Tweet

By CFO World

With CAPEX accounting for only 20% of the cost of a network, it is important to look beyond initial expenditures and consider TCO and the business value a network can provide. A third-party TCO comparison of a Cisco network versus other vendors illustrates that Cisco can deliver a 13% better TCO even before business benefits, such as network uptime and employee productivity are considered. Further, the Cisco Borderless Network Architecture acts as a platform for service delivery, allowing your IT organization to say “yes” to business and revenue-enhancing opportunities.

Get the White Paper

Tweet

by Cisco Systems

It can be easy to forget how much depends on the enterprise network—until you have to tell the VP of sales that he can’t use his iPhone on the corporate network because the appropriate security controls aren’t in place. Or you must tell the CIO that expanding the virtualization initiative to include business-critical applications will severely tax bandwidth. The truth is, nearly everything in modern businesses is dependent on the enterprise network, and every decision you make is based on whether the network can handle it. This paper takes a look at a common pitfall in IT circles that can have a serious impact on the IT decision maker’s ability to say “yes” to new business initiatives. It also offers recommendations for IT organizations that wish to act as business enablers.

Get the White Paper

Tweet

A third-party business consulting firm analyzed the total cost of ownership (TCO) of Cisco enterprise customer networks, and contrasted that TCO to “good enough” networks from other networking vendors. Key findings:
1) TCO is a better metric than CapEx to assess network cost because it considers the full impact on IT spend, including CapEx, services, labor, bandwidth and energy.
2) The Cisco Borderless Network Architecture can deliver up to 13% better TCO than a “good enough” network, offering compelling value for the strategic Cisco investment.
3) Even if architectural benefits are discounted in the analysis, Cisco is, at most, a 7% TCO premium over other vendors due to IT labor savings and extended product lifecycles from Cisco solutions.
4) The single biggest benefit of Cisco’s architectural approach is labor savings. Labor constitutes 50% of TCO and Cisco delivers 5% to 10% labor savings driven by unified wired and wireless and embedded security.
5) A quality network delivers business benefits beyond TCO, including improved network uptime, higher user productivity and a lower threat of security breaches.

Get the White Paper

Tweet

By Nick Lippis, the Lippis Report

IT business leaders are being confronted with a choice: either embrace users’ freedom or liberty to choose a mobile endpoint and applications that they deem appropriate to support their work, or dictate a limited number of supported mobile endpoints and applications in which employees must choose? At the center of this decision are security concerns and control as the number of mobile endpoints connecting into enterprise networks skyrocket. A larger secondary effect is that employees are downloading low cost (99 cents to $4.99) mobile applications, which is changing the mix of corporate application portfolios without IT visibility but user request for support. At the same time, video communications is expanding throughout the enterprise and the endpoints it supports. IT business leaders can avoid this difficult choice and offer users freedom to choose the mobile endpoint and applications of their liking, and still maintain security and control by deploying a Borderless Network. In this industry white paper, we review market dynamics shaping mobile computing plus video communications and how a Borderless Network offers user choice, IT management control and in the process, a more productive and agile workforce.

Get the White Paper

Tweet

by Cisco Systems

Cisco® Borderless Networks is a next-generation architecture that helps IT evolve its infrastructure to deliver seamless, secure and reliable access in a world with many new and shifting borders. The Cisco Integrated Services Routers Generation 2 (ISR G2) constitute a critical component of the Cisco Borderless Network Architecture and deliver performance requirements for the next generation of WAN and network services, enabling the cost-effective delivery of high-definition collaboration at the branch office, and providing a secure transition to the next generation of cloud and virtualized network services. This white paper discusses the concept of integrated services as they apply to the branch-office router, and how they help to enable the borderless branch office for small- to medium-sized business, large enterprises and service providers offering managed services.

Get the White Paper

Tweet

By Cisco Systems

Key Highlights

• 79% of clicks on “Here You Have” email occurred within the first three hours of the worm’s spread.
• During 3Q10, 7% of all Web malware encounters resulted from Google referrers, followed by Yahoo at 2%, Bing/MSN at 1% and Sina at 0.1%.
• Exploits targeted Sun Java increased from 5% of all Web malware encounters in July 2010 to 7% in September 2010.
• The Rustock Botnet was the highest occurring ROS event in 3Q10, at 21% of events handled during the report period.
• Peak Rustock activity occurred in late August 2010, declining in September 2010.

Download the report here

Get the White Paper

Tweet

By Forrester Research

Read the commissioned study conducted by Forrester Consulting: Total Economic Impact of Cisco’s Borderless Networks.

Get the White Paper

Tweet

By Cisco Systems and Splunk

This document is for the reader who:

-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide
-Wants to connect Borderless Networks to a Splunk SIEM solution
-Wants to gain a general understanding of the Splunk SIEM solution
-Has a level of understanding equivalent to a CCNA® certification
-Wants to solve compliance and regulatory reporting problems
-Wants to enhance network security and operations
-Wants to improve IT operational efficiency
-Wants the assurance of a validated solution

Get the White Paper

Tweet

By Cisco Systems and RSA

This document is for the reader who:

-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide
-Wants to connect Borderless Networks to a RSA SIEM solution
-Wants to gain a general understanding of the RSA SIEM solution
-Has a level of understanding equivalent to a CCNA® certification
-Wants to solve compliance and regulatory reporting problems
-Wants to enhance network security and operations
-Wants to improve IT operational efficiency
-Wants the assurance of a validated solution

Get the White Paper

Tweet

By Cisco Systems and nFX Cinxi One

This document is for the reader who:

-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment -Guide
-Wants to connect Borderless Networks to a nFX Cinxi One SIEM solution
-Wants to gain a general understanding of the nFX Cinxi One SIEM solution
-Has a level of understanding equivalent to a CCNA® certification
-Wants to solve compliance and regulatory reporting problems
-Wants to enhance network security and operations
-Wants to improve IT operational efficiency
-Wants the assurance of a validated solution

Get the White Paper

Tweet

By Cisco Systems and LogLogic

This document is for the reader who:

-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide
-Wants to connect Borderless Networks to a LogLogic SIEM solution
-Wants to gain a general understanding of the LogLogic SIEM solution
-Has a level of understanding equivalent to a CCNA® certification
-Wants to solve compliance and regulatory reporting problems
-Wants to enhance network security and operations
-Wants to improve IT operational efficiency
-Wants the assurance of a validated solution

Get the White Paper

Tweet

By Cisco Systems and ArcSight

This document is for the reader who:

-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide
-Wants to connect Borderless Networks to the ArcSight SIEM solution
-Wants to gain a general understanding of the ArcSight SIEM solution
-Has a level of understanding equivalent to a CCNA® certification
-Wants to solve compliance and regulatory reporting problems
-Wants to enhance network security and operations
-Wants to improve IT operational efficiency
-Wants the assurance of a validated solution

Download this deployment guide here:

Get the White Paper

Tweet

By Cisco Systems

Over the next few years Wi-Fi networks will transition to 802.11n technology. During this time, many networks will support a mix of 802.11a/g and 802.11n clients. Because they operate at lower data rates, the older clients can reduce the capacity of the entire network. ClientLink technology can help solve problems related to adoption of 802.11n in mixed-client networks by making sure that 802.11a/g clients operate at the best possible rates, especially when they are near cell boundaries.

Find out how by downloading this white paper

Get the White Paper

Tweet

By Cisco Systems

This is a first, while this paper is not “white,” it’s a very cool one- page view of Cisco’s borderless network routers. You have to check this out:

Download Cisco’s Enterprise Routing Portfolio here

Get the White Paper

Tweet

A Comprehensive Approach to Corporate and Government Energy Cost Savings and Carbon Reduction

Being green is increasingly being forced upon IT business leaders from their management, government regulations and societal pressures. Ask a recent college grad what is the number one societal contribution they would like to make with their career and the answer is “make the world greener.” The workforce is changing worldwide with a sense of personal and corporate social responsibility to reduce carbon emissions, and choose sustainable materials and processes to power our lives and deliver products and services. And being green is no longer a luxury that IT leaders can choose as governments, boards of directors and presidential directives issue mandates forcing energy efficiency upon IT executives.

From an IT perspective, much work has been done to reduce data center energy consumption and cooling by virtualizing servers and consolidating data centers. In addition, IT vendors continually work to deliver products with increased feature sets that consume less energy. But one company in particular has taken its core competency and found a way to not only make its own products more energy efficient but everything its products touch, too. That company is Cisco Systems.

A Broader View of Energy Management

Cisco is providing tools and knowledge to IT business leaders to assist them in complying with energy efficiency mandates. And while much attention has been focused on data center energy reduction, a much larger target for energy conservation is IT and non-IT energy consuming assets that are sprawled throughout enterprise and government facilities—this means networks, personal computers, printers, lighting, HVAC, etc. But in addition to energy management of electrical device sprawl, energy consumption can also be avoided by using communication and collaboration tools such as Webex, virtual office teleworking and TelePresence. These collaboration tools allow users to work at home and engage in meetings over the web or via high definition videoconferencing versus traveling, thus avoiding dollar and carbon emission cost of travel. These concepts and initiatives are part of Cisco’s Borderless Networks Green service, one of the key network services within Cisco’s Borderless Networks Architecture.

The key concept of Cisco’s Borderless Networks Architecture is the removal of boundaries or borders that create common trade-offs and compromises IT business leaders and users have come to despise. Cisco’s Borderless Networks Architecture is comprised of five pillars that enable borderless connections of anyone, anytime, anywhere and from any device securely, reliably and seamlessly: 1) Mobility through the Motion service, 2) Green or enabling energy cost savings and carbon reduction through EnergyWise, 3) integrated network Security via TrustSec, 4) Application Performance to increase network and application agility, visibility and control with Application Velocity Network Service and 5) Video/Voice services to offer the best possible video experiences to users via the Medianet technologies. These borderless network services are delivered by core infrastructure including switching, routing, security, wireless and wide area application services (WAAS) infrastructure products. It’s the integration of these services into existing network infrastructure and their control via policy and management that enables a borderless experience to occur. In short, a borderless network eliminates friction points and user plus operational frustration associated with common IT use cases such as application access from desktop, laptop, tablet, smartphone, etc. For example, the Borderless Networks Green service enables IT executives to reduce their carbon emissions, save on energy costs, transform their business while satisfying increased IT demand. In this Lippis Report Research Note, I focus on the Borderless Networks Green service as it offers a comprehensive approach to energy management.

