"It is literally driving our product development direction" - how Cisco is redefining networking security to better protect against cyberattacks and human error


At the recent Cisco Live! 2025, I saw the unveiling of Cisco’s new N9300 Series Smart Switches, designed to improve security and networking capabilities for multi-cloud environments and AI workloads.

The new Smart Switches feature Cisco E100 Silicon One network processors and AMD data processing units (DPUs), alongside Hypershield with Cisco Security Cloud Control.

To find out more, I spoke to Tom Gillis, SVP and General Manager of the Cisco Security, Data Center, Internet & Cloud Infrastructure Group, on how the design and implementation of these Smart Switches could help mitigate the threats faced by datacenters today.

Protecting against faulty updates and cyberattacks

2024 saw its fair share of cyber disasters, from the CrowdStrike outage that seemingly took half the world offline to the Salt Typhoon attacks on US telecommunications networks. Although the two events were very different in nature, both were a huge shake-up for the technology and networking industries.

In the CrowdStrike outage, an update pushed live to the Falcon security platform contained an error that caused millions of Windows devices worldwide to hit the blue screen of death (BSOD) on startup. The update had been ‘successfully’ tested before release, but the error was not picked up by the diagnostic software.

“CrowdStrike showed you, if you're putting security updates - which are constantly updating - into a kernel module, it's a nightmare,” Gillis explains. “You push a bad update, it takes the whole system down, a giant global outage, a huge, huge, huge impact." (A CrowdStrike spokesperson later contacted TechRadar Pro to clarify that, as detailed in CrowdStrike’s Root Cause Analysis report, the July 19, 2024 outage was caused by a faulty rapid response content update. Rapid response updates do not execute code in the kernel.)

"So with this Smart Switch architecture, we create isolation between the network and the security stuff.”

The way the Smart Switch works is through a strict separation of networking and security. The networking side runs on the Silicon One processor, and the security side runs on the DPU.

“Our software is running on both of them, but those are independent memory spaces, so the network stuff is updated independent of the Hypershield software that runs on that DPU,” Gillis says.

“The defining characteristic of this category is that you have a network processing element and a security processing element that are sitting in the same box, but they run in different memory space, which means their life cycle is managed independently.”

Gillis explains that by separating the two, security updates can be freely applied to keep the firewall up to date without risking a faulty update causing a shutdown on the networking side.

When it comes to updating the firewall in the Smart Switch, a local AI engine running on the DPU monitors the individual firewalls running on every switch port. At that scale, a single datacenter could have upwards of a million switch ports, each with its own firewall.

What's especially interesting is that it isn’t just one firewall per switch port. To mitigate the risk of a bad update going live, each firewall has a primary data path running the active firewall and a shadow data path running the latest update.

Checks are then constantly run on the infrastructure to monitor important metrics. “The local AI engine is comparing every single [switch port] and looking at packet formulation, jitter, latency, memory utilization, CPU utilization, [making sure] these things are the same, and then we cluster between the two data paths.”

“So without taking the system offline or disrupting, we move flows from the primary to the shadow. It's called a blue green migration. Now the shadow is the primary, and the primary becomes the shadow. We run that for five days, AI engine says things are still the same, and we load the next release,” Gillis explains.
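The primary/shadow rollout Gillis describes is, in effect, a blue-green deployment gated on metric parity. The following is an added illustration written for this article, not Cisco's or Hypershield's code: it models a per-port firewall with a primary and a shadow data path, compares four of the metrics named above (jitter, latency, memory and CPU utilization) day by day, swaps the roles only after five clean days, and rejects a candidate whose metrics drift. The tolerance values, version strings and daily metric samples are constructed assumptions.

```python
"""Constructed model of a primary/shadow (blue-green) firewall rollout gate.

Not Cisco's code: the five-day soak and the metric names come from the
interview; the tolerances, versions and sample readings are assumptions.
"""
from dataclasses import dataclass, field

# Assumed relative tolerances: the shadow path must stay within this
# fraction of the primary path's reading for the day to count as clean.
TOLERANCES = {"jitter_ms": 0.10, "latency_ms": 0.10, "mem_util": 0.05, "cpu_util": 0.05}
SOAK_DAYS = 5  # "We run that for five days"


@dataclass(frozen=True)
class PathMetrics:
    """One observation window of a data path's health counters."""
    jitter_ms: float
    latency_ms: float
    mem_util: float  # fraction of memory in use, 0.0-1.0
    cpu_util: float  # fraction of CPU busy, 0.0-1.0


def deviations(primary: PathMetrics, shadow: PathMetrics, tolerances=TOLERANCES) -> list:
    """Return the metric names where the shadow drifts from the primary beyond tolerance."""
    drifted = []
    for name, tol in tolerances.items():
        base = getattr(primary, name)
        cand = getattr(shadow, name)
        # Zero baseline: any non-zero candidate reading counts as drift.
        limit = abs(base) * tol if base else 0.0
        if abs(cand - base) > limit:
            drifted.append(name)
    return drifted


@dataclass
class PortFirewall:
    """Per-port firewall: flows are served by the primary path while the
    shadow path runs the candidate release and is compared against it."""
    port_id: int
    primary_version: str
    shadow_version: str
    soak_days_clean: int = 0
    history: list = field(default_factory=list)

    def observe_day(self, primary: PathMetrics, shadow: PathMetrics) -> str:
        """Feed one day of metrics; returns 'soaking', 'promoted' or 'rejected'."""
        drift = deviations(primary, shadow)
        if drift:
            # Shadow disagrees with the live path: flows stay put, the
            # candidate is rejected and the soak counter resets.
            self.soak_days_clean = 0
            self.history.append(f"rejected {self.shadow_version}: drift in {','.join(drift)}")
            return "rejected"
        self.soak_days_clean += 1
        if self.soak_days_clean < SOAK_DAYS:
            return "soaking"
        # Blue-green swap: flows move to the shadow, which becomes the primary.
        self.history.append(f"promoted {self.shadow_version} over {self.primary_version}")
        self.primary_version, self.shadow_version = self.shadow_version, self.primary_version
        self.soak_days_clean = 0
        return "promoted"

    def load_next_release(self, version: str) -> None:
        """Stage the next candidate on the now-idle shadow path."""
        self.shadow_version = version
        self.soak_days_clean = 0


def run_rollout(fw: PortFirewall, days) -> list:
    """Apply a sequence of (primary, shadow) daily observations; return the verdicts."""
    return [fw.observe_day(p, s) for p, s in days]


def demo():
    """Constructed scenario: one clean rollout, then a candidate with a memory leak."""
    fw = PortFirewall(port_id=7, primary_version="fw-1.0", shadow_version="fw-1.1")
    healthy = PathMetrics(jitter_ms=0.8, latency_ms=3.1, mem_util=0.42, cpu_util=0.30)
    good_days = [(healthy, PathMetrics(0.82, 3.15, 0.43, 0.31))] * SOAK_DAYS
    verdicts = run_rollout(fw, good_days)          # four 'soaking', then 'promoted'
    fw.load_next_release("fw-1.2")
    leaky = PathMetrics(0.81, 3.1, 0.61, 0.30)      # memory utilization well above primary
    bad_verdict = fw.observe_day(healthy, leaky)    # 'rejected'; flows stay on fw-1.1
    return verdicts, fw, bad_verdict


if __name__ == "__main__":
    verdicts, fw, bad = demo()
    print(verdicts, bad)
    for line in fw.history:
        print(line)
```

The point of the gate is that the candidate release never carries production flows until it has matched the live path for the whole soak period, and a drifting candidate is rejected without ever touching the primary; the memory-utilization check is the one that catches the constructed leaky release.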

When I ask if the recent Salt Typhoon attacks against US telecommunications companies are shifting priorities and focuses for security and design at Cisco, Gillis states that, “it is literally driving our product development direction. It's kind of one of those watershed events, in my opinion.”

“Infrastructure is fundamentally software, and the software is hard to upgrade, and so the vast majority of firewalls and switches and routers are running code that's 6, 12, 24, months old, and these very sophisticated attackers find these vulnerabilities and exploit them.”

“So we're building a different architecture that allows infrastructure to be more resilient and more self-defending,” Gillis says, referring to the design of the latest Smart Switch. “That's the first in a series of steps that we're taking to dynamically defend and instrument infrastructure against attacks like that.”

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.
