Tweet

By Lucinda Borovick and Richard L. Villars of IDC

In today’s IT marketplace, Big Data is often used as shorthand for a new generation of technologies and architectures designed to economically extract value from very large volumes of a wide variety of data by enabling high-velocity capture, discovery, and/or analysis. IDC believes that organizations that are best able to make real-time business decisions using Big Data will gain a distinct competitive advantage over those that are unable to embrace it.
As Big Data efforts grow in scope and importance, the network (both within the datacenter and across the WAN) will play a critical role in enabling quick, sustainable expansion while also ensuring these systems are linked to existing mission-critical transaction and content environments.

Get the White Paper

Tweet

By Cisco Systems

Increase security and reduce risk by using existing technology in a non-traditional fashion.

Security is all about risk mitigation. How much risk is an agency willing to accept, and how much are they willing to spend to lower that risk to an acceptable level?

There are multiple ways to lower risk, such as:

• Increasing situational awareness through continuous monitoring of network, data, hardware and personnel resources.

• Tightening security policies for employees and guests moving within buildings.

• Increasing physical security measures when entering the building.

• Isolating physical networks.

• Using stronger authentication mechanisms (multi-factor authentication).

• Implementing an identity management system.

Unfortunately, these solutions all come at a financial cost and, in some cases, can actually prevent employees from doing their job, impacting their productivity. This paper suggests that by using some non-traditional devices in a security arsenal, and by using the network as the platform, an organization can significantly increase its security posture and reduce risk without requiring significant behavioral engineering or infrastructure costs.

Get the White Paper

Tweet

By Cisco Systems

How Today’s Government, Education, and Healthcare Organizations Are Benefitting from Cloud Computing Environments

Cloud computing is a disruptive technology model that is changing the way public sector organizations consume information and communications technology (ICT), and how they deploy and deliver services to stakeholders. A trusted network infrastructure is the foundation for any successful cloud implementation. This paper briefly reviews the status of cloud computing in government, education, and healthcare organizations. It also helps make the business case for a cloud implementation by summarizing the chief advantages and business drivers. Case study snapshots describe how public sector organizations have successfully implemented cloud services models in various environments worldwide.

Get the White Paper

Tweet

By Deloitte

Enterprises face increasingly complex choices in their network vendor strategies. IT leaders must introduce new technology for critical business functions, while managing IT costs and balancing operational risks.This report summarizes the findings from a detailed customer survey conducted by Deloitte to examine the operational, financial, and risk factors associated with the use of single vendor and multivendor approaches in different types of enterprise networks. By providing a framework for understanding the overall value drivers associated with these networking strategies, this report is intended to help IT decision makers evaluate the potential impact of different approaches.

Get the White Paper

Tweet

There are multiple definitions of Software-Defined Networking or SDN. But this is common in a new breakout space for the computer networking industry that’s evolving fast. The most common SDN definition is based upon splitting the data plane or the forwarding hardware of an Ethernet switch from its control plane or the logic that controls how packets flow from ingress to egress. But this definition alone is too limited and needs to be expanded. In this Lippis Report Research Note, we offer the industry a broader SDN definition and view.

First, the SDN definition that is based upon OpenFlow is important but too narrow. OpenFlow offers a standard-based Application Programming Interface or API that links an Ethernet switch and a controller. This offers a model in which layer 2 Ethernet switches are low-cost merchant silicon based devices where flows are directed by a centralized controller(s). While this is innovative and different, in reality it’s not that interesting. There needs to be much more to SDN and that can be found in what resides on top and along side of SDN controller(s) and associated benefits, both in terms of network design and operational models that it affords.

From an architecture point of view, what resides on top and along side of the controller(s) is another API or set of APIs that promise to virtualize networking like VMware did for servers. With a yet-to-be-defined API on top of the controller, a software ecosystem needs to flourish.

SDN Software Ecosystem

Applications such as traffic management, device configuration, network analytics and control, public-private cloud connectivity and security, firewalls, load balancing, etc., are examples of applications that could and should spring up in the virtualization domain, thanks to SDN. Much work is being done now to automate the network layer and virtualization stack into the virtualization domain via SDN applications that may or may not ride on top of an SDN controller(s). The centralization of network provisioning of layer 2 and 3 devices, firewalls, load balancers, VM stacks, etc., will be a huge SDN advantage as it lowers the number of operations staff required to manage a large network. Look toward management of physical switches in the management domain of virtualization engines.

SDN Enabled Cloud Bursting

Enabling burst capability where a corporation can move workload between public and private clouds will be an SDN function. While there is layer 2 functionality available in some controllers today, to enable cloud bursting, this will move to layer 3 over time. But most importantly, SDN controllers are solving the security problem of workload mobility between public and private clouds today, which offers a huge network design and business agility advantage over existing approaches.

SDN Virtualized Network Services

While many firms, such as F5, Brocade, Cisco, Citrix, et al, offer virtualized network appliances, delivering such services within an SDN will offer huge server efficiency. For example, in highly virtualized data centers, memory restriction strands CPU capacity. Network appliances, such as firewalls and load balancers, typically consume little memory but much CPU processing capacity. Commodity servers inside of racks tend to be only 40% CPU utilized, thanks to lack of memory to run more applications upon those servers. These servers are, in essence, stranded, but a low memory, high CPU network application, such load balancing or firewalling, can utilize that un-used resource, increasing data center efficiency. SDN offers this efficiency and it’s a huge win. In an SDN environment, there will be a controller somewhere in the network, and if this runs in the virtualplex as an application then all of this server efficiency just comes to the IT architect, in essence, for free.

Open SDN

The SDN market is evolving in an inclusive open fashion. The OpenFlow interface is open by definition. In addition, components of SDN controllers are being distributed to the open source community, such as Big Switch Network’s FloodLight. Also, FlowScale, a load balancer, RouteFlow which provides virtualized IP routing services over OpenFlow hardware, Open vSwitch and other projects including layer 2 provisioning, VM Migration, etc., are creating an open SDN environment.

Mobile Market Shows the Way

The mobile market may show the way of how SDN will progress. The national mobile infrastructure is well automated to the point where a single network engineer can mange some 8,000 nodes. Most, if not all, large enterprises and cloud providers would welcome such efficiency. In addition, the mobile market, thanks to Apple’s iPhone and iPad plus Google’s android, has shown how a vibrant software ecosystem can add tremendous value and user choice. An SDN software ecosystem would offer IT business leaders with applications that change the nuts and bolts of networking suited to highly-virtualized environments plus solve some of the industries largest problems and opportunities, especially around cloud bursting and workload mobility. If SDN is able to automate network provisioning in enterprise and cloud computing facilities much like mobile networks today would fundamentally change the network operational model.

A Broader SDN View

The definition of SDN needs to be sufficiently broad enough to communicate the above value. To achieve that, SDN will move well beyond an OpenFlow-based definition to an application and capability definition. SDN promises to commoditize network hardware and provide a standard-based application development platform taking much of the features and functionality that exist inside custom proprietary software and driving it into an open SDN space.

But perhaps even more important is how SDN is implemented. In short, SDN promises to be deployed on under-utilized servers that IT organizations already own and operate. SDN promises to completely revolutionize the way in which we do networking. Trends in virtualization and cloud sourcing are only going to get stronger over time. Stranded CPU capacity in virtual engines is a significant previously unavailable resource to tap into and utilize. Running SDN controllers and applications in that domain is, in essence, free to IT organizations.

Think of it this way: IT business leaders will be taking this huge expensive IT infrastructure they currently own and operate to run SDN software and controllers in capacity that they weren’t capable of using anyway. That is a huge win. Add commoditized network hardware to the equation plus network application/service innovation to the mix, and you have a network environment for the new age of cloud computing. This is the promise of SDN and why it’s so important to every corporation, cloud provider and networking vendor.

Tweet

Virtualizing a physical network into multiple logical networks each with unique attributes has grown in popularity. This network design is popular in healthcare, education, travel and other industries. Network virtualization was available only to the largest of enterprises and service providers, thanks to its cost and complexity of MPLS and VRF-Lite. But a new approach called Easy Virtual Network from Cisco changes all of that by reducing cost and eliminating configuration and management complexity opening network virtualization to a much larger segment of the enterprise market. In this Lippis Report podcast, I talk with Sehjung Hah about Cisco’s Easy Virtual Network.

Listen to the Podcast

Tweet

The Unified Communications market has twisted and turned over the past eighteen months, thanks to mobile and cloud computing plus the huge uptick in web plus video collaboration. This market has recovered from the 2009/2010 downturn with a gusto as providers expand UC to include collaboration and mobile platforms while targeting the red hot Small- to Medium-sized Enterprise (SME) market that consist of some seven million employees. With only a third of SMEs having a communication strategy plus less than a quarter with a deployed UC solution, the SME market is huge and wide open. In this Lippis Report Research Note, we take a look at Avaya’s and Siemens’ new UC offering for the SME market from a traditional voice vendor perspective and explore non-traditional SME offerings from Apple, Google, Facebook, Cisco, Microsoft, et al.

The UC market is no longer. It use to be that UC was defined as an integrated launch point for a wide range of communication services, such as real-time voice, voice-mail access, text messaging packages, etc. Then the stock market crashed and slowed down UC growth. During 2009 and 2010, mobile and cloud computing took off and fundamentally changed enterprise computing and communications. Companies took to video communications as a way to both cut travel and operational cost while improving productivity. Case in point, Camp Dress McKee, a worldwide player in water treatment design and build, consolidated their real estate offices, thanks to centralizing engineering and getting close to customer projects though outpost or smaller offices. High definition video conferencing was the enabler of this operational transformation.

UC vendors took note and started changing their UC platforms to embrace BYOD or mobile end points, collaboration and video. The UC market is now a mUCC market for Mobile, Unified Communications and Collaboration. Yes, some are experimenting with cloud-based UC offerings, but with mixed results, so we defer on this topic for now. As with most other economic recoveries, small business usually leads the way. This time around is no different, and the mUCC vendor community is targeting this market segment with a vengeance.

Note that some think that iPhones or Android devices are all that is needed in the SME. But this solution does not scale past a few employees, as business critical communications need reliability and quality. Try closing a deal over a mobile phone or transferring calls between employees or conducting group calls, and it becomes abundantly clear that a first-rate company needs a first-rate communications system that includes fixed, mobile and conference solutions.

While we use the “m” in mUCC to denote mobility, this is just a point of emphasis that mobility is now being integrated into the UCC environment, and it by no means is to be construed that fixed endpoints are not part of SME solution. For this Lippis Report Research Note, we focus on the new mUCC market for SME. To do so, we profile Avaya’s and Siemens’ latest launches.

Avaya offers a few options for SME, such as the IP Office, which it has been busy consolidating multiple products from the Nortel acquisition. In addition, it recently announced the availability of Avaya Flare® Communicator for iPad as a download from the Apple App Store. Avaya Flare Communicator is a free software application for both iPad and its own Android-based Avaya Desktop Video Device (ADVD). Avaya Flare Communicator provides secure mUCC capabilities over Wi-fi and 3G networks.

Avaya Flare Communicator for the iPad is enabled by the Avaya Aura® 6.1 UC architecture, which delivers integrated applications to a range of fixed and mobile devices, providing consistency between mobile and fixed endpoints. Some of its capabilities are integrated enterprise directory to easily launch IM, voice call or email. While being mobile, manage two simultaneous voice calls using the iPad, multi-tasking real time communications with internet access. Reduce mobile expenses by using the data channel and avoiding roaming charges while traveling across different cellular networks

Siemens Enterprise Communications offers its all-in-one mUCC suite with recent updates to improve mobility, increasing business efficiency and lowering costs for SME. The upgrades to OpenScape Office and the HiPath 3000 voice platform include a new UC client for tablets, OpenScape Web Collaboration and a UC plug-in for Microsoft Outlook 2010. According to Siemens, these solutions help SMBs better serve their customers and reduce communications costs.

OpenScape Office has been designed to support the increased use of smart phones and tablets, offering a new mobility UC client that extends desktop capabilities to mobile endpoints. In addition, OpenScape Web collaboration has been extended to OpenScape Office MX and LX plus mobile phones and tablets. Unique to Siemens is its embrace of virtualizing its mUCC applications. The
OpenScape Office LX and HX can now run on VMware.

From a user point of view, OpenScape Office is now equipped with a UC plug-in for Outlook 2010, and Open Directory Service that enables access to corporate directories for ease of access. Siemens has had great success with OpenScape Office, having seen it grown some 67% last year.

While we just provide a snapshot of Siemens and Avaya here, Cisco, ShoreTel, Mitel, Microsoft and others offer SME mUCC solutions too. Interestingly here is that Google, Apple Facebook and Microsoft are all positioning to play a larger role in the SME mUCC market. Google offers a suite of services that integrate across desktop and mobile devices leveraging Android, Google Docs, Google Calendar, Google Messenger, Google Voice, Gmail Google Video, and of course circles, et al. Microsoft has been challenged with Lynx as a voice platform, but it now owns Skype, and look for it to offer a mUCC suite for the SME. Facebook is a wild card as rumors circulate that it’s working on a Facebook OS for mobile devices that some project will offer a social mUCC platform.

Apple seems contempt to ride the BYOD trend into the enterprise market without packaging a SME mUCC solution. Apple continues to push the envelope and deliver many of the features promised by the UC vendors for years, such as FaceTime and Siri. The real opportunity for the traditional mUCC vendors is to embrace Apple’s iPad, iPhone and MAC, adding enterprise strength and scale to FaceTime, Siri, contacts, calendar, icloud, etc. Most of the mUCC vendors still view Apple as a consumer device and opt more often than not to develop on Android. That is a mistake.

The SME market is the huge opportunity for the mUCC vendors, but it’s also an opportunity for non-traditional players too, as only 25% of the market has decided upon its mUCC direction. Siemens and Avaya as well as many of the other vendors are all moving in the right direction to integrate mobility, video and collaboration. But some Big Data analytics may very well show all that is needed is enterprise integration plus scale to Apple and Google mobile endpoints on desktop and fixed point phones.

Tweet

By Cisco Systems

This paper introduces the new Layer 3 network virtualization solution Easy Virtual Network (EVN). It discusses the need for enterprise network virtualization and compares EVN with the traditional solutions. In-depth architectural information as well as the new provisioning syntax is included to get users fully familiarized with EVN at first look. Click here for a short video on EVN

Get the White Paper

Tweet

Computer networking vendors have been increasing the speed and port density of their Ethernet switches while reducing power draw and price per port. But while Ethernet switching hardware marches on linearly, thanks to 10, 40 and 100GbE, networking software is taking a different historical path as the pace of compute and network technology evolution has diverged, with networking lagging. Highly virtualized server deployment has broken traditional networking approaches on multiple levels, for example. In response, the industry is now developing a “virtualized infrastructure” or “stack” to add network flexibility. To close the technology gap, Software-Defined Networking (SDN) is promoted as the new “organizing principle” to deliver network software and service value. While it will be, likely, years before SDN’s organizing principles take hold, I propose that these two industry activities are inexplicably linked and phased; here’s why…

Software-Defined Networking

There are multiple definitions of SDN. Making it even harder to pin down SDN, the definitions are evolving too. But this is common in a new breakout space for the computer networking industry that’s evolving fast. For this Lippis Report Research Note, we take the SDN definition that is based upon splitting the data plane or the forwarding hardware of an Ethernet switch from its control plane or the logic that controls how packets flow from ingress to egress. This split of data and control planes opens up an innovation injection point into networking that has not been previously available.

During 2011, a market has opened up for controllers. Currently Big Switch Networks, Nicira Networks and NEC are offering standalone centralized controllers. But limited controllers are also available in open source software, OpenStack and VMware’s vSphere/vCloud too. In addition Cisco’s IOS, Juniper’s Junos, Arista’s EOS, etc., are distributed controllers that may interoperate with centralized controllers in the future. In fact, Arista’s EOS already supports OpenFlow, OpenStack and vSphere/vCloud.

The link between the separated data and control plane is an open interface called OpenFlow. Now some end their SDN definition here, but this is just the beginning as the real promise of SDN are the applications that will reside upon the controller to address a wide range of networking issues and opportunities. In fact researchers at Princeton and Cornell are developing the Frenetic programming language that provides high-level network abstraction that gives programmers direct control over the network, allowing them to specify what they want the network to do without worrying about how to implement it.

One can imagine a wide range of applications residing upon a controller such as WAN optimization, traffic engineering optimization, load balancing, security services, etc. In essence, the control plan allows network services that are currently deployed as appliances to be virtualized appliances/applications much like applications that reside on top of a VM. It gets even more interesting, as a centralized control plane can be easily split in to many little control planes, each of which sees its own slice of the data plane topology. In traditional networking where control and data planes are one and the same and in each box, it is much harder to merge control planes and split data planes. It’s possible, but harder to keep complexity and stability in check over the long term. Splitting control plans can have huge value in public cloud multi-tenant or private cloud multi-team networking.

SDN and OpenFlow are at the early stages of its industry matriculation. But one thing is clear: SDN is an organizing principle whereas network software is developed by both network vendors and third parties, and network services are virtualized. SDN thus represents a new industry order and structure as to how value is added to networks. But I digress. The real issue today is solving network inflexibility in the face of highly virtualized data centers.

Enter the “Virtualized Stack” or Virtualized Infrastructure”

Virtualized server deployment has been propelled en masse, thanks to increased data center efficiency, by delivering the same or greater application workload with a reduced number of servers. While this is good, many IT business leaders are now realizing huge consequences to highly virtualized data centers that span from IP address change management to application management.

At the IP address level, networking has become extremely rigid within virtualized environments, slowing down process, limiting moves and changes as well as elongating the time to spin up an application that resides within a VM. Necessary network services to support the virtual cloud infrastructure, such as IP address assignment and management, are still performed largely with manual tools and processes, such as spreadsheets shuffled between various departments or operational groups, which can result in days of delay for something as simple as assigning an IP address to a VM. Contrast that with the virtual server administrator. Virtual instances of servers and machines can be dynamically provisioned, migrated and shut down by a virtual server administrator in minutes.

Moving up the stack, challenges are rooted in application management plus Layer 4-7 services such as WAN optimization, Application Delivery Controllers and security, especially in environments that include multiple hypervisors, a wide variety of workload types and shifting virtual machines.

For example, the new challenges of enterprise application management in virtualized data centers include: what type of and location of network intelligence is required when multiple hypervisors and various workloads exist and shift? Also how do operations groups maintain consistent security policy across both virtualized and non-virtualized environments consistently? And how do operations groups monitor and maintain application flow visibility?

Cisco

Cisco, for example, is addressing these issues via its Virtualization Stack and is now organizing its products around this initiative. Three components define Cisco’s virtualization stack, those being: 1) virtual networking, 2) virtual security and application networking services and 3) orchestration and provisioning. An important part of Cisco’s strategy is the virtualization of appliances such as its VSG or Virtual Security Gateway, the ASA 1000v, the support of VXLAN, the Nexus 1000v, etc.

Brocade, F5, Citrix

But F5, Citrix and Brocade are all virtualizing their appliances, moving away from physical single application appliances to an integrated virtualized suite. One can imagine that these virtualized applications will some time reside upon an SDN controller as their next stage of evolution. In addition each application delivery vendor has a way for programmers to control application network behavior. For example, Brocade recently launched OpenScript, a Perl-based scripting language used to modify the content of and control delivery of packets at Layer 4 through Layer 7 on its ServerIron ADX products. These scripting languages could be standardized and reside within an SDN controller.

Embrane

A good example of what the virtualized Layer 4-7 future may hold is that of a start-up firm called Embrane.

Embrane has virtualized server load balancing, firewalls and VPN termination and placed them upon a distributed software platform called heleos. Heleos runs on x86 servers and any hypervisor. It leverages a distributed virtual architecture that decouples network services functionality from the underlying physical infrastructure and hypervisor technology that it says provides high scalability, flexibility and performance.

IBM & NEC

IBM and NEC offer the best example of a commercial SDN offering with OpenFlow. NEC’s pFlow OpenFlow controller that resides within an IBM server manipulates IBM System Networking G8264 OpenFlow switch’s flow table. The link between the two is OpenFlow 1.0.0. The NEC pFlow controls traffic, discovers topology, gathers stats and other functions while the G8264 forwards traffic based upon these flow commands.

What’s impressive about the IBM/NEC SDN solution is that it has customers such as: Tervela validated the IBM and NEC OpenFlow solution ensures predictable performance of Big Data for complex and demanding business environments. Selerity’s IBM and NEC’s OpenFlow solution improved real-time
decision-making for global financial markets. Stanford’s IT Department chose IBM and NEC’s OpenFlow solution to deliver network capacity on-demand to its academic community. What’s important about these use cases is that IBM is communicating SDN via OpenFlow’s value in business terms, which will only increase as industry adoption accelerates.

In essence the SDN market has started, and as its technology underpinnings solidify, many of today’s network services will fall under the SDN umbrella. In fact, nearly all network vendors are launching SDN programs as a new way to communicate existing product value and their evolution into a SDN. Just like the Appian Way where all roads lead to Rome, all network services may very well lead to an SDN.

Tweet

By CFO World

With CAPEX accounting for only 20% of the cost of a network, it is important to look beyond initial expenditures and consider TCO and the business value a network can provide. A third-party TCO comparison of a Cisco network versus other vendors illustrates that Cisco can deliver a 13% better TCO even before business benefits, such as network uptime and employee productivity are considered. Further, the Cisco Borderless Network Architecture acts as a platform for service delivery, allowing your IT organization to say “yes” to business and revenue-enhancing opportunities.

Get the White Paper

Tweet

Modern corporate networks are under increasing pressure to support a wider variety of applications thanks to mobile and cloud computing, desktop virtualization plus video traffic having skyrocketed. Not only are bandwidth rates increasing from 1 to 10 to 40 GbE, but most importantly network services are needed to manage and support a different application portfolio mix and network access methods. Network services such as firewalls, WLANs, network diagnostics and monitoring plus application performance acceleration are needed to deliver a consistently excellent user experience. Cisco recently announced an upgrade to its popular Catalyst 6k with the availability of the Supervisor 2T that included re-vamped high performance service modules to deliver these network services. Goyal, product line manager at Cisco Systems joins me to discuss which network services need to be available in modern networks.

Download “A Comprehensive Testing of Cisco Systems Catalyst 6500 Sup2T” report here.

Listen to the Podcast

Tweet

By Cisco Systems

A new enterprise architecture for delivering policy-based services has become available. This document discusses the need for a policy-based architecture in today’s enterprise networks and presents “Policy-Governed Network” architecture as a pragmatic business solution. Building identity and context awareness into the network is critical to implementing an effective infrastructure.
Major topics include:

● What policies are and who implements them
● Changing network dynamics and problematic new technologies
● Important challenges to implementers
● Characteristics of a Policy-Governed Network architecture
● Policy-implementation platform: the Cisco® Identity Services Engine
● Scenarios showing how policies can address specific network issues
● How to begin transitioning to a Policy-Governed Network

Get the White Paper

Tweet

by Cisco Systems

It can be easy to forget how much depends on the enterprise network—until you have to tell the VP of sales that he can’t use his iPhone on the corporate network because the appropriate security controls aren’t in place. Or you must tell the CIO that expanding the virtualization initiative to include business-critical applications will severely tax bandwidth. The truth is, nearly everything in modern businesses is dependent on the enterprise network, and every decision you make is based on whether the network can handle it. This paper takes a look at a common pitfall in IT circles that can have a serious impact on the IT decision maker’s ability to say “yes” to new business initiatives. It also offers recommendations for IT organizations that wish to act as business enablers.

Get the White Paper

Tweet

A third-party business consulting firm analyzed the total cost of ownership (TCO) of Cisco enterprise customer networks, and contrasted that TCO to “good enough” networks from other networking vendors. Key findings:
1) TCO is a better metric than CapEx to assess network cost because it considers the full impact on IT spend, including CapEx, services, labor, bandwidth and energy.
2) The Cisco Borderless Network Architecture can deliver up to 13% better TCO than a “good enough” network, offering compelling value for the strategic Cisco investment.
3) Even if architectural benefits are discounted in the analysis, Cisco is, at most, a 7% TCO premium over other vendors due to IT labor savings and extended product lifecycles from Cisco solutions.
4) The single biggest benefit of Cisco’s architectural approach is labor savings. Labor constitutes 50% of TCO and Cisco delivers 5% to 10% labor savings driven by unified wired and wireless and embedded security.
5) A quality network delivers business benefits beyond TCO, including improved network uptime, higher user productivity and a lower threat of security breaches.

Get the White Paper

Tweet

By all counts, Cisco’s upgrade of the Catalyst 6K via its new Supervisor 2T, or Sup2T, is its most ambitious and thoughtful yet for the venerable platform. The Sup2T is a 2 Terabit (Tb) platform that triples the previous Sup720 performance. Thanks to the support of Virtual Switching System (VSS), the platform allows two 2 Tbps switches to combine into a single 4 Tbps virtual switch. The Sup2T is a major upgrade to the most widely-deployed switching platform in campus and data center networking in the industry. But while these performance numbers are impressive, it’s the new Cat6K’s network services and pricing that deliver most of the value. From a services’ point of view, the Cat6K stands alone.

Cisco’s Cat6K is the firm’s most successful product with over 700,000 systems and 110 million ports installed, worth some $42 billion. This product’s success increases the stakes for Cisco as it introduces a major upgrade. Cisco had to consider backward and forward customer migration, increased competition and pricing pressure especially as many firms are starting to offer core switches based upon merchant silicon. In short, Cisco had to eliminate the trade-off of innovation versus investment protection and find a way to deliver both simultaneously. A detailed review of the new Cat6K with Sup2T finds that Cisco has navigated well by incorporating customer feedback from multiple theaters and industry segments in the form of some 200 features, most of which are incorporated into ASICs, something with which merchant silicon based switching firms cannot compete.

Merchant Silicon versus Custom ASIC

There will be an increase in the number of core switches offered from various vendors during 2012 thanks to the availability of merchant silicon, but these products, for the most part, will be focused on primarily performance while falling short on network services. Network services are hardware and software features that provide the tools, customization and design options for IT architects to optimize their networks and applications to either run faster and maintain secure, reliable, high-quality user experiences whether it’s for video traffic, virtualized desktops, general purpose office productivity or client facing web traffic.

For example, consider something as mundane as counters. In the Cat6K Sup2T and new modules, there are more than two million counters, enough to have separate counters for every protocol, including IPv4, IPv6, multicast, unicast, MPLS, etc. What this says is that Network Operations engineers will be afforded a level of granularity and visibility into the network well beyond anything they previously could gather. But I digress; let’s focus on the big picture of the new Cat6K.

The New Cat6K by the Numbers

The last major upgrade for the Cat 6K was the Sup720-10G in 2007, which was the first management module with 10GbE uplinks. The Sup2T enables 40GbE interoperability and interface speed transition as the Cat6K will support 100MbE, 1GbE, 10GbE and now 40GbE in a modular chassis platform. The performance leap on the 2 Tb portfolio is complemented by a quadrupling, or more, of the NetFlow, Access Control List and Quality of Service capacities of the platform to meet the increasing manageability, security and service demands of enterprise networks. The platform now offers 720 Mpps of IPv4 and 360 Mpps of IPv6 performance, roughly a twofold increase over the previous generation. In a word, the Cat6K scales logically.

What Cisco engineering has done is tripled the performance, quadrupled the platform scalability and added new network services—several of which are industry firsts and all of which protect investment by being backward compatible with these forward innovations. For example, central forwarding line cards that started shipping in 2003 are supported in the Sup2T. The E-series chassis and power supplies that started shipping in 2004 are supported with the Sup2T. For a large segment of the Cat6K installed base, all that is required is the install of the new Sup2T to gain increased performance, scale and network services. This is perhaps one of the easiest refresh offers Cisco has ever made.

Network Services Rich

As for network services, the Cat6K supports some 2,600 features that the market has demanded. Most of these features were developed over time with many firms depending upon them to run their networks. In addition to hardware backward compatibility, Cisco had to be software backward compatible too by supporting these 2,600 features, which are supported in the Sup720 and the wiring closet Sup32, in the Sup2T. Some of these features include IPv6, multicast, NetFlow, MPLS, etc. But clearly the market does not stand still, and Cisco engineering has added some 200 new innovations to the Sup2T, some of which will also be supported on previous versions of supervisor engines.

Interestingly enough is that with backward support of new network services supported on the Sup720, IT architects can choose to move these Cat6Ks down a network layer and place the Sup2T Cat6Ks in the distribution and core, extending the entire portfolio of network services from access, distribution and core. Some of these new innovations are Flexible NetFlow, Role-based Access Control, Virtual Private LAN Service (VPLS), Bridged Domain Technology, etc. Following are a few of the next generation innovations introduced with the Sup2T.

NetFlow: NetFlow scalability in the Cat6K Sup2T has increased fourfold with larger tables being supported in the ASICs. Up to 13 million NetFlow entries are possible in a single system. That is up to eight times the visibility afforded by the previous generation of NetFlow hardware. Over time, most networks will have a mix of 1GbE, 10GbE and 40GbE; this new version of NetFlow introduced sample NetFlow so NetOps does not have to export all traffic to collector, a huge complexity and time reduction. Also NetFlow visibility is now protocol independent, meaning that it does not matter if a network is running IPv4, IPv6, MPLS, Unicast, Multicast, etc. In addition, select modules, rather than the central supervisor, are able to export NetFlow to the NetFlow collector offering yet another way to scale.

MACsec: From a security perspective, the Cat6K Sup2T natively supports MACsec, or IEEE 802.1AE, embedding it within line cards offering line-rate, hop-by-hop encryption and decryption. In addition to the new Cat6K, the Nexus 7K, Cat 3K and Cat 4K currently support MACsec, thereby enabling end-to-end secure communications much like IPSec and SSL but over the LAN.

Role-Based Access Control List (RBACL): Access Control Lists, or ACLs, can now be programmed in role-based scenarios controlling user access to IT resources. Roles can be finance, human resources, marketing, engineering, sales, executive management, etc. Role-based access control allows NetOps to configure which IT resources each user is allowed to access for each type of job role, thereby controlling their access to servers, applications, WAN connections, etc. Role-based access control is an addition to the Sup2T’s ACL Dry Run, which first tests if ACL changes will fit in the ACL Ternary Content-Addressable Memory or TCAM before they go live with the configuration. Using ACL Dry Run will help avoid potential network disruption since NetOps engineers will know whether the ACL changes will be supported in hardware before implementing them. If an ACL change does not pass the Dry Run, then the system will indicate which resources are being exhausted, allowing the NetOps staff to adjust the ACL accordingly.

Network Virtualization: The new Cat6K Sup2T boosts its network virtualization capabilities that enables physical infrastructure to be logically divided. For example, airports, such as Zurich, Munich, Toronto, etc., use network virtualization to change gate attributes as an airline carrier completes the boarding process and transitions the gate to another carrier. They also use network virtualization to separate out kiosk vendors from operations from WLAN AP guest access to airline carrier support, etc. Governments network virtualization to logically segment departments while they share the same physical building/floors/office spaces. Universities use network virtualization to logically segment administration, research, faculty and student interests. Just as with other previously-mentioned capabilities, Sup2T increases the scalability for network virtualization up to fourfold with support for up to 4K MPLS VPNs, 32 instances of (VPN Routing and Forwarding) VRF-lite, native VPLS in hardware, allowing for VPLS-facing interfaces to be any interface in the system, and more.

New Service Modules

Admittedly, the Cat6K with the Sup2T is not the fastest Ethernet switch on the market with 2 Tbps of switching capacity. Cat6K doesn’t need to be the fastest given its place in campus networking and mid-range data centers. However, it does need more than enough performance to never be the bottleneck in IT delivery while providing a wide range of software options to control traffic and optimally design enterprise IP networks. Cisco engineering has done this with 2 Tbps, and 4Tbps with VSS, far greater capacity of most, if not all, campus and mid-range data center networks operating at a range of 10/100/100, 10GbE and soon 40GbE. For higher performance, Cisco offers the Nexus 7K with 9 Tbps of switching capacity for data center switching designs.

To increase performance in the Cat6K, it’s not just the supervisor engine that’s been upgraded. New service modules, such as the new Wireless Service Module 2 (WiSM-2), Adaptive Security Appliance Service Module (ASA-SM) firewall, Network Analysis Module 3 (NAM-3) and Application Control Engine 30 (ACE30) load balancing were introduced to take the Cat6K with Sup2T to the next level of hardware-based services processing. Remember, service modules allow IT business leaders to reduce the number of devices in their network they need to manage, improving energy efficiency and reducing carbon footprint. These new service modules have been upgraded for performance and scalability, as services performance has to scale with network performance. For example, the ASA-SM offers a threefold increase in performance with 15-20 Gbps of stateful application firewalling. NAM-3 has been upgraded in performance by a factor of fifteen, allowing application visibility and analysis at 15 Gbps. The WiSM-2 scales up to 20 Gbps of throughput and support for up to1,000 centrally-managed access points, a threefold increase in performance and scalability.

