Cisco has rolled out a new family of switches, software, developer tools and blueprints to meld IoT and industrial networking with intent-based networking and classic IT security, monitoring and application-development support.
To take on the daunting task the company unveiled a new family of industrial-networking Catalyst switches, IoT developer tools and support for Cisco’s DevNet developer program, and it validated IoT network design blueprints customers can work with to build solid IoT environments.
“We have over 40,000 customers with IoT technology in all manner of applications – from connected roadways and cars to healthcare – and many face the same challenges in deploying IoT – project complexity, scale, and end-to-end security,” Vikas Butaney, vice president of product management for IoT at Cisco said. “We are bringing to those customers a manageable, secure network that will let them deploy IoT at a massive scale.”
For the core of this network environment Cisco will bring a family of new ruggedized industrial networking systems. Specifically the Cisco Catalyst IE3x00 series of Gigabit Ethernet switches and IR1101 Integrated Services Routers that Cisco says were purpose-built for IoT environments. The IR1101 are modular so customers can upgrade to new features such as 5G without ripping and replacing.
All IE3x00 and IR1101 systems run IOS XE, the operating system used in Cisco’s existing campus, branch and WAN networking devices. The new platforms can be managed by Cisco’s DNA Center, and Cisco IoT Field Network Director, letting customers fuse their IoT and industrial-network control with their business IT world.
DNA Center is Cisco’s central management tool for enterprise networks, featuring automation capabilities, assurance setting, fabric provisioning and policy-based segmentation. It is also at the center of the company’s Intent Based Networking initiative offering customers the ability to automatically implement network and policy changes on the fly and ensure data delivery. The IoT Field Network Director is software that manages multiservice networks of Cisco industrial, connected grid routers, and endpoints.
Taking DNA Center’s features into an industrial IoT-based network is an important move for customers, analysts said.
“It leverages Cisco’s massive installed base and bridges IT and OT [operational technology traditionally associated with manufacturing and industrial environments] with a common framework,” said Will Townsend a senior analyst with Morr Insights & Strategy.
The industrial IoT rollout has enabled the network edge to extend its natural boundaries into places that traditional IT and network support hasn’t had to have a lot of complexity and innovation, noted Vernon Turner, Principal and Chief Strategist at Causeway Connections.
“Now that there is a lot of application development and deployment being done at the ‘Extended Enterprise,’ it is only natural that a company such as Cisco follows with its capabilities in software, Turner said. “In particular, the ability to drive intent-based network functionality is critical for industrial-based workloads that now demand traditional IT-based attributes such as security, scale and flexibility.”
One of the stumbling blocks for success is the customer experience of end-to-end integration and delivery of services. “For example, there can’t be natural breaks between sensor-based data being generated by a shop-floor robot on a production line and the enterprise back-office systems for parts and material because of either different networks and different data systems – they both need to be delivered in a seamless manner,” Turner said.
In addition to the hardware, Cisco expanded its DevNet developers environment to include an IoT Developer Center where customers can find all manner of IoT and industrial developer tools and support resources.
In addition Cisco rolled out three new Cisco Validated Designs for IoT architectures that customers can use to fast-track IoT deployments. The blueprints are directed at manufacturing, industrial automation and utility designs and define common use cases and security best practices, Cisco said. The company also said it would expand its training resources as part of its IoT Partner Program.
“Industrial apps are a unique blend unto their own, and it is great to see that Cisco is bringing its Developer community to the edge of the network,” Turner said. “Having more apps that are written and supported in a network-based environment can only be good news to both IT and operations management.”
Firewalls been around for three decades, but they’ve evolved drastically to include features that used to be sold as separate appliances and to pull in externally gathered data to make smarter decisions about what network traffic to allow and what traffic to block.
Now just one indespensible element in an ecosystem of network defenses, the latest versions are known as enterprise firewalls or next-generation firewalls (NGFW) to indicate who should use them and that they are continually adding functionality.
What is a firewall?
A firewall is a network device that monitors packets going in and out of networks and blocks or allows them according to rules that have been set up to define what traffic is permissible and what traffic isn’t.
There are several types of firewalls that have developed over the years, becoming progressively more complex and taking more parameters into consideration when determining whether traffic should be allowed to pass. Firewalls started off as packet filters, but the newest do much much more.
