config? Result is an increase of the operational cost !Medianet Auto-Configuration help in reducing installation time and costWhat type of configuration is needed? Cameras, DMP need IP address, Data rate and Bandwidth information Access Switches need VLAN ID, QoS, Port Security and to be sure that device is connected to the right port.Access Switch can Auto-configure those parameters using Auto Smartports based on CDP or Mac range. Endpoint can provide information to the Network using MSI (Medianet Service Interface).
Nice slide, may want a tag line about building a resilient, media aware wireless network for future wireless enabled applicationsAdds resilient wireless IP Multicast support to ensure reliable delivery of mission-critical live video stream traffic
Delivering business value through transformative networking 20012011