Borderless Networks Green Service

There are three main drivers why organizations are looking for ways to be greener—those being cost reduction, sustainability mandates and corporate responsibility. Being a green, socially-responsible organization improves corporate image, which is usually accompanied by increased revenue opportunities. And many companies are in search for effective ways to achieve operational cost savings through green IT practices, especially during the past three years given economic conditions. That is why corporate executives seek to enhance their firms’ image/brand and comply with energy reduction mandates while reducing operational costs, all through green initiatives.

To help customers achieve their green goals, Cisco’s Borderless Networks Green service exploits the network as a platform to extend green borders. This is done in three ways: 1) transform the workforce by making it more flexible with collaboration applications such as TelePresence, Webex, Virtual Office, etc., 2) enable energy cost savings with innovations such as EnergyWise that measures and manages energy usage, and 3) improve network efficiency through virtualization, consolidation plus product and system life-cycle management. As Cisco EnergyWise is a fundamental and unique green enabler, we focus on this technology first.

Cisco EnergyWise is a system-wide framework for energy management that is integrated into Cisco Catalyst switches, routers and building controllers. Every device that connects into the network can eventually have its energy managed, monitored and optimized by Cisco EnergyWise. This concept of using the network as a system to coordinate activities which provide benefits that aren’t available from a single device is a key principle of the Cisco’s Borderless Networks Architecture. EnergyWise delivers on this principle by adding energy management to Cisco’s Borderless Networks services.

Cisco EnergyWise

Cisco EnergyWise is being released in phases. The first phase was launched in January, 2009, and focused on reducing energy usage of Power over Ethernet (PoE) devices. These devices include IP phones, wireless access points, security cameras, etc. The second phase, launched in March, 2010, added the ability to control PC and laptop power. PC and laptop power control is accomplished with a product called Cisco EnergyWise Orchestrator. Orchestrator is a client-server architecture designed to scale up for large organizations. A small software client runs on each PC, collects energy usage information and allows Cisco EnergyWise Orchestrator to distribute centrally-managed, time-based energy policies to each workstation such as shut down after 6:00 p.m. and power up after 8:00 a.m. In addition, EnergyWise Orchestrator can request “on-demand” power reductions. EnergyWise Orchestrator also receives power usage statistics from PCs distributed throughout an enterprise or government facilities, which can be aggregated and displayed in different variations via its sustainability dashboard. As PCs and laptops are sprawled throughout enterprise and government facilities, Cisco EnergyWise Orchestrator is able to manage up to 60% of power used by IT devices, thus the impact of Cisco’s energy management solution is material.

Cisco is extending the reach of EnergyWise to control power of more IT and non-IT devices. The EnergyWise framework includes open APIs that enable an ecosystem of partners to offer comprehensive energy management solutions to meet customer needs of all kinds. For example, recently Cisco announced partners that allow EnergyWise to manage Smart Power Distribution Units from Schneider APC, WTI (Western Telematic, Inc.), Server Technology, Raritan and CyberSwitching. These partnerships extend energy monitoring and reporting to data centers, and expand energy management capabilities to clientless devices like printers, copy machines and digital media displays. .

Business Transformation Applications that Reduce Energy Consumption

While most, if not all, networking concerns stress energy efficiency of their products, Cisco’s Borderless Networks Green service takes this to an entirely different level through energy efficient collaboration applications that transform how corporations conduct business. Collaboration applications, such as Cisco’s WebEx, TelePresence and Virtual Office, reduce travel needs and improve productivity while achieving great in-person work experiences. Underneath these collaboration applications is Cisco’s Borderless Networks infrastructure that ensures security, availability and performance of these business applications with services such as Medianet and Cisco TrustSec.

Product Power Efficiency Gains

Cisco’s Borderless Networks Green service addresses reduced energy consumption of IT assets, such as PCs, laptops, PoE devices, and networking equipment such as routers and switches, plus collaborative applications. And while offering this broad view and tool set for IT business leaders to manage energy policy, Cisco has not taken its eye off the ball of engineering innovations and improvements in network products to ensure energy efficiency. For example, StackPower is a new innovation for the Cisco Catalyst fixed switching products that distribute power across a stack of switches in a unique and efficient way. Further, Cisco recently introduced a 48-port switch that consumes only 40 watts of power…that’s less power consumption than most light bulbs.

Virtualized Data Center Infrastructure Delivers Energy and Resource Efficiency

In addition to EnergyWise, product energy improvements and collaborative applications, Cisco’s Borderless Networks Green service extends green initiatives to the data center too via virtualization. Data center consolidation and server virtualization are solutions that help IT business leaders maximize the usage of existing resources while contributing to data center efficiency. These solutions include VMware and Cisco’s UCS (Unified Computer System). In addition to server virtualization, firewall and WAAS services have become virtualized as well as bandwidth via Storage Area Networking. Desktops too are being virtualized. All of these initiatives contribute to reduced footprint for rack space, cabling and HVAC requirements. Less power is consumed while the data center is more efficient with improved operations, thanks to more flexible use of resources and bandwidth.

Some text to space apart the download boxes

The benefits of Borderless Networks Green service are workforce flexibility and improved productivity, energy cost savings and network efficiency. While some of these improvements are difficult to measure, there are solid ROI examples. GE, for example—a Fortune 500 company that adopted Cisco’s TelePresence—reduced its travel and lodging expenses by 40% while reducing executive management wear and tear. Parque Escolar works with the Portugal Ministry of Education and was able to reduce Portugal schools’ energy consumption by more than 33% by implementing Cisco EnergyWise Orchestrator. Brunel University is saving $143,908 per year thanks to energy control of power usage through EnergyWise.

Cisco’s Borderless Networks Green service offers a range of options to manage corporate and government energy consumption, and the value/cost savings that EnergyWise brings to IT business leaders today will continue to multiply as Cisco delivers more platforms and partner devices that can be monitored and managed from centralized management applications such as Cisco EnergyWise Orchestrator or LMS. While IT executives are implementing virtualization and collaboration applications based upon their own merit, much can be gained by viewing these IT projects through a green prism. For it’s the totality of device energy management along with business transformation collaborative applications and virtualization that may very well define a modern green business.

Tweet

One significant trend that has emerged during the current business/economic cycle is that IT projects that reduce cost are winners. This savings trend is as strong as I have experienced in my twenty-five years within the IT industry. In particular, it’s propelling data center consolidation, server virtualization and mobile computing projects. As enterprises consolidate data centers and miniaturize them with virtualization, cloud-computing providers are busy offering a new lower cost IT delivery economic model. In short, a new tier of computing has emerged were endpoint devices are mobile and applications are delivered via corporate data centers and cloud computing facilities. This new model of computing that also increases convenience and productivity is lacking in one important area; network security for both mobile endpoints and the ability of data center security appliances to keep up with application demand.

And keeping up with application demand is one of the most challenging tasks IT business leaders are encountering. Not only has information demand skyrocketed during this business cycle but content in the form of web pages has become dynamic, where a single page request opens a multitude of connections pulling content from various sources to satisfy user expectations of real time information access. For example, a single web page request can easily spawn more than fifty network connections over physical and virtual infrastructure placing extraordinary demands on network speed, latency, reliability and security. For the uninitiated, just point your browser to any of these sites—disney.com, cnn.com, nytimes.com, et al—and notice rich content in action. As the page is presented, it serves up video, photos, audio, rich text and more, all of which are pulled from various sources within a data center fabric over virtual and physical infrastructure. The calculus IT leaders are seeking to solve includes massive growth in information demand plus Brownian motion traffic flows, thanks to dynamic content plus densely packed data centers, thanks to virtualization. Even with consolidation and virtualization information/application, demand is forcing the overall data center market size to expand from 108 million sq. ft. in 2009 to a projected 117 million sq. ft. by year end 2010, according to Frost & Sullivan. Part of the solution to IT leaders’ calculus problem is found in a data center network fabric that supports millions of connections/session of east-west and north-south traffic flows securely.

To put the mobility trend into perspective, Apple sold over 3.3 million iPads in its first 3 months; the highest uptake of any endpoint device. Google activates 100,000 Android-based phones per day. Cisco recently announced its CIUS android-based table for business use with tight links to its unified communications (UC) and videoconference systems. Every major UC provider will be offering similar devices while traditional computer vendors serve up android-based tablets over the next few quarters. The iPad and Android tablet is a new tier of computing, which are driving users to access applications over mobile and wireless networks in addition to their wired and VPN networks.

And therein lays the rub. In today’s modern IT world, applications are being extended over multiple networks, e.g., wired, wireless, mobile and remote, where users shift their application access back and forth between these different network access methods and expect the same or consistent experience. Security is paramount to user experience and IT asset protection. While IT security executives have fortified their defenses of IT assets within corporate boundaries or perimeters, exponentially growing numbers of mobile endpoints being connected into corporate networks and data centers present significant security challenges that are unfortunately outside the control of IT.

The nature of mobile smart phone endpoints is to combine personal and business IT services, thereby creating a unique user experience. Part of that experience includes information access from a plethora of online destinations, such as public WIFI hotspots, SaaS applications, e.g., Salesforce.com, workday.com, netsuite.com, etc, corporate VPN, and a wide range of personal sites for social networking, banking, music, videos, news, communications, etc. Therefore, for every employee equipped with a mobile endpoint, security vulnerabilities and threats are opened unless IT mitigates with network security. Clearly mobile devices are becoming ubiquitous, and there are security solutions available, such as VPN support, data wipe after loss, cloud-based security services, etc. But mobile devices need a security solution that works in real time, meaning it’s always-on protection and provides comprehensive coverage.

