What if your network could know what you want to do before you do? How would network value change if you could program it? And would your confidence in security shift if you were able to see though encryption to spot security threats before they inflicted serious damage? At the Cisco Live! annual users’ conference in Las Vegas last week, the networking giant helped 28,000 attendees envision these possibilities with an introduction to The Intuitive Network. The culmination of innovation across the Cisco portfolio, “intent-based networking” represents a new software-based networking paradigm that CEO Chuck Robbins described as the “most significant announcement in a decade.”
According to Robbins, the new platform will inspire new levels of innovation, while helping to solve many of the challenges that enterprises will face in the coming era. “2016 was an inflection point,” he observed, when “the number of new M2M connections added to the network exceeded the number of phones on the network”: we are “moving to a world of massive expansiveness” and “massive distributed intelligence” where machine learning will provide an opportunity to extract greater insight than in the past. However, for this opportunity to be realized, Robbins argued that three issues that need to be addressed – scale must be sorted (Gartner counts 8.4 billion devices connected to the Internet by the end of 2017), complexity must be cut (for every 1 dollar spend on the network, 3 dollars are spent managing it, according to Chris Dedicoat, EVP, Cisco Worldwide Sales), and security must be strengthened to manage expansion of the threat surface associated with the connection of millions of ‘things’.
In this work, Cisco’s CEO believes that “the network has a role to play that is more significant than anything we have seen in the past” – a role that has been empowered by Cisco innovation. Essentially, the Intuitive Network is a “closed loop” data platform that begins with the harvest/monitoring of massive data from networking systems, applies machine learning and contextual analysis to uncover user intent, and that enables programming based on this insight to automate response at scale: intent-based networks constantly evolve as each subsequent action or behaviour generates new data to recharge the next cycle of automation. But how and where has Cisco embedded these new capabilities? According to Ravi Chandra, SVP, Enterprise Network Engineering, to transform its network platform, Cisco has had to “rebuild every layer, one layer at a time, across 14 different product lines” and has engaged in retrofit to ensure that the Digital Network Architecture (DNA) also supports older switching and routing hardware. But a number of the key announcements and technology on display at Cisco Live! can help to explain the principles behind Cisco’s new networking schema.
Feed Intuition (Monitoring)
A monitoring platform designed to provide visibility into the data centre and actionable insight in real time, Cisco’s Tetration Analytics relies on hardware and software-based sensors to monitor telemetry data, helping users to explore traffic flow records. According to Roland Acra, SVP, GM Data Center, Tetration “leverages the network as a sensor of traffic,” captures telemetry data and passes this on to the tetration visualization portal. The solution captures data on application behaviours – ex. how applications communicate with each other – to create a dependency map for any workload. Based on this data and behaviour analysis algorithms, the system can identify application groups, communications patterns and service dependencies, developing a “white list” of what is normal. “Normal” is set as policy for application segmentation at the infrastructure layer and compliance deviation is denied, thereby enforcing security policy. Since the workload carries security policy with it, Acra noted that user organizations “no longer need to rely on the [on-premise] fortress to protect the application, but can securely migrate workloads to the cloud.”
Intent at Scale (Automation)
‘Command and control’ for the network, DNA Center is a centralized management dashboard that allows administrators to see into the network, and which analyzes data to provide the context needed to support an intent-based approach to network design, provisioning, policy and assurance. Centralized management enables IT to program and deploy “intent” across the entire network, including wired, wireless and WAN systems, at the campus and access layers, with the goal of automating, speeding and simplifying policy deployment. To illustrate, Sachin Gupta, VP Product Management, Data Center and Enterprise Switching, outlined a healthcare provider scenario where there might be multiple new devices coming online, different user groups (doctors who need secure access to patient records vs. hospital visitors who may wish to browse the network): “previously, a customer would need trained engineers at each hospital site who would configure CLI using script as CLI to reach into the infrastructure. But this is error prone and can cost a lot of money. When you move to intent-based networking with DNA Centre, the first thing you see is a single command centre for the administrator to go in, design the network and apply policy, provision and get the data for context to provide assurance [and the right level of experience for each user]. Step one is to convert all hospital infrastructure (switches, routers and access points) into one unified system that can now consume intent; with the network up and running, the second step is to say doctors get special access to medical records, medical devices get access to their servers and systems, and guests get access to the Internet to provide a segmented, secure experience for all users of the network.” In the past, he argued, this kind of activity was highly complex and took months to execute, but a simple, policy-based approach obviates the need for manual CLI programming. Powered by ‘intent’, the network no longer requires IP address management, ACL management, VLAN management, and one-time provisioning to implement policy across the access, campus and WAN networks replaces CLI.
The Network is Code (Programming)
A key announcement at Cisco Live!, the new Catalyst 9000 Switching Portfolio was purpose built for intent-based networking, and features innovation at the hardware (ASIC) and software (IOS XE) layers. As Scott Harrell, VSP, Enterprise Networking, explained, in the past, the ASIC (application-specific integrated circuit) in typical switches had a 10-year lifespan with connections hardwired in – design that delivered speed, but not the flexibility needed to tackle new market challenges. In the Catalyst 9000 series, the ASIC is now programmable, and open APIs are available for communicating with the base level switch OS to support optimization of network operation for specific applications, specific environments or users.