Integrated and Virtualized Network Services

Unique to a Cisco environment is that service modules and appliances basically share the same operating system, meaning that there is operational consistency between the two platforms. For example, if an IT architect implements an ASA appliance and ASA-SM, NetOps will experience the same operating system, management and look and feel between the appliance and service module. This consistency allows NetOps to best utilize and manage network services independent of physical packaging and network location, thereby increasing operational efficiency and innovation injection. Thanks to network services being integrated into the Cat6K, and the ability to virtualize services, IT architects are afforded design choices where they can regulate the number of appliances versus service modules in their network by choosing to utilize service modules more over time and obtain their green benefits too. Note that the ASA-SM and ACE-30 can be virtualized or divided between users/groups, thereby extending their reach throughout a corporate network and reducing the number of appliances in the process.

Cat6K with Sup2T Pays to Upgrade to 10GbE

From a pricing point of view, it’s best to think of the Cat6K with Sup2T as the device to transition a campus and mid-range data center network from 1GbE to 10GbE. With 1GbE in the access layer, via upgraded Cat4K with Sup7-E and/or Cat3K / 3750X, connected to a Cat6K with Sup2T in the distribution layer providing 10GbE to the core, Cisco estimates that this configuration will be 20% less costly than a similar configuration utilizing the Sup720 and older versions of the Cat4K and 3K. This design provides for 10GbE between access, distribution and core. In essence, Cisco is paying IT leaders 20% to upgrade to 10GbE with a new generation of switching.

Economics plays a large role in network design. From an economics perspective, Cisco is responding to competitive pressure with new pricing and design options with this Cat6K upgrade. While the Cisco Cat6K Sup2T represents increased performance, what IT business leaders will find is that for typical configurations independent of data center or campus, 1GbE, or 10GbE, the overall cost of a Cat6K network is actually reduced by 20 to 25%. For example, the 48 port 10/100/1000 copper line cards were sold in two versions: centralized and distributed forwarding modes. The centralized forwarding mode is priced at $15K and comes with 256MB of memory, while distributed forwarding is $22.5K. New Ethernet line cards (6800 Series) have Distributed Forwarding Card 4 (DFC4) daughtercards by default and come with 1GB of memory that are priced at the same $15K as the centralized forwarding mode cards, closing the price gap between centralized and distributed forwarding mode to the lower cost centralized pricing. IT architects are offered distributed forwarding performing line cards, which are higher performance throughout the system, at a third of previous generation cards. This is but one important example that demonstrates that the Sup2T is a price reduction over Sup720 around 10GbE.

New Network Design Options and Economics

Campus networking traffic patterns are dominated by north-to-south flows, thanks to the centralization of IT application delivery within data centers. While over time, an increase in east-to-west flows may occur thanks to peer-to-peer applications, north-to-south flows are getting thicker and denser especially as the industry adopts virtualized desktop computing and real time video communications. These thicker north-to-south flows are being accentuated as more applications are being hosted in corporate data centers and private cloud facilities for IT complexity and cost reduction. At the same time, enterprise mobile computing has skyrocketed with the adoption of iPhones, Android-based devices and iPads. For example, Gartner predicts that 55 million tablets will be sold worldwide by the end of 2011. Thanks to lower power output antennas on these new mobile devices, the density of WLAN APs are also increasing to provide coverage. This is creating a challenge to roam seamlessly without user experience interruption.

Mobile and cloud computing economics and increasing traffic volume are driving a new model for campus networking. It’s a model that seeks to increase wired and wireless network bandwidth, scale logical networking and extend network services such as security throughout the enterprise network via centralized management control methods. It’s a model that also seeks greater visibility and control of flows to optimize performance and apply resources where needed. Network virtualization, where physical network infrastructure is logically segmented to assign different network attributes to various groups/departments/entities, has become a mandatory requirement in some industry segments. And from a design point of view, high reliability needs to be systemic as all corporate productivity is flowing across this IT asset.

For those with Cat6K-based networks, installing the Sup2T offers a range of new network design options and economics. For example, encryption is now embedded and integrated. Network services are increasingly becoming virtualized, offering greater reach, cost effectiveness and lower carbon footprint. 10GbE and 40GbE speeds can be strategically placed where bandwidth is needed. NetOps is offered a common look and feel between appliances and service modules, reducing operational cost and increasing efficiency. Logical networking can scale to support more IPv6, more WLAN APs and users, greater visibility into the network via NetFlow, greater stateful application firewalling, etc. It’s clear that Cisco engineering has made tremendous efforts on security with TrustSec, taking ACLs to the next level, NetFlow’s deeper visibility, network virtualization via MPLS or VPLS for segmentation and bringing parity to IPv6 and IPv4.

Cisco is paying customers to upgrade to both the Cat6K Sup2T and 10GbE. Obviously, there’s additional capital cost to spend to gain the return, but from a historic perspective, the upgrade cost is a fraction of previous switch generations. With the Cat6K Sup2T upgrade, IT business leaders gain a wide range of network services, some of which are mentioned above, that will prove to be invaluable as IT marches on toward an IT delivery model dominated by mobile and cloud computing with nearly everything becoming virtualized.

Tweet

By Cisco Systems

Enterprise workspace is quickly evolving with new networked devices to improve communication, collaboration, security and productivity. Power over Ethernet (PoE), a way to deliver electrical power over LAN cabling to networked devices, has been widely deployed over the years to provide power to various endpoints. Cisco® Catalyst® 4500E, a market leader of PoE technology, continues to innovate to deliver Universal PoE (UPOE) technology with up to 60 watt power to enable even broader endpoint support, with additional benefits of higher availability, lower OpEx and faster deployment.

This paper provides an overview of the Cisco UPOE technology. It describes how Cisco has evolved PoE technology to UPOE, the use case examples of UPOE to simplify enterprise deployment, and UPOE architecture and operations.

Get the White Paper

Tweet

By Cisco Systems

Hundreds of Cisco customers have debated the trade-off of prioritizing the lowest price for a point product or service in their network over a strategic plan for how they architect their network infrastructure. Through interactions with many customers, Cisco has analyzed various network designs and implementations. Our findings show that although there is a place for building a low-cost tactical network, the ongoing operations, upgrades and lack of preparedness to meet new business challenges prove to be hindrances to organizations in the long run. Rather than just considering capital cost, organizations are well served to look at total cost of ownership, including operations and return on investment plus business capabilities enabled by a strategic network, as they build out their networks to address business needs today and tomorrow. Forrester Consulting Group provides an excellent analysis in this paper too.

Get the White Paper

Tweet

On Tuesday Auguest 16th a week before HP’s news of potentially exiting the PC business, Zeus Kerravala, Senior VP of Research at the Yankee Group and Andre Kindness Senior Analyst at Forrester Research joined me in a round table discussion to reflect on HP Networking. We assess HP Networking’s progress since it announced the acquisition of 3Com back in Nov of 2009 and its prospects for the future. In a word our mutual assessment is disappointment with major short and long-term threats from Huawei. But there is hope for the future if HP can create a bold new vision for the industry and execute it. If you are going to listen to one podcast this year about HP, this should be it.

Listen to the Podcast

Tweet

By Nicholas John Lippis III

IT business leaders are demanding a unified policy-driven
management strategy for network access and security, mobile
endpoints including iPads, tablets and smartphones. A holistic
network approach is the unification of these management assets
to simplify operations and shift control to IT leaders. A holistic
network approach from Cisco Systems is to streamline NetOps
through the automated orchestration of policy, management and
infrastructure. In this model, network administrators will not have
to access multiple different management systems to collect data,
correlate it manually and then attempt to identify problem location.
One management system, Cisco Prime NCS with integrated
links to ISE delivers this service to NetOps drastically improving
network visibility and reducing troubleshooting time through a
client- or user-focused approach to managing corporate networks
in the age of mobile and cloud computing.

Get the White Paper

Tweet

By Cisco Systems

The Payment Card Industry Data Security Standard (PCI DSS) Version 2.0 has been released, providing clarification and reinforcing the need for merchants and other organizations to identify all system components, people and processes to be included in a PCI DSS assessment. Simply achieving device and system compliance is not enough to protect your retail business and your customers. Cisco® PCI Solution for Retail 2.0 helps you:

• Address current PCI compliance requirements
• Protect customer data in your data center, stores, Internet edge, contact center and between partners, such as payment processors
• Simplify compliance
• Offer guidance on security best practices

Get the White Paper

Tweet

In Cisco’s Data Center Fabric, it has delivered a set of features and innovations that solve some of the most difficult networking challenges found in virtualized infrastructure. IP address and VM mobility plus adapter and VM Fabric EXtenders (FEX) offer increased support for virtualized data center infrastructure, offering designers flexibility to move virtualized assets independent of location. These innovations are proposed by Cisco that promises virtualization aware networking, lower cost and increased performance. Omar Sultan, Senior Manager, Data Center Architecture at Cisco Systems, and I discuss Cisco’s new data center virtualization tools.

Listen to the Podcast

Tweet

Two years after Cisco launched its Unified Computing System it has 5,400 customers, holds the #3 market share ranking for x86 blade servers WW, behind only HP and IBM, according to IDG and recently broke numerous world computing performance benchmark records. While UCS has leaped frog competitors with performance plus memory and I/O capacity the most important aspect of UCS is the business value it drives. I explore this topic with Todd Brannon, Senior Manager for UCS marketing at Cisco Systems about the vision and strategy of Cisco’s Fabric Compute and the value its customers are gaining from its use. Todd brings great customer examples to this podcast, which is a must for any IT leader evaluating a data center fabric.

Listen to the Podcast

Tweet

By Cisco Systems

CareCore National, a health benefit management concern, increased business agility by being able to launch new lines of business in just two weeks, down from six months. This business benefits were gained, in large part through the insight and leadership of IT executives and their deployment of Cisco’s Data Center Fabric architecture. This white paper describes how the CareCore National achieved this transformation.

Get the White Paper

Tweet

By Cisco Systems

Avago Technologies is a manufacturer. Its IT business leaders accelerated batch processing by 30 to 40%, increased business flexibility and decreased operational cost by 40% while adding a third data center. This white paper describes how Avago Technologies achieved this transformation.

Get the White Paper

Tweet

By Cisco Systems

The Apollo Group, owner of the University of Phoenix and other educational properties doubled the size of its network without an increase in IT staff, lowered per-port switching cost while increasing port volume and freed up several rows of space in its data centers. This white paper describes how the Apollo Group achieved this transformation.

Get the White Paper

Tweet

By Cisco Systems

Consider how central and critical the capabilities that the network provides are to business goals. In all other areas of the company, business leaders look to strategic thinking and innovation to pull the company ahead of its competitors. Why should the network be any different? The allure of the tactical is always present in any business. A “good-enough-for-now” network may solve some of the problems of today, but does it set up businesses to solve the problems of tomorrow? When the network fails to adapt to the challenges of the future, the business follows the same path. Taking a strategic approach to the network is not just a good idea. It makes business sense. This white paper argues the strategic importance of the corporate network to achieving business objectives.

Get the White Paper

Tweet

Cisco has expanded it relationship with Fax over IP partner Sagemcom by integrating its XMediusFAX into Cisco’s Unity Connection and Cisco Unified Communication Manager (CUCM ) in its 8.0 update. Further, at Cisco Live in Las Vegas, the two announced interoperability testing with Cisco UCS Express (SRE-V). John Nikolopoulos, Marketing and Product Management Director at Sagemcom, discusses Sagemcom’s deepening relationship with Cisco and what it means to IT business leaders who manage branch office networks and communications.

Listen to the Podcast

Tweet

Eric Murray, Senior Network Engineer at Kindred Healthcare, and Ashish Shah, Senior Product Manager, Data Center Switching Technology Group at Cisco Systems, discuss the value gain of data center convergence or a single Ethernet fabric to support IP datagram and storage traffic. In this podcast, Eric Murray shares his experience of deploying a converged data center while Ashish explains Cisco’s end-to-end Data Center LAN/SAN consolidation strategy. This is a fascinating discussion of data center network design with cost and benefit trade-offs. In short, Kindred Healthcare has saved many millions of dollars in capital spend plus operational cost, thanks to a reduction in the number of management points.

Listen to the Podcast

Tweet

Cisco is the only large vertical IT supplier with compute, storage and deep networking capabilities making its data center offering unique. It’s Unified Network Services or UNS, Unified Computing System or UCS, Unified Fabric and policy based management make up the Cisco Data Center Fabric. In this Lippis Report podcast I talk with Shashi Kiran; Director of Market Management for Data Center/Virtualization at Cisco Systems about the vision and strategy of Cisco’s Data Center Fabric and the value its customers are gaining from its use.

Watch the Video

Tweet

This paper revisits the benefits of centralized 802.11n wireless LAN networks and describes the case for transforming the controller-based architecture to match market needs. Centralization of wireless LANs (WLANs) delivers networks that are easy to deploy, scale, and manage. A local-mode controller-based campus environment delivers increased device scalability and an interactive multimedia experience coupled with enhanced policy to manage the full range of mobile devices. A controller-based deployment using FlexConnect technology enables multisite, lean branches to manage the increased scale of deployments without additional increase in operational complexity.

Get the White Paper

Tweet

By Ted Ritter Senior Research Analyst, Nemertes Research

The data center is undergoing tectonic shifts with virtualization the primary cause. Everything is moving faster within the data center—moving at the speed of virtualization—putting centers into a state of transition from physical to virtual, which can be long, complex and messy. At the same time, security models remain largely static, anchored by physical security devices. Not only does this put the organization at greater risk, it also puts in jeopardy the core benefits of virtualization. To address this, organizations need a security architecture delivering agile security and supporting the physical infrastructure, the virtual infrastructure, and all the transitional states in between the two. This requires a new security model seamlessly integrating existing security controls for physical infrastructure with comparable security controls for the virtual infrastructure. This new model requires virtualization security.

Get the White Paper

Tweet

By Nick Lippis, the Lippis Report

IT business leaders are being confronted with a choice: either embrace users’ freedom or liberty to choose a mobile endpoint and applications that they deem appropriate to support their work, or dictate a limited number of supported mobile endpoints and applications in which employees must choose? At the center of this decision are security concerns and control as the number of mobile endpoints connecting into enterprise networks skyrocket. A larger secondary effect is that employees are downloading low cost (99 cents to $4.99) mobile applications, which is changing the mix of corporate application portfolios without IT visibility but user request for support. At the same time, video communications is expanding throughout the enterprise and the endpoints it supports. IT business leaders can avoid this difficult choice and offer users freedom to choose the mobile endpoint and applications of their liking, and still maintain security and control by deploying a Borderless Network. In this industry white paper, we review market dynamics shaping mobile computing plus video communications and how a Borderless Network offers user choice, IT management control and in the process, a more productive and agile workforce.

Get the White Paper

Tweet

Written by Jim Metzler for Cisco Systems

The movement on the part of enterprises to adopt a Cloud-based service model combined with the growing interest on the part of IT organizations to provide an internal SLA (Service Level Agreement) for the services they provide creates tremendous opportunities for Communications Service Providers or CSPs. The primary opportunity is for CSPs to offer a wide range of network centric solutions that are supported by an SLA. CSPs are in a unique position to offer these solutions because, unlike the Internet, the Next Generation Networks (NGNs) that CSPs have deployed are capable of providing contracted levels of availability, delay, jitter and packet loss. This paper provides three recommendations for CSPs to capture Cloud-based service revenues.

Get the White Paper

Tweet

Cisco recently launched its SecureX architecture that extends perimeter-based network security to secure modern IT, recognizing the huge growth in mobile and cloud computing. SecureX is a multi-layer architecture built upon Cisco’s AnyConnect client, its global footprint in real-time threat intelligence found in SIO (Security Intelligence Operation), Cisco TrustSec, including policy servers of NAC manager and server appliances, ASA firewall and the security enforcement features of its switches and routers. SecureX is an architecture to Cisco’s network security products and service to work together in an effort to create deeper defenses and contain exploit infestation if, and when, they occur. Fundamental to SecureX is the concept of “context aware” policy across the enterprise, including remote endpoint devices, centralized policy creation with distributed security device and network enforcement. SecureX provides for innovation injection points through APIs (Application Programming Interfaces) for management and SIEM or Security Information and Event Management. In this Lippis Report Research Note, we explore SecureX with a focus on how context increases defenses and keeps IT assets safer.

SecureX offers something for everyone…such as a simpler, yet richer, management model for SecOps, deeper levels of security for users within and outside the corporate network, centralized policy creation that extends beyond the corporate firewall, and increased protections for users as they utilize mobile endpoints to access corporate and cloud-based applications. IT business leaders should be pleased with better protections and compliance tools, especially as their vulnerabilities increase with mobile endpoints seeking network access growing.

SecureX is not just about extending security to mobile devices but to capturing contextual information in the use of policy creation. Contextual information includes user and device identity plus location, login time of day, plus which specific applications users attempt to access too, and this information is not only collected upon login but during their entire network connected session. Context aware policy allows IT leaders to use this information in the creation of policy with the end result of either allowing or denying access to IT resources, independent upon endpoint device and method of which access is attempted. And this context aware policy attribute of SecureX, over time, will be extend beyond normal data traffic streams to apply consistent unified policies to application, video or voice traffic also.

And while SecureX is security, in reality, it’s bigger than just security, because security is a necessary integrated attribute to enable mobility, video, voice and web collaboration, etc. To create a secure IT environment, IT services need to interact with security services with minimum to no user intervention that steals productivity. In short, SecureX seeks to make Cisco security and network devices work better together through context aware policy so access and deny decisions are improved, and are built upon so that anomalistic behavior remediation is automated post access through traffic monitoring.

Use cases have changed dramatically since a new tier of computing has emerged, that being smartphones and tablets. For example, a laptop could be plugged into an iPhone, which is streaming video into the corporate network. The network should be able to differentiate between data traffic, video traffic, phone traffic and even iPhone application traffic, then monitor all of those traffic types for behavior so if a Virtual Machine (VM) is launched on the laptop, the network recognizes this new entity and performs a new series of monitoring. Security needs to be much smarter as the combinations and permutations of acceptable user behavior are fundamentally changing.

So where does this monitoring come from? Is it centralized, distributed, within appliances, in the cloud? The answer is all of the above. It’s in the network infrastructure and highly distributed. The SIEM ecosystem plays a role, TrustSec provides monitoring as does SIO, ASA, IPS, etc. The network infrastructure itself is monitoring behavior that’s outside of parameters/rules/policy that have been established for each network connection, and can take defined action when anomalistic behavior is identified. With monitoring and enforcement being so highly distributed, the chances of capturing anomalistic behavior increases significantly. Anomalistic behavior can occur anywhere, so depending upon where alerts are triggered, what type of traffic is involved, the kind of device being used, the location, the identity of the user, the time of day, etc., it’s this contextual information that adds color to tripping anomalistic behavior and remediation options.

SecureX is much like Cisco’s self-defending network concept, but with a global perspective and tools to extend contextual base security to the Cloud, virtualized environments and out to the growing mobile workforce. And this extension of security services is the biggest challenge with which IT business leaders struggle. IT leaders want to push context aware policy into their virtualized datacenters, their Cloud(s) and to mobile users, because it solves a large set of security problems. In fact, security concerns is one of the primary gating factors limiting enterprises from deploying these new innovative IT services that offer favorable business processes outcomes.

Context Is Fundamental to Access Decisions

We already have perimeters and defenses within the enterprise, but IT has gone mobile, thanks to smartphones, iPads, tablets, etc. Also, applications are selectively moving into the Cloud as well. SecureX is a security architecture delivering control to SecOps and IT business leaders to extend their IT services to mobile workers, enabling them to embrace a new tier of computing and a new way of application delivery via the Cloud.

SecureX adds the concept of context aware policy to the principles of visibility and control as context provides insight into threats as employees are working outside of defined enterprise perimeters. The type of context that’s important includes identity—such as who are you, where are you located, the device that you’re using and can I trust the device—and what resources are you seeking to access. All of this contextual information needs to be considered when a firewall is determining network resources it will allow access to. In addition, contextual information may also instruct the network to enforce encryption on a session based on who you are and where you’re trying to go.

Policy Driven

To make contextual information work, a policy wrapper needs to surround context elements of personal identity, device identity, location, time of day and application access request. That is empowering the network to being able to create a uniform policy, such that the network is able to intelligently negotiate a variety of context options that are being considered when individuals attempt to access IT resources. This is the perfect job for a policy appliance.

To add context information to firewall decisions, Cisco is leveraging key pieces of its security product portfolio. For example, its TrustSec architecture provides access control plus encryption, which is the first and most critical piece of context information. Within access control, a device’s security posture is assessed, the end user is identified, and their device is profiled, all of which is used to make an intelligent decision to grant or deny network access. In addition, the network can “tag” a user’s data stream, so that as the stream transverses throughout the enterprise IT infrastructure, the network can enforce defined policy independent upon the stream’s destination(s). For example, once the user has passed access control, should this user decide to search for a payroll server location, the network may recognize that he/she is not allowed access, thanks to defined policy, and the network can drop the requests and log the event. This set of sequences is a benefit of TrustSec.

Access Control and Contextual Information

With trusted systems on the inside of an enterprise network providing enforcement through policy of mostly fixed endpoints, such as desktops and IP phones, the question on most IT business leaders’ minds is how to extend these protections to the exponentially-growing mobile community and non-user network devices. IT leaders are confronted with an increasing number of both mobile endpoints and non-user endpoints, such as printers, video surveillance, wireless access points, etc., attempting to access their network and IT assets. To protect IT assets, IT leaders are seeking a process in which all devices connecting to the network, independent upon inside or outside the perimeter, are profiled to analyze device function and apply appropriate policy. For example, an IP camera may be identified during profiling and then a policy applied that allows IP cameras to transmit data, but not allowed to request data. In addition, during post access control, the network then monitors the IP camera to assure policy is applied while the IP camera is connected to the network.

This type of contextual information to build another level of defense is also extended to the virtualized data center environment. For example, once a virtual server comes online, policy can be applied to it, which is then communicated to the entire infrastructure. Policy may allow a virtual server to pass traffic between VMs on a select number of hypervisors. In addition, these VMs may also recognize that the new virtual server can do X and Y with these VMs but not Z. This level of control granularity enables SecOps to define virtual environment behavior in a meaningful way.

The Network Can Be the Firewall

Clearly policy management is an integral component of SecureX. To define policy, Cisco offers the Cisco TrustSec solution, which can be deployed using the NAC Appliance or with a network-centric 802.1X strategy, combined with the Access Control Server. These solutions offer posture assessment, remediation and quarantine functionality. Device profiling for non-authenticating devices such as IP Cameras, printers, WLAN access points, etc., are placed on guest services with triple-A services. The aggregate of these features with the ability to create centralized policy that can be pushed out to the entire network infrastructure creates, in essence, a highly-distributed firewall. If a firewall’s job is to allow or deny access to IT resources, then SecureX turns the entire network into a highly-distributed firewall, where every component of the network is now analyzing and processing traffic.

Enforcement and Layers of Context

Context aware policy enforcement is performed with network infrastructure such as network switches, routing, firewalls, IPS, VPN, etc. There are layers of context: who are you, and should you be allowed to go to this website; or who are you, and what should I do with the types of email that you’re creating, or the traffic you’re generating based on who you are? It’s a meta context environment that asks, “Who are you in a dynamic environment?” In this dynamic environment, a higher-level policy may ask, “When you’re inside the network, there’s one set of rules. But if you leave the network, policy moves and perhaps changes with you.” For example, an exchange between two users may be allowed while both are inside the network. The network could allow certain content to pass between the users. But if one moves outside the network, then the network could stop some content from moving between them. Another example of enforcement due to anomalistic behavior could be a user logging in from within his/her New York network while another login request comes in from the same user located in Shanghai, China; the network needs to make a decision about which one of these users is authentic, and what action to take upon both users.

Networking Is Much More than a Connectivity Service

Enforcement is performed in both security appliances and network infrastructure. This elevates the network beyond a connectivity service to a secure IT service where it provides visibility, context and control, thanks to SecureX. When a network utilizes 802.1X for access control, the network is not only providing connecting, but also enforcement, for example. A SecureX network is creating and analyzing policy tags, performing enforcement of policy, dynamically identifying new devices, monitoring traffic, communicating with policy server(s) and making decisions about which access rules to apply to a device.

Protecting Mobile Users

The key architectural approach to SecureX is that the mobile device is equipped with a thin client, that being AnyConnect with the heavy processing burden of threat intelligence, mitigation and enforcement left in the Cloud or at the corporate head-end. Cisco’s AnyConnect plays an important role in SecureX to protect mobile devices as it leverages a huge resource of threat intelligence. SIO collects and analyzes traffic of approximately 5 billion emails per day, 3 billion Web requests per day and 700,000 network sensors or IPS; expand that to include approximately 100 million endpoint devices that are equipped with an AnyConnect client, and SecureX provides the most comprehensive real-time threat intelligence telemetry and mitigation to endpoints.

All of these numbers can be boiled down through a few examples. Consider a user—with a laptop equipped with an AnyConnect client—is attempting to log into her/his corporate network. At the point of login, the network will identify the user, her/his role and which resource she/he is attempting to access. For example, Bill from finance is requesting access to the payroll server. Policy may be defined as Bill can only have access while he’s inside the network perimeter, but not outside. Further, if Bill’s inside the network perimeter, policy may dictate that access to financial servers are encrypted via MACsec. No need for Bill to take any action, as a MACsec tunnel is established automatically as a matter of policy.

Mobile Internet Browsing

Consider an AnyConnect iPhone mobile user browsing the Internet with Cisco’s ScanSafe dynamically managing the Web interaction. With the endpoint’s VPN connection terminated on an ASA firewall, behavior is monitored. If anomalistic behavior occurs, such as malware activity traversing terminated VPN connections, ASA, in conjunction with ScanSafe and SIO, can extract that information and analyze it. In the event that a virus is propagating on iPhone-based smartphones, SecOps can be notified with a message such as “This is a warning. There’s something big happening on iPhone smartphones, and it’s happening in this part of the world. SIO is analyzing this information, will create and distribute a signature fix shortly.” This type of message can be pushed to all AnyConnect VPN terminating devices: “There’s an iPhone virus coming on. SecOps is blocking it for the moment, and in the next few minutes, we’ll distribute a signature to destroy this virus.”

A SecureX Ecosystem Is in the Works

There are two innovation inject points into SecureX to enable an ecosystem for management and SIEM. The management API offers an approach to a wider and consistent management view of network and security resources. SecOps often requested a super management platform where visibility and control is available from one tool. Unfortunately there is just too much information to display in one management window. But if multiple management tools/windows consulted the same policy data and shared this information, then a more consistent view of network assets can be obtained. An API to enable this type of information sharing would enable NetOps to manage its switched environment and be able to control not only switches, but also gain visibility in a security context of what policies have been applied to that switch. This concept can be extended to all network element management where they share policy information.

While not detailed in Cisco’s SecureX architecture, Cisco did announce a new SIEM ecosystem last month as it placed CS-MARS in end-of-life. This SIEM ecosystem will contribute to the contextual element of SecureX. For example, there are a number of ecosystem partners in place providing sophisticated types of analysis as they deepen their interaction with Cisco’s network infrastructure products. These partners collect and gather real-time alarm information and are correlative to global SIO. The combination of Cisco’s SecureX and its SIEM ecosystem will be able to span threat intelligence from local machines to the global footprint of SIO, offering an expanse of security information that can be put to work to protect assets and mitigate threats once detected. These real-time local and global threat intelligence assets can also be interfaced with a policy engine to not only identify and control devices requesting network access, but to monitor behavior within and outside a corporate network.

The value benefit to a SIEM ecosystem and SIO feeding real-time global information to a policy server is best described through example. Should a device suddenly begin behaving anomalistically, the network can automatically identify the device and its closest switch, and take action, such as lock the device and redirect it to a remediation server. That is, SecureX will be able to perform infection containment and control, thanks to adding real-time local intelligence to the policy sever, thereby changing policy on the fly based upon contextual information.

SecureX is Cisco’s latest attempt at integrating security deep into the network infrastructure as this infrastructure expands to mobile devices, cloud service providers and virtualized infrastructure. Its core component is context aware policy that is centrally administrated with enforcement highly distributed. SecureX is a modern security architecture for a new age of mobile and cloud computing.

Tweet

By Cisco Systems

According to the Wi-Fi Alliance, about 200 million households use Wi-Fi networks, and there are about 750,000 Wi-Fi hotspots worldwide. Wi-Fi is used by over 700 million people, and there are about 800 million new Wi-Fi devices every year. Cisco has shipped over 10 million access points worldwide. In this white paper, Cisco details how Wi-Fi hotspots are changing to accommodate cellular offload of iPhones, iPads and Android devices.

Get the White Paper

Tweet

By Cisco Systems

There are three major trends sweeping through the enterprise: the rapid rise of the consumerized endpoint, the onset of virtualization and cloud computing, and the growing use of high-definition video conferencing. Each of these critical technologies is transforming business—and forcing a fundamental shift in how security is developed and deployed. In this white paper, Cisco describes its SecureX architecture and how it has evolved IT security so that IT leaders can enjoy the benefits of these IT trends securely.

Get the White Paper

Tweet

By Cisco Systems

Deploying network services in virtual data centers is extremely challenging. Traditionally, such Layer 4 through 7 services relied on intrusive, inline deployment and static network topologies. They were thus completely at odds with highly scalable virtual data center designs with mobile workloads, on-demand virtual machine (VM) provisioning, and strict service-level agreements (SLAs).

Cisco® Unified Network Services (UNS) addresses all of these problems by creating a framework for multiple services that can be configured and provisioned on demand, dynamically, to suit the service needs of enterprise applications and cloud users. This dramatically reduces network management overhead, allowing for a much more agile data center and business while providing improved application performance and a secure infrastructure. Cisco UNS comprises Cisco’s industry-leading solutions for virtual data centers that deliver.

● Load balancing and application controllers
● WAN acceleration
● Network security
● Network analysis and monitoring

Get the White Paper

Tweet

by Cisco Systems

Cisco® Borderless Networks is a next-generation architecture that helps IT evolve its infrastructure to deliver seamless, secure and reliable access in a world with many new and shifting borders. The Cisco Integrated Services Routers Generation 2 (ISR G2) constitute a critical component of the Cisco Borderless Network Architecture and deliver performance requirements for the next generation of WAN and network services, enabling the cost-effective delivery of high-definition collaboration at the branch office, and providing a secure transition to the next generation of cloud and virtualized network services. This white paper discusses the concept of integrated services as they apply to the branch-office router, and how they help to enable the borderless branch office for small- to medium-sized business, large enterprises and service providers offering managed services.

Get the White Paper

Tweet

There are powerful market forces changing IT delivery. IT application delivery is becoming increasingly centralized thanks to data center server virtualization plus mobile and cloud computing. Desktops are being virtualized, too, thanks to network speeds that deliver low latency and high bandwidth, creating a thin client user experience that is indistinguishable from a thick client but at lower desktop management cost. One serious implication of this concentration of IT in data centers is that a new IT security model is needed as mobility brings greater threat exposure while virtualization changes traffic patterns and the rules of security appliance placement. In this Lippis Report Research Note, we present a new model for IT security in the virtualized mobile and cloud-computing era.

Users are demanding IT support commercial mobile computing platforms in the enterprise market, driving nearly exponential growth of these devices within corporations. And while commercial mobile computing use, that is Apple’s iPhone/iPad and Android smartphones and tablets, rises, it’s pushing applications, data and IT critical resources into private and public data center cloud facilities. In short, IT is shifting toward both mobile and cloud computing simultaneously, as the two are inextricably linked. Factor in the need for geographically and time independent access to IT services on any end point device, and you have the making of a major shift of centralizing application delivery to geographically dispersed end points that can scale globally.

This pull to centralize IT applications is driven by technology innovation of mobile and cloud computing with financial and performance gains afforded virtualization. But while there are material business benefits to this IT transition, there are risks too. Threats continue to increase, especially as mobile computing expands the diameter of access to data center resources. Virtualization provides huge efficiency benefits but changes the way in which security devices, such as firewalls, need to work to secure applications.