For example, mobile endpoints, and thus corporate assets, need to be protected from users accessing the corporate network from insecure home WIFI networks and hackers. Internal applications need to be secured against attacks such as SQL injection/data leakage, request forgery/impersonation, cross site scripting/phishing, etc. SaaS access needs to be secure against unauthorized access, exposure from password reuse, layer 7 attacks and more. Also the same level of reporting for mobile users as wired users needs to be supported to assure activity/audit trail, regulatory compliance plus governance and reporting. In short, IT needs the same level of control over mobile endpoints as it does over devices within the corporate perimeter without ruining the mobile experience.

Mobile Endpoint Policy and Enforcement

The most important aspect of real-time mobile security is policy enforcement as it places control of corporate asset and SaaS access back into the hands of IT. Not only does policy and enforcement mitigate threats from being transmitted from mobile endpoints onto corporate networks, it makes them safer devices, too, by providing a means to adhere to corporate policy as corporate devices, even though they are used for business and pleasure. This is important as many mobile devices are purchased by employees, part of the huge consumerization trend that has been building over the last five years. With IT able to administer policy with a means of enforcement, mobile devices can deliver personal and business IT services. Employees may purchase mobile devices but if they require access to corporate IT, then the endpoint has to comply with corporate policy and IT needs a means to enforce such policy. In short, policy and enforcement enables IT to extend the corporate perimeter around mobile devices to creating a virtual perimeter around IT assets.

Consider the following example of policy and enforcement creating a virtual perimeter… A user may be accessing an SaaS application while at his/her desktop. This flow traverses the corporate firewall with associated policy and enforcement. When this user is outside the corporate perimeter, he/she could access the SaaS application directly without corporate policy or enforcement opening vulnerabilities. However, with mobile policy and enforcement, this same user could access the SaaS application with the same policy, enforcement and protections as available when within the corporate perimeter mitigating any vulnerability. Solutions to this usually require the mobile device to first pass through the corporate firewall or a security cloud service where IT controls policy before the user connects to the SaaS application.

New Security Performance Demands

With mobile endpoints under corporate IT policy and enforcement, this huge security vulnerability can now be managed and mitigated. At the same time that mobile devices are becoming ubiquitous, data center security appliances are failing to keep up with the huge demand for information and application access. As more compute power is concentrated into smaller spaces, traffic volume increases exponentially, and security appliances need to adjust accordingly.
Consider how web sites serve up a rich media web page. Every time a user requests a webpage, its server typically needs to request 50 to 100 different objects just to display the one webpage requested. Now consider a data center with thousands of servers and five-thousand connections per second of requests each spawning 50 to 100 server requests. The backend east-to-west traffic flows between servers are one to two orders of magnitude larger than the north-to-south user request flows with the combination of both flows being immense.

New Firewall/IPS Performance Metrics Needed

From a security point of view, not only is firewall throughput an important performance metric, but “connections per second” is becoming more important. A high number of “connections per second” supported assures IT that backend server flows are being screened without delaying user experience. In addition to the number of connections per second, another performance measurement is “maximum connections” supported per second to assure that the number of server-to-server flows to deliver a webpage can be securely delivered. The combination of throughout, connections per second and maximum number of connections can be defined as “true scale performance.” Typically a firewall can deliver hundreds of thousands of connections per second, but this is too slow for most demanding data centers by at least a factor of 2 to 3. Typical maximum number of simultaneous connections supported per firewall is around a few million, which is too low by at least a factor of 4 to 6. Also consider a more realistic throughput measurement other than a range of UDP packet sizes, which is common in the industry. Real world throughput performance numbers that represent a mixture of traffic profiles is a better measurement to assure throughout quoted is throughput experienced.
In addition to raw security performance, data center rack space too needs to be carefully managed as IT executives quickly start running out of rack space as they consolidate. Security appliances need to reduce their footprint as many appliances occupy 16 to 24 RU or a half rack of space and more consuming footprint, energy and cooling resources. Expect security appliances to start delivering on the above performance metrics at up to an 8th of their size or 2 RU high if not smaller.

Threat Protection

To assure this security infrastructure protects IT assets at the rate in which cybercriminals and hackers wish to penetrate it, the industry is serving up cloud-based threat protection. A few suppliers have launched cloud-based security services, which collect anomalistic data throughout the internet and corporate networks via sensors, analyze/correlate the anomalies with reputation scores and when a new exploit’s signature is detected, the cloud transmits mitigation code/signature updates to corporate IPSs. The speed in which this process takes place is a competitive differentiation. Those that send updates every five or so minutes have the best chance of mitigating exploits from cybercriminals which tend to change IP address every hour to avoid detection. IT business leaders will know when cloud-based threat protection becomes highly reliable. It’s at that point that suppliers will start offering “guaranteed protection” that incorporate penalties to suppliers if protection is penetrated.
Policy and enforcement of mobile devices creates a virtual perimeter while true scale performance enables security appliances to keep up with application demand and new traffic flow realities. Smaller security appliance footprint allows IT executives to maximize data center space while minimizing energy and cooling. Cloud-based threat protection keeps the security infrastructure updated in near real time with signatures to mitigate threats throughout the corporate and virtual perimeter. In short, IT business leaders gain control and manage mobile security vulnerabilities while delivering applications to users securely at speed with small footprint consumption. Mobile, data center consolidation and virtualization plus cloud computing are powerful trends rooted in economic efficiency and increased information demand. To maximize the value of these investments, a new security model is needed.

Tweet

By Nicholas John Lippis III

Network access has evolved rapidly as IT business leaders have embraced new network technology. Access methods such as wired, Wireless Local Area Networks (WLANs), and mobile plus Virtual Private Network (VPN) methods have flourished over the past business cycle. In addition, a plethora of new endpoint devices have emerged using multiple access methods. But all of these network access approaches have evolved at different rates resulting in siloed networks that do not interact with each other, thus increasing IT operational cost and decreasing application portability and flexibility with user experience suffering. In this paper, we offer a new unified approach to network access that is based upon a thoughtful five-phase method to enable IT business leaders to simplify management, increase user experience and decrease operational cost.

Find out how to eliminate network silos by downloading this white paper:

Get the White Paper

Tweet

By Nicholas John Lippis III

Information flow precedes cash flow, and in the Global economy, networks and applications deliver intrinsic value to both. The huge investment in corporate application portfolios has never been optimized in a holistic manner, rather each application or suite of applications is optimized via specialized management tools. In today’s corporate world, IT business leaders are faced with increasing application performance demands for both legacy and new cloud-based applications to deliver excellent user experience while contributing to corporate agility. In this paper, we offer a new holistic network service approach to application performance optimization called Application Velocity.

Find out how to increase application performance by downloading this white paper:

Get the White Paper

Tweet

Major IT Delivery Transitions IT Business Leaders Are Managing
Application owners and developers have been deploying and writing applications as if networks had no boundaries or were borderless. By “application owners” I mean IT departments chartered with IT application delivery and management. By “application developers” I mean in-house corporate software developers, independent software vendors (or ISVs) and software companies. There has always been a disconnect between applications and network architects where developers write applications to run over a network as long as there is connectivity. In addition, service-oriented architecture (SOA) based applications call for greater application componentization, which increases messaging between application components, resulting in the network having a direct impact on application performance. In essence, application owners, developers and application standard bodies assume that networks are borderless as the industry is organized around the OSI model where knowledge and skills at one layer, e.g., the network is not necessarily taken into account at another layer, i.e., the application. Therefore, the normal state of affairs is that network designers have been tasked to optimize applications to improve user experience especially when the application was not written to run over a particular kind of network. This status quo does not scale and needs to be re-thought.

Business Drives Applications that Drive Computing that Drive Networking

Every cycle of computing has brought with it this discontinuity between applications and networks with the possible exception of mainframe computing and SNA. Minicomputer applications designed for local ASCII terminal connections were extended over the Wide Area Network (WAN) and via virtual terminals. Client-server computing applications designed to run over Local Area Networks (LANs) were extended over the WAN. At first the internet was text based until the mid 1990s when the web was developed, bringing graphics, audio and video to a network that needed a massive upgrade to support new media rich applications.

IT today is no different. Application developers are writing mobile applications at a frenzied pace thanks to Apple’s iPhone and iPad, Google’s Android, RIM’s Blackberry and now Cisco’s CIUS plus Avaya’s Flare, etc. Legacy enterprise applications are being extended to mobile platforms too with the assumption of a suitable network for delivery. At the same time, applications are being increasingly centralized into consolidated data centers creating greater distance between users and their applications plus data. Some estimate that over 80% of enterprises have undergone a data center consolidation process, which is significant, but we are just at the beginning of the centralization trend.

Thanks to the economics and performance offered by server virtualization, much more consolidation will occur with associated challenges. For example, IT leaders require application tracking as applications are moved from Virtual Machine (VM) to VM as they tune/optimize their virtual infrastructure or respond to peak loads as well as manage VM failovers. In addition to virtualization, massive data centers we call cloud-computing facilities are being built to host applications at scale plus offer infrastructure, platform and other IT services. According to the Yankee Group, 56% of IT business leaders seek to take advantage of cloud-computing technology and build their own private cloud center while 24% seek a fully-managed cloud-computing facility. In the same study, 32% of IT business leaders will seek a hybrid cloud approach that is, connect their private cloud to a service provider’s public cloud. While these market numbers are impressive, they could be much higher as IT leaders express that their top three concerns as they consider cloud services is application performance issues, according to IDC.

In addition to increased mobile and cloud-computing trends, video communications, both on-demand and real-time, have become the largest percentage of internet traffic type. In fact, Cisco Systems recently predicted that by 2014 video traffic will be greater than 94% of all global internet traffic!

