Lukas Krattiger and Max Ardica Presented at Tech Field Day Extra at Cisco Live EMEA 2024
This presentation took place on February 7, 2024, from 13:00 to 15:00.
Presenters: Andrew McPhee, Lionel Hercot, Lukas Krattiger, Max Ardica, Shangxin Du
Presentation Schedule
- 13:00-14:00 – NIS2 Compliance with Cisco Industrial Security
- 14:00-14:30 – Secure Interconnection of Heterogeneous Fabrics (ACI and VXLAN EVPN)
- 14:30-15:00 – Event-Driven Automation with Shangxin Du and Lionel Hercot
Follow on Twitter using the following hashtags or usernames: #CiscoLiveEMEA, #CiscoLiveEMEA24, #TFDx
NIS2 Compliance with Cisco Industrial Security
Andrew McPhee, a solution manager for industrial security at Cisco, discusses how Cisco Cyber Vision and Cisco Secure Equipment Access can assist with NIS2 compliance. NIS2 is a European Union directive that mandates cybersecurity measures for critical industries. Andrew explains the importance of NIS2 as a forcing factor for industries to implement security measures, and notes that it applies to a wide range of industrial verticals.
He highlights the need to understand the risk profile of devices on a network, manage supply chain security, handle vulnerabilities, and implement access control policies, including multi-factor authentication. Andrew emphasizes the role of Cisco Cyber Vision for deep packet inspection and asset visibility in operational technology (OT) environments, which helps assess vulnerabilities and risks. He also discusses Cisco Secure Equipment Access for remote access, moving towards a Zero Trust Network Access (ZTNA) model.
Andrew demonstrates Cisco’s IoT Operations Dashboard, which facilitates secure remote access to network devices and systems. He explains how the dashboard can be used for both clientless and client-based access, with features like session recording and scheduled access for vendors. The demonstration includes an overview of Duo, Cisco’s multi-factor authentication platform, and how it integrates with Secure Equipment Access for identity verification and policy enforcement.
Next, Andrew presents Cisco Cyber Vision, which provides a risk analysis of OT networks through passive monitoring and deep packet inspection. Cyber Vision can detect changes in the network, create baselines, and generate security reports. It can also integrate with Cisco’s Identity Services Engine (ISE) to implement segmentation based on the zones and conduits model from the IEC 62443 standard. He explains how Cyber Vision can share information with ISE to assign devices to security groups and enforce policies.
Throughout the discussion, Andrew addresses questions from the audience regarding the capabilities, integrations, and potential applications of the technologies presented. He clarifies how Cisco’s solutions can be adapted to various network architectures and the benefits of implementing security group tags for macro and micro-segmentation in industrial networks.
Personnel: Andrew McPhee
Cisco Secure Interconnection of Heterogeneous Fabrics (ACI and VXLAN EVPN)
In this presentation, Lukas Krattiger and Max Ardica from Cisco’s Data Center Business Unit discuss new functionalities for Cisco Data Center networking. They focus on the secure interconnection of heterogeneous fabrics, specifically integrating ACI (Application Centric Infrastructure) and standard VXLAN EVPN (Ethernet VPN) fabrics.
Max introduces the concept of the ACI Border Gateway, which is a device that allows for controlled connectivity between different leaf-spine topologies, enabling the extension of layer 2 and layer 3 connectivity in a controlled manner. The ACI Border Gateway operates in a standard VXLAN EVPN fashion to interconnect with VXLAN EVPN border gateways of other fabrics. This allows for the expansion of a network using either ACI or VXLAN EVPN fabrics within the same multi-fabric domain.
They also introduce the VXLAN Group Policy Option (GPO), which provides secure group segmentation within a VXLAN EVPN fabric, similar to the concept of SGT (Security Group Tag) discussed in a previous session. GPO enables microsegmentation and service chaining, allowing administrators to direct traffic through firewalls or other network services as part of a security policy.
Lukas and Max emphasize the importance of using a control plane to exchange group information, allowing for optimal traffic flow by applying security policies at the ingress leaf. This approach is more efficient as it avoids sending unnecessary traffic across the network only to be dropped at the destination.
The discussion also touches on the need for policy authoring and enforcement, which will be facilitated by software tools like Nexus Dashboard or Ansible playbooks, allowing for consistent policy application across ACI and VXLAN EVPN fabrics.
Throughout the conversation, they address scalability, resource management, and the benefits of using border gateways to abstract network complexity and control inter-fabric connectivity. They also mention the possibility of synchronizing policy across different network domains and the potential integration with third-party security management tools.
Personnel: Lukas Krattiger, Max Ardica
Cisco Event-Driven Automation with Shangxin Du
Shangxin Du, a technical marketing engineer from Cisco’s data center switching team, discusses Event-Driven Automation (EDA) in network operations. EDA is a method that automates network configuration changes in response to specific events, aiming to streamline repetitive tasks and mitigate risks during network incidents.
Initially, Shangxin outlines how customers currently manage network configuration, using tools like Ansible, Terraform, Python, or SSH to automate tasks individually or through controllers like Cisco’s ACI for more centralized management. He also touches on the concept of Infrastructure as Code (IaC) and CI/CD pipelines for more integrated change management.
Next, he discusses network observability, emphasizing the importance of monitoring the network for operational data, which is vital for understanding the network’s real-time status. He explains how Cisco’s Nexus OS supports streaming telemetry, and how ACI uses a centralized controller (APIC) to manage configurations and operational data.
Shangxin then introduces the concept of Event-Driven Automation, which combines configuration automation with monitoring to automatically respond to network events. This can help in automating low-risk repetitive tasks, remediating incidents, and enriching support tickets with relevant data for quicker resolution.
He provides a demonstration of EDA using Ansible Rulebooks, which define sources, rules, and actions based on network events. The demo includes two use cases:
- Auto-segmentation in ACI, where endpoints are automatically moved to the correct Endpoint Group (EPG) based on MAC address mapping.
- Auto-remediation in Nexus OS, where a leaf switch is removed from the forwarding path if multiple uplinks go down, to prevent it from affecting network traffic.
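The second use case, written out as an added example Ansible Rulebook (not code from the presentation or from Cisco): a leaf is only pulled from the forwarding path when both of its uplinks report down inside a short window, so a single flapping link does not trigger the remediation. The switch name, interface names, webhook port, event payload fields and playbook file name are all assumptions.

```yaml
# Added example rulebook (not from the presentation or Cisco). Assumed: the
# telemetry collector POSTs JSON such as
#   {"switch": "leaf-1", "interface": "Ethernet1/49", "state": "down"}
# to http://<rulebook-host>:5000/endpoint, and isolate_leaf.yml is a playbook
# that withdraws the named leaf from the forwarding path.
- name: Leaf uplink auto-remediation
  hosts: all
  sources:
    # The webhook listener has no authentication of its own; in production put
    # it behind TLS and an authenticating proxy so a forged event cannot trigger
    # the isolation playbook.
    - ansible.eda.webhook:
        host: 0.0.0.0
        port: 5000

  rules:
    # Both uplinks of leaf-1 must be reported down within two minutes of each
    # other; the multi-event "all" condition with a timeout enforces that.
    - name: Isolate leaf-1 when both uplinks are down
      condition:
        all:
          - event.payload.switch == "leaf-1" and event.payload.interface == "Ethernet1/49" and event.payload.state == "down"
          - event.payload.switch == "leaf-1" and event.payload.interface == "Ethernet1/50" and event.payload.state == "down"
        timeout: 2 minutes
      action:
        run_playbook:
          name: isolate_leaf.yml
          extra_vars:
            switch: leaf-1

    # A single uplink failure is only logged; no configuration change is made.
    - name: Log a single uplink failure
      condition: event.payload.state == "down" and event.payload.interface in ["Ethernet1/49", "Ethernet1/50"]
      action:
        debug:
          msg: "Uplink {{ event.payload.interface }} on {{ event.payload.switch }} is down; no remediation yet"
```

Run it with `ansible-rulebook --rulebook <file> -i inventory.yml` (inventory assumed) and post the two interface-down events to the webhook to see the playbook fire only after the second one.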
Shangxin concludes that EDA offers limitless possibilities, allowing any source of events to trigger any automation response, depending on the rules defined. He also answers a question about the possibility of implementing a low-code solution for EDA in the Nexus world, similar to what’s available in other Cisco solutions like DNA Center. He suggests that while it’s a good idea, the current approach is to use existing tools and infrastructure for automation due to the diversity of customer preferences and practices.
Personnel: Shangxin Du