For example, traditional network services are frequently placed in-line or in the flow of traffic, that is firewall, IPS, VPN tunneling etc., forming a line of layer 4-7 network services. But as applications are virtualized, their movement may take them out of the path of traffic flow, thus creating difficulty to maintain network services to Virtual Machines (VMs) and their applications. In most data centers, a mix of physical and virtual network services is emerging as well as a mix of virtual servers and physical servers based upon old and new investment. What IT business leaders demand is that their investment in physical and/or virtual network services support both virtualized and non-virtualized applications, so they may extract the highest value from their IT dollars and that the same level of security services are applied to both virtualized and non-virtualized applications. This is a hard problem to solve and requires new thinking in network security.

The New Approach to Network Security

Before we dive into security architecture, a new approach to network security thinking is in order. Traditionally, network security was based upon the hard-shell and soft-core concept; that being, build a perimeter of firewalls and IPS equipment creating a hard shell around IT assets, but keep the internal network free of security services—that is a soft core. Then security layering was added to this model by offering defenses in depth to harden the soft core. While these approaches are still valid, thinking needs to be expanded in step with the directions of IT.

Modern day network security architecture needs to defend, extend, prevent and comply. By defend, we mean mitigate threats as the number of exploits/malware, etc., continue to rise. Network security services need to be extended to support virtualized data centers as well as mobile users and cloud-computing facilities. Network services need to prevent business loss, be it data loss prevention and business continuity. And lastly network security needs to assure compliance of government legislation/regulation/orders to mitigate risks of non-compliance.

Applying this new thinking in network security to major user behavior scenarios and IT assets creates both a broad security blanket that is also deep. For example, systemic across the enterprise, progressive IT business leaders are developing cloud security, desktop virtualization security and, for those engaged in on-line transactions, a PCI solution. These three security services support IT assets in need of protections, such as application security, mobile user experience security, virtualization security, service security such as encryption plus infrastructure security, e.g., firewall, IPS, VPN.

Cisco’s Data Center Virtualization Security Approach

There are only a few IT firms that can deliver the depth and breadth of this type of a security approach. These firms are Cisco, IBM, HP, Microsoft, Oracle and perhaps CA. For this Research Note, we focus on Cisco as it possesses all the technologies to deliver on a broad data center virtualization security solution. In the above example, Cisco’s ScanSafe would provide email and web application security. Its AnyConnect mobile client provides mobile security for VPN and cloud access. Service security is delivered via TrustSec, an architecture providing policy, identify and encryption services. For infrastructure security, its ASA (or Adaptive Security Appliance) security product combines firewall, IPS and VPN, while infrastructure security services are also embedded in its switch and router product lines. While all of the above products have been in production for some time, Cisco has launched an innovative approach to solving one of the biggest virtualization security problems, and that is to virtualize firewall services and to steer traffic to it as application flow changes from in-line to off-line as occurs when applications become virtualized.

Virtual Security Gateway

Within Cisco’s Unified Network Services (UNS) umbrella of products, it has launched its data center firewall called VSG or Virtual Security Gateway, and provided it management and policy services via its VNMC or Virtualized Network Management Center software. VSG is an example of a virtual service node, as compared to physical ASA security appliance. The key underpinning technology to VSG is the Nexus 1000V and vPATH, which enable traffic to be re-routed or steered to the virtual firewall nodes…more on this below.

VSG is a proof-point of Cisco’s ability to solve the firewall problem within virtualized infrastructure; that is how to provide firewall services to flows destined to and between various VMs. vPATH, a software module within the Nexus 1000V softswitch, steers traffic to VSG, which blocks or allows traffic flow to its destination. Further, VSG assures that the correct network security service is applied, and a VM’s policies follow it as it moves between physical servers. VSG policy is centrally managed through the VNMC umbrella management platform.

By inserting vPATH technology/software into the Nexus 1000V virtual switch, hypervisors and VM’s traffic is re-directed as needed to deliver network services, such as firewall.

vPATH

In the case of VSG, through VNMC, policy is created to define what type of traffic needs to be redirected, and then what action to take upon that traffic once it arrives at the firewall. As traffic reaches a server or Nexus 1000V, it is intercepted as it’s destined for a particular VM by vPATH, which redirects it to VSG for inspection. VSG then performs its network security service, then forwards the traffic, if allowed, to its destination just like a firewall appliance operates. vPATH intercepts traffic and sends it to VSG while VSG performs its security service and decides if traffic will be forwarded to the destination VM.

Fast Path

vPATH also benefits from a concept called fast path. Fast path is similar to a cut-through method in that once traffic has been forwarded to VSG for firewall services, for example, the remaining traffic flow, it’s routed directly to its VM destination. Note that fast path can be utilized for most network services. Fast path obviates the need to route all traffic through VSG once the first packet of the flow has been processed by the firewall. Therefore, all traffic does not require packet-by-packet inspection, speeding up flows and reducing processing and latency.

For example, if the first packet of a flow passes through VSG without alteration then the rest of the flow should pass uninspected as the security rules are the same. However, this wouldn’t be the case for an IPS system, where the entire payload is inspected to assure there is no malware residing in the flow.

A key benefit of vPath is that it intelligently steers traffic via flow classification and redirection to associated VSGs to implement security policies in a virtual environment. Fast path offload: Policy enforcement of flows are offloaded by VSG to vPath thanks to Fast path and deliver improved efficiency and performance of firewall services to virtualized applications. These capabilities, along with physical firewalls, help IT leaders to regulate how virtualized and non-virtualized applications receive firewall services. In addition, as VMs move between physical servers, firewall settings do not need to change as they follow the VM move within the data center. Thus VSG is mobility aware and is VLANs and topology agnostic enabling flexibility not seen before in virtualized data center environments.

Going back to the need for a modern approach to network security, the combination of Cisco’s ASA, VSG, AnyConnect and Security Intelligence Operations or SIO start to deliver the attributes of defend, extend, prevent and comply to IT business leaders concerned with protecting modern IT business assets. For example, AnyConnect 3.0 provides security services for remote and mobile end points via client software on laptops, tablets and smartphones with centralized policy control. In short, AnyConnect provides protections against the increased network diameter afforded by mobile and cloud computing. SIO is one of the most comprehensive and globally expansive threat detection services that update Cisco IPSs with exploit signatures in near real time, thanks to its global threat correlation service. SIO is based upon over 1 million sensors (Cisco IPS) distributed around the globe from which it sends and receives updates and is staffed with over 500 security experts.

So as servers and applications are virtualized and computing goes mobile and to the cloud, a new modern approach to network security is taking hold. With Cisco, its network security architecture and products of ASA, VSG, AnyConnect and SIO span the new nature of borderless IT to offer business leaders protections as they manage their business and exploit the value created by this new cycle in Information Technology.

Tweet

Any IT business leader knows that the single most important technology driving data center design change is server virtualization to the point that a virtual machine (VM) is now the data center building block. As server virtualization marches on until nearly every physical server has been virtualized, networking in a virtualized environment is being forced to fundamentally change too. By networking, I mean not only layer 2 and 3 forwarding but network services too, such as application controllers, WAN optimizes, firewalls, etc., which are fundamental for mission critical application performance, cost reduction and high application availability especially where service level agreements are required.

Adding new applications to a data center has become highly complex, thanks to all the routing paths that need to be set-up to provide connectivity and reach of network services plus the configuration and policy set-up for network services specific to the application. Then, once the application is operational, it’s hard to virtualize it and move it via v-motion, et al, while keeping set-up and policies intact, especially routing paths. The current state of rigid networking consumes time and cost, but most importantly limiting the speed and agility in which new applications can be delivered and businesses react to market dynamics. This is a nasty problem, riddled with complexity and associated cross-administrative operational cost limiting the number of applications that can be virtualized until this problem is solved.

An entirely new approach to deploying, provisioning and managing data center network services in a virtualized environment is needed, and Cisco is addressing this need with its Unified Network Services or UNS. Cisco’s UNS is not just a suite of its layer 4-7 network service offerings such as ACE, WAAS, etc., but a framework for transparently inserting network services into a virtual server environment for steering traffic to network services on a per-VM basis plus an extensible and integrated policy management architecture. The key word in UNS is “unified,” as UNS makes network services available to both physical and virtual servers and their associated applications via steering traffic to network services hosted in appliances/modules/blades or within a VM. UNS promises to help reduce the costs to deploy new applications plus to enable more applications to be virtualized. In short, UNS offers an approach to deploy, provision and manage new applications without the network set-up complexity mentioned above. In addition, it also promises to remove network complexity associated with virtualizing applications and their moves. UNS is a main pillar of Cisco’s Data Center Business Advantage architecture, along with Cisco’s Unified Fabric and Unified Computing Services. These pillars combine to form the tightly-integrated next generation data center components including the network, storage, application services, virtualization layers and network services.

Cisco’s UNS is addressing mobile (v-motion) applications and their associated changing or dynamic network topology requirements by steering traffic to appropriate network services that are centrally controlled via policy. These network services such as firewalls, application controllers, WAN acceleration, load balancing, etc., can be packaged in appliances, modules, server blades and/or other form factors and/or increasingly as a virtualized service. UNS is a modern approach to applying layer 4-7 network services to both non-virtualized applications and VMs, while in the process solving some of the most complex problems associated with virtualized infrastructure.

Dedicated Hardware Services to Virtualized Network Services

Traditional network services are frequently placed in-line or in the flow of traffic, that is firewall, IPS, load balancing, application controllers, WAN acceleration, etc., forming a line of layer 4-7 network services. But as applications are virtualized, their movement may take them out of the path of traffic flow, thus creating difficulty to maintain network services to VMs and their applications. In most data centers, a mix of physical and virtual network services is emerging as well as a mix of virtual servers and physical servers based upon old and new investment. What IT business leaders demand is that their investment in physical and/or virtual network services support both virtualized and non-virtualized applications so they may extract the highest value from their IT dollars. This is a hard problem to solve and requires new thinking in networking which is what UNS is focused upon delivering. In short, UNS allows a mix and matching of physical and virtual network services to support either virtualized or non-virtualized applications through a more flexible approach to networking and policy management. So how do IT architects create this level of flexibility?

In a UNS environment, the physical placement of network services in appliance/modules/server blades, etc., or virtualized form is moot, offering IT architects a new degree of freedom to access these services anywhere in a virtualized infrastructure. A network service can be offered to a VM and its associated traffic, independent upon its form factor, be it a physical appliance, dedicated module or virtualized network service as long as the VM and softswitch send traffic to the appropriate service as the application moves around the data center.

That’s important as traffic patterns have shifted from primarily north-south to a mix of east-west and north-south, resulting in the need for network services to offer far greater flexibility in their reach to service VMs and the applications they contain. And as network services are logically wrapped around a VM via policy, they receive the benefit of all moving together, solving one of the biggest virtualization problems in the industry, manually intensive change management. Parallel to making network services accessible independent upon location and its packaging is the added benefit of virtualizing network services as this will decrease the number of hardware appliances in a data center, reducing complexity, total cost of ownership and energy consumption.

Unified Network Services Is a Platform for Inter-Cloud Mobility and On-Demand Provisioning

But perhaps even more important than solving the immediate change management problem is that unified network services deliver a set of attributes that put in place the tools and ability to deliver elastic IT services between clouds—the holy grail of cloud computing. With core network services unified, a degree of flexibility is gained far beyond current technology and offers a platform in which service advertising and registry can occur so that a “provision proxy” can automate network service configuration to meet new IT service delivery needs in near real time; but this is a topic for another day. The important point is that a unified network service is a platform that all large IT firms, cloud providers and enterprises will be investing in over the next business cycle.

Cisco’s Unified Network Services or UNS

In this Research Note, we review Cisco’s UNS, the most comprehensive approach to data center and cloud network service deployments in the industry thus far. UNS addresses the on-demand provisioning problem so sought after in virtualized infrastructure. That is when IT leaders need to allocate resources from within or between a private or public cloud on demand and quickly, UNS will respond to a capacity request so that network services are provisioned in the right order, at the right capabilities and within minutes rather than months. In short, UNS’s vision is to enable on-demand network service delivery and on-demand provisioning to accommodate VM container workload mobility within the construct of an Enterprise’s IT model or service architecture.

The Virtual Security Gateway

UNS is both a vision of on-demand service provisioning and the products that enable its construct. Within UNS, Cisco has launched its data center firewall called VSG or Virtual Security Gateway, and is on a path of virtualizing its data center service products including the Wide Area Application Services or WAAS, et al, and providing them with consistent policies via its VNMC or Virtualized Network Management Control software. VSG is an example of a virtual service node, as compared to physical ASA security appliances. The key underpinning technology to VSG is the Nexus 1000v and vPATH, which enable traffic to be re-routed or steered to the virtual firewall nodes; more on this below.

Cisco’s VSG offers a model of how network services are virtualized and in the process, solves some of the biggest server virtualization problems while delivering added flexibility value. VSG is a proof-point of Cisco’s ability to solve the firewall problem within virtualized infrastructure; that is how to provide firewall services to flows destined to and between various VMs. vPATH, a software module within the Nexus 1000v softswitch, steers traffic to VSG, the firewall, which blocks or allows traffic flow to its destination. Further, VSG assures that the correct network security service is applied and a VM’s policies follow it as it moves between physical servers. VSG policy is centrally managed through the VNMC umbrella management platform.

Central to UNS is vPATH technology that confers the same VSG benefits discussed above to Cisco’s new Virtual WAAS or vWAAS WAN acceleration offering. vPATH is fundamental to UNS as it delivers unification by being the same underlying infrastructure for both VSG and vWAAS. Therefore, by inserting vPATH technology/software into the virtual switch, hypervisors and VM’s traffic is re-directed as needed to deliver network services, such as firewall, WAN acceleration, etc.

vPATH

In the case of VSG, through VNMC, policy is created to define what type of traffic needs to be redirected, and then what action to take upon that traffic once it arrives at the firewall. As traffic reaches a server or Nexus 1000v, it is intercepted as it’s destined for a particular VM by vPATH, which redirects it to VSG for inspection. VSG then performs its network security service then forwards the traffic, if allowed, to its destination just like a firewall appliance operates.

The closest analogy to describe vPATH’s function is network-based application recognition. That is NBAR analyzes traffic and classifies it, and then performs a function such as prioritization. Thus, vPATH intercepts traffic and sends it to VSG while VSG performs its security service and decides if traffic will be forwarded to the destination VM.

Fast Path

vPATH also benefits from a concept called fast path. Fast path is similar to a cut-through method in that once traffic has been forwarded to VSG for firewall services, for example, the remaining traffic flow, it’s routed directly to its VM destination. Note that fast path can be utilized for most network services. Fast path obviates the need to route all traffic through VSG once the first packet of the flow has been processed by the firewall. Therefore, all traffic does not require packet-by-packet inspection, speeding up flows and reducing processing and latency.

For example, if the first packet of a flow passes through VSG without alteration, then the rest of the flow should pass uninspected as the security rules are the same. However, this wouldn’t be the case for an IPS system, where the entire payload is inspected to assure there is no malware residing in the flow. Fast path will evolve to support various traffic scenarios too.

Network Service Chaining

Cisco’s UNS provides a solution to the challenge of providing network services to traffic flows within a virtualized infrastructure that stick to VMs as they move and change physical location in the data center. The next challenge is to provide virtualized network service chaining. Chaining network services is the ability to create a single policy for traffic flows as it ingresses to a VM for multiple network services. For example, a policy may apply firewall, load-balancing, WAN-optimization, etc., to a flow and route that traffic through subsequent services, as opposed to having to create unique policies, intercept each one and route traffic accordingly. Chaining is a huge operational time saver, and it hastens the flow of traffic within the data center. vPATH is one underlying mechanism that can steer traffic to services in the right chain/order.

The UNS Value Proposition

From a data center network design perspective, UNS is developing a set of network service building blocks that brings physical network service appliances and virtual service nodes into virtualized environments along with the tools to apply policies to govern their use. As more and more data centers become virtualized so too will network services. In addition, as physical and virtual data centers will co-exist for many years to come, the ability to offload physical network appliances with virtualized ones as well as pass traffic between them offers a transition path and a means to extend the life of existing appliance investments.

As mentioned above, physical data centers are equipped with stacks of appliances offering load balancing, WAN acceleration, firewalls, IPS, etc. Now with service chaining and vPATH, all of these physical and virtualized appliances can be put to work servicing VMs and their applications. Most importantly though is that UNS offers a way to control network services so that VMs, virtual applications and mobile workloads can be scaled up and down plus moved within a dynamic network that allows provisioning services easily. For all intents and purposes, the industry has not had a multi-service chaining mechanism in the physical world. IT operations have done this manually via provisioning VLANs, policy routing, Web Cache Communications Protocol or WCCP, etc. But the old approach is static, and when servers, applications, appliances, etc., move or change, manual intervention is required. The beauty is that chaining network services in a virtualized infrastructure enables elastic scale-up and scale-down much more seamlessly.

Why Unify Network Services

One of the key strategic elements behind UNS is to change the mindset in which IT leaders deploy network services. Traditionally network service appliances were deployed at the edge of the data center or in front of a specific application server. But servers and application are often moved creating the manual re-configuration problem discussed above. Having common accessible network services in private and public data center clouds could offer huge provisioning benefits. For example, there could be, potentially, a vWAAS instantiation in Amazon EC2, Rackspace, GoGrid, etc, which IT leaders who have deployed WAAS in their branch offices could leverage, meaning their WAN would be accelerated thanks to a common WAAS image in the branch and cloud providing that network service independent upon these two application deployment models. This new network services deployment model attempts to blend the worlds of Cisco’s borderless and data center initiatives to the fullest extent.

What’s the intrinsic value of making a network service virtualization? In the case of vWAAS, Cisco is able to give IT leaders flexibility of placement and IT delivery. vWAAS is easier to scale up, licensed in a “pay as you grow” model, offers fewer devices to manage with less power and cooling cost plus is overall more flexible in its placement. In addition, vWAAS and WAAS can both offer WAN acceleration services to virtualized applications thanks to vPATH increasing the usefulness and value to both. vWAAS may be deployed by cloud providers too, which could offer IT leaders a WAN acceleration option independent upon application hosting.

Distributed Deployment with Centralized Management

Value is gained by being able to deploy network services in a distributed fashion, thanks to UNS. UNS changes network service deployment from a centralized model to distributed. But while virtualized network services are distributed, its management is centralized, offering operational efficiency and deployment flexibility. Distributed network service deployment with centralized management is the only approach that works as virtualized network services tend to be distributed widely. In fact, large data centers and clouds will see their instantiations of a particular service grown from a few hundred to thousands, if not more. Therefore, centralized management of virtualized network services provide the control knobs to provision, develop policy, steer traffic, etc., for thousands of virtualized network services distributed throughout a virtualized infrastructure. For example, in Cisco’s UNS, vWAAS and VSG run in their own VM, either on a single physical server or multiple physical servers, offering a highly distributed network service option.

Other companies, such as A10 and at least five others, are virtualizing their application delivery offering too. And cloud service providers are seeking virtualized network services, which will offer IT business leaders the ability to deploy applications from either private or public clouds with a common set of network services over time. For example, many public cloud providers would like to place load-balancing services on top-of-rack and deploy it in a small-medium-large type format. Further, many would also like to place load-balancing services on a compute platform to give customers the ability to deploy load-balancing pseudo-traditionally. That is to deploy network services where a compute platform would be largely dedicated to that service, or, alternatively, distributed so that it does not necessarily reside top-of-rack, or centralized, but resides “logically” next to a VM or sets of VMs so that as VMs move the network service benefit followings.

UNS: A Product Set or Next Evolution of Networking and Computer Services

Now Cisco isn’t the only IT firm developing a unified network service framework, but it is the only company that has all the components to deliver a comprehensive and thoughtful solution. For example, HP, IBM and Oracle do not develop load balancing, application delivery, WAN acceleration or softswitch network services, placing them at a disadvantage. Oracle, HP and IBM usually partner with others for these services such as F5, Riverbed, VMWare, etc., eliminating the opportunity for this level of virtualization and unification development. In HP’s case, its networking gear is increasingly made in China which lacks the forward-looking foresight to get in front of this opportunity. IBM usually does a really good job here, but it’s limited on these major network service components.

Many of the niche players, such as F5, Riverbed, Infoblox, A10, et al, will and are virtualizing their network service appliances and will do it very well, emerging as feature functional leaders. But these firms’ virtualization strategies will lack the broad view of multiple network services and most importantly, how the network nodes (L2-3 infrastructure) or hypervisor can steer traffic to them. To gain a broader UNS view and solution, these firms could organize a consortium to develop a comprehensive UNS strategy and implementation that matches Cisco’s UNS. But consortium is driven by committee, which usually moves slowly. Cisco’s UNS framework will be emulated by others while key technology layers can be standardized, such as Cisco’s proposed VN-Link for traffic steering to physical devices from a virtual/softswitch. Hopefully, an ecosystem can be created that allows all vendors to participate, because UNS is not just another vision and product line, but it’s the next evolution of networking and computing services.

Tweet

By Cisco Systems

This two-page guide provides information on IPv6 client support without changing applications via using stateless NAT 64.

Learn about IPv6 endpoint support by downloading this guide.

Get the White Paper

Tweet

By Cisco Systems

This two-page guide provides information on dual stack IPv4 and IPv6 implementations and its impact from client to network infrastructure.

Learn about dual stacking IPv4 and IPv6 by downloading this guide.

Get the White Paper

Tweet

In an effort to offer a multi-vendor SIEM (Security Information and Event Management) solution, Cisco is placing its SIEM product, CS-MARS, in end-of-life and in its place, offering the industry its first SIEM ecosystem. Cisco acquired MARS six years ago in December 2004. MARS provided traditional event management and security monitoring along with limited forensic capabilities and compliance reporting. But the market demanded a broader cross-vendor SIEM solution rather than a SIEM focused primarily on Cisco products. In response Cisco has launched a SIEM ecosystem to support deep event monitoring, forensics and compliance reporting across a heterogeneous enterprise network. IT has also expanded the role of its Cisco Security Manager or CSM to support policy management and troubleshooting across a wider range of Cisco products. In this Lippis Report Research Note, we examine the new distribution of security responsibilities that now stretch across Cisco CSM and its new SIEM ecosystem with an eye toward stronger defense of IT assets.

IT business leaders were requesting Cisco develop deeper forensics and compliance across multiple areas within MARS. But the MARS architecture was not designed for such long-term storage, long-term data indexing and look-ups required for conducting forensics and compliance in a manner that IT business leaders are demanding. So in June of 2010, Cisco launched a SIEM ecosystem to provide a scalable and cross-vendor approach for IT business leaders to conduct deep forensics and compliance capabilities. Real-time security monitoring capabilities, which MARS provided, are being blended into the CSM.

CSM started as a policy manager for multiple Cisco devices such as routers, switches, firewalls, VPN, IPS, etc. But Cisco recently announced its 4.1 image for CSM that incorporates security-monitoring capabilities that enable policy troubleshooting. For example, essentially event logs will flow into CSM. CSM will determine if a stream of event logs rise to the level of a security problem or if it needs to make policy changes and execute those changes in real time via a closed-loop system. CSM does not deliver forensics or long-term compliance reporting. This is province of the Cisco SIEM ecosystem.

The SIEM Ecosystem

Both MARS and CSM have been missing the capability to conduct broad multi-vendor security monitoring, compliance reporting and forensics in a heterogeneous vendor environment. In fact, most, if not all, security vendors are guilty of this. Clearly market reality dictates that most enterprise IT organizations utilize multiple devices and/or software that contribute to IT security defense.

Therefore, to align its security products and IT defense approach with the reality of the market, Cisco has started a SIEM ecosystem consisting of the five largest SIEM suppliers. The five vendors in the ecosystem are RSA, ArcSight, LogLogic, Splunk and netForensics. Cisco’s exit of the SIEM market has created the opportunity for it to partner with these top SIEM providers covering 75% +/- of the enterprise market.

The power of a SIEM is to accept logs from multiple devices and make sense of them, meaning it weaves them together by way of correlation. The larger the number of log streams to a SIEM from various security appliances, the greater its ability to correlate. The goal of a SIEM is to gather data from all deployed security appliances, which ends up delivering an exponential lift with respect to the security intelligence gain obtained from correlating large streams of data.

With the Cisco SIEM ecosystem, Cisco is now able to deliver heterogeneous capabilities that cover security monitoring analysis, compliance and forensics capabilities, and some specifically, LogLogic, deliver long-term log management capabilities. To assure confidence that Cisco security and networking equipment interoperate with these five SIEM suppliers, Cisco has conducted extensive interoperability testing with each supplier. This is key for IT business leaders who have an operational SIEM deployed need to be assured that either the introduction of a new SIEM or security device will interoperate with their existing SIEM. This is key for Cisco CS-MARS customers who will be looking to transition to a new SIEM. Note that end-of-life is a multi-year process so co-existence and transition are important attributes for the ecosystem to contain.

Conduit between SIEM and Cisco Security Products

The interface or conduit that enables information transfer between Cisco products and its SIEM partners is device specific. The interface could be SysLog, SDEE or Security Device Event Exchange, and depends upon what conduit the end security device uses, be it an IPS, firewall, switch, router, etc. The conduits have not evolved yet, although at some point in time, they may.

The Interoperability, Validation and Testing Lab

To demonstrate Cisco interoperability, Cisco has created a Cisco-compatible logo, which a partner earns after they have passed through what is called the “IVT Lab” meaning Interoperability, Validation and Testing Lab. One of the key outputs of the IVT Lab is interoperability assurance plus license rights to display the Cisco-compatible logo, and a set of deployment guides to assist a Systems Engineer (SE) or an IT security department to deploy a partner’s SIEM product alongside Cisco’s firewalls, switches, routers or email plus web security products, etc. The detailed deployment guides offer various configurations of the SIEM ecosystem partners and Cisco products.

To gain the Cisco-compatible logo, a partner needs to be tested against Cisco security products, which are approximately eight devices in its latest software versions. These include Cisco Cross-Device, Firewall, IPS, ASA, E-mail Security Appliance (ESA), Web Security Appliance (WSA), etc. The Cisco-compatible logo says that each partner has been tested for that set of core security devices. Over time Cisco plans to test SIEMs across the entire Cisco security product line.

The IVT Lab and associated Cisco-compatible logo essentially level-sets SIEM partners so all have validated and verified support for core Cisco security products. From a support perspective, Cisco’s TAC can take the lead on support. Cisco has developed relationships with its ecosystem partners by tying them into its TAC processes. In the event that SECOPS has an issue with, say, Splunk or RSA, Cisco TAC has a streamlined process that places customers in touch with the right person at RSA, Splunk and its other partners.

Greater Defense through Faster Innovation Absorption

Clearly Cisco products bring value to their ecosystem partners. For example, Cisco’s firewall team produces the number one firewall in the world, developing features or functionality nearly every quarter or at least twice a year.

Before the ecosystem was in place, a lag between Cisco innovation launch and SIEM ability to support new features was common. For example, SIEM vendors may not understand what the new features are meant to do or how they’re used. Therefore, as part of the SIEM ecosystem, Cisco is committing to assure that as new innovations/features are rolling out across its security portfolio, SIEM partners understand how Cisco recommends they be used which will speed SEC OPS innovation absorption.

Pulling It All Together

Cisco’s new approach to heterogeneous network security is based upon an ecosystem of SIEM providers that it provides interoperability testing, new feature training, TAC support and deployment guides. The SIEMs will aggregate event logs from a wide range of Cisco and other company security appliances to deliver cross-vendor IT forensics and compliance reports. Cisco’s CSM is the policy manager and troubleshooting platform going forward and will enjoy expanded support of Cisco’s security products. Therefore, policy management and troubleshooting services will be delivered through CSM, while the SIEM ecosystem delivers broader cross-vendor IT forensics, event monitoring and compliance reports.

IT business leaders are benefited with a broader multi-vendor approach to event monitoring, forensics and compliance reports as well as centralized policy management and troubleshooting of Cisco products. This new approach should increase IT defenses while simplifying the management of their Cisco security products.

Tweet

By Cisco Systems

Key Highlights

• 79% of clicks on “Here You Have” email occurred within the first three hours of the worm’s spread.
• During 3Q10, 7% of all Web malware encounters resulted from Google referrers, followed by Yahoo at 2%, Bing/MSN at 1% and Sina at 0.1%.
• Exploits targeted Sun Java increased from 5% of all Web malware encounters in July 2010 to 7% in September 2010.
• The Rustock Botnet was the highest occurring ROS event in 3Q10, at 21% of events handled during the report period.
• Peak Rustock activity occurred in late August 2010, declining in September 2010.

Download the report here

Get the White Paper

Tweet

By Cisco Systems and Splunk

This document is for the reader who:

-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide
-Wants to connect Borderless Networks to a Splunk SIEM solution
-Wants to gain a general understanding of the Splunk SIEM solution
-Has a level of understanding equivalent to a CCNA® certification
-Wants to solve compliance and regulatory reporting problems
-Wants to enhance network security and operations
-Wants to improve IT operational efficiency
-Wants the assurance of a validated solution

Get the White Paper

Tweet

By Cisco Systems and RSA

This document is for the reader who:

-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide
-Wants to connect Borderless Networks to a RSA SIEM solution
-Wants to gain a general understanding of the RSA SIEM solution
-Has a level of understanding equivalent to a CCNA® certification
-Wants to solve compliance and regulatory reporting problems
-Wants to enhance network security and operations
-Wants to improve IT operational efficiency
-Wants the assurance of a validated solution

Get the White Paper

Tweet

By Cisco Systems and nFX Cinxi One

This document is for the reader who:

-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment -Guide
-Wants to connect Borderless Networks to a nFX Cinxi One SIEM solution
-Wants to gain a general understanding of the nFX Cinxi One SIEM solution
-Has a level of understanding equivalent to a CCNA® certification
-Wants to solve compliance and regulatory reporting problems
-Wants to enhance network security and operations
-Wants to improve IT operational efficiency
-Wants the assurance of a validated solution

Get the White Paper

Tweet

By Cisco Systems and LogLogic

This document is for the reader who:

-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide
-Wants to connect Borderless Networks to a LogLogic SIEM solution
-Wants to gain a general understanding of the LogLogic SIEM solution
-Has a level of understanding equivalent to a CCNA® certification
-Wants to solve compliance and regulatory reporting problems
-Wants to enhance network security and operations
-Wants to improve IT operational efficiency
-Wants the assurance of a validated solution

Get the White Paper

Tweet

By Cisco Systems and ArcSight

This document is for the reader who:

-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide
-Wants to connect Borderless Networks to the ArcSight SIEM solution
-Wants to gain a general understanding of the ArcSight SIEM solution
-Has a level of understanding equivalent to a CCNA® certification
-Wants to solve compliance and regulatory reporting problems
-Wants to enhance network security and operations
-Wants to improve IT operational efficiency
-Wants the assurance of a validated solution

Download this deployment guide here:

Get the White Paper

Tweet

By Cisco Systems

Over the next few years Wi-Fi networks will transition to 802.11n technology. During this time, many networks will support a mix of 802.11a/g and 802.11n clients. Because they operate at lower data rates, the older clients can reduce the capacity of the entire network. ClientLink technology can help solve problems related to adoption of 802.11n in mixed-client networks by making sure that 802.11a/g clients operate at the best possible rates, especially when they are near cell boundaries.

Find out how by downloading this white paper

Get the White Paper

Tweet

By Cisco Systems

This is a first, while this paper is not “white,” it’s a very cool one- page view of Cisco’s borderless network routers. You have to check this out:

Download Cisco’s Enterprise Routing Portfolio here

Get the White Paper

Tweet

by Cisco Systems

Multisite organizations are reducing the number of servers in their branch offices by moving applications to the data center. Yet, they continue to place a few essential applications locally because of performance, survivability or compliance requirements. By making use of x86 server blades, these lean branch offices can lower equipment and operating costs, right-size and simplify infrastructure, and improve hardware provisioning and remote management.

Find out how by downloading this white paper

Get the White Paper

Tweet

A Comprehensive Approach to Corporate and Government Energy Cost Savings and Carbon Reduction

Being green is increasingly being forced upon IT business leaders from their management, government regulations and societal pressures. Ask a recent college grad what is the number one societal contribution they would like to make with their career and the answer is “make the world greener.” The workforce is changing worldwide with a sense of personal and corporate social responsibility to reduce carbon emissions, and choose sustainable materials and processes to power our lives and deliver products and services. And being green is no longer a luxury that IT leaders can choose as governments, boards of directors and presidential directives issue mandates forcing energy efficiency upon IT executives.

