February 23, 2009

Security - more than just a stateful firewall!


Security is hot. It has always been. It will always be. If you look at IT-related spending, security budget allocations usually tend to be among the highest. However, having spent nearly 15 years directly and indirectly in various security-related roles, I’ve observed it to be among the most misunderstood areas of technology, as well as one with the most preconceived notions.

Interestingly, many organizations start taking their security requirements more seriously when they’ve been exposed to an attack of sorts. It could be a virus attack, denial-of-service, data compromise or theft. Though never an afterthought, security considerations are given more prominence after exposure to risk.

Sometime back, while speaking at a Roadshow, I ran an impromptu survey with the attending audience in three cities before beginning my session. These were a random cross-section of customers from different verticals, varying business sizes and mostly those making business decisions. They were asked to provide a true/false response to the questions below. Some words were purposely bolded, to add a blind and make the responder think:

- My organization is completely secure because I have a stateful firewall
- Most security threats originate from outside the network and can be prevented by installing a firewall at every ingress path
- Installing a self-updating anti-virus package on laptops is sufficient to prevent internal security breaches
- Securing my IP data network helps provide Secure voice-over-IP
- Mobile phones cannot transmit viruses as they have to pass through service provider firewalls

Any guesses what a majority of respondents answered? Interestingly, the bolded words which were incorporated as placebos threw most people off-track. Everybody had a hearty laugh when they saw the results. With so many organizations (including Cisco) spending millions of marketing dollars over a decade or more, creating security awareness, one would think people get what pervasive security is all about. They don’t, at least not yet. Organic education takes time, as opposed to threat-based education that provides shock value. You may see continued spending of these millions of marketing dollars over the next decade…:-)

As Jimmy Ray Purser states in one of his earlier videos for the Cisco Developer contest, calling application developers to think secure, "security is a lot more than just a firewall". As always, Jimmy Ray stimulates grey cells as only he can.

The truth is that the nature, source and complexity of threats are evolving as we adopt different media for communication and bring different types of devices into the "network". Today, in an IP-based environment, where mobile phones, microwave ovens and video cameras are all different network-addressable devices jostling for attention, anything could be a source of threat, and should be treated accordingly.

And there are other extremes. These are the people who just don’t trust anything. Here’s an anecdote. For most of us, AES may be inherently secure and widely adopted. However, a number of institutions are mandated not to believe it. They still have their own proprietary encryption algorithms, which they believe provide superior security. It is interesting to recollect that one of the reasons Cisco considered opening their routers was an Eastern European government outfit requesting permission to port their own security algorithm on the Integrated Services Router instead of the standards-based ones that Cisco supports by default. They didn’t trust AES.

Developers planning applications should think security from day one and not just application performance or functionality. Security shouldn’t be an afterthought. Network architects designing network infrastructure security should cross over and consider application security as well. Innovation is not just doing new things. Many times it is connecting the dots and seeing the bigger picture. Typically, we make assumptions about what we don’t know. Our assumptions are only right 50% of the time.

Would you let your business be secure half the time? 

Posted by Shashi Kiran at 11:41PM PST

Tags: cisco developer contest, integrated services router, jimmy ray purser, security, applications, stateful firewall

6 Comments

Thomas Warner Feb 25, 2009

We have spent a fortune on Security and Security consultants. Our division is the gatekeeper and I could not agree more. However, you should focus on the misconfiguration errors and security implications. In a previous role we fired a consultant for misconfiguring our firewall and deviating from certified policies. Perhaps Cisco stuff is complex to configure, though things have improved of late.

Michael Tran Feb 27, 2009

Hi, while many people neglect Security because they don’t understand the implications, you should also account for operator misconfigs. In one of my previous roles our university network got blasted because somebody allowed router telnet from outside. Our router guy configured the router like a server for ease of use with no idea about security. Now we have stringent policies.

Shashi Kiran Mar 6, 2009

Yes, operator misconfigurations are certainly a key issue that I’ve seen in the past as well. In fact, we say security is only as strong as the weakest link, and that link is usually the person who configures.

That said, many vendors are taking steps to minimize operator error, through stringent reconfirmations before acceptance, having more secure defaults, training and a hierarchical chain of command for policy commits. Admittedly, a lot of these are in place in larger enterprises, and not as much in smaller outfits and mom-and-pop outlets.

Cisco has been promoting zero touch out-of-the-box deployment solutions as well with our Cisco Virtual Office (CVO), Mobility solutions, UC solutions etc. I’ll see if I can get our security guys to pitch in and comment as well.

Siva Mandalam Mar 9, 2009

With the CVO solution available with Zero Touch deployment, it really addresses a whole bunch of issues associated with initial (and ongoing) provisioning.

With NFP type of technologies, one can enable greater security by turning on things only you need. (you can use CCP/SDM to enable NFP).

Even though security is everyone’s job, developers planning security should consult/add security group consultants in their teams. This will help in designing solutions that are more secure.

Shashi Kiran Mar 9, 2009

Siva, you just threw three acronyms in there *grin*

Erin Winchester Mar 10, 2009

Cisco has made progress on this issue with things like AutoSecure and Cisco Configuration Professional offering "TAC-approved" IOS Firewall configurations.

AutoSecure provides a “single command” device lockdown process for ISRs that enables rapid implementation of security procedures without requiring extensive knowledge of Cisco IOS Software features. With just one command, you can instantly configure the security posture of your router and disable non-essential system processes and services. This is just one feature that helps to combat misconfigurations.