This disconnect between applications and network architects will more than likely continue as application owners/developers/standards continue to view networks without borders and boundaries. However, for most network architects, there is no single network, but a wired network, wireless, campus, wide area, data center, branch office network, telecommuting network, mobile network, etc. In fact, most enterprises have a diverse infrastructure in which they are tasked to delivery applications over and for those applications to perform at high standards. The good news is that network designers and architects are starting to build borderless networks that anticipate unforeseen application changes, are equipped with a portfolio of application performance features and simplify deployment and management of IT services…more on this below.

Application Performance Challenges

From the above discussion, it’s clear that enterprise-computing applications are being demanded and stretched over increasingly borderless networks. Consider that the number of small or remote offices and mobile employees are increasing significantly. It’s impossible to argue the mobile computing surge with over 3.3 million iPads shipped in the first three months of its launch, and new entrants such as Cisco and Avaya offering CIUS and Flare tablets, respectively, for business users. In addition, data centers are being consolidated with cloud computing, offering further consolidation and centralization of applications. Applications are changing too as developers add rich media features, and video becomes a dominate application type. Employees, customers, partners and suppliers will be accessing applications over ever-larger distances, via a plethora of endpoints and different networks.

To assure applications perform their task and deliver an excellent user experience, network architects and designers will be increasingly challenged with network capacity being taxed as a wider application portfolio competes for network resources. Today’s model of application performance optimization is to implement appliances within remote sites and data centers, which increases certain application performance, but at the high capital and operational expense of increased network complexity. In addition to network capacity and complexity issues, latency or application transaction delay and how to efficiently utilize data center resources are challenges faced by network architects as they seek to maintain high application performance over a borderless network. Relating specific application transaction problems to network behavior to ascertain if a correlation exists is yet another challenge.

Application Performance Creates Corporate Value

At the center of application performance is corporate performance. The ability of IT leaders to respond to executive management directives is directly linked to corporate performance. Executive management may be challenged with a competitive threat or a new market opportunity, etc., requiring fast corporate response. IT leaders who can execute directives quickly have built an agile business capable of changing when markets or customers shift under them, placing their corporation in a better competitive position to serve its customers and prospects. For example, consider a retail store under competitive pricing pressure where executive management decides to respond with an alternative offer. IT may be able to display the new offer via digital signage quickly allowing the business to respond.

Key to business agility is the IT attribute of rapid innovation absorption–that is, the capability to deploy new applications and technologies at the speed of business opportunity. Most IT infrastructures consist of innovation and features which are already in place, but IT organizations require knowledge, skills and tools to put them to work when needed.

A borderless network that is capable of application performance delivers these attributes of innovation absorption and business agility. In addition, IT resource utilization can be optimized, and most important to users is that they gain an excellent IT experience independent of geographic location, endpoint device or application, which in the end improves productivity.

As an example of optimal resource utilization, consider Cisco’s ISR G2 branch office router that integrates unified communications, wide area application optimization, network security, LAN/WAN networking plus supports its AXP (or Application eXtension Platform), which run applications at the branch office router. In one branch office, an IT manager can deliver networking, security, voice and video communications and host applications while gaining visibility to applications. This type of resource utilization not only saves on capital cost and energy spend, but offers IT operational efficiency, rapid application deployment and innovation absorption.

To gain the full value of corporate applications, their performance must deliver excellent user experience. An excellent experience should not only occur while working in the office or at home, but anywhere in between, even while talking on a mobile endpoint. Independent of geographic location, a user accessing his/her business services and/or personal services should be the same seamless experience. Application performance is key to excellent experience and should be consistently good whether sitting at a desktop watching a video or engaged in a Web conference, and then immediately transitioning to an iPhone for example. The user should have an excellent experience at the highest level afforded by his/her endpoint. To deliver this seamless user experience, application performance technology needs to be incorporated in corporate IT infrastructure, endpoint devices or a combination of both.

That is, networking silos need to become an integrated network without borders. For applications to offer the best possible user experience, then the use of application acceleration technology as appliances or an overlay needs to be integrated into the network fabric and into network operating systems. This technology, which has improved application delivery for specific applications, needs to become systemic and fully distributed throughout the network fabric. The integration or pervasiveness of application acceleration technology within networks and endpoints is its natural evolutionary next step. Over the next few months we’ll see vendors such as Cisco, HP Networking, Juniper, Riverbed, Citrix, Blue Coat, et al, start to deliver on this vision.

Tweet

Networking is entering a new phase or era. During the 1990s, new networking markets opened up, creating multi-billion dollar opportunities for the vendor community and corporate cost savings for IT business leaders. First, it was shared LANs and routing, then switched LANs, then Frame Relay to speed up WANs, then SNA over IP, then remote access via dial-up and VPN, then MPLS, then IP telephony, then Wireless LANs etc… and now, it’s video and cloud networking. You get the picture. But what we didn’t realize as we build these networks is that they are silos with disparate management systems and unique access methods resulting in operational cost overlap and, most importantly, user frustration as they transition application use from desktop, to mobile end point, to remote endpoint. In short, we built boundaries around applications in the form of networks and it is the dismantling of these borders that vendors are now starting to deliver and differentiate upon. It’s not just Cisco that communicates borderless networks, but HP Networking, Juniper, Brocade, Extreme, Avaya, Force10 and others too. Why is the industry entering a new age of borderless networking and what’s in it for IT business leaders, is explained in this Lippis Report Research Note.

As each new wave of computing entered corporate IT departments, a new set of networking requirements arose. To connect remote 3270 terminals via SNA to mainframes, IT implemented an analog multipoint wide area network or WAN. To connect remote ANSI terminals to minicomputers, IT departments implemented pools of dial-up modems and private line WANs. To connect personal computers (PCs) via Client-Server computing, IT departments implemented Local Area Networks or LANs via LAN switches, which we now call wired connections. To connect multiprotocol LANs over the corporate WAN, IT departments implemented routed networks. To gain access to LAN based applications while remote, IT departments implemented Virtual Private Networks or VPNs. And, as computing and applications go mobile, IT has been implementing Wireless Local Area Networks or WLANs. In short, each network was deployed to service a certain computing style and application set. These networks are silos, and with advances in technology, IT business leaders can now design one borderless network to provide a broad array of common access methods to support a plethora of endpoints and applications.

Siloed networking frustrates users, as each access network performs differently depending upon its access method. Siloed networking also frustrates IT, as each siloed network has its own management system creating inefficient IT operations. In addition, siloed networking does not meet today’s IT “any access” requirements.

There are boundaries or silos that need to be broken down in many places of the network. In today’s modern IT world, applications are being extended over multiple networks e.g., wired, wireless, cellular, remote, virtual, etc where users need to shift their application access back and forth between these different network access methods and expect the same or consistent experience. In short, networks need to be borderless so that applications can be accessed independent upon network entry point and IT operations efficient. This “any access” trend is accelerating as IT business leaders seek to connect not only traditional desktops and laptops, but smartphones, notebooks, tablets, iPads, cameras and building control systems into a common general purpose network that support multiple logical network topologies.

Crossing purpose-built silos is difficult for applications, as bandwidth and quality of service issues limit application portability thus their usefulness. These different access methods offer limited consistency resulting in user frustration when they shift application access from desktop to mobile smartphone to VPN and back again.

And this shifting of application access between different networks and endpoints is only going to increase. Apple sold over 3.3 million iPads in its first 3 months, the highest uptake of any endpoint device. Google activates 100,000 Android based phones a day. Cisco recently announced its CIUS android-based table for business use with tight links to its unified communications (UC) and videoconference systems. Every major UC provider will be offering similar devices while traditional computer vendors serve up android-based tablets over the next few quarters. The iPad and Android tablet is a new tier of computing which will drive users to access their applications over mobile and wireless networks in addition to their desktop and VPN networks.

If IT business leaders are unable to get ahead of this curve and think of network access from an architected and unified design point of view, than unfortunately, their users and IT cost will be more frustrated and expensive, respectively, than others. Siloed networks are friction points as they create boundaries between network access types degrading user experience, which results in decreased productivity and increased IT operational cost. The result is a high total cost of ownership and less then optimal user experience, and thus decreased corporate productivity. The status quo of siloed networking is about to change.

Cisco’s Borderless Network Architecture

From a design point of view, borderless networking requires three core attributes: 1) reliability, 2) security and 3) seamlessness. Cisco was the first to articulate a vision for borderless networks, which has resonated with IT business leaders as it represents a solution to their pain. For example, Cisco’s borderless network architecture is built upon five services: 1) mobility or users in motion, 2) Energy efficiency called EnergyWise, 3) integrated network security via its TrustSec architecture, 4) application performance and 5) video management, control and distribution via its MediaNet. These borderless network services are built within switching, routing, security, wireless and wide area application services or WAAS infrastructure products. It’s the integration of these services into existing network infrastructure and their control via policy and management that enable a borderless experience to occur.

Juniper’s New Network

But Cisco is not the only supplier to grasp the problem siloed networks create. Juniper Networks is working to a similar end, albeit it hasn’t articulated it well. It provides VPN, LAN Switching, mobile security through its acquisition of SMobile and is working toward a flat cloud Ethernet fabric through its project Stratus and New Network initiatives. For example, Juniper plans to integrate SMobile security into its JUNOS Pulse endpoint software for network connectivity and acceleration breaking down the boundary between LAN based and mobile network access.

HP Networking’s Converged Infrastructure

When HP Networking launched its comprehensive network portfolio in April of this year it emphasized the elimination of network silos. The HP Networking portfolio strives to eliminate redundant equipment by integrating wired and wireless environments with security from edge to core. From an IT operations perspective, this translates into a “single pane of glass” for management, configuration, deployment and monitoring these networks as if one. HP Networking hopes to implement a common policy management to reduce human error of network operations while creating a consistent user experience across access mediums.

Brocade One

Brocade has jumped on the borderless bandwagon also in June of this year with the introduction of its “Brocade One”. Brocade One emphasizes the convergence of wired, wireless and cellular networking to offer a seamless user experience. In addition, Brocade One describes its view of a simplified virtualized data center network fabric that scales to cloud spec. In essence, Brocade One is about eliminating the boundaries around wired, wireless and data center networking.

