Cisco Proactive Automation of Change Execution Solution

Q&A

SOLUTION OVERVIEW

The Cisco® Proactive Automation of Change Execution (PACE) solution combines products and services that accelerate operational success by helping IT organizations to securely automate and control changes and configurations in their networks. The solution helps enterprises to meet compliance requirements, accelerate growth, ensure business continuity, and increase user productivity. The Cisco PACE solution is optimized to help medium-sized to large enterprises with challenges concerning compliance, in-house expertise, network complexity, and growth.

Q. Why is Cisco Systems® introducing this solution?
A. One of the critical elements of managing an efficient network is the ability to manage configuration changes. In addition, customers are increasingly facing the challenges of a complex network and pressure to meet regulatory and internal process policies. The Cisco PACE solution helps customers automate and control their network changes. Included in the solution are services from Cisco experts to help customers implement the tools and analyze data from the network.
Q. What are the components of the Cisco PACE solution?
A. The Cisco PACE solution consists of the following products and services:

Products

• CiscoWorks Network Compliance Manager (NCM)

• Cisco Configuration Assurance Solution (CAS)

• CiscoWorks LAN Management Solution (LMS)

• Cisco Secure Access Control Server (ACS)

Advanced Services

• Operations consulting services: Assess, define, and optimize your network configuration and change-management processes

• Technical consulting services: Providing integration, custom compliance, policy rules development, and report generation

• Deployment services: Helping you to plan, design, implement, and operate the Cisco PACE solution

Q. What are the benefits of deploying the Cisco PACE solution?
A. The Cisco PACE solution provides customers with the following:

• Secure and centralized access control to the network for security and auditing

• Automation of business policies for network configuration and changes

• Network analysis validation and recommendations for planning purposes

All of these benefits help enable customers to lower their risks and optimize network performance with tools and services that automate many of the configuration and change functions.
Q. Can I selectively deploy products from the Cisco PACE solution?
A. Yes. The Cisco PACE solution is designed to give customers flexibility in the tools and services required to meet their needs. Products and services may be ordered individually. However, the Cisco PACE solution provides a powerful set of tools and services that collectively help customers reduce risk and increase network performance.
Q. What role does each of the products play in the Cisco PACE solution?
A. Figure 1 shows how the components of the Cisco PACE solution work together to give customers comprehensive views of their network configurations and compliance, from device-specific views to network- and system-wide views.

Figure 1. Cisco PACE: Centralized, Secure Automation of Change Control Operations

In addition, CiscoWorks LMS provides discovery services for itself, CiscoWorks NCM, and Cisco CAS. CiscoWorks LMS provides real-time event management, topology mapping, and monitoring and diagnosis services. It also has a rich Cisco IOS® Software deployment technology.
Cisco Secure ACS helps ensure that only authenticated users and administrators have access to the network, CiscoWorks NCM, and Cisco CAS and that usernames, passwords, and authorization are controlled centrally for easy administration. Cisco Secure ACS is integrated with CiscoWorks LMS to provide automatic authentication and role-based authorization of administrators. Cisco Secure ACS also keeps audit trails of security events for compliance purposes.
CiscoWorks NCM is at the foundation of the Cisco PACE solution, controlling changes across the network. CiscoWorks NCM uses discovery data from CiscoWorks LMS to find the network components and capture their configurations for compliance analysis and reporting. CiscoWorks NCM can check a device configuration prior to deployment to help ensure the update complies with regulatory compliance rules such as Visa Card Holder Information Security Program (VISA CISP), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Financial Modernization Act (GLBA), Sarbanes-Oxley (SOX) Act, and Information Technology Infrastructure Library (ITIL). Custom compliance rules can be built easily to require adherence to corporate-specific policies as well.
Cisco CAS automatically performs network-level consistency checks that identify misconfigurations, policy violations, inefficiencies, security gaps, and resiliency problems. Cisco CAS analyzes and validates network-level consistency by executing rules that audit the entire network, checking security vulnerabilities, IP addressing, route maps and attributes (such as QoS), regulatory compliance, and a wide variety of switching and routing protocols. Cisco CAS allows for scheduled or configuration change event-based automated data import from CiscoWorks NCM and then automatically generates a model of the network for high-performance analysis.
Q. What is the difference in functionality between CiscoWorks NCM and Cisco CAS?
A. CiscoWorks NCM tracks and regulates configuration and software changes throughout a multivendor network infrastructure. It provides superior visibility into network changes and can track compliance with a broad variety of regulatory, IT, corporate governance, and technology requirements. CiscoWorks NCM helps IT staff identify and correct trends that could lead to problems such as network instability and service interruption.