From an IT perspective, much work has been done to reduce data center energy consumption and cooling by virtualizing servers and consolidating data centers. In addition, IT vendors continually work to deliver products with increased feature sets that consume less energy. But one company in particular has taken its core competency and found a way to not only make its own products more energy efficient but everything its products touch, too. That company is Cisco Systems.

A Broader View of Energy Management

Cisco is providing tools and knowledge to IT business leaders to assist them in complying with energy efficiency mandates. And while much attention has been focused on data center energy reduction, a much larger target for energy conservation is IT and non-IT energy consuming assets that are sprawled throughout enterprise and government facilities—this means networks, personal computers, printers, lighting, HVAC, etc. But in addition to energy management of electrical device sprawl, energy consumption can also be avoided by using communication and collaboration tools such as Webex, virtual office teleworking and TelePresence. These collaboration tools allow users to work at home and engage in meetings over the web or via high definition videoconferencing versus traveling, thus avoiding dollar and carbon emission cost of travel. These concepts and initiatives are part of Cisco’s Borderless Networks Green service, one of the key network services within Cisco’s Borderless Networks Architecture.

The key concept of Cisco’s Borderless Networks Architecture is the removal of boundaries or borders that create common trade-offs and compromises IT business leaders and users have come to despise. Cisco’s Borderless Networks Architecture is comprised of five pillars that enable borderless connections of anyone, anytime, anywhere and from any device securely, reliably and seamlessly: 1) Mobility through the Motion service, 2) Green or enabling energy cost savings and carbon reduction through EnergyWise, 3) integrated network Security via TrustSec, 4) Application Performance to increase network and application agility, visibility and control with Application Velocity Network Service and 5) Video/Voice services to offer the best possible video experiences to users via the Medianet technologies. These borderless network services are delivered by core infrastructure including switching, routing, security, wireless and wide area application services (WAAS) infrastructure products. It’s the integration of these services into existing network infrastructure and their control via policy and management that enables a borderless experience to occur. In short, a borderless network eliminates friction points and user plus operational frustration associated with common IT use cases such as application access from desktop, laptop, tablet, smartphone, etc. For example, the Borderless Networks Green service enables IT executives to reduce their carbon emissions, save on energy costs, transform their business while satisfying increased IT demand. In this Lippis Report Research Note, I focus on the Borderless Networks Green service as it offers a comprehensive approach to energy management.

Borderless Networks Green Service

There are three main drivers why organizations are looking for ways to be greener—those being cost reduction, sustainability mandates and corporate responsibility. Being a green, socially-responsible organization improves corporate image, which is usually accompanied by increased revenue opportunities. And many companies are in search for effective ways to achieve operational cost savings through green IT practices, especially during the past three years given economic conditions. That is why corporate executives seek to enhance their firms’ image/brand and comply with energy reduction mandates while reducing operational costs, all through green initiatives.

To help customers achieve their green goals, Cisco’s Borderless Networks Green service exploits the network as a platform to extend green borders. This is done in three ways: 1) transform the workforce by making it more flexible with collaboration applications such as TelePresence, Webex, Virtual Office, etc., 2) enable energy cost savings with innovations such as EnergyWise that measures and manages energy usage, and 3) improve network efficiency through virtualization, consolidation plus product and system life-cycle management. As Cisco EnergyWise is a fundamental and unique green enabler, we focus on this technology first.

Cisco EnergyWise is a system-wide framework for energy management that is integrated into Cisco Catalyst switches, routers and building controllers. Every device that connects into the network can eventually have its energy managed, monitored and optimized by Cisco EnergyWise. This concept of using the network as a system to coordinate activities which provide benefits that aren’t available from a single device is a key principle of the Cisco’s Borderless Networks Architecture. EnergyWise delivers on this principle by adding energy management to Cisco’s Borderless Networks services.

Cisco EnergyWise

Cisco EnergyWise is being released in phases. The first phase was launched in January, 2009, and focused on reducing energy usage of Power over Ethernet (PoE) devices. These devices include IP phones, wireless access points, security cameras, etc. The second phase, launched in March, 2010, added the ability to control PC and laptop power. PC and laptop power control is accomplished with a product called Cisco EnergyWise Orchestrator. Orchestrator is a client-server architecture designed to scale up for large organizations. A small software client runs on each PC, collects energy usage information and allows Cisco EnergyWise Orchestrator to distribute centrally-managed, time-based energy policies to each workstation such as shut down after 6:00 p.m. and power up after 8:00 a.m. In addition, EnergyWise Orchestrator can request “on-demand” power reductions. EnergyWise Orchestrator also receives power usage statistics from PCs distributed throughout an enterprise or government facilities, which can be aggregated and displayed in different variations via its sustainability dashboard. As PCs and laptops are sprawled throughout enterprise and government facilities, Cisco EnergyWise Orchestrator is able to manage up to 60% of power used by IT devices, thus the impact of Cisco’s energy management solution is material.

Cisco is extending the reach of EnergyWise to control power of more IT and non-IT devices. The EnergyWise framework includes open APIs that enable an ecosystem of partners to offer comprehensive energy management solutions to meet customer needs of all kinds. For example, recently Cisco announced partners that allow EnergyWise to manage Smart Power Distribution Units from Schneider APC, WTI (Western Telematic, Inc.), Server Technology, Raritan and CyberSwitching. These partnerships extend energy monitoring and reporting to data centers, and expand energy management capabilities to clientless devices like printers, copy machines and digital media displays. .

Business Transformation Applications that Reduce Energy Consumption

While most, if not all, networking concerns stress energy efficiency of their products, Cisco’s Borderless Networks Green service takes this to an entirely different level through energy efficient collaboration applications that transform how corporations conduct business. Collaboration applications, such as Cisco’s WebEx, TelePresence and Virtual Office, reduce travel needs and improve productivity while achieving great in-person work experiences. Underneath these collaboration applications is Cisco’s Borderless Networks infrastructure that ensures security, availability and performance of these business applications with services such as Medianet and Cisco TrustSec.

Product Power Efficiency Gains

Cisco’s Borderless Networks Green service addresses reduced energy consumption of IT assets, such as PCs, laptops, PoE devices, and networking equipment such as routers and switches, plus collaborative applications. And while offering this broad view and tool set for IT business leaders to manage energy policy, Cisco has not taken its eye off the ball of engineering innovations and improvements in network products to ensure energy efficiency. For example, StackPower is a new innovation for the Cisco Catalyst fixed switching products that distribute power across a stack of switches in a unique and efficient way. Further, Cisco recently introduced a 48-port switch that consumes only 40 watts of power…that’s less power consumption than most light bulbs.

Virtualized Data Center Infrastructure Delivers Energy and Resource Efficiency

In addition to EnergyWise, product energy improvements and collaborative applications, Cisco’s Borderless Networks Green service extends green initiatives to the data center too via virtualization. Data center consolidation and server virtualization are solutions that help IT business leaders maximize the usage of existing resources while contributing to data center efficiency. These solutions include VMware and Cisco’s UCS (Unified Computer System). In addition to server virtualization, firewall and WAAS services have become virtualized as well as bandwidth via Storage Area Networking. Desktops too are being virtualized. All of these initiatives contribute to reduced footprint for rack space, cabling and HVAC requirements. Less power is consumed while the data center is more efficient with improved operations, thanks to more flexible use of resources and bandwidth.

Some text to space apart the download boxes

The benefits of Borderless Networks Green service are workforce flexibility and improved productivity, energy cost savings and network efficiency. While some of these improvements are difficult to measure, there are solid ROI examples. GE, for example—a Fortune 500 company that adopted Cisco’s TelePresence—reduced its travel and lodging expenses by 40% while reducing executive management wear and tear. Parque Escolar works with the Portugal Ministry of Education and was able to reduce Portugal schools’ energy consumption by more than 33% by implementing Cisco EnergyWise Orchestrator. Brunel University is saving $143,908 per year thanks to energy control of power usage through EnergyWise.

Cisco’s Borderless Networks Green service offers a range of options to manage corporate and government energy consumption, and the value/cost savings that EnergyWise brings to IT business leaders today will continue to multiply as Cisco delivers more platforms and partner devices that can be monitored and managed from centralized management applications such as Cisco EnergyWise Orchestrator or LMS. While IT executives are implementing virtualization and collaboration applications based upon their own merit, much can be gained by viewing these IT projects through a green prism. For it’s the totality of device energy management along with business transformation collaborative applications and virtualization that may very well define a modern green business.

Tweet

By Cisco Systems

National security, environmental and resource supply issues will encourage governments to implement green initiatives and incentives. There will be business ramifications as a result of policies implemented by local, state and federal governments around the world. As traditional energy supplies decrease and newer, but more costly, renewable supplies are brought online, organizations will be forced to look for more efficient ways to deploy their data networks to meet stricter government regulations and prevent overall negative effects.

Cisco has recognized this impending effect on the IT community for some time, and has been building products and developing new technologies to assist organizations in this transition. This white paper describes the energy sustainability characteristics of the Cisco® Catalyst® 6500 Series Switch. The Cisco Catalyst 6500 Series Switch offers the latest technologies to enable organizations to meet the green requirements of today while providing a flexible architecture to address the necessities of tomorrow. This paper covers Energy savings, Operational efficiency and Innovative business practices.

Find out how by downloading this white paper

Get the White Paper

Tweet

One significant trend that has emerged during the current business/economic cycle is that IT projects that reduce cost are winners. This savings trend is as strong as I have experienced in my twenty-five years within the IT industry. In particular, it’s propelling data center consolidation, server virtualization and mobile computing projects. As enterprises consolidate data centers and miniaturize them with virtualization, cloud-computing providers are busy offering a new lower cost IT delivery economic model. In short, a new tier of computing has emerged were endpoint devices are mobile and applications are delivered via corporate data centers and cloud computing facilities. This new model of computing that also increases convenience and productivity is lacking in one important area; network security for both mobile endpoints and the ability of data center security appliances to keep up with application demand.

And keeping up with application demand is one of the most challenging tasks IT business leaders are encountering. Not only has information demand skyrocketed during this business cycle but content in the form of web pages has become dynamic, where a single page request opens a multitude of connections pulling content from various sources to satisfy user expectations of real time information access. For example, a single web page request can easily spawn more than fifty network connections over physical and virtual infrastructure placing extraordinary demands on network speed, latency, reliability and security. For the uninitiated, just point your browser to any of these sites—disney.com, cnn.com, nytimes.com, et al—and notice rich content in action. As the page is presented, it serves up video, photos, audio, rich text and more, all of which are pulled from various sources within a data center fabric over virtual and physical infrastructure. The calculus IT leaders are seeking to solve includes massive growth in information demand plus Brownian motion traffic flows, thanks to dynamic content plus densely packed data centers, thanks to virtualization. Even with consolidation and virtualization information/application, demand is forcing the overall data center market size to expand from 108 million sq. ft. in 2009 to a projected 117 million sq. ft. by year end 2010, according to Frost & Sullivan. Part of the solution to IT leaders’ calculus problem is found in a data center network fabric that supports millions of connections/session of east-west and north-south traffic flows securely.

To put the mobility trend into perspective, Apple sold over 3.3 million iPads in its first 3 months; the highest uptake of any endpoint device. Google activates 100,000 Android-based phones per day. Cisco recently announced its CIUS android-based table for business use with tight links to its unified communications (UC) and videoconference systems. Every major UC provider will be offering similar devices while traditional computer vendors serve up android-based tablets over the next few quarters. The iPad and Android tablet is a new tier of computing, which are driving users to access applications over mobile and wireless networks in addition to their wired and VPN networks.

And therein lays the rub. In today’s modern IT world, applications are being extended over multiple networks, e.g., wired, wireless, mobile and remote, where users shift their application access back and forth between these different network access methods and expect the same or consistent experience. Security is paramount to user experience and IT asset protection. While IT security executives have fortified their defenses of IT assets within corporate boundaries or perimeters, exponentially growing numbers of mobile endpoints being connected into corporate networks and data centers present significant security challenges that are unfortunately outside the control of IT.

The nature of mobile smart phone endpoints is to combine personal and business IT services, thereby creating a unique user experience. Part of that experience includes information access from a plethora of online destinations, such as public WIFI hotspots, SaaS applications, e.g., Salesforce.com, workday.com, netsuite.com, etc, corporate VPN, and a wide range of personal sites for social networking, banking, music, videos, news, communications, etc. Therefore, for every employee equipped with a mobile endpoint, security vulnerabilities and threats are opened unless IT mitigates with network security. Clearly mobile devices are becoming ubiquitous, and there are security solutions available, such as VPN support, data wipe after loss, cloud-based security services, etc. But mobile devices need a security solution that works in real time, meaning it’s always-on protection and provides comprehensive coverage.

For example, mobile endpoints, and thus corporate assets, need to be protected from users accessing the corporate network from insecure home WIFI networks and hackers. Internal applications need to be secured against attacks such as SQL injection/data leakage, request forgery/impersonation, cross site scripting/phishing, etc. SaaS access needs to be secure against unauthorized access, exposure from password reuse, layer 7 attacks and more. Also the same level of reporting for mobile users as wired users needs to be supported to assure activity/audit trail, regulatory compliance plus governance and reporting. In short, IT needs the same level of control over mobile endpoints as it does over devices within the corporate perimeter without ruining the mobile experience.

Mobile Endpoint Policy and Enforcement

The most important aspect of real-time mobile security is policy enforcement as it places control of corporate asset and SaaS access back into the hands of IT. Not only does policy and enforcement mitigate threats from being transmitted from mobile endpoints onto corporate networks, it makes them safer devices, too, by providing a means to adhere to corporate policy as corporate devices, even though they are used for business and pleasure. This is important as many mobile devices are purchased by employees, part of the huge consumerization trend that has been building over the last five years. With IT able to administer policy with a means of enforcement, mobile devices can deliver personal and business IT services. Employees may purchase mobile devices but if they require access to corporate IT, then the endpoint has to comply with corporate policy and IT needs a means to enforce such policy. In short, policy and enforcement enables IT to extend the corporate perimeter around mobile devices to creating a virtual perimeter around IT assets.

Consider the following example of policy and enforcement creating a virtual perimeter… A user may be accessing an SaaS application while at his/her desktop. This flow traverses the corporate firewall with associated policy and enforcement. When this user is outside the corporate perimeter, he/she could access the SaaS application directly without corporate policy or enforcement opening vulnerabilities. However, with mobile policy and enforcement, this same user could access the SaaS application with the same policy, enforcement and protections as available when within the corporate perimeter mitigating any vulnerability. Solutions to this usually require the mobile device to first pass through the corporate firewall or a security cloud service where IT controls policy before the user connects to the SaaS application.

New Security Performance Demands

With mobile endpoints under corporate IT policy and enforcement, this huge security vulnerability can now be managed and mitigated. At the same time that mobile devices are becoming ubiquitous, data center security appliances are failing to keep up with the huge demand for information and application access. As more compute power is concentrated into smaller spaces, traffic volume increases exponentially, and security appliances need to adjust accordingly.
Consider how web sites serve up a rich media web page. Every time a user requests a webpage, its server typically needs to request 50 to 100 different objects just to display the one webpage requested. Now consider a data center with thousands of servers and five-thousand connections per second of requests each spawning 50 to 100 server requests. The backend east-to-west traffic flows between servers are one to two orders of magnitude larger than the north-to-south user request flows with the combination of both flows being immense.

New Firewall/IPS Performance Metrics Needed

From a security point of view, not only is firewall throughput an important performance metric, but “connections per second” is becoming more important. A high number of “connections per second” supported assures IT that backend server flows are being screened without delaying user experience. In addition to the number of connections per second, another performance measurement is “maximum connections” supported per second to assure that the number of server-to-server flows to deliver a webpage can be securely delivered. The combination of throughout, connections per second and maximum number of connections can be defined as “true scale performance.” Typically a firewall can deliver hundreds of thousands of connections per second, but this is too slow for most demanding data centers by at least a factor of 2 to 3. Typical maximum number of simultaneous connections supported per firewall is around a few million, which is too low by at least a factor of 4 to 6. Also consider a more realistic throughput measurement other than a range of UDP packet sizes, which is common in the industry. Real world throughput performance numbers that represent a mixture of traffic profiles is a better measurement to assure throughout quoted is throughput experienced.
In addition to raw security performance, data center rack space too needs to be carefully managed as IT executives quickly start running out of rack space as they consolidate. Security appliances need to reduce their footprint as many appliances occupy 16 to 24 RU or a half rack of space and more consuming footprint, energy and cooling resources. Expect security appliances to start delivering on the above performance metrics at up to an 8th of their size or 2 RU high if not smaller.

Threat Protection

To assure this security infrastructure protects IT assets at the rate in which cybercriminals and hackers wish to penetrate it, the industry is serving up cloud-based threat protection. A few suppliers have launched cloud-based security services, which collect anomalistic data throughout the internet and corporate networks via sensors, analyze/correlate the anomalies with reputation scores and when a new exploit’s signature is detected, the cloud transmits mitigation code/signature updates to corporate IPSs. The speed in which this process takes place is a competitive differentiation. Those that send updates every five or so minutes have the best chance of mitigating exploits from cybercriminals which tend to change IP address every hour to avoid detection. IT business leaders will know when cloud-based threat protection becomes highly reliable. It’s at that point that suppliers will start offering “guaranteed protection” that incorporate penalties to suppliers if protection is penetrated.
Policy and enforcement of mobile devices creates a virtual perimeter while true scale performance enables security appliances to keep up with application demand and new traffic flow realities. Smaller security appliance footprint allows IT executives to maximize data center space while minimizing energy and cooling. Cloud-based threat protection keeps the security infrastructure updated in near real time with signatures to mitigate threats throughout the corporate and virtual perimeter. In short, IT business leaders gain control and manage mobile security vulnerabilities while delivering applications to users securely at speed with small footprint consumption. Mobile, data center consolidation and virtualization plus cloud computing are powerful trends rooted in economic efficiency and increased information demand. To maximize the value of these investments, a new security model is needed.

Tweet

With energy efficiency and sustainability mandates being issued by government officials and corporation boards, IT vendors have focused engineering resources to deliver products with increased feature sets that consume less energy. But one company in particular has taken its core competency and found a way to not only make its own business more energy efficient but everything it touches too. That company is Cisco Systems. Laura Finkelstein, Senior Director of Switching Marketing at Cisco Systems, is my guest as we discuss Cisco’s Borderless Green service and the value it delivers to both IT business and government leaders.

Listen to the Podcast

Tweet

By Nicholas John Lippis III

Network access has evolved rapidly as IT business leaders have embraced new network technology. Access methods such as wired, Wireless Local Area Networks (WLANs), and mobile plus Virtual Private Network (VPN) methods have flourished over the past business cycle. In addition, a plethora of new endpoint devices have emerged using multiple access methods. But all of these network access approaches have evolved at different rates resulting in siloed networks that do not interact with each other, thus increasing IT operational cost and decreasing application portability and flexibility with user experience suffering. In this paper, we offer a new unified approach to network access that is based upon a thoughtful five-phase method to enable IT business leaders to simplify management, increase user experience and decrease operational cost.

Find out how to eliminate network silos by downloading this white paper:

Get the White Paper

Tweet

By Nicholas John Lippis III

Information flow precedes cash flow, and in the Global economy, networks and applications deliver intrinsic value to both. The huge investment in corporate application portfolios has never been optimized in a holistic manner, rather each application or suite of applications is optimized via specialized management tools. In today’s corporate world, IT business leaders are faced with increasing application performance demands for both legacy and new cloud-based applications to deliver excellent user experience while contributing to corporate agility. In this paper, we offer a new holistic network service approach to application performance optimization called Application Velocity.

Find out how to increase application performance by downloading this white paper:

Get the White Paper

Tweet

Major IT Delivery Transitions IT Business Leaders Are Managing
Application owners and developers have been deploying and writing applications as if networks had no boundaries or were borderless. By “application owners” I mean IT departments chartered with IT application delivery and management. By “application developers” I mean in-house corporate software developers, independent software vendors (or ISVs) and software companies. There has always been a disconnect between applications and network architects where developers write applications to run over a network as long as there is connectivity. In addition, service-oriented architecture (SOA) based applications call for greater application componentization, which increases messaging between application components, resulting in the network having a direct impact on application performance. In essence, application owners, developers and application standard bodies assume that networks are borderless as the industry is organized around the OSI model where knowledge and skills at one layer, e.g., the network is not necessarily taken into account at another layer, i.e., the application. Therefore, the normal state of affairs is that network designers have been tasked to optimize applications to improve user experience especially when the application was not written to run over a particular kind of network. This status quo does not scale and needs to be re-thought.

Business Drives Applications that Drive Computing that Drive Networking

Every cycle of computing has brought with it this discontinuity between applications and networks with the possible exception of mainframe computing and SNA. Minicomputer applications designed for local ASCII terminal connections were extended over the Wide Area Network (WAN) and via virtual terminals. Client-server computing applications designed to run over Local Area Networks (LANs) were extended over the WAN. At first the internet was text based until the mid 1990s when the web was developed, bringing graphics, audio and video to a network that needed a massive upgrade to support new media rich applications.

IT today is no different. Application developers are writing mobile applications at a frenzied pace thanks to Apple’s iPhone and iPad, Google’s Android, RIM’s Blackberry and now Cisco’s CIUS plus Avaya’s Flare, etc. Legacy enterprise applications are being extended to mobile platforms too with the assumption of a suitable network for delivery. At the same time, applications are being increasingly centralized into consolidated data centers creating greater distance between users and their applications plus data. Some estimate that over 80% of enterprises have undergone a data center consolidation process, which is significant, but we are just at the beginning of the centralization trend.

Thanks to the economics and performance offered by server virtualization, much more consolidation will occur with associated challenges. For example, IT leaders require application tracking as applications are moved from Virtual Machine (VM) to VM as they tune/optimize their virtual infrastructure or respond to peak loads as well as manage VM failovers. In addition to virtualization, massive data centers we call cloud-computing facilities are being built to host applications at scale plus offer infrastructure, platform and other IT services. According to the Yankee Group, 56% of IT business leaders seek to take advantage of cloud-computing technology and build their own private cloud center while 24% seek a fully-managed cloud-computing facility. In the same study, 32% of IT business leaders will seek a hybrid cloud approach that is, connect their private cloud to a service provider’s public cloud. While these market numbers are impressive, they could be much higher as IT leaders express that their top three concerns as they consider cloud services is application performance issues, according to IDC.

In addition to increased mobile and cloud-computing trends, video communications, both on-demand and real-time, have become the largest percentage of internet traffic type. In fact, Cisco Systems recently predicted that by 2014 video traffic will be greater than 94% of all global internet traffic!

This disconnect between applications and network architects will more than likely continue as application owners/developers/standards continue to view networks without borders and boundaries. However, for most network architects, there is no single network, but a wired network, wireless, campus, wide area, data center, branch office network, telecommuting network, mobile network, etc. In fact, most enterprises have a diverse infrastructure in which they are tasked to delivery applications over and for those applications to perform at high standards. The good news is that network designers and architects are starting to build borderless networks that anticipate unforeseen application changes, are equipped with a portfolio of application performance features and simplify deployment and management of IT services…more on this below.

Application Performance Challenges

From the above discussion, it’s clear that enterprise-computing applications are being demanded and stretched over increasingly borderless networks. Consider that the number of small or remote offices and mobile employees are increasing significantly. It’s impossible to argue the mobile computing surge with over 3.3 million iPads shipped in the first three months of its launch, and new entrants such as Cisco and Avaya offering CIUS and Flare tablets, respectively, for business users. In addition, data centers are being consolidated with cloud computing, offering further consolidation and centralization of applications. Applications are changing too as developers add rich media features, and video becomes a dominate application type. Employees, customers, partners and suppliers will be accessing applications over ever-larger distances, via a plethora of endpoints and different networks.

To assure applications perform their task and deliver an excellent user experience, network architects and designers will be increasingly challenged with network capacity being taxed as a wider application portfolio competes for network resources. Today’s model of application performance optimization is to implement appliances within remote sites and data centers, which increases certain application performance, but at the high capital and operational expense of increased network complexity. In addition to network capacity and complexity issues, latency or application transaction delay and how to efficiently utilize data center resources are challenges faced by network architects as they seek to maintain high application performance over a borderless network. Relating specific application transaction problems to network behavior to ascertain if a correlation exists is yet another challenge.

Application Performance Creates Corporate Value

At the center of application performance is corporate performance. The ability of IT leaders to respond to executive management directives is directly linked to corporate performance. Executive management may be challenged with a competitive threat or a new market opportunity, etc., requiring fast corporate response. IT leaders who can execute directives quickly have built an agile business capable of changing when markets or customers shift under them, placing their corporation in a better competitive position to serve its customers and prospects. For example, consider a retail store under competitive pricing pressure where executive management decides to respond with an alternative offer. IT may be able to display the new offer via digital signage quickly allowing the business to respond.

Key to business agility is the IT attribute of rapid innovation absorption–that is, the capability to deploy new applications and technologies at the speed of business opportunity. Most IT infrastructures consist of innovation and features which are already in place, but IT organizations require knowledge, skills and tools to put them to work when needed.

A borderless network that is capable of application performance delivers these attributes of innovation absorption and business agility. In addition, IT resource utilization can be optimized, and most important to users is that they gain an excellent IT experience independent of geographic location, endpoint device or application, which in the end improves productivity.

As an example of optimal resource utilization, consider Cisco’s ISR G2 branch office router that integrates unified communications, wide area application optimization, network security, LAN/WAN networking plus supports its AXP (or Application eXtension Platform), which run applications at the branch office router. In one branch office, an IT manager can deliver networking, security, voice and video communications and host applications while gaining visibility to applications. This type of resource utilization not only saves on capital cost and energy spend, but offers IT operational efficiency, rapid application deployment and innovation absorption.

To gain the full value of corporate applications, their performance must deliver excellent user experience. An excellent experience should not only occur while working in the office or at home, but anywhere in between, even while talking on a mobile endpoint. Independent of geographic location, a user accessing his/her business services and/or personal services should be the same seamless experience. Application performance is key to excellent experience and should be consistently good whether sitting at a desktop watching a video or engaged in a Web conference, and then immediately transitioning to an iPhone for example. The user should have an excellent experience at the highest level afforded by his/her endpoint. To deliver this seamless user experience, application performance technology needs to be incorporated in corporate IT infrastructure, endpoint devices or a combination of both.

That is, networking silos need to become an integrated network without borders. For applications to offer the best possible user experience, then the use of application acceleration technology as appliances or an overlay needs to be integrated into the network fabric and into network operating systems. This technology, which has improved application delivery for specific applications, needs to become systemic and fully distributed throughout the network fabric. The integration or pervasiveness of application acceleration technology within networks and endpoints is its natural evolutionary next step. Over the next few months we’ll see vendors such as Cisco, HP Networking, Juniper, Riverbed, Citrix, Blue Coat, et al, start to deliver on this vision.

Tweet

Networking is entering a new phase or era. During the 1990s, new networking markets opened up, creating multi-billion dollar opportunities for the vendor community and corporate cost savings for IT business leaders. First, it was shared LANs and routing, then switched LANs, then Frame Relay to speed up WANs, then SNA over IP, then remote access via dial-up and VPN, then MPLS, then IP telephony, then Wireless LANs etc… and now, it’s video and cloud networking. You get the picture. But what we didn’t realize as we build these networks is that they are silos with disparate management systems and unique access methods resulting in operational cost overlap and, most importantly, user frustration as they transition application use from desktop, to mobile end point, to remote endpoint. In short, we built boundaries around applications in the form of networks and it is the dismantling of these borders that vendors are now starting to deliver and differentiate upon. It’s not just Cisco that communicates borderless networks, but HP Networking, Juniper, Brocade, Extreme, Avaya, Force10 and others too. Why is the industry entering a new age of borderless networking and what’s in it for IT business leaders, is explained in this Lippis Report Research Note.

As each new wave of computing entered corporate IT departments, a new set of networking requirements arose. To connect remote 3270 terminals via SNA to mainframes, IT implemented an analog multipoint wide area network or WAN. To connect remote ANSI terminals to minicomputers, IT departments implemented pools of dial-up modems and private line WANs. To connect personal computers (PCs) via Client-Server computing, IT departments implemented Local Area Networks or LANs via LAN switches, which we now call wired connections. To connect multiprotocol LANs over the corporate WAN, IT departments implemented routed networks. To gain access to LAN based applications while remote, IT departments implemented Virtual Private Networks or VPNs. And, as computing and applications go mobile, IT has been implementing Wireless Local Area Networks or WLANs. In short, each network was deployed to service a certain computing style and application set. These networks are silos, and with advances in technology, IT business leaders can now design one borderless network to provide a broad array of common access methods to support a plethora of endpoints and applications.

Siloed networking frustrates users, as each access network performs differently depending upon its access method. Siloed networking also frustrates IT, as each siloed network has its own management system creating inefficient IT operations. In addition, siloed networking does not meet today’s IT “any access” requirements.

There are boundaries or silos that need to be broken down in many places of the network. In today’s modern IT world, applications are being extended over multiple networks e.g., wired, wireless, cellular, remote, virtual, etc where users need to shift their application access back and forth between these different network access methods and expect the same or consistent experience. In short, networks need to be borderless so that applications can be accessed independent upon network entry point and IT operations efficient. This “any access” trend is accelerating as IT business leaders seek to connect not only traditional desktops and laptops, but smartphones, notebooks, tablets, iPads, cameras and building control systems into a common general purpose network that support multiple logical network topologies.

Crossing purpose-built silos is difficult for applications, as bandwidth and quality of service issues limit application portability thus their usefulness. These different access methods offer limited consistency resulting in user frustration when they shift application access from desktop to mobile smartphone to VPN and back again.

And this shifting of application access between different networks and endpoints is only going to increase. Apple sold over 3.3 million iPads in its first 3 months, the highest uptake of any endpoint device. Google activates 100,000 Android based phones a day. Cisco recently announced its CIUS android-based table for business use with tight links to its unified communications (UC) and videoconference systems. Every major UC provider will be offering similar devices while traditional computer vendors serve up android-based tablets over the next few quarters. The iPad and Android tablet is a new tier of computing which will drive users to access their applications over mobile and wireless networks in addition to their desktop and VPN networks.

If IT business leaders are unable to get ahead of this curve and think of network access from an architected and unified design point of view, than unfortunately, their users and IT cost will be more frustrated and expensive, respectively, than others. Siloed networks are friction points as they create boundaries between network access types degrading user experience, which results in decreased productivity and increased IT operational cost. The result is a high total cost of ownership and less then optimal user experience, and thus decreased corporate productivity. The status quo of siloed networking is about to change.

Cisco’s Borderless Network Architecture

From a design point of view, borderless networking requires three core attributes: 1) reliability, 2) security and 3) seamlessness. Cisco was the first to articulate a vision for borderless networks, which has resonated with IT business leaders as it represents a solution to their pain. For example, Cisco’s borderless network architecture is built upon five services: 1) mobility or users in motion, 2) Energy efficiency called EnergyWise, 3) integrated network security via its TrustSec architecture, 4) application performance and 5) video management, control and distribution via its MediaNet. These borderless network services are built within switching, routing, security, wireless and wide area application services or WAAS infrastructure products. It’s the integration of these services into existing network infrastructure and their control via policy and management that enable a borderless experience to occur.

Juniper’s New Network

But Cisco is not the only supplier to grasp the problem siloed networks create. Juniper Networks is working to a similar end, albeit it hasn’t articulated it well. It provides VPN, LAN Switching, mobile security through its acquisition of SMobile and is working toward a flat cloud Ethernet fabric through its project Stratus and New Network initiatives. For example, Juniper plans to integrate SMobile security into its JUNOS Pulse endpoint software for network connectivity and acceleration breaking down the boundary between LAN based and mobile network access.

HP Networking’s Converged Infrastructure

When HP Networking launched its comprehensive network portfolio in April of this year it emphasized the elimination of network silos. The HP Networking portfolio strives to eliminate redundant equipment by integrating wired and wireless environments with security from edge to core. From an IT operations perspective, this translates into a “single pane of glass” for management, configuration, deployment and monitoring these networks as if one. HP Networking hopes to implement a common policy management to reduce human error of network operations while creating a consistent user experience across access mediums.

Brocade One

Brocade has jumped on the borderless bandwagon also in June of this year with the introduction of its “Brocade One”. Brocade One emphasizes the convergence of wired, wireless and cellular networking to offer a seamless user experience. In addition, Brocade One describes its view of a simplified virtualized data center network fabric that scales to cloud spec. In essence, Brocade One is about eliminating the boundaries around wired, wireless and data center networking.

