Information and characteristics

The Cisco Cyber Vision solution can have a 2-tier or 3-tier architecture made of:

  • Edge sensors, which are installed in the industrial network. These sensors are dedicated to capturing network traffic, decoding protocols using the Cisco Deep Packet Inspection engine, and sending meaningful information to the Cisco Cyber Vision Center.

  • The Cisco Cyber Vision Center, a central platform gathering data from all the Edge Sensors and acting as the monitoring, detection and management platform for the whole solution.

  • Optionally, a third-tier Global Center to which all Centers are connected, for a central view of all Centers deployed within an organization for alerting, reporting and management functions.

To safeguard the data collected from the industrial network and ensure maximum reliability, the Center includes a RAID storage array. It also includes redundant internal cooling fans (x3) and dual hot-swappable power supplies.

During the installation of the Center, you will have the opportunity to set up Center data synchronization to a Global Center. However, if you choose to set up a global infrastructure, you must install the Global Center first, then the Centers, and finally the sensors.

Networks or segments involved

From the Cisco Cyber Vision perspective, three important networks are involved with the platform:

  • The Administration network, used to access the Center User Interface (UI) and interact with authorized external services (NTP, DNS, API, SIEM, etc.).

  • The Collection network, used to manage all Cisco Cyber Vision sensors. This network must be isolated from the plant's operational traffic (separate VLAN/subnet).

  • The Acquisition/Industrial network, used for all industrial plant traffic and/or external interconnection under consideration that will be analyzed by the sensors (SPAN traffic collected).

[Figure: Example of a Cisco Cyber Vision installation (without Global Center)]

Configuring single or dual interface (not applicable to a Global Center)

For security reasons, it is recommended to use the Center on two separate networks, respectively connected to the following interfaces:

  • The Administration network interface (eth0), which gives access to the user interface.

  • The Collection network interface (eth1), which connects the Center to the sensors.

The Center provides two dedicated and separate 10 Gigabit Ethernet network ports to connect to these two networks.

However, in case of incompatibility with the industrial network infrastructure or for limited environments, you can use a single network interface (eth0).

Refer to the Cisco Cyber Vision Architecture Guide for more information about defining the Cisco Cyber Vision environment configuration.
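
As an added example (not part of the Cisco documentation), the following Python script checks a planned Center network layout against the separation rules described above: Collection isolated from plant traffic, and Administration on eth0 kept separate from Collection on eth1. The plan dictionary layout, the function name, and all subnets and VLAN IDs are assumptions constructed for illustration; this is not a Cyber Vision configuration format.

```python
import ipaddress

def check_center_plan(plan):
    """Return findings for a planned Center layout (hypothetical plan format).

    plan["networks"]:   name -> {"cidr": str, "vlan": int} for
                        "administration", "collection", "industrial"
    plan["interfaces"]: Center interface name -> network name
    """
    findings = []
    nets = {name: (ipaddress.ip_network(n["cidr"]), n["vlan"])
            for name, n in plan["networks"].items()}
    adm_net, adm_vlan = nets["administration"]
    col_net, col_vlan = nets["collection"]
    ind_net, ind_vlan = nets["industrial"]

    # Collection must be isolated from plant traffic: separate subnet and VLAN.
    if col_net.overlaps(ind_net):
        findings.append("FAIL: collection subnet overlaps industrial subnet")
    if col_vlan == ind_vlan:
        findings.append("FAIL: collection and industrial share a VLAN")

    ifaces = plan["interfaces"]
    if set(ifaces) == {"eth0"}:
        # Permitted fallback, but the recommended separation is lost.
        findings.append("WARN: single-interface mode, administration and "
                        "collection share eth0")
    else:
        if ifaces.get("eth0") != "administration":
            findings.append("FAIL: eth0 is not on the administration network")
        if ifaces.get("eth1") != "collection":
            findings.append("FAIL: eth1 is not on the collection network")
        if adm_net.overlaps(col_net) or adm_vlan == col_vlan:
            findings.append("FAIL: administration and collection are not "
                            "separate networks")
    return findings

# Constructed sample plans (addresses and VLAN IDs are illustrative only).
GOOD_PLAN = {
    "networks": {"administration": {"cidr": "10.10.1.0/24", "vlan": 10},
                 "collection": {"cidr": "10.10.2.0/24", "vlan": 20},
                 "industrial": {"cidr": "192.168.50.0/24", "vlan": 50}},
    "interfaces": {"eth0": "administration", "eth1": "collection"},
}
BAD_PLAN = {
    "networks": {"administration": {"cidr": "10.10.1.0/24", "vlan": 10},
                 "collection": {"cidr": "192.168.50.128/25", "vlan": 50},
                 "industrial": {"cidr": "192.168.50.0/24", "vlan": 50}},
    "interfaces": {"eth0": "administration"},
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_center_plan(plan) or "no findings")
```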