Cisco CAS audits and analyzes the network on a regular basis to assess the impact of network changes and help ensure the integrity, security, and availability of the IP infrastructure. Cisco CAS regularly and systematically audits a high-fidelity network model to identify problems with connectivity, security, and resiliency. Cisco CAS examines the operational network for design and configuration issues. This management tool builds a virtual connected model of the network by importing and analyzing network configuration files. Cisco CAS can "auto-generate" rules used to interrogate attributes of a network model as well as customize the rules engine used during the audit and compliance process.

The following table (Figure 2) illustrates the functionality of each product.

Figure 2. CiscoWorks NCM and Cisco CAS Capabilities

Q. How do CiscoWorks NCM and Cisco CAS work together to increase network availability and uptime?
A. Both tools help automate audit and compliance checking, which are critical to network availability and uptime. For an operational network, CiscoWorks NCM and Cisco CAS provide time-saving, highly scalable, automated multivendor network auditing, analysis, and compliance reporting based on internal IT and regulatory requirements.

CiscoWorks NCM helps users meet regulatory compliance goals and enforce internal IT best practices in many ways:

• It tracks all changes to the network (configuration, software, and hardware changes) in real time and captures them in a detailed audit trail.

• It screens all changes against authorized policies immediately to help ensure that they comply with regulatory requirements or IT best practices.

• It automatically validates new changes against appropriate policies before they are pushed to the network. If the changes are not compliant, CiscoWorks NCM does not allow them to be deployed.

• It automates the change review process, closing the gap between the approval of a change and the actual configuration change that is pushed to the network.

Cisco CAS takes audit and compliance to the network level by combining modeling, simulation, visualization of topology and traffic, and configuration validation. For network operation purposes, Cisco CAS automatically:

• Uses its powerful modeling platform and inherent understanding of topology and routing to check network-level consistency and detect issues

• Analyzes individual devices, groups of devices, topology, technology (such as VoIP), attributes (such as QoS), and routing information using several hundred predefined (and configurable) rules

• Identifies problems related to routing and switching protocols

• Inspects IP addressing, route maps, and ACLs

• Examines security scenarios in the network

– Uses fully tested security rules to assess vulnerability and risk

– Analyzes access requirements and restrictions, simulates unauthorized flows, and pinpoints misconfigured nodes that block valid connectivity

– Predicts the ability of the network to maintain security under failure conditions

• Verifies network resiliency and identifies capacity issues

• Compares the results of successive network audits to identify recurring network problems

• Schedules multiple regular audits that vary in terms of network scope, frequency, and target analyses

For configuration deployments, CiscoWorks NCM can push compliant configurations out to a very large number of network devices, helping ensure that any changes subsequently made do not violate compliance. CiscoWorks NCM can roll back configurations to known good states.
Q. What will the Cisco CAS network model allow me to do?
A. Cisco CAS helps ensure network security and integrity by automatically creating a daily or more frequent model of the production network. Cisco CAS extracts data from multiple sources to model the network for high-performance audit and analysis. Data can come directly from network devices including Cisco routers, switches, and Cisco PIX® security appliances, as well as data imported from CiscoWorks NCM and CiscoWorks LMS (including CiscoWorks RME and Campus Manager). Cisco CAS uses operationally valid traffic and flow data (such as NetFlow data) as part of multilayer failure analyses across the network to determine which traffic flows will be most affected by outages, and where resulting bottlenecks are most likely to occur. For topology and configuration information, Cisco CAS automatically reconciles conflicting or overlapping data based on user-configurable priorities. Other data sources supported include HP Network Node Manager and Multi Router Traffic Grapher (MRTG).
Q. How will the Cisco PACE solution help my organization with our compliance requirements for VISA CISP, HIPAA, GLBA, SOX, ITIL, and other regulations?
A. With CiscoWorks NCM and Cisco CAS you can document compliance with regulatory requirements such as Sarbanes-Oxley, HIPAA, the Federal Information Security Management Act (FISMA), and others. CiscoWorks NCM and Cisco CAS support critical processes from popular IT governance frameworks including ITIL/BS15000 and ISO 17799. You can generate reports in Web (HTML), Microsoft Word (.rtf), or XML format.