Arista Network’s VM Tracer

Arista Networks doesn’t use the terminology of borderless networking either, but its recent VM Tracer strives to eliminate the boundaries between physical and virtual networking environments. VM Tracer does this by being integrated into Arista’s EOS linking Arista switches to VMware’s vCenter. This linkage creates an adaptive infrastructure in which the network responds to changes in the VM network while also providing complete visibility into the virtual machine network.

Extreme’s DirectAttach

Extreme Networks has focused on removing two network boundaries; the wired and wireless boundary and the physical to virtual network boundary. For the latter, Extreme has introduced its Direct Attach approach to data center networking that eliminates the virtual switch layer, simplifying the network and improving performance.

Force10’s Open Automation

Force10’s focus in eliminating boundaries is in the data center between physical and virtual networks. Force 10′s Open Automation initiative seeks to align dynamic data center changes with network configuration and policies, a huge barrier to virtualized data center management and scale.

While each of the above suppliers are at different points in their borderless network initiatives, the direction is clear. The boundaries between siloed networking are coming down be it in the data center, campus, branch office or home. For IT business leaders this means simplified operations and management as a key attribute is the “single pane of glass” approach to network management for siloed networks. The big surprise and delight will be found in enhanced user experience, as borderless networking strives to deliver a common access method for all networking types while enabling applications to be extended across a plethora of different endpoints, depending upon endpoint capabilities and network resources.

In essence, borderless networking’s value proposition is that it enables a corporation to be more adaptive or agile while increasing user experience and reducing operational cost. With the majority of IT business leaders trading off reductions in operational spend for an increase in capital expenditure, borderless networking is the right solution at the right time.

Tweet

By Infonetics

In this white paper, Matthias Machowinski of Infonectics Research describes how network borders came to be. He then describes Borderless Networking and its associated attributes plus benefits. A checklist to aid in the implementation of a borderless network is then provided.

Download this white paper now and learn how to get started with borderless networking.

Get the White Paper

Tweet

By Cisco Systems

Traditional security techniques are unable to respond to threats that can arise from anywhere. To protect today’s borderless networks, IT managers must adapt by implementing faster, smarter security measures that monitor the constantly changing global landscape. This white paper, written for IT managers and executives, examines the security risks and needs of borderless networks, details a systematic plan of action, and describes how Cisco can help implement threat defenses that will serve you today and for years to come.

Find out how by downloading this white paper

Get the White Paper

Tweet

By Cisco Systems

We work, live, play, and learn in a world that has no boundaries and knows no borders. We expect to connect to anyone, anywhere, using any device, to any resource—securely, reliably, transparently. That is the promise of borderless networks. To fully deliver on this promise, Cisco is advancing along three critical fronts: workplace transformation, technology leadership, and operational excellence.

Get the White Paper

Tweet

With all the investment in IT security over the years, one would think that threats would have subsided; but they have only increased and largely increased with exploits and iframes (redirection on a reputable website to infect its visitors) up nearly by a factor of 2000 over the past two years. This has resulted in an increase in data theft Trojans over the same period by a factor of 6000, according to the 2009 ScanSafe Global Threat Report, enriching hackers and cybercriminals. What’s driving this exploit growth is that hackers and cybercriminals are automating successful techniques for mass website infection. In addition, hackers increasingly collaborate, sharing best practices to infect websites for personal gain. In short, IT and business leaders are not confronting individual hackers, but a community of cybercriminals working together to steal corporate data that is increasingly organized as a traditional business with suppliers, resellers and end users. And this community’s opportunities to attack individuals and corporations have only increased with the huge growth in mobile access and deep corporate reliance of web-based applications to automate business processes.

IT leaders, especially those in small- to medium-sized companies are at a disadvantage with limited and even decreased IT staff and capital budgets, making it difficult for them to keep up with an ever-increasing volume of threats and complex exploit profiles. To mitigate these fears and concerns IT leaders have been turning to Cloud Web Security offerings by Cisco, BlueCoat, Websense, McAfee and others. While limited at first to URL filtering, Cloud Web Security is becoming sophisticated enough to identify threats by analyzing content in a contextual basis. Further, Cloud Web Security is in essence a SaaS offering affording on premises and mobile threat defense by extending a corporate perimeter around its mobile workforce.

The Web has become fundamental to business and the overall economy. The use of the internet has evolved from a static research tool to a dynamic communication platform, with corporate revenue directly linked to Web availability. Second, Web access is wide and varied in terms of end-points used, be it desktops, laptops, netbooks, smartphones, kiosks, etc., and networks providing access such as corporate networks, broadband, WLAN, hotspots. From a security point of view exploits infect corporate IT assets primarily through malicious content on web sites, email and blended email/web combinations. The Web will be used increasingly as the threat vector of choice by hackers and cybercriminals to distribute malware and perpetuate identity theft, financial fraud, and corporate espionage. As networks have become borderless, security vulnerabilities have increased by opening up doors or entry points that hackers can exploit, be those doors end-point devices, web sites, bad sections of web sites, applications, email, etc.

To mitigate these vulnerabilities IT leaders have deployed Web Security services in their enterprises in an effort to control which web sites employees’ access. But with the huge growth of laptops and smartphones, Cloud Web Security has been introduced beyond the corporate perimeter to protect all users and mobile devices too. Cloud Web Security threat prevention is getting much smarter by incorporating both content analysis with context offering, a powerful defense against zero-day exploits for all users regardless of location.

Cisco ScanSafe

To make these points, I focus on Cisco’s Cloud Web Security offering through their acquisition of ScanSafe. Prior to Cisco’s acquisition of ScanSafe, IDC’s “Worldwide Web Security 2009-2013 Forecast and 2008 Vendor Shares” ranked it as the worldwide market leader with over 30% share with Websense in second place at 7%. ScanSafe’s suite of services includes Web Malware Scanning, Web Filtering and Anywhere+ for roaming user protection. Unlike other solutions, which rely on URL databases and signatures to filter and identify malicious sites, ScanSafe, through its Outbreak Intelligence engine scans all Web requests in real time, so IT leaders receive comprehensive protection from all threats, including threats that appear before an anti-virus signature is available – and that’s a huge advantage.

What’s unique about Cisco ScanSafe is the sheer volume of data – billions of web requests daily – it processes for threat identification. The visibility gained from ScanSafe is also fed into Cisco’s Security Intelligence Operations (SIO) that incorporates data from IntelliShield, SensorBase and the huge footprint from participating Cisco customers who have opted into send their IPS appliance security data to SIO, creating the largest threat collection network on the planet. SIO’s broad threat collection and exploit mitigation dissemination will only increase the accuracy of the entire Cisco security portfolio, including ScanSafe.

Since ScanSafe is a Cloud Web Security service consisting of over 15 data centers deployed across the world, access is independent of geographic location. In essence a user connecting to the Web will have their traffic pass through one of ScanSafe’s data centers. In the ScanSafe data center the requested Web page is split into its basic components such as Java, PDF, Windows EXE, etc., and scanned within an analysis engine called Outbreak Intelligence for zero-day exploits via twenty-six specialized scanlets. The output of the scanlets is processed by a meta scanner that processes contextual information to decide if the content should be blocked or allowed to pass. This process of content scanning takes less than 5ms assuring user performance is not impeded. What’s impressive about ScanSafe is its scale. It sees billions of web requests per day and all of this scanning and filtering of traffic is captured within Outbreak Intelligence that provides real time harvesting of data that allows it to identify and stop an exploit well before anti-virus vendors can produce a signature and propagate it to their customers.

Signatures Defense Is Not An Effective Zero Day Threat Mitigation Technique

For example, during the Zeus Botnet and Gumblar exploit ScanSafe was blocking these exploits from propagating to clients well before anti-virus firms developed and distributed a signature. This lapse of time between exploit identification, signature development and mitigation is reduced to zero in ScanSafe’s Outbreak Intelligence, offering a much better approach to defense. Consider Gumblar, which first spiked near the 16th of April 2009 and took anti-virus vendors nearly a week to develop a signature, all the while ScanSafe was blocking it from clients. After anti-virus vendors released a Gumblar signature Gumblar traffic did indeed decline, but the hacker modified his/her exploit and near the 23rd of April Gumblar spiked again forcing the anti-virus vendors to identify it, analyze it, write a new signature and finally distribute it. During this time ScanSafe had been blocking the mutated Gumblar from its clients. This cycle continued for nearly six weeks starting from threat outbreak and included four hacker mutations and subsequent signatures until the anti-virus vendors delivered consistent protection.

The above is an example of ScanSafe’s ability to detect and block exploits in scale. The more content ScanSafe’s data centers scan the smarter its Outbreak Intelligence gets. This is important for two reasons. First in this market the suppliers with the largest market share are rewarded with the greatest visibility into exploits and thus offer the quickest and most potent defenses. Thus with its dominant share ScanSafe has a level of threat visibility that allows it to accurately and quickly mitigate exploits. Second since ScanSafe is a cloud-based service it can deliver a solution for on-premise and mobile users quickly and easily. This combination is not only powerful for large enterprises but for small- to medium-sized business as well, where IT skills and capital constraints had precluded them from offering the same protections as larger firms, until now. In fact the small to medium enterprise (SME) market can offer its employees the same level of protection as large enterprises when using ScanSafe.

ScanSafe’s data centers not only offer scale of processing but fault tolerance and redundancy are built into their design so that in the case of a data center outage, the data center that’s nearest in proximity is equipped with enough capacity to support all users without negatively impacting performance. ScanSafe has a track record of 100% availability over the past 7 years. For traveling mobile users their protection follows them anywhere in the world. For example a traveling mobile worker may deplane in Singapore connecting to the ScanSafe Singapore data center, but upon arrival in the U.K. the London data center will service this mobile user so that his/her policy is consistent worldwide while performance is maximized.

