Cisco Security

Why do legacy ASAs need Migration to ASA X Generation?


The traditional legacy ASA firewalls (5505, 5510, 5520, 5540, 5580) are End of Life (EOL) and will soon be End of Support (EOS). A vast number of these ASAs are still deployed as security devices and Internet edge firewalls, and many companies think they are providing the necessary security. Nothing could be further from the truth.

These older ASA models have the following problems:

  1. Hardware Problems

Cisco ASA firewalls have a Mean Time Between Failures (MTBF), which is simply the predicted elapsed time between inherent failures of such devices. When legacy ASAs are out of support, it is not possible to renew support contracts, as firmware updates are no longer available, effectively making the devices EOL. They are a ticking bomb: without support, any network can suffer significant downtime when the device gives up.

  2. Code Vulnerabilities

ASA updates are infrequent, occurring every 6 months or so, which means security holes can appear in the long gap between security patch updates. Effectively, your device is vulnerable and unsecured while it awaits the next patch update. Legacy ASA firewalls currently only run up to version 9.1. These vulnerabilities would be less of a threat if the default and most commonly deployed scenario were not an Internet edge firewall.

  3. Lack of new features

Cisco is not delivering any new features to the legacy ASAs, and the major version will probably not move beyond 9.1 (while the newest is 9.6 for next-generation firewalls).

  4. Lack of real security

No working firewall can rely on stateful firewall technology alone to protect the assets of an organization. Legacy ASAs can only run the legacy Cisco IPS on a separate module, which cannot measure up to modern IPS technology. The new generation of firewalls has the Firepower functionality, which is the industry-leading IPS technology.

Challenges for migrating Legacy ASA to ASA X?

  1. Configuration migration
  • Manual migration – The configuration of a legacy ASA usually differs from that of the new ASA X and cannot simply be copied and pasted into the new device. Different interface naming and different features and functionality mean different CLI syntax.

Very often the legacy ASAs run pre-8.3 code due to RAM restrictions (RAM needs to be upgraded for 8.3+ code). The pre-8.3 code is very different from today’s code in terms of syntax: it does not mandate the use of objects, the NATs are configured in the old PIX-like fashion, and policies use the global IP addresses (the so-called real IP addresses seen on the interface) rather than the original ones (the IP addresses on the hosts). That means that large portions of the config need to be redone (in most cases manually) when you do the switchover.

The sections that need manual work are: Objects, NATs, Policies and ACLs. Manual migration is the recommended approach, and usually an experienced Cisco Security Consultant is needed to perform the job.

  • Automatic migration is possible if the legacy ASA has its RAM upgraded (512MB for 5505 and more than 1GB for the other models is mandatory). Depending on the starting OS image version, several upgrades are done to ensure the device runs the latest 8.2.x code before it jumps to 8.4.1. During that jump the device automatically converts the configuration as best it can (it will print errors on the console while booting if it cannot migrate certain areas of the config), creating objects (with automatic names) and deploying them.

During automatic migrations there is always a chance that something will not work, so the migration again needs to be performed by someone who understands the migration process and can track down and manually correct errors or add configuration afterwards. Also, the configuration after an automatic migration is not easily readable, because the objects are created with an automatic naming convention.

  • Raising the security level – if you have migrated from a legacy ASA to a new generation ASA X that supports Firepower and other security technologies, it makes sense to leverage those technologies and enable, configure and tune them. A blind one-to-one migration might give you more in terms of availability (new hardware, newer code, fewer code vulnerabilities and more frequent code updates), but it will not ultimately give you better protection for your assets. Deep packet inspection with content analysis is a must in the modern threat landscape. Implementing the Firepower technology is a necessary but complex step that needs to be done by people with the right skillset and experience.
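The manual rework described above for pre-8.3 configurations (objects, NATs and ACLs) is sketched below. This is an added example, not part of the original article and not a Cisco tool: it converts host-to-host `static` NAT lines into 8.3+ network objects, rewrites ACL entries from the translated address to the host's own address, and lists every other legacy NAT line for manual review. The sample configuration is constructed, and the `obj-<address>` object names are this example's own choice.

```python
import re

# Constructed sample of a pre-8.3 configuration (documentation/private addresses).
PRE_83_CONFIG = """\
hostname legacy-asa
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.25 10.10.10.25 netmask 255.255.255.255
static (inside,outside) 203.0.113.64 192.168.2.0 netmask 255.255.255.192
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.25 eq smtp
access-list outside_in extended permit icmp any host 203.0.113.99
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Pre-8.3 form: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    rf"^static \((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\) "
    rf"(?P<mapped>{IP}) (?P<real>{IP}) netmask (?P<mask>{IP})$"
)
HOST_RE = re.compile(rf"\bhost ({IP})\b")
LEGACY_NAT_KEYWORDS = ("static ", "nat ", "global ")
HOST_MASK = "255.255.255.255"


def host_static(line):
    """Return the regex match if the line is a one-to-one host static, else None."""
    match = STATIC_RE.match(line)
    return match if match and match["mask"] == HOST_MASK else None


def convert(config):
    """Return (new_lines, review) for a pre-8.3 config given as text.

    new_lines: 8.3+ style lines, in the original order.
    review:    legacy NAT lines this example does not convert (subnet statics,
               dynamic nat/global pairs, port forwards) and that need manual work.
    """
    lines = [raw.strip() for raw in config.splitlines() if raw.strip()]

    # Pass 1: learn translated -> host address pairs from host statics.
    mapped_to_real = {}
    for line in lines:
        match = host_static(line)
        if match:
            mapped_to_real[match["mapped"]] = match["real"]

    # Pass 2: emit the converted configuration.
    new_lines, review = [], []
    for line in lines:
        match = host_static(line)
        if match:
            real = match["real"]
            new_lines += [
                f"object network obj-{real}",
                f" host {real}",
                f" nat ({match['real_if']},{match['mapped_if']}) static {match['mapped']}",
            ]
        elif line.startswith(LEGACY_NAT_KEYWORDS):
            review.append(line)
        elif line.startswith("access-list "):
            # 8.3+ ACLs reference the host's own address, not the translated one.
            # Assumes the translated address appears only as a NAT destination.
            new_lines.append(
                HOST_RE.sub(lambda m: "host " + mapped_to_real.get(m[1], m[1]), line)
            )
        else:
            new_lines.append(line)  # unrelated lines are carried over unchanged
    return new_lines, review


if __name__ == "__main__":
    converted, needs_review = convert(PRE_83_CONFIG)
    print("\n".join(converted))
    print("\n! Needs manual review:")
    print("\n".join("! " + line for line in needs_review))
```

ACL entries whose address has no matching host static, such as `203.0.113.99` in the sample, are left as they are and should be checked by hand along with the review list.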

References:

  1. EOS / EOL announcement

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eol_C51-727283.html


Whitepaper – Meeting the challenge of Cisco technical services delivery

Assessing the needs of MSPs, integrators and other organisations and the challenges they face when sourcing quality third-party professional project and technical services for Cisco technologies.

What’s Your Problem?


Your Pain Points when working with a Supplier of Cisco Engineers

“They” say that 98% of published statistics are made up, and people will think that when market research doesn’t provide them with the answers they anticipated. Conducting market research with a 3rd party will help to eliminate subconscious bias when asking questions and help to provide a survey format whereby respondents submit honest and detailed responses. Here at 4CornerNetworks, that’s exactly what we did when partnering with CRN Channel Web as we embarked upon a quest to understand client experiences, good and bad, when engaging with a supplier of Cisco Engineering Resources.

We Asked…

C-Level Executives, Operations & Project Managers from Telecoms, Managed Service Providers, ICT Providers and Cisco Channel Partners were asked about their experiences when utilising Cisco Engineers from a 3rd party vendor.

You Said…

  • 1/3 Were not satisfied with their external supplier of choice
  • Only 1/3 said they were happy!
  • 83% Concerned with rising costs and additional charges
  • 83% Concerned with lack of Engineering availability
  • 48% Concerned with a lack of transparency on attending Engineers certifications and experience

Engineering Availability

We asked, the channel spoke and specified that a lack of available Cisco Engineers and High Costs were the two primary concerns. 40% of C-Level Executives stated that they used more than one supplier of Cisco Engineering Resources, with 45% of those respondents doing so due to a lack of engineering availability. A lack of available Engineers will naturally occur when external partners fail to understand your everyday business requirements. Where are your clients located? When do you experience dips or peaks in client demand? How quickly can your external partner process your request? – All these questions impact on Engineering availability and all can be avoided by planning, integrating processes with your external partner and studying previous trends to ensure that you can get Cisco Engineering excellence, where you need it, when you need it.

Access to Cisco Engineering Skills

2/3 of Telecoms, MSPs, ICT & Cisco Partners utilised the services of a 3rd party vendor to gain access to specific Cisco Engineering skills not available in-house. However, only a fraction, 7% of all respondents, concluded that costs were a benefit of hiring an external Cisco Engineering partner – that’s 93% of hiring companies NOT completely satisfied with the costs they are being charged.

Almost half of all respondents expressed their concerns with the experience and qualifications of attending Engineers. Often the end client provides feedback on how each Engineer performs: how long it took them to perform tasks, their customer and communications skills and their overall technical ability and expertise. If an attending Engineer takes twice as long to perform tasks due to their lack of experience or because they are not adequately qualified, then costs increase and the quality of workmanship will reflect poorly on your Brand.

Peek-A-Boo Charges

Peek-a-boo charges were the main cost concern when hiring a Cisco Field Engineer from an external partner. Upon opening your invoices, all of a sudden, peek-a-boo! Out pop charges for account set up, account maintenance, minimum booking time of 2-4 hour slots (when you only need an Engineer for 1 hour) and being charged for a CCNA, when all you got was a technical courier. Such charges make financial budgeting and forecasting almost impossible when you have no idea how much additional costs will be added to your invoice.

We Listened and…

We understood what problems your organisation faced when working with 3rd party suppliers of Cisco Engineers and what solutions will help to alleviate your pain points. More transparency, greater Cisco Engineering availability, consistent pricing and a select partner to work in tandem with your current business processes, ethos and culture.

SMART Onsite Service from 4CornerNetworks implemented by a customised Partnership Portal provides a solution to each and every pain point.

Transparent Billing

No set-up fees and no account management fees will ever be charged. We do not believe in winning new clients, then charging them for the privilege of being our client. Securing clients in a mutually beneficial long-term relationship will always be a main objective of 4CornerNetworks. Financial planning and budget control is now placed firmly back in the hands of our clients as a set monthly fee is charged by Direct Debit making forecasting easy and accurate because you know how much your bill will be every month.

Ease of Booking

S.O.S is only available to clients who outsource their requirements for Cisco Field Engineers of 500+ hours annually. You will be able to access the exclusive Partnership Portal of 4CornerNetworks where booking an Engineer when and where you need them is quick and easy to use. Simply choose the date, time and location of where you require an Engineer, provide a brief scope of work to gain instant access to Cisco Engineers where you need them, when you need them. This results in less admin time to source Engineers and less time and cost when working with an external partner.

Cisco Field Engineers Availability & Quality

Have you ever found yourself questioning the certifications and experience of an attending Engineer? Have you experienced Engineers turning up onsite late, unprepared and lacking in both customer and technical skills?

With S.O.S you will be able to view the details of Engineers, their Certifications and previous Quality Assurance scores. Therefore any Engineer you book will firstly need to satisfy your exact requirements and those of the end client. As a result of this function, the quality standards of your organisation will be significantly boosted, bringing you and your clients complete peace of mind.

Sourcing Cisco Engineers from a 3rd party supplier has thus far caused many organisations to seek alternative solutions to their Engineering requirements. Many existing suppliers of Cisco Field Engineers have caused customers to switch suppliers in search of transparent billing and certified Engineers. Perhaps the lesson to learn is to view your clients as partners and understand that there is a direct correlation between fair pricing, quality standards and long-term relationships.

Cisco Technical Support, a speciality service offered by Cisco Support Engineers at 4CornerNetworks

A friend in need is a friend indeed

– and we’re true to all our customers, whenever they need us

We all know that you find out who your true friends are when things are going badly. When you need to ask a big favour, and you call around – or more likely these days post on social media – there are those that will drop everything and come and help, and those that will mutter something about getting back to you when they have the time.

Of course, when you’re a big company paying good money for a service contract, you can count on your partners to rush to your support at the first sign of trouble. Can’t you?

We at 4CornerNetworks certainly think so, and we are proud to provide the very best Cisco Technical Support, whether it be on-site or remote, at any time of the day and night. Indeed, our highly qualified Cisco Network Engineers are usually so involved in the projects we work on that it is they who flag up problems to our clients, not the other way around.

Cisco Technical Support from 4CornerNetworks

But the important thing is that whoever flags up a problem, we will throw ourselves into dealing with it immediately, because we know how important IT networks are, both to our clients in their respective sector and the companies which they work for – who we also regard as our clients and friends. When an issue arises which is threatening the wellbeing of one of our client businesses, our usual stipulation of three to five days’ notice for booking resource becomes meaningless: we scramble to it the instant we hear about the issue, and everyone in the organisation from myself down takes responsibility for what we have to do to fix it and meet the end client’s expectations. Fortunately, our international network and flexible, shift-based approach mean that we always have people ready to do the job, however remote the location.

Sadly, it appears that this is not a universal standard within our sector. Many clients come to us because they are unhappy with the treatment they have received for network services when they really needed them. Needless to say, this often comes after years of paying good money for a perfectly reasonable but unspectacular service, which means they are left all the more disappointed when managers who should be their friends and who know they are in trouble simply turn their phones off for the night or the weekend. In modern business, many firms don’t have the luxury of waiting until Monday before even starting to think of solving a serious problem.

The essence of good service in a business-to-business operation such as ours is therefore to be available when we are needed.

The knock-on effects of providing a 24/7 service, compared to not doing so, were neatly illustrated last week in this tale of two cities: http://www.chicagotribune.com/news/nationworld/ct-east-coast-blizzard-20160125-story.html

Basically, when a once-in-a-decade storm dumped several feet of snow on the Eastern US, New York sent out 4,600 workers and more than 2,000 pieces of equipment, with its crews on 12 hour shifts so that half were on the streets at any time. This round-the-clock operation through the weekend ensured that most people got to work on Monday morning, kids got to school, and the city lost just 7% of its economic output for the affected period.

In Washington DC, by contrast, fewer workers were sent out, and there was a less concerted effort generally to get the city up and running. The article highlights a number of reasons, such as the fact that the US capital has less snow on average and is therefore not as well prepared and resourced to deal with the issue as New York. But reading between the lines, we can see what are basically excuses. Excuses for why the city lost 25% of its economic output for three days.

Many businesses are all too familiar with excuses from their suppliers. Some corporations have a culture which seems to value excuse-making above problem-solving. This seems to be a mindset too many organisations drift into as they scale up, and that is why I have always strived to create an open and accountable culture at 4CornerNetworks. We are still small enough that either myself or our operations manager Heidi Toms will be on the end of that phone dealing with an issue for a customer, and neither of us is going to shirk responsibility or switch our phone off for the evening.

But we are growing, and that’s why I am also encouraging a culture where everyone at 4CornerNetworks, employees and contracted Cisco Engineers alike, takes responsibility for and ownership of our clients’ problems. The flip side of this is that everyone within 4CornerNetworks is treated as a professional, and paid accordingly.

Cisco Field Engineers, the boots on the ground from CCNA-CCIE level from 4CornerNetworks

Cisco Field Engineers

Monitoring, managing and maintaining IT Networks has evolved in recent years with innovations in network management tools, cloud storage and Software Defined Networking. SolarWinds seems to be the network management tool of choice and the recent $67 billion Dell-EMC acquisition shows the market focus on cloud storage is altering the landscape for IT Networks. Such advancements in methodology and technology have led to the demise of in-house Field Engineering teams. MSPs, Cisco Channel Partners and Telecommunications & ICT Providers have all reduced their focus and expenditure on their in-house Cisco Field Service capabilities.

However not all network upgrades and faults can be rectified remotely. Network management tools are limited to identifying bottlenecks, firmware upgrades and faults, but at some point your clients will need the expert help of Cisco Field Engineers. Until network management tools or SDN can develop Artificial Intelligence, grow legs and hands armed with screwdrivers to rack and stack, people need people to solve network issues.

Expansion of Capabilities

Austerity and cost-cutting are the best of friends, and many Enterprise companies and SMEs have reduced not only their Field Engineering Services but their NOCs and Technical teams too. IT Networks require Cisco Engineers with specialist skills in Security, Wireless and Collaboration, to name but a few. Employing such a vast range of specialist Cisco Engineers may no longer be cost-effective, but the demand for boots on the ground remains buoyant. If the end client is situated in a challenging postcode or remote location and/or requires a specialist Cisco Engineering track, you can choose to send your own in-house Engineer halfway across the world, or you can work in partnership with a reputable supplier of Cisco Field Engineering Services.

Strategic partnerships between MSPs, Channel Partners and Telecoms providers must be complemented by external providers of Cisco Field Engineering Services. The newest advancements in methodologies and technologies may reduce the demand for Cisco Field Engineering Services, but they will NEVER make them obsolete.

Integration

Forming a strategic partnership requires an alignment of capabilities, complementary services and, most importantly, sharing knowledge. You could choose to form a simple client/customer relationship, but the benefits of integrating organisations help to deliver market-leading service delivery and customer service.

When an MSP, Cisco Partner or Telecoms/ICT provider employs the services of an external Cisco Field Support company, those two companies need to deliver services as one entity. Both organisations need to integrate departments, processes and technology. Departments integrate when Project Managers, Account Managers, Operations Co-ordinators and Cisco Field Engineering Teams align objectives and targets. Define duties, roles and responsibilities and always assign a designated contact and point of escalation within each organisation. Frequent and open communication is a tangible asset and must not be underestimated or undervalued.

When ICT/Telecommunications providers, MSPs and Cisco Partners reduce their in-house Cisco Field Engineering Team, a gap in the market opens up for providers of Cisco Field Support. Apply the same principle to providers of Cisco Field Engineers: they cannot gain access to such lucrative clients on a mass scale. The truth is that neither company can achieve growth, amass industry & operational knowledge & skills or service the end client without the help of the other.

Competitors Don’t Mean War: The Value of Strategic Partnerships

In the IT channel, Strategic Partnerships are commonplace, most notably with the recent collaboration between the two technology giants, Cisco and Apple. The Apple & Cisco partnership is a perfect marriage: Apple gain access to the Enterprise market, whilst Cisco benefit from iOS and facilitate Apple’s entry into the Enterprise arena. But what exactly is a Strategic Partnership?

PricewaterhouseCoopers define a Strategic Partnership as:

“A strategic partnership involves some shape of formal agreement between two or more parties that have agreed to share finance, skills, information and/or other resources in the pursuit of common goals.”

Sharing

Before a Strategic Partnership is formalised, first ensure that all parties share the same expectations of its outcome. Start by clearly defining shared business objectives: you both might want to achieve A or B, but can you achieve them together? Strategic Partnerships are generally triggered by the existence of shared objectives. For example, a Managed Services Provider or Cisco Channel Partner may need Cisco Technical Resources worldwide due to a lack of in-house specialist Cisco Network Engineers. An implied shared objective therefore exists before a formalised agreement is signed.

As highlighted in the PwC definition, a successful Strategic Partnership can only be achieved by sharing resources, finance, information and skills. Each company will have a unique strength which the other lacks, therefore combining capabilities allows both partners to access new markets, increase product/service offerings, increase revenues and embark on a mutually beneficial knowledge sharing relationship. Strategic Partnerships are a viable alternative to traditional growth strategies including organic growth, angel investors and borrowing.

Culture & Values

A 2013 CIPD survey showed that 60-70% of Strategic Partnerships fail, often triggered by a mismatch in culture and company values. The lesson learned from this statistic is to choose your partners based on common shared values and company culture. If your company has an aggressive sales culture who earn their competitive advantage via low prices, then your ideal partner isn’t a company who values quality of service over price.

Achieving a cultural fit where both parties share values should not be underestimated. A written agreement will specify relevant KPIs including volume of sales, quality of service and conflict management. However, in the blink of an eye, the days and months of negotiations can be destroyed with a cultural faux pas. Obvious cultural differences in body language, linguistics and beliefs occur when partnering with an international partner. However, more subtle factors like equality, gender balance and employee & stakeholder engagement can contribute to a failed or successful Strategic Partnership.

Ease of Integration

After agreeing on shared objectives, resources and culture, integration is the next step before the partnership is good to go. The theory of how companies form a partnership is the easy part, now it’s time to fit the final pieces together.

Integration is the point where 2 (or more) companies in a Strategic Partnership become one entity. What type of information is shared between parties? What processes should be implemented to directly deal with joint customers? What systems are implemented to process enquiries, sales and communications?

When a Cisco Channel Partner or ICT Provider needs to book a Cisco Network Engineer from a Cisco Professional Services partner onto a client site, there needs to be a unified and coherent system used by both parties. A scope of work will be agreed along with timescales, prices and quality standards. Mapping systems would be in place so all partners can identify where Network Engineers are working and how and when to book the next available one: all contributing to a seamless synergy between Strategic Partners.

Have you experienced a Strategic Partnership where only 1 party truly benefits? Have you been involved in a Partnership where you value quality of service but your partner values low price more? Tell us your horror and success stories 🙂

Locally sourced Cisco Network Engineers represented by connecting cities

3 Reasons to outsource your requirements for Cisco Engineers


With a market cap of $119 billion, 2014 sales of $48 billion and ranked number 12 in the world’s most valuable Brands, Cisco are the industry leaders in IT Networking equipment. The likelihood is that readers of this article will be working with or have worked with Cisco Network Systems. Therefore if your company is working with a Cisco Network System then you’ve faced the dilemma of choosing between outsourcing the need for Cisco Support or employing in-house Engineers.

If you are an SME, Enterprise or non-ICT related company with a Cisco IT/Phone system, you need to think about the level of Cisco Engineers you need to employ for your business, whereas Managed Service Providers, Professional Services & Cisco Channel Partners need to think about the level of Cisco Engineers their clients require. Either way, outsourcing can provide your business with the specialist Cisco skills you need at a fraction of the cost and risk of employing Cisco Engineers in-house.

1) Lower Operational Costs

In the UK, Cisco Engineers command high salaries, and rightfully so: they’ve studied and trained hard to achieve their status. Current 2015 average salaries for Cisco Engineers in the UK are:

  • CCNA: £40,500
  • CCNP: £47,500
  • CCIE: £60,000

Your Operational costs don’t end there, other costs associated with in-house Cisco Engineers are:

  • Holidays & Sickness
  • Salary benefits – Bonus, Shares, Pension, Health Care & Annual Pay Increase
  • Additional Benefits – Company Car, Petrol Allowance, Laptop, Mobile Phone
  • Maternity/Paternity Pay
  • Staff Training
  • National Insurance & Tax Contributions
  • Portion of running costs – office, furniture, equipment, admin costs & consumables
  • Cost of Employment – In-House costs or Recruitment Agency

Accumulating the additional costs of employing in-house, a CCNA salary can be well in excess of £50,000 per year or around £23 per hour. Compare this to the average hourly rate of a CCNA which is currently £18 per hour resulting in savings of 27.8% when outsourcing against employing in-house. Your wallet, your choice.

(Visit http://www.accountingservicesforbusiness.co.uk/calculators1/true-cost-of-an-employee/ to calculate the annual cost of your employees and http://www.itjobswatch.co.uk/contracts/uk/ccna.do for CCNA rates)

2) Access to Skills & Knowledge

The Internet of Things (IoT), mobile devices, smart cities, big data and the human fascination and dependency on technology facilitate the need for Cisco Engineers to specialise in certain tracks. You might have an in-house CCNA, or CCIE, but do they specialise in Unified Communications, Security, Wireless, VoIP, R&S and Data Centre? How many hours and years of training would be required to have access to such a varied and multi-skilled workforce in-house? How much would this cost your company?

Having access to the skills and knowledge of certified Cisco Engineers is the most significant reason to consider outsourcing your need for Cisco Support. Quality of service is often cited as a reason not to outsource; however, if you focus on creating strict SLAs and define a clear scope of work with your outsourcing partner, then you can achieve exemplary quality of service for your end customers.

3) Risk

If you outsource your Cisco Support then you simply pay for what you need and use. Replace outsourcing with employing the multitude of Cisco Engineers in-house and you’ll need to ensure you have enough work for the Engineers every day, 52 weeks of the year.

How much time and money do you think line managers and HR departments waste on frivolous staff issues? “Can I have a day off for the dentist?”, “I need to take my dog to the vet” and so on. Employees are also savvier in their knowledge of employment legislation and their rights – holidays, sick pay, pensions, maternity leave and more heavyweight issues such as unfair dismissal and equal rights. It’s not only your balance sheet at risk; it’s your Brand, reputation and credibility in your industry. Taking risks is part of business, but if you can avoid being exposed to such substantial risks then why wouldn’t you outsource?

Do you employ in-house or outsource and why? However opinionated you may be, please feel free to leave your comments.