PACKET: CISCO SYSTEMS USERS MAGAZINE, SECOND QUARTER 2005, VOLUME 17, NO. 2

SELF-DEFENDING NETWORKS: Network Security Evolves to Eradicate Attacks at Their Source (page 26)

Designing the Data Center Access Layer (page 57)

Wideband Protocol for DOCSIS (page 19)

CISCO.COM/PACKET

Reprinted with permission from Packet® magazine (Volume 17, No. 2), copyright © 2005 by Cisco Systems, Inc. All rights reserved.


In Self Defense (page 26)
Network security grows adaptive, reaching inside Web applications and excising attacks at their source. New security products from Cisco aim to protect every packet and every packet flow on a network.

Keeping Voice Confidential (page 34)
The key risks of voice over IP joining the network and how to mitigate them.

Eradicating Wireless Intruders (page 39)
Multilayered RF monitoring leaves no room at the wireless LAN table for uninvited guests.

SAN Security: Beyond Zoning (page 42)
Interconnected storage area networks and IP-based access heighten the urgency of SAN security.

Stopping Bad Behavior at Endpoints (page 47)
Cisco Security Agent prevents attacks on servers and desktop PCs by enforcing behavioral policies.


SERVICE PROVIDER SOLUTIONS

Safe Metro Aggregation (page 61)
Innovative Catalyst switch security and QoS features bring reliable, resilient, secure, high performance to the metro aggregation layer.

The Service Exchange Framework (page 65)
Mastering services means comprehending and controlling every packet and policy in your network. Here’s how to do it.

IP/MPLS Interprovider (page 69)
Extending network infrastructures and services beyond administrative boundaries.

ENTERPRISE SOLUTIONS

The RFID-Ready Network (page 53)
IP-based network connectivity for RF Identification deployments.

Data Center Networking (page 57)
Designing the server farm access layer.

TECHNOLOGY

BROADBAND: Wideband Protocol for DOCSIS (page 19)
Cable operators get ten times the bandwidth at one-tenth the cost of today’s cable data service—over existing networks.

ROUTING: Who’s Afraid of DUAL-3-SIA? (page 23)
Cisco IOS Software enhancements improve EIGRP active route processing.

SMALL AND MIDSIZED BUSINESSES

Integrated Services Routers in the Small Office (page 73)
Cisco extends integrated services routers with new models and integrated wireless across the portfolio.

Buying Strategies (page 76)
Purchasing refurbished hardware from a reputable source can pay off long term for SMBs.

Digital Security (page 77)
Financial institutions manage risk and regulatory compliance proactively, with Cisco Self-Defending Networks.

DEPARTMENTS

From the Editor (page 1): Security Is as Security Does

User Connection (page 5): New Cisco Powered Network Designation • Cisco Connected Car • Certifications Update

Tech Tips & Training (page 9): Troubleshooting Cisco IPCC • Deploying Cisco Security Agent • Reader Tips

Technically Speaking (page 83): Trends in cluster and grid computing

New Product Dispatches (page 84): What’s new from Cisco over the past quarter.

NetPro Expert (page 88): Configuring and troubleshooting dial-related issues.

IN EVERY ISSUE

Mail 3 • Acquisitions 5 • Calendar 5 • Networkers F • Tech Tips 18 • Advertiser Index 89 • Cache File 90 • The 5th Wave 90


CISCO SYSTEMS SECOND QUARTER 2005 PACKET 1

FROM THE EDITOR

Security Is as Security Does

In the past few months, I’ve downloaded more than one spyware-combating program on my home PC and become reacquainted with Cisco Security Agent on my work laptop. While these are just two relatively simple security measures I’ve taken as a full-time remote worker and fan of Web surfing, they are important reminders of the pervasive, dynamic role security plays in today’s networks.

Fifteen months ago when we first wrote about Cisco’s Self-Defending Network strategy, we emphasized the business need for integrated security—that is, embedding security capabilities into network elements such as routers and switches—and collaborative security, whereby those embedded security capabilities are linked across the infrastructure and extended to user endpoints. In this issue, we elaborate on the Cisco products and technologies launched over the past year that strengthen these areas of security, as well as address the third prong of Cisco’s Self-Defending Network strategy: adaptive threat defense—which aims to protect every packet and every packet flow on a network.

Increasingly, security attacks are being introduced from within Web-enabled applications, which open the door to application abuse as traffic traverses multiple networks. For this reason alone, networks require distributed security capabilities, networkwide awareness of the context of endpoint credentials as host behavior and status change, and authentication mechanisms ensuring that those credentials can be trusted. In March, Cisco introduced several products that advance a company’s ability to protect every packet and every packet flow on the network. Among their attributes, the new products protect against application abuse, identify and thwart intrusions at Layer 7, and eliminate the sources of attacks—using capabilities such as deep-packet inspection, networkwide event correlation, context-based policies, and policy auditing. Read all about these products and technologies beginning with the article “In Self Defense,” page 26.

As far as identifying and mitigating security risks for advanced technologies, check out “Keeping Voice Confidential” (page 34) and “Eradicating Wireless Intruders” (page 39). In the article “SAN Security: Beyond Zoning” (page 42), you’ll find best practices for securing storage area networks and learn why Gartner awarded the Cisco MDS 9000 Series multilayer SAN switches an A++ for Fibre Channel SAN fabric security. “Stopping Bad Behavior at Endpoints” (page 47) lays out the latest capabilities in Cisco Security Agent Version 4.5 software that use behavioral policies to thwart spyware and adware, among other intrusive network behaviors. Version 4.5 also adds compatibility with operating systems outside the US, and expands platform support to include Linux servers and desktops as well as Windows clusters.

Security will always be an evolving process for companies. In addition to hackers, there will inevitably be more virulent viruses, clever worms, and surreptitious network behaviors to contend with. Companies with a watchful eye and strategic consideration for the three primary areas of a Self-Defending Network will be as ready as they can be to thwart the next new security threat.

David Ball, Editor in Chief, [email protected]
Rob Brodman, Photograph

PACKET MAGAZINE
David Ball, Publisher and Editor in Chief
Jennifer Redovian, Managing Editor
Susan Borton, Senior Editor
Joanie Wexler, Contributing Editor
Robert J. Smith, Sunset Custom Publishing, Project Manager
Amy Mackey, Nicole Mazzei, Mark Ryan, Norma Tennis, Sunset Custom Publishing, Production
Jeff Brand, Art Director
Emily Burch, Designer
Ellen Sokoloff, Diagram Illustrator
Bill Littell, Print Production Manager
Valerie Marliac, Promotions Manager
Achille Bigliardi, Cover Photograph

Advertising Information: Kristen Bergman, [email protected]

Publisher Information: Packet magazine (ISSN 1535-2439) is published quarterly by Cisco Systems and distributed free of charge to users of Cisco products. Please send address corrections and other correspondence direct to [email protected].

Aironet, Catalyst, CCDA, CCIE, CCNA, Cisco, Cisco IOS, Cisco Networking Academy, Cisco Press, the Cisco Powered Network logo, the Cisco Systems logo, Cisco Unity, IOS, iQ, Linksys, Packet, and PIX are registered trademarks or trademarks of Cisco Systems, Inc., and/or its affiliates in the USA and certain other countries. All other trademarks mentioned in this publication are the property of their respective owners.

Packet copyright © 2005 by Cisco Systems, Inc. All rights reserved. Printed in the USA.

No part of this publication may be reproduced in any form, or by any means, without prior written permission from Cisco Systems, Inc.

This publication is distributed on an “as-is” basis, without warranty of any kind either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or noninfringement. This publication could contain technical inaccuracies or typographical errors. Later issues may modify or update information provided in this issue. Neither the publisher nor any contributor shall have any liability to any person for any loss or damage caused directly or indirectly by the information contained herein.

This magazine is printed on recycled paper (10% total recovered fiber).


MAIL

Allergic to Spyware
We have Cisco Security Agent installed on our system but some of our PCs are still being infected with the Virtual Bouncer and VX2 spyware. Isn’t the CSA product supposed to help prevent our PCs from having their registries edited by this kind of junk?
—Marty Browne, Allergy & Asthma Associates, Houston, Texas, USA

Cisco’s Josh Huston, author of the NetPro Expert column “Boosting Network Security Using Cisco Security Agent” (Fourth Quarter 2004), responds:

Spyware of the types you mention is usually installed along with programs that end users want to install. Because users want to install these items, they will likely choose “yes” to any popups provided that require interaction. There are many ways you could provide more direction to your users on these items. As one example, you could modify your policies to put tighter restrictions on the HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run registry key to stop any writing to that key unless it is a corporate approved installer. You could also modify the popup text to indicate that this looks like a possible spyware program.

Tips and Techniques
Recently, reader Alain Moretti submitted a script to clear a CLI session using SNMP (“Reader Tips,” First Quarter 2005). My organization is using a similar script but our community string includes a character ($) that the router does not interpret correctly. How do you modify the script to use special characters in the community string?
—Jeff Lavender, Verizon Federal Network Systems, Stuttgart, Germany

The following is a response from Cisco technical support:

The problem is that the invoking shell wants to interpret any $xxx string as a variable. To avoid this, put single quotes around the offending string, for example: script router_id 'some$string' 0.
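The quoting rule in the reply above, shown as an added POSIX shell illustration (this is not code from the letter, from the reader's script, or from Cisco). A hypothetical receive_community function stands in for the reader's script and simply returns the community argument it was handed; the script name and the router_id/community/line argument order follow the reply, everything else is an assumption. The point it makes: an unquoted or double-quoted some$string reaches the script as just "some", because the invoking shell expands $string before the script runs, while the single-quoted form arrives intact.

```shell
#!/bin/sh
# Added example, not from the Packet reply or the reader's script: how the
# invoking shell treats a '$' inside a community-string argument.

# Hypothetical stand-in for the reader's script ("script router_id community line").
# It returns its second argument unchanged, so the caller can see exactly what
# the real script would have received as the community string.
receive_community() {
    printf '%s' "$2"
}

# Unquoted: before the script runs, the shell replaces $string with the value
# of a variable named "string". Assume it is empty, as it usually is, so the
# community collapses to "some" and the router rejects the request.
unquoted_result() {
    string=""
    receive_community router_id some$string 0
}

# Double quotes do not help: $string is still expanded inside them.
double_quoted_result() {
    string=""
    receive_community router_id "some$string" 0
}

# Single quotes suppress expansion; the script receives the literal text.
single_quoted_result() {
    receive_community router_id 'some$string' 0
}

# Inside the script itself, reference the value as "$2" (double quotes around
# the positional parameter, as receive_community does above). Expansion of the
# caller's text happened once, in the invoking shell; quoting the parameter
# only protects it from word splitting and globbing, it does not re-expand it.
```

Run it with `sh` and call single_quoted_result to confirm the literal string comes through; the same rule applies to any other shell-special character in a community string, such as a backtick or a backslash.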

Home Networking
I have just wired my house for Ethernet Category 5 wiring and have connected everything using an eight-port hub. I have been told that a router would allow me to access the Internet with my network and still maintain a bit of security. Most all of the routers for sale today must use DSL or cable to connect to the Internet, but I would like to use my dialup connection. What would your recommendations be? If you could give me a few URLs to research, I would be most appreciative.
—Charles T. Olinda, Atlantic County Institute of Technology, Mays Landing, New Jersey, USA

You can set up most small, home office routers to act as a firewall (security device) to protect your computer resources. Cisco has a wide variety of routers to choose from. Check out this educational site at Linksys, the division of Cisco that markets home and small office networking solutions: cisco.com/packet/172_2a1.
—Editors

For Beginners
I have been working in networking for the past year and a half and am a faithful Packet reader, but it is often difficult to digest the complicated scenarios you describe. Please consider publishing more material for beginners, specifically on Multiprotocol Label Switching (MPLS), IP Security virtual private networking (IPSec VPN), and IP telephony.
—Sumedh Dharwadkar, Tata International Ltd., Pune, India

We appreciate your desire to read more articles in Packet written for beginners, and it’s our goal to strike a balance in content that satisfies our readers’ range of technical experience. Regarding your topics of interest (MPLS, IPSec VPN, and IP telephony), following are a few links that you may find useful:

■ “MPLS FAQ for Beginners” cisco.com/packet/172_2a2
■ “Cisco IOS Software and Multiprotocol Label Switching” cisco.com/packet/172_2a3
■ “How Virtual Private Networks Work” cisco.com/packet/172_2a4
■ “Decoding IPSec: Understanding the Protocols of Virtual Private Networks” cisco.com/packet/172_2a5
■ “A Primer for Implementing a Cisco Virtual Private Network” cisco.com/packet/172_2a6
■ “Cisco IP Telephony Overview” cisco.com/packet/172_2a7

—Editors

Send your comments to Packet
We welcome your comments and questions. Reach us through e-mail at [email protected]. Be sure to include your name, company affiliation, and e-mail address. Letters may be edited for clarity and length. Note: The Packet editorial staff cannot provide help-desk services.


USER CONNECTION

New IP VPN Multiservice QoS Certification for Service Providers

A new Cisco Powered Network Quality of Service (QoS) certification helps organizations that are converging voice and data networks evaluate providers of managed virtual private network (VPN) services. The new certification verifies that a managed IP VPN service meets Cisco-defined best-practice criteria for delivery of real-time voice and video services.

The new QoS Certification requires service providers to undergo an annual onsite assessment to validate that the service provider follows best practices for delivering recommended levels of network performance (including latency, jitter, and packet loss) and customer support. This assessment includes the following intracontinental performance requirements for delivery of real-time voice or video packets from customer edge to customer edge:

■ Maximum 150 ms one-way delay for voice/video packets
■ Maximum one-way packet jitter of 30 ms for voice/video traffic
■ Maximum voice/video packet loss of 1.0 percent

For more information, visit cisco.com/packet/172_3a1.

MARK OF QUALITY: The Cisco Powered Network mark indicates multiservice IP VPN services that meet Cisco quality standards for real-time voice, video, and other business-critical applications.

About the Cisco Powered Network Program
The Cisco Powered Network program identifies service providers that use Cisco equipment in their networks end-to-end and meet Cisco standards for service quality and support. Cisco Powered Network program members are committed to maintaining high levels of network quality and providing services that offer unmatched interoperability with enterprise networks built on Cisco equipment. These service providers bring businesses specialized expertise, greater efficiency, end-to-end security, cutting-edge technologies and access to global network resources, allowing businesses to extend the power of their Cisco network and to focus on their core business.

Currently, more than 390 service providers worldwide are members of the Cisco Powered Network program. For more information, visit cisco.com/cpn.

Cisco Acquires Topspin Communications

Cisco has announced the acquisition of privately held Topspin Communications, Inc., of Mountain View, California. Topspin is a leading provider of intelligent server fabric switches, a new class of server networking equipment that promotes resource flexibility and dramatically reduces equipment and management costs.

With this acquisition, Cisco will be able to provide its customers with an end-to-end data center switching capability with specialized networking technology and services that allow them to build their data centers in a flexible, grid-like fashion. Topspin’s InfiniBand-based data center switching solutions complement Cisco’s existing network and storage switching solutions, including the Catalyst switching platform and the MDS Family switches for storage area networks. Topspin products and technology are an integral part of solutions offered by leading system vendors including Dell, HP, IBM, NEC, and Sun.

The server fabric switch market is an emerging market opportunity within the data center driven by customers’ need for an intelligent, high-performance fabric for server virtualization, clustered enterprise applications, and grid/utility computing. For more information on cluster and grid computing, see “Technically Speaking,” page 83.

Topspin’s 135 employees in California and Bangalore, India, will join the Cisco Data Center, Switching, and Wireless Technology Group.

CISCO WORLDWIDE EVENTS (cisco.com/warp/public/688/events.html)

June 19–24, 2005: Networkers, Las Vegas, Nevada, USA
July 18–22, 2005: Networking Solutions Technical Conference (NSTC), Montreal, Quebec, Canada
Aug. 29–Sept. 1, 2005: VoiceCon, San Diego, California, USA
Sept. 19–22, 2005: Networkers Australia, Gold Coast, Australia
Oct. 26–28, 2005: Networkers Japan, Tokyo, Japan
Nov. 1–3, 2005: Networkers Korea, Seoul, Korea
Nov. 28–Dec. 1, 2005: CIPTUG Annual Users Conference, Las Vegas, Nevada, USA
Dec. 19–21, 2005: Networkers China, Beijing, China


Cisco Connected Car Demonstrates IP Technology on the Move

A technology showroom on wheels, the Cisco Connected Car has been touring Northern Europe for the past several months demonstrating to public safety organizations how wireless communications can help police, fire, and ambulance personnel improve their responses to emergencies and provide more effective citizen services. The car is a Volvo V70 rigged with a Cisco 3200 Series Wireless and Mobile Access Router in the trunk, which can roam across wireless LANs, mobile phones, and TETRA networks to provide communication between emergency headquarters and the moving vehicle, regardless of physical location. Also in the car is a notebook computer with connection to external networks provided by a General Packet Radio Service (GPRS) modem mounted in the car. A global positioning system (GPS) device allows the car to be traced wherever it goes, and a network camera with IP video surveillance software from Milestone Systems lets emergency staff film incidents and instantly transmit the footage to headquarters using the in-vehicle router.

For more information, visit cisco.com/go/connectedcar.

CISCO CONNECTED CAR: The model car shows how IP technologies make it possible to react more quickly and effectively to accidents, disasters, riots, or crimes.


USER CONNECTION


Cisco Certifications Roundup

New IP Contact Center Express Specialist Certification
The new Cisco IP Contact Center Express Specialist certification is the latest focused certification to be offered by the Cisco Career Certifications program. The new certification was created in response to heightened customer and channel partner demand for knowledgeable network professionals who can successfully plan, install, configure, troubleshoot and manage Cisco’s IP Contact Center (IPCC) Express Edition.

Cisco’s IP Contact Center Express Edition provides a feature-rich, tightly integrated automatic call distributor (ACD), Interactive Voice Response (IVR) services, and computer telephony integration (CTI) on a single platform, allowing organizations to significantly reduce operating costs and improve customer satisfaction.

To earn the IP Contact Center Express Specialist certification, candidates must hold an active Cisco associate-level CCNA certification and pass one additional exam. To help candidates prepare for the exam, the IPCC Express and IP IVR Deployment (CRSD) Version 3.5 course covers planning and designing an IPCC Express deployment; installing the IPCC Express software; building self-service work flows, call routing and queuing logic; configuring agent skills and supervisor teams; creating agent screen pops; integrating to CRM databases, setting up silent monitoring and recording; generating reports; and troubleshooting.

Enhanced Recertification Policy for CCSP
Cisco has enhanced the recertification policy for the CCSP professional-level certification. Now, in addition to passing any CCIE written exam or achieving the CCIE expert-level certification, individuals can be recertified for the CCSP professional-level certification by taking the Cisco SAFE Implementation exam.

“In today’s fast paced Internet economy, recertification is a tangible indication to both IT professionals and the organizations that employ them that Cisco certification holders are current on the latest technology trends,” says Don Field, director of certifications at Cisco.

The CCSP certification indicates training in advanced knowledge of securing Cisco networks. With a CCSP, a network professional can secure and manage network infrastructures to protect productivity and reduce costs. The content emphasizes topics such as perimeter security, virtual private networks, and intrusion protection, as well as how to combine these technologies in a single, integrated network security solution.

CCSP certifications are valid for three years from the date they are awarded, and must be renewed prior to their expiration date. To determine the current status of a CCSP certification, visit the Cisco Career Certifications Tracking System at cisco.com/go/certifications/login.

For complete details about the training and exam requirements for the CCSP and other certifications, visit cisco.com/go/certifications.

Training can be purchased using Cisco Learning Credits, an easy method of payment for Cisco authorized training, redeemable through participating Cisco Learning Partners worldwide. For information about Cisco Learning Credits, visit cisco.com/go/learningcredits.

CCIE Sizzles with Hottest Certification for 2005
CertCities.com, an online publication for certified IT professionals, recently awarded Cisco’s CCIE expert-level certification the “Hottest Certification for 2005” and “Most Respected High-Level Certification” awards. The annual CertCities.com Readers’ Choice Awards combine information obtained from readers on their intent to pursue certifications with survey scores reflecting general enthusiasm for certification programs.

The “Hottest Certification” is awarded to programs that industry analysts and professionals expect to grow the fastest.

For the third year in a row, the CCIE program has swept this category, thanks to the almost mythic difficulty of the CCIE lab exam, a grueling, eight-hour, hands-on practicum. Currently, 8,852 network industry professionals have achieved CCIE certification.

“Customers respect the CCIE certification and they appreciate the certification process,” says Rami Kandah, content engineer with Cisco Customer Advocacy. “Four out of ten customer support requests ask for a CCIE.”

Career Builders
Cisco offers three levels of career certification—Associate, Professional and Expert—in areas such as Routing and Switching, Network Security, and Voice over IP. In addition, numerous Cisco Qualified Specialist certifications are available in specific technologies, solutions or job roles. The CCSP was the second place winner for the “Best Security Certification” award and is the only curriculum accredited by the US National Security Agency.

The CCNA certification was a finalist in the “Best Entry-Level Certification” category and the CCNP was rated second for “Best Mid-Level Networking Certification.”

Cisco Certifications represent three levels of expertise: Associate, Professional, and Expert.

For more information on Cisco career certifications, visit cisco.com/go/certifications. For additional information on CertCities.com’s Third Annual Readers’ Choice Awards, visit cisco.com/packet/172_3b1.


TECH TIPS & TRAINING

Minimizing Abandoned Calls in Cisco IP Contact Center
By Sandeep Gupta

Cisco IP Contact Center (IPCC) Enterprise Edition (formerly Cisco IP Contact Center) delivers intelligent contact routing, call treatment, network-to-desktop computer telephony integration (CTI), and multichannel contact management over an IP infrastructure. By delivering functionality in a unified solution, Cisco IPCC enables companies to rapidly deploy a distributed contact center infrastructure.

Reducing abandoned contact center calls is a key factor in maintaining customer satisfaction, so you should become familiar with IPCC Call Disposition 1 (CD1). A CD1 call is one that is abandoned—or dropped—before terminating at a target device such as an automatic call distributor (ACD) system or agent desktop. Abandoned calls occur when a caller hangs up while on hold. This article helps you diagnose the causes of abandoned calls and provides troubleshooting tips.

Before Diagnosis
Make sure you are familiar with the five major components of Cisco IPCC and the system architecture. For details, see the product information for Cisco IPCC at cisco.com/packet/172_4a1.

The system architecture of Cisco IPCC differs considerably from Cisco Intelligent Contact Management (ICM) configurations using legacy ACD, and these differences affect IPCC reports, which you use to diagnose abandoned calls. For details on the differences, see the Cisco IPCC Administration Guide at cisco.com/packet/172_4a2.

DIAGNOSE ABANDONED CALLS

POTENTIAL CAUSE: The Agent Reservation timer is set too low. The timer is used to set the maximum allowable time between agent selection and when the agent actually receives the call. Any call that exceeds the time is reported as CD1.
POSSIBLE FIX: The timer default is 7 seconds. Adjust the timer (up to 12 seconds). Note: The agent is placed in a NOT READY state after two consecutive calls are not received.

POTENTIAL CAUSE: Agents enable call forwarding to voice mail or to another agent phone. No events are reported to Peripheral Gateway (PG), resulting in CD1 calls.
POSSIBLE FIX:
■ Collect and analyze Termination Call Detail (TCD) and Route Call Detail (RCD) to identify CD1 calls.
■ Identify the label/Directory Number (DN) and check for any call forwarding set on an agent DN. You might see multiple CD1s for this agent DN.
■ Advise agents to not use call forwarding.
■ Set up a phone button template for agent phones; remove the CFwdALL key.

POTENTIAL CAUSE: In each of the following three scenarios, the PG cannot match a call-arrival event with a pre-call indicator-event, and the call is reported as CD1:
■ Agent goes into Talking state (presses the headset or speaker button) when the ICM router is about to send a call to that agent.
■ Agent uses the ACD DN (the Directory Number on which the agent receives routed calls) while in the AVAILABLE state.
■ Agent-to-agent calls occur while agents are in the AVAILABLE state.
POSSIBLE FIX:
■ Provide each agent with a second line to be used for non-IPCC calls.
■ Do not assign the ACD DN to the first line on the agent phone.
■ Block agent-to-agent, internal and PSTN calls from ACD DN by using Calling Search Space and partition.
■ Use a translation pattern that routes calls to a CTI route point that invokes a script for agent-to-agent calls.
■ Advise agents to enter the NOT READY state when they make non-IPCC calls. IPCC will not route calls to these agents.

POTENTIAL CAUSE: Caller disconnects/hangs up while the call is being routed to an agent. This rarely happens in complete IP telephony networks, but happens more frequently in the time division multiplexing (TDM) world, where call setup might take longer. The PG cannot match a call-arrival event with a pre-call indicator-event, and the call is reported as CD1.
POSSIBLE FIX:
1. Analyze IPCC reports to identify whether the abandoned call rate is within an acceptable range.
2. If the rate is unacceptable, identify a pattern (time of day, day of week, a particular agent or group of agents, call volume changes, and so on).
3. If you suspect the problem, start to capture logs and analyze them.

POTENTIAL CAUSE: Call is sent to an incorrect label for an agent (device target). IPCC sends the label (or DN) to its PG to route the call to an agent phone or Cisco IP Interactive Voice Response (IP IVR). PG or IP IVR passes this label to Cisco CallManager. If Cisco CallManager is unable to route the call to a device identified by this label, the call does not establish and is reported as CD1.
POSSIBLE FIX:
1. Examine the IPCC configuration (device target labels, routing clients, and translation routes). IPCC sends a label to a routing client; the client is responsible for routing and completing the call.
2. If the labels are set correctly, analyze Cisco CallManager and IP-IVR logs to determine the cause.
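Two of the fixes in the table above start with the same diagnostic step: collect and analyze Termination Call Detail (TCD) records to identify CD1 calls, then check the abandoned-call rate (step 1 of the caller-disconnect fix) and look for a pattern such as several CD1s against one agent DN (the call-forwarding fix). The following POSIX shell and awk example is added here and is not from the article or from Cisco. It runs over a constructed, simplified TCD-style export whose column names (DigitsDialed for the label/DN, CallDisposition with 1 meaning CD1) are modelled on the TCD table; the CSV layout itself is an assumption, and an export from your own reporting database will differ.

```shell
#!/bin/sh
# Added example (not from the Packet article): find Call Disposition 1 (CD1)
# calls in a TCD-style export with awk, as the first diagnostic steps suggest.

# Constructed sample records. Column names follow the TCD table
# (DigitsDialed = label/DN the call was routed to, CallDisposition = 1 means
# abandoned); the CSV layout is an assumption for this example only, and the
# non-1 disposition value is just a placeholder for a normally handled call.
TCD_SAMPLE='DateTime,DigitsDialed,AgentPeripheralNumber,CallDisposition
2005-04-01 09:00:12,3001,1101,13
2005-04-01 09:01:40,3002,1102,1
2005-04-01 09:02:05,3001,1101,13
2005-04-01 09:03:33,3002,1102,1
2005-04-01 09:04:10,3003,1103,13
2005-04-01 09:05:58,3002,1102,1
2005-04-01 09:07:21,3004,1104,1
2005-04-01 09:08:02,3001,1101,13
2005-04-01 09:09:45,3003,1103,13
2005-04-01 09:10:30,3001,1101,13'

# Step 1: overall abandoned-call rate, as a whole-number percentage.
cd1_rate() {
    printf '%s\n' "$TCD_SAMPLE" | awk -F, '
        NR > 1 { total++; if ($4 == 1) cd1++ }
        END { printf "%d\n", (total ? 100 * cd1 / total : 0) }'
}

# Is the rate within the ceiling (in percent) you consider acceptable?
# Returns 0 (true) when it is, so it can be used directly in an if test.
rate_acceptable() {
    [ "$(cd1_rate)" -le "$1" ]
}

# Step 2: look for a pattern. Here: CD1 calls per label/DN, worst first.
# One DN accumulating several CD1s is what the call-forwarding row describes,
# so that DN is the first place to check for forwarding in Cisco CallManager.
cd1_by_dn() {
    printf '%s\n' "$TCD_SAMPLE" | awk -F, '
        NR > 1 && $4 == 1 { n[$2]++ }
        END { for (dn in n) print dn, n[dn] }' | sort -k2,2nr -k1,1
}
```

On the constructed data the rate is 40 percent and DN 3002 accounts for three of the four CD1 calls. To use this against a real export, replace TCD_SAMPLE with the file contents (or swap the printf for a cat of the file) and adjust the column positions to match your schema.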


Diagnosis and Troubleshooting
The table above lists the most common causes of abandoned calls, along with possible fixes. Before attempting these procedures, all agents on your team should be properly trained.

Best Practices
You can further optimize Cisco IPCC functionality and provide better stability by following these best practices, which are based on successful customer implementations:

■ Reroute busy/failed calls to voice mail/attendant by setting up Forward on CTI route points.

■ Ensure that IPCC can pull a call back into the queue and reroute unanswered calls by setting up a Forward On No Answer (FONA) timer in Cisco CallManager that is higher than the Redirect On No Answer (RONA) in ICM.

■ For best system performance, hard code NIC speed and switch ports to 100 MB full duplex for Cisco CallManager, IP IVR, PG, agent desktops, etc.

■ Avoid or minimize device registration and call processing on the Cisco CallManager publisher node. Avoid call processing on the Cisco CallManager publisher, and perform configuration changes only on the publisher while subscribers are processing calls. Any major device addition or deletion performed by subscribers can cause issues.

■ Set up device pools (using Cisco CallManager Groups) so that the device weight per Cisco CallManager node is within guidelines defined in the Cisco CallManager Solution Reference Network Design Guide (cisco.com/packet/172_4a3).

POTENTIAL CAUSE / POSSIBLE FIX

Potential cause: Call Pickup groups and Call Park are configured on the ACD DN. These features are not supported on an ACD DN and result in CD1 calls.
Possible fix: Do not use Call Pickup groups or Call Park on the ACD DN.

Potential cause: The ACD DN is used as a shared line. Call Waiting, Call Park, Call Pickup, and Cisco CallManager Pilot Point and Hunt groups are not supported on an ACD DN and result in CD1 calls.
Possible fix: Do not use the ACD DN as a shared line.

Potential cause: Improper Calling Search Space (CSS)/Partition on the CTI route point, gateway, or agent ACD DN. Cisco CallManager uses the CSS and Partition to provide class of service (COS) to phones, gateways, and applications so that they can call limited, selected, or all devices. Depending on the CSS assigned to the device, a call may not complete when the PG sends the label to Cisco CallManager. The PG then cannot match a call-arrival event with a pre-call indicator event, and the call is reported as CD1.
Possible fix:
1. Collect and analyze TCD and RCD to identify CD1 calls.
2. Identify the label/DN and check its partition in Cisco CallManager. This DN's partition may differ from that of the other, working DNs.
3. Change the CSS on the gateway or CTI route point to include the ACD DN partition.

Potential cause: Improper design and sizing of bandwidth for the location (Cisco CallManager configuration) used to route calls to remote agents. Cisco CallManager provides Call Admission Control (CAC) based on location bandwidth to avoid congestion on the WAN. If agent calls cannot be completed because of bandwidth, the PG cannot match a call-arrival event with a pre-call indicator event, and the call is reported as CD1.
Possible fix:
1. Collect and analyze TCD and RCD to identify CD1 calls.
2. Identify the label/DN and check whether any or all gateways are using a location.
3. Enable Cisco CallManager tracing for locations (using Service Parameters) and examine the Cisco CallManager logs.
4. If possible, increase the bandwidth in the location based on WAN bandwidth sizing, and/or check for bandwidth leaks.

Potential cause: Improper Region configuration and lack of transcoders to route calls to agents. Cisco CallManager uses the Region to allow different codecs to be assigned to remote devices, a phone, or IP IVR. This saves bandwidth on the WAN by sending G.729 calls to agents in remote locations. Transcoders are used by devices that are unable to negotiate codecs dynamically. Lack of transcoding resources results in no events being reported to the PG, and the calls are reported as CD1.
Possible fix:
1. Collect and analyze TCD and RCD to identify CD1 calls.
2. Identify whether the label (DN) is in a different region from that of the gateway or CTI route point. The region is assigned on the device pool.
3. Ensure that the device pool has a Media Resource Group List that contains a Media Resource Group with a transcoder.

Potential cause: Automated Alternate Routing (AAR) configured in Cisco CallManager to route calls in the event of network congestion results in a setup delay to the agent phone. Cisco CallManager uses AAR to route calls via the PSTN when it is not possible to route a call within the CAC limits (the bandwidth defined in the location). AAR is not tested or supported with IPCC, because there is a strong possibility of delay in call setup via the PSTN, resulting in CD1 calls.
Possible fix:
1. Collect and analyze TCD and RCD to identify CD1 calls.
2. Identify the label and remove AAR from the Cisco CallManager configuration.

Potential cause: Network issues (WAN outage, congestion, latency, and so on) lead to a delay in call setup. The PG cannot match a call-arrival event with a pre-call indicator event, and the call is reported as CD1.
Possible fix:
■ Verify that the network interface card (NIC) speed and switch ports for all devices, servers, and desktops are hard coded to 100 Mbit/s full duplex.
■ Provision the WAN for outages, glitches, sizing, and any additional bandwidth requirements.

SANDEEP GUPTA is a customer support engineer at the Cisco Technical Assistance Center (TAC) and a technical leader for the Cisco IPCC Enterprise team. He can be reached at [email protected].

Reprinted with permission from Packet® magazine (Volume 17, No. 2), copyright © 2005 by Cisco Systems, Inc. All rights reserved.


Analyze IPCC Reports and Logs
To generate effective reports and logs, set up IPCC tracing to capture as much information as possible about calls, call flow, network topology, and so on. Be aware that tracing enabled for troubleshooting can adversely affect system performance, particularly during peak traffic hours, so turn it off once the data has been collected. For detailed information about setting up traces, refer to the following documents:

■ Configuring Cisco CallManager Trace Parameters: cisco.com/packet/172_4a4

■ CTI Manager: cisco.com/packet/172_4a5

■ SDL (Cisco CallManager and CTI): cisco.com/packet/172_4a6

■ IPCC PG: cisco.com/packet/172_4a7

■ IP IVR (enable the SS_TEL, LIB_ICM, and LIB_MEDIA debugging bits): cisco.com/packet/172_4a8

■ TCD and RCD from SQL (keep the two time windows as close to identical as possible so that the route and termination records for the same calls line up):

SELECT * FROM Route_Call_Detail
WHERE DateTime >= '00:00 00/00/0000' AND DateTime <= '00:00 00/00/0000'

SELECT * FROM Termination_Call_Detail
WHERE DateTime >= '00:00 00/00/0000' AND DateTime <= '00:00 00/00/0000'

Below are examples of using logs to identify the causes of abandoned calls. In general, trace any failed call through the logs and check it against the known causes of CD1 (ICM configuration, Cisco CallManager, IP IVR, and so on).

■ Insufficient latency allowed in the Agent Reservation timer. Search for "DtAbort" or "ProcessReservedTimeout" in the PIM logs. The following errors in the EA PIM logs confirm the problem:

TelephonyDriver::ProcessReservedTimeout: No call arrived to match PreCall message.

MISSED 2 consecutive routed calls. FORCING TO NOT READY STATE.

■ Wrong label for the device target. View the EA PIM event logs; you should be able to associate the ProcessReservedTimeout with a single device target. It is also possible that IPCC has the correct label but Cisco CallManager is still unable to route it. Refer to the logs from IP IVR, the PG, and Cisco CallManager, and track the call as defined in the call flow. The following errors in the IP IVR (MIVR) logs confirm the problem:

MIVR-SS_TEL-3-REDIRECT_FAILED:Redirect failed: All Call ids=CallID:32

MIVR-SS_TEL-3:EXCEPTION:com.cisco.jtapi.InvalidPartyExceptionImpl: Redirect failed because of an invalid destination.

■ Lack of transcoders, or an incorrect region/codec defined in the device pool. Track the mismatch by reviewing the following snippets in the Cisco CallManager logs, which confirm the problem (here the two sides have negotiated different payload types and packetization sizes):

CCM|SPROC - Incompatible Regions or Capabilities

CCM|SPROC - Origination Side: Region=Default|

CCM|SPROC - Origination Side: Capabilities MaxFramesPerPacket|

CCM|SPROC - Media_Payload_G711Alaw64k, 20|

CCM|SPROC - Destination Side: Region=Default|

CCM|SPROC - Destination Side: Capabilities MaxFramesPerPacket|

CCM|SPROC - Media_Payload_G711Ulaw64k, 160|

■ Insufficient bandwidth. Check for the following snippet in the Cisco CallManager logs; location tracing must be enabled in the service parameters for it to appear:

cdccPID=(1.14.372335) Orig=1 not enough bw. bw=24 curr=18 max=210|

■ CSS/Partition issue. Search the Cisco CallManager logs for the following pattern, which is logged when the call is blocked at the point where Cisco CallManager performs digit analysis:

StartTone tone=37(ReorderTone)
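The log signatures listed above can be turned into a first-pass triage script. The following Python is an added example, not code from the original article or from Cisco: it matches each line of a combined EA PIM, IP IVR (MIVR) and Cisco CallManager log extract against the patterns quoted above, tallies the likely CD1 cause per line, pairs each cause with the check the troubleshooting table recommends, and pulls the bandwidth figures out of a location-CAC refusal. The regular expressions, the cause names and the sample log lines are constructed for the example; the fragments they match are the ones the article lists.

```python
"""Triage of IPCC abandoned-call (CD1) log signatures (added example; not Cisco code)."""
import re
from collections import Counter

# Each entry: (cause key, regex over one log line, check recommended by the article).
# The regexes are written for this example; the fragments they match are quoted in the article.
SIGNATURES = [
    ("reservation_timer",
     re.compile(r"ProcessReservedTimeout|DtAbort|MISSED \d+ consecutive routed calls"),
     "Agent Reservation timer too short: no call arrived to match the PreCall; check the timer and the label"),
    ("label_routing",
     re.compile(r"REDIRECT_FAILED|InvalidPartyException"),
     "IP IVR redirect failed: wrong label for the device target, or Cisco CallManager cannot route the label"),
    ("region_transcoder",
     re.compile(r"Incompatible Regions or Capabilities"),
     "Region/codec mismatch: check the device pool region and add a transcoder to its media resource group"),
    ("location_bandwidth",
     re.compile(r"not enough bw"),
     "Location CAC refused the call: resize the location bandwidth or look for bandwidth leaks"),
    ("css_partition",
     re.compile(r"StartTone tone=37\(ReorderTone\)"),
     "Reorder tone at digit analysis: the CSS on the gateway or CTI route point lacks the ACD DN partition"),
]


def classify_line(line: str):
    """Return the cause key for a log line, or None when it matches no known CD1 signature."""
    for key, pattern, _ in SIGNATURES:
        if pattern.search(line):
            return key
    return None


def parse_bandwidth(line: str):
    """Pull the bw/curr/max figures out of a Cisco CallManager location-CAC refusal, or None."""
    match = re.search(r"not enough bw\.\s*(.*)$", line)
    if not match:
        return None
    return {name: int(value) for name, value in re.findall(r"(\w+)=(\d+)", match.group(1))}


def summarize(lines):
    """Count lines per cause; lines matching nothing are counted under 'unclassified'."""
    counts = Counter()
    for line in lines:
        counts[classify_line(line) or "unclassified"] += 1
    return counts


def advice(counts):
    """Pair each cause seen with the check the article recommends, most frequent first."""
    checks = {key: text for key, _, text in SIGNATURES}
    return [(key, n, checks[key]) for key, n in counts.most_common() if key in checks]


# Constructed sample: one combined extract from EA PIM, IP IVR (MIVR) and Cisco CallManager logs.
SAMPLE_LOG = [
    "EAPIM: TelephonyDriver::ProcessReservedTimeout: No call arrived to match PreCall message.",
    "EAPIM: MISSED 2 consecutive routed calls. FORCING TO NOT READY STATE.",
    "MIVR-SS_TEL-3-REDIRECT_FAILED:Redirect failed: All Call ids=CallID:32",
    "MIVR-SS_TEL-3:EXCEPTION:com.cisco.jtapi.InvalidPartyExceptionImpl: Redirect failed because of an invalid destination.",
    "CCM|SPROC - Incompatible Regions or Capabilities",
    "CCM|cdccPID=(1.14.372335) Orig=1 not enough bw. bw=24 curr=18 max=210|",
    "CCM|StartTone tone=37(ReorderTone)",
    "CCM|Normal call setup for CallID:33",
]

if __name__ == "__main__":
    for key, n, text in advice(summarize(SAMPLE_LOG)):
        print(f"{n:3d}  {key:20s} {text}")
```

Run it over a real extract by replacing SAMPLE_LOG with the lines read from the PIM, MIVR and CCM trace files for the time window of the TCD/RCD query; the counts point at which row of the troubleshooting table to work through first.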

You can minimize abandoned calls in Cisco IPCC by applying the known fixes in your IPCC solution, using the troubleshooting table in this article to identify the causes of abandoned calls, and applying the recommended fixes. By following the best practices, including setting up effective reports and logs, you should notice a significant decrease in dropped calls.


FURTHER READING
■ Cisco IPCC Enterprise Administrator Guide: cisco.com/packet/172_4a9
■ Cisco ICM Database Schema: cisco.com/packet/172_4a10
■ Cisco IPCC Enterprise Designing, Sizing, and Planning: cisco.com/packet/172_4a11


TECH TIPS & TRAINING

Deploying CSA: A Guide to Successfully Implementing Cisco Security Agent
By Brian Cincera

Host Intrusion Prevention (HIP) software is fast emerging as a standard for corporate desktops. Like the antivirus software that preceded them, HIP applications enable organizations to mitigate the growing risks of malware, malicious code, spyware, hacker attacks, and their ilk at lower cost and with less human intervention.

Intrusion prevention applications are the latest in security defense software, and several of them move beyond detecting threats by signature to detecting threats by their behavior. The natural benefit is that organizations can significantly improve their threat defense while dramatically reducing their management requirements for patches and signatures.

Formerly the Okena StormWatch product, Cisco Security Agent is a leader in the host intrusion prevention market and has a place on any desktop. (For a related article, see "Stopping Bad Behavior at Endpoints," page 47.)

Power and Protection
Most organizations today include remote offices and remote users, which have special needs that can stress or even break internal support systems. In addition to providing enhanced security capabilities to remote users, Cisco Security Agent is one of those rare products that can actually make supporting remote offices and "road warriors" easier, in the following ways.

Deployment. Agent deployments can be initiated by sending users an e-mail link to a website from which they install the agent. This user "pull" deployment model lets end users on low-speed connections pick the best time to initiate the deployment. Traditional deployment methods such as group policies or software deployment tools can also be used.

Offline capability. Once deployed, Cisco Security Agent is fully functional when disconnected from the organization's network, offering complete protection for users who connect at airports, hotels, or client locations. When remote systems reconnect to the home network, logs are transmitted and updates, if needed, are sent, all with negligible impact on even the lowest bandwidth WANs.

Policy tuning. Policies can be tuned to meet specific business or operational conditions. For example, users can be offered the option to allow behavior that Cisco Security Agent flags as anomalous, so that false positives do not prevent legitimate but uncommon activities.

Many organizations value the ability to limit or eliminate altogether any interaction between Cisco Security Agent and end users. For example, agents can be deployed to desktops that limit a user's ability to install or uninstall applications, connect external peripherals such as USB drives, run file-sharing applications, or even connect to other computers. In a distant location where onsite IT support is not available, this level of control over an end user's PC can help eliminate a common set of help-desk-intensive misuse conditions.

Management Environment
The Cisco Security Agent management environment allows user-level agents to be grouped by many profile factors, including location or status as a remote-office user. By creating and enforcing policies per group, management adjustments can be made specifically to suit remote users. A single change can be pushed to all group members, relieving support staff from having to manage end users as individual units.

Deployment Challenges
There are two primary challenges to consider when deploying Cisco Security Agent into remote office environments. The first is enforcement of agent deployment. When deploying the agent software, organizations have a choice of traditional software distribution capabilities, an end-user "pull" from an e-mail link, or manual installation. For remote users and offices that are connected by low-speed links, initial agent deployment can be time consuming. Although policy updates and log transmissions are very small, the initial agent deployment files can be 5 megabytes (MB) or more. Organizations need to balance the real need to deploy the agent for security purposes against the user inconvenience of a forced installation at an inopportune moment.

The second challenge is the support tradeoff that organizations make when determining desktop policies. Deploying the recommended Common Security, Required Windows System, and Desktop modules provides protection against 90 percent of the common threats. Policy adjustments made to enhance protection or limit user actions increase the chance that end users will encounter false positives or attempt a function that Cisco Security Agent prevents.

While such actions prevent a system breach or the infection of a computer, they will also likely result in a call to the help desk anyway. Thus, organizations must weigh protection against support effort when choosing the optimal remote-office agent policies.

Sound decision making on these two issues, appropriate to the environment, will help smooth and speed the deployment to remote offices and remote users. The remaining architecture, implementation, and operations decisions for supporting remote offices are the same as they are for any desktop user community.


BRIAN CINCERA is vice president for security solutions at Greenwich Technology Partners. He can be reached at [email protected].

ABOUT GREENWICH TECHNOLOGY PARTNERS
Greenwich Technology Partners (greenwichtech.com) is a vendor-independent IT professional services firm that helps organizations maximize the return on their IT investments. GTP delivers strategic, business-focused IT solutions in the practice areas most vital to large and medium enterprises, including information security, multiservice networks, infrastructure optimization, and application resilience.


Lessons Learned
Having performed many large and small Cisco Security Agent implementations, Greenwich Technology Partners has encountered many different scenarios and learned some important lessons.

Provide reasonable management redundancy. It is a good idea to install two or more management consoles for Cisco Security Agent, but fault-tolerant redundancy is not necessary. Agents continue to operate fully even when disconnected from the management station; policy updates and log collection are the only communications between the agents and the management station.

Deploy default agent policies. The default desktop and server protection policies are predefined to address roughly 90 percent of likely threats without blocking legitimate use. Tuning might still be necessary, but the defaults are a good starting point. Many organizations tinker with the controls as soon as they install the first agent; aside from very specific policy enforcement issues, it is best to try the default settings first and adjust from there.

Deploy in test mode first. Test mode allows real agents with real protection policies to operate in "detect and log" mode, so you can see what would be blocked without actually blocking it. By monitoring log activity, you can determine the policy tuning that will bridge the last 10 percent of protection without using end users as your test subjects.

Consider policy enforcement, not just threat prevention. Most organizations realize the greatest benefits when they begin to use the agents to enforce policy. Cisco Security Agent can be configured to enforce policies beyond threat prevention: limiting instant messaging, blocking file-sharing applications, or preventing users from copying proprietary information to removable drives are all possible. The combination of threat prevention and policy enforcement capabilities is powerful.

Evaluate the tradeoffs of end-user interaction. You can configure Cisco Security Agent to allow or deny end-user interaction with the agent.


In its most interactive form, Cisco Security Agent momentarily blocks behavior it considers malicious and lets users decide whether they want to proceed. This tends to be problematic, because most users do not understand the warning and therefore do not make the correct choice about whether to proceed.

In its most protective form, Cisco Security Agent immediately blocks the behavior without any warning to end users. This is also problematic: if they were performing a legitimate action that Cisco Security Agent suspects is malicious, users are offered no clue as to why their actions were unsuccessful.

Organizations must plan carefully and understand the impact on end users, and the potential increase in help-desk calls, that either decision can create. At Greenwich Technology Partners, we have found that most organizations start somewhere in the middle and gravitate toward less user interaction.

Build a business case. Technology alone can only take you so far. The organizations that have been the most successful in deploying Cisco Security Agent have been able to show that it returned more value than it cost in resources to deploy. In the security realm this has always been difficult to demonstrate.

At Greenwich Technology Partners, we have found that the best business case arguments are made on a cost avoidance model. Easy targets are the costs associated with well-known worms such as Blaster, SQL Slammer, or I Love You, each of which exploited weaknesses that were ultimately resolved by an operating system patch.

If your organization is like most, the cost of the emergency response, whether system recovery or emergency patch deployment, was staggering. (One of our clients reports an incremental cost of US$50 per desktop for Blaster remediation.)

While products such as Cisco Security Agent do not eliminate the need to patch, they do remove the need for emergency patches, because they prevent these types of threats from damaging computers in the meantime. Many clients can build a business case for intrusion prevention with payback in less than two years.

Improving Business Resilience
Intrusion prevention technologies are an important step toward improved resilience in the face of growing threats. These technologies also support steps toward policy enforcement that are often mandated by government regulation.

Cisco Security Agent provides intrusion prevention capabilities that can meet needs in both areas. In addition, the application is a great choice in remote office and remote user settings where local IT support is minimal or nonexistent.

As with any important desktop application deployment, sound decision making during the design stage and taking advantage of lessons learned by others can make the implementation process easier and more successful.


FURTHER READING
■ Cisco Security Agent: cisco.com/packet/172_4b1
■ Cisco Self-Defending Networks: cisco.com/go/sdn
■ Cisco Security and VPN: cisco.com/go/security


Reader Tips

Configuration
Reconfiguring Layer 2 Switch Addresses

Here is a suggestion for changing Layer 2 switch administrative addresses on the fly. We had the additional problem that console access was out of the question because of the geographical distances between the switches. The crucial points that made it possible were: we had Layer 2 connectivity from a Layer 3 device to the switch, we had remote access to the Layer 3 device via Telnet, and we kept the virtual LAN (VLAN) containing the new address undefined during the configuration actions.

We were faced with the problem of rearranging Layer 2 switches into a different topology. Distances between the switches are up to tens of kilometers, using Ethernet tunneling over a provider network. Rearranging switches involves requesting additional Ethernet tunnels before the rearrangement and requesting termination of superfluous tunnels after the rearrangement.

We wanted to align the administrative addresses of the switches with the new Layer 2 ring topology that they would be part of. In preparation, we wanted to change the administrative addresses of the switches prior to actually changing the topology. Links between the Layer 2 switches and from a Layer 2 switch to a Layer 3 device are all (802.1Q) trunk links.

We used the following procedure:

1. Prepare a new VLAN (VLAN-new) with an IP address on the Layer 3 device. This acts as the gateway for the switches.

2. Include this VLAN in the trunk from the Layer 3 device to the concerned Layer 2 device(s).

3. Define the new VLAN in all the switches in the same Layer 2 structure(s) in the current topology as the switches needing new IP addresses. This is done to ensure that all the trunks allow the new VLAN. If there are VLAN restrictions on trunks, you may have to change them to accept the new VLAN.

Repeat the following procedure for each switch:

1. Connect from a Layer 3 device within the current subnet of the switch concerned to the switch (we used Telnet).

2. Schedule a reload in 30 minutes (to avoid permanent loss of connectivity to the switch in case of mishaps during reconfiguration).

3. Make sure the new VLAN (VLAN-new) is not defined in the switch:

no vlan <VLAN-new>    (if necessary)

4. Change the administrative VLAN and IP address in the switch:

interface vlan <VLAN-new>
 no shut
 ip address <new address> <new mask>
 exit
ip default-gateway <address of Layer 3 device in the new VLAN>

5. Define the new VLAN on the switch to make the connection effective:

vlan <VLAN-new>
 name <description of VLAN>    (optional)
 exit

The connection is now lost. After the spanning tree reconverges, you can reach the switch again by pinging the new address. Connect to the switch again using the new address.

6. Optionally, delete the former administrative VLAN interface in the switch (no interface vlan <old-administrative-VLAN>).

7. Check that the conversation with the switch continues functioning.

8. Save the configuration.

9. Cancel the scheduled reload.

—Paul De Valck, Imtech Telecom NV, Brussels, Belgium

Packet® thanks all of the readers who have submitted technical tips. Each quarter we receive many more tips than we have space to include. While every effort has been made to verify the following reader tips, Packet magazine and Cisco Systems cannot guarantee their accuracy or completeness, or be held responsible for their use.

Saving Very Large Configuration Files
When trying to load a very large configuration (approximately 2 MB) into a Cisco 3725 Router (Cisco IOS Software Release 12.3.9b with the SSH/3DES feature) it is impossible to store the configuration in the machine's NVRAM in plain or compressed form. The Cisco 3725 does not recognize the IOS command boot config flash. Maybe the flash file system on the 3700 Series Router cannot read the flash devices at boot time.

The standard recommendation is to load the configu-ration from an external TFTP server using the bootnetwork or boot host command.

To avoid relying on an external host, use this procedure:

1. Perform basic configuration tasks on the router.

2. Configure the two network load commands intothe normal NVRAM startup configuration:

service config
boot network tftp://10.10.10.10/host-config
boot host tftp://10.10.10.10/startup-config

The 10.10.10.10 IP address is the Fast Ethernetaddress.

3. Configure the following command in the NVRAMstartup configuration:

tftp-server flash:/startup-config alias startup-config
tftp-server flash:/host-config alias host-config

The host-config file is a placeholder (it containsremarks, but no IOS instructions) but is necessarybecause the router attempts to load it sending a localbroadcast TFTP packet.

4. Save the configuration into NVRAM.

5. Load the big configuration into the router. If yourimage supports scp you can load the file from yourworkstation using the scp command:

scp big-file [email protected]:flash:/startup-config

Alternatively, you can use a Perl script that loads the configuration using SNMP. In this case I used the scp method because the configuration is a large group of rtr commands that another engineer had generated using an external Perl program.

At the next reload your router will load the large configuration from the flash file using the locally activated TFTP server. From here you can save the configuration:

copy running-config flash:startup-config

—Andrea Montefusco, Kyneste S.p.A., Rome, Italy

Troubleshooting
Handling Mistyped Commands

Mistyping commands is a common and annoying problem that causes the router to respond as if you typed a hostname. For example:

MyRouter#shwo
Translating "shwo"...domain server (10.1.1.2)
% Unknown command or computer name, or unable to find computer address
MyRouter#

In this example, the word show is mistyped. To correct this problem, change the preferred transport method:

! Console port
line con 0
 transport preferred none
! VTY ports
line vty 0 5
 transport preferred none

The output now shows an invalid-input error instead of a failed connection attempt based on the mistyped keyword:

MyRouter#shwo
            ^
% Invalid input detected at '^' marker.

—Shahzad Rana, ORIX Leasing Pakistan Limited,Karachi, Pakistan

Determining the Committed Information Rate ina Frame Relay Network

Recently, our service provider changed a Frame Relay port to the remote office from a 256k port to 512k. Unfortunately, we assumed that the provider would automatically change the 128k Committed Information Rate (CIR) to 256k. After many trouble tickets for an unusually high rate of "Discard Eligible" error messages before we ever came near our CIR, we learned that the provider never adjusted the CIR and it was still set at 128k. We also discovered that it was maladjusted at several other sites. However, the following Cisco IOS Software command will effectively give you a reading on your CIR.

New-Chester> show frame-relay map
Serial0/0.102 (up): point-to-point dlci, dlci 102(0x66,0x1860), broadcast, BW = 128000

—A.G. Teslicko, Amscan, Inc., Chester, New York, USA

Monitoring Link Quality
Cisco Bit Error Rate Testing (BERT) is a very helpful utility for monitoring link quality. Just loop the suspected media at its far end, configure a BERT profile, and run a test of any duration. The user profiles are stored as part of the configuration in the NVRAM. We can define a maximum of 15 profiles on the system and get pass or fail results. The tool enables you to verify your media from a remote command line interface and isolate problems quickly.

! Define BERT profile
bert profile 1 pattern 211-O.152 threshold 10^-2 error-injection none duration 60
!
! Run the test
Router#bert controller e1 0 profile 1

! Output
Router#show controllers e1 bert
Controller E1 0 Profile default : Test Never Ran
Controller E1 0 Profile 1 : Test passed with BER of 10^(-2) ---> [wow Media is OK till the looped end]
Controller E1 1 Profile default : Test Never Ran
Controller E1 1 Profile 1 : Test Never Ran
Controller E1 2 Profile default : Test Never Ran
Controller E1 2 Profile 1 : Test Never Ran
Controller E1 3 Profile default : Test Never Ran
Controller E1 3 Profile 1 : Test Never Ran
Controller E1 4 Profile default : Test Never Ran
Controller E1 4 Profile 1 : Test Never Ran
Controller E1 5 Profile default : Test Never Ran
Controller E1 5 Profile 1 : Test Never Ran
Controller E1 6 Profile default : Test Never Ran
Controller E1 6 Profile 1 : Test Never Ran
Controller E1 7 Profile default : Test Never Ran
Controller E1 7 Profile 1 : Test Never Ran

—Sheeraz Ahmed, Supernet Ltd, Karachi, Pakistan


SUBMIT A TIP
Help your fellow IT professionals by submitting your most ingenious technical tip to [email protected]. When submitting a tip, please tell us your name, company, city, and country. Tips may be edited for clarity and length.

Tech Tips

Visit the new Cisco Technical Support & Documentation website. Cisco's online technical support and product documentation has been integrated into a new website on Cisco.com, enabling users to find product, support, and technical information in the same place. cisco.com/packet/172_4e1

Identify jitter and typical voice quality symptoms. This new TAC Case Collection item describes how to get a general determination of jitter in the network by using the IOS command show call active voice. cisco.com/packet/172_4e2

Best practices for administration of Cisco Secure ACS for UNIX. These practical guidelines are culled from actual design and deployment experiences of development engineers. cisco.com/packet/172_4e3

New Q&A for Cisco Traffic Anomaly Detector and Cisco Guard. This new question-and-answer format document provides specific, detailed answers to common questions about configuring these two security products. cisco.com/packet/172_4e4

Detect disconnected calls in Cisco IP IVR. This document describes a script for detecting disconnected calls in the Cisco IP Interactive Voice Response (IP IVR) software. cisco.com/packet/172_4e5

Receive the latest product information with the Cisco Product Alert Tool. Set up a profile in this tool and you will receive automatic e-mail updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you are interested in (available to registered users only). cisco.com/packet/172_4e6


TECHNOLOGY

Wideband Protocol for DOCSIS
Cable operators get ten times the bandwidth at one-tenth the cost of today's cable data service, over existing networks.
By Janet Kreiling

How can cable operators leapfrog fiber to the home (FTTH) and deliver 50 or 100 Mbit/s both upstream and downstream to each residence (or business) on their hybrid fiber-coaxial (HFC) networks? By simply rearranging equipment that is already in place, thanks to Wideband Protocol for DOCSIS, a new technology from Cisco that frees up bandwidth already in that fiber and coax.

Lindsay Schroth, senior analyst for broadband access technologies at the Yankee Group, calls Wideband Protocol for DOCSIS "absolutely a disruptive technology, especially in Europe and Asia where telcos are competing now with very-high-bandwidth DSL." The technology will become just as important in the US, she adds, but because DSL speeds there are currently much lower, most US cable providers will likely wait until the release of the DOCSIS 3.0 standard, which will incorporate it. (DOCSIS, Data over Cable Service Interface Specification, is a set of CableLabs standards that govern delivery of data over cable networks.)

In Europe and Asia, where housing is often very dense, installing FTTH is cost effective, and telcos are delivering 10- or 100-Mbit/s Ethernet in urban areas; several have 1 Gbit/s in sight. In some countries and cities, customer demand is reinforced by governmental mandates requiring telecom carriers to provide very high bandwidth. So there is already intense interest in the new technology from Asian and European providers. Even in the US, where cable companies serve about two-thirds of broadband homes, there is incentive now. "Users of bandwidth-hungry applications will go with whatever carrier gives them the quality of service they want," says John Mattson, director of marketing for cable products at Cisco. "If interactive gamers, for instance, can't get the bandwidth for good graphic resolution or the low latency they want on their current service, they'll switch to another provider."

One of the next big applications is going to be downloading movies, adds Mattson. "High-definition streaming video can consume 20 Mbit/s, or with compression, perhaps 10 to 12 Mbit/s. Downloading to storage will take a few seconds on a 50-Mbit/s link compared to much longer times on a traditional high-speed Internet connection, or even several hours on a lower speed link. Wideband DOCSIS will let cable companies get in on the ground floor."

Blows Away Speed and Capacity Limitations
Wideband Protocol for DOCSIS offers higher throughput downstream pipes at significantly lower cost by allowing downstream channels to be added independent of upstream ones, notes John Chapman, the Cisco Distinguished Engineer who created the new wideband technology. "Yet it works with today's DOCSIS 1.x and 2.0 cable modem termination systems, and it takes advantage of the decline in prices for external QAM [quadrature amplitude modulation] devices," he says. There is a terabit of capacity in the HFC serving a typical 100,000-person city, adds Chapman, "and only 1.9 percent of it is being used."

Decoupling downstream and upstream channels gets away from the fixed ratio of one downstream channel to four or six upstream, so cable operators can economically offer whatever bandwidth a subscriber wants by grouping downstream or upstream channels as needed to form a larger "wideband" channel. The techniques in Wideband DOCSIS for combining channels upstream and downstream differ somewhat, but both are consonant with current DOCSIS protocols and very economical.

Downstream wideband channels can use external (edge) QAMs, which, because they have less functionality than a cable modem termination system (CMTS), cost less per port. The CMTS handles both DOCSIS (all-digital) and non-DOCSIS (analog) traffic such as video on demand and regular broadcasting. Edge QAMs couple the downstream digital channel onto the analog HFC network.

The core of Wideband DOCSIS is the formatting of DOCSIS frames into 188-byte MPEG-TS packets; the packets are broken into pieces that are transmitted simultaneously by up to 24 or 48 QAM channels. Chapman calls this technique "striping" the packet across the parallel channels. Transmitting these large packets in multiple chunks simultaneously ensures that wideband does not introduce latency. A sequence number embedded in each packet enables the transmit framer to stripe packets onto channels as needed, and the receive framer to put them back in order no matter which channel carried each piece. The QAM channels do not need to be adjacent. If certain QAM channels have already been assigned to non-DOCSIS uses, Wideband DOCSIS uses what is available.

MPEG-TS packets were chosen as the carrier medium rather than bytes or ordinary packets, Chapman says, because they permit bonding of channels at the transmission convergence layer, above the physical layer and below the MAC layer. Because it does not affect either layer, Wideband DOCSIS is transparent to traditional DOCSIS protocols. "This is very powerful as it has the potential to maximize re-use of the existing DOCSIS environment," he points out.

Downstream signaling takes place via the standard DOCSIS downstream signaling channel, so both wideband and present-day cable modems can coexist in the network.

Upstream and downstream transport are different, because the equipment originating signals is different at each end; the CMTS and edge QAM transmit downstream, and the cable modem transmits upstream. Upstream, data does not travel in MPEG-TS packets. Rather, IP packets are placed into a Packet Streaming Queue service flow, which is then chunked and transmitted to the CMTS over a wideband channel that is dynamically allocated to different upstream QAMs as resources are available.

The Packet Streaming Queue is a construct of the Packet Streaming Protocol, a new concept also introduced by Chapman. Packets may be sorted into queues according to quality of service (QoS) level or other policies and travel on service flows dedicated to the different service requirements; the CMTS manages QoS at the cable modem, as in the current DOCSIS release, and prevents head-of-line blocking (where a higher-priority packet might get stuck behind a lower-priority one). This is the major difference between Wideband DOCSIS and the earlier versions of the standard. Otherwise, transport adheres to DOCSIS practices for signaling between the cable modem and CMTS regarding bandwidth (the cable modem launches requests to the CMTS and receives allocation grants) and is compatible with DOCSIS 2.0 concatenation and fragmentation.

20 PACKET SECOND QUARTER 2005 CISCO SYSTEMS

Putting Wideband DOCSIS into Your Network
Installing Wideband DOCSIS in your network is largely a matter of installing new WAN interface cards in your CMTS. These cards will implement the MAC and framing tasks, initially managing up to 24 or 48 upstream and downstream QAM carriers. External QAMs couple the signal onto the HFC. In addition to the MPEG-TS packets, they can also support DOCSIS-based IP services. Both upstream and downstream channels are inherently highly available. Downstream, if one of the QAMs in the wideband channel is down, the Wideband DOCSIS protocol simply does not stripe across it. If more availability is needed, the protocol can invoke an RF switch and a redundant QAM. Upstream, if one of the line cards bearing a service flow fails, the wideband channel can be dynamically reconfigured around it.
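To make the striping described earlier, and the behaviour of skipping a QAM channel that is down, concrete, here is a small Python model. It is an added example for this reprint, not Cisco code and not the DOCSIS 3.0 wire format. Length-prefixed DOCSIS frames are carried in fixed 188-byte cells; each cell gets a four-byte header holding the MPEG-TS sync byte and a 24-bit sequence number (an assumed toy layout, not the real MPEG-TS or DOCSIS header); the transmit framer deals cells round-robin over whichever channels in the group are up; and the receive framer merges cells from all channels by sequence number, reports any gap, and rebuilds the frames. The channel numbers, frame contents, and header layout are all constructed for the illustration.

```python
"""Toy model of Wideband DOCSIS downstream striping (illustration only)."""
import struct

SYNC = 0x47                       # MPEG-TS sync byte
CELL_SIZE = 188                   # fixed MPEG-TS cell size
HEADER_SIZE = 4                   # assumed toy header: sync byte + 24-bit sequence number
PAYLOAD_SIZE = CELL_SIZE - HEADER_SIZE

# Constructed sample DOCSIS frames (payload bytes only; sizes are arbitrary).
SAMPLE_FRAMES = [b"A" * 64, b"B" * 300, b"C" * 1500]


def frames_to_cells(frames, first_seq=0):
    """Pack length-prefixed frames into one byte stream, pad it to a whole
    number of cells, and cut it into sequence-numbered 188-byte cells."""
    stream = b"".join(struct.pack(">H", len(f)) + f for f in frames)
    stream += b"\x00" * ((-len(stream)) % PAYLOAD_SIZE)   # zero length marks end of data
    cells = []
    for offset in range(0, len(stream), PAYLOAD_SIZE):
        seq = first_seq + offset // PAYLOAD_SIZE
        header = bytes([SYNC]) + seq.to_bytes(3, "big")
        cells.append(header + stream[offset:offset + PAYLOAD_SIZE])
    return cells


def stripe(cells, channels, down=()):
    """Transmit framer: deal cells round-robin over the channels that are up.
    The channels need not be adjacent, and a channel marked down is simply
    left out of the rotation instead of taking the whole wideband channel down."""
    usable = [ch for ch in channels if ch not in down]
    if not usable:
        raise RuntimeError("no usable QAM channel in the wideband group")
    per_channel = {ch: [] for ch in usable}
    for i, cell in enumerate(cells):
        per_channel[usable[i % len(usable)]].append(cell)
    return per_channel


def reassemble(per_channel):
    """Receive framer: merge the cells from every channel by sequence number
    (so arrival order across channels does not matter), report any missing
    sequence numbers, and split the byte stream back into frames."""
    cells = [c for chunk in per_channel.values() for c in chunk]
    for c in cells:
        if len(c) != CELL_SIZE or c[0] != SYNC:
            raise ValueError("corrupt cell")
    cells.sort(key=lambda c: int.from_bytes(c[1:4], "big"))
    seqs = [int.from_bytes(c[1:4], "big") for c in cells]
    missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs)) if seqs else []
    stream = b"".join(c[HEADER_SIZE:] for c in cells)
    frames, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack(">H", stream[pos:pos + 2])
        if length == 0:            # padding reached
            break
        frames.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return frames, missing


if __name__ == "__main__":
    cells = frames_to_cells(SAMPLE_FRAMES)
    # Four non-adjacent QAM channels in the group; channel 7 is down.
    tx = stripe(cells, channels=[3, 7, 11, 12], down={7})
    frames, missing = reassemble(tx)
    print(len(cells), "cells over channels", sorted(tx), "missing:", missing,
          "round trip ok:", frames == SAMPLE_FRAMES)
```

When a cell is lost, `reassemble` still returns whatever frames it can parse, but the `missing` list names the sequence numbers that never arrived, which is the signal a real receive framer would use to hold or discard the affected frames rather than pass them up to the MAC layer.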

DOCSIS supports a variety of load-balancing features through Dynamic Channel Change (also invented by Chapman), which was devised primarily for voice traffic. But these techniques work best when used with a group of two to four channels. Wideband DOCSIS, which creates one large channel, better serves large numbers of QAMs and bandwidth-hungry traffic such as video and gaming.

Upstream and downstream wideband channels can be dynamically configured, making the new protocol especially responsive to customers' need for short-term high bandwidth. "Cable operators can offer a 'turbo button' subscribers can use when gaming or doing peer-to-peer file transfers," says Schroth of the Yankee Group.

Wideband DOCSIS is en route to becoming part of DOCSIS 3.0. This is partially in response to the many cable operators who would like to evolve to a wideband service within the DOCSIS framework to reuse their current DOCSIS infrastructure, mix wideband and traditional services on common downstreams during the transition to wideband, and save operating costs by avoiding rewiring and moving customers to new systems.

Moreover, DOCSIS offers very definite benefits, says Andy Page, product manager in Cisco's Broadband Edge and Midrange Routing Business Unit. "Wideband DOCSIS leverages excellent features in provisioning, billing, security, and other areas. For example, the DOCSIS protocol is very hard to hack and makes stealing service very difficult. Cable providers can choose the billing paradigm—flat rate, time-based, or volume-based. Its provisioning is much more streamlined than DSL, and it makes offering different flavors easy, which helps providers differentiate their offerings and tailor them to subscribers."

Says Page, "Cisco plans to offer the technology to the industry via DOCSIS 3.0 rather than locking in the intellectual property, as part of our philosophy of open systems." Wideband DOCSIS, he adds, "is the logical migration path for cable operators to offer all services over a common IP infrastructure." US trials will take place in the second half of this year, and products should be available in the first half of 2006.

Optimizing Revenue per User
Mattson cites a DFC study from July 2005 that projects worldwide gaming revenues will increase from US$1.96 billion in 2003 to $5.2 billion in 2006 to $9.8 billion in 2009. DFC also predicts that customers for on-demand movies over the Internet will increase from under 3 percent of US households in 2005 to upward of 16 percent by 2008. A recent MDR/Instat survey reveals that 64.6 percent of US homes are now sharing files via broadband; 43.9 percent view pictures; 42.1 percent listen to music; 30.6 percent watch videos; and 29.9 percent do some IP telephony. With Wideband DOCSIS, says Mattson, "You can let video-Napster happen without losing sleep, and in fact you can profit handsomely from it."

"The driver for all of this is optimizing the average revenue per user," Chapman notes. "Having a highly adaptive, cost-effective architecture that accommodates changing traffic patterns, services, and customer needs is immensely valuable. The cable industry has an obvious advantage in DOCSIS, which has a historic focus on service bundling and compelling content and which can now standardize a very wide pipe."

He proposes a five-year goal of at least 1-Gbit/s downstream data capacity and 100-Mbit/s upstream capacity. Are you up to the challenge?


Cable Operator Trials Wideband Protocol in Japan
Himawari Network, Inc. is testing Wideband Protocol for DOCSIS at the Toyota Dream Home in Aichi prefecture in Japan. Based on the Cisco uBR10012 CMTS platform, the trial showcases the ability to converge video and data traffic onto a single IP-based, high-speed service offering. Himawari will use the technology in parallel with existing modem deployments to provide a migration path to additional high-speed service offerings such as video on demand and online gaming. For more, see cisco.com/packet/172_5c1.


TECHNOLOGY: Routing

Who's Afraid of DUAL-3-SIA?
Cisco IOS Software enhancements improve EIGRP active route processing.

By Russ White

Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP) is widely deployed in large-scale networks, particularly in enterprise financial and retail organizations. EIGRP is also well known for something else, Stuck in Active routes (SIAs), and yelling "Stuck in Active" in a network operations center is likely to gain a reaction similar to the one you would get if you yelled "Fire" in a crowded theater. When an EIGRP route is in the SIA state, the router logs the DUAL-3-SIA error message.

To reduce the problems with SIAs, Cisco has changed how EIGRP handles the active route process in Cisco IOS Software Release 12.1(5). With the help of these changes in the EIGRP code, you can greatly reduce the scope and number of SIAs, although they still will not be completely eradicated.

This article examines EIGRP's active process and discusses the recent modifications that almost eliminate the situations in which you will see SIAs in your network.

Network Example
The figure on this page illustrates an example of a small network running EIGRP as a routing protocol.

SMALL EIGRP NETWORK (figure): Routers A, B, C, and D. The links shown are a T1 and Gigabit Ethernet segments, and the destination network is 10.1.1.0/24. Caption: In the active state, a router sends queries out to its neighbors requesting a path to the lost route.

In the simple network in the figure, Router B prefers the path through Router C to reach 10.1.1.0/24. Router A receives two routes to 10.1.1.0/24, one through Router B and one through Router C. Assume that Router A chooses the path through Router B as its best path, and that the path through Router C is not marked as a loop-free path because of the metric differentials in the two paths (in EIGRP terms, Router C's reported distance is not less than Router A's feasible distance, so Router C does not qualify as a feasible successor).

If the link between Routers B and C fails for some reason, the following sequence of events occurs:

■ Router B examines its local EIGRP topology table for other loop-free paths toward 10.1.1.0/24.

■ Failing to find any alternate loop-free paths, Router B queries each of its remaining EIGRP neighbors to determine if it can find a new loop-free path to 10.1.1.0/24. At this point, Router B sets a three-minute active timer and sends a query to Router A, asking if another path to 10.1.1.0/24 exists.

■ Router A, which used Router B as its best path, examines its local topology table and finds it has no other loop-free path. Router A sets a three-minute active timer and sends a query to Router C.

At this point, the route to 10.1.1.0/24 is active at Routers A and B. Usually, Router C examines its local topology table, determines it has a path toward 10.1.1.0/24 that is still loop free, and replies to Router A with this information. Router A then installs the route back into its local routing table, takes the route out of the active state, and stops the three-minute active timer. Router A, in turn, replies to Router B, and Router B follows the same steps.

But what happens if for some reason Router C never responds to Router A? The A-to-C link could be very dirty, for instance, causing most of the packets on the link to be lost although enough packets make it through for the EIGRP neighbor relationship to stay up. The entire time that Router C is trying to transmit its reply about an alternate route to Router A, Router B's active timer is still running. Eventually, Router B's active timer will expire and Router B will reset its neighbor adjacency with Router A.

But wait: the problem is not between Routers A and B. The active process, while bringing the network back into a known state from which to work (the active timer essentially limits the amount of time the network can take to converge), has also caused a network failure where none previously existed: between Routers A and B.

New Active Process
The enhancements to EIGRP in Cisco IOS Software Release 12.1(5) allow the active process to respond to this correctly, by pushing the neighbor reset down to where the actual problem exists. Instead of setting a three-minute timer when a route is marked active, the router sets a one-minute timer. When the active timer expires, instead of resetting the neighbor adjacency, the router sends another query to make certain that the neighbor it is waiting for is still working to resolve the active route.

To illustrate, let's walk through the process using the same network example as before.

■ The link between Routers B and C fails. Router B examines its local topology table and discovers it has no alternate loop-free paths to 10.1.1.0/24. Router B marks the route active, starts a one-minute active timer, and sends a query to Router A.

■ Router A receives this query, examines its local topology table, and discovers it has no alternate loop-free paths to 10.1.1.0/24. Router A marks the route active, sets a one-minute timer, and sends a query to Router C.

■ Router C acknowledges this query but fails to respond to it.

■ When Router B's one-minute timer expires, it sends another query to Router A. Router A acknowledges this query, so Router B resets its one-minute active timer.

■ Router A continues to wait for Router C to answer the query. Its one-minute timer expires, so it sends another query to Router C.

■ Router C's acknowledgement to this second query does not get through, so Router A resets its neighbor relationship with Router C.

■ Router A, on resetting its neighbor relationship with Router C, examines its local topology table and finds that Router B is waiting for a reply to an earlier query. Router A notes that it is not waiting on any of its neighbors for a reply to this query and has no alternate loop-free path, so it responds to Router B.

Routers A and C now reset their neighbor relationship, rather than Routers A and B, putting the symptom (a neighbor reset) where the problem is.
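The two walkthroughs, the original active process and the new one, as a small discrete-event model in Python. This is an added example for this reprint, not Cisco's EIGRP code. Router B queries Router A and Router A queries Router C; Router C acknowledges the first query but never replies, and the acknowledgement for the second query is lost. Run with the three-minute timer and no follow-up query, the model reproduces the spurious reset between Routers B and A; run with the one-minute timer and the follow-up query, it moves the reset to the A-C link and lets Router A answer Router B as soon as it has reset Router C. The timer values are those given in the article; the 0.01-second offset between the two routers going active and the 600-second horizon are assumptions of the model.

```python
"""Toy model of the EIGRP active process, before and after the 12.1(5) change."""
from dataclasses import dataclass, field

ACTIVE_TIMER_OLD = 180   # seconds: three-minute active timer, reset on expiry
ACTIVE_TIMER_NEW = 60    # seconds: one-minute active timer, then a follow-up query


@dataclass
class Router:
    name: str
    upstream: str = None          # neighbour that is waiting for this router's reply
    downstream: str = None        # neighbour this router is waiting on
    ack_lost_for: set = field(default_factory=set)   # query numbers whose ack never arrives


def simulate(timer, sia_query, horizon=600):
    """Return (resets, b_resolved): adjacency resets as (time, router, neighbour)
    tuples, and the time at which Router B's route leaves the active state."""
    routers = {
        "B": Router("B", downstream="A"),
        "A": Router("A", upstream="B", downstream="C"),
        # C acks the first query, loses the ack for the second, and never replies.
        "C": Router("C", upstream="A", ack_lost_for={2}),
    }
    active = {"B": 0.0, "A": 0.01}     # router -> time its active timer was (re)started
    queries = {"B": 1, "A": 1}         # queries sent so far to the downstream neighbour
    resets, b_resolved = [], None

    def resolve(name, now):
        """The route leaves the active state at `name`; if the upstream neighbour
        was waiting only on us, our reply resolves it too, and so on up the chain."""
        nonlocal b_resolved
        active.pop(name, None)
        if name == "B":
            b_resolved = now
        up = routers[name].upstream
        if up in active:
            resolve(up, now)

    t = 0.0
    while active and t < horizon:
        name = min(active, key=active.get)         # next active timer to expire
        t = active[name] + timer
        nbr = routers[routers[name].downstream]
        if not sia_query:
            # Original behaviour: expiry resets the neighbour we are waiting on,
            # whether or not that neighbour is the one with the problem.
            resets.append((t, name, nbr.name))
            resolve(name, t)
            continue
        queries[name] += 1                         # send the follow-up query
        if queries[name] in nbr.ack_lost_for:
            resets.append((t, name, nbr.name))     # no ack: the neighbour really is gone
            resolve(name, t)
        else:
            active[name] = t                       # acked: neighbour alive, restart timer
    return resets, b_resolved


def spurious_resets(resets, healthy=("A", "B")):
    """Resets of a neighbour on a healthy link (only Router C misbehaves here)."""
    return [r for r in resets if r[2] in healthy]


if __name__ == "__main__":
    for label, timer, sia in (("old", ACTIVE_TIMER_OLD, False), ("new", ACTIVE_TIMER_NEW, True)):
        resets, resolved = simulate(timer, sia)
        print(f"{label}: resets={resets} B resolved at {resolved}s "
              f"spurious={spurious_resets(resets)}")
```

The model also shows why the new process converges sooner in this case: Router B's route is resolved as soon as Router A gives up on Router C, about a minute in, instead of waiting out the full three-minute timer.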

Since the change in EIGRP's active processing, the number of Technical Assistance Center (TAC) cases involving EIGRP SIAs has plummeted, along with the number of network managers calling for development support to deal with networks with large numbers of SIAs. With EIGRP's new active process, no one needs to fear SIAs any longer.

FURTHER READING

■ Cisco EIGRP: cisco.com/packet/172_5b1

■ Cisco IOS Software: cisco.com/packet/172_5b2

■ Cisco IP Routing: cisco.com/packet/172_5b3

■ Cisco Internet Protocol Journal: cisco.com/ipj

RUSS WHITE, CCIE No. 2635, is a technical leader in the Cisco IP Technologies Group, where he specializes in designing and implementing routing protocols and scalable networks. He can be reached at [email protected].


SECURITY

In Self Defense
Network security grows adaptive, reaching inside Web applications and excising attacks at their source.

A FEW SHORT YEARS AGO, network security was built on standalone products at the physical perimeter of a network, where the LAN met the WAN and corporate networks hooked up to the Internet. Operating system patching and continuous antivirus software updates rounded out the typical corporate security strategy.

However, the concept of a definable network boundary is evaporating. User devices often connect to multiple networks, rendering the perimeter a moving target. Communication among customer and partner extranets is common, for example. The productivity gains afforded by wireless, mobile, and remote-access networks are also fueling the multi-network connectivity phenomenon.

The security challenge is that user laptops link to other networks and the Internet from home offices, public hotspots, and hotel rooms, for example, and pick up an infection. Then a user might return to the office and reconnect directly to the corporate network via an Ethernet port or by associating with a wireless LAN access point, inadvertently passing along the bad code. Meanwhile, there is a rapidly shrinking window of time between when that network anomaly arrives and when it propagates across the corporate network to cause serious consequences. By the time networking personnel detect a virus, worm, Trojan horse, or other unwelcome intruder and attempt remediation, it is often too late to avoid network downtime and losses in productivity or sales.


"This is why security has evolved into a strategic systems issue," says Kevin Flynn, security products and systems group manager in Cisco's Products and Technology Marketing Group. "Security has now become indistinguishable from other IT and network operations."

Networks have grown too complex for a single mechanism to reliably keep them secure. Modern networks require distributed security capabilities, networkwide awareness of the context of endpoint credentials as host behavior and status change, and authentication mechanisms ensuring that those credentials can be trusted.

Protecting Every Packet, Every Flow
Cisco's Self-Defending Network strategy, which comprises three phases, has been rapidly gaining new components to fulfill these requirements. The third phase, called Adaptive Threat Defense, for example, got underway with several important product announcements in March of this year, many of which are described in this article. Adaptive Threat Defense aims to protect every packet and every packet flow on a network.

The first phase of the Self-Defending Network strategy involves integrating security capabilities directly into network elements, such as routers, switches, wireless access points, and standalone network appliances. The second phase, which includes the industrywide Cisco Network Admission Control (NAC) effort, involves security-enabled network elements communicating with one another in a collaborative manner, such as an intrusion prevention system (IPS) telling an access control list (ACL) to deny access to a connection. It also extends the security capabilities to the user endpoint devices that connect to other networks and might infect the corporate network.

Why has it now grown necessary to protect every packet and flow? One reason is that, increasingly, security attacks are being introduced from within Web-enabled applications, which use HTTP's port 80 to communicate.

"Web applications, while empowering users, open the door to application abuse as traffic traverses multiple networks and potentially picks up virulent code," says Jayshree Ullal, senior vice president of Cisco's Security Technology Group.

A slew of new Cisco products protect against application abuse, identify and thwart intrusions at Layer 7, and even eliminate the sources of attacks. To do so, they leverage capabilities such as deep-packet inspection, networkwide event correlation, context-based policies, and policy auditing. To combat application abuse, for example, application inspection firewalls have been added to the Cisco PIX 7.0 Firewall appliance and to the Cisco IOS Software firewall in Cisco IOS Software Release 12.3(14)T, as well as to a new, next-generation appliance that combines several Cisco-leading security technologies: the Cisco ASA 5500 Series Adaptive Security Appliance.

Application inspection firewalls now check port compliance for HTTP (port 80) and e-mail (SMTP, port 25). In other words, the engines inspect the traffic on these Layer 4 ports to make sure that it is, indeed, the type of traffic intended for that port, rather than trusting the port number alone. "This helps network operators control port misuse by rogue applications that hide traffic inside Web and e-mail applications to avoid detection," says Ullal.
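As an added illustration of that port-compliance check (example code written for this reprint, not Cisco's inspection engine), the classifier below looks at the first bytes a client sends on a flow and decides whether they look like the protocol the port is meant to carry, so that an SSH session or a TLS handshake tunnelled over port 80, or an HTTP request aimed at the mail port, is flagged for denial. The sample flows are constructed, and the permitted-method list and the exact byte patterns are assumptions of the example, not a published policy.

```python
"""Toy port-conformance inspection for HTTP (port 80) and SMTP (port 25)."""
import re

# Assumed policy: only these request methods are allowed on port 80.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}

HTTP_REQUEST = re.compile(rb"^([A-Z]{3,7}) \S+ HTTP/1\.[01]\r\n")
SMTP_COMMAND = re.compile(
    rb"^(HELO|EHLO|MAIL FROM|RCPT TO|DATA|RSET|NOOP|QUIT|STARTTLS|AUTH)(?:[ :\r]|$)",
    re.IGNORECASE,
)

# Constructed sample flows: (destination port, first bytes sent by the client).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),   # method not in policy
    (80, b"SSH-2.0-OpenSSH_3.9p1\r\n"),                        # SSH tunnelled over the web port
    (80, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x01"),    # TLS ClientHello on port 80
    (25, b"EHLO mail.example.com\r\n"),
    (25, b"GET / HTTP/1.0\r\n\r\n"),                            # HTTP hiding on the mail port
    (443, b"\x16\x03\x01\x00\xc8"),                             # no inspection policy for 443
]


def inspect(port, first_bytes):
    """Return (verdict, reason) for the opening client bytes of one flow."""
    if port == 80:
        m = HTTP_REQUEST.match(first_bytes)
        if not m:
            return "deny", "payload on port 80 is not an HTTP request"
        if m.group(1) not in ALLOWED_METHODS:
            return "deny", f"HTTP method {m.group(1).decode()} not permitted"
        return "permit", "HTTP request"
    if port == 25:
        if SMTP_COMMAND.match(first_bytes):
            return "permit", "SMTP command"
        return "deny", "payload on port 25 is not SMTP"
    return "permit", "no inspection policy for this port"


def inspect_flows(flows):
    """Classify every flow; returns a list of (port, verdict, reason)."""
    return [(port, *inspect(port, data)) for port, data in flows]


if __name__ == "__main__":
    for port, verdict, reason in inspect_flows(SAMPLE_FLOWS):
        print(f"port {port:>3}: {verdict:<6} {reason}")
```

The point of the check is the pairing of port and grammar: a TLS ClientHello is perfectly legitimate on 443 and is flagged only when it shows up on a port whose policy expects plain HTTP.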

Overarching Security Monitoring and Response System
A pivotal advancement in Cisco's ability to protect every packet and every flow is its recent introduction of a networkwide security management system called the Cisco Security Monitoring, Analysis and Response System (CS-MARS).

"CS-MARS basically enables, for the first time, the comprehensive, centralized management of a Cisco Defense-in-Depth network," says Greg Simmons, customer solution manager in the Network Management Technology Group at Cisco.

The system, a fruit of Cisco's recent acquisition of Protego Networks, Inc., collects security event data from every network element configuration, host log, and TCP and UDP session (packet flow) in real time. It then correlates them all with one another and with corporate security policies to determine whether each event is legitimate.

"You could shut down one offending laptop centrally using CS-MARS," explains Simmons.

All security capabilities integrated into Cisco routers, switches, firewalls, appliances, and Cisco IOS Software, including many new features described herein, continue to act as "soldiers," each defending against individual attacks on a particular endpoint, explains Timothy Smith, technical marketing engineer in Cisco's Network Management Technology Group. These devices, in addition to some non-Cisco devices, continually feed event data to CS-MARS.

The CS-MARS system, by contrast, behaves as the "general" by overseeing the entire security battlefield. It cross-relates all the security activity, creating and unleashing a top-down combat strategy. All devices in a given TCP or UDP session between any two hosts, both Cisco and non-Cisco devices, report data up to CS-MARS, which can identify every device in the path of that session.

Having this information allows network managers to identify an attack, alert the user, and shut down the source of the attack, says Smith. CS-MARS will send the network administrator the appropriate command to execute an action to excise the problem from the network at its source. By contrast, the job of the soldiers, the various individual security products, is to act on the immediate effect of the attack at its point of potential impact at the various layers of the network.

FIGURE 1 Security is an infinite, ever-evolving process that encompasses all three phases of the Cisco Self-Defending Network strategy.

CISCO SELF-DEFENDING NETWORK STRATEGY (figure)
Phase 1: Integrated Security, launched 2000. Security capabilities are embedded into network elements such as switches and routers.
Phase 2: Collaborative Security, launched 2003. Embedded security capabilities are linked across the network and extended to user endpoints.
Phase 3: Adaptive Threat Defense, launched March 2005. The network gains the ability to protect every packet and every flow and eradicate attacks at their source.

Additionally, by knowing the full path an attacker has traversed, CS-MARS can protect the network in other ways. For example, it might anticipate that the CPU or memory in a given router, access switch, or application server is on the verge of maxing out because of a flood of packets.

"CS-MARS would then take action, delivering a command, say, to leverage another network element in the path of the failing device to save it and prevent denial of service," says Smith.

CS-MARS also serves as a Cisco NetFlow collection engine. NetFlow is a Cisco IOS Software capability for counting the packets in individual traffic flows, helping network operators quickly spot traffic patterns and account for usage of network resources. "CS-MARS might use NetFlow counts to determine that a port is experiencing a sharp rise in traffic, which is one variable," explains Smith. Then CS-MARS will determine, based on other data, such as intrusion protection signatures and firewall logs, whether an attack is occurring on a particular device, for example in Building 6, Floor 2, Conference Room B (displayed on the CS-MARS console in these easily understandable parameters).

"Not only do I learn which devices are causing the anomalous traffic, CS-MARS gives me the command to shut those devices down," Smith says.
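Here is a small Python sketch of that kind of correlation, added for this reprint; it is not CS-MARS code and does not reflect the product's internal rules. Per-minute NetFlow counts are checked for a sharp rise against each source host's own earlier baseline, IPS events and firewall denies are gathered as corroborating evidence, and only a host with both a surge and corroboration becomes an incident, annotated with its physical location and the suggested port-shutdown command. The telemetry, the signature names, the syslog line (written in the style of a PIX/ASA 106023 deny message), the location table, and the ten-times surge threshold are all constructed for the example.

```python
"""Toy NetFlow / IPS / firewall-log correlation (illustration only)."""
import re
from collections import defaultdict
from statistics import median

SURGE_FACTOR = 10    # assumed: a minute with >= 10x the host's earlier median is a surge

# Constructed NetFlow summary: (minute, source host, destination port, flows seen).
NETFLOW = [
    (0, "10.1.6.22", 445, 12), (1, "10.1.6.22", 445, 15), (2, "10.1.6.22", 445, 14),
    (3, "10.1.6.22", 445, 940), (4, "10.1.6.22", 445, 1210),
    (0, "10.1.6.40", 80, 30), (1, "10.1.6.40", 80, 31), (2, "10.1.6.40", 80, 29),
    (3, "10.1.6.40", 80, 650), (4, "10.1.6.40", 80, 700),   # surge, but nothing else agrees
    (0, "10.1.6.77", 22, 5), (1, "10.1.6.77", 22, 6),
]
# Constructed IPS events: (minute, attacking host, signature name).
IPS_EVENTS = [
    (3, "10.1.6.22", "hypothetical SMB worm propagation signature"),
    (2, "10.1.6.77", "hypothetical port-scan signature"),   # IPS alone, no surge
]
# Constructed firewall log line in the style of a PIX/ASA 106023 deny message.
FIREWALL_LOG = [
    '%PIX-4-106023: Deny tcp src inside:10.1.6.22/3391 dst dmz:10.1.20.5/445 by access-group "inside_in"',
]
# Constructed mapping from host to where it is plugged in.
LOCATIONS = {
    "10.1.6.22": {"where": "Building 6, Floor 2, Conference Room B", "port": "GigabitEthernet2/14"},
}
DENY_RE = re.compile(r"Deny (\w+) src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)")


def flow_surges(netflow):
    """{host: (minute, flows, baseline)} for hosts whose per-minute flow count
    jumps to SURGE_FACTOR times the median of their earlier minutes."""
    per_host = defaultdict(lambda: defaultdict(int))
    for minute, src, _port, flows in netflow:
        per_host[src][minute] += flows
    surges = {}
    for host, series in per_host.items():
        minutes = sorted(series)
        for i in range(1, len(minutes)):
            baseline = median(series[m] for m in minutes[:i])
            if series[minutes[i]] >= SURGE_FACTOR * max(baseline, 1):
                surges[host] = (minutes[i], series[minutes[i]], baseline)
                break
    return surges


def corroboration(ips_events, log_lines):
    """Collect IPS hits and firewall denies per source host."""
    evidence = defaultdict(list)
    for minute, host, signature in ips_events:
        evidence[host].append(f"IPS: '{signature}' at minute {minute}")
    for line in log_lines:
        m = DENY_RE.search(line)
        if m:
            proto, src, dst, dport = m.groups()
            evidence[src].append(f"firewall: denied {proto} to {dst}:{dport}")
    return evidence


def correlate(netflow, ips_events, log_lines):
    """A surge that at least one other source corroborates becomes an incident;
    a surge alone or an IPS event alone stays an isolated event."""
    evidence = corroboration(ips_events, log_lines)
    incidents = []
    for host, (minute, flows, baseline) in sorted(flow_surges(netflow).items()):
        if not evidence[host]:
            continue   # e.g. a backup job or software push: noisy but uncorroborated
        loc = LOCATIONS.get(host, {"where": "unknown", "port": None})
        incidents.append({
            "host": host,
            "location": loc["where"],
            "evidence": [f"NetFlow: {flows} flows/min at minute {minute}, baseline {baseline:g}"]
                        + evidence[host],
            # Suggested remediation handed to the operator: shut the access port.
            "action": (f"interface {loc['port']}\n shutdown" if loc["port"]
                       else "no port mapping; isolate manually"),
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(NETFLOW, IPS_EVENTS, FIREWALL_LOG):
        print(inc["host"], "at", inc["location"])
        for line in inc["evidence"]:
            print("  ", line)
        print("   action:", inc["action"].replace("\n", " / "))
```

The reduction step matters as much as the correlation: in the sample data the Web server's traffic surge and the lone port-scan signature both stay isolated events, and only the host that the NetFlow counts, the IPS, and the firewall all point at is promoted to an incident with a proposed action.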

At the high end, the CS-MARS family includes the CS-MARS 200, which processes 10,000 events per second or 300,000 NetFlow records per second, and scales down to the CS-MARS 20, which processes 500 events per second. From a configuration standpoint, a CS-MARS 200 could serve a single large site; alternatively, multiple smaller devices could be distributed at remote sites and report up to a CS-MARS Global Controller, explains Smith.

Multifunction Security Appliance
A new "soldier" in the Cisco security portfolio is an integrated device that addresses the Adaptive Threat Defense landscape by combining multiple Cisco security technologies into a single, extensible appliance:

■ Firewall technology

■ VPN capabilities, both IP Security (IPSec) and Secure Sockets Layer (SSL) technologies

■ Inline IPS technology

The Cisco ASA 5500 Series includes the Cisco ASA 5540 at the high end (650 Mbit/s of firewall throughput, even as new services are added), the Cisco ASA 5520 for mid-range performance, and the Cisco ASA 5510 at the low end. Each platform provides application firewall services and flexible IPSec and SSL VPN connectivity. The optional Advanced Inspection and Prevention Security Services Module (AIP-SSM) supports IPS and network-based antivirus, worm, and spyware protection, according to Michael Jones, product line manager at Cisco.

A unique, extensible services architecture, called Adaptive Identification and Mitigation (AIM), is at the heart of the Cisco ASA 5500 Series design. This architecture allows network operators to apply specific security and network services on a per-traffic-flow basis, providing extensive policy control. Furthermore, the AIM services architecture enables the integration of future threat identification and mitigation services, further extending investment protection and allowing businesses to defend their networks against new threats as they arise.

The Cisco ASA 5500 Series' ability to satisfy a broad range of security roles yields reduced deployment and operations costs. "For example, you can standardize on this single appliance for many of your security needs, including firewalling, VPN connectivity, and intrusion prevention," says Jones. In addition, a unified,Web-based user interface for all ASA functions decreases management complexity and lowers overall operational costs.

"For folks designing new networks, the adaptive security appliances are a great solution for putting all services in one location," says Jones, "or for refreshing an existing site with additional services."

VRF-Aware Firewalling
As mentioned, the new base firewall code is also included in Cisco IOS Software Release 12.3(14)T. This step has rendered the Cisco IOS Firewall virtual routing and forwarding (VRF)-aware.

FIGURE 2 By aggregating, correlating, and analyzing security data from devices networkwide, the CS-MARS security and management system helps users readily identify and eliminate valid network attacks at their source.

CS-MARS: DEFENSE-IN-DEPTH CENTRAL MANAGEMENT (figure). Inputs from the enterprise network: firewall log, switch log, switch configuration, router configuration, IDS event, firewall configuration, NAT configuration, NetFlow, server log, antivirus alert, application log, vulnerability analyzer. Processing stages: isolated events, sessions, correlation and reduction, rules, verify, valid security incidents, remedial action.

In other words, a router that is running multiple routing instances (functioning, in effect, as multiple routers within a single chassis) can now also run multiple Cisco IOS firewalls within that chassis to match, explains Tom Guerrette, product manager in Cisco's IOS and Router Security Marketing Group.

The new software release applies Cisco IOS Firewall functionality to each VRF interface, allowing customers to configure per-VRF firewalls. The firewall inspects IP packets that are sent and received within a VRF. A few noteworthy capabilities of the VRF-aware IOS firewall:

■ It supports overlapping IP address space, thereby allowing traffic from nonintersecting VRFs to have the same IP address.

■ It supports per-VRF (rather than global) firewall command parameters and denial-of-service (DoS) parameters. In the case of a service provider managed service, for example, the VRF-aware firewall can run as multiple instances allocated to various VPN customers.

■ It performs per-VRF URL filtering.

■ The VRF-specific syslog messages it generates can be seen only by a particular VPN, allowing that VPN's network administrators to manage their own firewall.

■ It supports the ability to limit the number of firewall sessions per VRF.

The same capabilities apply to the Cisco PIX 7.0 Firewall and Cisco Adaptive Security Appliances as well (on those platforms the unit of virtualization is the security context, which partitions one appliance into multiple virtual firewalls).

Checking Conformance to Policy, Best Practices The Cisco Security Auditor is a new component of Cisco’s securitymanagement suite that enables customers to cost effectively audittheir network security infrastructure postures. With the tool, they

can automatically check for conformance to their corporate secu-rity policies and, simultaneously, check against multiple industrybest practices such as those set by Cisco, the US National SecurityAgency (NSA), and the Center for Internet Security (CIS).

“Having the ability to measure, compare, and report on the secu-rity status of a dynamic network helps efficiently manage net-working security risks and meet government security mandates,”says Flynn.

The software allows automated auditing of thousands of devices,significantly reducing the time required to audit a network. TheCisco Security Auditor also provides easily understood securityimprovement recommendations, including those required to correctdeviations from security policy, which would have previouslyrequired time consuming manual analysis and the use of scarceexperienced staff.

Cisco NAC Initiative

The industrywide Cisco NAC initiative embeds endpoint scanning technology from partners such as antivirus developers McAfee, Symantec, and Trend Micro directly into Cisco network elements, such as switches, routers, and, now, Cisco VPN 3000 Series concentrators. Combined with Cisco Trust Agent software, which resides on client endpoints and uses IEEE 802.1X and RADIUS authentication technology to report endpoint posture to the network, it helps keep all connections to the corporate network free of infection.

NAC APIs have been opened up to independent software vendors (ISVs) who have joined the NAC initiative, so that their own software management systems can have the Cisco network infrastructure automatically check patch status or handle authentication and software management. Among the ISVs shipping NAC-enabled products are IBM (the IBM Tivoli Security and Identity Management Product Suite), Computer Associates (eTrust AntiVirus and eTrust PestPatrol), and InfoExpress (CyberGatekeeper Server 3.1 and CyberGatekeeper Policy Manager 3.1).


SERVICES CONVERGENCE FOR THOROUGH PROTECTION

[Figure 3 elements: worms and viruses, spyware and adware arriving from the public Internet; IPSec and SSL VPN connections terminating on a Cisco ASA 5500 Series appliance at the corporate site. Cisco ASA 5500 Series security services: integrated firewall, VPN, intrusion prevention, DoS mitigation.]

FIGURE 3 The Cisco Adaptive Security Appliances' integration among security functions allows different per-user policies based on IPSec or SSL credentials.


Self-Defending Network, Continued from page 29

Reprinted with permission from Packet® magazine (Volume 17, No. 2), copyright © 2005 by Cisco Systems, Inc. All rights reserved.


Cisco Clean Access: NAC in Appliance Form

Cisco now also offers Cisco Clean Access, an all-in-one NAC appliance option, resulting from its recent acquisition of Perfigo, Inc. Falling beneath the NAC umbrella, Clean Access is a self-contained solution for conducting posture assessment and automatic checks for the latest antivirus updates and critical OS patches. In recent deployments of Cisco Clean Access, the number of computers requiring intervention by IT staff due to viruses and worms dropped dramatically. At Arizona State University, for example, the number of computers requiring IT staff intervention plunged from 6000 to 50 after Clean Access was deployed.

Clean Access doesn't require 802.1X authentication or client software. Client software is available, however, and deeper scanning capabilities and simplified remediation are possible by downloading the agent, says Irene Sandler, Clean Access marketing manager at Cisco.

In the in-band product, all hosts attempting to gain access to the network traverse the Clean Access server. In the out-of-band configuration, which began shipping in April, Clean Access works together with Cisco switches to provide Layer 2-based quarantining for non-compliant machines, which are then repaired by the Clean Access server. Once properly remediated, the now-compliant host is placed back on the production network, where its traffic no longer passes through the Clean Access server (hence “out of band”).

The out-of-band Clean Access version also allows network administrators to create and enforce policies through a central interface. Policies can be defined on a per-role basis.

“This makes it extremely easy for an administrator to assign a certain level of permission or compliance requirements to employees, for example, while applying a separate level of compliance for guests,” Sandler says.

Intrusion Prevention Improvements

Cisco IOS IPS, introduced in Cisco IOS Software Release 12.3(8)T, delivers a new level of inline accuracy to identify and halt more of the threats businesses face without impacting legitimate traffic. Cisco IOS IPS goes beyond traditional IPS products by using risk-based analysis and real-time correlation to improve prevention accuracy, says Guerrette. The system divides supported signatures into signature micro engines (SMEs). In Cisco IOS Software Release 12.3(14)T, three new SMEs were added that represent “where most of the new attacks seem to be going,” according to Guerrette. “As a result, new attacks will be discovered and stopped more rapidly,” he says.

Meantime, Cisco Security Agent Version 4.5 host-based IPS software adds support for localized, non-US operating systems and expands platform support to include Red Hat-based Linux servers and desktops and Windows clusters. Management scalability for large enterprises has been increased to 100,000 agents from a single Cisco Security Agent Management Center. Advanced integration with NAC allows policies to be dynamically changed based on the NAC security posture, logged-on user, or location of the end device.

21st Century Security

With the addition of the Cisco Adaptive Threat Defense phase to the Self-Defending Network strategy, multiple layers of built-in network security now reach from an Ethernet port to the interior of a Web application. With this phase comes a much improved security paradigm for the 21st century.

“Protection is no longer dependent on just antivirus software and signatures,” says Ullal. “It is built on behavioral and trusted clients that work closely and collaboratively with the network.”

With the disappearance of a definable network perimeter and security threats coming at networks from every angle, point products alone no longer are an adequate defense. An integrated and proactive multilayered system makes the Self-Defending Network, now a requirement to ward off the consequences of rapidly propagating attacks, possible. And security will be an ongoing process that will likely be forever evolving as networks, applications, and threats themselves change.


FURTHER READING

■ Cisco Security Product Reference Sheet
cisco.com/packet/172_6a1

■ Cisco Self-Defending Network
cisco.com/go/security

APPLIANCES VERSUS INTEGRATED SOFTWARE

The form factor in which you choose to deploy security likely will depend on your organizational structure, the state of your existing equipment, and your technology preference and philosophy. Here are some considerations:

Are your network operations and security operations handled separately within your organization? If so, it might be simpler to have the separate groups administer policies using separate devices.

Are you in an upgrade cycle with your router software and resources? If so, now may be the time to add security features. If not, it might be simpler and less expensive to go the appliance route.

Similarly, if you have maxed out the number of slots in your router, yet aren't considering an upgrade for a while, you might consider an appliance.

If you are considering products for a branch office, you might prefer integrating your capabilities in an all-in-one software-based router/switch approach to reduce capital expenditures (CapEx) and to conserve real estate. You might prefer to put your resources instead into a discrete appliance at your headquarters and other very large sites.



Keeping Voice Confidential



IP VOICE PACKETS are rapidly spilling over from converged WAN services and onto enterprise LANs. In the US alone, IP phone extensions are expected to more than triple from about 14 million in 2004 to about 45 million in 2008, according to the Insight Research Corporation in Boonton, New Jersey.

As installations grow, so do user worries about security ramifications. Indeed, businesses will certainly want to continue taking precautions to prevent “stolen” long-distance phone service and to ensure that access to voice resources, such as voice mail, remains private.

The integrated, systems approach used to secure IP networks today already protects a large number of business-critical applications, and there is a great deal of experience protecting separate circuit-switched PBX systems in the traditional voice community. So the remaining question is: How do we best leverage the strengths of both groups to deliver advanced IP communications voice services that are as secure as, or more secure than, the legacy systems they are replacing?

Identifying the Threats

Let's start by identifying the threats to the voice network components and service, then discuss the ways to mitigate them. Some risks threaten the availability and quality of the voice service itself and the privacy of voice conversations. Others come in the form of using the voice network as a catalyst to penetrate the data network, which is where the most valuable assets for theft generally reside.

The most common threats in a premises-based voice-over-IP (VoIP) environment fall into the following primary categories:

■ Theft of service, or toll fraud

■ Unauthorized access to voice resources, such as voice mail

■ Compromise of the data network using voice devices and infrastructure as an entry point

■ Downtime/denial of service (DoS) and associated loss of productivity

■ Invasion of call privacy (eavesdropping)


The Key Risks of VoIP Joining the Network and How to Mitigate Them



As in the case of the data network, most susceptibilities can be thwarted by applying standard network design and configuration best practices to voice network elements in a multilayered, or defense-in-depth, manner.

The first two threats are handled in an IP environment the same way they would be in a circuit-switched environment. Preventing hackers from dialing into your PBX and back out onto a long-distance network is usually a matter of disallowing extension transfers to outbound ports, for example.

Keeping access to voice resources restricted to intended recipients is important so that outsiders don't gain insight into who is communicating with whom and learn about potential business partnerships, acquisitions and mergers, confidential R&D information, etc. Strong access codes, passwords, and encryption assist here.

The remaining threats, data theft (a voice-assisted network break-in), denial or degradation of service, and eavesdropping, are more closely related to voice and data packets sharing a common infrastructure. Among the defenses against these remaining vulnerabilities:

■ Voice virtual LANs (VLANs), or logical network segmentation

■ Disablement of certain features on certain phones, depending on their location and use

■ Use of application-layer firewalls and access control lists (ACLs)

■ Use of resource-limiting to tame the impact of DoS attacks

■ Media and link encryption

Let’s take a look at how to apply each.

Segmentation Lowers Risk

Assigning voice traffic to specific VLANs to logically segment voice and data traffic is an industrywide accepted best practice. As much as possible, devices identified as voice devices should be restricted to dedicated voice VLANs, and, as such, they could communicate only with other voice resources. More importantly, explains Roger Farnsworth, senior systems marketing manager in Cisco's IP Communications Security Group, the voice traffic is kept away from the general data network where it might more easily be intercepted or tampered with.

“VLANs help prevent rogue devices from plugging into the network. VLANs have specific membership criteria, and devices joining a VLAN must meet the criteria in order to authenticate to them,” Farnsworth explains. “Nontelephony devices would ideally be kicked off a VLAN configured to carry voice traffic only.”

From a DoS perspective, segmenting voice into its own logical VLANs will limit the probability of an attack, says Greg Moore, a technical marketing engineer in Cisco's IP Communications Security Group. Hackers tend to write viruses for the most popular software, which, to date, has been general-purpose data server operating systems.

“The scope of responsibility for call-processing components such as a Cisco CallManager server is more limited than that of a general-purpose data server,” Moore notes. “So keeping voice logically separate reduces voice's susceptibility to these intrusions.”

Voice VLANs, by the way, carry a strong quality-of-service (QoS) side benefit: they can be prioritized over data VLANs in a switch/router's priority queue to consistently reduce VoIP latency.

When building VLANs, Farnsworth recommends not using the default VLAN (VLAN 1 on Cisco switches) for voice, so that the VLAN number isn't easy for a hacker to guess. “And use non-contiguous-numbered VLANs for the same reason,” he adds. Unusual VLAN numbering is obscurity rather than access control, however; it complements, but does not replace, the VLAN membership enforcement and phone authentication described in this article.

Authentication and Security of IP Phones

An important component of a secure voice network is that IP phones, handsets and softphones alike, are authenticated as legitimate participants in the IP telephony network by registering with the call server (Cisco CallManager or CallManager Express).

“Management of identity is a crucial component of voice security,” says Farnsworth.

Moore also recommends some physical best practices for IP phones. One is disabling the phone ports to which downstream PCs connect in environments where people other than employees could gain network access, such as a lobby, cafeteria, loading dock, or guard shack. Similarly, he advises disabling Web access to IP phones in such public areas.

“You can potentially learn a whole lot about a network by compromising an unprotected phone,” he explains. “The XML applications on the phone use the same HTTP port 80 that Web applications do.”

Though voice and data might be logically separated, port 80 might be open to IP phones, allowing an intruder from the Web onto the phone and, from there, onto the voice network.

“ACLs should be written so that only XML servers can get to phones, and phone-to-Web access over port 80 should be disabled,” he advises. “You can configure all this using Cisco CallManager.”


EXTENDING ITSELF As IP telephony grows, so will security worries.

NUMBER OF US IP PBX PHONE EXTENSIONS INSTALLED (IN MILLIONS)

Year     Extensions (millions)
2004     13.6
2005     19.4
2006*    26.6
2007*    35.3
2008*    45.2

Source: Insight Research Corp., Boonton, N.J.
*Projected




DoS and Resource-Limiting

Using rate limiting and QoS tools can also help secure voice networks against downtime caused by DoS attacks and other types of packet flooding, says Farnsworth. Limiting the amount of processor and link resources that can be consumed by a given protocol, for example, curbs the impact that a DoS attack can have, he explains.

Moore adds that LAN Microflow Policing, a Cisco QoS capability, handles this function on a per-flow basis, allowing users to limit one IP address, or session, to a certain amount of bandwidth, for example. Doing this would prevent an attack emanating from a particular IP source address from consuming more than the maximum amount of bandwidth specified (always leaving some capacity left over for production traffic).
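The per-source policing just described, as an added example that is not from the article or from Cisco: one token bucket per source IP address, applied to a constructed one-second packet trace. The addresses, the 128 kbit/s rate, the 8000-byte burst and the packet sizes are assumptions, and time is kept in integer milliseconds so the result is exact.

```python
# Added example (not from the article): per-source-IP token-bucket policing,
# the mechanism behind per-flow (microflow) policing, applied to a constructed
# packet trace. Addresses, rates and packet sizes are assumptions.
from collections import defaultdict


class TokenBucket:
    """Token bucket with integer arithmetic: time in ms, tokens in bytes."""

    def __init__(self, rate_kbps, burst_bytes, now_ms):
        self.rate = rate_kbps // 8          # bytes credited per millisecond
        self.burst = burst_bytes            # bucket capacity (max burst)
        self.tokens = burst_bytes           # a new flow starts with a full bucket
        self.last = now_ms

    def conform(self, now_ms, size):
        """Credit tokens for elapsed time; debit the packet if it fits."""
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police_per_source(packets, rate_kbps=128, burst_bytes=8000):
    """packets: iterable of (time_ms, src_ip, size_bytes) in time order.
    Each source gets its own bucket, so one flooding host cannot starve another
    source. Returns {src_ip: (forwarded_bytes, dropped_bytes)}."""
    buckets, stats = {}, defaultdict(lambda: [0, 0])
    for t, src, size in packets:
        if src not in buckets:
            buckets[src] = TokenBucket(rate_kbps, burst_bytes, t)
        stats[src][0 if buckets[src].conform(t, size) else 1] += size
    return {src: tuple(v) for src, v in stats.items()}


def sample_trace():
    """Constructed one-second trace: a G.711 phone (200-byte packets every 20 ms,
    about 80 kbit/s) and a flooding host (1500-byte packets every 1 ms, 12 Mbit/s)."""
    voice = [(i * 20, "10.1.10.21", 200) for i in range(50)]
    flood = [(i, "10.1.10.66", 1500) for i in range(1000)]
    return sorted(voice + flood)
```

police_per_source(sample_trace()) yields (10000, 0) for the phone, whose 80 kbit/s never drains its bucket, and (22500, 1477500) for the flooder, which gets its 8000-byte burst plus the contracted 16 bytes per millisecond and nothing more. The excess is discarded at the flooder's own ingress and never reaches the queue the phone shares with production traffic.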

In addition, a suite of features called Catalyst Integrated Security (CIS) foils these attacks before they happen. Among these tools are Dynamic ARP Inspection, which checks ARP packets at Layer 2 against the DHCP snooping binding table and flags those whose sender MAC/IP pair contradicts it, and IP Source Guard, which does the same for the source addresses of Layer 3 traffic. Both features are available in the Catalyst and Cisco IOS Software operating systems. Upon finding any such contradictions, these features can be programmed to drop the associated packets or disable the associated port, Moore says.
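The binding-table checks behind Dynamic ARP Inspection and IP Source Guard, written out as an added example that is not from the article or from Cisco's implementation. The DHCP snooping bindings, port names, MAC and IP addresses, the trusted uplink and the err-disable threshold are all constructed assumptions.

```python
# Added example (not from the article): the checks Dynamic ARP Inspection and
# IP Source Guard apply, run over constructed frames and a constructed
# DHCP-snooping binding table. Ports, MACs, IPs and threshold are assumptions.
from collections import Counter

# DHCP-snooping binding table: ingress port -> set of (mac, ip) it learned.
BINDINGS = {
    "Fa0/1": {("0011.2233.4455", "10.1.10.21")},   # IP phone
    "Fa0/2": {("0011.2233.6677", "10.1.10.22")},   # second phone (attacker sits here)
}
TRUSTED_PORTS = {"Gi0/1"}    # uplink toward DHCP server/CallManager: not inspected
ERRDISABLE_THRESHOLD = 3     # drops on one port before we shut it (assumed policy)


def dai_verdict(port, frame):
    """Dynamic ARP Inspection: an ARP on an untrusted port is forwarded only if
    its sender MAC/IP pair is in the snooping binding for that port."""
    if port in TRUSTED_PORTS or frame["proto"] != "arp":
        return "permit"
    if (frame["sender_mac"], frame["sender_ip"]) in BINDINGS.get(port, set()):
        return "permit"
    return "drop"


def ipsg_verdict(port, frame):
    """IP Source Guard: an IP packet on an untrusted port is forwarded only if
    its source IP (and, with port security, source MAC) matches the binding."""
    if port in TRUSTED_PORTS or frame["proto"] != "ip":
        return "permit"
    if (frame["src_mac"], frame["src_ip"]) in BINDINGS.get(port, set()):
        return "permit"
    return "drop"


def inspect(frames):
    """Run the matching check per frame; return verdicts and ports to err-disable."""
    verdicts, drops = [], Counter()
    for port, frame in frames:
        check = dai_verdict if frame["proto"] == "arp" else ipsg_verdict
        v = check(port, frame)
        verdicts.append(v)
        if v == "drop":
            drops[port] += 1
    errdisable = sorted(p for p, n in drops.items() if n >= ERRDISABLE_THRESHOLD)
    return verdicts, errdisable


def sample_frames():
    """Constructed traffic: legitimate ARP and IP from the phone and gateway, then
    an attacker on Fa0/2 poisoning the gateway mapping and spoofing the phone."""
    arp = lambda mac, ip: {"proto": "arp", "sender_mac": mac, "sender_ip": ip}
    ip = lambda mac, src: {"proto": "ip", "src_mac": mac, "src_ip": src}
    return [
        ("Fa0/1", arp("0011.2233.4455", "10.1.10.21")),  # phone announces itself
        ("Fa0/1", ip("0011.2233.4455", "10.1.10.21")),   # phone talks to CallManager
        ("Gi0/1", arp("0000.0c07.ac01", "10.1.10.1")),   # real gateway on trusted uplink
        ("Fa0/2", arp("0011.2233.6677", "10.1.10.1")),   # attacker claims gateway IP
        ("Fa0/2", arp("0011.2233.6677", "10.1.10.21")),  # attacker claims phone's IP
        ("Fa0/2", ip("0011.2233.6677", "10.1.10.21")),   # attacker spoofs phone's source
        ("Fa0/2", ip("0011.2233.6677", "10.1.10.22")),   # attacker's own address passes
    ]
```

inspect(sample_frames()) permits the three legitimate frames, drops the two poisoned ARPs and the spoofed IP packet, still permits the attacker's correctly addressed traffic (the binding, not the port, is what is judged), and nominates Fa0/2 for err-disable once it crosses the threshold. The uplink is trusted so the real gateway's ARP is never inspected; marking the wrong port trusted is the classic misconfiguration that silently disables both features.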

Access Control and OS Protection

First-generation firewalls looked only at IP address information and matched it against ACLs for a permit/deny decision. Application-layer firewalls, however, can now inspect Layer 4 port information and Layer 7 application data in the packet, not just the IP header, to make more informed decisions about whether traffic is indeed legitimate.

Because VoIP signaling protocols negotiate media on dynamically chosen ports, for example, application-layer firewalls are necessary to follow the session and open and close ports as needed, rather than leaving a range of ports open and potentially vulnerable to intruders.

Firewalls and associated ACLs, then, must be configured uniquely for VoIP to allow signaling to take place between IP handsets or softphones and Cisco CallManager or CallManager Express call servers (and Real-time Transport Protocol [RTP] media servers, in the case of streaming applications). Also, certain applications are uniquely aligned with VoIP, such as Cisco's Attendant Console automated call-routing application and Web Dialer click-to-dial application. The Layer 4 session ports used by these applications must be known and configured to grant privilege for them to work through the firewall.
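How an application-layer firewall follows the signaling and opens media pinholes only for the ports a call actually negotiates, as an added example that is not from the article or from any Cisco product. SIP with SDP is used because it is text and easy to show; the principle is the same for SCCP or H.323. The two phones' addresses, the media ports and the Call-ID are constructed.

```python
# Added example (not from the article): a minimal VoIP-aware pinhole table.
# It parses the SDP offer/answer in SIP signaling, opens RTP/RTCP pinholes
# between exactly the negotiated endpoints, and closes them on BYE.
# Addresses, ports and Call-ID below are constructed.
import re


def parse_sdp(body):
    """Return (connection_ip, audio_port) from an SDP body, or None."""
    ip = port = None
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    return (ip, port) if ip and port else None


class VoipPinholeTable:
    """Tracks negotiated media endpoints per Call-ID and the 4-tuples they open."""

    def __init__(self):
        self.endpoints = {}   # call_id -> [(ip, port), ...] (offer, then answer)
        self.pinholes = {}    # call_id -> {(src_ip, src_port, dst_ip, dst_port)}

    def process(self, message):
        head, _, body = message.partition("\r\n\r\n")
        request_line = head.split("\r\n", 1)[0]
        m = re.search(r"^Call-ID:\s*(\S+)", head, re.M)
        if not m:
            return
        call_id = m.group(1)
        if request_line.startswith("BYE "):        # teardown closes the holes
            self.endpoints.pop(call_id, None)
            self.pinholes.pop(call_id, None)
            return
        ep = parse_sdp(body)
        if ep is None:
            return
        eps = self.endpoints.setdefault(call_id, [])
        if ep not in eps:
            eps.append(ep)
        if len(eps) == 2:                           # offer and answer both seen
            (ip_a, port_a), (ip_b, port_b) = eps
            holes = set()
            for (sip, sport), (dip, dport) in (((ip_a, port_a), (ip_b, port_b)),
                                               ((ip_b, port_b), (ip_a, port_a))):
                for off in (0, 1):                  # RTP on the even port, RTCP on +1
                    holes.add((sip, sport + off, dip, dport + off))
            self.pinholes[call_id] = holes

    def allows(self, src_ip, src_port, dst_ip, dst_port):
        """Default deny: a media packet passes only through an open pinhole."""
        key = (src_ip, src_port, dst_ip, dst_port)
        return any(key in holes for holes in self.pinholes.values())


# Constructed signaling for one call between two phones.
INVITE = ("INVITE sip:2002@10.1.10.22 SIP/2.0\r\n"
          "Call-ID: abc123@10.1.10.21\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 10.1.10.21\r\nm=audio 16384 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\n"
          "Call-ID: abc123@10.1.10.21\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 10.1.10.22\r\nm=audio 18000 RTP/AVP 0\r\n")
BYE = "BYE sip:2002@10.1.10.22 SIP/2.0\r\nCall-ID: abc123@10.1.10.21\r\n\r\n"


def run_call():
    """Returns (open_before_answer, open_during_call, probe_allowed, open_after_bye)."""
    fw = VoipPinholeTable()
    fw.process(INVITE)
    before = fw.allows("10.1.10.21", 16384, "10.1.10.22", 18000)
    fw.process(OK_200)
    during = (fw.allows("10.1.10.21", 16384, "10.1.10.22", 18000)
              and fw.allows("10.1.10.22", 18001, "10.1.10.21", 16385))
    probe = fw.allows("10.1.10.66", 40000, "10.1.10.21", 16384)   # outsider toward phone
    fw.process(BYE)
    after = fw.allows("10.1.10.21", 16384, "10.1.10.22", 18000)
    return before, during, probe, after
```

run_call() returns (False, True, False, False): nothing is open until both sides have declared their media address, only the two negotiated endpoints can reach each other (RTP and its RTCP companion port), an unrelated host probing the phone's RTP port is refused even while the call is up, and the BYE closes everything. A static ACL permitting UDP 16384-32767 to every phone would have allowed the probe.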

As is part of any network security best practice, operating systems must be kept up to date with patches. Also, host-based intrusion prevention in the form of Cisco Security Agent software and network-based intrusion detection and prevention available in several form factors (see cover story, page 26) help protect the operating systems on servers and the integrity of the network. Appropriately configured versions of Cisco Security Agent are currently supplied for Cisco CallManager, Cisco Contact Center, and Cisco Unity host operating systems as well.

Traffic Interception and Media Encryption

Intercepting traffic is not a trivial exercise, says Moore. “If all the other security layers described have been covered, encryption is not a necessity for everyone.” However, media and link encryption are available as yet another layer of protection that some organizations require.

Cisco enables encryption end to end, between IP phones, using the Secure Real-time Transport Protocol (SRTP). Designed specifically for real-time media such as voice packets, SRTP supports the Advanced Encryption Standard (AES) and is an Internet Engineering Task Force (IETF) standard (RFC 3711). Media encryption using SRTP is more bandwidth-efficient than IPSec, an important consideration for latency-sensitive VoIP transmissions.
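One part of SRTP that matters for eavesdropping and injection defenses but is easy to get wrong in an implementation is the receiver's packet-index estimation and replay window (RFC 3711, sections 3.3.1 and 3.3.2). The following is an added example, not code from the article, from Cisco, or from any SRTP library; it models only that state machine, on a constructed run of RTP sequence numbers, and stands in for the authentication-tag check with a boolean.

```python
# Added example (not from the article): SRTP receiver-side index estimation and
# the 64-packet replay window from RFC 3711. Authentication is represented by
# the auth_ok flag; a real receiver verifies the tag before touching this state.
class SrtpReplayWindow:
    WINDOW = 64   # RFC 3711 requires at least 64 packets of replay history

    def __init__(self):
        self.roc = 0          # rollover counter (how many times SEQ wrapped)
        self.s_l = None       # highest authenticated 16-bit RTP sequence number
        self.highest = None   # highest accepted 48-bit packet index
        self.bitmap = 0       # bit k set => index (highest - k) already seen

    def estimate_index(self, seq):
        """Guess which rollover a packet belongs to from its 16-bit SEQ
        (RFC 3711 section 3.3.1). Returns (index, guessed_roc)."""
        if self.s_l is None:
            return seq, 0
        if self.s_l < 32768:
            v = (self.roc - 1) % 2**32 if seq - self.s_l > 32768 else self.roc
        else:
            v = (self.roc + 1) % 2**32 if self.s_l - 32768 > seq else self.roc
        return (v << 16) + seq, v

    def receive(self, seq, auth_ok=True):
        """Return 'accept', 'replay', 'too_old' or 'auth_fail' for one packet."""
        index, v = self.estimate_index(seq)
        if self.highest is not None and index <= self.highest:
            back = self.highest - index
            if back >= self.WINDOW:
                return "too_old"              # outside the window: cannot vouch for it
            if self.bitmap & (1 << back):
                return "replay"               # already seen at this index
        if not auth_ok:
            return "auth_fail"                # tag computed over the estimated index
        # Only an authenticated packet may move the window or mark a slot.
        if self.highest is None or index > self.highest:
            shift = 0 if self.highest is None else index - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = index
            self.roc, self.s_l = v, seq       # ROC and s_l advance together
        else:
            self.bitmap |= 1 << (self.highest - index)
        return "accept"


def replay_demo(seqs):
    """Feed a constructed sequence-number stream through one receiver."""
    w = SrtpReplayWindow()
    return [w.receive(s) for s in seqs]


# Constructed stream: normal packets, a wrap from 65535 to 0, one late packet
# that is still inside the window, two replays, then a packet that arrives too late.
SAMPLE = [65530, 65531, 65532, 65534, 65535, 0, 1, 3, 65533, 3, 65531, 100, 65570]
```

replay_demo(SAMPLE) accepts the first nine packets (including 65533, which arrives after the wrap but is correctly placed in the previous rollover because the estimator looks at the distance from s_l), rejects the repeated 3 and 65531 as replays, accepts 100, and reports 65570 as too old once the window has moved past it. Note that a replayed packet carrying a valid tag is still rejected; this window, not the cipher, is what stops an attacker from re-injecting captured media.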

Cisco supports media encryption on a wide range of Cisco IP phones, including the Cisco IP Phone 7940G, 7960G, and 7970G. These phones also come with support for industry-standard X.509 digital certificates capable of authenticating the end device for encryption, as opposed to relying on manual entry of encryption key data, easing scalability in large installations.

Media encryption is also available on a wide range of Cisco media gateways, including the Cisco 1800, 2800, and 3800 Series Integrated Services Routers. In addition to supporting SRTP media encryption, these Cisco gateway products support encryption of call setup information using IPSec.

The privacy protection of encryption can also be applied to voice messages via the secure private messaging feature of the Cisco Unity unified messaging system. Messages can be marked private and secure such that only the intended recipient can decrypt and listen to them.

Rise to the Challenge

IP telephony deployments, now quickly on the rise, expose the enterprise to new but manageable risks. Having an understanding of those risks is the first step toward a successful defense. And because the IP telephony service interacts with the IP data infrastructure, mapping defensive measures to the overall networkwide security framework and strategy is critical. Many of the steps used to protect the data network are imperative for also protecting the voice network; likewise, many of the same risks to the circuit-switched voice network need mitigation in the IP network.

From there, running voice VLANs, configuring application-aware firewalls and ACLs to be voice-aware, disabling certain features on phones in public places, and using encryption for privacy are some of the measures that keep the voice network functioning and prevent it from being a conduit to hacking corporate data resources.


FURTHER READING

■ Media Authentication and Encryption Using Secure RTP
cisco.com/packet/172_6c1

■ “Securing your Network for IP Telephony” White Paper
cisco.com/packet/172_6c2




Eradicating Wireless Intruders

WIRELESS NETWORKS offer tremendous mobility, flexibility, and productivity improvements to customers worldwide. Unfortunately, from a security standpoint, they also mean that you are about to become a network broadcaster and introduce new security threat vectors into your network. In fact, a whole new breed of wireless-specific intrusion and denial-of-service (DoS) attacks is challenging wireless LAN (WLAN) vendors to create new levels of detection and prevention services in their WLAN intrusion detection system (IDS) offerings.

Multilayered RF monitoring and wireless intrusion prevention systems leave no room at the wireless LAN table for uninvited guests.




Compounding some of the challenges of broadcasting data over the air is the fact that most wireless-enabled laptops running Windows 2000 or XP, by default, actively seek out any and all Wi-Fi-capable connections with any access point, regardless of whether that access point is authorized or unauthorized. So the challenge becomes not only ensuring safe “air space,” but also safe and secure connections from your computers.

To help guard against these security breaches through rogue devices and intrusion attempts, Cisco offers several wireless best practices that advise network administrators on how to install intrusion detection and protection safeguards to counteract the security ramifications of this situation.

“We can't simply create systems that pop up lots of alarms and alerts and call it the ‘bells and whistles’ approach to IDS that we saw on wired networks over the last 10 years. Our WLAN customers are really looking for wireless intrusion detection and now, wireless intrusion prevention and protection capabilities,” says Bruce McMurdo, product marketing manager in Cisco's Wireless Networking Business Unit.

Now, detection and remedial action take place in a protective model that is both distributed and hierarchical and in which each network layer, from client to data center, plays a role in defending against network threats (see figure). To protect against intrusions, Cisco's wireless architecture offers the following capabilities:

■ Access point authentication

■ Disablement of unauthorized access points

■ Client containment

■ Client policy enforcement

■ Location-based intrusion detection

In the Cisco architecture, Cisco clients and Cisco Compatible Extensions clients, in addition to Cisco Aironet Series access points and Cisco lightweight access points, serve as network intrusion prevention system (IPS) sensors. While all WLAN IDS vendors rely on access points for rogue device detection, Cisco is unique in its ability to extend rogue detection to clients, allowing the Cisco solution to provide more comprehensive detective capabilities as these clients move throughout the WLAN environment.

Identifying and Disabling Rogues

Cisco access points, acting as IPS sensors, report the discovery of rogues to Cisco wireless control and management devices. Then, based on the network administrator's policy, these devices automatically suppress the unauthorized, or rogue, devices that are connected to the network.

Cisco's solution supports both an integrated and an overlay intrusion prevention system. An overlay intrusion prevention system monitors the air space using separate distributed radio sensors. In this case, IT staffs usually must choose between cost and effectiveness: mapping radio sensors to active WLAN access points at a 1:1 ratio ensures the best network coverage but can be cost prohibitive; using fewer sensors can ease the cost but could result in monitoring coverage holes.

“Having a common infrastructure for both your monitoring and your wireless data network gives enterprises better visibility into their networks,” says McMurdo. “Therefore, we recommend an integrated intrusion prevention system in most instances, where access points act as sensors while simultaneously supporting client transmissions.”

Sensors will discover many rogues. “The key is to correctly identify neighboring networks that are friendly and pay vigorous attention only to those actually connected to the corporate network that shouldn't be connected, or access points placed in locations in your environment that shouldn't be there,” says McMurdo.

With rogue access point suppression, the sensors detect wireless-device information, aggregate it, and pass it up to elements in the network that can correlate it and act upon it. When a rogue wireless access point is detected on the network, the WLAN intrusion prevention system sends RF management frames that disassociate any clients that connect to it and attempts to trace and shut down the switch port to which the rogue is connected.
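The triage McMurdo describes, separating friendly neighbors from rogues that are on the corporate wire, written as an added example that is not from the article or from Cisco's WLSE or WCS. It correlates the radios the sensors report with a wired MAC-table snapshot and a list of authorized BSSIDs; all BSSIDs, SSIDs, client MACs, switch names and ports are constructed, and the assumption that a SOHO access point's BSSID sits within one of its Ethernet MAC is a heuristic, not a rule.

```python
# Added example (not from the article): rogue access point triage of the kind a
# WLAN IPS performs after sensors report what they hear. Every identifier here
# is constructed; the BSSID-to-wired-MAC adjacency test is a heuristic assumption.
CORPORATE_SSIDS = {"corp-wlan"}
AUTHORIZED_BSSIDS = {"00:14:1b:aa:00:01", "00:14:1b:aa:00:02"}

# Constructed CAM-table snapshot from the access switches: mac -> (switch, port)
WIRED_MACS = {
    "00:14:1b:aa:00:01": ("sw-floor2", "Gi1/0/1"),    # authorized AP's own MAC
    "00:0c:29:11:22:33": ("sw-floor2", "Gi1/0/7"),    # a laptop also seen via a rogue
    "00:1a:2b:3c:4d:5e": ("sw-floor1", "Gi1/0/12"),   # rogue AP's Ethernet side
}


def _bssid_candidates(bssid):
    """The BSSID itself and its last-octet neighbours (+/-1): many consumer APs
    derive the radio BSSID from the Ethernet MAC by a small offset (assumption)."""
    prefix, last = bssid.rsplit(":", 1)
    n = int(last, 16)
    return [bssid] + ["%s:%02x" % (prefix, (n + d) & 0xff) for d in (-1, 1)]


def classify_ap(ap):
    """ap: dict with bssid, ssid, clients (set of MACs) and ibss (ad hoc flag).
    Returns (classification, action)."""
    if ap["bssid"] in AUTHORIZED_BSSIDS:
        return "authorized", "none"
    if ap.get("ibss"):
        return "ad-hoc", "deauthenticate-clients"
    # On our wire if the AP's MAC (or a near neighbour) or any of its wireless
    # clients shows up in a corporate switch's MAC table.
    for mac in _bssid_candidates(ap["bssid"]) + sorted(ap["clients"]):
        if mac in WIRED_MACS:
            return "rogue-on-wire", "contain-and-shut %s %s" % WIRED_MACS[mac]
    if ap["ssid"] in CORPORATE_SSIDS:
        return "honeypot", "contain"       # impersonates our SSID but is not on our wire
    return "neighbor", "log"               # somebody else's network: watch, don't touch


def triage(observed):
    """Classify every radio the sensors reported; returns {bssid: (class, action)}."""
    return {ap["bssid"]: classify_ap(ap) for ap in observed}


# Constructed scan results as a sensor would aggregate them.
SAMPLE_SCAN = [
    {"bssid": "00:14:1b:aa:00:01", "ssid": "corp-wlan",
     "clients": {"00:0c:29:aa:bb:cc"}, "ibss": False},                 # our own AP
    {"bssid": "00:1a:2b:3c:4d:5f", "ssid": "linksys",
     "clients": {"00:0c:29:11:22:33"}, "ibss": False},                 # employee's SOHO AP on a wall jack
    {"bssid": "00:16:b6:77:88:99", "ssid": "corp-wlan",
     "clients": set(), "ibss": False},                                 # evil twin in the parking lot
    {"bssid": "00:0d:88:12:34:56", "ssid": "cafe-guest",
     "clients": set(), "ibss": False},                                 # the cafe next door
    {"bssid": "02:13:ce:00:00:01", "ssid": "Free Public WiFi",
     "clients": {"00:0c:29:aa:bb:cc"}, "ibss": True},                  # ad-hoc network with our laptop in it
]
```

triage(SAMPLE_SCAN) marks the SOHO AP as rogue-on-wire and names sw-floor1 Gi1/0/12 for shutdown, contains the evil twin without touching a switch port (there is none to find), only logs the cafe, and deauthenticates the laptop from the ad-hoc network. Containing a neighbor's legitimate AP is both a legal and an operational problem, which is why the on-wire test and the SSID test come before any "contain" verdict.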

With Cisco, customers can deploy an intrusion prevention system using a distributed solution or a lightweight solution. The distributed solution uses Cisco Aironet 1230, 1200, 1130, or 1100 Series access points deployed with a Cisco Wireless LAN Solution Engine (WLSE) Release 2.9 and higher and a Cisco Catalyst 6500 Series Ethernet switch with a Wireless LAN Services Module (WLSM). With this solution, all legitimate Cisco and Cisco Compatible wireless client devices, as well as Cisco Aironet access points, gather information about all wireless devices in their immediate vicinity.

The lightweight solution, based on the recently acquired Airespace product portfolio, uses Cisco 1000 Series lightweight access points with a Cisco Wireless LAN Controller and Cisco Wireless Control System (WCS).

Both solutions can be deployed as an IPS where the access point serves the dual purpose of forwarding Layer 2 packets and also acting as a monitoring sensor on the network.

What Are the Threats?

The intrusion-oriented threats to wireless LANs are caused by the difficulty of containing airborne transmissions within the physical boundaries of a given organization's walls and the tendency of wireless client devices to automatically connect to the strongest signal they can find.

“When it comes to theft of data and network break-ins, deploying the encryption and authentication measures in 802.11i, the latest extension to the IEEE 802.11 suite of wireless LAN security standards, is the best protection,” says Jake Woodhams, a technical marketing engineer at Cisco. “However, for thwarting data hijacking and service disruptions enabled by the widespread existence of rogue devices, scanning the airwaves to identify and shut down unauthorized devices is an important practice,” he says.

Specifically, here's what intrusion detection and prevention seek to mitigate:

■ Impact of rogue infrastructure access points. These radios, which plug directly into Ethernet switch ports or wireless LAN controller ports, might be maliciously installed by intruders for corporate hacking. More often, though, they are naively deployed by employees for easy wireless access. Because of the self-deploying nature of client devices, clients in a nearby office, parking lot, or coffee shop might connect with these rogues by intent or by happenstance. Because most enterprises currently have open Layer 2 ports on their Ethernet switches, plugging the rogues into the wired LAN infrastructure gives all clients associating with them access to at least some corporate resources.

■ WLAN traffic “attack” signatures. Volumes of undesirable traffic can make their way onto the wireless transport path, flooding legitimate wireless devices with management frames, authentication requests, and many other types of packets, depending on the type of attack.

■ Ad-hoc networks. When clients associate directly with one another, they form ad-hoc networks. These peer-to-peer connections can pose a risk if an unauthorized client should automatically associate with a legitimate client storing sensitive data, because it could gain access to that device's hard drive. In addition, the association could result in one client piggybacking onto the other's connection to internal wired network resources.

■ Accidental associations. These take place when a neighboring access point's coverage area bleeds into the legitimate organization's air space, triggering the organization's legitimate wireless client devices to connect to the neighboring access point. Once the connection is made, a client device on the neighboring network can fairly easily gain access into the legitimate client and the organization's resources, unless the legitimate client device is protected by software such as a personal firewall or Cisco Security Agent. Cisco Security Agent has recently been enhanced to detect if a client has connected to an invalid subnet range, such as that in an unauthorized network.

To contain the behavior of unauthorized clients connected to rogue access points, Cisco access points in sensor mode can send a deauthentication packet to the client so it will disassociate and find a legitimate access point to which to connect, says Woodhams.

■ Unwanted Spanning-Tree Bridge Loops. In addition to the open-access threat, Windows XP laptops contain a zero-configuration default setting. “This can cause a spanning-tree bridged loop with older Ethernet switches that can paralyze the entire network,” explains Woodhams.

If spanning-tree protocol information is leaked outside the walls of the organization, for example, freeware tools can sniff it and launch a spanning-tree attack that, in effect, results in denial of service for the network backbone, he says.

“Wireless monitoring systems, by detecting any network protocols leaking into the air outside of corporate borders, arm network managers with the knowledge to take corrective action.”

Best Practices and Tools

The most failsafe monitoring solution involves deploying network sensors that can detect the presence of all wireless LAN devices and their activities. Among the key practices and tools:


WIRELESS INTRUSION PROTECTION IS BOTH CENTRALIZED AND DISTRIBUTED

[Figure elements: Data Center Catalyst Switch; Cisco Wireless LAN Solutions Engine (WLSE); Cisco Wireless Control System; Catalyst Switch; Wireless Controller; Wireless Access Points. Functions shown: full RF management and location tracking; rogue device detection and suppression; local signature analysis. IDS data is collected at the access points, aggregated at the controller/switch layer, and forwarded to the management systems.]

LAYERS OF PROTECTION Each layer in the network helps protect corporate resources from data hijacking and denial of service attacks.

Continued on page 89



NOT LONG AGO, the security of storage area network (SAN) solutions was considered secondary to performance, connectivity, and port count. Today, SAN security has moved to center stage. One reason is that more companies are extending their SANs outside the data center to provide business resilience (e.g., disaster recovery), partly in response to US security regulations such as the Gramm-Leach-Bliley Act, HIPAA, and the Sarbanes-Oxley Act, and the European Privacy Directive. These regulations compel organizations to protect private company and customer data as it travels between SANs.

The ever-increasing presence of TrojanHorses, worms, and denial of service(DoS) attacks has increased device secu-rity awareness. “A single compromisedSAN-attached host has the potential todisrupt other hosts attached to the SAN,access unauthorized data within the SAN,or bypass existing firewalls and intrusiondetection systems,” says Lincoln Dale,technical marketing engineer in Cisco’sStorage Group. The myth that FibreChannel is inherently more secure than IPor Ethernet has been debunked, addsDale. “Most of us don’t hear about FibreChannel security problems, but that’s notbecause they don’t exist,” he says. “It’ssimply that attacks on SANs aren’t main-stream due to the relative size of SANscompared to that of IP-based networks.”

Another reason for heightened attentionto SAN security is the growing trendtoward using IP to transport storage traf-fic. “Using a common IP infrastructureand FCIP [Fibre Channel over IP] for SANextension between data centers for disas-ter recovery and business continuance

provides a lower-cost alternative to dedi-cated connectivity,” says Dale. “Mostreplication solutions transfer data unen-crypted, so there is certainly a requirementto protect sensitive data if it’s going overan unsecured network.” Similarly, there isan increasing trend toward providinglower-cost access to storage using SCSIover IP (iSCSI). “iSCSI is popular becausehosts and servers can connect to the net-work using their built-in Ethernet card,eliminating the costs of a host bus adapter[HBA] and Fibre Channel port on theswitch,” says Dale. “However, if the stor-age data is sensitive, both iSCSI and FCIPintroduce the need to protect SAN traffictraveling over IP networks.”

Finally, it is just as important for SANsecurity to prevent accidental data lossand corruption as it is to protect againstintruders. “A zoning configuration errorcan cause as much devastation as if anintentional breach occurred,” notes Dale.

These factors have spurred IT groups toattend to SAN security with the samethoroughness long paid to LAN andWAN security. Until now, one of the fewwidespread SAN security practices hasbeen zoning, or enforcing access controlswithin Fibre Channel. “Zoning is betterthan nothing, but there are relatively easyways to defeat it,” explains Dale. “Softzoning provides ‘security through obscu-rity.’ It’s analogous to keeping a secretmilitary center off a map, but not provid-ing any guards to protect it if found. Hardzoning is better—every frame is checkedas it passes through the switch. But evenhard zoning cannot provide protectionagainst spoofed addresses.”

Many established LAN and WAN securitytechnologies can be applied effectively toSANs, as well. These and SAN securitytechnologies from Cisco provide compa-nies with the economies of IP-based accessand the confidence that their data issecurely protected end to end. “The mostcritical attribute of a data center securityplan is that it is end to end,” says Dale. “ASAN cannot be secured independentlyfrom the LAN or WAN used to access it.”

End-to-End Approach Earns A++Within the Cisco MDS 9000 Family, Cisco has applied its expertise in LANand WAN security measures to the uniquechallenges of SANs. In 2004, Gartnerawarded the Cisco MDS 9000 Series multilayer SAN switches an “A++” forFibre Channel SAN fabric security. Whatdifferentiates the Cisco MDS 9000 is itsattention to all six areas of SAN securityrequirements (see Figure 1, page 44):

Fabric access—secure fabric access to fab-ric services

Target access—secure access to targetsand logical unit numbers (LUNs)

SAN fabric protocol—secure communica-tion and authorization for switch-to-switchFibre Channel protocol communication

IP storage access—secure FCIP, used tointerconnect SANs in two data centers fordisaster recovery or application resilience,as well as secure iSCSI services, used forlow-cost access to lower-end servers

Data integrity and secrecy—encryption ofdata in transit

SAN management access—secure accessto management services

42 PACKET SECOND QUARTER 2005 CISCO SYSTEMS

SANSecurity:Beyond Zoning

By Rhonda Raider

Reprinted with permission from Packet® magazine (Volume 17, No. 2), copyright © 2005 by Cisco Systems, Inc. All rights reserved.


“You can’t have an effective solution if even one of these six elements is missing,” says Dale. “If management security is compromised, for example, an intruder could simply turn off other security mechanisms or make configuration changes to bypass them.”

Also unique in Cisco’s approach to SAN security is that most of the security features are built into the Cisco MDS 9000 Series Switch and do not require purchasing optional licenses (see table, “SAN Security Techniques,” page 44).

Fabric and Target Access Security

Unauthorized fabric and target access can compromise application data, LUN integrity, and application performance. The Cisco MDS 9000 Series multilayer switches provide the following security features to protect against these risks:

Fibre Channel zoning: Zoning restricts communication between devices within the same Fibre Channel fabric, preventing a host from gaining access to a disk used by another host and corrupting its data. Cisco MDS 9000 Series switches support both software-based zoning (soft zoning) and hardware-based zoning (hard zoning) for up to 2000 zones and 20,000 zone members. The switches enforce hard zoning by applying hardware access control lists (ACLs) to every Fibre Channel frame as it is switched.

LUN Zoning and Read-Only Zoning: LUN Zoning, a capability unique to Cisco MDS 9000 Series switches, blends deep frame inspection and hard zoning. IT administrators can restrict access to explicit LUNs within a storage array. Read-Only Zoning is useful for systems such as multimedia servers that do not require write access to storage.

VSANs: VSANs increase the security and stability of the Fibre Channel fabric by logically isolating devices that are physically connected to the same set of switches. “Faults within one fabric are contained within a single VSAN and are not propagated to other VSANs,” explains Dale. No communication is possible between devices in different VSANs except where explicitly allowed through the use of the Cisco MDS 9000 Inter-VSAN Routing feature.

Port security: If an IT administrator enables port security for a particular port, devices can connect to that port only if they are listed as bound to the given port in the port security database.

Port mode security: This mode restricts the function of a port, for example, to prevent edge ports from inadvertently being used for inter-switch links (ISLs).

FC-SP DH-CHAP: FC-SP DH-CHAP provides authentication and integrity for host-to-switch and switch-to-switch communication. All major HBA vendors and some SAN switch vendors support FC-SP DH-CHAP. Authentication can be performed either locally in the switch or remotely through a centralized RADIUS or TACACS+ server. FC-SP DH-CHAP is the only technology available today that provides complete protection against spoofed addresses, because the login is tied to a secret the spoofing device does not hold rather than to a worldwide name it can simply claim.
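The zoning and port-security behaviour described above can be made concrete with a small simulation. The Python below is an added example written for this edit, not code from the article, from Cisco or from the MDS 9000 software; the single-switch fabric, the zone, the port numbers, the pWWNs and the FCID scheme are all assumptions constructed for the demonstration. It plays out the cases the text describes: a host outside the zone probing a target under soft zoning and under hard zoning, the same host logging in with a zone member's pWWN, and port security rejecting that spoofed login.

```python
"""Fibre Channel zoning, spoofing, and port security: a toy fabric model.

Added example, not code from the article or from Cisco. The fabric here is a
deliberately simplified model (assumption: a single switch, pWWN-based zones,
one FCID per port) built to show the three points the article makes:

  * soft zoning only filters name-server replies, so a host that already
    knows a target's FCID can still send frames to it;
  * hard zoning checks every frame, so that direct probe is dropped;
  * a host that logs in with another member's pWWN defeats zoning in either
    mode, which is why identity must be bound to the port (port security)
    or proved cryptographically (FC-SP DH-CHAP) at login.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed identifiers for the demonstration.
HOST_A = "10:00:00:00:c9:aa:aa:01"   # authorized database server
HOST_B = "10:00:00:00:c9:bb:bb:02"   # host that should see no storage
ARRAY = "50:06:01:60:aa:bb:cc:dd"    # storage array port


@dataclass
class Fabric:
    mode: str                                   # "soft" or "hard"
    zones: dict[str, set[str]]                  # zone name -> member pWWNs
    port_bindings: dict[int, str] = field(default_factory=dict)  # port -> bound pWWN
    logged_in: dict[str, int] = field(default_factory=dict)      # pWWN -> FCID

    def flogi(self, port: int, claimed_pwwn: str) -> int | None:
        """Fabric login. With port security, a pWWN not bound to the port is
        rejected; without it the switch believes whatever the HBA claims."""
        bound = self.port_bindings.get(port)
        if bound is not None and bound != claimed_pwwn:
            return None
        fcid = 0x010100 + port                 # domain 1, area 1, port index
        self.logged_in[claimed_pwwn] = fcid
        return fcid

    def _same_zone(self, a: str, b: str) -> bool:
        return any(a in members and b in members for members in self.zones.values())

    def name_server_query(self, pwwn: str) -> set[int]:
        """Name-server reply. Both zoning modes hide non-members here; this is
        all that soft zoning does."""
        return {fcid for other, fcid in self.logged_in.items()
                if other != pwwn and self._same_zone(pwwn, other)}

    def send_frame(self, src_pwwn: str, dst_fcid: int) -> bool:
        """Frame forwarding. Soft zoning forwards anything; hard zoning applies
        a per-frame ACL. Both key the check on the identity presented at login."""
        if self.mode == "soft":
            return True
        dst_pwwn = next((w for w, f in self.logged_in.items() if f == dst_fcid), None)
        return dst_pwwn is not None and self._same_zone(src_pwwn, dst_pwwn)


def run_scenarios() -> dict[str, bool]:
    """Outcome of each scenario; the key names say what True means."""
    zones = {"db_zone": {HOST_A, ARRAY}}
    results: dict[str, bool] = {}
    for mode in ("soft", "hard"):
        fabric = Fabric(mode, zones)
        fabric.flogi(1, HOST_A)
        array_fcid = fabric.flogi(2, ARRAY)
        fabric.flogi(3, HOST_B)
        # HOST_B is not zoned with the array: the name server hides it...
        results[f"{mode}_name_server_hides_array"] = (
            array_fcid not in fabric.name_server_query(HOST_B))
        # ...but only hard zoning drops a frame sent to a guessed or leaked FCID.
        results[f"{mode}_direct_frame_blocked"] = not fabric.send_frame(HOST_B, array_fcid)

    # Spoofing: the machine on port 3 logs in claiming HOST_A's pWWN.
    spoofed = Fabric("hard", zones)
    array_fcid = spoofed.flogi(2, ARRAY)
    spoofed.flogi(3, HOST_A)              # accepted: no port security on port 3
    results["hard_zoning_bypassed_by_spoofed_pwwn"] = spoofed.send_frame(HOST_A, array_fcid)

    # Port security: port 3 is bound to HOST_B, so the spoofed login fails.
    locked = Fabric("hard", zones, port_bindings={3: HOST_B})
    locked.flogi(2, ARRAY)
    results["port_security_rejects_spoofed_login"] = locked.flogi(3, HOST_A) is None
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:45s} {outcome}")
```

Run it directly to print one line per scenario. The point of the last two cases is that hard zoning trusts whatever identity was presented at fabric login; port security binds that identity to a physical port and FC-SP DH-CHAP ties it to a secret, which is why the best-practice table later in this article recommends both.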

SAN Fabric Protocol Security

Many of the same features of the Cisco MDS 9000 Series switches used for fabric and target access security also help ensure SAN protocol security. Additional SAN protocol security capabilities include:

Disruptive Reconfigure Fabric Rejection: This feature protects against human errors by rejecting fabric reconfiguration requests that could cause an outage. These requests might come from misconfigured or new, unconfigured switches when they are attached to an existing fabric.


IBM Fiber Connection (FICON) Fabric Binding: Cisco MDS 9000 switches can restrict participation in a FICON fabric based on the switch and domain ID.

Fibre Channel ID Caching, Persistent Fibre Channel ID Allocation, and Static Fibre Channel ID Assignment: These features provide persistence for the Fibre Channel IDs assigned to port worldwide names (pWWNs), regardless of switch restarts and physical port.

IP Storage Security

iSCSI provides SAN access at a lower price point than that of Fibre Channel. When equipped with optional IP services modules or multiprotocol services modules, Cisco MDS 9000 switches can be configured to accept incoming iSCSI connections from hosts (iSCSI initiators), as well as to use FCIP for IP SAN extension. Security features in the Cisco MDS 9000 switches include:

iSCSI authentication: Before establishing an iSCSI session, the switch authenticates the iSCSI initiator using CHAP.

iSCSI initiator persistent dynamic WWN and static WWN allocation: The switch can dynamically or statically map iSCSI initiators to virtual Fibre Channel initiators, enabling midrange and enterprise-class storage arrays to uniquely identify hosts connected via iSCSI in the same way they identify hosts connected via a Fibre Channel HBA.

iSCSI access controls: IT administrators can apply access controls to iSCSI initiators based on the target, VSAN, storage device, or interface. “In the latter case, individual iSCSI targets can be advertised on all or some Gigabit Ethernet interfaces, on subinterfaces, or VLANs,” says Dale.

FCIP: Cisco MDS 9000 switches also support FCIP, generally used for SAN-to-SAN traffic. “While FCIP itself does not have any explicit security, it can use all existing security mechanisms available to native Fibre Channel,” says Dale. “These include port security and FC-SP DH-CHAP switch-to-switch authentication.”

Data Integrity and Secrecy

Neither iSCSI nor FCIP protects data traversing IP networks. “If a rogue device in the path were able to eavesdrop, it could view storage data as it traveled across the link,” Dale warns. To protect data in flight, the Cisco Multiprotocol Switching 14+2 (MPS 14+2) line card and Cisco MDS 9216i Multilayer Fabric Switch offer integrated hardware-based IPsec support, providing wire-rate IPsec encryption and decryption with Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES).

SAN VULNERABILITIES REQUIRING SECURITY MEASURES

FIGURE 1 The Cisco MDS 9000 Series Switch addresses all six key areas of SAN security, earning it the top grade from Gartner for Fibre Channel SAN fabric security. The six areas shown around the SAN fabric are fabric access security, target access security, SAN fabric protocol security, IP storage security (iSCSI/FCIP), data integrity and secrecy, and SAN management security.

SAN SECURITY TECHNIQUES

SAN security technique | Vulnerability it addresses | Cisco MDS 9000 Series Switch features

Segregation of traffic destined for different server farms | Fabric and target access security | Virtual SANs (VSANs); hard zoning; Fibre Channel port security

Authentication and integrity for switch-to-switch communication | SAN fabric protocol security | Fibre Channel Security Protocol (FC-SP) Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP)

Encryption, to prevent data theft | Data integrity and secrecy | Integrated IP Security (IPsec) support

Traffic monitoring to identify malicious activity | SAN management security | SPAN; RSPAN; Fibre Channel flow statistics; Call Home; RMON threshold alarms

Secure management, to limit the risk of an attacker gaining control of SAN devices | SAN management security | Authentication, Authorization, and Accounting (AAA); Secure Shell Protocol version 2 (SSHv2); Simple Network Management Protocol version 3 (SNMPv3); Syslog; Network Time Protocol version 3 (NTPv3); Role-Based Access Control (RBAC)

SAN Management Security

Unauthorized SAN management access is risky because, without effective safeguards, a malicious user could alter the network configuration. The three main areas of vulnerability in SAN management access are disruption of switch processing, compromised fabric stability, and compromised data integrity and secrecy. The Cisco MDS 9000 mitigates these risks with the following:

AAA: Either TACACS+ or RADIUS can be used to provide both authentication and accounting for management access on a centralized basis. If no AAA server is used, a username/password database local to the Cisco MDS 9000 Switch may be used.

RBAC: RBAC allows each user to be assigned to a specific role, with management capabilities and restrictions potentially on a per-VSAN basis. “This approach allows companies to consolidate storage while restricting administrators’ access to the fabric ‘island’ that they managed before consolidation,” says Dale.

SSHv2: An alternative to insecure protocols such as Telnet, rlogin, and FTP, SSHv2 provides secure remote access through authentication and encryption. It can be used with TACACS+ and RADIUS.

SSL version 2 and TLS 1.0: Cisco MDS 9000 switches support the Storage Management Initiative Specification (SMI-S), the set of common interfaces based on the Common Information Model (CIM) that allows multiple-vendor interoperability in a SAN environment. Management access via SMI-S is protected through SSL or TLS; SSL version 2 has well-known weaknesses, so TLS should be selected wherever the management client supports it.

SNMPv3: An application-layer protocol, SNMP facilitates the exchange of management information between network devices. All Cisco MDS 9000 switches support SNMPv1, v2c, and v3. SNMPv3 (RFC 2271-2275) provides authentication and integrity using HMAC-MD5-96 or HMAC-SHA-96 and encryption with DES. The Cisco MDS 9000 also supports stronger AES-128-based encryption with SNMPv3 (RFC 3826). Because SNMPv1 and v2c authenticate only with a plaintext community string, they should be disabled once v3 is in use.
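What sits behind the HMAC-MD5-96 and HMAC-SHA-96 authentication just mentioned is the user-based security model (USM) key schedule of RFC 3414: the user's password is stretched into a key, that key is localized to the engine ID of each switch, and every authenticated message carries a 12-byte truncated HMAC. The Python below is an added example, not code from the article or from Cisco; it goes slightly beyond the text by showing the key derivation itself, and its correctness can be checked against the "maplesyrup" test vectors published in RFC 3414 Appendix A, which the block reproduces. The message bytes in the demonstration are a constructed placeholder, not a real BER-encoded SNMP PDU.

```python
"""SNMPv3 USM key derivation and authentication tag (RFC 3414).

Added example, not code from the article or from Cisco. It shows what sits
behind the HMAC-MD5-96 / HMAC-SHA-96 authentication the article mentions:
the user's password is stretched into a key (Ku), that key is localized to
one SNMP engine (Kul = H(Ku || engineID || Ku)), and each message carries a
12-byte truncated HMAC computed with Kul. Test values are the ones published
in RFC 3414, Appendix A.
"""
import hashlib
import hmac

MEGABYTE = 1_048_576  # RFC 3414 A.2: exactly this many password bytes are hashed


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku = H(password repeated cyclically until 1,048,576 bytes have been consumed)."""
    if not password:
        raise ValueError("empty password")
    reps, remainder = divmod(MEGABYTE, len(password))
    h = hashlib.new(hash_name)
    h.update(password * reps + password[:remainder])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku).
    The same password therefore yields a different key on every engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def derive_localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def auth_param(kul: bytes, whole_msg: bytes, hash_name: str = "md5") -> bytes:
    """HMAC-96: HMAC over the whole message (with the msgAuthenticationParameters
    field already zeroed by the caller), truncated to the first 12 bytes."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


def verify(kul: bytes, whole_msg: bytes, tag: bytes, hash_name: str = "md5") -> bool:
    """Constant-time comparison of the received tag with the recomputed one."""
    return hmac.compare_digest(auth_param(kul, whole_msg, hash_name), tag)


if __name__ == "__main__":
    engine_id = bytes.fromhex("000000000000000000000002")  # engine ID from RFC 3414 App. A
    for algo in ("md5", "sha1"):
        ku = password_to_key(b"maplesyrup", algo)
        kul = localize_key(ku, engine_id, algo)
        print(f"{algo}: Ku={ku.hex()}  Kul={kul.hex()}")
    # Constructed placeholder message, not a real SNMP PDU.
    msg = b"\x30\x10snmpv3-message-with-auth-params-zeroed"
    kul = derive_localized_key(b"maplesyrup", engine_id, "md5")
    tag = auth_param(kul, msg)
    print("tag:", tag.hex(), "verifies:", verify(kul, msg, tag),
          "tampered:", verify(kul, msg + b"!", tag))
```

Localization is why a localized key captured from one switch is useless against another engine, and why every manager must know each switch's engine ID before it can authenticate to it.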

Syslog: Syslog messages are unsolicited notifications that a network device can save in a log file and/or direct to a server such as CiscoWorks Resource Manager Essentials (RME). Syslog messages include a timestamp from the syslog server, a device name, a sequence number, the timestamp from the network device, and the message itself.

Accounting log: Cisco MDS 9000 switches maintain an accounting audit trail of configuration commands. Commands can also be logged to centralized syslog and AAA servers through RADIUS or TACACS+ accounting messages. Critical audit logs are stored in NVRAM and are persistent across restarts and power loss.
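As an added example, not code from the article or from Cisco, the Python below parses records in the five-field layout described under Syslog above and runs the checks a SAN operator would want on the result: sequence-number gaps (which reveal lost or suppressed messages), high-severity events, configuration and zoneset changes, and repeated login failures from one source. The exact line layout is the one a syslog server typically writes for a Cisco device and is assumed here; the sample lines, facility names and mnemonics are constructed for the demonstration rather than copied from a real switch.

```python
"""Parse Cisco-style syslog records and triage the security-relevant ones.

Added example, not code from the article or from Cisco. The record layout
follows the five fields the article lists (syslog-server timestamp, device
name, sequence number, device timestamp, message) in the form a syslog
server typically writes for a Cisco device. The sample lines, facility names
and mnemonics are constructed for the demonstration.
"""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

RECORD_RE = re.compile(
    r"^(?P<server_ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "   # syslog server timestamp
    r"(?P<device>\S+) "                                        # device name
    r"(?P<seq>\d+): "                                          # device sequence number
    r"(?P<device_ts>.+?): "                                    # device timestamp
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<message>.*)$"
)
SOURCE_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample: a config change, three failed logins from one source,
# a routine link event, a zoneset activation (with a sequence gap before it),
# and a line that does not parse.
SAMPLE_LOG = """\
Apr 11 09:14:02 mds-core-1 418: Apr 11 09:14:02.117: %SYS-5-CONFIG_I: Configured from vty by admin on 10.10.20.5
Apr 11 09:14:40 mds-core-1 419: Apr 11 09:14:40.301: %AUTHPRIV-3-LOGIN_FAILED: login failed for user root from 10.10.20.77
Apr 11 09:14:43 mds-core-1 420: Apr 11 09:14:43.880: %AUTHPRIV-3-LOGIN_FAILED: login failed for user root from 10.10.20.77
Apr 11 09:14:47 mds-core-1 421: Apr 11 09:14:47.002: %AUTHPRIV-3-LOGIN_FAILED: login failed for user root from 10.10.20.77
Apr 11 09:15:10 mds-core-1 422: Apr 11 09:15:10.556: %PORT-5-IF_UP: Interface fc1/12 is up
Apr 11 09:16:02 mds-core-1 425: Apr 11 09:16:02.019: %ZONE-2-ZONESET_ACTIVATED: zoneset ZS_PROD activated in VSAN 10 by admin
this line is not a syslog record and is skipped
"""

CONFIG_MNEMONICS = {"CONFIG_I", "ZONESET_ACTIVATED"}   # assumed watch list
AUTH_FAIL_MNEMONICS = {"LOGIN_FAILED"}                 # assumed watch list


@dataclass
class Record:
    server_ts: str
    device: str
    seq: int
    device_ts: str
    facility: str
    severity: int
    mnemonic: str
    message: str


def parse(text: str) -> list[Record]:
    """Parse every well-formed record; malformed lines are skipped."""
    records: list[Record] = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue                 # a real collector would count these
        d = m.groupdict()
        records.append(Record(d["server_ts"], d["device"], int(d["seq"]), d["device_ts"],
                              d["facility"], int(d["severity"]), d["mnemonic"], d["message"]))
    return records


def triage(records: list[Record], fail_threshold: int = 3) -> list[str]:
    """Findings: sequence gaps per device, severity 0-2 events, configuration
    changes, and the point at which one source reaches fail_threshold failed logins."""
    findings: list[str] = []
    last_seq: dict[str, int] = {}
    fails: Counter[str] = Counter()
    for r in records:
        prev = last_seq.get(r.device)
        if prev is not None and r.seq != prev + 1:
            findings.append(f"sequence gap on {r.device}: {prev} -> {r.seq} ({r.seq - prev - 1} missing)")
        last_seq[r.device] = r.seq
        if r.severity <= 2:
            findings.append(f"severity {r.severity} event: {r.mnemonic} (seq {r.seq})")
        if r.mnemonic in CONFIG_MNEMONICS:
            findings.append(f"configuration change: {r.mnemonic} (seq {r.seq}): {r.message}")
        if r.mnemonic in AUTH_FAIL_MNEMONICS:
            src = SOURCE_RE.search(r.message)
            if src:
                fails[src.group(1)] += 1
                if fails[src.group(1)] == fail_threshold:
                    findings.append(f"{fail_threshold} login failures from {src.group(1)} (seq {r.seq})")
    return findings


if __name__ == "__main__":
    for finding in triage(parse(SAMPLE_LOG)):
        print(finding)
```

The sequence-gap check is the one most often missing from home-grown collectors: because the device numbers its own messages, a gap between two records that arrived in order is evidence that messages were dropped in transit or rate-limited on the switch, and either possibility matters when the log is the audit trail.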

Call Home: This feature can be used to send e-mail or pager notification to IT personnel when critical system events occur. It can also initiate Cisco AutoNotify services for direct case generation with the Cisco Technical Assistance Center (TAC).

Fabric Consistency Checker: Embedded within the Cisco MDS 9000 management suite, Fabric Consistency Checker highlights configuration deviations from the master policy switch and provides a mechanism to resolve the differences.

ACLs: Administrators can limit management and IP access to a subset of IP addresses by applying ACLs to the various management and Gigabit Ethernet interfaces.

How Much Security Is Enough?

The degree of SAN security a company needs depends on its risks. “Ask yourself what would be the cost if a competitor or hacker got hold of the information,” advises Dale. “Usually it’s a combination of hard costs, such as a bank having to issue new credit cards, and soft costs, such as loss of customer trust. It’s important to understand the threats so you know the potential worth of the investment.”

When it comes to protecting against external, internal, and unintentional threats, Cisco recommends the practices shown in the table “Best Practices for SAN Security.”

BEST PRACTICES FOR SAN SECURITY

Fabric access
Use VSANs to isolate departments
Use port security features everywhere
Use FC-SP DH-CHAP authentication for switch-to-switch fabric access
Hard-fix switch port administrative modes to the assigned port function

Target access
Use zoning services for isolation where required
Consider only allowing zoning configuration from one or two switches, to minimize access
Use VSANs to divide and manage individual fabric configuration and resilience
Use WWN-based zoning for convenience, use port security features to harden switch access, and limit zoning access to one or two SAN administrators

SAN fabric protocol
Secure access to control protocol configuration using Cisco RBAC
Enable port security to lock ISL ports
Use FC-SP DH-CHAP for switch-to-switch authentication to block rogue ISLs
Consider using static configuration (Domain_ID and principal switch) for greater security than plug-and-play fabric protocol configuration

SAN management security
Use RBAC to grant adequate, not excessive, privilege to SAN administrators
Use RADIUS or TACACS+ for centralized user account administration and auditing
Use secure forms of management protocols (SSH, SFTP, SCP, SNMPv3, SSL) and disable the others
Enable NTP across all switches for consistent time stamping of events
Log and archive all events, including syslog, configuration, and Call Home

FURTHER READING

■ Cisco Storage Networking Solutions

cisco.com/go/storagenetworking


Stopping Bad Behavior at Endpoints

By Gene Knauer

Cisco Security Agent prevents attacks on servers and desktop PCs by enforcing behavioral policies.

LIKE A NATURAL DISASTER, when the Sapphire Worm, better known as “Slammer,” was unleashed in January 2003, it shut down Websites, disabled automated teller machines (ATMs), flooded networks, and resulted in a massive loss of productivity, money, and peace of mind for numerous businesses and IT staffs. Meanwhile, however, some enterprise networks, including the University of California, Berkeley, remained uninfected, even though their servers and desktop PCs had yet to be patched to prevent Slammer from being transmitted and exploiting a buffer overflow vulnerability in computers running Microsoft’s SQL Server or Microsoft SQL Server Desktop Engine 2000.


These networks were protected by an endpoint security product from the small intrusion prevention software company Okena, which that same year was acquired by Cisco, and the product was rebranded as Cisco Security Agent.

Behavior-Based Endpoint Security

Cisco Security Agent software is considered an intrusion prevention tool. Working from network endpoints such as desktops and servers, it is designed to distinguish appropriate from suspicious behavior and prevent new attacks, even before a security patch or “signature” can update the network’s antivirus or other security software. In sum, Cisco Security Agent intercepts system calls between applications and the operating system, correlates them, compares the correlated system calls with a set of behavioral rules, and makes an “allow” or “deny” decision based on the comparison results. This process is called INCORE, which stands for “intercept, correlate, rules engine” (see Figure 1).

According to Ted Doty, product manager for Cisco Security Agent, the basic mechanisms behind keeping viruses and worms in check have not changed much over time. “I like to think of it as catching thieves in the bank before they can rob it,” he says. “We’re looking for malicious behavior based on system calls to files, network registry sources, or to dynamic, run-time resources.”

Cisco Security Agent includes a management console that resides on a Microsoft Windows 2000 server and host-based agents deployed on desktops and servers. The agents use HTTP over 128-bit Secure Sockets Layer (SSL) for the management interface and agent-to-management console communications. Running between network applications and operating system kernels, Cisco Security Agent checks applications against their security policies and either allows or denies the operation. Such real-time prevention is based on enforcing security policies combined from distributed firewalls, operating systems, antivirus software, and audit event collection.
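The intercept, correlate, rules-engine loop described above can be illustrated with a small model. The Python below is an added example written for this edit; it is not Cisco Security Agent code, and the rule names, the event trace, the image paths and the choice to treat an untrusted keyboard hook as a question for the user are all constructed assumptions. What it shows is the property the article stresses: the decision on a system call depends on state correlated from earlier calls by the same process, not on a signature of the file being run.

```python
"""Toy behavioral intrusion-prevention engine in the INCORE style.

Added example, not Cisco Security Agent code. It mirrors the article's
intercept / correlate / rules-engine loop: interceptors report system-call
events (file, network, configuration, execution), a correlation engine keeps
per-process state, and rules decide from that state rather than from a
signature of the payload. The event trace and the four rules are constructed
for the demonstration; the real agent's rule language and hook points differ.
"""
from __future__ import annotations
from dataclasses import dataclass

ALLOW, DENY, QUERY_USER = "allow", "deny", "query_user"
STARTUP_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"   # classic persistence point
SHELLS = {r"C:\Windows\System32\cmd.exe"}                              # assumed interpreter list


@dataclass
class Event:
    pid: int
    image: str      # executable that issued the call
    kind: str       # file_write | net_recv | exec | registry_write | keyboard_hook
    target: str = ""


@dataclass
class ProcState:
    image: str
    received_network: bool = False   # has this process consumed network input?


class IncoreEngine:
    def __init__(self, trusted_hookers: set[str] | None = None):
        self.procs: dict[int, ProcState] = {}
        self.downloaded: set[str] = set()        # files written by network-fed processes
        self.trusted_hookers = trusted_hookers or set()

    # correlate: update state from every intercepted call, allowed or not
    def correlate(self, ev: Event) -> ProcState:
        st = self.procs.setdefault(ev.pid, ProcState(ev.image))
        if ev.kind == "net_recv":
            st.received_network = True
        elif ev.kind == "file_write" and st.received_network:
            self.downloaded.add(ev.target)       # tag content that came from the network
        return st

    # rules engine: first matching rule wins, default allow
    def decide(self, ev: Event) -> tuple[str, str]:
        st = self.correlate(ev)
        rules = (
            ("exec_of_downloaded_content",
             ev.kind == "exec" and ev.target in self.downloaded, DENY),
            ("network_fed_process_spawns_shell",
             ev.kind == "exec" and st.received_network and ev.target in SHELLS, DENY),
            ("persistence_by_downloaded_image",
             ev.kind == "registry_write" and ev.target == STARTUP_KEY
             and ev.image in self.downloaded, DENY),
            ("untrusted_keyboard_hook",
             ev.kind == "keyboard_hook" and ev.image not in self.trusted_hookers, QUERY_USER),
        )
        for name, matched, verdict in rules:
            if matched:
                return verdict, name
        return ALLOW, "default"


# Constructed trace: a browser download that tries to run; a network service
# that is made to spawn a shell without writing any file (the Slammer-style
# overflow pattern); the downloaded keystroke logger, assumed to have been let
# through by the user, hooking the keyboard and trying to persist; and a
# trusted accessibility tool hooking the keyboard legitimately.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
SQL = r"C:\Program Files\Microsoft SQL Server\sqlservr.exe"
LOGGER = r"C:\Temp\SilentLog.exe"
OSK = r"C:\Windows\System32\osk.exe"
TRACE = [
    Event(100, IE, "net_recv"),
    Event(100, IE, "file_write", LOGGER),
    Event(100, IE, "exec", LOGGER),
    Event(200, SQL, "net_recv"),
    Event(200, SQL, "file_write", r"C:\Data\db.log"),
    Event(200, SQL, "exec", r"C:\Windows\System32\cmd.exe"),
    Event(300, LOGGER, "keyboard_hook"),
    Event(300, LOGGER, "registry_write", STARTUP_KEY),
    Event(400, OSK, "keyboard_hook"),
]


def run_trace(trace: list[Event] = TRACE) -> list[tuple[str, str]]:
    engine = IncoreEngine(trusted_hookers={OSK})
    return [engine.decide(ev) for ev in trace]


if __name__ == "__main__":
    for ev, (verdict, rule) in zip(TRACE, run_trace()):
        print(f"pid {ev.pid:<4} {ev.kind:<14} {ev.target or '-':40} -> {verdict:10} ({rule})")
```

The sixth event is the one to notice: the database service never writes a file, so there is nothing for a scanner to inspect, yet the combination of "has read from the network" and "is now starting a shell" is enough state for the engine to refuse the call.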

“Correlating events with policies to allow or shut down activity is what makes Cisco Security Agent unique on the market,” says Doty. “Other solutions for viruses, worms, and spyware and adware detection rely on applying the latest security patches. From a couple of hundred patches issued per year in the mid-1990s, now there are about 4000 patches a year. Getting them tested and deployed on every server and desktop in a network has been bleeding customers dry in time and resources.”

Defense in Depth for Siemens and IFF

For Kathy Taylor, information security officer at Siemens Energy and Automation in Alpharetta, Georgia, deploying Cisco Security Agent was like acquiring a staff of new security administrators to watch the 250 servers and 7000 desktops on the company’s highly distributed network serving users throughout the US and Mexico.

“We had previously been hit hard by the W32/Blaster Worm in the summer of 2003 and soon after got the approval to install Cisco Security Agent,” says Taylor. “The following spring, there was another global virus outbreak, but this time we had no issues.” Taylor and her colleagues could see viruses trying to attack their computers, but none of these network operations were allowed to proceed.

“Cisco Security Agent gives us time to do the antivirus updates and test the new OS security patches before installation,” she says.

With facilities in 32 countries, International Flavors & Fragrances Inc. (IFF), a creator and manufacturer of flavors and fragrances used in a wide variety of products, had a similar sobering experience before investing in endpoint prevention. The Welchia worm of August 2003 swept across the company’s network worldwide.

CISCO SECURITY AGENT INCORE PROCESS

FIGURE 1 Cisco Security Agent applies an “intercept, correlate, rules engine” process (INCORE) that compares correlated system calls with a set of behavioral rules. Four kernel-level interceptors (file, network, configuration, and execution space) capture an application’s system calls; a correlation engine keeps state across them; the rules engine evaluates the rules and policies and returns a real-time allow or deny decision to the application.

“Welchia hit in our offices in China first,” recalls Michael Wasielewski, senior manager for network systems at IFF, which is based in Union Beach, New Jersey. “By the time we realized we were dealing with a virus, two hours later it had spread to Europe and Asia, only because the western world wasn’t yet awake. The antivirus signatures weren’t available for another eight hours.”

Though IFF squelched the Welchia virus without any serious disruptions, Wasielewski says, “We saw the agony other companies went through, and we made the decision to buy an endpoint security system.” There were alternatives to Cisco Security Agent, and Wasielewski researched them. They included devices that would block network access to unpatched systems and others that would inspect systems to determine whether they were at the proper virus patch level.

“We still couldn’t get around the fact that we had to deploy these patches,” Wasielewski says. “And the process of getting them, and testing and deploying them was too slow. The viruses were coming too fast. Back then, Microsoft was patching patches. We decided that we needed ‘Day Zero’ protection, a solution that didn’t depend on catching up to an already-detected new intrusion event.”

Wasielewski and his network colleagues at IFF found Cisco Security Agent to be further ahead in its behavioral approach to preventive security than any other product they researched. They have since deployed Cisco Security Agent on 4500 desktop computers throughout IFF.

“It’s the first product we’ve seen that really delivers this extra layer of endpoint security, which we now see as the first layer of protection even before antivirus or anti-spyware tools,” says Wasielewski.

Thwarting Spyware and Adware

Among the intrusive network behaviors targeted by Cisco Security Agent Version 4.5, the latest release introduced in February, are spyware (programs that install themselves on computers without a user’s consent and read and relay private information, including passwords and credit card numbers) and adware (marketing programs bundled with freeware that sprout pop-up ads and links). Cisco Security Agent 4.5 protects against spyware and adware infections by preventing these programs from initially installing and, if already installed, by preventing them from executing.

Cisco Security Agent is aptly suited to thwarting spyware and adware because these programs are rarely delivered through e-mail, which is subject to antivirus screening. This software is also an improvement over spyware detection tools because, like antivirus and other forms of security software, these tools are passive and reactive, with patches lagging behind new and mutating spyware attacks. Instead, Cisco Security Agent 4.5 hardens the Windows operating system with its behavior correlation engine, preventing spyware from executing.

FIGURE 2 Cisco Security Agent Version 4.5 detects an attempted keystroke capture and alerts the user with courses of action.

FIGURE 3 A network status “Events” view summary report generated using the CSA MC Web-based interface.

“We decided that we needed ‘Day Zero’ protection, a solution that didn’t depend on catching up to an already-detected new intrusion event.” Michael Wasielewski, senior manager for network systems, IFF

In Figure 2, for example, Cisco Security Agent detects the program SilentLog.exe, a “keystroke logger” that quietly captures all keyboard input and logs it to a file. Spyware often installs such keystroke loggers to capture passwords entered by users.

In response to stealthily downloaded spyware or adware attempting to execute, Cisco Security Agent alerts the user with a message screen and defaults to terminating the application unless the user allows the process to continue (by clicking “Yes”). Administrators can configure Cisco Security Agent to automatically stop the application from executing without user intervention. If the spyware attempts to swamp users with repeated requests to download (a form of social engineering intended to trick or frustrate users into selecting “Yes”), they need only select “Don’t ask me again” to stop the requests.

Because Cisco Security Agent decides on behavior rather than on scanning or fingerprinting file system contents, its impact on performance is negligible.

Other Benefits of Cisco Security Agent

Besides detecting, analyzing, and acting on network behavior, Cisco Security Agent can track which applications are installed on a single computer or workgroup; which applications use the network; the identity of all remote IP addresses with which a server or desktop computer communicates; and the state of all applications on remote systems, including user-specific installation information and whether undesired applications are attempting to run.

Administrators can perform detailed forensics of any application on any computer, collect information about the application’s behavior, and create a control policy based on that application’s “normal” behavior. All Cisco Security Agent policies are configured and deployed via the Cisco Security Agent Management Center (CSA MC) Web-based user interface. CSA MC also provides a reporting tool, allowing administrators to generate reports with various views of their network’s health and status (see Figure 3, page 49).

Cisco Security Agent Version 4.5 also adds compatibility with international operating systems and expands platform support to include Linux servers and desktops and Windows clusters. It ships at no additional charge with all Cisco IP telephony products, including Cisco CallManager and Cisco Unity.

“Now we’re considered the most robust IP telephony solution from a security perspective,” says Doty, adding that more than two million desktop PCs and servers have installed Cisco Security Agent since 2001.

Frontline of the Self-Defending Network

“Cisco Security Agent complements Cisco’s Self-Defending Network strategy. In addition to providing a first line of real-time intrusion prevention, its presence on endpoints allows them to acquire state information that might not be available at the network edge,” says Joshua Huston, a technical marketing engineer in Cisco’s VPN and Security Business Unit specializing in Cisco Security Agent marketing. “This capability provides a feedback loop between the endpoints and the network, so the network can readily adapt to emerging threats.” (For more on the Self-Defending Network strategy and new security products from Cisco, see “In Self Defense,” page 26.)

Cisco Security Agent embodies other attributes of a Self-Defending Network, adds Huston: it’s flexible, future-proof, and highly effective whether a user is at work, at home, or on the road.

ENDPOINT SECURITY AND NETWORK ADMISSION CONTROL

Cisco Security Agent can be considered a first-order dampener to the effects of virus and worm propagation. Making sure endpoints are compliant with OS patches and antivirus software updates is an effective second-order dampener to such propagation. Enter Cisco’s Network Admission Control (NAC) program. The NAC industrywide initiative was created to help ensure that every endpoint complies with network security policies before being granted access, to curtail damage caused by viruses and worms.

NAC technologies control access by interrogating devices connecting to the network to determine whether they comply with network security policy. For example, NAC can determine whether Cisco Security Agent or antivirus software is installed and current, along with the current OS and patch level. NAC uses this information to determine the appropriate network admission policy enforcement for every endpoint based on the security state of the OS and associated applications rather than simply on who is requesting access. In addition to controlling access, NAC gives IT administrators the means to automatically quarantine and remediate noncompliant endpoints. Launched in June 2004, NAC is supported on routers running Cisco IOS Software Release 12.3(8)T and higher.

The Cisco NAC program is open to vendors who design and sell third-party client and server applications that incorporate features compatible with the NAC infrastructure. To date, more than 30 vendors are actively integrating their technologies into the network. For more information on this program, visit cisco.com/packet/172_6d1.

FURTHER READING

■ White paper: Cisco Security Agent, an Enterprise Solution for Protection Against Spyware and Adware: cisco.com/packet/172_6d2

■ Cisco Security Agent home page: cisco.com/go/csa

The adoption of Radio Frequency Identification (RFID) is steadily growing across industries and applications. It is driven not only by retail and government mandates, but also by organizations that are beginning to recognize the potential for RFID to increase productivity, improve customer satisfaction, and strengthen competitive advantage. As the number and scale of these deployments grows from small internal pilots to larger multisite installations with data shared across companies, it is increasingly important to understand that tags and readers are only a portion of what is required for a working RFID system.

IP networks are critical to fulfilling the promise of RFID, by providing the foundation of services that allow the coexistence and communication between multiple systems required to reliably deliver RFID data when and where needed. The combined network intelligence that secures, stores, and shares Internet information remains the key to enabling real-time event data generated by RFID that will improve efficiencies and automate decision making.

Customers who have started to look beyond their short-term testing are beginning to appreciate the value of their existing IP networks in the context of RFID applications. IP networks are a vital way to help increase efficiency by providing an open, standard framework for real-time product information exchange. Network managers who are thinking about the addition of RFID to their networks are also considering how to best use existing resources, as well as evaluating what additional services might be useful to them.

Role of the IP Network Within the EPC Architecture

While the practices described here can be applied to many wireless identification and tracking systems, this article uses EPCglobal passive tag systems as an example. Figure 1 is a simplified view of the EPC network architecture.

In this example, the RFID reader, filtering and collection middleware, EPC Information Service (EPCIS) server, and EPCIS-enabled application are deployed as separate physical entities, with traffic flowing across the IP network infrastructure between these components. In reality, multiple functions can be standalone devices or combined into a single physical device or devices.

RFID-Ready Network Architectural Framework

The Cisco RFID-Ready Network is based on a set of services that the network infrastructure can provide to facilitate the implementation of RFID deployments on top of the existing IP-based network infrastructure. Its purpose is to ensure that EPC and RFID traffic and devices can coexist with other devices and traffic on a single, converged, and open-systems IP-based infrastructure (Figure 2).

The network can provide the following services to facilitate the implementation of RFID deployments:

Connectivity services provide basic wired and wireless Ethernet connectivity for RFID devices on the network. Also included are

The RFID-Ready Network
IP-Based Network Connectivity for RFID Deployments

ENTERPRISE SOLUTIONS

By Roland Saville and Dennis Vogel


FIGURE 1 EPC Network Architecture. Components shown: Tag, RFID Reader, EPC Edge Server (Filtering and Collection Middleware), EPCIS Server, EPCIS-Enabled Application, Object Name Service, and Infrastructure Servers (Management Systems), all connected through the Network Infrastructure. The IP network infrastructure is the enabling technology that facilitates the communication flows between the individual architecture components.

EPCglobal Network Standards

EPCglobal (www.epcglobalus.com) is a not-for-profit organization made up of industry leaders whose mission is to establish global standards for the development, implementation, and adoption of Electronic Product Code (EPC) and RFID. The architecture designed by EPCglobal enables identification and sharing of information of items in various supply chains. The supporting technical standards developed through EPCglobal are meant to ensure that the various components and technologies of the EPCglobal architecture work together, on a global scale.


such features as IEEE 802.3af Power over Ethernet (PoE), which can help reduce deployment costs.

Provisioning and configuration services include Dynamic Host Control Protocol (DHCP), Domain Name Service (DNS), Trivial File Transfer Protocol (TFTP), and Network Transfer Protocol (NTP), among others, which assist in the deployment of RFID devices onto the network. This layer also includes services such as Cisco SmartPorts macros, which assist in provisioning the network infrastructure rapidly and more easily to support RFID devices.

Network forwarding path services ensure that RFID traffic has the necessary quality of service (QoS) parameters assigned to it and that the network has provisioned the necessary bandwidth and prioritization of RFID traffic for proper operation and coexistence with other traffic on the network.

Management services assist network operations staff in identifying network outages and correlating such information with the resulting application-level outages.

Device security services assist network operations staff in ensuring only authorized RFID devices exist on the network, and in determining and locating potential rogue devices on the network.

Network security services mitigate the spread of malicious activity, and limit the potential of denial-of-service attacks, man-in-the-middle attacks, etc., across the network. Such attacks could result in a loss or degradation of service or sacrifice confidentiality of information across the RFID deployment.

Application networking services identify and facilitate the movement of RFID data across the network from an application perspective.

The layers represent increasing intelligence built into the network that facilitates RFID deployments, from connectivity services up through application networking services. In addition, each of these layers must also scale from very small RFID deployments up to large RFID deployments and have the ability to be deployed in nonresilient and resilient designs for those who require high availability. This article focuses on the bottom layer: connectivity services.

Connectivity Services for RFID Deployments

The following recommendations represent guidelines and technology designed to enhance the ability of the network infrastructure to support an RFID implementation. They focus on the connectivity services a LAN infrastructure can provide for an RFID deployment, including physical connectivity of RFID readers and printers, RFID middleware edge servers, and application servers to the network.

Connectivity for Wired RFID Devices

Physical connectivity for wired RFID readers is typically provided by dedicated 10/100-Mbit/s Ethernet connections for each RFID reader or printer. Given the amount of traffic produced or consumed, Gigabit Ethernet connectivity is not expected to be necessary for wired RFID readers and printers in the near future. Shared 10 or 100 Mbit/s hub technology is not considered desirable for an RFID deployment, because every RFID reader and printer must contend with each other for access to the network. In a large deployment, this could easily lead to congestion and lost data within the LAN. Given the real-time nature of cases or pallets moving along a high-speed conveyor or through a dock door portal, any data loss is undesirable.

IEEE 802.3af Power over Ethernet

When deploying hundreds of RFID readers around a large distribution center, eliminating the need to run AC power to each reader can result in significant cost benefits. Therefore, the ability of an RFID reader to support IEEE 802.3af Power over Ethernet (PoE) is considered desirable. A small but growing number of RFID readers support IEEE 802.3af PoE. When upgrading an existing infrastructure or deploying a

FIGURE 2 Cisco RFID-Ready Network: the network's built-in intelligence facilitates RFID deployments. Layers, from bottom to top: Connectivity (802.3, 802.3af, and 802.11); Provisioning and Configuration (Device Identification, Location, and Personalities); Network Forwarding Path (Filtering, QoS, Traffic Engineering); Management (Discovery, Diagnostics, Inventory, Fault Isolation); Device Security (Authentication, Rogue Detection, Encryption); Network Security (Virus Protection, Intrusion Detection, Attack Management); Application Networking (Eventing, Data Replication, and Virtualization). Vertical axis: Intelligence in the Network. Horizontal axis: Scalability, Availability.

ROLAND SAVILLE is a technical lead for the Enterprise Systems Engineering group within Cisco's Internet Technologies Division. He has more than nine years' experience as a systems engineer, consulting systems engineer, technical marketing engineer, and technical lead at Cisco. He can be reached at [email protected].

DENNIS VOGEL is part of the Multiservice Customer Edge Business Unit (MCEBU) advanced technologies team, focused on RFID product and technology development for Cisco's Chief Development Organization. Previously, he was product line manager of firewall and VPN products as well as an advocate for IPv6 security offerings. He can be reached at [email protected].


new LAN infrastructure to support current and future RFID deployment requirements, select IEEE 802.3af PoE-capable LAN switches. In addition to RFID readers, PoE-capable LAN switches can significantly reduce the costs of 802.11a/b/g access point and IP telephony deployments as well.

For EPC edge servers and application servers, physical connectivity services are typically provided by dedicated 10/100-Mbit/s Ethernet or Gigabit Ethernet switch ports.

Wireless Connectivity

Multiple RFID reader deployment models rely upon wireless connectivity, including the following examples:

■ A fixed-position wireless reader that can be used in place of a fixed-position wired reader. Physical connectivity services in such a model are provided to the RFID reader itself.

■ Deployment of an RFID reader on a mobile vehicle, such as a forklift, within a distribution center. The RFID reader is serially attached to a mobile industrial PC mounted on a forklift. EPC data, in the form of tag reads, enters the network via the serially attached RFID reader and is converted to application data within the industrial PC. The industrial PC then exchanges this information with a local server running inventory management, warehouse management, enterprise resource planning (ERP), or other enterprise applications. Physical connectivity services in such a model are provided to the industrial PC, rather than the RFID reader itself.

■ Deployment of an RFID reader in a handheld mobile computer within a store. The existing barcode scanner is either augmented or replaced with an RFID reader. EPC data in the form of tag reads enters the network via the RFID reader and is converted to application data within the handheld computer. The handheld computer then exchanges this information with a local server running inventory management, warehouse management, ERP, or other enterprise applications. Physical connectivity services in such a model are provided to the mobile handheld computer with the RFID reader attachment or PC card.

In each of these models, IEEE 802.11g, 802.11b, or 802.11a wireless connectivity can be provided by Cisco Aironet access points, which are themselves connected to Cisco Catalyst switch ports using 10/100-Mbit/s PoE connections (Figure 3).

Because wireless connectivity is a shared medium, individual RFID readers and printers must contend with each other and other non-RFID devices for access to the network. In large deployments or very busy networks, temporary congestion could result in data loss within the LAN, particularly as RFID tagging reaches the item level in the future. These concerns are not as great for

mobile wireless RFID devices, because the number of such devices deployed is not expected to be great. However, the number of fixed-position wireless devices around dock doors and conveyors in a large distribution center could be in the hundreds. The network design engineer needs to closely monitor the number of wireless RFID devices per access point and the amount of aggregate traffic generated by those devices. Additional technologies, such as applying QoS to the wireless traffic, might need to be considered over time.

IEEE 802.11b provides a shared-access medium with a maximum throughput of 11 Mbit/s. However, due to communications overhead, the effective maximum throughput is approximately 5.5 Mbit/s. IEEE 802.11b operates in the 2.4-GHz frequency spectrum.

IEEE 802.11a provides a shared-access medium that operates at a raw speed of 54 Mbit/s. However, effective throughput is typically in the mid 20 Mbit/s range. IEEE 802.11a operates in the 5-GHz frequency spectrum and is not backward compatible with IEEE 802.11b.

Similar to IEEE 802.11a, IEEE 802.11g provides a shared-access medium that operates at a raw speed of 54 Mbit/s. Effective maximum throughput is around 24.5 Mbit/s. However, IEEE 802.11g operates in the 2.4-GHz frequency spectrum and is backward compatible with IEEE 802.11b.

RFID systems will extend existing IP networks through the installation of new devices like RFID readers as well as integration with larger supply-chain systems. It is essential that those deploying RFID understand the requirements of this application and how it will coexist with other services. Now is the time for network administrators to plan for RFID installations and learn how to maximize the services available to them in their IP network infrastructures.

FURTHER READING

■ Cisco RFID Website
cisco.com/go/rfid

■ EPCglobal
www.epcglobalus.com/Network/how_works.html

FIGURE 3 IEEE wireless standards are supported in several Cisco Aironet platforms.

CISCO AIRONET ACCESS POINT PRODUCT LINE

PLATFORM                                   RADIO           RAW BANDWIDTH
Cisco Aironet 1100 Series Access Point     802.11b or g    10 Mbit/s or 54 Mbit/s
Cisco Aironet 1130 AG Series Access Point  802.11a and g   54 Mbit/s and 54 Mbit/s
Cisco Aironet 1200 Series Access Point     802.11g         54 Mbit/s
Cisco Aironet 1230 AG Series Access Point  802.11a and g   54 Mbit/s and 54 Mbit/s


The central repository of both computing capacity and data storage, the data center is a highly critical component of today's enterprise network architecture. Because of this, the data center requires the highest levels of resilience, performance, and flexibility to meet business requirements and support accelerated growth. The access layer of the data center provides the port density and connectivity to the enterprise server farm. Determining proper access layer design is critical in providing a flexible, scalable, secure, high-performance architecture that supports a mix of existing application requirements while easily adapting to changing conditions.

This article helps you prepare for the next-generation server farm by discussing how PCI-X, 10 Gigabit Ethernet, and port density influence your design considerations. It does not cover other important topics such as data center services, high availability, storage interconnect (that is, Fibre Channel) or server interconnect (that is, Infiniband), as these are the subject of future articles.

Access Layer Considerations

The access layer provides physical connectivity to the server farm. The applications hosted by the server farm have many different requirements; some are business-critical applications requiring dual-homed servers, while others require server clustering for high availability and scalability. Some applications reside on a mainframe that may run a Layer 3 protocol,

ENTERPRISE SOLUTIONS

Data Center Networking
Designing the Server Farm Access Layer

By Mark Noe and Mauricio Arregoces

FIGURE 1 Data Center Topology: the enterprise data center topology includes multiple access layer configurations and aggregation modules, which are repeatable for scaling the server farm. Shown: Campus Core; DC Core; DC Aggregation (DC Aggregation Module 2, repeated); DC Access with Layer 2 Access with Clustering and NIC Teaming, Blade Chassis with Pass-Thru Modules, Blade Chassis with Integrated Switch, Mainframe with Open Systems Adapter (OSA), and Layer 3 Access with Small Broadcast Domains and Isolated Servers. Link legend: 10 Gigabit Ethernet; Gigabit Ethernet or EtherChannel; Backup.


while others are hosted on multiple 1RU servers which may have Layer 2 adjacency requirements (Figure 1).

Layer 2 Access Model Definition

The Layer 2 access model is defined as an access switch that is connected to the aggregation layer through an IEEE 802.1Q trunk. The first point of Layer 3 processing is at the aggregation switch. Layer 3 routing is not performed in the access layer switch. Blade-server chassis that use integrated Layer 2 Cisco switches such as in the IBM BladeCenter and the HP BladeSystem also appear in Figure 1. Because these are Layer 2 switches, they connect directly to the aggregation layer in the same manner as an external access switch. Later, this article describes network interface card (NIC) teaming and clustering, which influence the requirement for the Layer 2 access model.

The Layer 2 model provides significant flexibility by supporting virtual LAN (VLAN) instances through the entire set of access layer switches that are connected to the same aggregation layer. This allows new servers to be "racked" in any available rack yet still reside in the particular subnet (VLAN) in which all other application-related servers are located.

Layer 3 Access Model Definition

The Layer 3 access model is defined as an access switch connected to the aggregation layer through a Layer 3 link (instead of an 802.1Q trunk as in the Layer 2 model) on its own subnet. Layer 3 routing is performed at the access switch. The access switch contains a route processor that provides all required Layer 3 processing functions. Despite the Spanning Tree Protocol being active, there are no blocked ports, thus all uplinks are actively forwarding because this model does not have a looped topology.

The Layer 3 access switch also provides Layer 2 connectivity to the server farm. Unlike the Layer 2 access model, the STP domain is confined strictly to the access switch or to a very small group of access switches, as shown by the Layer 2 links between the Layer 3 access switches in Figure 1. Layer 3 access is used when there is a requirement for multiple active uplinks or to segment groups of servers into smaller broadcast domains to address server stability concerns or to isolate different application environments.

Layer 2 Adjacency Drivers

When Layer 2 adjacency exists between servers, the servers are in the same broadcast domain. When servers are Layer 2 adjacent, each server receives all broadcasts and multicast packets from another server. If two servers are in the same VLAN, they are Layer 2 adjacent. However, certain features, such as private VLANs (PVLANs), allow groups of Layer 2 adjacent servers to be isolated from each other but still be in the same subnet.

Frequently, the requirement for Layer 2 adjacency is unexpected or overlooked. High availability clustering and NIC teaming are primary examples of when Layer 2 adjacency is required.

Clustering

Server clustering implementations vary from high availability clusters such as the Microsoft Windows Server 2003 Cluster Service (MSCS) to high-performance parallel processing clusters as in the Beowulf Linux cluster operating system.

The common goal of clustering is to combine multiple servers to operate as a unified system through specialized software and network interconnections, improving scalability, performance, and resiliency. Clustering technology, initially used in university and scientific environments, is now popular in enterprise data centers primarily for high availability reasons.

Some high availability clusters use mechanisms that require Layer 2 adjacency because the cluster protocol packets are not routable. An example of this is with MSCS cluster environments that use Layer 2 multicast packets to enable all hosts in the cluster to listen to incoming network traffic and pass heartbeats between nodes to determine availability.

NIC Teaming

There are always mission-critical applications that cannot tolerate downtime. To eliminate server and switch single points of failure, servers are dual-homed to two different access switches and use NIC teaming drivers and software for the failover mechanisms. NIC teaming features are provided by a NIC vendor and are becoming widely used in enterprise data centers.

NIC teaming options generally come in three common configurations: Adapter Fault Tolerance (AFT); Switch Fault Tolerance (SFT), also sometimes known as Network Fault Tolerance (NFT); and Adaptive Load Balancing (ALB) (see Figure 2).

The basic objective of NIC teaming is to use two or more Ethernet ports connected to two different access switches. In some cases, two Ethernet ports connect to a single switch using different line cards. The standby NIC port in a server configured for NIC teaming uses the same IP and MAC address of a failed primary server NIC, which results in the requirement for Layer 2 adjacency. An optional signaling protocol is also used between active and standby NIC ports. The protocol


MARK NOE AND MAURICIO ARREGOCES, CCIE No. 1331 and CCIE No. 3285, are members of the Data Center Design and Architecture team at Cisco. They can be reached at [email protected] and [email protected], respectively.


heartbeats are used to detect a NIC failure. The frequency of heartbeats is tunable between 1 and 3 seconds. These heartbeats are multicast or broadcast and therefore require Layer 2 adjacency.

Density and Scalability Implications

Enterprise data centers traditionally use a modular access switch with line cards, which can support hundreds of server ports. This type of access switch is strategically placed within or at the end of the server cabinet row and the servers in the row are cabled to it. This scenario permits flexible oversubscription capacity and reduces the ratio of managed network devices to servers.

A simpler option is to place small 1RU access layer switches in each server cabinet with the cabling remaining in the cabinet. These 1RU switch uplinks are cabled directly to the aggregation switches. This simplifies cabling infrastructure by reducing cable bulk and can provide more rack and stack flexibility.

Because there may be different requirements in building a scalable access layer environment, you should carefully consider the connectivity scheme. When selecting which access layer model to use, keep in mind the following criteria.

Server density: Consider the most effective way of scaling to the maximum server density and the required number of network connections per server such as client-to-server, server-to-server, server-to-storage, and integrated Lights Out (iLO) out-of-band management.

Network management: How many network devices are managed in the network? Determine the network device-to-server ratio as a guideline to understanding the total cost of ownership (TCO) of the network.

Oversubscription: What is the oversubscription ratio per uplink? Keep in mind the current or future true server capacity (PCI, PCI-X, PCI-Express) and the type of uplinks (Gigabit EtherChannel, 10 Gigabit Ethernet, 10 Gigabit EtherChannel) that can be supported on the access switch. A server that is limited by older PCI bus technology can increase the application traffic dramatically after a platform replacement.

Equipment sparing: Consider how equipment sparing standards decrease skill set requirements and the time to resolution.

Device-level redundancy: Determine the failure exposure level for each application and whether servers require CPU or power redundancy to avoid a single point of failure.

Cabling: Consider the cabling structure design and air flow issues related to cable density through the rack floor entry.

Spanning Tree Protocol scalability: Understand how Spanning Tree scales and behaves based on the number of uplinks, VLANs per uplink (logical port limits, number of EtherChannels), and VLANs across switches (STP diameter).

In general, it is important to closely examine the environment and ensure that it has the flexibility to support emerging requirements that can push scalability and performance. The particular areas most affected in the access layer are spanning-tree scalability, cabling, 10 Gigabit Ethernet support, port density, and redundant CPU or power.

Scaling Bandwidth with Gigabit EtherChannel and 10 Gigabit Ethernet Uplinks

Network designers must choose between Gigabit EtherChannel or 10 Gigabit Ethernet uplinks on the access layer switches. EtherChannel technology permits bundling together of up to eight Gigabit Ethernet ports to provide a single logical high-speed uplink. When determining the correct access layer uplink strategy, take into account the following areas.

EtherChannel Hashing Algorithm

EtherChannel provides different hashing algorithms to determine how to balance packets across the ports in the channel group. The most common hashing algorithm used is based on IP source/destination pairs or Layer 4 port number source/destination pairs. The number of servers behind the switch that use the Gigabit EtherChannel uplink and how the IP protocols are used greatly influence how well traffic is balanced across the EtherChannel. If the algorithm


FIGURE 2 NIC Teaming with Adaptive Load Balancing: Adaptive Load Balancing, a popular NIC teaming solution, permits multiple NIC cards to balance outbound client traffic while providing switch fault tolerance. One port receives and all ports transmit using one IP address and multiple MAC addresses; ALB incorporates fault tolerance. Shown: default gateway 10.2.1.1 (HSRP); Eth0 active, IP=10.2.1.14, MAC=0007.e910.ce0f; Eth1-n active, IP=10.2.1.14, MAC=0007.e910.ce0e; heartbeats between the team members.


cannot balance traffic evenly across all ports in the channel, aggregate throughput is degraded. Examine traffic characteristics and determine the proper hashing algorithm to use. If proper load distribution cannot be achieved, 10 Gigabit Ethernet likely provides a better solution than Gigabit EtherChannel.
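The hashing effect described in this section, as an added simulation written for this page (not Cisco's EtherChannel code): a few servers streaming to one destination collapse onto two of four member ports under an IP-pair hash, while a Layer 4 port-pair hash spreads the same flows across all four, and the channel's usable throughput is bounded by its busiest link. The bucket hash is a stand-in that keeps only the relevant property (a small fixed number of buckets chosen from header fields); the flows, addresses and loads are constructed.

```python
"""Constructed model of EtherChannel hash-based load distribution."""
import ipaddress
from dataclasses import dataclass
from typing import List

GIGABIT = 1000.0  # Mbit/s per member port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    mbps: float  # sustained offered load of this flow


def _bucket(*fields: int, bits: int = 3) -> int:
    """XOR the selected header fields down to one of eight buckets.
    Stand-in for the real hash; the real one also yields a small fixed set."""
    h = 0
    for f in fields:
        h ^= f
    return h & ((1 << bits) - 1)


def select_port(flow: Flow, mode: str, n_ports: int) -> int:
    """Map a flow to a member port index under the given hash mode."""
    if mode == "src-dst-ip":
        fields = (int(ipaddress.ip_address(flow.src_ip)),
                  int(ipaddress.ip_address(flow.dst_ip)))
    elif mode == "src-dst-port":
        fields = (flow.src_port, flow.dst_port)
    else:
        raise ValueError(f"unknown hash mode {mode!r}")
    # Buckets are spread round-robin over ports; with a port count that is not
    # a power of two, some ports own more buckets than others (extra skew).
    return _bucket(*fields) % n_ports


def port_loads(flows: List[Flow], mode: str, n_ports: int) -> List[float]:
    """Offered load (Mbit/s) landing on each member port."""
    loads = [0.0] * n_ports
    for f in flows:
        loads[select_port(f, mode, n_ports)] += f.mbps
    return loads


def usable_throughput(flows: List[Flow], mode: str, n_ports: int,
                      link_mbps: float = GIGABIT) -> float:
    """Traffic the channel can carry: each member link caps at its own rate,
    so flows hashed onto a saturated port are throttled while other ports
    may sit idle. This is the degradation the article warns about."""
    return sum(min(load, link_mbps) for load in port_loads(flows, mode, n_ports))


def balance_ratio(flows: List[Flow], mode: str, n_ports: int) -> float:
    """mean/max load across ports: 1.0 is perfect balance, lower is worse."""
    loads = port_loads(flows, mode, n_ports)
    return (sum(loads) / n_ports) / max(loads) if max(loads) else 1.0


# Constructed scenario: two servers (10.1.1.10 and .11) each push four
# 400 Mbit/s NFS-style flows to one backup server over a 4-port channel.
BACKUP_SERVER = "10.1.2.5"
FLOWS = [Flow(f"10.1.1.{10 + i // 4}", BACKUP_SERVER, 32768 + i, 2049, 400.0)
         for i in range(8)]

if __name__ == "__main__":
    for mode in ("src-dst-ip", "src-dst-port"):
        print(mode, port_loads(FLOWS, mode, 4),
              "usable", usable_throughput(FLOWS, mode, 4),
              "balance", round(balance_ratio(FLOWS, mode, 4), 2))
```

With only two IP pairs in play, the IP-pair hash uses two of four links and carries 2000 of the 3200 Mbit/s offered; the port-pair hash carries all of it, and a single 10 Gigabit Ethernet uplink would need no hashing at all.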

PCI-X, PCI-Express, and 10 Gigabit Ethernet NICs

When determining the proper oversubscription ratio to use in the access layer, consider the particular technologies that have a dramatic impact on network usage. PCI-X bus-based NICs are common on today's server platforms. Compared to PCI-based NIC cards, PCI-X increases the amount of traffic many times on its interface(s) with less CPU overhead. The next-generation PCI-Express bus interface continues this trend with 4X performance over PCI-X and introduces other improvements, such as Remote Direct Memory Access (RDMA), that reduce CPU overhead. Combined with these bus technology improvements is the ability to tune TCP with larger window sizes, jumbo frames, and TCP offload engines that further improve throughput and lower CPU overhead.

The overall bursting capacity increases as a result of servers using the most current bus architecture (PCI-X or PCI-Express) and newer NIC (10/100/1000 or 10 Gigabit Ethernet) technology. The overall server farm throughput is higher.

10 Gigabit Ethernet NIC cards are available today with driver support across almost all operating systems. These NICs are showing up to a 7X improvement over Gigabit Ethernet with lower latency and less CPU overhead. As the requirements for low latency fabrics increase for clustering, storage, and specialized applications, 10 Gigabit Ethernet NICs are becoming more common. 10 Gigabit Ethernet is also useful when consolidating servers in the data center. By using 10 Gigabit Ethernet NICs in higher-end servers, a reduction in the number of server components can be realized, lowering overall TCO.

As these trends become mainstream, their impact translates into higher strain on access layer uplinks. The ability to migrate from a Gigabit Ethernet EtherChannel uplink to a 10 Gigabit Ethernet or 10 Gigabit Ethernet EtherChannel uplink is an important consideration in choosing the correct access layer platform.

Environmental Concerns

An industry trend is to decrease the amount of rack space used by server and network components by compacting them into smaller platforms. Examples of this are blade-server technology, 1RU servers, and higher density switches. This trend is placing stress on other critical areas in the data center, including cooling, power, weight, and cabling, so be aware of the following general environmental concerns.

Cabling: Examine the network connection requirements of the server farm (iLO, front end, back end, storage), cable routing, and the cable bulk at the entry to each cabinet.

Cooling: Consider the cooling capacity per rack and the heat dissipation of the components in each rack. Although rack space may be conserved with denser platforms, cooling capacity limits the density achieved. Cable bulk can also block air flow to the cabinet.

Weight: Consider that the floor tile and subfloor construction might not have the weight support rating that racks loaded with newer high density products are now reaching.

Power: Check the power requirements of newer high-density products and determine whether the current amount of power provided to the cabinet is enough. For example, you might need to retrofit the existing power to include support for 220V or 30A service.

When building a new data center or scaling an existing one, your key considerations should include whether to use the Layer 2 or Layer 3 access models based on either adjacency requirements or a need to create smaller broadcast domains. You also want to consider server density, oversubscription, and management factors when determining whether to use a modular or 1RU access switch. Other considerations include understanding the impact of new server technology such as PCI-X and PCI-Express on the data network architecture and specifically the access layer.


FURTHER READING

■ Data Center Fundamentals by Mauricio Arregoces and Maurizio Portolani (Cisco Press, ISBN: 1587050234)
ciscopress.com/datacenterfundamentals

■ Build the Best Data Center Facility for Your Business, by Douglas Alger (Cisco Press, ISBN: 1587051826)
ciscopress.com/title/1587051826

■ PCI Bus Technology
pcisig.com/specifications/pciexpress

■ Data Center Best Practices
cisco.com/go/datacenter


The Metro Ethernet market is undergoing explosive growth, and security is extremely important at the metro network's entry location. Modular Cisco Catalyst switches are used to terminate multiple DSL access multiplexers (DSLAMs) at the aggregation layer. DSLAMs are intelligent devices and support multicast Internet Group Management Protocol (IGMP) snooping for triple-play voice, video, and data services. They also support Dynamic Host Control Protocol (DHCP) interface tracking (Option 82) and isolation for end subscribers.

DSLAMs, however, do not offer security features such as dynamic protection from man-in-the-middle attacks, IP spoofing, and DHCP denial-of-service (DoS) attacks. These functions, together with innovative quality-of-service (QoS) features, are performed at the metro aggregation switching layer. Generally, in this topology each DSLAM connects to a Cisco Catalyst switch using two Gigabit Ethernet interfaces (see Figure 2, page 62).

Catalyst 4500 with Supervisor Engine V-10GE

A wirespeed 10 Gigabit Ethernet-enabled Cisco Catalyst switch is a de facto choice for service providers, because it allows them to offer high-bandwidth, rich services that will satisfy customers and keep the service providers competitive. Performance of up to 136-Gbit/s switch capacity and 102 million packets per second (pps) of wirespeed forwarding are supported on a single Cisco Catalyst 4500 Series Switch with a Supervisor Engine V-10GE. Modular supervisors support a full range of 4096 active virtual LANs (VLANs) in accordance with IEEE 802.1q. In addition, none of the services suffer a performance penalty, because they are performed in hardware, which allows providers to offer a greater number of Metro Ethernet point-to-point or point-to-multipoint Ethernet services.

The bidirectional Ethernet (100BaseBX, 1000BaseBX) interfacesin the Catalyst 4500 Series Switch implement full duplex, wire-speed, Fast or Gigabit Ethernet point-to-point services on a sin-gle fiber cable. The GLC-BX-U (upstream, customer end) andGLC-BX-D (downstream, service provider) Small Form-factorPluggable (SFP) interfaces are supported on the switch’s GigabitEthernet ports. These interfaces provide additional return oninvestment (ROI), decreasing the cost of underground dark fiberby half. The new bidirectional SFPs are installed in pairs (blue +purple on each end), and each SFP carries a different wavelength.Common deployments include the bidirectional SFPs terminatingsubscribers on switch downlink connections and 2x10GE line rateuplinks to the Cisco 7600 Series Router in the Metro Ethernet core.

New Security and QoS Features in Catalyst Switch Several new security and QoS features for the modular CiscoCatalyst switches bring a comprehensive security portfolio tometro aggregation deployments and allow network managersto dynamically control security threats at their inception. Thesetightly integrated software and hardware features work togetherand can be simultaneously deployed on a switch.

Safe Metro AggregationInnovative Catalyst switch and QoS features bring security, reliability,resilience, and high performance to the metro aggregation layer.

By Rupa Kaur

SERVICE PROVIDER SOLUTIONS

CISCO SYSTEMS SECOND QUARTER 2005 PACKET 61

FIGURE 1 [Figure: Catalyst 4500 Supervisor Engine V-10GE (WS-X4516-10GE) with X2 10-GE optics and SFP Gigabit uplinks. A blue GLC-BX-U SFP at the customer end (1310 nm) is paired over a single fiber with a purple GLC-BX-D SFP at the service provider end (1490 nm).] New security and quality-of-service features supported by the Cisco Catalyst 4500 Series Switch bring greater performance and protection to metro aggregation deployments. Bidirectional Gigabit Ethernet interfaces can lower the cost of underground dark fiber by half.


■ Private VLAN (PVLAN) trunk ports allow content and media (data, voice, video) distribution to homes from different service providers over the same infrastructure. The trunk ports can carry multiple isolated and regular VLANs and also provide isolation between different ports on downlink connections. This feature simplifies IP address management by keeping all clients on the same IP subnet. PVLAN trunk ports enhance security by isolating the ports from one another and preventing one subscriber from spoofing another subscriber's services.

■ Promiscuous PVLAN trunks carry multiple VLANs on uplink trunk ports connected to the router. This security feature also maintains isolation between subscribers carried over the same trunk and simplifies network implementation across the wirespeed 10 Gigabit Ethernet uplink ports.

■ Trunk port security mitigates MAC spoofing attempts on an Inter-Switch Link (ISL) or 802.1Q trunk port. A Catalyst switch can be configured to limit MAC addresses on a per-port, per-VLAN basis. This approach prevents MAC table exhaustion (MAC flooding) attacks, in which an attacker fills the switch's forwarding table with bogus source addresses until frames for legitimate hosts are flooded to every port.

■ Per port per VLAN QoS (PVQoS) is a new feature for input and output QoS. Before this feature, a Catalyst switch could apply either port-level or VLAN-level QoS, but not both. This feature allows a metro service provider to customize its own granular QoS service policy per VLAN on any port to better differentiate service offer levels. Multiple service policies for each VLAN are also supported on any given port.

■ 8000 input and 8000 output policers are supported for concurrent input and output policing with PVQoS. This feature allows a service provider to fine-tune traffic traversing ingress and egress ports to thousands of subscribers.

■ Aggregation DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard dynamically prevent DHCP attacks, man-in-the-middle attacks, and IP spoofing, respectively. These re-engineered security features now allow providers to enforce security policies on a DHCP packet even when DHCP interface tracking (Option 82) is performed at the DSLAM. Before this enhancement, these dynamic Layer 2 security features could be used only in metro access deployments, e.g., in a building basement without DSLAMs.

■ Hardware ternary content-addressable memory version 3 (TCAM3) is used to look up one or more matching bits in incoming packets and classify them for different features, such as security ACLs and QoS classification. The set of bits and the value to match are programmed in a TCAM entry, and the set of bits to be considered for matching is programmed in a TCAM mask. In TCAM3 there is a one-to-one correspondence between a TCAM entry and a TCAM mask, whereas in earlier versions eight TCAM entries share a given mask. Because the new TCAM uses its entries more efficiently than previous TCAMs, it accommodates more security and QoS classification rules.

In addition, with the TCAM3 hardware interface, packet lookup is performed at wirespeed by the switching engine ASIC. These TCAMs also make it possible for Catalyst switches to process security services on any range of IP addresses in hardware. Because of the one-to-one correspondence between a TCAM entry and its mask, TCAM3 is amply equipped to meet the future needs of metro aggregation security and QoS features. Even when classifying flows from 6000 different IP addresses with all dynamic aggregation security features enabled, TCAM entry utilization is only 10 percent.

Figure 3 shows the applicability of these new features within a metro aggregation network. The topology is included to show where specific security features should be applied to mitigate particular attacks.


FIGURE 2 [Figure: Cisco Metro Ethernet switching at the metro aggregation layer. Access: broadband or DSLAM aggregation, 2000 to 6000 users. Aggregation: Cisco Catalyst 4500 or 6500 Series Switch. Core.] Security features, such as dynamic protection from man-in-the-middle attacks, IP spoofing, and DHCP DoS attacks, are performed by the Catalyst switch at the metro aggregation layer.

RUPA KAUR, a senior technical marketing engineer in the Gigabit Switching Business Unit, has been at Cisco ten years. Before her role in technical marketing, she was a development engineer for ATM platforms. She can be reached at [email protected].


PVLANs are extremely useful in a Metro Ethernet environment because they automatically provide isolation between multiple DSLAMs. PVLAN isolated trunks are used to multiplex several VLANs on the same port while still maintaining isolation between subscribers. The feature also allows a customer to subscribe to multiple ISPs with transparent networks. PVLAN promiscuous trunks (scheduled for the second half of calendar year 2005) are used to carry services for thousands of subscribers on the switch's uplink ports. Before promiscuous trunks, a Catalyst switch could carry only one VLAN on a promiscuous port, thus requiring a greater number of physical ports. With this new feature, many primary PVLANs can be multiplexed onto one or both (resilient and load-sharing) 10 Gigabit Ethernet or Gigabit Ethernet uplinks. The PVLAN promiscuous trunks on the Catalyst 4500 connect to the Cisco 7600 Series Router, where IPv4, IPv6, or Multiprotocol Label Switching (MPLS) services are performed.

Trunk port security is also supported on PVLAN trunk ports. It restricts the allowed MAC addresses, or the maximum number of MAC addresses, on individual VLANs of a trunk port. It restricts the trunk port to the configured MAC addresses so that no other MAC address can join the network. When a trunk port security violation occurs, the trunk port is shut down and a Simple Network Management Protocol (SNMP) trap might be generated. Trunk port security can be used when a Catalyst switch has an 802.1Q or ISL trunk attached to a neighboring Layer 2 switch or DSLAM.
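The following Python model is an added example, not code from the article or from Cisco; it shows what the per-port, per-VLAN MAC limit described above buys. A toy switch with a shared MAC table of assumed size 1024 learns source addresses from a DSLAM-facing trunk port; one subscriber floods bogus source MACs on its VLAN. Without a limit the whole table fills and an unrelated subscriber on another port can no longer be learned; with "port-security maximum 3" on that VLAN the first excess MAC is a violation, the port is err-disabled and a trap is recorded, and the rest of the switch is unaffected. Port names, the table size, the limit of three MACs and the trap text are assumptions.

```python
"""Added example (not from the article or Cisco code): per-port, per-VLAN MAC
limiting ('trunk port security') on a switch whose shared MAC table can be
exhausted by a flooding subscriber. Port names, CAM size and limits are assumed."""
from collections import defaultdict
from dataclasses import dataclass, field

CAM_CAPACITY = 1024            # assumed size of the toy switch's shared MAC table


@dataclass
class PortSecurity:
    maximum: int               # MACs allowed on this (port, vlan)
    mode: str = "shutdown"     # shutdown: err-disable + trap; restrict: drop + trap; protect: drop


@dataclass
class Switch:
    cam: dict = field(default_factory=dict)                                 # (vlan, mac) -> port
    learned: defaultdict = field(default_factory=lambda: defaultdict(set))  # (port, vlan) -> MACs
    policy: dict = field(default_factory=dict)                              # (port, vlan) -> PortSecurity
    err_disabled: set = field(default_factory=set)
    violations: defaultdict = field(default_factory=lambda: defaultdict(int))
    traps: list = field(default_factory=list)

    def learn(self, port: str, vlan: int, mac: str) -> str:
        """Handle the source MAC of one ingress frame; return the action taken."""
        if port in self.err_disabled:
            return "drop: err-disabled"
        key, known = (port, vlan), self.learned[(port, vlan)]
        pol = self.policy.get(key)
        if pol and mac not in known and len(known) >= pol.maximum:
            self.violations[key] += 1                 # a new MAC beyond the per-VLAN limit
            if pol.mode == "shutdown":
                self.err_disabled.add(port)
            if pol.mode in ("shutdown", "restrict"):
                self.traps.append(f"psecure violation {mac} on {port} vlan {vlan}")
            return "drop: violation"
        if (vlan, mac) not in self.cam:
            if len(self.cam) >= CAM_CAPACITY:
                return "flood: MAC table full"        # unknown source cannot be learned
            self.cam[(vlan, mac)] = port
            known.add(mac)
        return "forward"


def fake_mac(i: int) -> str:
    """Locally administered MAC derived from an integer (constructed test data)."""
    return "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)


def run_flood(with_port_security: bool, attacker_frames: int = 5000) -> dict:
    """Three legitimate hosts, then a MAC flood, on Gi3/1 VLAN 201; afterwards an
    unrelated subscriber on Gi3/2 VLAN 202 must still be learnable."""
    sw = Switch()
    if with_port_security:
        sw.policy[("Gi3/1", 201)] = PortSecurity(maximum=3)   # 'port-security maximum 3'
    for i in range(3):
        sw.learn("Gi3/1", 201, fake_mac(0x100000 + i))
    results = [sw.learn("Gi3/1", 201, fake_mac(i)) for i in range(attacker_frames)]
    other = sw.learn("Gi3/2", 202, fake_mac(0x200000))
    return {
        "cam_entries": len(sw.cam),
        "flooded_frames": results.count("flood: MAC table full"),
        "violations": sw.violations[("Gi3/1", 201)],
        "err_disabled": sorted(sw.err_disabled),
        "traps": len(sw.traps),
        "other_subscriber_ok": other == "forward",
    }


if __name__ == "__main__":
    print("no port security:", run_flood(False))
    print("max 3 per VLAN  :", run_flood(True))
```

The point of the run is the last field: with no limit, the flood from one subscriber's VLAN consumes the table that every other subscriber on the switch depends on; with the per-VLAN limit, the damage is contained to the offending port, which is exactly why the article pairs the limit with the shutdown violation mode and an SNMP trap so that the operator is told which port to investigate.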

Per port per VLAN QoS allows network managers to create their own service policy per VLAN. This policy, performed in hardware, might consist of ingress and egress policing, trusting the Differentiated Services Code Point (DSCP), or giving precedence to voice packets over data. Figure 4 shows a sample configuration for these three features on a Cisco Catalyst 4500 Series Switch.

FIGURE 3 [Figure: Sample PVLAN metro aggregation. Subscribers connect to DSLAMs; each DSLAM connects over 802.1Q trunks (ports Gi4/3 and Gi4/4) and PVLAN trunks to a Cisco Catalyst 4500 Series Switch; two Catalyst 4500s connect over 10 Gigabit Ethernet promiscuous PVLAN trunks to a Cisco 7600 Series Router that provides IPv4 and IPv6 routing and MPLS services.] Security features, such as PVLAN, on Cisco Catalyst modular switches allow network managers to dynamically control security threats at their inception.

FIGURE 4 Sample configuration for ingress/egress policing, trusting DSCP, and giving precedence to voice packets on a Cisco Catalyst 4500 Series Switch.

! A 200 Mbps policer definition; up to 8K ingress and 8K egress policers are supported.
! The class map RT (voice traffic) and policy-map P32_QoS are defined in the same way
! and are not shown; the trust-DSCP and voice-priority statements referred to in the
! caption are also outside this excerpt.
policy-map P31_QoS
 class RT
  police 200m 16k conform-action transmit exceed-action drop
!
! Sample downlink ports: PVLAN isolated trunks toward the DSLAMs
interface range GigabitEthernet3/1 - 48
 switchport trunk encapsulation dot1q
 switchport private-vlan trunk native vlan 401
 ! PVLAN secondaries carried as services
 switchport private-vlan association trunk 200 201
 switchport private-vlan association trunk 300 301
 ! Private VLAN isolated trunk
 switchport mode private-vlan trunk
 ! Enable port security on the trunk
 switchport port-security
 ! PVQoS and trunk port security for VLAN 201
 vlan-range 201
  port-security maximum 3
  ! Ingress and egress PVQoS for VLAN 201 (includes policing)
  service-policy input P31_QoS
  service-policy output P31_QoS
  exit
 vlan-range 202
  port-security maximum 3
  ! Ingress and egress PVQoS for VLAN 202 (includes policing)
  service-policy input P32_QoS
  service-policy output P32_QoS
  exit
 spanning-tree portfast trunk
!
! Uplink ports: PVLAN promiscuous trunks toward the Cisco 7600
interface range TenGigabitEthernet1/1 - 2
 switchport mode private-vlan trunk promiscuous

DHCP interface tracking, or Option 82, satisfies the legal requirements of many countries, which stipulate that DSLAMs constantly track DHCP offers and releases. DHCP interface tracking only provides a tracking path for the DHCP packet; it does not enforce security. The DSLAM inserts information about itself (the relay agent information option, Option 82) into the DHCP request packet traversing from a client to a server. When a Catalyst switch is used in aggregation mode it cannot change the Option 82 coming from the DSLAMs, and because DHCP Snooping by default drops DHCP packets that arrive on an untrusted port already carrying Option 82, the DSLAM-facing port had to be configured as trusted. Trusting the port rendered the industry-leading DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard security features unavailable for Metro Ethernet. Today, Cisco has re-engineered the Catalyst switch for Option 82 passthrough, which means that the switch transparently passes Option 82 received on untrusted ports, enabling deeper inspection of the DHCP packets.

DHCP Snooping combats rogue DHCP servers while protecting the network from DoS attacks. It achieves this by rate limiting incoming DHCP packets and restricting client-facing (untrusted) ports to DHCP request and renew traffic only. The edge ports, for example, cannot offer a DHCP lease, which is a function of the DHCP server; a DHCPOFFER or DHCPACK arriving on an untrusted port is dropped. DHCP Snooping also forms the basis for other security features such as IP Source Guard and Dynamic ARP Inspection. This feature allows the switch to "snoop" the switched traffic for DHCP packets and create a dynamic binding of MAC address, IP address, lease time, VLAN, and port (see Figure 5).

Dynamic ARP Inspection uses the DHCP Snooping bindings (and, for hosts with static addresses, administratively configured ARP ACLs) to prevent ARP spoofing and man-in-the-middle attacks for both static and dynamic IP addresses. Violating hosts can be logged and the ports error-disabled until administrative action is taken. IP Source Guard mitigates IP address spoofing by dynamically maintaining per-port VLAN ACLs derived from the DHCP Snooping table, locking an IP address (and, with port security enabled, the MAC address) to a given port. The dynamic ACL is removed when the user releases the IP address, for example with "ipconfig /release." Figure 6 shows a sample configuration for these features.
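To make the three mechanisms in the preceding paragraphs concrete, the following Python model is an added example, not code from the article or from Cisco. It implements the DHCP Snooping decisions on constructed packets (a server message on an untrusted port is dropped; a request already carrying Option 82 from a DSLAM is dropped unless Option 82 passthrough is enabled; a port exceeding the DHCP rate limit is err-disabled), builds the MAC/IP/VLAN/port binding table from DHCPACKs the way Figure 5 shows it, and then runs Dynamic ARP Inspection and IP Source Guard (IP and MAC filtering) against that table. The option parser follows RFC 2132 and RFC 3046; port names, addresses, the circuit-id text and the rate limit of 200 are assumptions.

```python
"""Added example (not from the article or Cisco code): DHCP Snooping with Option 82
passthrough and rate limiting, the binding table built from DHCPACKs, and the
Dynamic ARP Inspection and IP Source Guard checks made against it. Port names,
addresses and limits are assumptions."""
from dataclasses import dataclass, field

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSGS = {OFFER, ACK, NAK}               # only a DHCP server legitimately sends these


def parse_options(raw: bytes) -> dict:
    """RFC 2132 TLV options -> {code: value}; Option 82 becomes {sub-option: value}."""
    out, i = {}, 0
    while i < len(raw) and raw[i] != 255:    # 255 = end option
        if raw[i] == 0:                      # 0 = pad
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        value, i = raw[i + 2:i + 2 + length], i + 2 + length
        if code == 82:                       # relay agent information (RFC 3046)
            subs, j = {}, 0
            while j < len(value):
                subs[value[j]] = value[j + 2:j + 2 + value[j + 1]]
                j += 2 + value[j + 1]
            value = subs
        out[code] = value
    return out


def build_options(msg_type: int, circuit_id: bytes = b"") -> bytes:
    """Constructed options field: option 53 and, if given, Option 82 sub-option 1."""
    opt82 = b""
    if circuit_id:
        sub = bytes([1, len(circuit_id)]) + circuit_id
        opt82 = bytes([82, len(sub)]) + sub
    return bytes([53, 1, msg_type]) + opt82 + b"\xff"


@dataclass
class Switch:
    trusted: set                                  # ports toward the DHCP server
    allow_untrusted_opt82: bool = False           # Option 82 passthrough
    rate_limit: int = 200                         # DHCP packets per port before err-disable
    bindings: set = field(default_factory=set)    # (mac, ip, vlan, port), as in Figure 5
    pending: dict = field(default_factory=dict)   # client mac -> (vlan, port) of its request
    counts: dict = field(default_factory=dict)
    err_disabled: set = field(default_factory=set)

    def dhcp(self, port: str, vlan: int, chaddr: str, yiaddr: str, raw: bytes) -> str:
        """DHCP Snooping decision for one packet; DHCPACKs populate the bindings."""
        if port in self.err_disabled:
            return "drop: err-disabled"
        self.counts[port] = self.counts.get(port, 0) + 1
        if self.counts[port] > self.rate_limit:
            self.err_disabled.add(port)
            return "drop: rate limit, err-disabled"
        opts = parse_options(raw)
        msg = opts[53][0]
        if port not in self.trusted:
            if msg in SERVER_MSGS:
                return "drop: server message on untrusted port"
            if 82 in opts and not self.allow_untrusted_opt82:
                return "drop: Option 82 on untrusted port"
            self.pending[chaddr] = (vlan, port)   # remember which port the client is on
        elif msg == ACK and chaddr in self.pending:
            vlan, client_port = self.pending.pop(chaddr)
            self.bindings.add((chaddr, yiaddr, vlan, client_port))
        return "forward"

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        """Dynamic ARP Inspection: the sender MAC/IP pair must be bound on that VLAN."""
        if port in self.trusted or any(b[:3] == (sender_mac, sender_ip, vlan) for b in self.bindings):
            return "forward"
        return "drop: ARP sender not in binding table"

    def ipsg(self, port: str, vlan: int, src_mac: str, src_ip: str) -> str:
        """IP Source Guard (IP and MAC filtering): the source must be bound to this port."""
        if (src_mac, src_ip, vlan, port) in self.bindings:
            return "forward"
        return "drop: source not bound to this port"


def scenario() -> dict:
    """Constructed traffic on DSLAM-facing port Gi3/1 (VLAN 201) and uplink Te1/1."""
    client, rogue = "00:09:6b:50:b8:28", "00:02:b9:a7:55:a5"
    dslam_request = build_options(REQUEST, circuit_id=b"dslam7 slot1 port12")  # Option 82 from DSLAM
    strict = Switch(trusted={"Te1/1"})
    r = {"opt82_dropped": strict.dhcp("Gi3/1", 201, client, "0.0.0.0", dslam_request)}
    sw = Switch(trusted={"Te1/1"}, allow_untrusted_opt82=True)
    r["opt82_passthrough"] = sw.dhcp("Gi3/1", 201, client, "0.0.0.0", dslam_request)
    r["ack_trusted"] = sw.dhcp("Te1/1", 201, client, "10.33.235.45", build_options(ACK))
    r["bindings"] = sorted(sw.bindings)
    r["rogue_offer"] = sw.dhcp("Gi3/1", 201, rogue, "10.33.235.99", build_options(OFFER))
    r["arp_ok"] = sw.arp("Gi3/1", 201, client, "10.33.235.45")
    r["arp_mitm"] = sw.arp("Gi3/1", 201, rogue, "10.33.235.1")  # rogue claims the gateway's IP
    r["ip_ok"] = sw.ipsg("Gi3/1", 201, client, "10.33.235.45")
    r["ip_spoof"] = sw.ipsg("Gi3/1", 201, client, "10.33.235.99")
    for _ in range(sw.rate_limit + 1):                            # DHCP DoS flood on Gi3/2
        r["dos_flood"] = sw.dhcp("Gi3/2", 202, rogue, "0.0.0.0", build_options(DISCOVER))
    return r


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:18} {result}")
```

Two details of the model match the operational behaviour the article relies on. The binding is created only when the DHCPACK arrives on a trusted port for a client whose request was seen on an untrusted port, so a host that never went through DHCP has no binding and its ARP replies and IP packets are dropped by DAI and IP Source Guard. And the "strict" switch, which drops the DSLAM's Option 82-bearing request, shows why the DSLAM port had to be trusted before passthrough existed: trusting it would have turned off every check in the untrusted branch.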

All the Cisco Catalyst security and QoS features discussed in this article build on one another, much like a set of security "stairs" upon which all services are deployed concurrently. These security features empower service providers with resilient, high-performance, reliable, and secure metro Layer 2+ networks. The switches are not only built for the needs of today's networks but are well equipped to meet the demands and challenges of tomorrow.


FURTHER READING

■ Cisco Catalyst 4500 Series Supervisor Engine V-10GE
cisco.com/packet/172_8a1

■ Cisco Metro Ethernet Switching Solution for Service Providers
cisco.com/packet/172_8a2

FIGURE 5 Sample DHCP Snooping binding table on a Cisco Catalyst 4500 Series Switch.

Switch# show ip dhcp snooping binding interface Gi4/1
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ------------------
00:09:6B:50:B8:28   10.33.235.45     131585      dhcp-snooping  201   GigabitEthernet4/1
00:02:B9:A7:55:A5   10.33.232.47     439124      dhcp-snooping  200   GigabitEthernet4/1

FIGURE 6 Sample configuration for DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard on a Cisco Catalyst 4500 Series Switch.

! Option 82 passthrough: accept DHCP packets that already carry Option 82
! (inserted by the DSLAM) on untrusted ports
ip dhcp snooping information option allow-untrusted
! Enable DHCP Snooping globally and activate it on VLANs 2-10
ip dhcp snooping
ip dhcp snooping vlan 2-10
! Enable Dynamic ARP Inspection on VLANs 2-10
ip arp inspection vlan 2-10
!
! DSLAM-facing ports (the uplink toward the DHCP server is configured
! separately with "ip dhcp snooping trust" and is not shown)
interface range GigabitEthernet2/1 - 48
 ! DHCP and ARP DoS rate limiters (packets per second)
 ip dhcp snooping limit rate 200
 ip arp inspection limit rate 200
 ! IP Source Guard with IP and MAC filtering; MAC filtering also
 ! requires "switchport port-security" on the interface
 ip verify source vlan dhcp-snooping port-security


SERVICE PROVIDER SOLUTIONS

The Service Exchange Framework

Mastering services requires comprehending and controlling every packet and policy in your network. Here's how to do it.

By Janet Kreiling

Next-generation networks (NGN) are rife with potential: personalized services, interoperating applications, keeping a connection from home to office and from PDA to PC to phone. But to a large extent, this potential has yet to be realized with intelligent networks that provide the subscriber and application awareness required to effectively converge the plethora of residential and business services available today. Consumers have access to a wide array of communications, entertainment, and online services, usually from a wide variety of broadband service providers. These services traverse multiple network types, each with its own unique capabilities, and they originate and terminate on many different devices. Most service providers do not yet have the capability to converge these services, but a few are beginning to implement new levels of network intelligence that will dramatically change the way we work, play, and learn.

For example, Sprint is using presence and location information from the Cisco Call-Session Control Platform (CSCP) to give its subscribers "push-to-talk" service. The CSCP tracks which people on the user's talk-to list are present on the network. Plala Networks, a subsidiary of NTT East Corp., is using the Cisco Service Control Engine (SCE) to monitor and manage bandwidth-gobbling peer-to-peer traffic so other users can receive acceptable service. The Cisco SCE detects peer-to-peer file transfers; then policy servers limit the bandwidth available to this type of traffic.

These uses are just the beginning. For a next step, cellular providers might evolve push-to-talk services so subscribers could push to access a voice-enabled portal offering applications such as Mapquest. Directions could be spoken or displayed. A provider monitoring and limiting bandwidth could determine, for example, that demand is less during certain hours of the day and offer a managed service package for small businesses with guaranteed bandwidth and quality of service (QoS).

Service Exchange Framework Building Blocks

Imaginative, wide-ranging, useful services such as these are possible now. Every required network element, hardware and software, core and edge, is available. And only Cisco offers them all, in the Service Exchange Framework (SEF), which can be customized to support a provider's unique next-generation business model. The SEF provides the intelligence that enables service convergence, a fundamental element of IP-based next-generation networks (see Packet First Quarter 2005, cisco.com/packet/172_8b1).

"The SEF enables service providers to analyze, optimize, secure, and meter application- and content-based services in their existing IP networks," says Thomas Barnett, Jr., senior service provider marketing manager at Cisco. "That's every capability they need to maximize and deliver services and applications in an IP-based next-generation network." Right now, he adds, "Most providers have very little of the detailed information or control they need to deliver NGN services. They may not know what device a subscriber is using, where the subscriber is located, what applications he or she should have access to, or what policies, such as content or bandwidth control, should be imposed. So the carrier's ability to deliver services and applications, such as e-mail, instant messaging, voice, gaming, and video, with the desired quality of service and class of service [CoS], in a way that maximizes network efficiency and the user experience, is limited."

The following four capabilities are crucial to delivering next-generation service control (see figure):

■ Subscriber awareness and identity management: The network can identify users and their devices, determine a person's location, and establish presence for that person, including sharing his or her status (on or off network) with other subscribers. With these abilities, providers can deploy presence-based services such as push-to-talk, instant messaging, voice and video, call routing and screening, and 3G+ mobile applications such as streaming audio and video and interactive gaming.

■ Policy and resource management: The provider gains programmable session and policy control, including authentication, authorization, and accounting (AAA), QoS, and VPN routing and forwarding for all services the customer subscribes to, along with one very tangible subscriber benefit: signing on once with only one password for all applications.

Reprinted with permission from Packet® magazine (Volume 17, No. 2), copyright © 2005 by Cisco Systems, Inc. All rights reserved.

Page 57: SDN'S

■ Dynamic session management: End-to-end attributes of individual sessions can be managed in real time using techniques such as queuing, policing, traffic shaping, and packet marking, which ensures contracted-for QoS and accurate billing. Internetwork signaling with border control allows services to follow a subscriber from a wireline to a wireless network, from a circuit-switched to an IP network, or from an enterprise to a public network.

■ Mobility service and management: Presence, namespace, subscriber data, and service integration, the four information elements central to a mobile call, can all be managed centrally. When tasks such as storing customer data, AAA, provisioning, and service interaction are consolidated, it becomes possible to create new services for mobile networks, or for calls moving onto mobile networks, quickly and with maximum reuse of assets and minimal expense.

Says Barnett, "These capabilities help service providers optimize network resources, deliver customized services, enhance the subscriber experience, and ensure reliable service delivery and performance."

Cisco Solutions for the Service Exchange Framework

Cisco provides a variety of solutions to deliver these subscriber- and service-aware capabilities for next-generation service control. Because these are stand-alone, inline hardware and software solutions that do not duplicate or interfere with any essential networking functions (such as access or aggregation), service providers can deploy this critical service layer in a phased approach that meets their business and service needs.

The Cisco Mobile Exchange (CMX) is an open platform that provides an intelligent enforcement layer within the operator's network and easily interfaces with all of the control elements in the IP network. CMX has proven interoperability with all major radio access network (RAN), AAA, content billing, and content filtering and compression vendors. It provides three primary functions: access and service control, seamless mobility, and deep-packet inspection. CMX also leverages Cisco IOS Software and enables mobile operators to deliver secure, profitable mobile services. The cornerstone of the CMX framework is the Cisco 7600 Series Router. Modular blades deployed in the Cisco 7600 Series provide a variety of CMX capabilities, including packet gateways, mobile services, load balancing, network management, and operations. Together, these components solve the many challenges that face mobile operators seeking profitability from their second-generation (2G), 2.5G, 3G, or 4G mobile packet infrastructures and IEEE 802.11 wireless LANs.

The aforementioned CSCP is designed for broadband operators interested in deploying a robust, carrier-grade, next-generation services delivery environment for providing multimedia applications and services over their IP-based networks. The CSCP consists of the Cisco Service Engine, Cisco Edge Proxy, and the Cisco Name Resolution Server, software solutions all based on Session Initiation Protocol (SIP), the Internet Engineering Task Force (IETF) standard that defines peer-to-peer multimedia signaling. With the CSCP, operators can offer a differentiated multimedia communication experience to their subscribers with services integrating voice, video, push to talk, presence, geolocation, "buddy" lists, and more.

The Cisco Service Control solution allows providers to take full advantage of their existing IP network infrastructure to differentiate between services such as voice over IP (VoIP), Web browsing, music downloads, video streaming, and peer-to-peer traffic. The Cisco SCE adds a programmable service layer to networks, allowing operators to identify subscribers, classify applications, guarantee service performance, and charge for multiple IP services. Performing Layer 7 stateful, deep-packet inspection at multigigabit speeds, the Cisco SCE is transport- and content-independent, fully extensible and programmable, and easily integrates into existing network fabrics. This network element resides "in traffic" behind an IP aggregation point and enables the network to differentiate between individual services, allowing providers to manage and bill for premium services running on common transport.

Phased Approach to Service Control and Network Intelligence

The starting point for an IP-based NGN is the provider's existing network. "A provider can start with a specific service, add the solution or solutions required for it, and then build more services onto that system or add other solutions for other services," Barnett says. "This is a custom process, driven by each provider's business plan and customer needs. Providers can deploy solutions to offer services that will differentiate them in their own market."

[Figure: FOUR KEY SERVICE CONTROL AREAS, all resting on the open Service Exchange Framework.
Subscriber awareness and identity management: user/device ID, subscriber awareness, location/presence, service registration, audit/logging, assured authentication.
Dynamic session management: call control, session border controller, rich-media control, differentiated bandwidth and QoS per session, accounting/billing.
Policy and resource management: subscriber policy, application/chaining, per-subscriber service, service invocation.
Mobility service and management: device roaming, service mobility, user mobility.]
NGN SERVICE CONTROL Four areas of service control help providers optimize network resources, deliver customized services, and ensure reliable service delivery and performance.

SEF solutions from Cisco give service providers a clear path for cost-effective, low-risk rollouts of multimedia applications and help to address operations, administration, management, and provisioning (OAM&P) challenges, adds Barnett. Triple-play (voice, video, and data) services, voice over broadband, and presence-enabled communications are a few examples. A multitude of services can be initiated and expanded using SEF solutions.

Copel Telecommunications, based in Brazil, uses the Cisco SCE deep-packet inspection capability to identify and classify applications and guarantee performance of offerings such as VoIP, Internet access, and multimedia services to enterprise clients. Copel will be able to implement traffic-line intelligence that addresses new standards, protocols, billing techniques, and classification of content type in real time, and can thus customize services to satisfy the needs of individual customers. A provider with such a wide-ranging application of the Cisco Service Control Engine's abilities might next enable tiered services by adding a policy control solution.

Swisscom Mobile is already using CMX for its "Mobility Unlimited" solution, which allows subscribers to access data from the fastest transmission technology available wherever they are and change to another transmission mode seamlessly while on the move.

An evolution plan for a provider with this starting point might include adding deep-packet inspection to monitor and manage data applications, or policy control to ensure the security of a user's corporate intranet and applications while employees travel. With SEF solutions, providers could offer customers a "turbo button" for real-time bandwidth changes, or enable them to cross from a mobile to a fixed network while maintaining the same call. Such a capability would make the provider's service very attractive to third-party developers of high-bandwidth multimedia applications, Barnett says, and create opportunities for partnering.

Service Optimization

In addition to gracefully evolving to next-generation offerings, providers can use the SEF to finally understand, down to the packet, what is going on in their networks: how much bandwidth is consumed by given services, applications, and users. They can determine how much bandwidth and what QoS to devote to a given user and application. They can see where the inefficiencies are in how their resources are used, and where efficiencies can lead to new service and revenue opportunities.

For example, providers can reduce costs by monitoring and regulating how much capacity is used by bandwidth-hungry applications, and limit them or permit dynamic bandwidth allocation through policy control. "Taking the guesswork out of capacity planning and detailing subscriber demographics helps operators uncover hidden operational costs and new revenue potential in wireline, mobile, and cable networks," Barnett points out.

In a truly intelligent network, subscribers will be able to sign themselves up for services and service attributes. Examples include subscribing to a cell phone plan, VoIP, or pay-per-view; ordering bandwidth or QoS that varies by time of day; and imposing parental or employer controls. Each such interaction is one fewer that is handled by a customer service representative, for further cost savings. Subscribers have proven willing to pay more for a more personalized experience, getting any service they want, when they want it, over any device, so the IP-based NGN also offers income potential even beyond revenues from services and ventures with application developers.

As providers continue to face competitive pressures to cut costs and provide more flexible services, they are "already creating multiservice converged networks by eliminating networks dedicated to specific types of traffic and applications, or reducing layers within networks," says Barnett. "IP is the basis for the sweeping transformation we're seeing in networks, and the SEF is the way to master profitable, innovative service delivery over the IP next-generation network."


FURTHER READING

Read the full white paper, The Service Exchange Framework: Providing Greater Control for Cisco IP Next-Generation Networks, at cisco.com/packet/172_8b2.

■ White paper: The Cisco Call Session Control Platform
cisco.com/packet/172_8b3

■ White paper: Bridging the Infrastructure Gap: The Importance of Service Control in Broadband Networks
cisco.com/packet/172_8b4

■ White paper: Cisco and the Service Provider IP Next-Generation Network Journey
cisco.com/packet/172_8b5


SERVICE PROVIDER SOLUTIONS

IP/MPLS Interprovider

Extending Network Infrastructures and Services Beyond Administrative Boundaries

By Santiago Alvarez

Service provider customers increasingly demand networking services that meet the geographical requirements of their business. They expect a single point of contact for these services instead of approaching multiple providers for a solution. In many cases, service providers find it more cost effective to extend their footprint through agreements with other providers than to invest in new network infrastructure. In other cases, regulatory or political reasons might require service providers to rely on other providers to meet customer requirements. Some providers using Multiprotocol Label Switching (MPLS) have implemented these agreements for some time; however, most service providers have now come to realize the inevitable need for such accords to compete effectively in their markets.

Cisco MPLS offers service providers the technology to extend their MPLS networks and the coverage of their services. This technology includes support for implementing MPLS VPN, multicast VPN, MPLS traffic engineering (TE), and Layer 2 VPN (L2VPN) across multiple autonomous systems (AS). An AS typically defines a service provider's administrative boundary. However, some providers might use multiple autonomous systems in their networks. In those cases, the Cisco IP/MPLS Interprovider solution also helps expand services throughout multiple networks belonging to a single service provider.

MPLS VPN Inter-AS and Carrier Supporting Carrier

Cisco introduced support for MPLS VPN Inter-AS and MPLS VPN Carrier Supporting Carrier (CSC) in 2001. MPLS Inter-AS is an extension of MPLS VPN that enables peering agreements between two or more autonomous systems to offer IP VPN services. MPLS VPN CSC is an MPLS feature that allows a service provider to act as a transport network for other MPLS networks. The transport network offers an MPLS service that can carry multiple services (e.g., Internet, IP VPN, L2VPN). The presence of multiple providers is transparent to the end customer for both MPLS VPN Inter-AS and CSC.

Cisco has made numerous enhancements to these solutions since their introduction. The most recent improvement extends load balancing capabilities, allowing AS boundary routers (ASBRs) to maintain a single external Border Gateway Protocol (eBGP) session using loopback peering across multiple physical links.

FIGURE 1 [Figure: MPLS VPN Inter-AS and Carrier Supporting Carrier. Left, MPLS VPN Inter-AS: VPN 1 sites attach to PE routers in AS A and AS B, which peer through their ASBRs (A-ASBR1, B-ASBR1). Right, MPLS VPN Carrier Supporting Carrier: AS B acts as the transport network between AS A and AS C, peering at A-ASBR/B-ASBR1 and B-ASBR3/C-ASBR; VPN 1 sites attach to A-PE1 and C-PE1.] Cisco MPLS VPN Inter-AS and CSC can be used across IP and MPLS networks, providing greater flexibility for interprovider service agreements or for service providers that have multiple networks.


Figure 1 illustrates the configuration of MPLS VPN Inter-AS and CSC. In the case of MPLS VPN Inter-AS, two autonomous systems A and B peer to provide VPN service to two separate VPN sites. This technology offers three different peering alternatives that provide different levels of control and scalability. In the other scenario, AS B provides an MPLS transport service to AS A and AS C. CSC defines a hierarchical VPN model where B sees A and C as VPN sites with a single signaling relationship regardless of the number of VPN instances and VPN sites in A and C.

Interprovider MPLS VPN over IP

Interprovider MPLS VPN over IP is an extension of the inter-AS and CSC functions in MPLS VPN to include IP networks that are not MPLS-enabled. In 2004, Cisco introduced support for MPLS VPN over IP using Layer 2 Tunneling Protocol version 3 (L2TPv3) encapsulation. This encapsulation provides intrinsic spoofing protection for VPN traffic: a packet is accepted into a VPN only if its L2TPv3 session ID and cookie match the values set up for that session, so a host on the IP backbone cannot inject traffic into a VPN simply by addressing packets at a PE. It does not encrypt the traffic; confidentiality across an untrusted IP network still requires IPSec. The Cisco MPLS VPN Inter-AS and CSC features can now be used across both IP and MPLS networks, providing greater flexibility for interprovider service agreements or for providers that have multiple networks (some of which are not enabled with MPLS). MPLS VPN Inter-AS and CSC with IP networks was introduced in Cisco IOS Software Release 12.0(30)S.

In Figure 1, one or even both of the autonomous systems in the inter-AS solution could use an IP backbone. In the CSC scenario shown in Figure 1, any network can be an IP or MPLS network as long as the customer autonomous systems A and C are of the same type.

Inter-AS Multicast VPN

Service providers can now establish agreements to expand their multicast VPN (mVPN) services. Multicast distribution trees (MDTs) can be created between two autonomous systems without having to exchange additional unicast routing information. Provider edge (PE) routers can create trees triggered by Protocol Independent Multicast (PIM) joins across AS boundaries. Intermediate hops can perform the Reverse Path Forwarding (RPF) check even if unicast reachability cannot be verified directly across autonomous systems. Ultimately, the VPN customer receives a service experience as if a single AS or service provider were present.

Cisco Inter-AS mVPN introduces an extension to PIM and a new address family for BGP. A new PIM join message encoding includes the exit point (called an RPF vector) to the other AS together with the source. The PE router that originates the join message has learned the exit point and MDT group address using BGP.

Cisco Inter-AS mVPN uses a new BGP subsequent address family identifier (SAFI) to distribute MDT information.


FIGURE 2 With Cisco Inter-AS mVPN, two multicast distribution trees are created between two separate autonomous systems.

[Figure 2, Inter-AS mVPN across two autonomous systems: AS A (A-PE1, A-PE2, A-ASBR1) and AS B (B-ASBR1, C-PE1, C-PE2, C-PE3), each with VPN 1 and VPN 2 sites attached; one MDT for VPN 1 and one MDT for VPN 2 cross the AS boundary between A-ASBR1 and B-ASBR1.]

SANTIAGO ALVAREZ, CCIE No. 3621, is a technical marketing engineer in Cisco's Internet Technologies Division and focuses on MPLS and QoS technologies. He has been a regular speaker at Networkers and a periodic contributor to Packet. He can be reached at [email protected].


Intermediate routers that run BGP select an RPF interface by conducting a direct lookup in a special BGP MDT table. Intermediate routers that do not run BGP use the RPF vector in the PIM message to find the RPF interface. Figure 2 shows two MDTs created between two separate autonomous systems. The Inter-AS mVPN feature was introduced in Cisco IOS Software Release 12.0(30)S (including the PIM RPF vector).
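The RPF-interface selection just described, as an added example that is not part of the article and not Cisco IOS code. It models a small AS B topology (the router names follow Figure 2; the addresses, prefixes and interface names are assumptions) with a PE that runs BGP, a core P router that does not, and the ASBR. The BGP speakers resolve the MDT source from their BGP MDT table and recurse through the IGP; the P router has no route to a source in AS A, so it performs RPF on the vector instead; and the ASBR named by the vector strips it and resolves the source itself. The hop-by-hop walk goes one step beyond the text to show where the join would fail without the vector.

```python
import ipaddress

# Constructed AS B topology (addresses, prefixes and interface names are
# assumptions, not from the article). 10.2.0.0/16 holds AS B loopbacks;
# 10.1.0.1 is A-PE1 in AS A, a prefix that AS B's IGP never carries.
B_PE1 = {"name": "B-PE1", "addresses": {"10.2.0.1"},
         "bgp_mdt": {"10.1.0.1": "10.2.0.254"},        # MDT SAFI: A-PE1 via B-ASBR1
         "igp_rib": [("10.2.0.254/32", "Gi0/0"), ("10.2.0.3/32", "Gi0/0")]}
B_P1 = {"name": "B-P1", "addresses": {"10.2.0.3"},
        "bgp_mdt": None,                               # core router, no BGP
        "igp_rib": [("10.2.0.254/32", "Gi0/1"),        # toward B-ASBR1
                    ("10.2.0.1/32", "Gi0/0")]}         # toward B-PE1
B_ASBR1 = {"name": "B-ASBR1", "addresses": {"10.2.0.254", "192.0.2.2"},
           "bgp_mdt": {"10.1.0.1": "192.0.2.1"},       # eBGP: A-PE1 via A-ASBR1
           "igp_rib": [("192.0.2.0/30", "Gi0/2"),      # inter-AS link
                       ("10.2.0.1/32", "Gi0/1")]}


def longest_match(rib, addr):
    """Most specific (network, interface) entry covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in rib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def rpf_interface(router, source, rpf_vector=None):
    """RPF interface for a PIM join toward an MDT source in another AS.
    Returns the interface name, or None when the RPF check fails."""
    # A vector naming this router has reached the exit point: drop it and
    # resolve the source normally (the ASBR is itself a BGP speaker).
    if rpf_vector in router["addresses"]:
        rpf_vector = None
    if router["bgp_mdt"] is not None:
        # BGP speaker: a direct lookup in the BGP MDT table yields the BGP
        # next hop; the IGP then resolves that next hop to an interface.
        bgp_next_hop = router["bgp_mdt"].get(source)
        if bgp_next_hop is None:
            return None
        hit = longest_match(router["igp_rib"], bgp_next_hop)
        return hit[1] if hit else None
    # Non-BGP P router: the source is unknown to its IGP, so RPF runs on
    # the vector (the exit ASBR) when the join carries one.
    hit = longest_match(router["igp_rib"], rpf_vector or source)
    return hit[1] if hit else None


def trace_join(path, source, rpf_vector=None):
    """Walk the join hop by hop; each entry is (router name, RPF interface)."""
    return [(r["name"], rpf_interface(r, source, rpf_vector)) for r in path]


if __name__ == "__main__":
    hops = [B_PE1, B_P1, B_ASBR1]
    print(trace_join(hops, "10.1.0.1"))               # P router fails RPF
    print(trace_join(hops, "10.1.0.1", "10.2.0.254"))  # every hop succeeds
```

Without the vector the P router has no entry for 10.1.0.1 and the join dies there; with the vector it forwards toward B-ASBR1, which strips the vector and completes the lookup from its own BGP MDT table.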

Inter-AS Traffic Engineering

Inter-AS TE is an extension of MPLS TE that enables the creation of traffic-engineered label switched paths (LSPs) across AS boundaries. Historically, MPLS TE technology has been used within a single AS, in part because it is generally deployed closely tied to a link-state Interior Gateway Protocol (IGP). With Inter-AS TE, each AS can have its own IGP, and TE LSPs can be created across AS boundaries and still take advantage of the constraint-based routing, admission control, explicit routing, and protection capabilities of MPLS TE. These TE LSPs can be used to extend MPLS VPN and L2VPN services.

Figure 3 shows a sample implementation of Inter-AS TE. AS A signals two TE LSPs toward AS C. The LSP headend relies on loose routing for end-to-end path computation. A list of loose path entries specifies ingress points to all autonomous systems. Those devices are responsible for path computation within their AS and signaling to the next entry in the path. Using the Cisco Inter-AS TE feature, ASBR devices can enable a secure interface using Resource Reservation Protocol (RSVP) authentication and local policy control to prevent unauthorized access. Network availability is also enhanced in this scenario using MPLS TE Fast Reroute (FRR). A backup LSP between AS A and AS B protects against the failure of one of the ASBR devices in AS B. FRR could be deployed at different points to provide node, link, and shared-risk link group protection. The Inter-AS TE feature was introduced in Cisco IOS Software Release 12.0(29)S.
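The authentication and local-policy check at the AS boundary, as an added example that is not part of the article and not Cisco's implementation. It models the RSVP cryptographic authentication of RFC 2747 (an INTEGRITY object carrying a key ID, a strictly increasing sequence number and an HMAC-MD5 keyed digest computed over the message with the digest field zeroed) together with the per-neighbor policy an ASBR applies before it processes a Path message from another AS. The message layout is a simplified stand-in for a real RSVP message; the key IDs, keys, addresses and LSP text are constructed. Beyond the text, the example shows the three rejections a practitioner should test on the inter-AS interface: a replayed message, a tampered message, and a signaling peer that local policy does not permit.

```python
import hashlib
import hmac
import struct

# Wire layout used here (constructed stand-in for an RSVP message carrying
# an INTEGRITY object): key ID (6 bytes) | sequence number (8 bytes) |
# HMAC-MD5 digest (16 bytes) | message body. RFC 2747 places the object
# inside the RSVP message; only the fields that matter for the check are kept.
HDR = struct.Struct("!6sQ")
DIGEST_LEN = 16


def integrity_digest(key, key_id, seq, body):
    """Keyed digest over the whole message with the digest field zeroed."""
    zeroed = HDR.pack(key_id, seq) + b"\x00" * DIGEST_LEN + body
    return hmac.new(key, zeroed, hashlib.md5).digest()


def sign_message(key, key_id, seq, body):
    """Sender side: attach key ID, fresh sequence number and digest."""
    return HDR.pack(key_id, seq) + integrity_digest(key, key_id, seq, body) + body


class AsbrRsvpGuard:
    """Receiver side of an inter-AS link: authenticate the message, reject
    replays, and apply local policy on who may signal TE LSPs into this AS."""

    def __init__(self, neighbor_keys, allowed_signalers):
        self.neighbor_keys = neighbor_keys          # (peer_ip, key_id) -> key
        self.allowed_signalers = allowed_signalers  # peer IPs allowed to signal
        self.last_seq = {}                          # (peer_ip, key_id) -> seq
        self.log = []

    def accept(self, peer_ip, msg):
        if peer_ip not in self.allowed_signalers:
            return self._drop(peer_ip, "peer not permitted by local policy")
        if len(msg) < HDR.size + DIGEST_LEN:
            return self._drop(peer_ip, "truncated message")
        key_id, seq = HDR.unpack_from(msg)
        digest = msg[HDR.size:HDR.size + DIGEST_LEN]
        body = msg[HDR.size + DIGEST_LEN:]
        key = self.neighbor_keys.get((peer_ip, key_id))
        if key is None:
            return self._drop(peer_ip, "no key for this peer/key ID")
        if not hmac.compare_digest(digest, integrity_digest(key, key_id, seq, body)):
            return self._drop(peer_ip, "bad digest")
        # Sequence numbers must strictly increase per (peer, key): a resent
        # copy of an authentic message is dropped as a replay.
        if seq <= self.last_seq.get((peer_ip, key_id), -1):
            return self._drop(peer_ip, "replayed sequence number")
        self.last_seq[(peer_ip, key_id)] = seq
        self.log.append((peer_ip, "accepted"))
        return True

    def _drop(self, peer_ip, reason):
        self.log.append((peer_ip, "dropped: " + reason))
        return False


def demo():
    """Four Path messages arriving at B-ASBR1's inter-AS interface; returns
    the accept/drop verdicts and the logged reasons."""
    key_id = b"\x00\x00\x00\x00\x00\x01"
    key = b"constructed-shared-secret"             # per-neighbor key, made up
    guard = AsbrRsvpGuard({("192.0.2.1", key_id): key}, {"192.0.2.1"})
    path = b"PATH LSP1 loose=B-ASBR2,C-ASBR2,C-PE1 bw=100M"
    good = sign_message(key, key_id, 1, path)
    tampered = good[:-4] + b"999M"                  # body altered after signing
    verdicts = [
        guard.accept("192.0.2.1", good),                                   # genuine
        guard.accept("192.0.2.1", good),                                   # replay
        guard.accept("192.0.2.1", tampered),                               # tampered
        guard.accept("198.51.100.9", sign_message(key, key_id, 2, path)),  # wrong peer
    ]
    return verdicts, [entry[1] for entry in guard.log]


if __name__ == "__main__":
    for verdict, reason in zip(*demo()):
        print(verdict, reason)
```

HMAC-MD5 is what RFC 2747 mandates and is still sound as a keyed MAC, but where both ends support an HMAC-SHA-1 variant prefer it; the key, not the hash, is what an outside AS must not learn, so keys should be per neighbor and rotated by switching key IDs rather than shared across all peering links.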

Interprovider L2VPN

Service providers can extend L2VPN services across multiple autonomous systems. Cisco L2VPN pseudowire switching allows network administrators to establish a pseudowire to a peering device that interfaces with other autonomous systems. This model increases scalability, reduces peering relationships, and can be extended to support disparate L2VPN control planes (e.g., MPLS and L2TPv3). The previous alternative approach for interprovider L2VPN relies on a single end-to-end pseudowire being signaled across multiple autonomous systems. In that case, an LSP connects the two PE devices, and they must be able to establish a directed LDP session to set up the pseudowire. MPLS VPN Inter-AS CSC and Inter-AS TE provide configurations that satisfy these requirements. Cisco IOS Software Release 12.0(31)S introduced support for L2VPN pseudowire switching.

Future Work

QoS is an important area of future work in interprovider environments. The current MPLS QoS capabilities enable end-to-end QoS across multiple networks. However, there are several aspects of interprovider QoS that can be enhanced. First, service providers can benefit from an agreement framework for traffic classes, their syntax and semantics. Second, better understanding is needed on how to budget application service-level agreements (SLAs) across service provider networks. In addition, control plane enhancements might be made to allow QoS signaling across AS boundaries. Some of these interprovider QoS components require the definition of frameworks with guidelines or best practices. Others might require protocol enhancements. The new developments should simplify the implementation of QoS peering agreements.

◆ ◆ ◆

With the Cisco IP/MPLS Interprovider solution, service providers can build agreements with other providers to extend their MPLS VPN, multicast VPN, TE, and L2VPN services. These interprovider capabilities are increasingly important as MPLS adoption grows worldwide and more customers expect a single point of contact for their networking services.

Cisco leads the industry in implementing and standardizing IP/MPLS interprovider technologies. Interprovider L2VPN and QoS are two areas of active discussion at standard bodies and forums where Cisco participates.


FIGURE 3 With Cisco Inter-AS Traffic Engineering, ASBR devices can enable a secure interface using RSVP authentication and local policy control to prevent unauthorized access.

[Figure 3, Inter-AS MPLS TE across multiple AS: AS A (A-PE1, A-ASBR1, A-ASBR2), AS B (B-ASBR1, B-ASBR2, B-ASBR3, B-ASBR4) and AS C (C-ASBR1, C-ASBR2, C-PE1). TE LSP 1 follows the loose route B-ASBR2, C-ASBR2, C-PE1; TE LSP 2 follows the loose route B-ASBR1, C-ASBR1, C-PE1; a backup LSP provides ASBR protection using FRR.]

FURTHER READING
■ Cisco IP/MPLS Interprovider Solution
cisco.com/packet/172_8c1


SMALL AND MIDSIZED BUSINESSES

Integrated Services Routers in the Small Office

Cisco extends integrated services routers with new models and integrated wireless across the portfolio.

By David Barry

PERFORMANCE PUNCH New models in the Cisco integrated services router line bring concurrent services, such as security and wireless LAN, at wire speed to small offices and enterprise teleworker sites.

Following up on the successful launch in September 2004 of the integrated services router line (see Packet magazine, Fourth Quarter 2004), Cisco recently announced availability of new models and capabilities to these routers that extend its powerful integration into small and remote offices. These models satisfy a market demand for platforms that deliver greater performance for deploying services such as security and wireless LAN (WLAN) capabilities to the enterprise branch and small and midsized businesses—platforms that are easy to deploy and cost effective to manage.

The new Cisco 800 and 1800 Series integrated services routers offer concurrent services including firewall, virtual private networks (VPNs), and WLANs at an attractive price point for small offices. These Cisco IOS-based platforms also deliver centralized management features that make them ideal for small office or teleworker sites as part of an enterprise or service provider network.

"These new models extend the benefits of the [integrated services router] line to small offices for both enterprise and small and medium-sized business customers," says Marc Bresniker, product manager in the Premises Communications Business Unit at Cisco. "Their strong performance allows businesses to layer on new services, such as security, QoS [quality of service] for voice, or wireless LANs, while taking full advantage of DSL and cable broadband speeds. And for those customers who want to use the newer and faster DSL standards, such as ADSL2+ [more than 20-Mbit/s downstream speeds] and multipair symmetric DSL [G.SHDSL], the DSL models in the portfolio will support these new standards."

Cisco 1800 Series: Greater Performance and Services Integration

The most highly integrated of the fixed-configuration integrated services routers is the Cisco 1800 Series. These models include a full suite of advanced security features: firewall, IP Security (IPSec) VPNs, and support for intrusion prevention and Cisco Network Admission Control (NAC) for security policy control and protection against viruses and worms. Also included are models with options for fully integrated ISDN BRI, an analog modem, and dual Fast Ethernet ports for redundant WAN links and load balancing.

With the increased availability and affordability of broadband DSL and cable, some companies are looking to use dual broadband WAN ports; for example, they are contracting with separate broadband providers to ensure automatic failover if either service experiences congestion or failure. An integrated internal power supply on the Cisco 1800 Series also makes it easy to deploy with fewer cords to set up.

The 1800 Series models with an integrated 8-port switch are targeted for small offices. With support for advanced QoS and multiple virtual LANs (VLANs), businesses can configure and segment their network for application performance and security.

Further integration of the Cisco 1800 Series is achieved with an option for Power over Ethernet (PoE) support. PoE is especially beneficial for companies that deploy a Cisco 1800 Series model with IP phones or external wireless access points and want to eliminate the need for separate power supplies for those devices.

The Cisco 1800 Series models include an option for integrated wireless access points, providing secure WLAN services in a single device—and helping businesses reduce their total cost of ownership with simplified WLAN deployment and management capabilities while maintaining network security. The integrated wireless access point can support IEEE 802.11b/g and 802.11a simultaneously to provide added flexibility in high-speed wireless applications. The removable, replaceable antennas allow choices for mounting in different locations to place wireless coverage where needed. For instance, a retail store that deploys a Cisco 1800 Series Integrated Services Router behind the front counter or in a utility room can mount the antennas elsewhere for better wireless coverage.

WLAN Capabilities Added to Integrated Services Routers

Cisco's integrated services routers now offer WLAN capabilities across the entire portfolio. The recently launched fixed-configuration 800 and 1800 Series integrated services routers include 11 factory-configured wireless models with antennas. Also included in this launch is a high-speed wireless interface card (HWIC) for the modular integrated services router platforms. Installing the HWIC into a slot on the Cisco 1841 or the Cisco 2800 or 3800 Series routers enables businesses to integrate a wireless access point onto their access router.

"Most exciting about the new wireless capabilities is that they further build on the compelling premise of the integrated services router line—delivering secure data, voice, and video services to wired and wireless users to maximize productivity," says Sunny Mahant, product marketing manager in the Multiservice Customer Edge Business Unit at Cisco. "Not only can these models run multiple services such as security, voice, and VPNs without degrading broadband connections, now they can also run wireless, all from one integrated platform."

Offices that need to support survivable IEEE 802.1X local authentication can combine a modular integrated services router with a wireless HWIC or with several Cisco Aironet access points. "This allows the router to act as a local authentication server to authenticate wireless clients when the AAA [authentication, authorization, and accounting] server is not available," says Mahant.

Fixed and Modular Access Points

With support for 802.11 Wi-Fi Certified Access on both the fixed and modular integrated services routers, Cisco provides a low-cost entry point for companies that want to add WLAN connectivity to their branch or small office. These routers eliminate the requirement for dedicated wireless appliances at each site when only one access point is needed—simplifying wireless access deployment and management. No changes are required to the existing wired infrastructure.

Both the fixed and modular integrated access points deliver robust, predictable 802.11 wireless coverage with strong radio sensitivity and superior performance, notes Mahant. They support Wi-Fi Protected Access (WPA) for per-user IEEE 802.1X mutual authentication with an Extensible Authentication Protocol (EAP) such as Cisco LEAP. (LEAP's challenge/response exchange is susceptible to offline dictionary attacks on weak passwords, so a stronger EAP type such as EAP-FAST or PEAP is preferable where the clients support it.) They also support 802.11e for QoS, Wi-Fi Multimedia (WMM), VLANs, and multiple service set identifiers (SSID).

Scaling Wireless and Deploying Advanced Services with Aironet Access Points

In situations where only a single access point is needed, businesses gain the full benefits of integration and cost effectiveness by choosing a fixed-configuration integrated services router with a built-in access point or by installing the HWIC into a modular model. Depending on the integrated services router and whether it operates in single mode (802.11 b/g) or dual mode (802.11 a/b/g), the router will support up to 20 or 50 users, respectively.

For companies or sites that require more than one access point either immediately or in the future, Cisco Aironet access points are recommended, says Mahant. The modular integrated services router platforms presently support either the Cisco Aironet access points or the modular platform access points with HWIC, not both options.

Cisco Aironet access points deliver high security with WPA2 and high-capacity wireless access for offices and challenging RF environments. These robust access points are perfect for single access point deployments that require flexible, secure installation options, or for enterprise deployments that require more than one access point.

To learn more about new wireless capabilities of the Cisco integrated services routers, visit cisco.com/go/isr.

Cisco 800 Series: Small but Powerful

The Cisco 800 Series has several models targeted for small remote offices and teleworkers, each providing a cost-effective solution for delivering secure WAN connectivity with optional integrated IEEE 802.11b/g for WLANs in a single device (see sidebar, "WLAN Capabilities Added to Integrated Services Routers"). In addition, the Cisco 800 Series is easy to set up and deploy using the Web-based configuration tool, Cisco Router and Security Device Manager (SDM)—ideal for small offices with minimal local technical resources.

The Cisco 870 Series includes hardware-assisted encryption for VPNs. Integrated security features are further enhanced with support for intrusion prevention and Cisco NAC for security policy control and virus and worm protection. Each model also has 802.11b/g WLAN capabilities with removable, replaceable dual diversity antennas.

The Cisco 870 Series offers advanced QoS support which, along with its increased performance for encryption, makes it ideal for teleworker or remote call agent applications. Users can connect an IP phone to the router's switch port to act as an enterprise extension and give voice traffic precedence over data applications.

The Cisco 850 Series, with four 10/100 Mbit/s ports and 10/100 Fast Ethernet or ADSL connections, supports up to 10 users and offers a basic set of security features, including stateful inspection firewall and VPN encryption. Each model has an option for integrated wireless, the Cisco 851W and Cisco 857W, which come equipped with a single, fixed antenna and 802.11b/g WLAN support.

◆ ◆ ◆

Affordable broadband access is changing the way businesses communicate with customers, suppliers, and employees. WLANs can further extend the effectiveness of business applications. To take advantage of these high-speed connections, small offices must have the same level of security enjoyed by their larger counterparts. With its new line of fixed-configuration integrated services routers, Cisco is delivering the right combination of integrated services with the performance punch small offices need.

FURTHER READING
■ Cisco Integrated Services Routers home page
cisco.com/go/isr


SMALL AND MIDSIZED BUSINESSES

Buying Strategies

Initially designed as a way to keep hazardous materials out of landfills, global environmental regulations—including the Restriction on the Use of Certain Hazardous Substances and the Waste Electrical and Electronic Equipment Directive—have sparked a significant trend: More than ever, used hardware products are being refurbished and resold to other businesses, often at a fraction of their original cost.

Major PC vendors such as IBM, HP, and Dell are providing environmentally sound disposal of electronic devices and offering an array of solutions to resell legacy equipment, according to Michael Burlison, an analyst with META Group.

Buying refurbished gear is a good way for SMBs to save money, but there are some important issues to consider if you want to ensure that you won't end up paying more in the long run. The quality and condition of used products available for purchase on the secondary market varies considerably and is unpredictable, so be sure you deal with a reputable vendor—ideally, the company that manufactured the products in the first place, or one of its authorized resellers. Products are available from other sources, too, but purchasing equipment from these providers involves a number of limitations and risks, including the following:

■ Many used products turn out to be "gray market" merchandise—new merchandise that is being distributed illegally, without the authorization of the manufacturer. Other products turn out to be counterfeit. Before buying, verify the serial numbers and the reseller's authorization with the manufacturer.

■ Used products are typically not eligible for a service contract without a vendor-authorized inspection to verify their condition.

■ Software licenses are generally non-transferable and must be purchased from the appropriate vendors.

Learn about the Cisco Authorized Refurbished Equipment program at cisco.com/go/iq-refurb.

—David Baum


SMALL AND MIDSIZED BUSINESSES

Digital Security
Financial institutions manage risk and regulatory compliance proactively, with Cisco Self-Defending Networks.

By Rhonda Raider

When financial institution CIOs lose sleep, information security is usually to blame. Peter Simonsen, CIO of Arizona State Savings and Credit Union, the largest state-chartered federally insured credit union in the state, explains why: "Only financial institutions convert their assets into zeroes and ones and store them on a hard drive, which is why digital security issues have risen to the top of the list of boardroom concerns."

And money is not the only asset at risk from network security breaches. "At the highest level, security is about banks and credit unions protecting their most valuable asset, customer trust—their stock in trade," adds Rune Olslund, a financial services market manager at Cisco. "If that trust is ever compromised or violated, the bank will have a hard time restoring its reputation."

New Factors in Financial Information Security

Several factors have converged to catapult information security to the top of priority lists for financial institution IT groups.

Changed Regulatory Landscape

Prudent information security and technology risk management are no longer just industry best practices, they're mandated by a spate of security and privacy regulations including the Gramm-Leach-Bliley Act Data Protection regulation, Sarbanes-Oxley Act, BASEL II-Operational Risk, and the USA Patriot Act. "Financial institutions deserve credit for having monitored security and privacy without regulatory oversight for many years," says Paul Reymann, co-author of the Gramm-Leach-Bliley Data Protection regulation and CEO of ReymannGroup, Inc. (reymanngroup.com), a team of leading subject matter experts on finance, healthcare, retail, and manufacturing. "Many of today's compliance requirements evolved from what had been industry best practices. Now, rather than being followed by a few leading organizations, they're mandated for everybody."

[Figure, Self-Defending Network: a branch office and a remote/mobile workforce reach the back office over a private WAN, the Internet and a wireless hotspot. Integrated services routers at the branch and back office each provide firewall, IDS/IPS and VPN. The diagram labels secure transmissions (regulatory and audit compliant); worm, virus, and intrusion detection and protection; complete virus and privacy protection; VPN connection; firewalling for secure segmentation and containment; security credential checking; secure communications; IP video surveillance; Cisco Security Agent, Trust Agent, and antivirus protection; image capture with secure transmission (Check 21 enabled); and secure wireless access.]

DEFENSE IN DEPTH Financial institutions can manage risk proactively through a technology infrastructure with an integrated suite of solutions for secure connectivity, threat defense, and trust and identity management.

Greater Reliance on Internet Channels

Not so long ago, network security was intended to keep out outsiders. "Now financial institutions offer a slew of self-service products that allow customers behind the firewall, including Internet banking, online bill pay, and electronic statements," says Simonsen. "Electronic delivery channels are required to succeed in the marketplace, which makes digital security the forefront issue for CIOs of financial institutions."

Widespread Publicity

Recent high-profile privacy breaches have sharpened public interest in information security. "Our members are very concerned about identity theft," says Ray Carsey, assistant vice president of technology for Mountain America Credit Union, Utah's second-largest credit union, with branches in four states. "We do everything in our power to protect our members' information. We know that if we don't have a member's trust, that member is going to go somewhere else."

Greater Board Oversight

"Until a few years ago, financial institution board members would redirect all security concerns to the technology staff and say, 'You deal with this,'" says Olslund. Now boards take a more hands-on approach because they're held more accountable under many security and privacy regulations.

Recognition of Financial Institutions' Role in National Security

The US government recognizes financial institutions as one of eight vertical industries critical to sustaining the way of life in the event of a doomsday scenario, according to Simonsen. "Imagine if you couldn't get to your money," he says. "That's why there's no such thing as too much attention to security."

What's Needed for Compliance and Security

To satisfy the new demands, financial institution IT groups face the following information security challenges:

■ Protect the security and confidentiality of customers' nonpublic personal information, the focus of the Gramm-Leach-Bliley Data Privacy regulation.

■ Institute administrative, technical, and physical safeguards against internal and external threats.

■ Protect against viruses, worms, and Distributed Denial-of-Service (DDoS) attacks. "DDoS and hacker attacks are becoming more of a concern for small and medium financial institutions because more customers conduct business using Websites," says Michael Payne, financial services enterprise manager at Cisco.

■ Implement digital security defense-in-depth to address the issues of technology, people and processes. "You need to be able to prevent, protect, prosecute, and ultimately recover successfully from potential external attacks," says Simonsen.

■ Establish continuous, risk-based information security policies with board oversight. This contrasts with the traditional project-based approach to risk management. "The infrastructure must continuously manage and monitor risk, and the technology needs to be proactive rather than reactive," says Reymann.

Self-Defending Networks

While Cisco does not promote regulation of IT security, the company recognizes that regulatory compliance is an urgent business concern for its financial institution customers. The Cisco Self-Defending Network approach gives financial institutions the capabilities they need to meet the security and regulatory challenges they face in guarding against network invasions.

The premise of the Self-Defending Network is that with more threats, more advanced networks, and more regulations, financial institutions can no longer rely on a reactive approach to threat defense. Instead, they need a way to proactively manage regulatory compliance and risk. "New threats are being introduced in such high volumes and such a fast pace that 'reactive mode' is no longer practical," says Reymann. "Financial institutions need to take a proactive stance, and many find they need help from partners—not just vendors, but partners—who are trusted and proven."

Regulatory Compliance

In the late 1990s, regulators had lengthy discussions about the dynamic threat environment. By the time the ink was dry, the threats would be changing. Therefore, we decided to write the rules to address the risks as we know them today, but also to create an environment where financial institutions would need to go through a discovery process to find a compliant solution rather than buying pre-packaged solutions that might quickly become obsolete. Today, the rules keep up with the changing environment because they're written to be supplemented by new guidance from the Federal Financial Institutions Examination Council (FFIEC).

Common threads in most regulations are protecting customers' nonpublic personal information; continuous risk management; and monitoring, auditing, and adjusting.

—Paul Reymann, CEO, ReymannGroup, Inc.


Developing a Self-Defending Network requires attention to technology, processes, and people (see sidebar, "Regulatory Compliance"). Cisco provides the technology infrastructure with an integrated suite of solutions for secure connectivity, threat defense, and trust and identity management (see table, "Self-Defending Network Strategy").

Integrated Security

Unlike point security solutions, the Cisco Self-Defending Network relies on integrated security, applied on multiple layers throughout the network. "In the old paradigm, an intrusion detection system would spot traffic that shouldn't be there, but then a human had to do something about it," says Olslund. "Because Cisco solutions are integrated, components can communicate with each other to take action much faster and more effectively." The result is a more in-depth defense.

"The network has to be designed with integrated security—not security as a point solution or afterthought," says Simonsen. "Defense in depth has to be comprehensive so that if one system is compromised, it doesn't affect the rest of your business."

Case in point: Mountain America Credit Union integrates its internal and external Cisco IDS sensors with CiscoWorks VPN/Security Management Solution (VMS), and Cisco Threat Response technology.

"The Cisco IDS sensors report attempted intrusions to the CiscoWorks VMS management console, which immediately alerts my staff," says Carsey. "Cisco Threat Response, which is integrated with the Cisco VMS console, collates the IDS alerts so that instead of receiving hundreds of messages about an IP address, we'll receive one message saying, 'This person is launching the attacks.'" The proactive angle? Carsey has configured the Cisco IDS to automatically stop any perceived attack with low, medium, or high severity. "We can blackhole the attacker using either the Cisco IDS sensor or the Cisco PIX Firewall," he says. "Later we can check to see if we've been too aggressive, but in the meantime, we've protected our customers and our business."
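The collation and automatic-block logic Carsey describes, as an added example that is not part of the article and not CiscoWorks VMS, Cisco Threat Response or PIX code. It folds every alert from one source address into a single event (count, distinct signatures, targets, highest severity, time span) and then decides block, review or log. The alert lines are a constructed format, not Cisco IDS event syntax, and the addresses, signature names and allowlist are made up. One step beyond the text: an allowlist of partner and management networks is consulted before the block is issued, so the "too aggressive" case is caught up front instead of after the fact, and the block list comes out as one entry per attacker in the form of the PIX shun command.

```python
import ipaddress

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

# Constructed alert feed (not Cisco IDS event syntax):
# timestamp sensor severity signature source destination
ALERTS = """\
2005-04-12T09:14:01 ext-ids high IIS_unicode_traversal 203.0.113.45 192.0.2.10
2005-04-12T09:14:02 ext-ids high IIS_unicode_traversal 203.0.113.45 192.0.2.10
2005-04-12T09:14:02 ext-ids medium Web_cgi_scan 203.0.113.45 192.0.2.10
2005-04-12T09:14:05 ext-ids low TCP_port_sweep 203.0.113.45 192.0.2.11
2005-04-12T09:15:30 ext-ids low TCP_port_sweep 198.51.100.7 192.0.2.10
2005-04-12T09:16:00 int-ids informational SNMP_public_community 10.10.5.20 10.10.1.1
2005-04-12T09:16:10 ext-ids medium Web_cgi_scan 203.0.113.46 192.0.2.10
"""

# Sources that must never be blocked automatically (constructed): a payment
# partner's range and the internal management network.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "10.10.0.0/16")]


def parse_alert(line):
    ts, sensor, severity, signature, src, dst = line.split()
    if severity not in SEVERITY_RANK:
        raise ValueError("unknown severity: " + severity)
    return {"ts": ts, "sensor": sensor, "severity": severity,
            "signature": signature, "src": src, "dst": dst}


def collate(feed):
    """Fold all alerts from one source into a single event, keeping the
    highest severity seen, the distinct signatures and the targets."""
    events = {}
    for line in feed.strip().splitlines():
        a = parse_alert(line)
        ev = events.setdefault(a["src"], {
            "src": a["src"], "count": 0, "signatures": set(), "targets": set(),
            "max_severity": "informational", "first": a["ts"], "last": a["ts"]})
        ev["count"] += 1
        ev["signatures"].add(a["signature"])
        ev["targets"].add(a["dst"])
        if SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[ev["max_severity"]]:
            ev["max_severity"] = a["severity"]
        ev["last"] = a["ts"]
    return events


def decide(event, block_at="low"):
    """'log' below the block threshold, 'review' for allowlisted sources
    (a human decides), 'block' for everyone else at or above the threshold."""
    if SEVERITY_RANK[event["max_severity"]] < SEVERITY_RANK[block_at]:
        return "log"
    src = ipaddress.ip_address(event["src"])
    if any(src in net for net in ALLOWLIST):
        return "review"
    return "block"


def summary_line(event):
    """The one message an analyst sees instead of one message per alert."""
    return ("{src}: {count} alerts, {nsig} signatures, max severity {sev}, "
            "{ntgt} target(s), {first} to {last}, action={action}").format(
        src=event["src"], count=event["count"], nsig=len(event["signatures"]),
        sev=event["max_severity"], ntgt=len(event["targets"]),
        first=event["first"], last=event["last"], action=decide(event))


def block_commands(events):
    """One shun per blocked attacker, in PIX 'shun <src_ip>' form."""
    return ["shun " + src for src, ev in sorted(events.items()) if decide(ev) == "block"]


if __name__ == "__main__":
    evs = collate(ALERTS)
    for ev in evs.values():
        print(summary_line(ev))
    print(block_commands(evs))
```

Because an attacker who can spoof source addresses can turn automatic blocking into a way to cut off a legitimate peer, keep the allowlist and the review path even when blocking at low severity, and let the periodic "were we too aggressive" check feed additions back into it.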

Self-Defending Network Strategy

SECURE CONNECTIVITY
Bank need: Protect data and voice confidentiality
Strategy: Secure the transport
Cisco technologies: Virtual private networks (VPNs) based on IPSec and Secure Sockets Layer (SSL)

THREAT DEFENSE
Bank need: Detect and prevent external attacks
Strategy: Defend the network edge
Cisco technologies: Router-integrated security; firewalls; intrusion detection systems (IDS); intrusion prevention systems (IPS); AutoSecure

Bank need: Protect against internal attacks
Strategy: Protect the interior
Cisco technologies: Cisco Catalyst switch-integrated security; firewalls; IDS; content engines

Bank need: Protect hosts against infection
Strategy: Guard endpoints
Cisco technologies: Cisco Security Agent

TRUST AND IDENTITY MANAGEMENT
Bank need: Control access to network by individuals and devices
Strategy: Verify user and device against access policies
Cisco technologies: Cisco Identity-Based Networking System (IBNS); Cisco Secure Access Control Server (ACS); Cisco Network Access Control (NAC)


Mountain America has additional layers of security, as well, including Cisco Security Agent installed on critical servers. “On the outermost layer, we have IDS sensors on our external network that protect against broad types of attacks,” Carsey explains. “On the innermost layer, Cisco Security Agent guards against specific attacks targeted to Web or SQL servers.”

As another example of the value of integrated security compared to point solutions, suppose an employee takes home a laptop that becomes infected with viruses and spyware, and then brings it back to work. When the employee attempts to connect, Cisco Trust Agent on the laptop communicates with Cisco Network Access Control to direct the laptop to a remediation service and to third parties that will provide current patches and signatures. The result: The financial institution network proactively evades infection through integration of two Cisco solutions and third-party services.
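The admission decision in the laptop scenario above, as an added example (Python written for this page, not Cisco Trust Agent or NAC code): a posture report from the endpoint is checked against a policy, and the device is either admitted to the production VLAN, sent to a remediation VLAN with a list of what must be fixed, or denied outright when no posture report arrives. The posture fields, policy values, VLAN names, sample devices and the reference date are all constructed.

```python
"""Endpoint posture -> admission decision, modelled on the Trust Agent -> NAC ->
remediation flow described in the article. Added example; every field,
threshold and sample device here is constructed for illustration."""
from datetime import date

# Constructed admission policy: what a device must show before it reaches
# the production VLAN. Real posture agents report many more attributes.
POLICY = {
    "min_patch_level": 4,            # constructed cumulative patch index
    "max_signature_age_days": 7,     # antivirus definitions must be this fresh
    "required_agents": {"antivirus", "host-ips"},
    "quarantine_vlan": "VLAN-REMEDIATE",   # constructed VLAN names
    "production_vlan": "VLAN-USERS",
}

# Reference "today" so the example is deterministic (constructed).
TODAY = date(2005, 4, 1)

# Constructed posture reports: a healthy desktop and the laptop that came
# back from home with stale signatures, missing patches and no host IPS.
SAMPLE_POSTURES = {
    "desk-pc-12": {"patch_level": 5, "signature_date": date(2005, 3, 30),
                   "agents": ["antivirus", "host-ips"]},
    "laptop-home": {"patch_level": 3, "signature_date": date(2005, 3, 10),
                    "agents": ["antivirus"]},
    "unknown-box": None,   # no Trust Agent, so no posture report at all
}


def evaluate_posture(posture, policy=POLICY, today=TODAY):
    """Return (decision, vlan, findings).

    decision: "allow" (healthy), "quarantine" (fixable, sent to remediation)
    or "deny" (no posture report, e.g. no agent installed). Findings list
    what remediation must address, so the user can be told why.
    """
    if posture is None:
        return "deny", None, ["no posture report from the endpoint"]
    findings = []
    level = posture.get("patch_level", 0)
    if level < policy["min_patch_level"]:
        findings.append(f"patch level {level} below required {policy['min_patch_level']}")
    sig_date = posture.get("signature_date")
    if sig_date is None:
        findings.append("no antivirus signature date reported")
    else:
        age = (today - sig_date).days
        if age > policy["max_signature_age_days"]:
            findings.append(
                f"antivirus signatures {age} days old (max {policy['max_signature_age_days']})"
            )
    missing = policy["required_agents"] - set(posture.get("agents", ()))
    for agent in sorted(missing):
        findings.append(f"required agent not running: {agent}")
    if findings:
        return "quarantine", policy["quarantine_vlan"], findings
    return "allow", policy["production_vlan"], []


def admission_report(postures=SAMPLE_POSTURES):
    """Evaluate every device; returns {name: (decision, vlan, findings)}."""
    return {name: evaluate_posture(p) for name, p in postures.items()}


if __name__ == "__main__":
    for name, (decision, vlan, findings) in admission_report().items():
        print(f"{name}: {decision} -> {vlan}")
        for f in findings:
            print("   -", f)
```

Devices with no posture report are denied rather than quarantined: quarantine assumes the endpoint can be steered to remediation, which needs an agent to talk to.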

Finding the Overlap in Regulations

Small and midsized financial institutions, in particular, need to handle network security cost effectively, and one way to do that is to invest in solutions that satisfy multiple regulatory requirements (see sidebar, “Regulatory Compliance”). “Most regulations were not written with the others in mind,” says Olslund. “And with so many mandates, smaller banks and credit unions are struggling to identify areas of overlap.”

Cisco helps banks and credit unions identify and address risk management elements common to multiple regulations. “Cisco helps smoothly navigate the journey to regulatory compliance,” says Jim Bright, Cisco US industry marketing manager for financial services. “For example, if a financial institution is subject to a regulation regarding safeguarding voice calls or e-mail transactions, we might suggest encrypting traffic over a VPN as one way to address the requirement.”

Making It Manageable

The Cisco Self-Defending Network helps financial institutions manage risks to information and voice traffic in an easier and more manageable environment, according to Bright. “It also helps them provide proof of compliance to regulatory bodies,” he says. “Proving that they’re taking the appropriate steps in proactive fashion puts financial institutions ahead of the game.”

The Self-Defending Network suits the cost-consciousness of small and medium banks and credit unions because it automates manual security processes, avoiding the need to add staff. “Without the Self-Defending Network, I’d need at least one full-time person just to manage our firewall logs and sensor alerts,” says Carsey. “We’ve eliminated that need by tying the threat response into the Cisco VMS console. If the Cisco IDS sensor sees an attack on a particular host, it checks the host’s operating system version and security patches. If the host is not vulnerable, I’ve specified that the system should not alert me, so I have one less thing to look at.”
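The two behaviours Carsey describes, collapsing hundreds of alerts into one record per attacking source and dropping alerts against hosts that are not vulnerable to the reported signature, as an added example (Python written for this page, not Cisco Threat Response or VMS code). Alerts arrive in a constructed "source destination signature severity" form; a constructed host inventory records which signatures each host is known not to be exposed to; sources whose worst surviving alert is low, medium or high severity are queued for blocking, matching the threshold in the article. Signature names, the inventory and the IP addresses (RFC 5737 documentation ranges) are all constructed.

```python
"""Vulnerability-aware IDS alert collation. Added example; the alert format,
signature names, host inventory and addresses are constructed."""
from dataclasses import dataclass

# Constructed sample alerts: "source destination signature severity".
SAMPLE_ALERTS = """\
198.51.100.7 10.0.1.20 IIS-UNICODE-TRAVERSAL high
198.51.100.7 10.0.1.20 IIS-UNICODE-TRAVERSAL high
198.51.100.7 10.0.1.21 IIS-UNICODE-TRAVERSAL high
198.51.100.7 10.0.1.22 SQL-SLAMMER-PROBE medium
203.0.113.9 10.0.1.30 ICMP-LARGE-PACKET informational
192.0.2.44 10.0.1.20 SSH-VERSION-SCAN low
"""

# Constructed host inventory: platform plus the signatures the host is known
# NOT to be exposed to (different platform, or already patched).
HOST_INVENTORY = {
    "10.0.1.20": {"os": "Windows 2000 / IIS", "not_vulnerable_to": {"SQL-SLAMMER-PROBE"}},
    "10.0.1.21": {"os": "Linux / Apache", "not_vulnerable_to": {"IIS-UNICODE-TRAVERSAL"}},
    "10.0.1.22": {"os": "Windows 2000 / SQL, patched", "not_vulnerable_to": {"SQL-SLAMMER-PROBE"}},
    "10.0.1.30": {"os": "Linux", "not_vulnerable_to": set()},
}

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}
BLOCK_THRESHOLD = "low"   # block on low, medium or high, as in the article


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    signature: str
    severity: str


def parse_alerts(text):
    """Parse the constructed whitespace-separated alert lines."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, signature, severity = line.split()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {severity!r} in {line!r}")
        alerts.append(Alert(src, dst, signature, severity))
    return alerts


def host_is_vulnerable(alert, inventory):
    """Hosts missing from the inventory count as vulnerable, so an inventory
    gap never silently hides an attack (fail closed)."""
    host = inventory.get(alert.dst)
    if host is None:
        return True
    return alert.signature not in host["not_vulnerable_to"]


def partition_by_vulnerability(alerts, inventory):
    """Split alerts into those worth acting on and those suppressed."""
    relevant, suppressed = [], []
    for alert in alerts:
        (relevant if host_is_vulnerable(alert, inventory) else suppressed).append(alert)
    return relevant, suppressed


def correlate(alerts, inventory):
    """Collapse alert noise into one record per attacking source.
    Returns {src: {"count", "targets", "max_severity", "block"}}."""
    relevant, _ = partition_by_vulnerability(alerts, inventory)
    summary = {}
    for alert in relevant:
        rec = summary.setdefault(
            alert.src, {"count": 0, "targets": set(), "max_severity": "informational"}
        )
        rec["count"] += 1
        rec["targets"].add(alert.dst)
        if SEVERITY_RANK[alert.severity] > SEVERITY_RANK[rec["max_severity"]]:
            rec["max_severity"] = alert.severity
    for rec in summary.values():
        rec["block"] = SEVERITY_RANK[rec["max_severity"]] >= SEVERITY_RANK[BLOCK_THRESHOLD]
    return summary


def sources_to_block(summary):
    """Sources meeting the block threshold; a deployment would hand these to
    the sensor or firewall and review them afterwards, as the article notes."""
    return sorted(src for src, rec in summary.items() if rec["block"])


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    _, dropped = partition_by_vulnerability(alerts, HOST_INVENTORY)
    summary = correlate(alerts, HOST_INVENTORY)
    print(f"{len(alerts)} alerts, {len(dropped)} suppressed, {len(summary)} sources")
    for src, rec in summary.items():
        action = "BLOCK" if rec["block"] else "alert only"
        print(src, rec["count"], sorted(rec["targets"]), rec["max_severity"], action)
    print("block list:", sources_to_block(summary))
```

The suppression step is the one that removes the most noise on this sample: two of the four alerts from the first source hit a Linux host and a patched host and never reach the console, while the informational ICMP alert survives but stays below the block threshold.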

A Competitive Advantage

Not only does a Self-Defending Network safeguard customer trust and help meet regulatory requirements, it can help create a competitive advantage. One way is by ensuring service continuity. “If the ATMs for the bank down the street are down because of a security breach and yours are up and running, you stand to gain new customers,” says Olslund.

A secure network also enables financial institutions to offer new, competitive services. For example, with a secure wireless network, financial institutions can improve their customer service with “wireless concierge” service. Equipped with a tablet PC and wireless printer, a teller can provide noncash teller services to customers in line, making service faster.

A Self-Defending Network can cut operational costs, as well, by providing secure network access to teleworkers. Mountain America Credit Union reduced contact center costs by enabling agents to work from home, using the Cisco Secure Access Control Server for access control.

Aligning with a Partner

Simonsen emphasizes the role of technical support in the Self-Defending Network. “In a 24 x 7 business like banking, it’s critical that the business partner you align with offers support whenever you need it. Cisco SMARTnet and Cisco SASU [Software Application Support plus Upgrades] ensure that we have up-to-date files and responsive support around the clock. Cisco matches our level of urgency in getting security right before something goes wrong. That kind of commitment to the customer’s success is what differentiates a business partner from a vendor.”


FURTHER READING

■ Self-Defending Networks for Financial Institutions
cisco.com/go/sdn_for_finance


TECHNICALLY SPEAKING

Cluster and Grid Computing – Low Cost, High Power

With the recent appearance of new cluster and grid products and services, cluster and grid technologies are receiving considerable press attention. What’s behind all the hype?

Think about the fastest computers in the world. These high-performance “supercomputers” model hurricanes, simulate nuclear explosions, and analyze the human genome. Companies such as Cray Research and Silicon Graphics dominated this market for years. Their custom “Big Iron” machines cost millions and were the only options for solving complex computing tasks.

In the past five years, significant changes have occurred. Clusters are replacing “Big Iron” machines. Clusters can be built from standard PC server and networking hardware with price tags a hundred times cheaper than custom supercomputers. Clusters make up half the systems on the “Top 500 list” (top500.org), which ranks the 500 fastest computers in the world. Users of high-performance computing are changing as well. Corporations now harness the same computing power that only academic and research organizations had access to previously. More than half of the current “Top 500” machines are in commercial industry.

Consider how this applies to the smaller cousins of supercomputers, the proprietary SMP enterprise systems such as those sold by HP or Sun. These systems also can be replaced by clusters. Recently, Microsoft and Apple announced enhancements to their operating systems that allow them to form clusters. Large databases such as Oracle and DB2 now support clusters as well.

Plugging in the “Grid”

A less mature technology than clusters, “grid computing” usually implies a looser collection of computers than a traditional cluster. Grids typically span administrative domains to include different departments, buildings, or even different cities and regions of the world. The SETI@home project (setiathome.ssl.berkeley.edu) is an extreme example of this concept. Hundreds of computers owned by individuals worldwide are being used together to analyze radio telescope data.

The term grid also is often used to describe the concept of an on-demand utility computing model where computing resources can be purchased and allocated to an application as needed. The term draws parallels to normal utility grids like power or natural gas. Utility computing grids can be rented through “computing service providers.”

Cluster Applications

In a cluster application, a single problem or query is broken down into multiple smaller pieces. Each piece is distributed to processing nodes in the cluster using a scheduling mechanism and job control. Many different cluster infrastructure tools exist to help accomplish this task.
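The split, schedule and gather mechanism described above, as an added example (Python written for this page, not code from the article or from any particular cluster toolkit): one problem is cut into contiguous chunks, the chunks are dispatched to worker nodes through a shared queue, and a job controller collects the partial results and re-queues any chunk whose first attempt failed. Threads stand in for cluster nodes so the example runs on a single machine; the node names, the compute kernel (a sum of squares) and the failure injection are constructed.

```python
"""Scatter/gather job control for a cluster application. Added example;
node names, the compute kernel and the failure injection are constructed."""
import queue
import threading


def split_problem(data, n_chunks):
    """Split a list into at most n_chunks contiguous pieces, each tagged with its index."""
    size = max(1, -(-len(data) // n_chunks))   # ceiling division
    pieces = [data[i * size:(i + 1) * size] for i in range(n_chunks)]
    return [(i, p) for i, p in enumerate(pieces) if p]


def process_chunk(chunk):
    """Per-node compute kernel; a sum of squares stands in for real work."""
    return sum(x * x for x in chunk)


def run_cluster(data, nodes, n_chunks, flaky_chunks=frozenset(), max_retries=3):
    """Dispatch chunks to worker nodes through a queue and gather the results.

    Chunks listed in flaky_chunks fail on their first attempt (constructed
    failure injection) so that the controller's retry path is exercised.
    Returns the combined result, chunk count, retry count and which node
    completed each chunk.
    """
    chunks = split_problem(data, n_chunks)
    tasks, results = queue.Queue(), queue.Queue()
    for idx, chunk in chunks:
        tasks.put((idx, chunk, 0))          # (index, payload, attempt number)

    def worker(node):
        while True:
            item = tasks.get()
            if item is None:                # shutdown sentinel from the controller
                break
            idx, chunk, attempt = item
            if attempt == 0 and idx in flaky_chunks:
                results.put(("fail", idx, chunk, attempt))
                continue
            results.put(("ok", idx, process_chunk(chunk), node))

    threads = [threading.Thread(target=worker, args=(n,), daemon=True) for n in nodes]
    for t in threads:
        t.start()

    partial, completed_by, retries = {}, {}, 0
    while len(partial) < len(chunks):      # job control: wait for every piece
        msg = results.get()
        if msg[0] == "ok":
            _, idx, value, node = msg
            partial[idx] = value
            completed_by[idx] = node
        else:
            _, idx, chunk, attempt = msg
            if attempt + 1 > max_retries:
                raise RuntimeError(f"chunk {idx} failed {attempt + 1} times")
            retries += 1
            tasks.put((idx, chunk, attempt + 1))   # re-queue for any free node

    for _ in nodes:
        tasks.put(None)
    for t in threads:
        t.join()

    return {
        "result": sum(partial.values()),
        "chunks": len(chunks),
        "retries": retries,
        "completed_by": completed_by,
    }


if __name__ == "__main__":
    out = run_cluster(list(range(1, 101)), ["node-a", "node-b", "node-c"], 8, flaky_chunks={3})
    print(out["result"], out["chunks"], out["retries"])
```

The controller counts completed chunks rather than dispatched ones, which is what lets a lost job be re-queued without the gather step finishing early.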

Cluster applications vary widely, including weather simulation, fluid dynamics, biotech and genetic research, defense and energy research, aerospace and automotive design, graphics and video rendering, and financial analysis.

Three characteristics that can influence cluster application performance are message latency, throughput, and CPU utilization. A graphics rendering application may not care about message latencies. A database query may not be CPU bound. Choosing the appropriate cluster interconnect to support a given application is a common dilemma.

The hidden internal hardware connecting processors inside supercomputers and SMP systems is replaced with standard interconnect switch fabrics on clusters. The ubiquity of Ethernet, and the fact that most modern PC server systems come with a built-in Gigabit Ethernet network interface card (NIC), have made Ethernet the “interconnect of choice” for most cluster implementations. In the future, 10 Gigabit Ethernet will likely be used.

In addition to Ethernet, other cluster interconnect technologies exist for applications requiring higher throughput or lower end-to-end message latencies. InfiniBand, Myrinet, and Quadrics are common examples.

As a lower latency alternative to standard Ethernet, several vendors are developing RDMA-enabled NICs, also known as RNICs, which decrease Ethernet application latencies by bypassing operating system protocol overhead.

Cisco’s Role

Cisco has many products to provide the interconnect infrastructure for both cluster and grid computing. Cisco has designed and built multi-thousand-node clusters for customers using Catalyst 6500 Series switches. Several Catalyst 6500 switches can be combined to create a nonblocking Layer 3 fabric, supporting up to 3600 nodes.

Cisco’s storage switches can be used to build storage subsystems supporting clusters. Cisco’s metro and WAN products facilitate grid implementations. Cisco security products can be used to protect grids and isolate users in the grid utility computing model. Also, Cisco partners with blade server manufacturers to build switches into the backplanes of these devices.

By Joel Krauska and Drew Pletcher


JOEL KRAUSKA AND DREW PLETCHER are technical marketing engineers in Cisco’s Internet Systems Business Unit, and are responsible for high-performance computing cluster testing and analysis. Both are experts in data center switching and routing. They can be reached at [email protected] and [email protected].


NEW PRODUCT DISPATCHES


Edge Routing, Access, and Aggregation

Cisco 1800 Series Integrated Services Routers: Fixed-Configuration Models

Designed for small offices, the new fixed-configuration Cisco 1800 Series Integrated Services Routers embed data, security, and wireless technology into a single system with wire-speed performance. Among the capabilities of the Cisco 1801, 1802, 1803, 1811, and 1812 fixed-configuration routers are secure broadband access; integrated ISDN basic rate interface (BRI), analog modem, or Ethernet backup ports for redundant WAN links and load balancing; secure wireless LAN (WLAN) for IEEE 802.11a and 802.11b/g operation with use of multiple antennas; advanced security including stateful inspection firewall, IP Security (IPSec) virtual private networks (VPNs), intrusion prevention, antivirus support; and 8-port 10/100 managed switch with virtual LAN (VLAN) and optional Power over Ethernet (PoE). For more on the new Cisco 1800 Series models, see page 73.
cisco.com/go/isr

Cisco 870 Series Integrated Services Routers

The new Cisco 870 Series Integrated Services Routers make it possible for small offices to run secure, concurrent services—including firewall, VPNs, and WLANs—at broadband speeds. The fixed-configuration Cisco 870 Series provides advanced security including stateful inspection firewall; IPSec VPNs; intrusion prevention and antivirus support; 4-port 10/100 managed switch with VLAN support; and secure WLAN 802.11b/g option with use of multiple antennas. Easy to deploy and manage centrally via Web-based configuration tools and Cisco IOS Software, these routers are ideal for deployment in small offices or teleworker sites as part of an enterprise network, and small to midsized businesses for secure WAN and WLAN connectivity. For more on the Cisco 870 Series, see page 73.
cisco.com/go/isr

SPOTLIGHT ON: Cisco Catalyst 4948-10GE Switch

A challenge in any data center is how to serve more application traffic without becoming overburdened by additional equipment. The new Cisco Catalyst 4948-10GE Switch overcomes this challenge for enterprises that need a device for single-rack-unit, multilayer aggregation of high-performance servers and workstations.

Based on the proven Cisco Catalyst 4500 Series hardware and software architecture, the Cisco Catalyst 4948-10GE offers exceptional Layer 2/3/4 switching performance, bandwidth, and reliability. This fixed-configuration switch delivers wire-speed throughput with low latency for data-intensive applications using a 126-Gbit/s switching fabric with a 102 million packets per second (pps) forwarding rate in hardware. It includes 48 ports of wire-speed 10/100/1000BASE-T Ethernet with two ports of wire-speed 10 Gigabit Ethernet (using X2 optics) for rack-optimized server switching applications.

Optional internal AC or DC 1 + 1 hot-swappable power supplies and a hot-swappable fan tray with redundant fans deliver the high reliability and serviceability required for server switching.

Among the new software features supported on the Cisco Catalyst 4948-10GE Switch are per port per virtual LAN (VLAN) quality of service (QoS) for differentiated QoS to individual VLANs on a trunk or access port; trunk port security; IEEE 802.1X private VLAN assignment and 802.1X private guest VLAN; and 802.1X RADIUS-supplied session timeout, which enables the switch to determine the duration of a session and the action to take when the session’s timer expires.
cisco.com/packet/172_npd1


Cisco 850 Series Integrated Services Routers

Designed for small businesses and small remote sites with up to 10 users, the new fixed-configuration Cisco 850 Series Integrated Services Routers provide secure connectivity with stateful inspection firewall and IPSec VPN; 4-port 10/100 switch; secure WLAN 802.11b/g option with a single fixed antenna; and easy setup, deployment, and remote management capabilities through Web-based tools and Cisco IOS Software. For more on the Cisco 850 Series, see page 73.
cisco.com/go/isr

Security and VPNs

Cisco Security Auditor

Cisco Security Auditor software helps customers cost effectively audit their network infrastructure to assess compliance with corporate security policies and industry best practices. Deployed in a network operations center, the automated auditing and reporting capabilities of this software reduce audit time and eliminate costly manual auditing operations for large-scale networks. Cisco Security Auditor coverage includes Cisco PIX firewalls, virtual private network (VPN) devices, routers, switches, services modules, and the new Cisco ASA 5500 Series Adaptive Security Appliances (see below). For more on Cisco Security Auditor and other new security products from Cisco, see page 26.
cisco.com/packet/172_npd2

Cisco Security Monitoring, Analysis, and Response System

The Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) appliances provide a solution for security threat management, monitoring, and mitigation. Product features include network intelligence, context correlation, vector analysis, anomaly detection, hotspot identification, and automated attack mitigation. These features help administrators identify, manage, and eliminate network attacks as well as maintain compliance with security policies. With five Cisco Security MARS models to choose from, they can process up to 10,000 events or 300,000 flows per second and are designed for use in a network operations center. For more on Cisco Security MARS and other new security products from Cisco, see page 26.
cisco.com/packet/172_npd3

Cisco PIX Security Appliance Software Version 7.0

The Cisco PIX Security Appliance Version 7.0 software delivers an extensive list of new features. Key enhancements include capabilities for inspection and control of a broad range of HTTP, voice, and IP-based applications. In addition, a highly flexible security policy framework enables administrators to implement fine-grain control over individual user-to-application flows. For more on Cisco PIX Version 7.0 software and other new security products from Cisco, see page 26.
cisco.com/go/pix

Cisco Intrusion Prevention System Software Version 5.0

Cisco Intrusion Prevention System (IPS) Version 5.0 software enhances inline protection against threats such as spyware, adware, worms, viruses, and anomalous activity through detailed inspection of Layer 2 through 7 traffic. It also supports better targeting of attack-prevention actions, and offers more flexible IPS deployment and collaboration options for improved security control. IPS Version 5.0 is supported by Cisco IPS 4200 Series appliances, and the Cisco Catalyst 6500 Series Switch and 7600 Series Router Intrusion Detection System Module (IDSM-2) through a software upgrade. For more on new IPS enhancements and security products from Cisco, see page 26.
cisco.com/go/ips

Cisco VPN 3000 Series Concentrator Version 4.7

The Cisco VPN 3000 Series Concentrator Version 4.7 software provides a new Secure Sockets Layer (SSL) VPN client, support for Citrix-based applications, and integrated support for Network Admission Control (NAC) to enforce security on devices using the Cisco IPSec client. The Cisco Secure Desktop features improve endpoint security by creating a virtual desktop that protects and eliminates sensitive session information. For more on the Cisco VPN 3000 Series Concentrator and other new security products from Cisco, see page 26.
cisco.com/go/vpn3000

Cisco Security Agent Version 4.5

Key enhancements in Cisco Security Agent Version 4.5 software include protection for server and desktop computing systems, or “endpoints.” Rather than relying on signature matching, Cisco Security Agent identifies and prevents malicious behavior before it can occur, including preventive protection against entire classes of attacks, such as port scans, buffer overflows, Trojan Horses, malformed packets, and e-mail worms. It includes support for 100,000 agents per management server, NAC, application inventory and use tracking, and automated checking for current virus definition files. User-based and location-based security policies can be applied based on the physical or logical location of a user’s computer. Cisco Security Agent Version 4.5 is covered in greater detail on page 47.
cisco.com/go/csa

Cisco ASA 5500 Series Adaptive Security Appliances

The new Cisco ASA 5500 Series Adaptive Security Appliances combine best-of-breed security and VPN services with an innovative Adaptive Identification and Mitigation (AIM) services architecture. Designed for small and midsized businesses and enterprise networks, the multifunction Cisco ASA 5500 Series provides proactive threat defense that stops attacks before they spread through the network, controls network activity and application traffic, and delivers flexible VPN connectivity. Security capabilities include firewall, intrusion prevention, network antivirus support, and IPSec/SSL VPN. The AIM services architecture allows businesses to adapt and extend the security services profile of the Cisco ASA 5500 Series through highly customizable, flow-specific security policies that tailor security needs to application requirements while providing performance and security service extensibility via user-installable security services modules. For more on the Cisco ASA 5500 Series and other new security products from Cisco, see page 26.
cisco.com/go/asa


Cisco IOS Firewall: Application Inspection and Control

The Cisco IOS Firewall has been enhanced with advanced application inspection and control capabilities that are delivered through HTTP and e-mail inspection engines. The HTTP Inspection Engine enforces protocol conformance and prevents network access by malicious or unauthorized behavior such as port 80 tunneling, malformed packets, Trojan Horses, and instant messaging traffic that is probing for vulnerabilities. The E-mail Inspection Engine detects misuse of e-mail connectivity and prevents protocol masquerading activity. For more on this and other new security products from Cisco, see page 26.
cisco.com/packet/172_npd5

Cisco IOS Software: IPSec Virtual Tunnel Interfaces

Cisco IPSec virtual tunnel interfaces (VTIs) configure IPSec VPNs between site-to-site devices. These tunnels provide a designated pathway across the shared WAN and encapsulate traffic with new packet headers, which helps to ensure traffic privacy and delivery to specific destinations. The IPSec VTIs were introduced in Cisco IOS Software Release 12.3(14)T. New Cisco security products and enhancements are covered in greater detail on page 26.
cisco.com/packet/172_npd6

Cisco IOS Software: Enhanced Inline IPS Functionality

Enhanced inline IPS capabilities introduced in Cisco IOS Software Release 12.3(14)T increase protection against new classes of threats such as spyware, network antivirus, and malware associated with Instant Messaging (IM) applications, significantly improving the ability to prevent and mitigate damage from worm and virus attacks. The new IPS functionality also allows users to create custom signatures to address newly discovered threats for broader protection. New Cisco security products and enhancements are covered in greater detail on page 26.
cisco.com/packet/172_npd7

Cisco VPN Acceleration Module 2+

The Cisco VPN Acceleration Module 2+ (VAM2+) for Cisco 7200 Series and Cisco 7301 routers provides high-performance encryption, compression, and key-generation services for IP Security (IPSec) VPN applications. Designed for enterprise and service provider network environments, the VAM2+ supports all Cisco VAM2 features, but adds hardware acceleration for 192-bit and 256-bit Advanced Encryption Standard (AES) keys.
cisco.com/packet/172_npd8

Wireless

Cisco 1000 Series Lightweight Access Point

The Cisco 1000 Series Lightweight Access Point is designed for enterprise deployments that require coverage flexibility. These devices handle important IEEE 802.11 a/b/g radio functions within a Cisco wireless LAN, including radio transmit and receive, client probe requests, and air monitoring. The Cisco 1000 Series Lightweight Access Point also handles time-sensitive functions, such as Layer 2 encryption, that enable Cisco wireless LANs to securely support voice, video, and data applications. A unique model, the Cisco 1030 Remote-Edge Access Point communicates with Cisco Wireless LAN Controllers (see below) via most standard WAN technologies. The Cisco 1000 Series Lightweight Access Point is a result of the recently acquired Airespace product portfolio.
cisco.com/go/securewireless

Cisco Wireless LAN Controllers

Cisco Wireless LAN Controllers perform system-wide wireless LAN functions such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. The controllers work with Cisco Wireless Control System software and Cisco 1000 Series lightweight access points. For small and midsized enterprise facilities, such as branch offices, the Cisco 2000 Series Wireless LAN Controller supports up to six lightweight access points and coverage up to 60,000 square feet. In larger enterprise environments, three models of the Cisco 4100 Series Wireless LAN Controller (the 4112, 4124, and 4136) support 12, 24, or 36 lightweight access points and dual Gigabit Ethernet uplinks for connection to the wired LAN. The Cisco Wireless LAN Controllers are a result of the recently acquired Airespace product portfolio.
cisco.com/go/securewireless

ABOUT NEW PRODUCT DISPATCHES

Keeping up with Cisco’s myriad new products can be a challenge. To help readers stay informed, Packet magazine’s “New Product Dispatches” provide snapshots of the latest products released by Cisco between January and April 2005. For real-time announcements of the most recently released products, see “News Archive, News Releases by Date” at newsroom.cisco.com/dlls.

ABOUT SOFTWARE: For the latest updates, versions, and releases of all Cisco software products—from IOS to management to wireless—registered Cisco.com users can visit the Software Center at cisco.com/kobayashi/sw-center/.


Cisco Wireless Control System

Cisco Wireless Control System (WCS) software enables managers to centrally design, control, and monitor Cisco wireless networks that encompass hundreds of Cisco Wireless LAN Controllers and thousands of Cisco 1000 Series lightweight access points. The graphical software includes functions for RF prediction, policy provisioning, network optimization, troubleshooting, user tracking, security monitoring, trending and analysis reports, and wireless LAN systems management. The Cisco WCS is a result of the recently acquired Airespace product portfolio.
cisco.com/go/securewireless

Cisco 3800, 2800, and 1800 Series Integrated Services Routers: New Wireless LAN Interface Cards

New wireless LAN interface cards in the high-speed WAN interface card (HWIC) form factor provide integrated, secure IEEE 802.11 access point functionality for the Cisco 3800, 2800, and 1800 (modular models) Series integrated services routers. Designed for enterprise branch offices and small and midsized businesses, the Cisco HWIC-AP 802.11b/g and HWIC-AP 802.11a/b/g interface cards deliver single-band 802.11b/g or dual-band 802.11a/b/g radios; support for various external dipole or dual-mode antennas; and extensive wireless LAN security. These new capabilities for Cisco integrated services routers are covered in greater detail on page 73.
cisco.com/go/isr

Storage Networking

Cisco MDS 9000 Series Storage Services Module

The Cisco MDS 9000 Series Storage Services Module (SSM) is an open, standards-based module designed specifically to support intelligent fabric applications from multiple Cisco partners including EMC, IBM, and Veritas. The SSM can be used with any Cisco MDS 9500 Series Director or Cisco MDS 9200 Series Fabric Switch and provides 32 Fibre Channel ports. Embedded ASICs in the module deliver performance improvements for third-party intelligent fabric applications that are based on open standards such as Fabric Application Interface. For an article on securing storage area networks (SANs) using the Cisco MDS 9000 Series switches, see page 42.
cisco.com/packet/172_npd9

Networked Home

Linksys Wireless-G Media Link

The Linksys Wireless-G Media Link supports Digital Transmission Content Protection over IP (DTCP-IP), an industry standard that will help consumers enjoy premium and high-definition video and music services on televisions and stereos around the home. The Wireless-G Media Link connects to TVs and stereos, then to a home network by Wireless-G (802.11g) networking or standard 10/100 Ethernet cabling. The media link can also connect directly to a PC for transferring content to the entertainment center.
cisco.com/packet/172_npd10

Linksys Wireless A/G Game Adapter

The Linksys Wireless A/G Game Adapter gives wireless connection capabilities to any wired, Ethernet-equipped game console. This connection supports lag-free, head-to-head, or Internet gaming at up to 54 Mbit/s over a Wireless-A, -B, or -G home network.
cisco.com/packet/172_npd11

Linksys Wireless-G Router with SRX and Wireless-G PC Card with SRX

The Linksys Wireless-G Router with Speed and Range eXpansion (SRX) and Wireless-G PC Card with SRX deliver faster throughput, fewer dead spots, and increased range over standard Wireless-G networks. SRX is based on Multiple In, Multiple Out (MIMO) technology, a key component in the upcoming Wireless-N (802.11n) standard, which uses smart radio and antenna technology on the wireless router or client adapter.
cisco.com/packet/172_npd12

Linksys Compact Wireless-G Router

The Linksys Compact Wireless-G Router provides an integrated device for home networking. The product includes a wireless access point using Wireless-G (802.11g) or Wireless-B (802.11b); a 4-port 10/100 switch to connect wired Ethernet devices; and a router for Internet access over a high-speed cable or DSL Internet connection. The router’s compact size and built-in antenna make it suitable for placement almost anywhere in the home.
cisco.com/packet/172_npd13

Linksys Power over Ethernet Adapter Kit

The Linksys Power over Ethernet (PoE) Adapter Kit supplies 12-volt AC power directly to wall-mounted or ceiling-mounted devices, including wireless access points, routers, and bridges. The kit includes an injector and splitter, which enable the electrical power and data to travel on one Category 5 cable.
cisco.com/packet/172_npd14

Cisco IOS Software

Cisco IP/MPLS Interprovider Solution

The Cisco IP/MPLS Interprovider solution enables the implementation of Multiprotocol Label Switching (MPLS) services across service provider boundaries—allowing service providers to partner with other providers to extend the coverage of their existing services and introduce new offerings that go beyond their network. The Cisco IP/MPLS Interprovider solution includes five technologies: Inter-Autonomous System (AS) multicast VPN, Inter-AS Traffic Engineering, Interprovider MPLS VPN over IP, MPLS VPN Inter-AS and Carrier Supporting Carrier (CSC) load balancing, and interprovider network management. To manage these new interprovider technologies, Cisco has made enhancements to Cisco IP Solution Center, Cisco Info Center, CiscoWorks LAN Management Solution, and Cisco IOS NetFlow with Reporting and IP service-level agreement (SLA) capability. The Cisco IP/MPLS Interprovider solution is covered in greater detail on page 69.
cisco.com/packet/172_npd15


NETPRO EXPERT


Configuring and Troubleshooting Dial-Related Issues

The Cisco Networking Professionals Connection is an online gathering place to share questions, suggestions, and information about networking solutions, products, and technologies with Cisco experts and networking colleagues. Following are excerpts from a recent “Ask the Expert” forum, “Configuring and Troubleshooting All Dial-Related Issues,” moderated by Cisco’s Tejal Patel. To view the full discussion, visit cisco.com/packet/172_10a1. To participate in other live online discussions, visit cisco.com/discuss/networking.

Q: I have a Cisco AS5800 and AS5400 and am getting low call success rate. What is the recommended modemcap that can be used to improve the CSR [connection success rate] on the MICA modems and SPEs [service processing elements]?

A: Here is the link to a document called “Recommended Modemcaps for Internal Digital and Analog Modems on Cisco Access Servers,” which talks about the recommended modemcap for MICA and NextPort-based platforms to improve the CSR: cisco.com/packet/172_10a2.

Q: Can we mix the T1 and E1 cards on AS5800 and AS5850?

A: No, mixing T1 and E1 cards is not supported or recommended on the AS5800 and AS5850.

Q: I have a Cisco 2621 Router with VWIC-1MFT-T1 with PRI line for voice calls. Can I support data calls on the same PRI?

A: The VWIC-1MFT-T1 card does not support ISDN data connections. Here is the link to a document called “Cisco Digital 1-Port and 2-Port T1 Multi-Flex Voice WICs,” which talks about the features of that card: cisco.com/packet/172_10a3. When the card is set up to use ISDN PRI signaling, ISDN data connections are not supported. The card is unable to terminate the ISDN 64K or 56K data connection. It only supports voice call termination when using ISDN PRI signaling. Also, the Multi-Flex Trunk, with or without the accompanying voice-enabling hardware, is unable to terminate a modem connection on the router in a traditional NAS dial scenario.

Q: I want to connect to the Internet using two GPRS [General Packet Radio Service] connections via two serial interfaces. The service provider will provide me with two different IP addresses on two serial interfaces (no PPP multilink is available). Is there any method to do the load sharing?

A: Multilink is the best option, which also buys you fragmentation. But because no multilink is available, you need to rely on a routing protocol to queue the packets on two equal-cost links for load balancing. You can use Enhanced Interior Gateway Routing Protocol (EIGRP) or Open Shortest Path First (OSPF) on the router. Here are links to the documents called “How Does Load Balancing Work?” (cisco.com/packet/172_10a4) and “Troubleshooting Load Balancing over Parallel Links Using Cisco Express Forwarding” (cisco.com/packet/172_10a5), which discuss the process in detail.

Q: Using a VWIC-2MFT-T1 in a Cisco 2801 Router, can one port be set to “User” and the other port set to “Network”? If all I do is pass calls from port 0 to port 1 on the VWIC, will the calls require any DSP [digital signal processing] resources? Will there be an effect on modem and fax calls going through the Cisco 2801 to the Norstar?

A: If you use a T1 crossover cable between those two ports, you can make calls across with one port as the “Network” side and the other as the “User” side. DSPs are required to interface the telephony side with the IP side. So, if you want to pass those calls to the IP side, you need to have DSPs. Also, it should not affect the operation of fax and modem calls.

Q: I have a configuration on a Cisco 1760 Router that runs an IPSec [IP Security] VPN with another site across the Internet. When the VPN goes down, I route my packets out via a dialer interface that uses DDR [dial-on-demand routing] and an access control list to keep uninteresting traffic from initiating a call or keeping it up. I would like to run IPSec across the dial link. At what point is a packet being sent across a dialer checked for being interesting?

A: You can configure a router to initiate a DDR session triggered by IPSec. Incoming traffic to a router that needs to go over a DDR link and that matches the crypto map definition will be considered “interesting.” In that case, the IPSec tunnel is created, where the destination IP address is the remote IPSec peer. Check out the document called “Setting Up IPSec on a DDR Link” (cisco.com/packet/172_10a6), which discusses interesting and uninteresting traffic over the IPSec tunnel for DDR in detail.
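As an added illustration of the answer above (not part of the forum discussion or of the Cisco document it cites), here is a hypothetical Cisco IOS configuration for IPSec over a DDR backup link, where the dialer-list counts only the VPN traffic as interesting. The peer address 203.0.113.2, the LAN prefixes, the dial string and the key placeholder are constructed values.

```ios
! Added example, not from the forum or from Cisco's document.
! Assumed (constructed) values: IPSec peer 203.0.113.2, local LAN 192.168.1.0/24,
! remote LAN 192.168.2.0/24, ISDN dial string 5551234, pre-shared key kept out of band.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.2
!
crypto ipsec transform-set BACKUP-TS esp-aes esp-sha-hmac
!
! Crypto ACL: only LAN-to-LAN traffic is encrypted by the crypto map.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map BACKUP-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set BACKUP-TS
 match address 101
!
! Interesting traffic for DDR: the ISAKMP negotiation (UDP 500) and ESP to the
! peer, plus the cleartext LAN-to-LAN traffic. Listing both the cleartext and
! the encrypted forms places the call whichever side of encryption the dialer
! checks, while anything else (management polls, broadcasts) cannot keep the
! line up or bring it up.
access-list 110 permit udp any host 203.0.113.2 eq isakmp
access-list 110 permit esp any host 203.0.113.2
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip list 110
!
interface BRI0
 encapsulation ppp
 dialer pool-member 1
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer string 5551234
 dialer-group 1
 dialer idle-timeout 120
 crypto map BACKUP-MAP
!
! Floating static route: used only when the primary Internet route to the
! remote LAN disappears, so the dial link (and its IPSec SA) comes up on failover.
ip route 192.168.2.0 255.255.255.0 Dialer1 250
```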

Do you have a question about configuring or troubleshooting dial-related issues? Ask the NetPro Expert. Send your question to [email protected], with the subject line “Dial-Related Issues.”

TEJAL PATEL, CCIE No. 6619, is an internetworking engineer in the Cisco Technical Assistance Center, San Jose, California. He specializes in cable and voice solutions. He can be reached at [email protected].


Wireless Security, Continued from page 41

24/7 Requirements

The use of wireless LANs has ramped up to the point where a mere occasional check on the state of the airwaves for unusual behavior or performance problems is no longer sufficient.

Rather, all network layers must work in real time to continually protect data both in corporate servers and on end-user devices from the unique susceptibilities of the wireless medium.

Wireless is especially prone to attack because radio is an open medium, shared among anyone transmitting and receiving in the same unlicensed RF spectrum, and because of the self-associating nature of wireless clients and access points. As volumes of 802.11-based traffic grow, ad-hoc associations will only increase, with more potential for mischief. Fortunately, the protection safeguards are available for diffusing wireless service disruptions and hijacks, whether intentional or not.

■ Broad and detailed network visibility. Infrastructure access points alone might not be able to “see” into far corners or stairwells of a building. All Cisco infrastructure access points running Cisco IOS Software act as both access points and intrusion detection sensors. In addition, via the Cisco Compatible Extensions program, laptops and other client devices serve as sensors that report the existence of rogues, allowing intrusion detection to stretch farther for the distributed solution.

■ Multifrequency scanning. In monitoring the air space, companies are basically taking continual inventory of the airwaves. Sensors should scan 802.11a, b, and g networks, regardless of whether a given organization is actually running traffic on each wireless band. Otherwise, the enterprise risks security threats from ad-hoc and rogue access points operating in the other bands.

■ Location tracking. Cisco’s ability to apply location tracking to rogue device detection assists in eradicating the source of a number of types of attacks. In addition to taking appropriate countermeasures to spurn the effects of an attack, advanced tracking locates the actual source of undesirable activity to expedite problem resolution.

FURTHER READING

■ Expansion of Cisco Wireless Networking: cisco.com/packet/172_7c1

■ White Paper “Wireless Intrusion Detection & Prevention with Lightweight Access Points”: cisco.com/packet/172_7c2

■ Cisco Structured Wireless-Aware Network Solution: cisco.com/go/swan


CACHE FILE

Snippets of Wisdom from Out on the Net

RFID Market Growth

The worldwide Radio Frequency Identification (RFID) tag market will grow nearly tenfold from US$300 million in 2004 to US$2.8 billion in 2009, according to an In-Stat report. That would make RFID tags the most prevalent wireless technology since the cell phone. The key drivers of the projected growth will be shipping cartons and other supply chain elements, expected to account for 35.1 percent of the RFID market by 2009, up from 4.9 percent in 2004. The second largest market for RFID in the forecast’s later years will be consumer products, currently one of the most privacy-sensitive verticals.

Wireless Gaining Subscribers Worldwide

The untethered life holds great appeal for Internet users worldwide as the number of subscribers to wireless applications continues to grow. The Yankee Group predicts that wireless users will grow nearly 9 percent from 2002 to exceed 1.75 billion in 2007, and In-Stat/MDR expects the number of worldwide wireless Internet subscribers will have risen from 74 million at the end of 2001 to more than 320 million by the end of 2006. The Asia-Pacific region alone will account for a significant portion of the global usage, reports the Yankee Group.

Net Lingo

Pixel dust—Slang for the thin coat of dirt on your computer screen. (netlingo.com)

Traveler’s First Trip Is Often the Internet

Whether it’s used for research or for purchase, the Internet is an increasingly valuable tool for travelers. According to an April 2003 My AvantGo survey of more than 1,000 individuals, 52 percent purchased more than half of their travel needs online, with 29 percent indicating that they made all their travel arrangements on the Web. As an added bonus, 30 percent plan to increase their online travel purchases over the coming year.

Online Safety: Users Talk the Talk, Don’t Walk the Walk

When it comes to online security, perception is definitely not reality. According to a joint AOL/National Cyber Security Alliance (NCSA) Online Safety Study, users believe themselves to be generally “safe,” but their computers indicate otherwise. The survey found 77 percent of users believe their home computers are either very safe (28 percent) or somewhat safe (49 percent) from online threats. When pollsters asked how safe users feel they are against viruses, the combined percentage dropped to 73 percent. When asked about safety from hackers, the numbers drop further still, to only 60 percent. The majority of participants (67 percent) either hadn’t updated their virus protection in the past week, or had no antivirus protection at all.

THE 5TH WAVE

[Cartoon, ©The 5th Wave, www.the5thwave.com. Caption: “Our security program responds to three things. A false access code, an inappropriate file request, or sometimes a crazy hunch that maybe you’re just another slime-ball with misappropriation of secured data on his mind.”]

CYBER QUOTE

“What goes up must come down. Ask any system administrator.”

—Anonymous