Reporting Is A Key ScanSafe Differentiator

ScanSafe reporting is arguably the most detailed in the market at analyzing web security threats and offers depth unattainable by enterprise system thanks to its position in the cloud. There are over 5000 customizable reports with 75 reporting attributes and 11 categories with comprehensive drill downs. This reporting flexibility allows administrators to define important data too. There are virtually no report design restraints offering great insight and visibility into web activity. The reports are based on a data warehouse infrastructure providing cumulative, trending and forensic reports being processed and maintained by ScanSafe’s storage, compute and network infrastructure. Its reporting is SaaS-based, meaning that IT leaders do not need to purchase or run reporting software on-premise. Reporting is key as IT leaders are provided with visibility for both on-premise and off-premises Web usage, offering them tools for charge back, forensics, application planning, etc.

Consistent or Different Policy

Policy is an enabler for IT leaders to gain control over Web use by in office and mobile workers. ScanSafe delivers IT leaders control knobs over content such as URL filtering, dynamic classifications of websites, end-user education through threat labeling of search engine results before employees click on links plus other traditional policy settings. In addition, ScanSafe’s Anywhere+ allows IT Security leaders to set flexible on- and off- premises policy. For example, in-office employees may have policy set for both acceptable use and malware prevention; however, off-premises employees may have policy set for malware prevention. As Anywhere+ becomes integrated with Cisco’s AnyConnect client, this capability will be pushed to the millions of users that use the AnyConnect client. Providing a consistent policy framework for on- and off-premises is a work in progress at Cisco, but they do have the product breadth to deliver on its implementation.

Cloud Web Security has primarily been focused on URL filtering as its primary control. But URL filtering has become less effective as a control or security technique due to large quantities of dynamic content delivered over the internet. URL filtering schemes are unable to identify different types of content within pages especially within Web 2.0 sites. This is where content analysis has blossomed as an accurate approach to identify every component of web page content that is attempting to traverse a corporate firewall or reach a mobile end-point independent of website categorization.

Cloud Web Security offerings are delivering a network approach to zero-day exploit mitigation that is faster and more accurate than traditional client-based anti-virus signature approaches. Cloud Web Security offerings that are based upon content analysis with a contextual basis are best positioned to mitigate exploits. As these offerings are cloud-based their use is naturally extended to static and mobile locations offering protection to both desktop and mobile users with consistent reporting and customizable policy creation. Another large benefit is that Cloud Web Security solutions are well within the reach of small- to medium-sized businesses, offering these firms an effective way to close the gap between effective defense and budget plus staff limitations. Cloud Web Security should be considered as part of IT’s overall arsenal to defend workers and corporate assets from hacker and cybercriminal threats.

Tweet

No matter where you look today the structure of IT is fundamentally changing. Applications are increasingly being accessed from mobile devices along with traditional laptop, desktop and even kiosk machines. SaaS has taken off and is far more prevalent than most executives realize as they are acquired by line of business and divisional budgets, leaving many IT leaders blind-sided and out of control with their relevance coming into question. As a result corporate application portfolios are shifting in their mix under IT leaders from one of total control to partial control to none. In short, IT leaders are finding that the largest application growth in their corporation is coming from outside of their traditional perimeter and with no control knobs. In essence applications and networks are becoming borderless.

While borderless networks offer productivity improvements allowing work to follow individuals, IT leaders are concerned about its security implications, that being are corporate assets secure when applications are being accessed and used within and outside of corporate perimeter? Can IT leaders deliver the ease of use afforded by borderless networks securely? In this Lippis Report Research Note we review Cisco’s New AnyConnect approach to securing mobile devices, which promises invisible use along with safeguards, visibility, control and relevance for IT security leaders.

With mobility comes productivity. As users work anywhere through a wide range of devices or end-points business productivity accelerates. This has been the case with every cycle of computing, from mainframes, minis, PCs, internet-connected PCs to now mobility; a correlated significant jump in productivity at a macro-economic level occurred and the mobile computing cycle will be no different. But to cease this productivity IT leaders need to be comfortable with mobile computing security. And they do have a lot to be concerned about as securing a plethora of different devices accessing both corporate and Web/SaaS applications from a vast array of locations and network access methods is a challenge.

Three major mobile computing themes stand out:

Theme one: Increase Productivity: IT business leaders need employees to be productive, so they provide access to information, making that access as seamless as possible so employees obtain the tools they need and information they require to do their jobs. A central component to this is providing consistency between out-of-office and in-office IT experience.

Theme two: Deliver Mobile Security: Many IT leaders feel this way: “I built all of this infrastructure to protect my users when they’re sitting within the organization. When they leave and are remote what is protecting them and corporate assets? I protect them eight hours a day, then they go home with their laptop and get infected for 16 hours.” In short a disproportionate amount of security investment has been made within the corporate perimeter that needs to be extended to remote and mobile access.

Theme three: End-point Agnostic: Consumerization of the enterprise is forcing IT business leaders to not only support traditional remote devices such as laptops, but also IPhones, Android, Blackberry, netbooks and other end-points that are on the horizon such as the iPad. Consumerization is focusing IT business leaders to deliver seamless network access with always-on security and protection across a broad array of devices to enable business productivity.

Securing Mobile End-points With Existing Defense Techniques
From a security point of view, IT defense for mobile devices share many of the same concerns as securing fixed end-points. Unique to mobility is the security issue of lost mobile devices/end-points. To address this concern IT leaders typically need complementary product that can enforce PIN locks/encryption and support remote data wipe. Common to mobile and desktop security are concerns with acceptable use and threat protection. Malware plus web-based threats have spiked over the past 18 months, increasing threat awareness as business press coverage of exploits have expanded. IT leaders have data security on the top of their minds too. Therefore, access control, threat protection, data security, etc., are common security concerns to fixed and mobile computing with IT leaders and vendors seeking to expand/extend existing defenses to this new wave of computing.

Legacy VPNs Too Cumbersome: A New Generation of Remote Access Emerges
Clearly existing technologies such as Virtual Private Networks (VPN) is a remote access approach that seeks to provide a solution to mobile computing, but it falls short. The challenge with legacy VPNs is its cumbersome use model with multiple boxes to check, tokens and keys to exchange plus certificates to obtain. The process is not transparent and as a result is too painful to use resulting in legacy VPNs use only when absolutely necessary. This use difficulty is both a lost productivity opportunity and security vulnerability.

The vast majority of time a user is outside the corporate network its end-point is unconnected to that network and thus largely unprotected and invisible to IT. Laptops in essence have no security except perhaps a desktop anti-virus (AV) client, which is becoming less and less effective over time due to signature-based defenses lagging exploit propagation. Connectivity may even be so rare that end-points spend much of their time out-of-compliance on patch levels. SaaS makes the problem even worse. Many use SaaS applications such as Salesforce.com, et al., to conduct business-critical or business-relevant tasks by simply accessing these sites over the internet where IT doesn’t have visibility let alone control over these sessions. Most don’t use VPNs to access SaaS applications, which would route traffic through the corporate network, due to the use hassle.

With corporate applications having moved rapidly to both HTTP/Web/SaaS web security is an increasing threat breeding ground that requires a new defense model. There are web security solutions in the market such as Websense and BlueCoat, but their current models are limited to URL-filtering clients, which enforce approved URLs to each end-point. Further, their current operating system support for clients is limited to Windows XP omitting MAC OS X and smartphone mobile platforms. And while URL-filtering does provide limited acceptable use and malware security it does not address data loss, access control and thus full threat prevention, particularly given the nature and mechanism used by hackers to propagate threats today.

Enter Cisco AnyConnect Secure Mobility

To address mobile computing, Cisco has announced its Cisco AnyConnect Secure Mobility to combine access control and web security, which in essence creates a flexible perimeter around a corporation’s mobile end-points providing them the safeguards and security that desktop systems enjoy behind the corporate firewall. AnyConnect Secure Mobility combines Cisco’s AnyConnect client, Cisco’s ASA (VPN, Firewall, IPS, content switch appliance), IronPort (Web security), ScanSafe (Cloud Web Security), and SIO (Security Intelligence Operation) to deliver the next generation of remote access and security for mobile end-points.

While AnyConnect utilizes and integrates much of Cisco’s security technology, the real innovation is how the mobile client captures ease of use and simplicity, allowing users to access both corporate and Web/SaaS applications without the hassle of traditional VPNs for any type of end-point, be it laptop, smartphone, netbook, etc., while protecting corporate assets. In many cases the user experience will be far superior to existing remote access solutions as they don’t need to be concerned with network access type, be it VPN, internet, 3G, WLAN, 4G, etc. The hope is that AnyConnect will provide IT leaders with the assurances they need to enable employees to embrace mobile computing allowing their corporations to exploit its productivity advantages.

Making Remote Access Secure and Invisible

AnyConnect is a pervasive end-point controlling network access and security. The idea is that it fades away into the background, versus the very manual VPN configuration of today. AnyConnect decides where to connect and establishes the connection when the end-point needs to network. If a laptop or iPhone moves from WiFi to the 3G network, AnyConnect figures out what it needs to establish the connections. In addition, AnyConnect provides persistence, keeping all session state. The more intelligent AnyConnect gets over time the more it will fade into the background, being invisible to the user. Cisco is committing to a broad range of device support. Support for Windows XP, Vista, Windows 7, MAC OS X laptops has been made. Smartphones from Apple’s iPhone, Android and Windows Mobile are rapidly changing the enterprise mobility landscape which has been dominated by BlackBerry thus far and it seems logical that these end-points will be supported by Cisco at some point.

