Blog

What is a Zero Trust Philosophy?

The Mindset

One of the current trends in IT security that gets a lot of press and discussion is the idea of zero trust. Zero trust, however, is a philosophy, not a plan of action. Specifically, it is the philosophy that every IT resource, whether internal or external, should be treated as untrusted or even potentially compromised. While the philosophy is simple, applying it to a live environment can be anything but simple. Adopting a zero trust mindset requires a holistic approach to security and good cooperation between all stakeholders in the organization. It extends beyond the technology infrastructure to the employees and to organizational policies themselves. It is also important to remember that the threat landscape is always changing: what was good practice five years ago may not be today. This is what drove

User to Machine Security

Zero Trust in the Datacenter – Protecting Your Servers from Your Users

For the first part of our exploration of the zero trust philosophy, we're going to look at the datacenter.

It's All in the Flow

When we look at the datacenter we have two types of traffic flows, each of which needs to be looked at from a security perspective. First is user to machine security. Protecting datacenter resources from users has always been a necessity; however, the types of threats, and what we consider a user, have changed a lot over the years. Second is machine to machine security. This area of datacenter security is much newer and has historically been challenging and expensive to implement. We'll focus on user to machine security for now; machine to machine security will be discussed in a future post.

Note: What we discuss here can easily be
A common topic of conversation with our Cisco Call Manager (“CUCM”) customers has been whether or not Microsoft Teams can act as a softphone for CUCM. The answer is … sort of. Let's look at the process of getting this working. First and foremost, at the time of this writing, calling from CUCM to MS Teams directly is not supported by Cisco, so don't expect to call TAC if you have problems. As best we can tell, Microsoft doesn't seem to care what third-party PBX you're using as long as you're using a supported Session Border Controller (SBC). What Cisco does support is using their SBC, the Cisco Unified Border Element (“CUBE”), as an intermediary between a PSTN provider (e.g. a SIP carrier) and MS Teams (Microsoft refers to this as “Direct Routing”). The CUBE/Microsoft configuration is documented here. Aside from being quite a long read and somewhat difficult to re-type,
Navigating RESTCONF for Cisco Network Engineers

In both my personal education and in work projects, there's been a slow but steady move into network automation. This document is written from the angle of a network engineer, and as such it approaches the topic as a move from the CLI to a true programmatic interface in an efficient manner.

What you can expect to gain from reading:

- The 'cliff notes' version of RESTCONF
- The 'cliff notes' version of YANG
- The 'cliff notes' version of the pyang tool
- Basic use of Postman
- A quick & dirty way to implement working RESTCONF on a Cisco device
- An elegant way to implement RESTCONF on a Cisco device

What you should not expect:

- Any Python (or any other programming language) education. There are countless trainings for Python elsewhere on the web.
- A deep dive of REST. This article assumes the reader has familiarity already.
- Much detail on NETCONF. While
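As an added example (not code from the original post), the following Python shows the shape of a RESTCONF exchange against an IOS-XE device once `restconf` and `ip http secure-server` are enabled: how the `/restconf/data` URL and YANG-JSON headers are built, why a list key such as `GigabitEthernet1/0/1` must be percent-encoded, and how a constructed `ietf-interfaces` reply is interpreted. The hostname, credentials, CA file and the sample response are assumptions; the live request in the `__main__` block is the only part that touches the network, and it verifies the device certificate rather than disabling TLS checks.

```python
"""RESTCONF request construction and response handling for IOS-XE.

Added example; not part of the original article. Assumptions: the device
was enabled for RESTCONF with `restconf`, `ip http secure-server` and
`ip http authentication local`, has a privilege-15 local user, and the
HTTPS server is restricted to management addresses with an access-class.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

YANG_JSON = "application/yang-data+json"


def restconf_url(host, path, keys=None):
    """Build a /restconf/data URL. List keys go after '=' and must be
    percent-encoded with no safe characters: an unencoded '/' in
    'GigabitEthernet1/0/1' would be parsed as a path separator."""
    url = f"https://{host}/restconf/data/{path}"
    if keys:
        url += "=" + ",".join(urllib.parse.quote(str(k), safe="") for k in keys)
    return url


def restconf_headers(user, password):
    """RESTCONF on IOS-XE uses HTTP Basic auth over TLS and YANG-JSON bodies."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {
        "Accept": YANG_JSON,
        "Content-Type": YANG_JSON,
        "Authorization": f"Basic {token}",
    }


def interface_patch_body(name, description, enabled=True):
    """Body for PATCH .../ietf-interfaces:interfaces/interface=<name>."""
    return {
        "ietf-interfaces:interface": {
            "name": name,
            "description": description,
            "enabled": enabled,
        }
    }


def enabled_interfaces(response):
    """Names of admin-up interfaces from a GET of ietf-interfaces:interfaces.
    The YANG default for 'enabled' is true, so a missing leaf means up."""
    ifaces = response["ietf-interfaces:interfaces"]["interface"]
    return [i["name"] for i in ifaces if i.get("enabled", True)]


def fetch(url, headers, cafile):
    """GET with certificate verification against the CA that signed the
    device's HTTPS certificate. Do not replace this with verify=False."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


# Constructed sample of what the device returns for the interfaces container.
SAMPLE_RESPONSE = {
    "ietf-interfaces:interfaces": {
        "interface": [
            {"name": "GigabitEthernet1", "type": "iana-if-type:ethernetCsmacd",
             "enabled": True},
            {"name": "GigabitEthernet1/0/1", "type": "iana-if-type:ethernetCsmacd",
             "enabled": False},
        ]
    }
}


if __name__ == "__main__":
    # Live call; host, credentials and CA bundle are placeholders.
    url = restconf_url("sw1.example.net", "ietf-interfaces:interfaces")
    data = fetch(url, restconf_headers("admin", "change-me"), cafile="device-ca.pem")
    print(enabled_interfaces(data))
    print(json.dumps(interface_patch_body("GigabitEthernet1/0/1", "uplink to core")))
```

Run it as-is and the percent-encoded URL for `GigabitEthernet1/0/1` is the detail most people trip over first in Postman; the `fetch` function keeps certificate validation on because a management API that authenticates with a Basic header is exactly the traffic you do not want intercepted.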
What other applications does DNA have?

Cisco's DNA Center appliance is generally talked about in the context of SD-Access (SDA), but SDA is a complex technology that involves significant planning and re-architecture to deploy. DNA Center is not just SDA, though: it has multiple features that can be used on day 1 to cut down on administrative tasks and reduce the likelihood of errors or omissions. From conversations with our customers, the most asked-for capability is software image management and automatic deployment, and that is something DNA Center handles extremely well compared to many other solutions out there.

Wait… I can manage software updates with DNA?

Managing software on network devices can be a substantial time burden, especially in businesses that have a substantial compliance burden and require regular software updates. Add to this the increasing size of network device images – pretty much all the major switch and router
Two of the lesser known yet extremely useful features present in the Catalyst 9000 and many other route/switch products in Cisco's lineup are Guest Shell and Application Hosting. Both of these features rely on Cisco's use of Linux as the underpinning of their various network OSes and on the use of x86 CPUs in the devices. As Catalyst 9000 switches are the most common and accessible, we'll focus on this platform for now.

Guest Shell

Guest Shell gives the switch operator access to two alternate CLI environments: a Bash shell and a Python 3 interpreter. From these environments, scripts can be written and executed. Further, IOS features like EEM can call Python or Bash scripts, and conversely these scripts can call into the IOS CLI or the NETCONF API, allowing a significant boost in automation capability.

Application Hosting

Application hosting is the next step beyond
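As an added example (not code from the original post), here is the kind of script the Guest Shell Python interpreter makes possible: it pulls the running configuration through the `cli` module that Guest Shell exposes, then audits it for management-plane weaknesses (reversible `enable password`, plaintext `ip http server`, read-write SNMP communities, vty lines that still accept telnet). The `cli` import and the constructed sample config are assumptions; when the module is absent, as it is off the switch, the script audits the sample instead so it runs anywhere.

```python
"""Guest Shell config audit for IOS-XE (added example, not the post's own code).

Assumption: on the switch, Guest Shell provides a `cli` module whose
cli.cli("show running-config") returns the config as text. Off the switch,
the constructed SAMPLE_CONFIG below is audited instead.
"""
import re

# Constructed sample running-config with several deliberate weak settings.
SAMPLE_CONFIG = """\
hostname lab-sw1
!
enable password cisco123
!
ip http server
ip http secure-server
!
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 transport input all
line vty 5 15
 transport input ssh
!
end
"""


def parse_blocks(config):
    """Group indented sub-commands under their parent command, so that
    'transport input' can be tied back to the 'line vty' that owns it."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(config):
    """Return a list of human-readable findings for the weak settings checked."""
    findings = []
    for cmd, children in parse_blocks(config):
        if cmd.startswith("enable password"):
            findings.append("enable password is reversible; use 'enable secret'")
        elif cmd == "ip http server":
            findings.append("ip http server: plaintext HTTP management enabled")
        elif cmd.startswith("snmp-server community"):
            parts = cmd.split()
            if "RW" in parts[3:]:
                findings.append(f"{cmd}: read-write SNMP community")
        elif cmd.startswith("line vty"):
            for child in children:
                m = re.match(r"transport input (.+)", child)
                if m and m.group(1) != "ssh":
                    findings.append(f"{cmd}: transport input {m.group(1)} permits telnet")
    return findings


def running_config():
    """Fetch the live config inside Guest Shell; fall back to the sample elsewhere."""
    try:
        import cli  # provided by Guest Shell on the switch (assumption)
        return cli.cli("show running-config")
    except ImportError:
        return SAMPLE_CONFIG


if __name__ == "__main__":
    for finding in audit(running_config()):
        print("FINDING:", finding)
```

Dropped into the guest-share directory it can be run on a schedule from an EEM applet with `guestshell run python3 <path>` as the applet's CLI action (the exact applet is an assumption, not shown in the post); since the script runs with the switch's own CLI privileges, treat the guest-share path as config-authoring access and restrict who can write to it.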