Arista Network’s VM Tracer

Arista Networks doesn’t use the terminology of borderless networking either, but its recent VM Tracer strives to eliminate the boundaries between physical and virtual networking environments. VM Tracer does this by being integrated into Arista’s EOS linking Arista switches to VMware’s vCenter. This linkage creates an adaptive infrastructure in which the network responds to changes in the VM network while also providing complete visibility into the virtual machine network.

Extreme’s DirectAttach

Extreme Networks has focused on removing two network boundaries; the wired and wireless boundary and the physical to virtual network boundary. For the latter, Extreme has introduced its Direct Attach approach to data center networking that eliminates the virtual switch layer, simplifying the network and improving performance.

Force10’s Open Automation

Force10’s focus in eliminating boundaries is in the data center between physical and virtual networks. Force 10′s Open Automation initiative seeks to align dynamic data center changes with network configuration and policies, a huge barrier to virtualized data center management and scale.

While each of the above suppliers are at different points in their borderless network initiatives, the direction is clear. The boundaries between siloed networking are coming down be it in the data center, campus, branch office or home. For IT business leaders this means simplified operations and management as a key attribute is the “single pane of glass” approach to network management for siloed networks. The big surprise and delight will be found in enhanced user experience, as borderless networking strives to deliver a common access method for all networking types while enabling applications to be extended across a plethora of different endpoints, depending upon endpoint capabilities and network resources.

In essence, borderless networking’s value proposition is that it enables a corporation to be more adaptive or agile while increasing user experience and reducing operational cost. With the majority of IT business leaders trading off reductions in operational spend for an increase in capital expenditure, borderless networking is the right solution at the right time.

Tweet

By Infonetics

In this white paper, Matthias Machowinski of Infonectics Research describes how network borders came to be. He then describes Borderless Networking and its associated attributes plus benefits. A checklist to aid in the implementation of a borderless network is then provided.

Download this white paper now and learn how to get started with borderless networking.

Get the White Paper

Tweet

It hasn’t been since the mid 1990s that the networking industry was focused on multi-protocol integration or convergence. But the industry is gearing up for a major innovation and competitive cycle fueled by the multi-billion dollar addressable market for data center network fabrics. Over the last eighteen months, every major Ethernet infrastructure provider has been talking about two and three tier network fabrics for high-end data centers.

Companies such as Cisco, Arista Networks, HP/3Com, Force10, Voltaire, Extreme, Brocade, Juniper et al have announced network fabrics for data centers with five thousand and more servers with and without storage enablement. Juniper talks of a one-tier fabric through their Project Stratus work with IBM to be available some time in the future. Brocade recently introduced its Brocade One, which is a converged data center fabric. Extreme Networks launched its DirectAttachTM that eliminates virtual plus blade switch layers. HP has FlexFabric, a virtualized fabric for the data center. Cisco launched its FabricPath Switching System or FSS for the Nexus 7000 that enables massive scale of a two-tier fabric.

In this Lippis Report Research Note, we review the architectural attributes of two tier network fabrics.

The IT industry is at an inflection point as service delivery is becoming more and more centralized thanks to data center consolidation, virtualization, cloud and mobile computing. It is estimated that a third of all IT spend is concentrated in the data center, and this trend is only building thanks to favorable economics, motivating IT business leaders to centralize IT delivery.

The impact of this trend is more and more dense data centers made up of servers in the thousands to tens of thousands and higher. It is at the scale of 5,000 plus servers that a new network fabric is required for high-end data centers. High-end data center design is challenged with increasing complexity, the need for greater workload mobility and reduced energy consumption. Traffic patterns have also shifted significantly, from primarily client-server or as commonly referred to as north-to-south flows, to a combination of client-server and server-server or east-to-west plus north-to-south streams. These shifts have wreaked havoc on application response time and end user experience, since the network is not designed for these Brownian motion type flows.

The main requirements for high-end data center network fabric are low latency, large flat layer 2 domains to enable workload mobility, low power consumption, simplicity of design and significant bandwidth. Storage enablement, meaning consolidated I/O or virtualized I/O, is a growing priority and a new fabric that can support FiberChannel over Ethernet, iSCSI over Ethernet, iWARP over Ethernet or Infiniband over Ethernet, is a major plus. One salient observation is that it’s pretty clear that Ethernet is the network fabric of choice, as it is the only network protocol that enjoys continual innovation such as TRILL, Data Center Bridging, IEEE’s 802.1AQ, link aggregation, multi-pathing, and as recently ratified by the IEEE 40 Gbs and 100 Gbs speeds.

With the above requirements in mind, let us review data center network design options.

Three Tier Data Center Fabric

A three-tier network architecture is the dominant structure in data centers today and will likely continue as the optimal design for many networks. For most network architects and administrators, this type of design provides the best balance of asset utilization, layer 3 routing for segmentation, scaling and services, plus efficient physical design for cabling and fiber runs. By three tiers we mean, access switches/Top-of-Rack (ToR) switches, or modular/End-of-Row (EoR) switches that connect to servers and IP based storage. These access switches are connected via Ethernet to aggregation switches. The aggregation switches are connected into a set of core switches or routers that forward traffic flows from servers to an intranet and internet, and between the aggregation switches. It’s common in this structure to over-subscribe bandwidth in the access tier, and to a lesser degree, in the aggregation tier, which can increase latency and reduce performance. Inherent in this structure is the placement of layer 2 versus layer 3 forwarding that is Virtual Local Area Networking or VLANs and IP routing. Also common, is that VLANs are constructed within access and aggregation switches, while layer 3 capabilities in the aggregation or core switches route between them.

But within the high-end data center market, where the number of servers is in the thousands to tens of thousands plus and where north-south plus east-west traffic is significant, is where a new structure is needed. It is within these data centers where applications need a single layer 2 domain.

Two-tiers of network fabric

A two-tier fabric is designed with two kinds of switches: one that connects servers, and the second that connect switches creating a non-blocking, low latency fabric. In short, there are server facing and fabric facing switches. We use the terms ‘leaf’ switch to denote server facing or connecting switches and ‘spine’ to denote fabric facing or switches that connect leaf switches into the fabric. Together, leaf and spine switches create the fabric.

Many IT leaders in Global 2000 firms will have deployed both two and three tier network structure, as different deployment models are used for different applications. For these leaders, a network equipment supplier that possesses product architecture flexibility, meaning an end-to-end product solution that accommodates tier two and three fabrics would be advantageous. This flexibility is found in product that supports layer 2 and layer 3 forwarding, as well as, a variety of line cards to offer design options.

A common network Operating System (OS) of products configured for two and three tier structure is important as IT operations gain efficiency to manage fabrics, as configuration and management are consistent. In addition, a common network OS offers rapid absorption of innovation to IT operations, as new OS features are available at the same time to all fabrics. The benefit of using a common product set to build tier two or three fabrics offers value around operational efficiency, training, sparing and ease of evolution between fabric deployments. In short, the network fabric needs to be simple and general purpose versus purpose built, which a common set of products creating tier two or three fabrics offer.

A Unified/Converged Fabric

The concept of a unified fabric is to virtualize data center resources and connect them through a high bandwidth network that is very scalable, high performance and enables the convergence of multiple protocols onto a single physical network. These IT resources are compute, storage and applications, which are connected via a network fabric. In short, the network is the unified fabric and the network is Ethernet.

The industry tends to focus on storage transport over Ethernet as the main concept behind a unified/converged fabric with technologies such as Fiber Channel over Ethernet or FCoE, iSCSI over Ethernet, iWARP over Ethernet and even Infiniband over Ethernet. But this is a narrow view of a unified/converged fabric which is being expanded, thanks to continual innovation of Ethernet by the vendor community and standards organizations such as the IEEE and IETF.

Ethernet innovations such as FCoE, Data Center Bridging or DCB, IETF’s Transparent Interconnection of Lots of Links or TRILL, CEE or Converged Enhanced Ethernet, link aggregation, IEEE’s 802.1AQ have enhanced Ethernet networking to support a wide range of new data center fabric design options. In addition to these protocol enhancements, the IEEE has ratified its work on defining 40Gb and 100Gb Ethernet, significantly increasing Ethernet’s ability to scale bandwidth. To demonstrate how Ethernet is evolving to be the unified fabric for high-end data centers, we explore Cisco’s new FabricPath Switching System innovation in this white paper.

The decision to implement a two or three tier network structure comes down to scale. For high-end data centers, a two-tier structure meets the requirements of low latency, movable workloads, scale, simplicity, etc. Many global 2000 concerns will have deployed both a two and three tier network fabric for their high end and less dense data centers.

When shopping for network equipment to construct two and three tier network fabrics, look for suppliers that support both rich Layer 3 routing services and scalable Layer 2 Ethernet capabilities to ensure choice and flexibility of three tier and scalable two tier fabric implementations. Such suppliers offer products that can be configured in multiple use cases and topologies where modules are inter-changeable, skills transferable and operations common between both fabric approaches.

But make no mistake about it, it’s a two-tier network fabric that IT business leaders and data center architects have gravitated toward for high performance computing, cloud scale data centers and just plain high end data centers of 5,000 and above servers.

Tweet

By Cisco Systems

Traditional security techniques are unable to respond to threats that can arise from anywhere. To protect today’s borderless networks, IT managers must adapt by implementing faster, smarter security measures that monitor the constantly changing global landscape. This white paper, written for IT managers and executives, examines the security risks and needs of borderless networks, details a systematic plan of action, and describes how Cisco can help implement threat defenses that will serve you today and for years to come.

Find out how by downloading this white paper

Get the White Paper

Tweet

In Lippis Report 151: A Two or Three Tier High-End Data Center Ethernet Fabric Architecture? we detailed the new two tier data center Ethernet fabric that is becoming conventional wisdom amongst business leaders of high end data centers and cloud computing service providers. The networking industry is headed for a major innovation and competitive cycle fueled by a multi-billion dollar addressable market for data center network fabrics. Over the last eighteen months, every major Ethernet infrastructure provider has announced or taken a position on two tier network fabrics for high-end data centers. Companies such as Cisco, Arista Networks, Force10, Voltaire, HP/3Com, Juniper, Extreme, Brocade, BLADE Network Technology, et al have announced network fabrics for data centers with two thousand and more servers that either support storage enablement or not. In this Lippis Report Research Note, we review why it is Ethernet that will be the network fabric of high performance computing or HPC and cloud computing deployments.

For high-end data centers, HPC plus private and public cloud computing networks connecting thousands of servers, a new set of requirements have emerged. Low latency and high performance are the two driving requirements. Yes, there are more, especially when the fabric needs to enable converged storage, but let’s focus on latency and performance for now. Traditional three tier (server access, distribution and core) fabrics designed primarily for north-south traffic flows, that is client-server computing utilized spanning tree protocol (STP) and slower speed Ethernet (100Mbs to 1Gbs). Thanks to web 2.0, mash-ups and social networking sites east-to-west or server-server traffic flows have spiked requiring networks to support both north-south and east-west flows.

As most network engineers know, STP was designed to avoid loops that confused Ethernet as it was designed as a bus topology. STP shuts down redundant links between common switches to maintain the bus. Therefore, connecting access switches to distribution switches utilizing STP would require that network engineers over-subscribe the links between switches as only half of the bandwidth could be used. Oversubscription would also create blocking of packets between points too. To avoid this design, nearly every major switch manufacturer offered link aggregation that is the ability to shut off STP and aggregate links between switches. While this was and is a benefit, the down side has been that vendors only offered the ability to aggregate two links, which still drove oversubscription and blocking.

Recently, industry players such as Cisco and Arista Networks have offered the ability to scale up aggregation of links from 16 to 32, while at the same time delivering multipathing that allows packets to be forwarded across multiple links to arrive at its intended destination. Switch-processing capacity to support these massive inter-switch links have been increased too. These design changes, along with Ethernet’s innovation march, has ushered in the two-tier network design fabric option.

A two-tier fabric is designed with two kinds of switches; one that connects servers and the second that connect switches creating a non-blocking, low latency fabric. We use the terms ‘leaf’ switch to denote server connecting switches and ‘spine’ to denote switches that connect leaf switches. Together a leaf and spin architecture create the network fabric.

In late June 2010, Cisco announced its’ FabricPatch Switching System or FSS and its’ F-Series modules that support 32 ports of 10GbE of auto-sensing 1/10GbE and is essentially for server access and aggregation. FabricPath provides a new level of bandwidth scale to connect Nexus switches and delivers a new fabric design option with unique attributes for IT architects and designers. FabricPath is a NX-OS innovation, meaning that its’ capabilities are embedded within the NX-OS network OS for the data center. FabricPath essentially is multipath Ethernet; a scheme that provides high-throughput, reduced and more deterministic latency, and greater resiliency compared to traditional Ethernet.

FabricPath combines today’s layer 2 or Ethernet networking attributes and enhances it with layer 3 capabilities. In short, FabricPath brings some of the capabilities available in routing into a traditional switching context. For example, FabricPath offers the benefits of layer 2 switching such as low cost, easy configuration and workload flexibility. What this means is that when IT needs to move VMs and/or applications around the data center to different physical locations, it can do so in a simple and straightforward manner without requiring VLAN, IP address and other network reconfiguration. In essence, FabricPath delivers plug and play capability, which has been an early design attribute of Ethernet. Further, large broadcast domains and storms inherent in layer 2 networks that occurred during the mid 1990s have been mitigated with technologies such as VLAN pruning, Reverse Path Forwarding, Time-to-Live, etc.

The layer 3 capabilities added to FabricPath deliver scalable bandwidth allowing IT architects to build much larger layer 2 networks with very high cross-sectional bandwidth eliminating the need for oversubscription. In addition, FabricPath affords high availability as it eliminates STP, which only allows one path and blocks all others, and replaces it with multiple paths between endpoints within the data center. This offers increased redundancy as traffic has multiple paths in which to reach its final destination.

FabricPath employs routing techniques such as building a route table of different nodes in a network. It possesses a routing protocol, which calculates paths that packets can traverse through the network. What is being added to FabricPath is the ability for the control plane or the routing protocols to know the topology of the network and choose different routes for traffic to flow. Not only can FabricPath choose different routes, it can use multiple routes simultaneously so traffic can span across multiple routes at once. These layer 3 features enable FabricPath to use all links between switches to pass traffic as STP is no longer used and would shut down redundant links to eliminate loops. Therefore, this would yield incremental levels of resiliency and bandwidth capacity, which is paramount as compute and virtualization density continue to raise driving scale requirements up.

Designing A 160 Tbps Data Center Fabric

As an example to how multi link aggregation, the elimination of STP, high switching capacity and 10GbE connections create a highly scalable two-tier layer 2 Ethernet fabric, we use Cisco’s FSS and its’ F-Series module in the Nexus 7000. The following details the design of a 160 Tbps switching fabric with FabricPath and the F-Series module for high performance data centers using Cisco’s Nexus 7000 switches. This architecture can support over 8,000 servers connected at 10GbE or 4,000 servers dual homed at 10GbE with attributes of being non-blocking, low latency (5 microseconds), high bandwidth, reliability, plus simplicity of workload movement.

To build a 160 Tbps two-tier fabric, thirty-two Nexus 7018 switches populated with F-Series 10GbE modules would connect servers. These thirty switches are leaf switches. Each leaf chassis provides 256 10GbE ports to connect servers and another 256 10GbE ports to connect into spine switches. Therefore, each leaf is directly connected to each spine with sixteen FabricPath ports at 10GbE equaling a total of 256 10GbE ports for each leaf switch. There are sixteen spine switches each accepting 512 10GbE FabricPath ports. A single leaf chassis connects 256 10GbE ports into a spine equaling approximately 2.5Tbs. Multiplying each thirty-two leaf’s contribution into the fabric yields 80Tbs. As Ethernet is full-duplex, the total fabric switching capacity is 160
Tbps. Therefore, 160Tbps of switching fabric is available across all thirty-two leaf chassis. As 256 10GbE equals 2.5 Tbs, which also equals 16 FabricPath links to each one of sixteen spine switches, yields 2.5 Tbs, the fabric is non-blocking.

As for layer 2 and layer 3 forwarding, the job of the spine is to forward packets from leaf switches at layer 2, creating a single tier fabric. A key attribute of this architecture is that each 16-way FabricPath links are Equal Cost Multipathing or ECMP. What 16-way FabricPath ECMP provides are two benefits: 1) It delivers more paths for traffic to flow, which increases available bandwidth in the fabric and 2) as they’re distributed across all switches, diversity of routes is enabled to distribute packet forwarding. In essence what 16-way FabricPath ECMP provides is a very low latency, high bandwidth approach to supporting both north-to-south and east-to-west traffic flows simultaneously.

While the above is a Cisco deployment example Arista’s new 7500 series of Ethernet switches support 6 Billion packets per second at wire speed. The 7500s can be configured into a massive two-tier network fabric thanks to it support of 32 port MLAG (Multi-Chassis Link Aggregation) affording the connection of 18,000 to 30,000 servers.

Ethernet continues to evolve. The IEEE recently ratified the 40 and 100 GbE standard with vendors such as Force 10, Cisco, Arista, Extreme, BLADE, Brocade, Voltaire, HP et al announcing support and scheduling product delivery. While the above two-tier network example provides the perspective from the large switch provider, below is BLADE Network Technologies perspective, a company focused on server connectivity.

BLADE Network Technologies believes that as Ethernet delivers new levels of speed and intelligence, it will be the dominant two-tier network fabric for high-end next-generation data centers.
For many applications, low latency is a key requirement, and latency is an area where two-tier networks excel. Studies of stock trading exchanges have shown that tens of milliseconds of delay in data delivery can represent a ten percent drop in revenues, and delays of even five microseconds per trade can cost hundreds of thousands of dollars. Industry-specific requirements for uncompressed data and end-to-end deterministic latency within tens of microseconds make attaining such performance even more difficult. These factors have combined to make raw switching speed a top priority, and today’s best-of-breed 10 Gigabit Ethernet switches achieve can operate with under 700 nanoseconds of port-to-port latency while consuming a miniscule amount of power equivalent to that of standard light bulbs.

As next-generation networks get flatter – driven by latency and bandwidth requirements – emerging Layer 2 technologies such as the IETF’s Transparent Interconnection of Lots of Links or TRILL, enable this trend. The idea behind TRILL is to replace spanning tree as a mechanism to find loop free trees within Layer 2 broadcast domains. Using a routing protocol to build forwarding trees within a Layer 2 broadcast domain enables the flexibility and efficiency to route Layer 2 traffic, just like one would Layer 3 traffic, without the overhead associated with Layer 3 packet processing. TRILL will offer important features, such as support for both broadcast and multicast, load splitting along multiples paths, support for multiple points of attachment, and no tangible delay in service after attachment.

In the data center, bottlenecks are moving from the CPU and memory access to the I/O of the servers. Today’s multi-core servers are now able to sustain a great amount of traffic, requiring fast, flat networks, especially now that virtualization is widely deployed. Analysts have predicted that the 10G market will double year-to-year in 2010 and 2011. More servers using 10G increases the requirement for 40G and 100G in upstream networks. With 10G widely available and 40G coming online, Ethernet networks can enable data and storage traffic to use a single wire, using FCoE or iSCSI for example, and provide the raw speed that makes Ethernet with its economies of scale, to supplant InfiniBand for HPC requirements.

The reason Ethernet will be the network fabric for high-end data center networks is that the vendor community continues to innovate and build upon this protocol. Ethernet innovations are many and are beyond bandwidth increases from 10Mbs, 100Mbs, 1Gbs, 10Gbs, 40Gbs and 100Gbs, which are obvious. Link aggregation, multi-pathing and so much more propel Ethernet’s relevance and suitability to new challenging networking requirements.

Tweet

By Cisco Systems

Spanning-Tree Protocol (STP) can be easily compromised by eavesdropping in a switched corporate environment, but this vulnerability can be mitigated using L2 security features that are available on the Cisco® Catalyst® 6500. STP Man in The Middle (MiTM) attack compromises the STP “Root Bridge” election process and allows a hacker to use their PC to masquerade as a “Root Bridge,” thus controlling the flow of L2 traffic. To understand the attack, the reader must have a basic understanding of the “Root Bridge” Election process and the initial STP operations that build the loop free topology. This paper provides an overview of the STP Root Bridge Election Process, STP MiTM Attack Guide and Mitigation Techniques for STP attacks.

Find out how by downloading this white paper

Get the White Paper

Tweet

In the Lippis Report Research Note 150, we discussed the new industry group called Unified Communications Interoperability Forum or UNIF and compared it to other industry consortium charted to deliver interoperable solutions. While interoperability is sorely needed in the UC industry, it looks like Microsoft killed its changes of broad industry success before it started. What I hear from both UCIF members and non-members is that UCIF is controlled by Microsoft, and thus, lacks a large cross section of industry players as well as major UC providers. With its current structure, UCIF will make limited headway on its charter. In this Lippis Report Research Note, we review UCIF and its’ opportunities.

There is no doubt that the unified communications and collaboration industry needs interoperable solutions. Video traffic, in particular, is growing exponentially, which will not abate anytime soon. Driving growth is the new mobile video market with devices being equipped with real time video applications from companies such as Apple with its’ iPhone 4.0 FaceTime feature and Cisco’s Cius tablet. There is a real-time mobile video chat for Android too via the Movicha client application. In addition, every major UC supplier will launch a tablet based, end user device this year with tight links into its UC and video collaboration infrastructure. In short, the next generation office phone is a tablet. The combination of consumer and business mobile video device options will drive demand for interoperability, not only between mobile end points, but into corporate video conferencing systems too.

There needs to be a base line of interoperability standards for presence and call management also. Yes SIP or session initiation protocol does provide a base line, but many have built proprietary extensions minimizing interoperability options.

Now is a great time for an industry wide consortium of suppliers, service providers, IT executives and analysts to contribute to a set of interoperability standards with associated certification testing. Before UCIF was established Microsoft drove the initiative with limited to no input or invitation from its competitors. This approach has alienated nearly every major UC supplier from participating in UCIF, and therefore, don’t expect to see Cisco, Avaya, ShoreTel, Mitel, NEC et al to contribute. From this point of view, Microsoft killed UCIF before it even started.

But UCIF can make a contribution especially in the area of real time video collaboration between mobile, desktop and video conferencing system end points. For example, Microsoft could open up its’ Real Time Video (RTV) and Real Time Audio (RTA) codec protocols so that mixed vendor video endpoints can communicate with Office Communicator endpoints natively. With LifeSize, Polycom, HP and Microsoft being the UCIF founding members, their contribution to video collaboration interoperability could have a large impact on the real time video conferencing market.

For example, I use a LifeSize Express 220 video conferencing system, and as a standalone device that connects to other video conferencing systems via IP, H.323 or SIP, it’s magnificent. It would be great to connect with clients that have video enabled their desktop and mobile endpoints too. The larger the universe of potential video endpoints that one can connect to, the greater the value a real time video system provides. This would be a great charter for UCIF, which is to contribute open standards and certification testing that enable mobile, desktop and corporate video conferencing systems to interoperable.

However, for UCIF to deliver on its charter, it would have to dissolve and restart with Cisco, Avaya, Mitel, ShoreTel, and a larger role for Siemens, plus service providers, analysts and IT executives all being stake holders. You cannot have a closed group defining open standards. It just does not work that way.

Tweet

By Cisco Systems

The Cisco® Unified Communications Manager Session Management Edition integrates multivendor private branch exchanges into one network and centralizes applications. The Cisco Unified Border Element works with it to route traffic on secure cost-saving Session Initiation Protocol trunks. Together they help workers around the world achieve higher productivity through high-performance collaboration tools.

Find out how by downloading this white paper

Get the White Paper

Tweet

By Nick Lippis, the Lippis Report

A number of independent trends are driving a new age of massively scalable data centers. One of these trends include a new IT delivery model based upon cloud computing, where large hosting facilities provide a range of IT services to corporations and governments. Further, high performance computing (HPC) facilities built via server clusters on the order of thousands to tens of thousands of servers and more has ushered in new favorable economics, thanks to its use of x86 commodity hardware. The growth of public hosting and HPC facilities will only continue as efficient data center economics point to a fewer number of highly dense sites. It is this data center market segment, where the number of servers per facility is greater than 5,000, that we focus this white paper from a perspective of fabric, connecting servers and storage to internet/intranet via high performance Ethernet networking. For IT architects and designers of high-end data centers, this is the most important network design paper you will read this year.

Download this white paper now

Get the White Paper

Tweet

Massively scalable data centers have unique requirements such as low latency, high performance, non-stop operation, simplicity of design, workload mobility and storage transport support. To address these requirements Cisco launched FabricPath, which is a scalable multi-link and multipath technology allowing 2 to 48 Nexus 7000s to be configured in a large, non-blocking Ethernet switch fabric. This fabric, called a FabricPath Switching System or FSS, eliminates oversubscription and creates a two-tier fabric. In addition to FabricPath, Cisco launched its’ F-Series 10GbE module for the Nexus 7000, which offers 32 ports of auto-sensing 1/10GbE targeted at server access, aggregation and FCoE implementations solutions. Craig Griffin, Senior Director of Product Management for Cisco’s Nexus 7000 discusses new Ethernet innovations for the age of massively scalable data centers.

A white paper on the topic is available here:

Listen to the Podcast

Tweet

It hasn’t been since the mid 1990s that the networking industry was focused on multi-protocol integration or convergence. The industry is gearing up for a major innovation and competitive cycle fueled by the multi-billion dollar addressable market for data center network fabrics. Over the last eighteen months, every major Ethernet infrastructure provider has been talking about two and three tier network fabrics for high-end data centers. Companies such as Cisco, Arista Networks, HP/3Com, Force10, Voltaire, Extreme, Brocade, Juniper et al have announced network fabrics for data centers with five thousand and more servers with and without storage enablement. Juniper talks of a one-tier fabric through their Project Stratus work with IBM to be available some time in the future. Brocade recently introduced its’ Brocade One, which is a converged data center fabric. Cisco just launched its’ FabricPath Switching System or FSS for the Nexus 7000 that enables massive scale of a two-tier fabric. In this Lippis Report Research Note, we review the architectural attributes of two and three tier network fabrics and review FSS and its accompanying F-Series 10GbE module.

The IT industry is at an inflection point as service delivery is becoming more and more centralized thanks to data center consolidation, virtualization, cloud and mobile computing. It is estimated that a third of all IT spend is concentrated in the data center and this trend is only building thanks to favorable economics, motivating IT business leaders to centralize IT delivery.

The impact of this trend is more and more dense data centers made up of servers in the thousands to tens of thousands and higher. It is at the scale of 5,000 plus servers that a new network fabric is required for high-end data centers. High-end data center design is challenged with increasing complexity, the need for greater workload mobility and reduced energy consumption. Traffic patterns have also shifted significantly, from primarily client-server or as commonly referred to as north-to-south flows, to a combination of client-server and server-server or east-to-west plus north-to-south streams. These shifts have wreaked havoc on application response time and end user experience, since the network is not designed for these Brownian motion type flows.

The main requirements for high-end data center network fabric are low latency, large flat layer 2 domains to enable workload mobility, low power consumption, simplicity of design and significant bandwidth. Storage enablement, meaning consolidated I/O or virtualized I/O, is a growing priority and a new fabric that can support FiberChannel over Ethernet, iSCSI over Ethernet, iWARP over Ethernet or Infiniband over Ethernet is a major plus. One salient observation is that it’s pretty clear that Ethernet is the network fabric of choice as it is the only network protocol that enjoys continual innovation such as TRILL, Data Center Bridging, link aggregation, multi-pathing, and soon, 40 Gbs and 100 Gbs speeds. With the above requirements in mind, let us review data center network design options.

Two and Three Tier Fabrics

A three-tier network architecture is the dominant structure in data centers today and will likely continue as the optimal design for many networks. For most network architects and administrators, this type of design provides the best balance of asset utilization, layer 3 routing for segmentation, scaling and services, plus efficient physical design for cabling and fiber runs. By three tiers, we mean access switches/Top-of-Rack (ToR) switches, or modular/End-of-Row (EoR) switches that connect to servers and IP based storage. These access switches are connected via Ethernet to aggregation switches. The aggregation switches are connected into a set of core switches or routers that forward traffic flows from servers to an intranet and internet, and between the aggregation switches. It’s common in this structure to over-subscribe bandwidth in the access tier, and to a lesser degree, in the aggregation tier, which can increase latency and reduce performance. Inherent in this structure is the placement of layer 2 versus layer 3 forwarding that is Virtual Local Area Networking or VLANs and IP routing. Also common, is that VLANs are constructed within access and aggregation switches, while layer 3 capabilities in the aggregation or core switches route between them.

But within the high-end data center market, where the number of servers is in the thousands to tens of thousands plus and east-west bandwidth is significant, is where a new structure is needed. It is within these data centers where applications need a single layer 2 domain.

Two-tiers of network fabric

A two-tier fabric is designed with two kinds of switches: one that connects servers, and the second that connect switches creating a non-blocking, low latency fabric. In short, there are server facing and fabric facing switches. We use the terms ‘leaf’ switch to denote server facing or connecting switches and ‘spine’ to denote fabric facing or switches that connect leaf switches into the fabric. Together, a leaf and spine architecture create the fabric.

Many IT leaders in Global 2000 firms will have deployed both two and three tier network structure, as different deployment models are used for different applications. For these leaders, a network equipment supplier is needed that possesses product architecture flexibility, meaning an end-to-end product solution that accommodates tier two and three fabrics. This flexibility is found in product that supports layer 2 and layer 3 forwarding, as well as, a variety of line cards to offer design options.

A common network Operating System (OS) of products configured for two and three tier structure is important as IT operations gain efficiency to manage fabrics, as configuration and management are consistent. In addition, a common network OS offers rapid absorption of innovation to IT operations, as new OS features are available at the same time to all fabrics. The benefit of using a common product set to build tier two or three fabrics offers value around operational efficiency, training, sparing and ease of evolution between fabric deployments. In short, the network fabric needs to be simple and general purpose versus purpose built, which a common set of products creating tier two or three fabrics offer. This type of flexibility will enable IT leaders to address the challenges of scale outlined above.

In addition to product flexibility, some networking suppliers take a systems approach to their fabric design, meaning that a solution is built and pre-tested before it arrives on site. This ensures that IT does not have to perform system integration. With the increased concentration of computing and IT dollars into data centers, it’s only obvious that data centers are long-term corporate commitments. Therefore, it is only appropriate that the networking supplier of choice also has a proven long-term commitment to their product architecture.

Perhaps the best example of this is Cisco’s Catalyst 6000 switching architecture and its’ two-year-old Nexus product line. The Catalyst investment protection is well documented as it has been in operation for over a decade, which Cisco customers enjoy continued innovation and value added to this platform. Competitors view its’ longevity as a weakness. The Nexus product line has a similar investment protection philosophy with a fifteen-year plus lifespan expectation. Common to both Catalyst and Nexus is the fact that these products are built on silicon, developed at Cisco, affording investment protection from one generation of the hardware to the next.

A Unified Fabric

The concept of a unified fabric is to virtualize data center resources and connect them through a high bandwidth network that is very scalable, high performance and enables the convergence of multiple protocols onto a single physical network. These IT resources are compute, storage and applications, which are connected via a network fabric. In short, the network is the unified fabric and the network is Ethernet.

The industry tends to focus on storage transport over Ethernet as the main concept behind a unified fabric with technologies such as Fiber Channel over Ethernet or FCoE, iSCSI over Ethernet, iWARP over Ethernet and even Infiniband over Ethernet. But this is a narrow view of a unified fabric, which is being expanded thanks to continual innovation of Ethernet by the vendor community and standards organizations such as the IEEE and IETF. Ethernet innovations such as FCoE, Data Center Bridging or DCB, link aggregation, Cisco’s VN-Link, FEX-Link and virtual PortChannel or vPC have enhanced Ethernet networking to support a wide range of new data center fabric design options. In addition to these protocol enhancements, the IEEE is scheduled to complete its’ work on defining 40Gb and 100Gb Ethernet during the summer of 2010, significantly increasing Ethernet’s ability to scale bandwidth. To demonstrate how Ethernet is evolving to be the unified fabric for high-end data centers, we explore Cisco’s new FabricPath Switching System innovation in this white paper.

The decision to implement a two or three tier network structure comes down to scale. For high-end data centers, a two-tier structure meets the requirements of low latency, movable workloads, scale, simplicity, etc. Many global 2000 concerns will have deployed both a two and three tier network fabric for their high end and less dense data centers.

When shopping for network equipment to construct two and three tier network fabrics, look for suppliers that support both rich Layer 3 routing services and scalable Layer 2 Ethernet capabilities to ensure choice and flexibility of three tier and scalable two tier fabric implementations. Such suppliers offer products that can be configured in multiple use cases and topologies where modules are inter-changeable, skills transferable and operations common between both fabric approaches.

