In my last post on this topic, I highlighted just how true the words “Work is no longer a place you go, but what you do” really are. We now have the ability to work anytime, anywhere, using any device. As easy as this has made the lives of workers all over the world, it’s made the lives of security administrators immensely difficult. Providing secure access to the corporate network in a borderless world, while still somehow keeping out the bad stuff, has caused traditional security policies to become increasingly difficult to configure, manage, and troubleshoot – the source of inordinate amounts of pain for security administrators.
That’s why Cisco has introduced identity-based firewall security as a new capability of the ASA platform. As the first installation of what will soon become full context-aware security, identity-based firewall security enables security administrators to utilize the plain language names of users and groups in policy definitions. Rather than authoring and managing the growing list of IP addresses to cover every possible location, device, or protocol that may be required for secure access to the network, identity-based firewall security enables security administrators to grant access to “Jeff.” Regardless of where I am or what I’m using for access, I’m still Jeff… so in the simplest case, my administrator can literally write one policy to provide “Jeff” access to the corporate network, rather than six different IP addresses for all the instantiations of Jeff.
Now in reality, the administrator won’t just write one policy. The reason is simple. Just because “Jeff” has been authorized access to the network, it may not be desirable to grant him access to certain applications; or perhaps he has access to certain applications only when he’s on a corporate-owned asset and located inside the firewall. But regardless of how many policies are written at the end of the day, the two main advantages of identity-based firewall security remain the same. First, it dramatically reduces the number of rules that need to be configured to provide secure access to the network. Second, all policies are written in plain language, which greatly simplifies the long-term management of those policies. Since plain language makes it easy for even different administrators to understand what the policy is, and to whom it’s applied, administrators are far more capable of making long-term decisions about those policies than is possible when they’re just looking at a long list of IP addresses.
So let’s see… identity-based firewall security requires fewer policies to be written, and those that are written are easier to understand and modify, as necessary, without inadvertently breaking other policies. Where’s the downside?
Identity-based firewall security functionality is available throughout the ASA product platform, so whether you have an ASA 5510 for your branch office or an ASA 5585-X for your datacenter, you can benefit. This functionality also has the capability to tie in with Cisco content security and IPS modules, enabling traffic from specified users to be redirected to these modules for further inspection.
For more information on identity-based firewall security, view the following video from Cisco product manager Kinshuk Pahare, visit the context-aware security page, or see the “At-A-Glance” overview document.