CiscoWorks NCM ships with regulatory reports for SOX, VISA CISP, HIPAA, GLBA, ITIL, CobiT, and COSO enabled, providing the detailed metrics required by each of these regulations and providing the network information necessary to prove compliance. Included by default are reports on users, systems, network status, configurations, devices, software vulnerabilities, tasks or jobs, Telnet/SSH sessions, and compliance centers. Flexible reports can be customized to include a diverse and rich set of information.

Cisco CAS analysis automatically generates reports that identify network issues and provide guidance to administrators. An integrated report server allows for easy, controlled distribution of information. Cisco CAS reports can focus on:

• Issues related to operational network design

• Switching and routing analytics: network performance, availability, protocols, technology, and configurations

• Risks associated with the security posture of the network

• Configuration trends (devices, issues, error types, etc.)

Q. How do CiscoWorks NCM and Cisco CAS integrate with other management applications?
A. CiscoWorks NCM and Cisco CAS allow for integration with third-party tools. They integrate with CiscoWorks applications such as CiscoWorks LMS, as well as Cisco Info Center, Cisco NetFlow Collector, and third-party tools. Integration with CiscoWorks NCM allows Cisco CAS to obtain multivendor device inventory and configuration data. Cisco CAS also updates its network model based on CiscoWorks NCM change events.
Q. Does Cisco PACE support third-party network components?
A. Yes. With the Cisco PACE solution you can manage multivendor networks. It is a highly scalable solution that allows customers to manage large global networks.
Q. How does the Cisco PACE solution complement the Cisco Network Application Performance Analysis Solution (NAPAS)?
A. With NAPAS, Cisco introduced a solution to help you manage and optimize your application and network performance. A critical part of ensuring that your network is running at specification is to manage network configurations and changes. With the Cisco PACE solution, you have all the tools from Cisco necessary to validate and maintain your network configuration.
Q. How does Cisco PACE redefine network compliance, configuration, and change management?
A. With the Cisco PACE solution, network compliance is addressed within a broad context of change execution, proactive impact analysis, and network security management. By using Cisco PACE, customers can fully model and analyze both device-level and network-level aspects to help ensure compliance and consistency. While other vendors provide mostly point products, Cisco PACE gives customers a comprehensive network compliance, configuration, and change-management solution from the proven networking technology leader.

ORDERING INFORMATION

Q. Is there a part number for the Cisco PACE solution?
A. There is not a specific part number for the Cisco PACE solution. Customers have the flexibility to order tools and services based on their specific requirements. There is an ordering guide for your reference at http://www.cisco.com/go/pace. Please consult with your account manager to assess your requirements.

ADVANCED SERVICES

Q. Does Cisco offer services to help deploy the Cisco PACE solution?
A. Yes. Cisco Advanced Services help enable the success of your Cisco PACE solution through a complete portfolio of lifecycle services, dedicated to helping you deploy and use the solution tools. Services are positioned in a three-tier approach:

• Operations consulting services: Assess, define, and optimize your network configuration and change-management processes

• Technical consulting services: Providing integration, custom compliance, policy rules development, and report generation

• Deployment services: Helping you to plan, design, implement, and operate the Cisco PACE solution

Cisco Advanced Services business and technical consultants are experts in operations and network management architectures. They have a deep understanding of problems associated with the deployment and operation of network-configuration and change-management systems and offer expertise based upon extensive design and deployment experiences.
Q. Where can I find more information about the Cisco PACE service offerings?
A. Please view the service data sheet at: http://www.cisco.com/go/pace.

FOR MORE INFORMATION

For more information about the Cisco PACE solution, visit http://www.cisco.com/go/pace or contact your local account representative or send an e-mail to ask-cisco-pace@cisco.com.