Initially placed at the boundaries between trusted and untrusted networks, firewalls are now also deployed to protect internal segments of networks, such as data centers, from other segments of organizations’ networks.
They are commonly deployed as appliances built by individual vendors, but they can also be bought as virtual appliances – software that customers install on their own hardware.
Here are the major types of firewalls.
These firewalls act as a gateway between end users who request data and the source of that data. Host devices connect to the proxy, and the proxy makes a separate connection to the source of the data. In response, source devices make connections to the proxy, and the proxy make a separate connection to the host device. Before passing on packets to a destination address, the proxy can filter them to enforce policies and mask the location of the recipient’s device, but also to protect the recipient’s device and network.
The upside of proxy-based firewalls is that machines outside the network being protected can gather only limited information about the network because they are never directly connected to it.
The major downside of proxy-based firewalls is that terminating incoming connections and creating outgoing connections plus filtering causes delays that can degrade performance. In turn, that can eliminate using some applications across the firewall because response times become too slow.
A performance improvement over proxy-based firewalls came in the form of stateful firewalls, which keep track of a realm of information about connections and make it unnecessary for the firewall to inspect every packet. This greatly reduces delay introduced by the firewall.
By maintaining the state of connections, these firewalls can, for example, forego inspecting incoming packets that they identify as responses to legitimate outgoing connections that have already been inspected. The initial inspection establishes that the connection is allowable, and by preserving that state in its memory, the firewall can pass through subsequent traffic that is part of that same conversation without inspecting every packet.
Web application firewalls
Web application firewalls sit logically between servers that support Web applications and the internet, protecting them from specific HTML attacks such as cross-site scripting, SQL injection and others. They can be hardware- or cloud-based or they can be baked into applications themselves to determine whether each client trying to reach the server should be allowed access.
Packets can be filtered using more than the state of connections and source and destination addresses. This is where NGFWs come into play. They incorporate rules for what individual applications and users are allowed to do, and blend in data gathered from other technologies in order to make better informed decisions about what traffic to allow and what traffic to drop.
For example, some of these NGFWs perform URL filtering, can terminate secure sockets layer (SSL) and transport layer security (TLS) connections, and support software-defined wide area networking (SD-WAN) to improve the efficiency of how dynamic SD-WAN decisions about connectivity are enforced.
Firewalls are not enough
Features that historically were handled by separate devices are now included in many NGFWs and include:
Intrusion Prevention Systems (IPS)
Whereas basic firewall technologies identify and block certain types of network traffic, IPSes use more granular security such as signature tracing and anomaly detection to prevent threats from entering networks. Once separate platforms, IPS functionality is more and more a standard firewall feature.
Deep packet inspection (DPI)
Deep packet inspection is a type of packet filtering that looks beyond where packets are coming from and going to and inspects their content, revealing, for example, what application is being accessed or what type of data is being transmitted. This information can make possible more intelligent and granular policies for the firewall to enforce. DPI could be used to block or allow traffic, but also restrict the amount of bandwidth particular applications are allowed to use. It could also be a tool for protecting intellectual property or sensitive data from leaving a secure network
SSL-encrypted traffic is immune to deep-packet inspection because its content cannot be read. Some NGFWs can terminate SSL traffic, inspect it, then create a second SSL connection to the intended destination address. This can be used to prevent, for instance, malicious employees from sending proprietary information outside the secure network while also allowing legitimate traffic to flow through. While it’s good from a data-protection point of view, DPI can raise privacy concerns. With the advent of transport layer security (TLS) as an improvement on SSL, this termination and proxying can apply to TLS as well.
Incoming attachments or communications with outside sources can contain malicious code. Using sandboxing, some NGFWs can isolate these attachments and whatever code they contain, execute it and find out whether it’s malicious. The downside of this process is this can consume a lot of CPU cycles and introduce noticeable delay in traffic flowing through the firewall.
There are other features that could be incorporated in NGFWs. They can support taking in data gathered by other platforms an using it to make firewall decisions. For example, if a new malware signature has been identified by researchers, the firewall can take in that information and start filtering out traffic that contains the signature.
Gartner, which once used the term NGFW, now says that previous incarnations of firewalls are outmoded and that they now call NGFWs simply enterprise firewalls.
