How Cisco’s Smart Collector Security Architecture protects your sensitive network data

Servers, Storage and Networking | Posted on May 25, 2016 by Emily A. Davidson

 

As clients work with Softchoice to evaluate whether Smart Net Total Care will provide what they need, the inevitable question arises: how secure is my sensitive network data? Read on and get a quick reference guide for Smart Net Total Care security, including collection, transmission, processing, storage and viewing.

Please join our upcoming webinar 3 Actions to Consider From Cisco Support Contract Changes on June 14th at 2:00pm EDT

Most networks are designed using the eggshell principle, hard on the outside and soft on the inside. Too often, once a hacker breaches the network perimeter, the rest of the network (and the data it transmits) is ripe for pilfering.

At Softchoice, we want to show our clients that their data security is important to us – and that when you use this service, your sensitive data is secure.

If you’re not familiar with Smart Net Total Care, it’s a service attached to Cisco devices that:

  • Identifies relevant alerts and advisories for your affected devices
  • Provides automated installed base and contract management functionality
  • Maintains up-to-date installed base data

Smart Collector Security 101 – Securing the discovery, collection and transmission of your data

Once it’s set up, the smart collector identifies Cisco devices and collects their Product Identifiers (PID), serial numbers and IOS releases. Additional device information like Cisco OS version number, host name, IP address, installed memory and firmware version number is also collected with the intent of providing richer insights in the final report.

[Figure: How the Cisco Smart Collector works]

How the Smart Collector arrives

The Smart Collector comes in either a prepackaged hardware appliance or software deployed to your virtual environment. Set-up includes device SNMP read-only credentials and basic TACACS access to perform a valid inventory collection.

If network load is a concern, the tool actually places a very light load on the network, and it’s possible to reduce the number of threads and throttle collection traffic.

Device discovery is controlled by you

At the end of the day, you will control what type of network data will be transferred to Cisco. Cisco offers a wide choice of protocols to choose from for discovery including: Address Resolution (ARP), Link Layer Discovery (LLDP), Border Gateway (BGP) and more.

These devices are discovered through the use of Simple Network Management Protocol (SNMP), Command-Line Interface (CLI) commands and Simple Object Access Protocol (SOAP) to gather additional information. For IP Phones, the MAC addresses are pulled from the Unified Communications Manager.

Data transmission uses a secure connection

As a measure to ensure data privacy, Cisco will never request information from the collector. This means that Cisco’s servers will never attempt to establish incoming connections to the collector. The connection will always be initiated from the collector to the Cisco upload server.

Also, the collector does not accept incoming connections from any external sources. It’s recommended that the collector be placed behind your existing firewalls to further reinforce this policy.

Top 3 collector security measures for safe transport

To eliminate the risk of data breaches during transport, Cisco uses the CentOS distribution of the Linux operating system and applies quite a few hardening measures to the collector during configuration. These measures are outlined below:

  1. All sensitive device passwords and credentials are masked during transport
  2. Transferred data is encrypted at the application layer using a PKI-based 128-bit AES key generated per data upload
  3. The AES key is also encrypted with a public key generated by Cisco – the encrypted data plus the encrypted 128-bit key is signed using the private key generated at installation to form a digital signature

This means that even if your network is affected by a security hole or threat, it will be almost impossible for an undesired program or user to access sensitive network data. For a more in-depth look into security measures used in the collector, view this CSPC Collector Overview.
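Measures 2 and 3 describe envelope encryption followed by a signature. The sketch below is an added example, not Cisco's collector code: it runs both sides of that exchange in Node.js. The AES mode (GCM), the RSA-OAEP key wrap, the RSA-SHA256 signature, the key sizes and all function names are assumptions, since the article only states "128-bit AES", "public key" and "private key".

```javascript
// Added example: per-upload AES-128 key, wrapped for the receiver, then signed.
// Assumed, not stated in the article: AES-GCM, RSA-OAEP, RSA-SHA256, 2048-bit RSA.
const crypto = require('crypto');

// Constructed stand-ins for the two key pairs the article mentions.
const ciscoKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });     // "public key generated by Cisco"
const collectorKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }); // "private key generated at installation"
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Constructed sample payload; not real device data.
const SAMPLE_INVENTORY = Buffer.from('pid=EXAMPLE-PID;serial=CONSTRUCTED001;os=example-release');

// Everything the signature covers: encrypted data plus the encrypted key.
function signedBytes(pkg) {
  return Buffer.concat([pkg.iv, pkg.ciphertext, pkg.tag, pkg.wrappedKey]);
}

// Collector side: a fresh 128-bit key for every upload.
function sealUpload(inventory, recipientPublicKey, signerPrivateKey) {
  const aesKey = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-128-gcm', aesKey, iv);
  const ciphertext = Buffer.concat([cipher.update(inventory), cipher.final()]);
  const pkg = {
    iv,
    ciphertext,
    tag: cipher.getAuthTag(),
    // Only the holder of the recipient's private key can recover the AES key.
    wrappedKey: crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, aesKey),
  };
  pkg.signature = crypto.sign('sha256', signedBytes(pkg), signerPrivateKey);
  return pkg;
}

// Receiver side: check the signature before touching any key material.
function openUpload(pkg, recipientPrivateKey, signerPublicKey) {
  if (!crypto.verify('sha256', signedBytes(pkg), signerPublicKey, pkg.signature)) {
    throw new Error('signature check failed: upload rejected');
  }
  const aesKey = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, pkg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-128-gcm', aesKey, pkg.iv);
  decipher.setAuthTag(pkg.tag);
  return Buffer.concat([decipher.update(pkg.ciphertext), decipher.final()]);
}
```

Because the signature covers the wrapped key as well as the ciphertext, a package altered in transit, or one signed by a key other than the collector's, is rejected before decryption starts.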

The following security events are logged and reported

Any security events are logged locally by the collector. You will receive an alert if the self-monitoring system is concerned about:

  • Unsuccessful login attempts
  • Secure connectivity or cryptographic processing errors
  • Policy configuration changes
  • Collector subsystems status, like local database and file system
  • Data access from collector user accounts
  • Successful transmission of information to the Cisco data center

All inventory data is stored as part of the SQL database on the collector, not the general file system. All passwords and community strings are encrypted with 256-bit AES encryption, with different AES keys for database records, application code and backups – these credentials are never transmitted to Cisco.

IP Addresses and hostnames can be kept confidential

The actual hostname/IP address (useful information for a potential hacker) will never leave your network. An advanced security option allows you to keep IP addresses and hostnames confidential, with the option to map the IP address and hostname fields in the data gathered by the collector before the data is sent to the Cisco data center.
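The mapping option described above can be pictured as a lookup table that stays on the collector. The following is an added example, not the collector's own implementation; the record layout, field names and alias format are assumptions made for illustration.

```javascript
// Added example: alias hostname and IP fields before upload.
// Record layout, field names and alias format are assumptions for illustration.
function createMasker() {
  const forward = new Map();  // "kind:real value" -> alias; never leaves the collector
  const reverse = new Map();  // alias -> real value, for reading reports locally
  const counters = { host: 0, ip: 0 };

  function alias(kind, real) {
    const key = `${kind}:${real}`;
    if (!forward.has(key)) {
      counters[kind] += 1;
      const name = `masked-${kind}-${counters[kind]}`;
      forward.set(key, name);
      reverse.set(name, real);
    }
    return forward.get(key);
  }

  return {
    // Only hostname and ip are replaced; PID and serial pass through unchanged.
    mask: (rec) => ({ ...rec, hostname: alias('host', rec.hostname), ip: alias('ip', rec.ip) }),
    unmask: (name) => reverse.get(name),
  };
}

// Constructed sample inventory (documentation address range, made-up names).
const SAMPLE_DEVICES = [
  { hostname: 'core-sw-01.example.net', ip: '192.0.2.10', pid: 'EXAMPLE-PID-A', serial: 'CONSTRUCTED001' },
  { hostname: 'edge-rtr-01.example.net', ip: '192.0.2.20', pid: 'EXAMPLE-PID-B', serial: 'CONSTRUCTED002' },
];

const masker = createMasker();
const firstUpload = SAMPLE_DEVICES.map(masker.mask);
const secondUpload = SAMPLE_DEVICES.map(masker.mask);  // a later collection run
```

The same device receives the same alias on every run, so reports stay comparable over time, while the table needed to translate an alias back to a real host exists only locally.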

Data storage is private and confidential

The physical machines are kept in a lock-and-key facility where access is restricted to Cisco IT administrators only.

Once the data reaches the safety of Cisco’s data center, you (or your service provider) face an administrative shell that only allows you to perform basic tasks like IP address assignment and OS-related tasks. Accessing the interface for creating and managing discovery collection jobs requires a URL for a web UI that is only accessible via the HTTPS protocol. The Smart Net Total Care User Guide will show you how to do this.

The administrative shell requires a complex password, with change prompts every 6 months. Your network data must be protected against any hackers lurking around your IT perimeter, gathering data to develop a footprint of your network and identify any weak spots.

For more in-depth features of data storage, view the Security and Smart Net Total Care Service white paper.

Get this visibility today – at no cost

In a short Smart Net Total Care Briefing session, we will show you how to enable Smart Collectors easily, consolidate contract end dates and access ITIL based processes for parts replacements.

Click here to request a briefing session

Note: your email will only be used for the purposes of booking a briefing session.

Additional resources

Security and Cisco Smart Net Total Care Service Whitepaper (recommended)
Cisco Security Vulnerability Policy
Cisco Privacy Portal
Smart Net Total Care How-To Videos
Smart Net Total Care Collector Quick Start Guide
Smart Net Total Care Enhanced Data Privacy Feature Application