Flexible Policy Creation

For web security clients AnyConnect delivers an innovation around policy so that specific policies for remote workers can be distinguished and reported differently than desktop policies. This is important from a compliance point of view as IT leaders often set policy for workers within the network perimeter around “acceptable use” and from a compliance and liability standpoint IT leaders need to be concerned with “where” users go on the web. However, when an employee is home on their own time using their laptop to browse the internet, IT Security leaders don’t care “as much” about which web sites they visit, only that they are secure and protected from propagating threats. Therefore, AnyConnect allows IT Security leaders to set flexible on- and off-premises policy. For example, in-office employees may have policy set for both acceptable use and malware prevention; however, off-premises employees may have policy set for malware prevention.
Device Collaboration Takes Complexity Away From Mobile End-point

AnyConnect promises to deliver an end-to-end user experience, thanks to the engineering that Cisco has done to enable the above mentioned security products to collaborate between each other. One example of this value is during AnyConnect user authentication via the ASA configured for remote access VPN headend. The ASA authentication information along with the fact that the user is mobile is passed to the web security appliance so that both can apply the right policy without delivering another prompt to the user; thus allowing mobile-specific policy to be applied to the remote access session. For the mobile user this process streamlines their access as he/she is not greeted with two different screens (ASA and Web security) during authentication, just one.

Hybrid Hosting: The Way We Work

Backhauling internet destined traffic from remote sites over the corporate network is unfortunately more often done for security reasons. As many security leaders are requiring remote or mobile users to pass through the corporate perimeter to access SaaS applications and other Web content, application performance may suffer. AnyConnect performs performance optimization between VPN and Web access scenarios to significantly lower latency improving user experience even during backhaul scenarios. But as internet video traffic has skyrocketed there’s increased pressure and demand to maintain high user experience by allowing these flows to bypass backhauling and go straight to internet, or “enforcement points” such as a ScanSafe cloud. AnyConnect promises to seamlessly find the closest network attach point and optimal enforcement point, whether that’s the backhaul path, a ScanSafe cloud or even a Cisco ISR G2 running in a branch office equipped with web security capabilities. It’s logical that Cisco will release these capabilities over time.

Securing mobile/remote users via cloud-based services and desktop users with on premise security appliances have emerged as an important security design approach. Security services delivered to mobile and desktop users via on premises and cloud solutions respectively are what some call “hybrid hosting”. Policy consistency is important to a successful hybrid hosting implementation. That is the ability to define user access policy on one policy server and propagate it to on-premises and cloud providers, providing common enforcement, single consolidated reporting and a better user experience.

Key to hybrid hosting is the mobile client. Cisco has built connection intelligence into the Cisco AnyConnect Secure Mobility Client. AnyConnect manages connections by finding a trusted network, meaning assessing if the connection is a secure enforcement point. If an end-point is currently connected to an unsecured public internet link, but the user application requires a secure connection, Secure Mobility Client will find it without operator intervention. Optimal gateway detection is another feature that automatically finds the fastest gateway for VPN access and connects to it.

Security For Thin Client End-points: Full Context Awareness

As end-point devices become thinner and thinner, meaning devices with less processing power and memory, the harder it is to enforce security on the end-point. Laptops can run sophisticated AV and scanning software to protect the end-point, but this software will not run on iPhones, BlackBerries, Android, etc., as they don’t possess adequate resources to run the code. Therefore as end-points become thinner and their numbers balloon while threats continue to be more sophisticated and web-based the question is how to protect these devices and corporate IT assets from them if they become infected? The answer is to leverage the processing power that resides within the network. With the network providing security services on behalf of thin client mobile end-points, a consistency across devices is gained that is independent of end-point type. Malware or exploits are identified along with web site destinations, policy can be enforced, reporting is captured and in the process IT Security leaders gain visibility.

For web security AnyConnect has integrated Cisco’s Web Security Appliance, which provides malware security, acceptable use, access control, and data security for web traffic. By performing this in the network rather than the end-point it’s possible to obtain powerful security capabilities such as multiple layers of malware defense and web application controls which are very difficult to deliver, especially across a breadth of end-points via an end-point solution.

Malware defense includes Web reputation, which is delivered by Cisco’s Security Intelligence Operation (SIO), and is effectively a risk rating for how likely a specific Web object is to be hosting malware. Additionally, multiple AV signature sets are run in parallel on suspicious traffic providing better coverage than any single engine. Currently Cisco offers Webroot and McAfee, and is planning to offer Sophos in the near future.

For acceptable use, Cisco offers standard URL filtering. But URL filtering has become less effective as the number of pages on the Web is exploding, making it impossible for URL lists to keep up. To address this, Cisco dynamically categorizes web sites in real-time. In addition, Web 2.0 sites and tunneling applications mean that a URL filter is not enough to protect users or create meaningful policy. Enter application control. What Cisco has done to expose web traffic is build an engine that understands web traffic and applications that traverse within it. That is to be able to identify if the traffic is IM, WebEX, Facebook, Facebook chat, an application running on Facebook such as Mafia Wars, Twitter, streaming media, etc. With all traffic being distinguished Web Security Appliance’s application control can “block” or “allow” the traffic but more importantly provide greater policy granularity.

Consider this. An IT leader can develop a policy that allows chat on IM, but it’s a data security violation if a user attempts to send a file via IM. Or a user can participate in a WebEx session but he/she can’t relinquish remote control of his/her desktop because it’s a security violation. A user may be allowed to go to Facebook and read, but not post as this may be a potential DLP risk. Cisco’s AnyConnect Web Security Appliance offers this deep application control thanks to its parsing of web traffic and subsequent policy granularity.
It’s difficult if not impossible to obtain this level of security and policy enforcement even on a traditional mobile end-point like a laptop. Imagine trying to make it possible for all of those smartphones that are flooding into the enterprise; virtually impossible. This is the value of Cisco’s network-based approach.

With SaaS Growth, IT Managers May Become Less Relevant

With the large number of mobile devices that access SaaS applications that are out of an IT leader’s control and visibility, IT leaders have become concerned with their own relevance. Most SaaS purchases are in fact not from IT departments but from business unit or line of business managers. Therefore, IT becomes less relevant as IT leaders don’t see this surge in SaaS application use, how to secure it and protect existing IT assets from potential threats. As SaaS use grows so does this challenge to IT.

To address this challenge, Cisco is building in SAML (Security Assertion Markup Language) assertion into the Cisco IronPort Web Security Appliance, in addition to authenticating web traffic as it egresses the enterprise. IronPort already works with AD (Active Directory) and LDAP to authenticate users. Therefore, Cisco is adding the capability to create a SAML token, which will offer a better user experience by delivering single sign-on into SalesForce, WebEx, Concur, Google Docs, and all SaaS applications that support SAML.

SaaS Access Control

What this does for IT leaders is provide control back as IT can demand that their SaaS providers support SAML token, meaning that users can’t access the SaaS application directly but through the corporate network. So if a user is at home he/she can’t go directly to SalesForce.com and download a customer list onto his/her home PC or onto an unmanaged end-point. Users have to come back through the corporate infrastructure via AnyConnect to obtain their token. This provides IT leaders with both control and visibility independent upon where applications are hosted; be it in their data center or the cloud. With this link to all applications IT leaders can apply access control policy, data security policy and in the event of data loss or theft IT leaders now have granular forensic evidence too. With SAML token in IronPort, IT leaders have both control and great visibility that gives them the confidence to enable SaaS applications for workers and remain relevant. This is a huge point as many companies don’t know how many SaaS applications are being used. Cisco for example has over 350 SaaS application in use throughout their corporation, which is more than likely the rule rather than the exception.

One critical challenge SaaS presents is when employees leave or are terminated from their employer. How does IT remove access to these SaaS applications? It’s easy if there are only a few SaaS applications in use, but when the number of SaaS applications grows to the tens and hundreds the process becomes daunting and DLP vulnerabilities increase. With Cisco’s Web Application Controls IT can simply implement a zero day revocation; that is pull the terminated employee’s credential out of the AD and all access to every SaaS application is terminated.

What AnyConnect is offering IT leaders is the assurances and safeguards to say yes to employees to use the IT tools they desire, be it a laptop, iPhone, SaaS applications, Android, Blackberry, etc. For users, they get a simplified way to connect to applications independent upon where they are hosted along with the protections and safeguards once only available to them while in their offices behind the corporate perimeter. From a security leader perspective they get increased control and more security as AnyConnect extends out to that entire mobile workforce. Cisco’s AnyConnect promises to successfully thread the needle to avoid the typical tradeoffs that accompany security products such as security versus business process or security versus user experience. With AnyConnect IT leaders will be able to enable business mobility, increased user experience, and protect corporate assets through strong security services. In short the AnyConnect Secure Mobility Client offers a simple use model for mobile workers that leverages Cisco’s ASA, IronPort Web Security Appliance, SIO, and more then likely in the future ScanSafe, to wrap a corporate perimeter around its mobile workforce.

For existing Cisco customers that utilize ASA and WSA their implementation of AnyConnect is straightforward and the ability to absorb this innovation fast. These IT organizations would install AnyConnect Secure Mobility Client on end-points with required configuration changes to ASA and WSA. AnyConnect can be implemented piece meal too starting with AnyConnect Secure Mobility Client and ASA adding other security defenses when appropriate.

But to make AnyConnect a success Cisco needs to expand its smartphone support and prove that its AnyConnect Secure Mobility Client is indeed as simple and invisible as it claims. Also IT leaders will have to get comfortable with and trust the various enforcement points and its policy granularity. AnyConnect will have to work in conjunction with other security technology such as anti-malware engines, PIN locks and data encryption, plus remote data wipe to protect against lost devices. Look for Cisco to partner with others to deliver these aspects of mobile security. The key value proposition of AnyConnect is a simple yet powerful user experience. The success of AnyConnect rests upon Cisco’s ability to deliver on the promise of an exceptional user experience with an always-connected remote access and security architecture.

Tweet

IT leaders are not comfortable with mobile computing security. And they do have a lot to be concerned about as securing a plethora of different devices accessing both corporate and SaaS applications from a vast array of locations and network access methods is a challenge. Traditional VPN methods are too cumbersome for users and don’t factor the huge growth in SaaS application use. A new model for securing remote and mobile access is needed and Cisco has delivered one. Cisco just launched AnyConnect Secure Mobility Client that offers a simple use model for mobile workers that leverages Cisco’s ASA, IronPort Web Security Appliance, ScanSafe, and SIO to wrap a corporate perimeter around its mobile workforce. Kevin Kennedy, Product Marketing Manager at Cisco Systems discusses a new approach to securing mobile computing.