Most popular firewall vendors
According to the latest Gartner ranking of enterprise firewalls, the vendors designated leaders are Checkpoint, Cisco, Fortinet and Palo Alto Networks. Sophos is on the verge of the leader quadrant but falls just shy in both ability to execute and completeness of its vision.
The four leaders in the Gartner Magic Quadrant are also tops when measured by the amount of revenue their products generate, according to IDC. Combined, they controlled more than half the firewall market share in the first quarter of last year, IDC said.
Five years ago, the Gartner firewall leaders included just Checkpoint and Palo Alto, but in 2017 Fortinet broke through, and in 2018 Cisco joined the top category.
Of those vendors, Gartner also awarded Cisco, Fortinet and Palo Alto its Customer Choice Awards, which are based on customer reviews of their products. In all, the customers reviewed 17 vendors and submitted a total of 3,406 reviews, of which 2,943 were about the vendors ranked as leaders.
The other 12 vendors not already mentioned here are AhnLab, Barracuda Networks, Forcepoint, GreyHeller, Hillstone Networks, Huawei, Juniper Networks, New H3C, Sangfor, Sonic Wall, Stormshield and Watchguard.
By contrast, Forrester ranks many of the top firewall vendors not only on their firewalls, but on a framework it designed called Zero Trust, which takes into account all the security components vendors provide and how well they are integrated. Reliance on firewalls alone is history, according to its report “The Forrester Wave: Zero Trust eXtended (ZTX) Ecosystem Providers, Q4 2018.” In it, Forrester gives its top ranking to just two vendors, Palo Alto and Symantec.
This story, “What is a firewall? How they work and how they fit into enterprise security” was originally published by Network World.
Networking tools for Windows are typically command-line programs or desktop applications. Under Windows 10, there’s a third format: apps that you download from the online Microsoft Store.
Here we’re highlighting 10 networking tools that are available in the Microsoft Store and can be pinned as tile icons on the Windows 10 Start menu for convenient access. They’re all useful, and they’re all free.
All My LAN
All My LAN lists your network’s IP address, its profile name, and its maximum upload and download speeds. The amount of data that has been sent and received over the network is depicted in two line charts. By moving a slider, you can adjust the charts to represent the amount of data that was transmitted throughout the current day or up to the last 30 days. The charts can be combined to view as one chart.
This app can also scan for any multicast DNS services or UPnP devices that are connected to your network. Clicking the name of a found device or service pulls up information about it, such as its IP address, manufacturer, and product name and model.
This app can audit a Windows 10 desktop or laptop and report all the mobile data or Wi-Fi networks it’s been connected to. When you run Data Usage for the first time, it may take a while – anywhere from several seconds to a minute or so – as it scours your computer for its record of network connections.
Data Usage presents the amount of data that the computer has consumed on networks as line and pie charts. The line chart tallies the total amount of data for each network your computer connected to over the current month. (This can be changed to show the previous month, the last 7 days or a range between two days you select.) The pie chart breaks down by percentage how much data was used on each network over the selected range of dates. Reports can be exported as CSV files, which break down the amount of data that was used by day.
Data Usage is free but comes with banner ads. The pro version ($1.49) removes them.
This app is comprised of tools that scan information about nearby network signals, including Wi-Fi ones, but its purpose has an emphasis on Bluetooth. When its Bluetooth Watcher tool is activated, Network Inspector continuously updates a list of Bluetooth devices that are within range. The app has a search box you can use to find a Bluetooth device that’s transmitting by entering its device ID into it.
Another tool, an HTTP inspector, scans for and lists any HTTP servers on the local subnet of the network on which your Windows 10 computer runs. You can view the pages that are found, and other information about them, such as their headers.
The developer has made the Network Inspector source available, which can be examined within the app itself. Network Inspector is free but comes with banner ads. To remove them, you’ll have to pay $20. But the price includes full access to the app’s source code for you to use and modify.
Developer: Shipwreck Software
Network Port Scanner
Network Port Scanner is a standard port scanner for checking your network for any ports that are open and revealing the IP addresses they are open to. You can enter a range of IPs and ports for this app to scan, as well as setting a timeout in milliseconds.
Termius is a full SSH client that lets you connect multiple times to a host, or multitask by connecting to several hosts at once and switching among them. It supports port-forwarding. You can organize your servers under group categories, and pair credentials and servers for quicker access. Source