Tweet

By Cisco Systems

We work, live, play, and learn in a world that has no boundaries and knows no borders. We expect to connect to anyone, anywhere, using any device, to any resource—securely, reliably, transparently. That is the promise of borderless networks. To fully deliver on this promise, Cisco is advancing along three critical fronts: workplace transformation, technology leadership, and operational excellence.

Get the White Paper

Tweet

In mid May of this year HP, Juniper Networks, Microsoft, Logitech / LifeSize and Polycom established a forum to develop a set of interoperability test methodologies and certification programs along with specifications and guidelines that enable mixed vendor Unified Communications UC solutions to work with each other. In short, the UC Interoperability Forum or UCIF is trying to define what it means for multi-vendor UC implementations to interoperate. Since its establishment, membership has grown by thirteen vendors, but blaringly obvious is the omission of Cisco, Avaya, Mitel, ShoreTel and other major UC providers. This begs the question of motivation. Is the UCIF interested in interoperability or changing the market landscape to gain advantage on the established leaders? In this Lippis Report Research Note we explore this question.

UC interoperability is a very big deal. In fact, back in early April of this year, Zeus Kerravala, SVP of the Yankee Group and I addressed this issue in a Lippis Report podcast titled What is Holding UC Back?. Our answer was lack of interoperability standards and the vendor community’s minimal interest of embracing the ones we have. The UC market has evolved in a peculiar way as it brings together traditional voice communication companies, data networking firms, computing corporations and software concerns. UC is now at the epicenter of video communications, social networking and mobile computing too. UC represents one of the largest cross sections of disparate markets second only to the Internet. It’s here, within this cross section, that UC gains its enormous value.

UC offers to control real time communications and collaboration. Put another way, all real time business processes will be accessed and control by UC over time. Need to call a colleague? It’s via your UC client. Need to schedule a meeting? It’s via your UC calendar client. Need to video chat with a customer? It’s via your UC video client. Need to bring a group of people together for an emergency meeting? Yes, you guessed it! It is via your UC collaboration client. And common to all those UC clients is presence enabled directory to you, so you can find someone and know if they are available, a communications management system that sets up and tears down connections over intranet, internet and mobile nets. To make UC work ubiquitously, like the public telephone network or the Internet, the vendor community needs a forum or place where it can work out interoperability standards. In addition, for this next evolution in human communications to live up to its promise, it needs motivated vendors to allow their equipment to work together.

Yes, UC does have key interoperability standards such as SIP or Session Initiation Protocol that offer both end-point and communications manager interoperability, but many vendors add proprietary extensions to SIP reducing its value in multi-vendor networks. So the UCIF is to be applauded for taking the first step in creating an organization among the vendor community to usher in an era of interoperable UC. But the problem with UCIF is which companies established its formation. Clearly suppliers are businesses looking for sustainable competitive advantage that comes with large market share and innovative, albeit proprietary technologies. It’s no surprise then that when UCIF is established by firms with limited UC market share one’s mind jumps to the obvious assumption that the founding members of the UCIF are perhaps more interested in market share re-distribution than interoperability.

I’ve observed many industry forums and consortiums in the past that used interoperability as a convenient cause to hide a group’s true intentions. For example, Bay Networks, 3Com and IBM established the Network Interoperability Alliance or NIA in May of 1996 to foster interoperability between Local Area Network (LAN) switch vendors. NIA had limited success in competing with Cisco’s increasing market share gains of the enterprise router and switch market.

UCIF feels a lot like NIA to me. The shear fact that it’s mission statement, board and legal structure was done without any of the UC market leaders input and participation is unfortunate, as it has alienated them. It’s also unfortunate that Polycom and LifeSize are founding UCIF partners, but Cisco/Tandberg is not involved as this has a hint of Polycom/LifeSize fear of Cisco breaking away with the Telepresence market; UCIF seems like a way of mitigating this threat. The timing is very close with Cisco closing the Tandberg acquisition in April and UCIF being launched in May.

If UCIF is not able to entice and recruit Cisco, Avaya, Mitel, and ShoreTel et al in a meaningful and authoritative way, then its fate may very well be the same as NIA. What the industry does need is true interoperability standards so that a Cisco, Avaya, Microsoft, Siemens, HP et al UC implementations are able to work with each other in the same way that multi-vendor email systems work with each other. But without full industry participation, it seems that UCIF may be doomed and not able to deliver on its promise of interoperability. For UCIF to be meaningful it needs the UC market leaders full participation as well as Enterprise IT architects and planners plus service providers too, for without them, UCIF is NIA.

Tweet

By Cisco Systems

This paper provides a brief introduction to common security threats on IPv6 campus access networks and will explain the value of using First Hop Security (FHS) technology in mitigating these threats. An overview of the operational principle of FHS is provided together with some examples on how to enable FHS on Catalyst® 6500, 4500, and 3750 Series Switches. The target audience for this paper are network architects and network operation engineers.

Find out about FHS by downloading this Cisco whitepaper.

Get the White Paper

Tweet

In Lippis Report 148 we reviewed the major drivers and trends that are propelling the high-end data center Ethernet switch market to well over a $1B annual run rate. In this Lippis Report Research Note, we review the major suppliers of these switches. We review Cisco, Arista Networks Force10 Networks, BLADE Network Technologies, HP/3Com/H3C, Voltaire, Avaya, Brocade, and Juniper and identify their unique positions and offerings to participants in the burgeoning market. Our focus is the high-end, high density 10GbE switches that are enabling virtualized cloud computing data centers thanks to Terabits per second of back plane switching capacity, billions of packets per second of layer 2/3 forwarding, hundreds of 10GbE port connectivity per chassis, a new two-tier architecture, microsecond level latency, low power consumption, non-stop operation and software hooks that eliminate network barriers to large scale server virtualization. The engineering in these switches should be celebrated, as they represent the state-of-the-art in computer and network design. In short, they represent the fundamental building block of a new generation of IT delivery based upon cloud computing and virtualization. This Research Note is a must read for any IT executive designing a data center.

After finishing this Research Note, it became evident that this market needs a set of industry neural 10GbE switch test to independently verify vendor claims. We hope to make such a contribution this Fall.

Cisco Systems Nexus Family of Switches

Cisco’s approach to data center Ethernet switching is rooted in its Data Center 3.0 strategy which seeks to scale server virtualization while introducing a platform to enable a unified fabric or converged network and storage running on one physical Ethernet network. Cisco’s data center Ethernet switch portfolio is primarily the Nexus family of switches including the 7000, 5000, 2000 and 1000v. NX-OS is a purpose built data center operating system that runs across the entire Nexus family. NX-OS integrates a number of higher system availability functionalities such as virtual port- channel (vPC), and the capability to upgrade software without disrupting traffic. The Nexus 1000v is a softswitch that resides in a VM hypervisor. The Nexus 1000v’s main job is to eliminate network configuration barriers that exist when moving a VM from one physical machine to another. To accomplish this, the 1000v creates a port profile including VLAN, ACL, policy, security, etc. with persistence, which moves with a VM as a virtualization administer moves a VM from one physical machine to another.

The Nexus 2000 family of Fabric Extenders (FEX) introduces the concept of a remote line card of the parent Nexus 5000 switches and sits on the top-of-rack connecting servers to the switch fabric. The extender concept allows the 2000 and 5000 to be managed as one switch. This configuration reduces cabling requirements and offers an economical approach to server connection, thus providing the benefits of both end-of-row and top-of-rack deployments. The Nexus 5000 Series is 10 Gb Ethernet and Unified Fabric capable switches, connecting Nexus 2000s and servers directly at 100/1/10GbE/FCoE, while providing layer 2 forwarding. Providing layer 3 forwarding, dense 1/10GbE connectivity is the Nexus 7000 Series. The Nexus 7000 Series is available in a 10 and 18 slot chassis and is Cisco’s flagship data center Ethernet switch series. As a point of reference, the Nexus 7000 is now on an annualized run rate of $1B for Cisco, which is more than 10 times greater than any other switch supplier in the data center switch market. The high end 7000 connects 512 10GbE ports with 128 line-rate 10 Gigabit Ethernet ports. The Nexus 7000 Series switches can be segmented into virtual devices, delivering true segmentation of network traffic, context-level fault isolation, and management through the creation of independent hardware and software partitions. Overlay Virtualization Transport (OTV) provides customers a simplified DCI solution by extending layer 2 VLANs over existing IP networks. We have profiled the Nexus 7000 when first released and is available here. The Nexus switches can create a two-tier architecture with the 2000/5000, providing server connectivity and layer 2 forwarding between servers. The Nexus 7000 connects the 2000/5000 to each other and the internet/intranet with high density, high reliability layer 2/3 forwarding.

Arista Networks 7500 Family of Modular Switches

Arista Networks is a new comer to the data center Ethernet market, but its management team is seasoned and customer base growing. It provides six fixed 10GbE switches; five 1/10GbE 7100 and the 1GbE 7048 along with the new Best of Interop awarding winning 7500 modular switch. The 7100/7048 switches connect servers in a Top-of-Rack configuration while the 7500 aggregates these switches and connects them to the internet and intranet. This is a two-tier, “leaf-spine” architecture. The 7500 boasts ultra high performance layer 2/3 1/10 Gb Ethernet switching for high performance computing and cloud computing data centers. The 7500 supports 384 10GbE ports, 5.7Bpps at layer 2 or 3, high packet buffers 18GB deep, ultra low port-port latency of 4.5 microseconds and 10Terabit loss less switch fabric connecting modules.

The 7500 is 10GbE port dense, compact, cloud spec fast, green and prepared for 40 and 100GbE, with a price tag 50% below competitive offerings, according to Arista. While the 7500’s hardware architecture is impressive, its operating system EOS, Extensible Operating System, offers another set of uniqueness. For example, all Arista switches run the same binary image of EOS, easing administration while hastening switch feature upgrades. EOS is a modular OS that allows partners to run their software in the Arista switch, consolidating the number of management and network appliances required, thus increasing performance while reducing energy consumption and physical space. Arista’s EOS modularity was designed as a unique state sharing architecture that separates switch state from protocol processing and application logic. EOS is built on top of a standard Linux kernel. All EOS processes run in their own protected memory space and exchange state through an in-memory database. This multi-process state sharing architecture provides the foundation for in-service-software updates and self-healing resiliency. You can listen to a podcast interview with Douglas Gourlay, VP Marketing and Anshul Sadana, VP Customer & Systems Engineering from Arista on the introduction of the 7500 Series of Ethernet switches here

HP/3Com/H3C’s A12500 Core Data Center Switches

HP has spent 25 years building and selling networking products to its worldwide client base and is currently #2 in the market, with a 21% port count share and the fastest growing networking company in the industry. The combined HP/3COM acquisition brings core switching products, the #1 market share position in China, TippingPoint Intrusion Prevention System and ProCurve edge switches, representing a new choice for clients who are frustrated by today’s current offerings. HP will combine these two entities and operate under the banner of “HP Networking.”

The HP Converged Infrastructure Architecture and FlexFabric blueprint approach the modern data center with a vision that places networking at the center of an integrated data center solution and accelerates deployment of enterprise services and applications. It is designed to drive simplicity through streamlined network designs and centralized management, enhance agility with high performance security, and accelerated provisioning, and reduce cost with energy efficiency and low total cost of ownership. Central to HP FlexFabric is policy-driven network provisioning tightly integrated with server and storage management in an end-to-end data center converged infrastructure.

HP data center solutions are purpose built, using the latest advanced systems and ASIC technologies. “A” family data center networking platforms leverage a common operating system, Comware™ and are managed with a single-pane manager, Intelligent Management Center (IMC). HP switches make use of an HP-developed technology – Intelligent Resilient Framework (IRF) – to create a resilient virtual switching fabric. IRF delivers geographic independence, distributed high-availability, resiliency and millisecond re-convergence across layer 2 and layer 3 protocols. These innovations allow customers to build a simplified, high performing, highly resilient and flat (two-tier) data center network design. They overcome the limitations of low performance/scale, high cost/latency inherent in legacy solutions, which rely on multi-tier network designs, disjointed platform operating systems and complex resiliency protocols.

A key enabler of this transformational design flexibly is the HP next-generation data center switching architecture. This starts with the flagship HP A12500 core data center switch – which is based on a 100G design that uses a multi-level, multi-plane, non-blocking switching architecture to provide high performance and scalability. The A12500 supports 6.66 Tbps of high-performance switching capacity (future support for 13.32 Tbps) and scales to 2.2 billion packets per second of forwarding performance. The A12518 supports 512 10 Gigabit Ethernet or 864 Gigabit Ethernet ports in a single chassis. Its future-proof design accommodates 40/100 Gigabit Ethernet and emerging unified network requirements such as end-to-end FCoE/Data Center Ethernet.

Force10 Networks ExaScale E Series

Force10 Networks was one, if not the first company to offer 1 and 10Gb switching solutions for high-performance computing and data center markets in Fortune 100 companies, Internet portals, global carriers, leading research laboratories and government organizations. It offers a wide range of Ethernet switching and routing products that deliver high port density and resiliency to help customers deploy a high-availability, agile and standards-based GbE and 10 GbE network fabric, while reducing power and cooling costs. Its Ethernet switching products are designed to leverage virtualized data center environments and automate Ethernet networking. For example, its VirtualScale enables management of virtual chassis. Its VirtualControl enables virtualizing logical switching and routing boundaries. For automation, Force10 has developed an architecture, which automates network resource allocation as applications and services spin up and down. This architecture is built upon its HyperLink and SwitchLink technology, two new software features implemented within its Force10 Operating System (FTOS). HyperLink provides real-time communication between Force10 switches and hypervisors or virtual switches to enable automatic provisioning of one or many virtual LANs (VLANs) across multiple switches simultaneously. The SwitchLink feature provides real-time communication with middleware orchestration tools to enable automatic provisioning and management of virtual devices anywhere in the network.

Force10’s modular Ethernet switch data center product portfolio includes the ExaScale E-Series, optimized for core deployments in large-scale, high-performance 10GbE data centers, and the C-Series, optimized for mid-range data centers. Both the E-Series and C-Series come in multiple form factors, run FTOS and are dense high performance switching platforms equipped with redundancy, availability, fault-tolerant operations and many line card options. In addition, Force10 offers the fixed configuration S-Series product line for GbE and 10 GbE ToR configurations. Force10 promotes a vision of simplified data center topologies, using integrated switching and routing in the core, using chassis based E-Series or C-Series products, and fixed configuration ToR access products allowing both 1 tier and 2 tier designs. One tier can be achieved with high density E-Series platform for server aggregation, switching at the server edge, and routing off the same platform to the Internet / WAN. The two-tier architecture can be achieved leveraging ToR switching for server aggregation along with Force10’s chassis based systems in the core. In addition to a large direct sales force, IBM OEM’s Force10’s ExaScale platform as part of IBM’s iDataPlex clustering solution. You can listen to a podcast interview with Steve Garrison, VP Marketing of Force10 on their 40 GbE offering here.

BLADE Network Technologies RackSwitch Family of Ethernet Switches

BLADE Network Technologies (BNT) has been working in the data center switch market since 2006 with much success providing 1/10Gb Ethernet switches for blade servers and top-of-rack configurations. BLADE was launched from Nortel and made up of the successful Alteon Networks group. Their success stems from their ability to identify the top-of-rack and blade switch market in ’06, along with an OEM go to market strategy that included all of the top tier blade server providers such as HP, IBM and NEC. The result is that BLADE has shipped over 8m ports, achieved 25% growth from 2008 to 2009 (in a down economy), owns 50+ % of the blade switch market, is number 3 in the Fixed 10GbE market according to Dell’Oro Group, and has demonstrated scale with at least one customer installing over 16,000 of its switches.

BLADE offers the RackSwitch family of Ethernet switches, which are ToR, 1U high switches. They include the 24-port 360ns latency RackSwitch G8100 10GbE, 48-port RackSwitch G8000 1/10 GbE aggregation and the 24-port 700ns latency RackSwitch G8124 10GbE. Over a year ago, BLADE released its virtualization software called VMready that automates network settings for VM movement ensuring that network settings migrate when a VM is moved from one physical server to another. VMready scales to a 1000 virtual port switch, is based on standards and works with most popular hypervisors.

In addition to VMready, RackSwitch’s unique attributes are found in the fact that they were designed for the data center versus being a wiring closet switch re-formatted for the data center. For example, the RackSwitch BLADEOS supports CEE for unified fabrics, uplink failure detection, virtualization, dual homing for servers, low (80-170Watts) power consumption, back-to-front or front-to-back airflow and very low latency in the 700-360 nanosecond range.

Voltaire’s Vantage 8500

Voltaire has a long history in high performance computing and data center networking as it is one of the key leaders in the InfiniBand market. Voltaire enjoys distribution relationships with HP and IBM, as well as Bull, Fujitsu, NEC, SGI and Oracle. The result is a 100% + year over year revenue growth for Q1 as reported on May 5th. Last October, Voltaire entered the 10 GbE market with the introduction of its Vantage 8500 Ethernet layer 2-core switch. The Vantage 8500 boasts less than 1 microsecond of latency, a low 10 watts per port power consumption and 288 wire speed 10GbE ports in a 15U high chassis. The Vantage 8500’s unique industry contribution is that it’s based on converged enhanced Ethernet (CEE) technology providing InfiniBand-like capabilities to the Ethernet data center. In fact, Voltaire has ported many of InfiniBand’s key characteristics to the Vantage 8500 such as a lossless switching fabric, multi-pathing, virtualization, fabric-wide congestion management and QoS.

From a network design point of view, Voltaire supports a two tier network architecture that enables a simplified, ‘flat’ data center network and puts an end to the era of the over-provisioned network. Voltaire’s design centered on the Vantage 8500 is to support a two-tier data center network that scales from hundreds to a few thousand core ports, which requires high capacity, non-blocking 10 Gigabit Ethernet core switches. By clustering up to twelve Vantage 8500 switches together, IT business leaders can expand their data center to many thousands of servers while preserving the efficiency and price-per-port, without degrading performance or latency which occurs in traditional hierarchical network designs. To support ToR implementations, Voltaire and BLADE Network Technologies announced recently a partnership where BLADE ToR RackSwitches are aggregated by Voltaire’s Vantage 8500, rounding out the two-tier data center Ethernet network architecture.

The Vantage 8500 also features software-based capabilities to address virtualized and converged data center environments. Voltaire’s Unified Fabric Manager™ (UFM) software, application acceleration software and management OS (VT-OS) provide management and performance enhancement tools. These tools were developed and optimized in InfiniBand environments and are now available for Ethernet-based data centers. Voltaire’s recently introduced Unified Fabric Manager™ (UFM™) 3.0 software orchestrates physical and virtual switches delivering guaranteed levels of service per application. It’s the first and only Ethernet fabric management software that dynamically orchestrates end-to-end virtual machine connectivity for multi-vendor, scale-out data center networks.

Avaya’s VSP 9000

During the April 2009 Las Vegas Interop trade show, Nortel committed to the data center Ethernet market with the announcement of its Virtual Services Platform or VSP 9000 switch, which supports up to 27 Terabits per second (Tbps) of backplane switching and 240 10GbE ports per chassis at first release. Avaya announced their commitment to the VSP 9000 and said that it will be generally available in the second half of 2010 while already in controlled availability. The VSP 9000 is built upon the Ethernet Routing Switch 8600/8800 software providing a proven software foundation, mid-plane architecture, a fully programmable network processor unit for flexible data forwarding and carrier-grade Linux.

The VSP 9000 is designed to deliver high-density 10GbE, 40GbE and 100GbE. Its design center is rooted in highly dense connectivity environments that are all mission critical, by definition. Early testing validation of the VSP 9000 promises to provide ultra-high reliability and availability delivering below 50ms failover support, which is critical to eliminate application disruption thanks to its patented hardware failure detection differentiation. The VSP 9000 switch fabrics are lossless Ethernet capable and therefore well positioned to support the next generation Data Center requirements for convergence of storage onto the Ethernet infrastructure.

The VSP 9000’s unique network architecture is found in its ability to cluster four switches together, in that the total architecture exceeds 100 Tbs, with the number of 10GbE ports per rack being up to 720. Avaya continues to invest in Switch Clustering technology (Active/Active resiliency model) such as SMLT (split multi-link trunking) and RSMLT (routed-SMLT), which provides link, switch and router redundancy mechanisms. Three modules are being introduced in the first VSP 9000 release, a 24 port SFP+ for 1 GbE and 10 GbE connectivity, a 48-port of SFP module in addition to a 48-port 10/100/1000 TX module. Future plans include 40GbE and 100GbE interfaces, and even higher-capacity Switch Fabric modules.

Juniper Networks’s EX8200 & EX4500

In January of 2008, Juniper Networks launched its much-anticipated entry into the enterprise Ethernet switch market. Juniper’s focus is on the enterprise data center, campus and branch, as well as the service provider market. Juniper provides a suite of Ethernet switch products, including the EX4200 with Virtual Chassis technology for GbE Top-of-Rack (ToR) and End-of-Row (EoR) data center access, the EX2500 24-port and new EX4500 48-port 10GbE ToR switches, and the EX8200 high-density, high-performance line of modular Ethernet switches.

According to Juniper, it simplifies customer enterprise LAN architectures and advances the economics of networking via its most recently launched initiative called the “new network” for data centers. Juniper’s “new network” promises critical innovations in automation, virtualization and fabric technologies. These innovations are to reduce time to operation by up to 50 percent and eliminate up to 35 percent of data center networking capital expenditures. One aspect of the “new network” is a simplified two-tier network architecture, which may be reduced to one when “Project Stratus” is completed with IBM. The reduction of a three-tier architecture to two is accomplished by utilizing Juniper’s Virtual Chassis fabric technology in the access layer, in conjunction with its high-density, high-performance platforms such as EX8200 and EX4500 in the LAN core, thus eliminating the aggregation or distribution layer. According to Juniper, collapsing the distribution layer reduces complexity in the data center as well as campus networks by reducing the number of managed devices by up to 89%, providing up to 39% savings in space, 44% savings in power and reducing the number of switch interactions by up to 99% compared to three-layer networks. According to Juniper, this approach improves application performance by also reducing latency up to 77% compared to three-layer networks. Note that these claims and numbers are Juniper’s and not mine.

At the core of Juniper’s data center Ethernet product family is the EX8200 line of modular switches. The EX8208 and EX8216 are eight and sixteen-slot modular switches. The EX8216 sports a maximum of 640 10GbE ports and 1.92Bpps and 6.2Tbps backplane speed. The EX8200 is said to support 40GbE and 100GbE interfaces in the future. The EX8200s connect either EX4200 GbE or EX2500 and EX4500 10GbE ToR switches together while providing access to internet/intranet. All Juniper switches run Junos, the network operating system that provides reliability and availability features, developed for the high-performance enterprise and service provider market.

Brocade’s NetIron MLX Series of Switches

In July of 2008, Brocade had purchased Foundry Networks, catapulting them into the Ethernet switch market as one of the top five Ethernet switch/router vendors by revenue. Brocade, with its long history of data center storage, saw that converged I/O was going to happen and prepared the company to participate in this market. At the high end of Brocade’s data center Ethernet switch products is the NetIron MLX-4, MLX-8, MLX-16 and MLX-32 routers, which support 4, 8, 16 and 32 I/O module slots, respectively. We’ll focus on the high end NetIron MLX-32 here, which has been in production since August 2006.

The NetIron MLX-32 boasts a total of fully redundant non-blocking 7.68 Tbps switch fabric capacity. Brocade says that the MLX-32 can forward some 2.284 Bpps of Layer 2/3 packets and support 1,536 and 256 non-blocking 1 GbE and 10 GbE ports, respectively. Note that the new high density 10 GbE was announced the same day as this Research Note was made public. All four NetIron MLX systems are designed for non-stop operation, supporting 1:1 management module redundancy, N+1 switch module redundancy, M+N power module redundancy and N+1 fan redundancy. The NetIron MLX architecture is an adaptive self-routing Clos switch fabric with a virtual output queue (VOQ) design. This non-blocking architecture is optimized for maximum throughput and low latency for all packet sizes.

Tweet

By Cisco Systems

Typically, data centers have been built over time, with servers added as they are needed. This process has resulted in server sprawl, increasing power and cooling costs, and created challenges in management and security. To meet their requirements, organizations are employing virtualization on a broad scale on servers centralized in the data center. However, server platform and virtualization address only one part of the problem for the global organization. Not only does application complexity put a burden on the server resources, but applications increase the burden on the WAN. With a widely distributed user base, organizations must address the challenge of WAN performance if they are to deliver applications to remote users with an acceptable user experience. To meet this challenge, Cisco provides a solution to host applications and deliver them over the WAN while helping ensure the highest levels of scale and performance, enabling organizations to achieve their business initiatives.
Find out how by downloading this Cisco whitepaper.

Get the White Paper

Tweet

During last week’s Cisco Q3 FY10 quarterly financial conference call, John Chambers, Cisco’s CEO, said something that impressed and shocked me. The company has been quiet about the growth rates for its Nexus line of data center switches until this call. What shocked me was that the Nexus 7000 is now on an annualized run rate of $1B, yes that’s Billion with a B! I remember being interviewed by John Markoff of the NY Times in Jan ’08 about the Cisco’s Nexus and Juniper’s yet to be announced Ethernet switches. In just 27 short months, the Nexus product line including the 7000, 5000 and 2000 represents a $1.4 B run rate of revenue to Cisco. Another insight gained from this ramp up is that the data center networking trends that we’ve discussed here in various Lippis Report Research Notes are powerful demand drivers for Cisco and other companies participating in this lucrative emerging market and its just starting! Companies such as Arista Networks, Force10 Networks, Blade Network Technologies, HP/3Com/H3C, Voltaire, Avaya, Brocade, Juniper, et al, have unique positions and offerings to participants in the burgeoning market. In this Lippis Report Research Note, we review the mega trends driving high market growth. We save a product review of each of the suppliers for our next Lippis Report Research Note.

In addition to the run rate numbers above, Cisco also posted a milestone of 1 million 10 GbE ports shipped, providing a strong indicator that the 10GbE market is nearing a tipping point to high volume, as pricing drops and its use accelerates. The following are mega trends driving this tremendous market growth. Traffic demand drives bandwidth and that’s the first mega trend.

Traffic Profile Changes: Gone are the days when data center networks primarily shuffle asymmetric email messages and low bandwidth client-server computing applications between endpoints and servers. Best effort data delivery, where latency was secondary to delivering data accurately, has changed to being a paramount design element where 10 milliseconds means the difference between losing a customer or capturing revenue. Traffic is now highly mixed, moving around a data center in near Brownian motion between servers, storage, internet and intranet thanks to a plethora of old and new applications such as mash-ups, VoIP, search, backups, storage access, emerging converged I/O etc. In addition to Brownian motion traffic flows and low latency requirements, the volume of traffic continues to skyrocket and shows no sign of abating. Remember when the Dow dropped by 1000 points in early May of this year? Financial services firms saw an average of 40 times the amount of traffic in their data centers as traders responded to the drop. There is no better driver for traffic volume as financial markets in turmoil. The traditional model of over subscribing data center bandwidth by as much as 80:1 is the norm, and IT business leaders are looking for a more efficient model.

Workload Mobility: With the advent of server virtualization IT leaders are able to decouple an operating system from its underlying server hardware and increase the number of instances an operating system can be replicated on a single server. Server virtualization reduced the number of physical servers needed and in the process reduced energy and cooling requirements. Now that an operating system only needs to know which hypervisor it’s running on, that operating system instance and the applications it services can be moved from one physical server to another in near real-time with the click of a mouse, thus providing workload mobility or portability as well as a rapid application procurement tool.

So what does all of this have to do with networking? A lot, first moving these workloads around a data center consumes huge bandwidth and has low latency requirements to driving raw bandwidth requirements. Secondary, and most importantly to the industry, is that networking or should I say the rigid structure of IP addressing/VLANs, etc are impeding the automation of these workload moves. In short, the data center network needs to be reconfigured when VMs are moved from one physical server to the next in the same data center and it simply does not work if a VM is moved between data centers separated over distance, between a data center and a cloud provider and between cloud providers. This is the area of the infrastructure 2.0 working group.

Doug Goulay said it best in his recent Network World post.

“When moving VMs between machines there is a caveat:  if you want your TCP connections and IP addressing to stay intact the receiving physical host must be capable of supporting the same IP address that the VM moving to it is actively using.  This means that both physical hosts have to be in the same subnet or in the same VLAN depending which layer of the network you are looking at.  Since the largest number of physical servers that can be supported doing this is around 64 it doesn’t change the addressing architecture too much, unless the servers are in different data centers, or are connected to different access layer switches that talk to different aggregation layer switches.  If this is the case the network architecture all of a sudden starts dramatically impeding the movement of VMs:  either VM mobility is impeded, or the network is redesigned. 

Some people often ask me, “can’t I do this with DNS?’  In short, no.  DNS is cached at many client sites, ignoring your TTL.  Additionally, DNS is cached on many PCs for the life of an application session.  If you try to change the IP address of your backup server while you are in the middle of a 2GB backup do not expect the connection to continue.  TCP doesn’t work this way.”

Increased Density: It’s no secret that data centers are bursting from the seams as the economic down turn kicked large IT capital outlays down the road until economic conditions improved. Business leaders have been postponing increasing data centers space, that is square footage, while power density has grown exponentially, until very recently, as cooling requirements increase unabated. Power and cooling capacity are the primary constraints to data center expansion. To deal with these realities, IT business leaders are left with only one option, appropriate capital to either upgrade power and cooling systems or build a new data center. The impact of high energy densities is that server hardware is no longer the primary cost component of a data center. The purchase price of a new (1U) server is now exceeded by the capital cost of power and cooling infrastructure to support that server and will soon be exceeded by the lifetime energy costs alone for that server. In short, energy costs are on their way to dominate data center economics.

To help mitigate these trends, the new data center switches offer increased server connection density at lower energy consumption levels. In addition, their own energy consumption to shuffle packets around has been reduced, for some by as much as 50%. To connect an every increasing dense set of servers, new generation of data center switches boast a two tier network architecture to support thousands to tens of thousands to hundreds of thousands of servers. To deal with high server density connectivity, server access is via a leaf switch, while leaf switches and storage connect to a modular spine switch. The two-tier approach offers efficient connectivity density, low latency albeit this depends highly upon the internal switch design, and is ready to support consolidated I/O.

Consolidated I/O while early in its adoption cycle will go a long way in reducing power consumption of servers as they will have a single network interface for both storage and networking. In addition, consolidated I/O promises to reduce the need for a separate storage switch too again reducing capital, energy and cooling cost.

Back to server density. Server density will only get, well, more dense. If the industry trajectory of cloud computing is realized any where near what the conventional wisdom dictates, then there will be more and more highly dense cloud computing sites supporting an ever increasing number of enterprise, government and consumer applications. How many cloud computing sites does the US need to support all IT applications? With nearly 16 million servers installed nation wide, according to IDC, and with each cloud computing site supporting hundreds of thousands of servers, then perhaps the number of cloud computing sites would be in the hundreds. While its unrealistic that all US enterprises and governments will be hollowed out of their data centers and applications via cloud computing with today’s technology and business control believes; the trend line is clear, there will be a smaller number of very large cloud providers delivering applications to a wide range of customers. Almost like a supernova transforms into a black hole, applications will not be able to escape the gravitational pull of the scale and economics of cloud computing if the industry gets anywhere near this size scale.

The networking industry has been busy adapting to these powerful trends with new internal switching architectures, data center network architecture and automation. Internal switching architectures are being designed with high internal switching capacity in the terabit rage, lower energy consumption in the 10W/port range, low latency and of course high port density. The data center network architecture most are progressing toward is a two –tier leaf-spin approach mentioned above. These switches possess the highest levels of reliability, serviceability and redundancy, as networking is at the center of this massive server connectivity density.

Network automation is another area of investment where VMs can be moved within and between data centers, as well as between data centers and cloud providers, plus between cloud providers. A few companies are addressing network automation, but this is a huge issue that the industry needs to wrap its arms around and provide a scalable solution.

In the next Lippis Report Reseach note, we’ll review Cisco, Arista Networks, Force10 Networks, Blade Network Technologies, HP/3Com/H3C, Voltaire, Avaya, Brocade, Juniper, et al, and highlight their unique positions and offerings to participants in the burgeoning market.