Listen to the Podcast

Tweet

No matter where you look today the structure of IT is fundamentally changing. Applications are being increasingly accessed from mobile devices along with traditional laptop, desktop and even kiosk machines. Applications are downloaded for free or a few dollars on mobile devices, while cloud computing and anything as a service offers a new approach to application delivery. As a result corporate application portfolios are shifting in their mix under IT leaders from one of total control to partial to none. In short, IT leaders are finding that the largest application growth in their corporation is coming from outside of their traditional perimeter and with no control knobs. In essence applications and networks are becoming borderless.

While borderless networks offer productivity improvements allowing work to follow individuals, IT leaders are concerned about its security implications, that being how do I secure corporate assets when applications are being accessed and used within and outside of corporate perimeters? Can IT leaders deliver the ease of use afforded by borderless networks securely? In this Lippis Report Research Note we offer an approach to securing networks without borders.

Traditionally security has taken the form of a perimeter environment where IT assets are housed in the data center under tight corporate control. This environment offers the ability to protect and control these assets. For example, remote access via VPN for employees, customers, suppliers and partners access can be managed as security is managed via firewall perimeter. This approach is the traditional security model and it will stay in place for a long time to come.

But IT is fundamentally changing. There is tremendous diversity in network access from a device, network type and geographic independence points of view. The explosion in device diversity accessing networks, be it smart mobile phones such as the iPhone, blackberry, Nexus One, Android or laptops, notebooks, desktop, readers and kiosk is challenging traditional IT security norms. Not too long ago IT leaders would distribute a corporate-approved computer with a locked corporate standard software image to employees as their IT tools. Not any longer; legitimate business applications have arrived for mobile devices and cloud computing scenarios offer new approaches to application development and delivery. In addition a richness and increased velocity of applications tunneling through Port 80 further challenges perimeter security and IT control. The new world of IT is device diversity, network access point diversity and application diversity, changing how IT leaders mitigate threats while enabling users freedom of access to applications without boundaries.

As device and application diversity flourish, data too is increasingly being distributed. This is very different from the early 2000s IT model and before that as data was centralized in data centers. What used to be stored in a data center and locked behind a firewall is shifting out into clouds. Salesforce.com offers a good example of how proprietary information such as sales leads and prospects are now outside a corporate perimeter and into a public cloud. Further, most corporations don’t know how much their employees are using clouds or SaaS offerings for mission critical business functions. One client conducted an internal survey asking business and IT leaders “how many kinds of SaaS cloud-based applications do you use?” The initial answer was “probably a dozen or so.” After an audit, the real answer was well over 300 SaaS applications were being used from ADP, engineering to Salesforce. The bottom line is that there are a tremendous number of applications already moving outside the data center and the question now being asked is how to protect corporate assets in this new IT environment.

The New World IT Order

With device, network access and application diversity booming along with distributed data, more and more of IT is happening outside the traditional corporate boundary or perimeter. The diversity trend while small in terms of overall corporate application use will only grow and may very well dominate typical corporate application portfolio mixes in the next five years. But in the mean time the traditional perimeter does not go away but needs to be a pillar in a more expansive overall approach to securing borderless networks.

Borders by nature define trust and create trust boundaries. The European Union has eliminated many borders such as walls, physical access, currency differences, etc., but what remains are rules, regulations, passports, etc. The EU reconfigured their boundaries to allow greater freedom of movement and trade. Networking is undergoing a similar transition as corporate defense shifts from a single perimeter to a set of pervasive fungible perimeters or trust boundaries where protection is pushed out to follow users around based on what application they are using, how network access is gained and on what device. Security services have to move in this direction as forcing the new world order of IT into an old world IT security model will not scale and defend corporate IT assets.

For example, IT leaders could choose to back haul all their internet connections to a central site but this will clog their enterprise network, drive up internet access bandwidth and routing requirements plus slow application performance. In addition with more and more devices such as mobile end-points, notebooks, etc., readers connect to the network differently than laptops, IP phones, desktops, etc., and thus don’t lend themselves to back hauling. Therefore, IT and business leaders are thinking about a need to provide IT delivery in the cloud, or maybe perhaps a virtual environment. A much more dynamic approach is needed for applying security in the new IT world order.

An Approach to Borderless Security

One approach is to utilize a family of existing security appliances including firewalls, IPS, web filtering, web security, email security, VPN, etc., as a security enforcement array. These appliances could be put to work to enforce existing and create new trust boundaries such as cloud security, the enterprise perimeter, mobile security, etc. The enforcement array can be segmented into four architecture components. Cisco is the only large IT company to embrace this approach thus far. Cisco breaks down a secure borderless network into 1) Borderless End Zone; 2) Borderless Internet; 3) Borderless Data Center; and 4) Borderless Policy.

The Borderless End Zone provides security services to end-point devices such as securing the end-point and obtaining secure network access. End-point security is increasingly important as a plethora of new mobile and innovative end points have emerged and are consumed in mass. One significant trend is that end-points are thin with little footprint or storage/memory for large security agent software. In addition mobile end-points access networks and IT assets differently than traditional laptops and desktops, requiring a different approach to protecting today’s powerful mobile devices that preserve the ease of user experience. A transparent VPN connection that is able to select an appropriate persistent network connection and apply the right kind of security independent of end point device without user intervention will go a long way to securing new thin and mobile end-points.

The second component is the Borderless Internet which plays a large enforcement array role by delivering real time threat protection, signatures, etc., to existing gateways, appliances and network infrastructure to make enforcement decisions. For example, even though users may be accessing cloud-based applications as simple as email and not even traversing back to their corporate premise, a borderless internet applies some of the same security policies and protections afforded to them within their enterprise to enforce what users can do and then protect them from exploits and threats. Expect to see large security portfolio moves into this enforcement array as the borderless internet develops.

The third security component of a secure borderless network architecture is a Borderless Data Center. Data center network security has become more critical, particularly as servers and soon I/O becomes virtualized. Data center security services such as firewalls, et al., are becoming virtualized, affording a wide range of threat protection without additional hardware. There is a new dynamic security model needed in the data center that allows security services to move without operational intervention when VM workloads are moved. To address dynamic security more security services are required in the hypervisor such as moving firewall features closer to the virtualization layer.

The fourth and last security component of a secure borderless network architecture is Borderless Policy including access control, acceptable use, data security and exploit mitigation. Policy has traditionally been focused on permissions and access control of resources within the corporate perimeter, but policy now needs to be pushed out across enterprise, internet and mobile networks to follow users and afford them policy enforcement. In other words, as users traverse outside their corporation using different devices, network access and a mix of applications how do IT leaders provide the same policy enforcement across a global network and ensure that access and data usage is appropriate while protecting users and corporate assets from exploits, threats and malicious websites, avoiding back haul into the corporate perimeter?

The main point of borderless policy is to enable IT leaders to make greater policy decisions that are pushed out across a global network that factors who, what, when, where and how a user accesses networked resources. Borderless policy will strive to provide ubiquitous control over how users are using IT assets across different devices. To achieve this, policy needs to be translated into code that a machine understands, can enforce, and then monitor.

Securing networks without borders needs to provide protections and enforce policy in a new set of use scenarios that are growing rapidly in their adoption and use within corporations. This is not to say that existing IT security is not critically important. None of today’s security appliances will be displaced or removed any time soon. Private data centers will be with us for decades as will the need for effective corporate perimeters. IT leaders want to leverage existing security investments to protect corporate IT assets when users access applications on mobile end-points, across and behind the perimeter. The Secure Borderless Network offers an approach of providing security, protection by setting new boundaries for a different IT use and delivery model that will only accelerate as the global economy continues its recovery.

Tweet

Garter has moved Cisco up to the Leaders Quadrant in its Magic Quadrant for 2009 Secure Web Gateways. Gartner reflected in their analysis that Cisco’s long-term focus on innovation and quality has resulted in market leadership. Garter identifies the following Cisco strengths.

On-Premise
* On-box malware prevention
* Performance & scalability
* DLP
* Real-time categorization

Cloud
* Simple management interface
* Reporting
* Ease-of-deployment
* Real-time categorization

Visit the Link

Tweet

Gartner has recognized Cisco as a Leader in the 2009 Magic Quadrant for SSL VPNs. Cisco has made the move from Visionary Quadrant last year to the Leaders Quadrant on the strength of its innovative AnyConnect VPN technology and direction. Here are a few items Gartner highlights in the report:

* Cisco is the only vendor to move from a non-leader position into
the Leaders’ Quadrant

* Cisco is forging the path as 10 of the surveyed vendors consider
Cisco a major competitive threat

* Cisco exceeded all other vendors in the number of new concurrent
SSL VPN seats in the period

* Gartner clients report that feedback and satisfaction with the
Cisco SSL VPN product have improved significantly

Visit the Link

Tweet

By Cisco Systems

The Cisco Annual Security Report provides an overview of the combined security intelligence of the entire Cisco organization. The report encompasses threat information and trends collected between January and December 2009. It also provides a snapshot of the state of security for that period, with special attention paid to key security trends expected for 2010.

Get the White Paper

Tweet

How we do IT is fundamentally changing. Applications are increasingly being accessed from mobile devices while cloud computing offers a new approach to application delivery. Case in point, the iPhone adoption rate is 8 times faster than AOL was! As a result corporate application portfolios are shifting in their mix of total IT manager control to partial control to none. IT leaders are finding that the largest application growth in their corporation is coming from outside of their traditional perimeter/firewall with no control knobs. In essence applications and networks are becoming borderless and as a result a new flexible security model is needed to reestablish boundaries. To address this industry concern, I talk with Fred Kost, Director Security Solutions for Cisco Systems about a new approach to securing networks without borders.

Listen to the Podcast