Catalyst 9000 Simplifies Network-Based Threat Detection Using Inline Security Telemetry – Cisco Blogs


The term Catalyst is synonymous with accelerating change, stimulating actions, and facilitating transformations. The Cisco Catalyst 9000 family of switches and access points support these qualities for enterprise networks around the world, making it the fastest ramping product in Cisco’s history. Based on a powerful and flexible Programmable ASIC with Unified Access Data Plane (UADP) that unites wired and wireless data planes, the enterprise networking platform has delivered continuous innovations since its introduction, including:

  • Purpose-built Zero-Trust Fabric for campus to branch with Cisco SD-Access
  • Docker-based application hosting enabling use cases such as running ThousandEyes Agents on the switch
  • Network-Based Application Recognition Engine (NBAR) for identification and control of 2000+ applications

As enterprise networks expand from centralized data centers and campuses to support a distributed workforce and thousands of edge IoT devices, IT faces unique security challenges. While the workforce can take advantage of zero-trust multi-factor authentication to ensure proper access security, IoT devices cannot. Now Cisco is leveraging the programmability of the UADP ASIC to deliver zero-trust security for the world of IoT devices.

Zero Trust for IoT Using Network Telemetry Analytics

IoT devices should be continuously assessed to check for unusual behavior such as pretending to be trusted endpoints using MAC Spoofing, Probe Spoofing, or Man-in-the-Middle techniques. IoT devices—typically smart building technologies such as lighting, HVAC, and security cameras—need to be segmented from Information Technology assets to prevent threats from moving laterally in the network. The key to segmenting IoT devices is to accurately profile and classify them according to type, communication protocols, and traffic patterns. To implement Zero Trust with least privilege access, both historical and real-time traffic telemetry needs to be available to Trust Analytics to detect sudden changes in device behaviors.

To attempt to accomplish this in the past, overlay solutions required spanning of live traffic from switches to collectors that run analytics on samples of telemetry. These additional components, as depicted in Figure 1, introduce deployment, configuration, and maintenance complexity, thereby increasing the TCO as well as IT overhead.

Figure 1. Typical Overlay Model for Telemetry Generation

The unique way Catalyst 9000 switches and access points solve this problem—in conjunction with Cisco SD-Access—is by generating inline telemetry directly on the switches. This capability, based on the power of the UADP ASIC, eliminates the need to make copies of traffic from every switch to send to multiple services—exporters, brokers, collectors, and analyzers for each kind of traffic—to generate the necessary security telemetry. The capability to stream full telemetry information directly from Catalyst switches provides operational status of the network as well as Deep Packet Inspection of traffic flows so that Cisco DNA Center can detect the true purposes of device-to-device communications. Since DPI telemetry is generated directly by Catalyst switches, the need for expensive extraneous appliances is eliminated, as shown in Figure 2.

Another advantage is that since all Catalyst 9000 switches are generating telemetry simultaneously, there is no single point of failure—such as when a data broker is offline—increasing the reliability of catching abnormal traffic patterns being generated by an attempted infiltration by a threat actor.

Deep Packet Inspection and Telemetry Generation with Catalyst 9000 Switches
Figure 2. Deep Packet Inspection and Telemetry Generation with Catalyst 9000 Switches

Maintaining Zero-Trust Across Campuses

Wired and wireless traffic telemetry in one platform provides an expansive view across the campus for pinpointing security anomalies and threats from devices of all types. Cisco SD-Access plus Catalyst 9000 switches and access points uniquely provide traffic telemetry to Cisco DNA Center to identify device types, categorize devices by security group tags, and monitor every device for behavior anomalies.

For example, with all traffic telemetry streaming from Catalyst 9000 switches and access points, Cisco DNA Center can analyze the traffic being generated by each individual device and identify the type—security cameras, motion sensors, lights—tagging them with access policies for segmentation. Should a camera start talking in laptop language from a man-in-the-middle attack, the trust level of the camera will automatically be downgraded and isolated to prevent the lateral spread of an infection.

The Cisco SD-Access Zero-Trust Journey
The Cisco SD-Access Zero-Trust Journey

Connect, Secure, and Automate with Catalyst 9000 Infrastructure

The software-defined network fabric consisting of Cisco Catalyst switches and access points becomes a vast matrix of sensors supplying data for security analytics that monitor, detect, isolate, and report on threats as they occur. The Catalyst 9000 family of switches provides real-time security telemetry from millions of devices across multiple campus sites, from inner to outer edge of the network for endpoint analytics, policy analytics, and trust analytics to connect, secure, and automate the enterprise.

For more information on benefits and capabilities of Catalyst 9000:

Cisco Catalyst 9000 Wireless and Switching Family

Establish, Enforce, and Continuously Verify Trust with SD-Access in Simple Steps

Trust Analytics and Anti-Spoofing Protection: It’s Already in Your Network

Cisco Catalyst 9000 Brings ThousandEyes to Your Network

 

Check out our Cisco Networking video channel

Subscribe to the Cisco Networking blog

Share:



Source link