Tweet

By Cisco Systems

Virtualization is rapidly becoming an essential tool for more fully harnessing and managing the power of today’s data center servers. In only a few years, standard x86 server technology has increased in performance and density so that today, multisocket, quad-core systems with 32 or more gigabytes of memory, are the norm. The combination of multicore computing and virtualization software such as VMware Virtual Infrastructure has enabled IT departments to bring server sprawl under control by running multiple independent workloads on a smaller number of servers. Today, fewer servers are required to do the same work, and their utilization levels have increased — both factors that contribute to greater energy efficiency and lower power and cooling costs.

As IT departments have discovered the benefits of server consolidation, they have also found that virtualization solves an even broader set of problems. Business continuity plans based on virtualization can make disaster-recovery solutions simple, reliable, and more cost effective. Virtual desktop environments can use centralized servers and thin clients to support large numbers of users with standard PC configurations that help to lower both capital and operating costs. Virtualization allows development, test, and production environments to coexist on the same servers, and it helps decouple application deployment from server purchasing decisions. New applications can be deployed in virtual environments and scaled on demand to accommodate the evolving needs of
the business.

Get the White Paper

Tweet

This past Interop in Las Vegas was one of the best I have attended, since even before the economy took a noise dive in 2008. The tone and level of excitement of the industry’s growth potential was refreshingly up beat from the hundreds of IT and vendor executives I talked with. While the size of Interop is a small fraction of what it was in the late 1990s, (70k attendees with over 600 exhibitors to ~ 15K attendees with ~ 200 exhibitors) it still provides a pulse of the networking industry. In fact, Interop has come full circle, back to being a networking event even though it has added other topics. You have to give Dan Lynch credit for creating such a long lasting venue for our industry. Congratulations to Cisco, Arista Networks, HP/3Com, Mallonx for winning best of show in their respective categories and for Arista for winning Best of Interop. In this Lippis Report Research Note I provide the key industry themes that were evident at Interop this year.

The following are my observations of Interop 2010 in LV.

Network Infrastructure Takes Center Stage: Even though Interop provided attendees with thirteen educational content areas including cloud computing, IT security, Enterprise 2.0, etc., it’s the changes taking place in the network infrastructure business that was front and center, loud and clear. The following was the topic of conversations throughout Interop:

• Cisco’s introduction of its Best of Show winning Aironet 3500 Series Access Point with CleanAir technology,
• Arista Networks’ introduction of and winning Best of Show and Best of Interop for its Arista 7500 10Gb modular Ethernet cloud computing switch,
• HP’s closing of its acquisition of 3Com and winning Best of Show for its TippingPoint Virtual Controller,
• HP’s planned acquisition of Palm,
• Avaya’s reassertion in the network business with the introduction of its Ethernet Routing Switch 8800, WLAN 8100 and Advanced Gateway 2330,
• Voltaire’s new Vantage™ 8500, 10 GbE Layer 2 core Ethernet switch,
• Force10’s open network automation demonstrations and 40GbE module

With the above announcements and accomplishments, two thoughts come to mind. First is that Interop is finally back to core networking issues, and second, the above announcements provide a window into the huge changes that are taking place in our industry.

New Industry Structure Emerges: The networking industry has been consolidating for some time now and will only continue. Corporations have some $2T in cash and equivalents on their books, which will be put to work acquiring companies and investing in growth markets. The big growth market in our industry is the fundamental change IT is starting to progress through. HP’s actions last week provided a preview of what’s to come.

HP stole the headlines last week with their shorter then expected closing of their 3Com acquisition, in addition to their intent to purchase Palm. HP realizes that the IT industry is structurally changing away from fixed desktop computing accessing corporate applications hosted in data centers, to mobile computing accessing applications hosted in corporate data centers and cloud computing facilities. The big winner in this transition is networking, as without it, cloud and mobile computing will not happen. Palm gives HP a smartphone platform to participate in the mobile computing market while 3Com expands its corporate networking portfolio significantly.

HP vs Cisco: The buzz at Interop around HP was how it will compete with Cisco. The HP executives and booth personnel were the most energized I have ever seen. HP views their competitive advantage along the lines of innovation, open network architecture and economics. Thinking it through however, HP’s focus will be more on supply chain efficiencies to drive down their cost of producing networking gear close to server economics while leveraging their massive and productive channel to gain market share.

The supply chain efficiency is a great idea, but will take at least a year if not more to deliver. The thinking here is that a 40 Watt power supply is the same, independent of its final designation, as long as it powers a server, router, etc. So can HP redesign their product lines for common components where they gain huge cost efficiency thanks to volume purchasing? Perhaps, but this will take time. Their channel strength should deliver results in the short term. If HP executives are correct and that the market wants a strong number two networking provider, then its channel should produce fairly quickly. If it doesn’t, then this premise is questionable. HP networking is about $5B now; if it doesn’t grow faster then the industry by a significant amount next year, then something is wrong.

Remember HP is competing with a $40B powerhouse that is Cisco Systems, which has a massive and productive channel too that are energized to sell, not only networking gear, but also unified communications, Cisco’s new server platform UCS and video equipment. As for innovation, HP is a great operational company therefore expect them to take cost out of their products. Nevertheless, Cisco is the innovation king, thanks to its systemic incorporation of innovation in product development, plus its ability to integrate acquisitions quickly and materially. Cisco does not only innovate in its products, but around them, offering architected solutions. Examples of this are everywhere, including its borderless network architecture, EnergyWise, UCS, the new 3000 series stackables, Power over Ethernet Plus, its’ ISR G2, the Nexus line of data center switches, its’ approach to integrated network security, etc.

Here’s an example of the power of innovation. A client and Lippis Report subscriber has funded a new $20M data center. During their due diligence, they visited Dell, HP, IBM and Cisco. This CIO will go with Cisco’s UCS. The reason is that during the customer visit, Cisco first described the major direction and trends in data center virtualization and cloud computing in such a way that my client said “Cisco looked into the future and designed UCS to exploit these changes while all the other vendors were selling their old blade systems”. Now this is significant, as this CIO only purchased equipment from market share leaders, that is, he would buy from HP for servers, Dell for desktop systems, Cisco for networking, Avaya for communications etc. Cisco’s innovation in UCS changed his long-standing principal of buying only from market share leaders and will buy UCS for this new data center. So the basis of competition between Cisco and HP will fall into three categories; innovation, supply chain management and channel productivity.

A Mobile and Cloud Computing IT Model Is Disrupting The Status Quo

The Interop announcements above were aligned with this new world order of IT. For example, Arista Networks delivers a massively powerful 10GE switch for cloud spec data centers and high performance data center environments. Clearly investment in cloud infrastructure is a growth market which motivated Voltaire to enter the Ethernet market and leverage its Infiniband experience to deliver converged I/O for both Infiniband and Fiber Channel Over Ethernet (FCoE). As computing is in a rapid technology innovation stage thanks to server virtualization, networking has lagged in its ability to automate network changes brought on by VM moves. This has motivated Force10, F5 and Infoblox to demonstrate innovative approaches to automating network changes so that network administrators do not have to be involved in the process of VM moves and/or the provisioning of new IT services as demand is increased and/or decreased.

It’s clear that HP networking products has gained awareness and will receive consideration. As HP opens the consideration door, Avaya wishes to enter too with its refreshed and new data networking products. Avaya is now lead by experienced IP networking executives that understand voice and data. The Nortel channel also understands voice and data. Ever since Avaya closed its acquisition of Nortel, those channel partners that put selling Nortel gear on hold, have started to come back. They are comfortable now as stability, R&D funding and a strong financially viable company has emerged.

The networking industry is an upside down pyramid with Cisco at the top followed by a few others in the billion-dollar range. Then there are a number of $100M sized firms followed by a few start-ups. The successful firms will be the ones that embrace the new world order of IT that is being brought on as IT leaders de-emphasizes desktop computing and invest in mobile plus cloud computing.

Tweet

During a podcast with Zeus Kerravala of the Yankee Group, we came to the conclusion that the unified communications market is in a funk and the only way out is for suppliers to adhere to industry standards that allow interoperability. To demonstrate this achievement, UC providers would be well advised to participate in industry wide interoperability testing. In this Lippis Report, we discuss the issues that are holding back UC and video conferencing adoption.

It’s important to understand that standards and interoperability mean different things. A supplier can be open, but not standards based. A supplier can be standards based, and not open. And then a supplier can be standards based and build a range of extensions to the standard, which then makes their implementation nonstandard. And this is where the UC industry is right now. Nearly every supplier will tout how open they are; that is how standards based they are, but what it all comes down to is we really don’t have a common standard UC that allows IT business leaders to deploy UC solutions and work in a mixed vendor and service provider environment. This is the single most important issue to IT business leaders that is creating pause in their UC deployments and extending sales cycles.

It’s disappointing. Our industry has been developing UC since 1996. It seems as if UC suppliers are not ready to implement standards based UC solutions, as they haven’t figured out how to maneuver as the basis of competition changes toward interoperable UC. The question is if a UC supplier makes their offering open and interoperable will they lose important functionality and compete on features above standard UC services?

The UC market is built primarily off of a telecom heritage in which none of the PBX phone system vendors had interest in interoperable solutions, and as a result, the PBX market was frozen with 30% share each going to Lucent/Avaya, Nortel and Siemens for decades. Voice over IP or VoIP thawed that market by radically changing it with a new approach to voice and based upon the openness of IP.

It’s because of this PBX heritage that many of the suppliers view being open and truly standards based as a threat. Thinking this way masks the bigger picture. UC suppliers are missing the larger picture, which is this. If UC endpoints truly worked as plug-n-play, and IT business leaders knew that whatever UC systems they deployed would interact and work with different UC suppliers, then UC usage would go through the roof. The market would expand and service providers could offer standard UC services too.

The big picture of plug and play universal UC would change market share. Perhaps large suppliers would have a lower percentage of share, but of a much bigger addressable market and associated dollar value. In short, the pie would get much bigger. In addition, the big picture would create a much larger UC ecosystem, with more winners than the current industry structure, and that is healthy.

Point in case. Most IT business leaders have relationships and large investment with both Cisco and Microsoft. Many Lippis Report subscribers voice concern that they can’t get their Cisco and Microsoft UC solutions to work properly together. If two of the largest vendors in the UC space don’t work together, than what hope do most IT leaders have of actually getting their UC investments to work in a mixed vendor environment?

This is systemic, because without adherence to basic UC standards overall market size, growth rates, adoption rates and adjacent markets will be limited. A closely aligned UC adjacent market is video communications. While there are companies promoting various different standards, there’s no interoperability within the three-tier enterprise video communications structure. The three-tiers are 1) desktop video, 2) a pedestrian video conferencing system and 3) Telepresence rooms. There are little to no standards that would allow different vendors to be providing each of the three-tiers and offer users the same simple set-up that allows video communications to work between the three tiers. Today’s solution is to buy a single vendor, but no video conferencing supplier offers all three-tiers. Cisco may soon offer all three tiers thanks to their Tandberg acquisition, but Microsoft still owns the desktop and they are not opening up their RTA/RTE protocol any time soon.

Another closely aligned UC adjacent market are smartphones, such as the iPhone, Android, blackberry, the Palm Pre etc. There are only limited UC extensions being offered to mobile endpoints but they lack standards, presence, directory and fixed mobile convergence

In short, the biggest drawback is that it’s too hard to get systems, sometimes-even systems from the same vendor to talk to each other. Getting different systems from different vendors to talk to each other is nearly non-existent today. The directory problem is a huge industry problem, because it’s very different to know who has video communications and who doesn’t. Think of it in terms of telephony. I know you’ve got a phone and a phone number that I can call you on. I know you’ve got an email address. However, I don’t know if you have video, and if I do, I don’t know how to connect to you. So, if that barrier doesn’t fall, video will remain a niche application with relatively low utilization even though high definition video and Telepresence utilization has increased substantially during the downturn.

We are calling the telecos to task on this. The telecos hold a lot of the keys to success because video conferencing systems are connect over teleco networks, which is the perfect place to apply interoperability standards. And while a number of telecos now support inter-company Telepresence on their own backbone, they need to step that up and provide inter-company video cross-backbone, and be willing to work with all video conferencing providers.

Again, here’s the case where the telecos probably look at this interoperable video service as threatening, in that they don’t want to open their network up and allow other provides to provide service with our network. Yet if they did, usage would go up and everybody would benefit. So the network operators really need to step up here.

The big picture plug and play model of UC will change business models. As the industry becomes open and standards based, truly standards based, an innovative ecosystem will flourish. Money flows will shift as the big picture UC market becomes much more ISV (independent software vendor) driven. In this model, from a vendor perspective, what’s important is less about the tools you have or the applications you provide, and more about your willingness to support the ecosystem that surrounds you and the development tools you provide them. In essence, the developer community winds up leading your organization.

This is a big shift. In the world of applications, the platform is the important asset and how a company supports its ecosystem will become a key basis of competition and a barrier of entry, as there are only a limited number of ISVs. The open UC market will move the value proposition to one of a platform delivering innovative UC applications. In this model, revenue generation shifts where money comes from and how vendors get it. Avaya understands it very well, with its Dev Connect community, Cisco with its CDN and Siemens with its UC Server 2010 UC platform, but all suppliers need to put much more energy into open standards and going to market through a developer ecosystem.

To accelerate the industry to the big picture UC market expansion, the industry needs to embrace a public semi-annual interoperability testing and demonstration event. It was this public testing that drove TCP/IP into the success of the Internet with the industry trade show and conference called Interop. We need a UC Interop to move this technology to mainstream.

Tweet

By Cisco Systems

The last decade has witnessed a rapid development of data and voice convergence over a common IP infrastructure. Now video is converging with data and voice traffic over a common IP network. Converging video with data and voice is more complex than converging data and voice: it demands more considerations, and it imposes stricter requirements on the underlying IP network. This paper reviews high-level requirements of a media-ready network and presents a high-level framework and systematic methodology to perform Medianet Readiness Assessment (MRA) on your enterprise network. It goes into detail on the methodology and process it takes to perform the assessment.

Find out how by downloading this paper

Get the White Paper

Tweet

This is the question that Zeus Kerravala, SVP of the Yankee Group and I address in the Lippis Report podcast. Here’s a hint, lack of standards and the vendor community’s lack of interest of embracing the ones we have. Post your ideas on twitter with the following hash mark #UCINTEROP.

Listen to the Podcast

Tweet

Many IT leaders are striving to understand who is on their network and what they are doing. These are two simple questions and yet, in many cases, IT business leaders do not have a good way to answer them. And once IT leaders are able to obtain this information the question then becomes what else I can do with the data: obtain a history report, perform statistics for analysis and planning, generate compliance reports and much more. To tightly link business processes with networked applications, IT leaders need to wrap policy, identity and security around users and IT assets.

This is the essence of Cisco’s TrustSec; that TrustSec provides security services as its primary value proposition but the data and insight it generates assist IT business leaders with network design to meet future growth. Cisco’s TrustSec organizes and simplifies existing authentication and policy schema allowing administrators to configure and maintain identity-based access to IT resources while identifying and applying policy based on a user’s role in the organization. TrustSec also provides encrypted links between end-points and servers. TrustSec is an architecture which builds upon existing network services embedded into network infrastructure, addressing not only security issues but delivering certain business services too.

A key pillar of strength for TrustSec is its ability to create a consistent and unified set of policies across the entire network. Its second pillar is the ability to identify users; from the moment a user accesses the network, everything about this user is known and it follows them wherever they go. TrustSec identity is embedded in the traffic that the user generates, which goes well beyond initial Network Access Control (NAC) and offers unique design capabilities that we’ll discuss below. The third pillar is security, which is reflected in a number of areas such as NAC, encryption, etc.

TrustSec is an architecture delivering network access control, policy, identity and encryption. Policy is the glue that ties business processes to network behavior and thus TrustSec has expanded its role in policy creation. TrustSec policy is segmented into three areas:

Authentication: The foundation of the technologies is authentication as it defines user identity. Authentication is how TrustSec understands users; who they are, what roles they have in the organization and what type of credentials they possess as well as confirmation of these attributes. TrustSec provides multiple authentication approaches, such as 802.1x, web authentication and MAC authentication bypass (MAB). All three approaches are implemented and supported on Cisco Catalyst or Cisco Nexus switches. Cisco uses the term “Flexible Authentication” to represent these three methods. What’s unique about Cisco’s TrustSec authentication approach is that it is providing all three methods together and they are completely adjustable. What this means is that IT administrators can configure these authenticating methods in any sequence of their choice, in one place, to host all authentication configurations, greatly simplifying the process of configuration and change management. There is yet another TrustSec authentication method, namely appliance-based network authentication provided by the Cisco NAC Appliance. This method expands beyond LAN switches to include wireless and remote access as well.

A powerful feature is that once authentication is configured on a centralized policy server all switches receive this data, easing deployment while providing consistency and scale. No more authentication configuration on a per switch basis but rather a consistent policy is realized. For IT leaders not ready to implement Catalyst or Nexus switch policy enforcement but who would rather use an appliance there is an in- and out-of-band NAC appliance approach to policy enforcement.

Authorization: Once a user has been authenticated and their organizational role confirmed then services could be designed specifically for them, implemented via control mechanisms. It’s common in the industry to typically assign a VLAN or ACL for the user depending upon a layer 2 or 3 construct. TrustSec supports both VLAN and ACL implementations. What’s unique about TrustSec is that it allows IT administrators to create a security group tag or SGT. SGT essentially allows every single packet to be tracked throughout the entire infrastructure so user control is not relegated to the initial network entry point that VLAN and ACLs dictate. SGT enables user control and support deep down in the interior of the network. For example, to strictly control access to a critical file server, an IT administrator can enable SGT to filter network egress to that server for only those allowed access. The control point is on the switch so that when traffic leaves the switch trying to reach the file server, authorized users via SGT are able to egress.

Value-Added Services: With user authentication and authorization configured along with control, IT administrators can now design specified user services that are linked to business processes. Services such as IP telephony integration and IP phone end-points that need to be authenticated and authorized but are non-user devices, meaning that they don’t possess an 802.1x supplicant and there is no human behind the device. TrustSec utilizes aspects of 802.1x to authenticate and authorize the IP phone’s user taking into account various scenarios such as when the IP phone is powered down or its behind a PC, etc. Other services are guest access, device profiling, device posture and link encryption via MACSec, an IEEE standard that specifies how encryption may be used to secure links within local area networks.

TrustSec’s MACSec implementation is supported on the Nexus switches and on the new Cisco Catalyst 3560-X and 3750-X series switches that connect desktops, WLAN access points and laptops. In short, with MACSec supported on Nexus 7000 and Catalyst 3560-X and 3750-X switches Cisco is working towards full native layer 2 encryption as the Nexus switches are located in the data center while the Catalyst 3000s are closet switches connecting desktops. This is a welcome development for high security environments such as government agencies, certain research and development laboratories and other environments that require a higher level of security.

TrustSec Innovations
Cisco is announcing a set of new TrustSec features and innovations such as Security Group Access Control List that allows IT administrators to control group access based upon MACSec key technology. Security group Tag Exchange Protocol (SXP) is useful for Catalyst switches that do not have the processing power to support SGT today. So Cisco developed SXP to insure Cisco customers can use their existing Catalyst switches to participate in the overall SGT implementation. Flexible Authentication is another innovation for scenarios when end-points do not have an 802.1x supplicant and require access to an 802.1x network. Flexible Authentication offers web authentication which is useful for printers, guest access, etc.

Open Mode offers additional options or modes to being simply denied network access, a dramatic event when it occurs. Cisco TrustSec designed multiple modes to ease this transition. For example, monitor mode is like an audit mode. IT is able to monitor all users and their traffic thus allowing IT to view network dynamics before turning on 802.1x.

In addition to monitor mode there is ‘low impact’ mode. In this case 802.1x authentication is engaged but allows certain types of traffic to pass onto the network even if authentication denies access. This is useful for DNS or maintenance related network traffic; for example, allowing this specific traffic to pass even if it didn’t pass authentication. There are configurable options for “low impact” mode. There is also a “high security” mode where only authenticated users/devices are granted access.

Value-Added Services:

There are tools to automate the process of adding value-added services such as device profiling which recognizes defined end-points such as a printer which is very handy when the printer is moved, replaced or a new one is added, thus saving IT operations configuration time. Automated device profiling tracks devices by monitoring these end-points as they boot up on the network. TrustSec identifies that the new device is a printer, and then loads the printer policy placing the printer in the right VLAN, ACL or SGT; then it updates the device database, saving IT a lot of effort.

Guest services are now integrated with the Cisco NAC appliance guest server, streamlining guest account creation and user notification. The integration of guest services into the NAC Appliance allows report creation; for example, history tracking. Guest services now works in both 802.1x and NAC environments offering IT choice, convenience and simplified operations, an industry first. Thus any worker with authorization can create a guest account, reducing dependence on IT or the helpdesk which often fielded guest access requests.

Posture assessment provides device compliance status, such as which version of Anti-Virus, spyware scan, network configuration assessment, etc., which is added to authentication services.

Cisco has enhanced end-to-end troubleshooting and monitoring capabilities into TrustSec for 802.1x environments. When an 802.1x end-point attempts to access the network a string of exchanges occur between that end-point and the network. There is a protocol exchange to obtain user information while the authenticator or network switch transfers the information to the authentication policy server. During this protocol exchange between the three entities there could be a number of reasons why things do not work. Typically when things went wrong there was limited information available to IT administrators to troubleshoot and resolve the issue. To fix this problem TrustSec collects user supplicant information from the network, the policy server and switch as a log message, which is passed through certain algorithms or scripts to isolate the problem. This increased visibility enables quick problem identification and resolution, pin pointing the trouble to the switch configuration, supplicant issue or determining whether it’s simply a wrong password. These scripts are not only useful with troubleshooting, but also compliance as collected information can generate reports. These scripts are available in Cisco’s ACS 5.1 policy server.

Implementing TrustSec

There are currently two TrustSec deployment scenarios: 1) 802.1x and 2) Appliance based. In 802.1x environments ACS server is the policy server with Catalyst and Nexus switches providing enforcement with Radius as the control plane. In the appliance-based approach Catalyst switches provide enforcement, NAC Manager is the policy server while SNMP is the control plane. The appliance-based approach does not support SGT but it provides posture assessment which 802.1x does not.

TrustSec features and attributes are implemented across many Cisco products such as the Cisco Catalyst and Nexus switches providing policy enforcement and encryption services. Policy is defined in the Cisco ACS (Access Control System) while its key authentication and authorization are implemented in the NAC Manager, Server, Profiler and Guest Server. There are two TrustSec end-point clients, those being Cisco’s or any 802.1x supplicant and its NAC client. It’s not a stretch to see that Cisco will consolidate the end-point clients and policy components over time to minimize the number of appliances needed to fully utilize TrustSec. ACS already works with the NAC Profiler and Guest Server plus directory services such as active directory or LDAP. Knowing Cisco the NAC manager may also hold all this functionality for those who choose to deploy TrustSec in an appliance form factor. Over time these two TrustSec approaches will consolidate to one, allowing 802.1x and NAC users and devices connect to the network with one policy server, and either switch or appliance enforcement method leaving choice to IT departments. The end-point clients would fit nicely into Cisco’s AnyConnect client offering both LAN and remote security services in one client.

TrustSec has expanded to include 802.1x and NAC environments offering customer choice to either proceed with one approach or a combination of the two. TrustSec’s attributes are based on policy, identity and security. Over time we expect that many of the TrustSec attributes will be integrated into the network allowing its services to be ubiquitous throughout the corporate network fabric, significantly adding to corporate security architecture.

To make TrustSec truly successful Cisco should add more support for mobile and remote access end-points in addition to LAN-based end-points to the architecture. In addition video end-points will require TrustSec services too and will have to be supported. There are slight tradeoffs between 802.1x and NAC clients such as posture assessment and SGT support. These two client features should blend over time and converge into one to simplify TrustSec client software.

Tweet

A panel of IT business leaders discusses their experience with Network Virtualization as we dive into motivations, design options, economics and business outcomes. On the panel is Marilyn Hay, Manager of the Network Management Centre at the University of British Columbia, Frank Hoonhout, Senior Lead Network Engineer at the State of Oregon’s State Data Center and Hasan Siraj, Director of Product Marketing at Cisco Systems. This is a podcast you surely want to listen to.

Find out the real world value and business outcome of investing in Network Virtualization by listening to this podcast.

Listen to the Podcast

Tweet

With all the investment in IT security over the years, one would think that threats would have subsided; but they have only increased and largely increased with exploits and iframes (redirection on a reputable website to infect its visitors) up nearly by a factor of 2000 over the past two years. This has resulted in an increase in data theft Trojans over the same period by a factor of 6000, according to the 2009 ScanSafe Global Threat Report, enriching hackers and cybercriminals. What’s driving this exploit growth is that hackers and cybercriminals are automating successful techniques for mass website infection. In addition, hackers increasingly collaborate, sharing best practices to infect websites for personal gain. In short, IT and business leaders are not confronting individual hackers, but a community of cybercriminals working together to steal corporate data that is increasingly organized as a traditional business with suppliers, resellers and end users. And this community’s opportunities to attack individuals and corporations have only increased with the huge growth in mobile access and deep corporate reliance of web-based applications to automate business processes.

IT leaders, especially those in small- to medium-sized companies are at a disadvantage with limited and even decreased IT staff and capital budgets, making it difficult for them to keep up with an ever-increasing volume of threats and complex exploit profiles. To mitigate these fears and concerns IT leaders have been turning to Cloud Web Security offerings by Cisco, BlueCoat, Websense, McAfee and others. While limited at first to URL filtering, Cloud Web Security is becoming sophisticated enough to identify threats by analyzing content in a contextual basis. Further, Cloud Web Security is in essence a SaaS offering affording on premises and mobile threat defense by extending a corporate perimeter around its mobile workforce.

The Web has become fundamental to business and the overall economy. The use of the internet has evolved from a static research tool to a dynamic communication platform, with corporate revenue directly linked to Web availability. Second, Web access is wide and varied in terms of end-points used, be it desktops, laptops, netbooks, smartphones, kiosks, etc., and networks providing access such as corporate networks, broadband, WLAN, hotspots. From a security point of view exploits infect corporate IT assets primarily through malicious content on web sites, email and blended email/web combinations. The Web will be used increasingly as the threat vector of choice by hackers and cybercriminals to distribute malware and perpetuate identity theft, financial fraud, and corporate espionage. As networks have become borderless, security vulnerabilities have increased by opening up doors or entry points that hackers can exploit, be those doors end-point devices, web sites, bad sections of web sites, applications, email, etc.

To mitigate these vulnerabilities IT leaders have deployed Web Security services in their enterprises in an effort to control which web sites employees’ access. But with the huge growth of laptops and smartphones, Cloud Web Security has been introduced beyond the corporate perimeter to protect all users and mobile devices too. Cloud Web Security threat prevention is getting much smarter by incorporating both content analysis with context offering, a powerful defense against zero-day exploits for all users regardless of location.

Cisco ScanSafe

To make these points, I focus on Cisco’s Cloud Web Security offering through their acquisition of ScanSafe. Prior to Cisco’s acquisition of ScanSafe, IDC’s “Worldwide Web Security 2009-2013 Forecast and 2008 Vendor Shares” ranked it as the worldwide market leader with over 30% share with Websense in second place at 7%. ScanSafe’s suite of services includes Web Malware Scanning, Web Filtering and Anywhere+ for roaming user protection. Unlike other solutions, which rely on URL databases and signatures to filter and identify malicious sites, ScanSafe, through its Outbreak Intelligence engine scans all Web requests in real time, so IT leaders receive comprehensive protection from all threats, including threats that appear before an anti-virus signature is available – and that’s a huge advantage.

What’s unique about Cisco ScanSafe is the sheer volume of data – billions of web requests daily – it processes for threat identification. The visibility gained from ScanSafe is also fed into Cisco’s Security Intelligence Operations (SIO) that incorporates data from IntelliShield, SensorBase and the huge footprint from participating Cisco customers who have opted into send their IPS appliance security data to SIO, creating the largest threat collection network on the planet. SIO’s broad threat collection and exploit mitigation dissemination will only increase the accuracy of the entire Cisco security portfolio, including ScanSafe.

Since ScanSafe is a Cloud Web Security service consisting of over 15 data centers deployed across the world, access is independent of geographic location. In essence a user connecting to the Web will have their traffic pass through one of ScanSafe’s data centers. In the ScanSafe data center the requested Web page is split into its basic components such as Java, PDF, Windows EXE, etc., and scanned within an analysis engine called Outbreak Intelligence for zero-day exploits via twenty-six specialized scanlets. The output of the scanlets is processed by a meta scanner that processes contextual information to decide if the content should be blocked or allowed to pass. This process of content scanning takes less than 5ms assuring user performance is not impeded. What’s impressive about ScanSafe is its scale. It sees billions of web requests per day and all of this scanning and filtering of traffic is captured within Outbreak Intelligence that provides real time harvesting of data that allows it to identify and stop an exploit well before anti-virus vendors can produce a signature and propagate it to their customers.

Signatures Defense Is Not An Effective Zero Day Threat Mitigation Technique

For example, during the Zeus Botnet and Gumblar exploit ScanSafe was blocking these exploits from propagating to clients well before anti-virus firms developed and distributed a signature. This lapse of time between exploit identification, signature development and mitigation is reduced to zero in ScanSafe’s Outbreak Intelligence, offering a much better approach to defense. Consider Gumblar, which first spiked near the 16th of April 2009 and took anti-virus vendors nearly a week to develop a signature, all the while ScanSafe was blocking it from clients. After anti-virus vendors released a Gumblar signature Gumblar traffic did indeed decline, but the hacker modified his/her exploit and near the 23rd of April Gumblar spiked again forcing the anti-virus vendors to identify it, analyze it, write a new signature and finally distribute it. During this time ScanSafe had been blocking the mutated Gumblar from its clients. This cycle continued for nearly six weeks starting from threat outbreak and included four hacker mutations and subsequent signatures until the anti-virus vendors delivered consistent protection.

The above is an example of ScanSafe’s ability to detect and block exploits in scale. The more content ScanSafe’s data centers scan the smarter its Outbreak Intelligence gets. This is important for two reasons. First in this market the suppliers with the largest market share are rewarded with the greatest visibility into exploits and thus offer the quickest and most potent defenses. Thus with its dominant share ScanSafe has a level of threat visibility that allows it to accurately and quickly mitigate exploits. Second since ScanSafe is a cloud-based service it can deliver a solution for on-premise and mobile users quickly and easily. This combination is not only powerful for large enterprises but for small- to medium-sized business as well, where IT skills and capital constraints had precluded them from offering the same protections as larger firms, until now. In fact the small to medium enterprise (SME) market can offer its employees the same level of protection as large enterprises when using ScanSafe.

ScanSafe’s data centers not only offer scale of processing but fault tolerance and redundancy are built into their design so that in the case of a data center outage, the data center that’s nearest in proximity is equipped with enough capacity to support all users without negatively impacting performance. ScanSafe has a track record of 100% availability over the past 7 years. For traveling mobile users their protection follows them anywhere in the world. For example a traveling mobile worker may deplane in Singapore connecting to the ScanSafe Singapore data center, but upon arrival in the U.K. the London data center will service this mobile user so that his/her policy is consistent worldwide while performance is maximized.

Reporting Is A Key ScanSafe Differentiator

ScanSafe reporting is arguably the most detailed in the market at analyzing web security threats and offers depth unattainable by enterprise system thanks to its position in the cloud. There are over 5000 customizable reports with 75 reporting attributes and 11 categories with comprehensive drill downs. This reporting flexibility allows administrators to define important data too. There are virtually no report design restraints offering great insight and visibility into web activity. The reports are based on a data warehouse infrastructure providing cumulative, trending and forensic reports being processed and maintained by ScanSafe’s storage, compute and network infrastructure. Its reporting is SaaS-based, meaning that IT leaders do not need to purchase or run reporting software on-premise. Reporting is key as IT leaders are provided with visibility for both on-premise and off-premises Web usage, offering them tools for charge back, forensics, application planning, etc.

Consistent or Different Policy

Policy is an enabler for IT leaders to gain control over Web use by in office and mobile workers. ScanSafe delivers IT leaders control knobs over content such as URL filtering, dynamic classifications of websites, end-user education through threat labeling of search engine results before employees click on links plus other traditional policy settings. In addition, ScanSafe’s Anywhere+ allows IT Security leaders to set flexible on- and off- premises policy. For example, in-office employees may have policy set for both acceptable use and malware prevention; however, off-premises employees may have policy set for malware prevention. As Anywhere+ becomes integrated with Cisco’s AnyConnect client, this capability will be pushed to the millions of users that use the AnyConnect client. Providing a consistent policy framework for on- and off-premises is a work in progress at Cisco, but they do have the product breadth to deliver on its implementation.