Cisco has also updated the switch OS. Susie Wee, VP and CTO of DevNet Innovations, whose first project in the CTO’s office involved work on the APIC-EM, explained that Cisco’s SDN controller originally provided global visibility into the network, as well as a means to automate configuration changes using standard tools (CLI) to manage devices that were not yet programmable. But the new Catalyst 9000 series features a programmable operating system – the IOS -EX – and NETCONF/YANG (a modelling language/standard that Cisco contributed to the IETF) that enables devices to be configured in a one way and speaks a protocol that allows them to be updated, or even to host applications to support edge processing. Since the ASIC is also programmable, she explained: “packets are coming through really fast, and they can be programmed at line rates. With threat analytics, for example, if we figure out new algorithms for new attacks we detect, we can do a software update on the ASIC. As the world of IoT comes on, there will be new protocols designed to handle security and scale – and this can also be managed on the ASIC through a software update.”
Seeing Bad Behaviour (Analyzing Encrypted Traffic)
Cisco has applied a policy-based approach to network segmentation and assurance; the Network Data Platform and Assurance platform, for example, uses data generated by networking infrastructure to provide contextual information, and through machine learning in the DNA controller is able to automatically recommend actions that would resolve security issues, delivering prescriptive analytics. Similarly, Software-Defined Access (SD-Access) uses automated policy enforcement and network segmentation to simplify the creation of network access for users, devices and things, and through automated configuration, provisioning and troubleshooting, helps to time to reduce time to resolve issues and hence the impact of security breaches. But what of malware threat prevention and detection?
Ironically, one of the key security challenges we face in detection is encryption. While encryption helps to ensure data privacy and security, it also provides a shield for threat actors, who use it to remain hidden, and persistently hidden. According to TK Keanini, principal engineer at Cisco, we have reached an online tipping point where everything will be encrypted: while approximately 55 percent of traffic is encrypted in 2017, by 2019, an estimated 80 percent of traffic will be encrypted, and 70 percent of attacks will use it to avoid detection. Decryption, which slows network performance to a virtual standstill is not an option.
To maintain encryption while providing insight into the network, Cisco has developed Encrypted Traffic Analytics, which provides the metadata needed to identify what cyphers are used and what encryption keys are used – armed with information on the quality of cryptography, organizations are able to enforce enable cryptographic compliance, without decrypting the data. Using the “body language of packets” the new solution looks at the metadata of the packet flow and with Cisco's Talos cyber intelligence and machine learning analyzes metadata traffic patterns to identify the fingerprints of known threats. Cisco claims it can detect threats in encrypted traffic with up to 99 percent accuracy, with a rate of less than 0.01% false positives, enabling the new network to deliver security without compromising privacy.
Since the introduction of software-defined networking five years back, Cisco has worked to refine its hardware platform and the messaging around it. Unlike competitors such as VMware, the company has chosen to develop functionality that builds on the synergies between its own hardware and software capabilities. With announcement of intuitive networking, Cisco is focusing on the latter, taking advantage of state-of-the-art in current technologies – machine learning, contextual analysis and prescriptive action – to create its own flavour of SDN, a much more capable and sophisticated version than appeared with Open Flow back in 2011. The company claims significant success through this approach: according to Cisco, initial analysis with field trial customers and internal testing for intuitive networking have shown a reduction in network provisioning time of 67 percent, an 80 percent improvement in time for issue resolution, a 48 percent reduction in security breach impact, and OPEX savings of 61 percent.
Through this focus on software, the company is also looking to extend its ecosystem, providing functionality that can engage and address the needs workers at any level of the stack in order to inspire more broad innovation on the Cisco platform. While automation can replace many manual tasks to speed network operation; at the same time, with intuitive networking, the network administrator can program to support the specific requirements of a particular environment/app/device, and then harness automation to deploy at scale. As Susie Wee explained, by adding programmability at the ASIC, device, controller and DNA Centre layers, Cisco is delivering new levels of speed and scale: “The speed at which you can deploy change, the speed at which you can create a new group, the speed at which you can set a new policy in the network,” are key benefits of the automated, programmable network, which can quickly adjust to address connectivity or other application requirements. “If a microservice suddenly scales, you can now dynamically configure the resources to make that work. It was not possible to do this with such speed and in such an automated way before.” In her view, automation and programmability represent complementary capabilities that enable operation at a higher level: “Programmability allows you to make changes in the network, but programmability also enables automation. You can now send your intent to all those programmable devices, and instantly roll that out in an automated way.”
Wee has longstanding interest in combining user experience and technology, and has been able to translate some of her earlier work with collaboration tools to networking more broadly, to support a wider group of ‘users’ that would include the operations staff, end users and the developer. And while organizations may need to develop some constructs around groups and policy control – “you don’t want every app developer programming the network at a deep level,” she added – to reserve some control to the IT and network professional, there is also information generated by the network that the developer can leverage to optimize app delivery. As they learn to communicate via new software interfaces, Wee believes the network professional can also be viewed as a ‘developer’ – a “power user of software systems” who understands what the network is capable of and who may work with a coder who represents the interface. But with programmable networks, the app developer can also use networking data to create new services or businesses that enhance network performance and management, or build new vertical or business applications that can be grouped according to different policy and priority, can request varying levels of QoS and security, or can easily onboard a new device. “The level of programmability and instruction that the IT and the app developer will use will be a little bit different, but they can both benefit in different ways.” In Dev/Net, she explained, Cisco is working to train, educate and encourage each type of developer, whatever their starting point – simple code and APIs for the administrator, and networking 101 for the app developer – and through this education provide the support needed for better communication between IT and development teams. With some knowledge and control of infrastructure, the developer is better equipped to assume ownership of a project; with better understanding and ability to provision and program policy for specific applications, networking and IT are also engaged. Ultimately, the intuitive network may join the ranks of the conversation starters, a tool to help the app developer and the infrastructure provider improve Dev/Ops processes, and with it, app operation and time to value.