Cognitive Threat Analytics (CTA) Front-End and API Access: New URLs and IP Addresses - Configuration Change Recommended


Problem Description

Cisco Cognitive Threat Analytics (CTA) will be migrated to a new location, which results in new URLs and IP addresses for access and use of the service.

Background

In order to help ensure future flexibility and performance, Cisco CTA will be migrated to the Amazon Web Services (AWS) Cloud.

The migration will take place in two phases:

  • The first phase covers the migration of the CTA Landing Page, CTA Portal, API Services, and Trusted Automated eXchange of Indicator Information (TAXII) service.
  • The second phase covers the migration of the data ingest services.

This document covers the changes related to the first phase of the migration only. A subsequent document that covers the second phase of the migration will be published at a later date.

 

Switchover Details

The switchover is scheduled to take place on Monday, August 20, 2018, 7:00 - 9:00 a.m. CEST (Sunday, August 19 10:00 p.m. - midnight Pacific).

The switchover requires a two-hour maintenance window to resync data from the old data center to the AWS data center. During this window, the CTA user interface, Structured Threat Information eXpression (STIX)/TAXII services, and integration services will be unavailable. Data ingest will continue to accept customer telemetry, but no new devices can be provisioned during the maintenance window.

During the migration, we are not replicating the incident database from the legacy data center to the new location. Instead, the system will migrate only anomalous traffic within the look-back period of 45 days and will independently derive new incidents in the target AWS environment. As a result, the visible history of your incidents is limited to 45 days of anomalous traffic. There might also be slight differences in the incident detail, due to the probabilistic nature of the detection engine.

 

Problem Symptom

As a consequence of the migration, you might need to make changes in order to keep using the service without interruption. Failure to make the needed changes will not result in loss of data analytics, but might result in loss of access to the CTA portal and, if you use a security information and event management (SIEM) solution, might stop the import into it.

Workaround/Solution

The current URLs will stay unchanged but point to new IP addresses after migration. In order to continue to use the service after the completed switchover, you should make these changes:

  1. If you have access control lists (ACLs) in place in your firewall that limit outbound access, and these ACLs are IP address-based, you must add the new IP addresses/ranges. Allow both the AWS Elastic IP (EIP) addresses and the Cisco IP addresses listed in the table.
  2. If you use the API offered by Cisco CTA to export your security data into your own SIEM solution, and you reference Cisco's API by IP address and not by URL, Cisco recommends that you change the setting in your SIEM solution to use the URL. If you cannot use the URL in your SIEM solution, you can change your settings to point to one of the IP addresses, but in that case Cisco cannot guarantee service availability. If you need the service to always be available, you must use the URL, because high availability will be implemented with Domain Name System (DNS).

Refer to the tables for the new as well as the current URLs and IP addresses.

 

Current URLs and IP Addresses

| Service Description | Service URL | Service IP |
|---|---|---|
| CTA public landing page | https://cognitive.cisco.com/ | 108.171.128.81 |
| CTA login page | https://td.cloudsec.sco.cisco.com/CWSP/ | 108.171.128.81 |
| CTA TAXII service | https://taxii.cloudsec.sco.cisco.com | 108.171.128.84 |

 

New URLs and IP Addresses

| Service Description | Service URL | Service IP |
|---|---|---|
| CTA public landing page | https://cta.eu.amp.cisco.com/ and https://cognitive.cisco.com/ (alias) | AWS EIPs: 34.242.41.248, 34.242.94.137, 34.251.54.105. Cisco IPs: 146.112.59.0/24, 208.69.38.0/24 |
| CTA login page | https://cta.eu.amp.cisco.com/ and https://td.cloudsec.sco.cisco.com/CWSP/ (alias) | AWS EIPs: 34.242.41.248, 34.242.94.137, 34.251.54.105. Cisco IPs: 146.112.59.0/24, 208.69.38.0/24 |
| CTA TAXII service | https://cta.eu.amp.cisco.com/taxii and https://taxii.cloudsec.sco.cisco.com (alias) | AWS EIPs: 34.242.41.248, 34.242.94.137, 34.251.54.105. Cisco IPs: 146.112.59.0/24, 208.69.38.0/24 |
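
One way to verify step 1 of the workaround before the switchover, as an added example that is not part of Cisco's notice: the script checks whether an outbound permit list fully covers every new address and range from the table above. The function name, the one-entry-per-rule input format, and the sample ACL are assumptions made for illustration.

```python
import ipaddress

# New CTA destinations, copied from the "New URLs and IP Addresses" table.
CTA_NEW_DESTINATIONS = [
    "34.242.41.248", "34.242.94.137", "34.251.54.105",  # AWS EIPs
    "146.112.59.0/24", "208.69.38.0/24",                 # Cisco IP ranges
]


def uncovered_destinations(acl_permits, required=CTA_NEW_DESTINATIONS):
    """Return the required destinations the permit list does not fully cover.

    acl_permits: IPv4 hosts or CIDR strings allowed outbound, one per rule
    (hypothetical export format; adapt the parsing to your firewall).
    """
    permits = [ipaddress.ip_network(p, strict=False) for p in acl_permits]
    # Collapsing merges adjacent and overlapping rules, so a /24 that is
    # permitted as two /25 rules is still recognised as covered.
    merged = list(ipaddress.collapse_addresses(permits))
    missing = []
    for entry in required:
        net = ipaddress.ip_network(entry)
        if not any(net.subnet_of(m) for m in merged):
            missing.append(entry)
    return missing


# Constructed sample ACL: one AWS EIP was forgotten and one Cisco range
# was only half permitted.
SAMPLE_ACL = [
    "108.171.128.81",     # current landing/login page address
    "108.171.128.84",     # current TAXII address
    "34.242.41.248",
    "34.242.94.137",
    "146.112.59.0/25",    # together with the next rule covers the /24
    "146.112.59.128/25",
    "208.69.38.0/25",     # only half of 208.69.38.0/24
]

if __name__ == "__main__":
    for dest in uncovered_destinations(SAMPLE_ACL):
        print("not fully permitted:", dest)
```

An empty result means every published destination is reachable under the permit list; any entry returned needs a rule added before the maintenance window ends.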

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Comments
Not applicable

Good detail...easy navigation