Cloud Web Security has primarily been focused on URL filtering as its primary control. But URL filtering has become less effective as a control or security technique due to large quantities of dynamic content delivered over the internet. URL filtering schemes are unable to identify different types of content within pages especially within Web 2.0 sites. This is where content analysis has blossomed as an accurate approach to identify every component of web page content that is attempting to traverse a corporate firewall or reach a mobile end-point independent of website categorization.

Cloud Web Security offerings are delivering a network approach to zero-day exploit mitigation that is faster and more accurate than traditional client-based anti-virus signature approaches. Cloud Web Security offerings that are based upon content analysis with a contextual basis are best positioned to mitigate exploits. As these offerings are cloud-based their use is naturally extended to static and mobile locations offering protection to both desktop and mobile users with consistent reporting and customizable policy creation. Another large benefit is that Cloud Web Security solutions are well within the reach of small- to medium-sized businesses, offering these firms an effective way to close the gap between effective defense and budget plus staff limitations. Cloud Web Security should be considered as part of IT’s overall arsenal to defend workers and corporate assets from hacker and cybercriminal threats.

Tweet

The Web Malware Pandemic

Just as the Internet, the Web, and the information age have revolutionized our businesses and our lives, these developments have also radically changed the face of crime. Computer and Internet crime are no exception. Today, computers factor in nearly every form of crime – from crimes facilitated by computers (credit card theft, for example), to crimes, which are specifically computer-to-computer (malware, for example), and to crimes in which computers play an incidental supporting role (i.e. an illegal gambling bookie that keeps computerized records). This paper addresses one single facet of cybercrime – the manipulation of Web content and Web technologies for criminal and/or for illicit gains

Find out how to defend Web traffic from cybercrime by downloading this paper

Get the White Paper

Tweet

THE WORLD’S LARGEST SECURITY ANALYSIS OF REAL-WORLD WEB TRAFFIC
By Cisco Systems

The ScanSafe Global Threat Report is an analysis of more than a trillion Web requests processed in 2009 by the ScanSafe Threat Center on behalf of the company’s corporate clients in over 80 countries across five continents. Our leading position of providing security in-the-cloud provides unparalleled insight in the real-world Web threats faced by the today’s enterprise; this report represents the world’s largest security analysis of real- world Web traffic.

Download it now here.

Get the White Paper

Tweet

In addition to desktop connectivity wiring closet switches now connect wireless access points, laptops, kiosks, netbooks, IP phones, printers, video desktop systems and more while also managing electrical power of the devices they connect. New PoE Plus standard 802.3at allow 30W per port to be delivered which has driven a change in wiring closet power management. I talk with Berna Devrim, Sr. Manager, Access Switching Marketing at Cisco Systems about the dynamics forcing a change in wiring closet switching and the new Cisco X and S series of edge switching products which represent progressive thinking in this space. Enjoy, Nick.

Listen to the Podcast

Tweet

By Cisco Systems

The traditional network and physical perimeter is no longer the only borderline to defend information security. Collaboration, IT consumerization, mobility, and new computing technologies are driving productivity gains while presenting renewed security requirements. There is greater pressure on IT to meet the demands of a dynamic workforce, both in terms of service delivery and security challenges. New solutions are needed to protect borderless networks and to help further improve business efficiencies in the mean time. Cisco® TrustSec is such a solution.

To find out how to protect your network with TrustSec download this white paper now

Get the White Paper

Tweet

Cisco’s TrustSec is architecture with its implementation spread across client software, infrastructure (Catalyst & Nexus) and policy (Access Control System and NAC appliance). Cisco has expanded TrustSec to incorporate 802.1x clients allowing IT leaders to mix and match NAC and 802.1x endpoints. TrustSec organizes and simplifies authentication and policy schema allowing administrators to configure and maintain identity-based access to IT resources while identifying and applying policy based on a user roles in the organization. TrustSec also provides encrypted links at the switch port level. Steven Song Security Business Manager in the Network Systems & Security group at Cisco Systems joins me to discuss TrustSec and how Cisco is expanding its services and importance for IT business leaders.

Listen to the Podcast

Tweet

By Cisco

As the Internet transforms from a static resource to a utility platform enabling two-way communications, malicious threats have increased in volume and shifted their focus toward the Web. Hackers are exploiting the vulnerabilities of an open and dynamic Web to distribute their malware rather than creating their own malicious websites. Web malware infection from reputable websites that have been compromised is now not only a reality, but is now the preferred route to infect victims. This change has made traditional methods of control such as anti-virus less effective and requires an alternative approach to security. This alternative approach is Cloud Web Security.

To understand Cloud Web Security download this white paper

Get the White Paper

Tweet

The Web is increasingly being used as the threat vector of choice by hackers and cybercriminals to distribute malware and perpetuate identity theft, financial fraud, and corporate espionage. Is exploit sophistication and complexity evolving beyond traditional end-point anti-virus mitigation? Is a network centric model a faster and more accurate approach to zero day threat defense where massive cloud computing resources are put to work identifying and mitigating complex, polymorphic threats designed to evade anti-virus software and are mitigated before they reach desktop or mobile end-points? Mark Guntrip, Product Manager at Cisco Systems joins me to discuss Cisco ScanSafe, a Cloud Web Security Offering and debate client- versus network-based zero day threat defense.

Listen to the Podcast

Tweet

No matter where you look today the structure of IT is fundamentally changing. Applications are increasingly being accessed from mobile devices along with traditional laptop, desktop and even kiosk machines. SaaS has taken off and is far more prevalent than most executives realize as they are acquired by line of business and divisional budgets, leaving many IT leaders blind-sided and out of control with their relevance coming into question. As a result corporate application portfolios are shifting in their mix under IT leaders from one of total control to partial control to none. In short, IT leaders are finding that the largest application growth in their corporation is coming from outside of their traditional perimeter and with no control knobs. In essence applications and networks are becoming borderless.

While borderless networks offer productivity improvements allowing work to follow individuals, IT leaders are concerned about its security implications, that being are corporate assets secure when applications are being accessed and used within and outside of corporate perimeter? Can IT leaders deliver the ease of use afforded by borderless networks securely? In this Lippis Report Research Note we review Cisco’s New AnyConnect approach to securing mobile devices, which promises invisible use along with safeguards, visibility, control and relevance for IT security leaders.

With mobility comes productivity. As users work anywhere through a wide range of devices or end-points business productivity accelerates. This has been the case with every cycle of computing, from mainframes, minis, PCs, internet-connected PCs to now mobility; a correlated significant jump in productivity at a macro-economic level occurred and the mobile computing cycle will be no different. But to cease this productivity IT leaders need to be comfortable with mobile computing security. And they do have a lot to be concerned about as securing a plethora of different devices accessing both corporate and Web/SaaS applications from a vast array of locations and network access methods is a challenge.

Three major mobile computing themes stand out:

Theme one: Increase Productivity: IT business leaders need employees to be productive, so they provide access to information, making that access as seamless as possible so employees obtain the tools they need and information they require to do their jobs. A central component to this is providing consistency between out-of-office and in-office IT experience.

Theme two: Deliver Mobile Security: Many IT leaders feel this way: “I built all of this infrastructure to protect my users when they’re sitting within the organization. When they leave and are remote what is protecting them and corporate assets? I protect them eight hours a day, then they go home with their laptop and get infected for 16 hours.” In short a disproportionate amount of security investment has been made within the corporate perimeter that needs to be extended to remote and mobile access.

Theme three: End-point Agnostic: Consumerization of the enterprise is forcing IT business leaders to not only support traditional remote devices such as laptops, but also IPhones, Android, Blackberry, netbooks and other end-points that are on the horizon such as the iPad. Consumerization is focusing IT business leaders to deliver seamless network access with always-on security and protection across a broad array of devices to enable business productivity.

Securing Mobile End-points With Existing Defense Techniques
From a security point of view, IT defense for mobile devices share many of the same concerns as securing fixed end-points. Unique to mobility is the security issue of lost mobile devices/end-points. To address this concern IT leaders typically need complementary product that can enforce PIN locks/encryption and support remote data wipe. Common to mobile and desktop security are concerns with acceptable use and threat protection. Malware plus web-based threats have spiked over the past 18 months, increasing threat awareness as business press coverage of exploits have expanded. IT leaders have data security on the top of their minds too. Therefore, access control, threat protection, data security, etc., are common security concerns to fixed and mobile computing with IT leaders and vendors seeking to expand/extend existing defenses to this new wave of computing.

Legacy VPNs Too Cumbersome: A New Generation of Remote Access Emerges
Clearly existing technologies such as Virtual Private Networks (VPN) is a remote access approach that seeks to provide a solution to mobile computing, but it falls short. The challenge with legacy VPNs is its cumbersome use model with multiple boxes to check, tokens and keys to exchange plus certificates to obtain. The process is not transparent and as a result is too painful to use resulting in legacy VPNs use only when absolutely necessary. This use difficulty is both a lost productivity opportunity and security vulnerability.

The vast majority of time a user is outside the corporate network its end-point is unconnected to that network and thus largely unprotected and invisible to IT. Laptops in essence have no security except perhaps a desktop anti-virus (AV) client, which is becoming less and less effective over time due to signature-based defenses lagging exploit propagation. Connectivity may even be so rare that end-points spend much of their time out-of-compliance on patch levels. SaaS makes the problem even worse. Many use SaaS applications such as Salesforce.com, et al., to conduct business-critical or business-relevant tasks by simply accessing these sites over the internet where IT doesn’t have visibility let alone control over these sessions. Most don’t use VPNs to access SaaS applications, which would route traffic through the corporate network, due to the use hassle.

With corporate applications having moved rapidly to both HTTP/Web/SaaS web security is an increasing threat breeding ground that requires a new defense model. There are web security solutions in the market such as Websense and BlueCoat, but their current models are limited to URL-filtering clients, which enforce approved URLs to each end-point. Further, their current operating system support for clients is limited to Windows XP omitting MAC OS X and smartphone mobile platforms. And while URL-filtering does provide limited acceptable use and malware security it does not address data loss, access control and thus full threat prevention, particularly given the nature and mechanism used by hackers to propagate threats today.

Enter Cisco AnyConnect Secure Mobility

To address mobile computing, Cisco has announced its Cisco AnyConnect Secure Mobility to combine access control and web security, which in essence creates a flexible perimeter around a corporation’s mobile end-points providing them the safeguards and security that desktop systems enjoy behind the corporate firewall. AnyConnect Secure Mobility combines Cisco’s AnyConnect client, Cisco’s ASA (VPN, Firewall, IPS, content switch appliance), IronPort (Web security), ScanSafe (Cloud Web Security), and SIO (Security Intelligence Operation) to deliver the next generation of remote access and security for mobile end-points.

While AnyConnect utilizes and integrates much of Cisco’s security technology, the real innovation is how the mobile client captures ease of use and simplicity, allowing users to access both corporate and Web/SaaS applications without the hassle of traditional VPNs for any type of end-point, be it laptop, smartphone, netbook, etc., while protecting corporate assets. In many cases the user experience will be far superior to existing remote access solutions as they don’t need to be concerned with network access type, be it VPN, internet, 3G, WLAN, 4G, etc. The hope is that AnyConnect will provide IT leaders with the assurances they need to enable employees to embrace mobile computing allowing their corporations to exploit its productivity advantages.

Making Remote Access Secure and Invisible

AnyConnect is a pervasive end-point controlling network access and security. The idea is that it fades away into the background, versus the very manual VPN configuration of today. AnyConnect decides where to connect and establishes the connection when the end-point needs to network. If a laptop or iPhone moves from WiFi to the 3G network, AnyConnect figures out what it needs to establish the connections. In addition, AnyConnect provides persistence, keeping all session state. The more intelligent AnyConnect gets over time the more it will fade into the background, being invisible to the user. Cisco is committing to a broad range of device support. Support for Windows XP, Vista, Windows 7, MAC OS X laptops has been made. Smartphones from Apple’s iPhone, Android and Windows Mobile are rapidly changing the enterprise mobility landscape which has been dominated by BlackBerry thus far and it seems logical that these end-points will be supported by Cisco at some point.

Flexible Policy Creation

For web security clients AnyConnect delivers an innovation around policy so that specific policies for remote workers can be distinguished and reported differently than desktop policies. This is important from a compliance point of view as IT leaders often set policy for workers within the network perimeter around “acceptable use” and from a compliance and liability standpoint IT leaders need to be concerned with “where” users go on the web. However, when an employee is home on their own time using their laptop to browse the internet, IT Security leaders don’t care “as much” about which web sites they visit, only that they are secure and protected from propagating threats. Therefore, AnyConnect allows IT Security leaders to set flexible on- and off-premises policy. For example, in-office employees may have policy set for both acceptable use and malware prevention; however, off-premises employees may have policy set for malware prevention.
Device Collaboration Takes Complexity Away From Mobile End-point

AnyConnect promises to deliver an end-to-end user experience, thanks to the engineering that Cisco has done to enable the above mentioned security products to collaborate between each other. One example of this value is during AnyConnect user authentication via the ASA configured for remote access VPN headend. The ASA authentication information along with the fact that the user is mobile is passed to the web security appliance so that both can apply the right policy without delivering another prompt to the user; thus allowing mobile-specific policy to be applied to the remote access session. For the mobile user this process streamlines their access as he/she is not greeted with two different screens (ASA and Web security) during authentication, just one.

Hybrid Hosting: The Way We Work

Backhauling internet destined traffic from remote sites over the corporate network is unfortunately more often done for security reasons. As many security leaders are requiring remote or mobile users to pass through the corporate perimeter to access SaaS applications and other Web content, application performance may suffer. AnyConnect performs performance optimization between VPN and Web access scenarios to significantly lower latency improving user experience even during backhaul scenarios. But as internet video traffic has skyrocketed there’s increased pressure and demand to maintain high user experience by allowing these flows to bypass backhauling and go straight to internet, or “enforcement points” such as a ScanSafe cloud. AnyConnect promises to seamlessly find the closest network attach point and optimal enforcement point, whether that’s the backhaul path, a ScanSafe cloud or even a Cisco ISR G2 running in a branch office equipped with web security capabilities. It’s logical that Cisco will release these capabilities over time.

Securing mobile/remote users via cloud-based services and desktop users with on premise security appliances have emerged as an important security design approach. Security services delivered to mobile and desktop users via on premises and cloud solutions respectively are what some call “hybrid hosting”. Policy consistency is important to a successful hybrid hosting implementation. That is the ability to define user access policy on one policy server and propagate it to on-premises and cloud providers, providing common enforcement, single consolidated reporting and a better user experience.

Key to hybrid hosting is the mobile client. Cisco has built connection intelligence into the Cisco AnyConnect Secure Mobility Client. AnyConnect manages connections by finding a trusted network, meaning assessing if the connection is a secure enforcement point. If an end-point is currently connected to an unsecured public internet link, but the user application requires a secure connection, Secure Mobility Client will find it without operator intervention. Optimal gateway detection is another feature that automatically finds the fastest gateway for VPN access and connects to it.

Security For Thin Client End-points: Full Context Awareness

As end-point devices become thinner and thinner, meaning devices with less processing power and memory, the harder it is to enforce security on the end-point. Laptops can run sophisticated AV and scanning software to protect the end-point, but this software will not run on iPhones, BlackBerries, Android, etc., as they don’t possess adequate resources to run the code. Therefore as end-points become thinner and their numbers balloon while threats continue to be more sophisticated and web-based the question is how to protect these devices and corporate IT assets from them if they become infected? The answer is to leverage the processing power that resides within the network. With the network providing security services on behalf of thin client mobile end-points, a consistency across devices is gained that is independent of end-point type. Malware or exploits are identified along with web site destinations, policy can be enforced, reporting is captured and in the process IT Security leaders gain visibility.

For web security AnyConnect has integrated Cisco’s Web Security Appliance, which provides malware security, acceptable use, access control, and data security for web traffic. By performing this in the network rather than the end-point it’s possible to obtain powerful security capabilities such as multiple layers of malware defense and web application controls which are very difficult to deliver, especially across a breadth of end-points via an end-point solution.

Malware defense includes Web reputation, which is delivered by Cisco’s Security Intelligence Operation (SIO), and is effectively a risk rating for how likely a specific Web object is to be hosting malware. Additionally, multiple AV signature sets are run in parallel on suspicious traffic providing better coverage than any single engine. Currently Cisco offers Webroot and McAfee, and is planning to offer Sophos in the near future.

For acceptable use, Cisco offers standard URL filtering. But URL filtering has become less effective as the number of pages on the Web is exploding, making it impossible for URL lists to keep up. To address this, Cisco dynamically categorizes web sites in real-time. In addition, Web 2.0 sites and tunneling applications mean that a URL filter is not enough to protect users or create meaningful policy. Enter application control. What Cisco has done to expose web traffic is build an engine that understands web traffic and applications that traverse within it. That is to be able to identify if the traffic is IM, WebEX, Facebook, Facebook chat, an application running on Facebook such as Mafia Wars, Twitter, streaming media, etc. With all traffic being distinguished Web Security Appliance’s application control can “block” or “allow” the traffic but more importantly provide greater policy granularity.

Consider this. An IT leader can develop a policy that allows chat on IM, but it’s a data security violation if a user attempts to send a file via IM. Or a user can participate in a WebEx session but he/she can’t relinquish remote control of his/her desktop because it’s a security violation. A user may be allowed to go to Facebook and read, but not post as this may be a potential DLP risk. Cisco’s AnyConnect Web Security Appliance offers this deep application control thanks to its parsing of web traffic and subsequent policy granularity.
It’s difficult if not impossible to obtain this level of security and policy enforcement even on a traditional mobile end-point like a laptop. Imagine trying to make it possible for all of those smartphones that are flooding into the enterprise; virtually impossible. This is the value of Cisco’s network-based approach.

With SaaS Growth, IT Managers May Become Less Relevant

With the large number of mobile devices that access SaaS applications that are out of an IT leader’s control and visibility, IT leaders have become concerned with their own relevance. Most SaaS purchases are in fact not from IT departments but from business unit or line of business managers. Therefore, IT becomes less relevant as IT leaders don’t see this surge in SaaS application use, how to secure it and protect existing IT assets from potential threats. As SaaS use grows so does this challenge to IT.

To address this challenge, Cisco is building in SAML (Security Assertion Markup Language) assertion into the Cisco IronPort Web Security Appliance, in addition to authenticating web traffic as it egresses the enterprise. IronPort already works with AD (Active Directory) and LDAP to authenticate users. Therefore, Cisco is adding the capability to create a SAML token, which will offer a better user experience by delivering single sign-on into SalesForce, WebEx, Concur, Google Docs, and all SaaS applications that support SAML.

SaaS Access Control

What this does for IT leaders is provide control back as IT can demand that their SaaS providers support SAML token, meaning that users can’t access the SaaS application directly but through the corporate network. So if a user is at home he/she can’t go directly to SalesForce.com and download a customer list onto his/her home PC or onto an unmanaged end-point. Users have to come back through the corporate infrastructure via AnyConnect to obtain their token. This provides IT leaders with both control and visibility independent upon where applications are hosted; be it in their data center or the cloud. With this link to all applications IT leaders can apply access control policy, data security policy and in the event of data loss or theft IT leaders now have granular forensic evidence too. With SAML token in IronPort, IT leaders have both control and great visibility that gives them the confidence to enable SaaS applications for workers and remain relevant. This is a huge point as many companies don’t know how many SaaS applications are being used. Cisco for example has over 350 SaaS application in use throughout their corporation, which is more than likely the rule rather than the exception.

One critical challenge SaaS presents is when employees leave or are terminated from their employer. How does IT remove access to these SaaS applications? It’s easy if there are only a few SaaS applications in use, but when the number of SaaS applications grows to the tens and hundreds the process becomes daunting and DLP vulnerabilities increase. With Cisco’s Web Application Controls IT can simply implement a zero day revocation; that is pull the terminated employee’s credential out of the AD and all access to every SaaS application is terminated.

What AnyConnect is offering IT leaders is the assurances and safeguards to say yes to employees to use the IT tools they desire, be it a laptop, iPhone, SaaS applications, Android, Blackberry, etc. For users, they get a simplified way to connect to applications independent upon where they are hosted along with the protections and safeguards once only available to them while in their offices behind the corporate perimeter. From a security leader perspective they get increased control and more security as AnyConnect extends out to that entire mobile workforce. Cisco’s AnyConnect promises to successfully thread the needle to avoid the typical tradeoffs that accompany security products such as security versus business process or security versus user experience. With AnyConnect IT leaders will be able to enable business mobility, increased user experience, and protect corporate assets through strong security services. In short the AnyConnect Secure Mobility Client offers a simple use model for mobile workers that leverages Cisco’s ASA, IronPort Web Security Appliance, SIO, and more then likely in the future ScanSafe, to wrap a corporate perimeter around its mobile workforce.

For existing Cisco customers that utilize ASA and WSA their implementation of AnyConnect is straightforward and the ability to absorb this innovation fast. These IT organizations would install AnyConnect Secure Mobility Client on end-points with required configuration changes to ASA and WSA. AnyConnect can be implemented piece meal too starting with AnyConnect Secure Mobility Client and ASA adding other security defenses when appropriate.

But to make AnyConnect a success Cisco needs to expand its smartphone support and prove that its AnyConnect Secure Mobility Client is indeed as simple and invisible as it claims. Also IT leaders will have to get comfortable with and trust the various enforcement points and its policy granularity. AnyConnect will have to work in conjunction with other security technology such as anti-malware engines, PIN locks and data encryption, plus remote data wipe to protect against lost devices. Look for Cisco to partner with others to deliver these aspects of mobile security. The key value proposition of AnyConnect is a simple yet powerful user experience. The success of AnyConnect rests upon Cisco’s ability to deliver on the promise of an exceptional user experience with an always-connected remote access and security architecture.

Tweet

IT leaders are not comfortable with mobile computing security. And they do have a lot to be concerned about as securing a plethora of different devices accessing both corporate and SaaS applications from a vast array of locations and network access methods is a challenge. Traditional VPN methods are too cumbersome for users and don’t factor the huge growth in SaaS application use. A new model for securing remote and mobile access is needed and Cisco has delivered one. Cisco just launched AnyConnect Secure Mobility Client that offers a simple use model for mobile workers that leverages Cisco’s ASA, IronPort Web Security Appliance, ScanSafe, and SIO to wrap a corporate perimeter around its mobile workforce. Kevin Kennedy, Product Marketing Manager at Cisco Systems discusses a new approach to securing mobile computing.

Listen to the Podcast

Tweet

Hear how virtualization has spread beyond the data center into the core network to increase utilization, security, and functionality.

Listen to the podcast here

Visit the Link

Tweet

Info-Tech Research Group found that in each case, the five- year TCO of 3Com’s H3C portfolio is lower than its comparable Cisco products, across 1000-, 3000-, and 5000-user campus LAN scenarios. Cisco charges a price premium of 34% to 40% over H3C solutions, which fluctuates depending on the design. These percentages translate into thousands of dollars in cost-savings for customers who choose H3C and H3C infrastructure. Given the turbulent economic climate, this can mean more money for other projects, fewer job cuts, or even a stronger bottom line.

Download Info-Tech Research Group’s campus TCO analysis here.

Get the White Paper

Tweet

By Cisco

The adoption of cloud-based computing and applications promises to improve the agility, efficiency, and cost effectiveness of IT operations required to provision, scale, and deliver applications to the enterprise. However, as with other new technology trends, delivering applications from the cloud to the remote sites creates additional challenges in application performance, availability, and security. This document discusses some cloud deployment scenarios and shows how Cisco WAAS solves application-delivery challenges for customers.
To understand how cloud-based application-delivery challenges can be overcome download this white paper.

Get the White Paper

Tweet

No matter where you look today the structure of IT is fundamentally changing. Applications are being increasingly accessed from mobile devices along with traditional laptop, desktop and even kiosk machines. Applications are downloaded for free or a few dollars on mobile devices, while cloud computing and anything as a service offers a new approach to application delivery. As a result corporate application portfolios are shifting in their mix under IT leaders from one of total control to partial to none. In short, IT leaders are finding that the largest application growth in their corporation is coming from outside of their traditional perimeter and with no control knobs. In essence applications and networks are becoming borderless.

While borderless networks offer productivity improvements allowing work to follow individuals, IT leaders are concerned about its security implications, that being how do I secure corporate assets when applications are being accessed and used within and outside of corporate perimeters? Can IT leaders deliver the ease of use afforded by borderless networks securely? In this Lippis Report Research Note we offer an approach to securing networks without borders.

Traditionally security has taken the form of a perimeter environment where IT assets are housed in the data center under tight corporate control. This environment offers the ability to protect and control these assets. For example, remote access via VPN for employees, customers, suppliers and partners access can be managed as security is managed via firewall perimeter. This approach is the traditional security model and it will stay in place for a long time to come.

But IT is fundamentally changing. There is tremendous diversity in network access from a device, network type and geographic independence points of view. The explosion in device diversity accessing networks, be it smart mobile phones such as the iPhone, blackberry, Nexus One, Android or laptops, notebooks, desktop, readers and kiosk is challenging traditional IT security norms. Not too long ago IT leaders would distribute a corporate-approved computer with a locked corporate standard software image to employees as their IT tools. Not any longer; legitimate business applications have arrived for mobile devices and cloud computing scenarios offer new approaches to application development and delivery. In addition a richness and increased velocity of applications tunneling through Port 80 further challenges perimeter security and IT control. The new world of IT is device diversity, network access point diversity and application diversity, changing how IT leaders mitigate threats while enabling users freedom of access to applications without boundaries.

As device and application diversity flourish, data too is increasingly being distributed. This is very different from the early 2000s IT model and before that as data was centralized in data centers. What used to be stored in a data center and locked behind a firewall is shifting out into clouds. Salesforce.com offers a good example of how proprietary information such as sales leads and prospects are now outside a corporate perimeter and into a public cloud. Further, most corporations don’t know how much their employees are using clouds or SaaS offerings for mission critical business functions. One client conducted an internal survey asking business and IT leaders “how many kinds of SaaS cloud-based applications do you use?” The initial answer was “probably a dozen or so.” After an audit, the real answer was well over 300 SaaS applications were being used from ADP, engineering to Salesforce. The bottom line is that there are a tremendous number of applications already moving outside the data center and the question now being asked is how to protect corporate assets in this new IT environment.

The New World IT Order

With device, network access and application diversity booming along with distributed data, more and more of IT is happening outside the traditional corporate boundary or perimeter. The diversity trend while small in terms of overall corporate application use will only grow and may very well dominate typical corporate application portfolio mixes in the next five years. But in the mean time the traditional perimeter does not go away but needs to be a pillar in a more expansive overall approach to securing borderless networks.

Borders by nature define trust and create trust boundaries. The European Union has eliminated many borders such as walls, physical access, currency differences, etc., but what remains are rules, regulations, passports, etc. The EU reconfigured their boundaries to allow greater freedom of movement and trade. Networking is undergoing a similar transition as corporate defense shifts from a single perimeter to a set of pervasive fungible perimeters or trust boundaries where protection is pushed out to follow users around based on what application they are using, how network access is gained and on what device. Security services have to move in this direction as forcing the new world order of IT into an old world IT security model will not scale and defend corporate IT assets.

For example, IT leaders could choose to back haul all their internet connections to a central site but this will clog their enterprise network, drive up internet access bandwidth and routing requirements plus slow application performance. In addition with more and more devices such as mobile end-points, notebooks, etc., readers connect to the network differently than laptops, IP phones, desktops, etc., and thus don’t lend themselves to back hauling. Therefore, IT and business leaders are thinking about a need to provide IT delivery in the cloud, or maybe perhaps a virtual environment. A much more dynamic approach is needed for applying security in the new IT world order.

An Approach to Borderless Security

One approach is to utilize a family of existing security appliances including firewalls, IPS, web filtering, web security, email security, VPN, etc., as a security enforcement array. These appliances could be put to work to enforce existing and create new trust boundaries such as cloud security, the enterprise perimeter, mobile security, etc. The enforcement array can be segmented into four architecture components. Cisco is the only large IT company to embrace this approach thus far. Cisco breaks down a secure borderless network into 1) Borderless End Zone; 2) Borderless Internet; 3) Borderless Data Center; and 4) Borderless Policy.

The Borderless End Zone provides security services to end-point devices such as securing the end-point and obtaining secure network access. End-point security is increasingly important as a plethora of new mobile and innovative end points have emerged and are consumed in mass. One significant trend is that end-points are thin with little footprint or storage/memory for large security agent software. In addition mobile end-points access networks and IT assets differently than traditional laptops and desktops, requiring a different approach to protecting today’s powerful mobile devices that preserve the ease of user experience. A transparent VPN connection that is able to select an appropriate persistent network connection and apply the right kind of security independent of end point device without user intervention will go a long way to securing new thin and mobile end-points.

The second component is the Borderless Internet which plays a large enforcement array role by delivering real time threat protection, signatures, etc., to existing gateways, appliances and network infrastructure to make enforcement decisions. For example, even though users may be accessing cloud-based applications as simple as email and not even traversing back to their corporate premise, a borderless internet applies some of the same security policies and protections afforded to them within their enterprise to enforce what users can do and then protect them from exploits and threats. Expect to see large security portfolio moves into this enforcement array as the borderless internet develops.

The third security component of a secure borderless network architecture is a Borderless Data Center. Data center network security has become more critical, particularly as servers and soon I/O becomes virtualized. Data center security services such as firewalls, et al., are becoming virtualized, affording a wide range of threat protection without additional hardware. There is a new dynamic security model needed in the data center that allows security services to move without operational intervention when VM workloads are moved. To address dynamic security more security services are required in the hypervisor such as moving firewall features closer to the virtualization layer.

The fourth and last security component of a secure borderless network architecture is Borderless Policy including access control, acceptable use, data security and exploit mitigation. Policy has traditionally been focused on permissions and access control of resources within the corporate perimeter, but policy now needs to be pushed out across enterprise, internet and mobile networks to follow users and afford them policy enforcement. In other words, as users traverse outside their corporation using different devices, network access and a mix of applications how do IT leaders provide the same policy enforcement across a global network and ensure that access and data usage is appropriate while protecting users and corporate assets from exploits, threats and malicious websites, avoiding back haul into the corporate perimeter?

The main point of borderless policy is to enable IT leaders to make greater policy decisions that are pushed out across a global network that factors who, what, when, where and how a user accesses networked resources. Borderless policy will strive to provide ubiquitous control over how users are using IT assets across different devices. To achieve this, policy needs to be translated into code that a machine understands, can enforce, and then monitor.

Securing networks without borders needs to provide protections and enforce policy in a new set of use scenarios that are growing rapidly in their adoption and use within corporations. This is not to say that existing IT security is not critically important. None of today’s security appliances will be displaced or removed any time soon. Private data centers will be with us for decades as will the need for effective corporate perimeters. IT leaders want to leverage existing security investments to protect corporate IT assets when users access applications on mobile end-points, across and behind the perimeter. The Secure Borderless Network offers an approach of providing security, protection by setting new boundaries for a different IT use and delivery model that will only accelerate as the global economy continues its recovery.

Tweet

Garter has moved Cisco up to the Leaders Quadrant in its Magic Quadrant for 2009 Secure Web Gateways. Gartner reflected in their analysis that Cisco’s long-term focus on innovation and quality has resulted in market leadership. Garter identifies the following Cisco strengths.

On-Premise
* On-box malware prevention
* Performance & scalability
* DLP
* Real-time categorization

Cloud
* Simple management interface
* Reporting
* Ease-of-deployment
* Real-time categorization

Visit the Link

Tweet

Gartner has recognized Cisco as a Leader in the 2009 Magic Quadrant for SSL VPNs. Cisco has made the move from Visionary Quadrant last year to the Leaders Quadrant on the strength of its innovative AnyConnect VPN technology and direction. Here are a few items Gartner highlights in the report:

* Cisco is the only vendor to move from a non-leader position into
the Leaders’ Quadrant

* Cisco is forging the path as 10 of the surveyed vendors consider
Cisco a major competitive threat

* Cisco exceeded all other vendors in the number of new concurrent
SSL VPN seats in the period

* Gartner clients report that feedback and satisfaction with the
Cisco SSL VPN product have improved significantly

Visit the Link

Tweet

By Cisco Systems

The Cisco Annual Security Report provides an overview of the combined security intelligence of the entire Cisco organization. The report encompasses threat information and trends collected between January and December 2009. It also provides a snapshot of the state of security for that period, with special attention paid to key security trends expected for 2010.

Get the White Paper