One of the most commonly used – yet misunderstood – terms in all of network security is the “next generation firewall”. When we look under the covers, we see that most “next generation” firewalls are still relatively limited, providing only application and user ID awareness. Visibility into how the network is being used might produce a report that may make for a curious read. But there’s so much more going on in your network, app and ID just don’t go far enough to help administrators with actionable security enforcement. For example, knowing which interns are the heaviest Facebook users is one thing; knowing that the majority of their network traffic is due to video uploads to Facebook – and having the ability to disallow those uploads – is quite another.
Think of it this way. In scenarios that require additional context beyond what can be provided by a classic firewall, current next generation firewalls still lack the level of visibility required for administrators to make intelligent security decisions. I liken it to a knock at your door at midnight, and the porch light is out. How many of us would open the door anyway, without knowing who or what is on the other side? Of course, the safest thing to do is to keep the door closed and locked, rather than opening it to a potential threat. That’s exactly what so many firewall administrators are doing today – in fear of opening the network to unknown attacks, they say “no” to users, applications, devices, and new use cases that can tremendously improve the efficiency of the organization.
Unfortunately, the behavior with “next generation” firewalls isn’t much different. Though our porch light may be on now, it’s dim and we can’t see much out of the peephole in the door. What’s more, we only have two options – either completely open the door or leave it completely closed. This is because next generation firewalls don’t offer the level of granularity required, so entire applications must be allowed or denied. Think of a complex application with an array of micro-applications such as Facebook; current next generation firewalls on provide administrators with the capability to “allow” or “deny”, without the additional granularity to “Allow Facebook, but deny Farmville”.
As a result, we still have to be weary of opening the door, since we can’t truly know who or what is out there. Bottom line, unless we’re sure, it’s still safer to say “no”. That means saying no to the growing number and types of devices that are being used to access the corporate network, including iPhones, iPads, and Android devices; it also means locking down applications such as Facebook and Twitter, which have legitimate business uses. So not only is having to always say “no” a dark, lonely place to be – it also puts an artificial cap on corporate productivity!
Going back to our example of a knock at our door, ASA CX is like looking through a picture window at noontime, rather than the peephole at midnight. While the firewall itself is powerful, what really makes ASA CX so exceptional compared with current “next generation” firewalls is its capability to gather extraordinary amounts of intelligence from throughout the local and global network, including deep application visibility; identity of users, as well as the devices they are using to access the network; and proactive, reputation-based threat protection backed by global correlation. It makes this intelligence available in a simple, intuitive interface. This, in turn, enables administrators to truly understand what’s happening throughout the network, so that they can make more informed security decisions and write more effective policies. As a result, they can strike a real balance between flexibility and control!
So now that we know what true visibility really is, who would still settle for making decisions based on looking through the peephole at midnight?
Forensic analysis of IOS images can be a tricky science, due in part to the diversity in IOS image versions and branches. Between IOS 11 and IOS 12.4, over five thousand different images were built, a quarter of which belong to the 12.2 train. Some IOS trains are in more widespread use than others, just as some hardware platforms are more popular than others, but even when narrowing down by feature-set or hardware, there is a large diversity of images. There are however, some steps that can be taken, both while the IOS device is running, as well as offline, that can help determine the integrity of an IOS image.
Last year at the RSA security show, Cisco announced the SecureX security strategy. SecureX is designed to help organizations address security from a holistic perspective, rather than a siloed approach, using an integrated framework of innovative new security devices blended with the security-aware network. This approach allows organizations to truly address critical issues like BYOD and the consumerization of network enabled devices, the transition to virtualized data centers and cloud-based computing, the flood of data coming from social media sites and the use of new high-bandwidth services such as video collaboration, and the spread of sophisticated new attacks aimed at your organization’s soft spots. Cisco also announced powerful new tools to increase the reach and efficacy of security. The first was the addition of context awareness to security and network devices to add real granular control over users and devices. We also announced a powerful new policy-based solution, the Cisco Identity Services Engine, which allows organizations for the first time ever to truly take control of security policy creation, deployment, enforcement, and management. Next, we announced the broadening of our Security Intelligence Operations that allows us to fine tune our entire family of security solutions in real-time with actionable data gathered from hundreds of thousands of sensors located across the globe. Cisco SIO is now the largest threat telemetry service in the world. And in the year since that announcement we have continued to deliver innovative new devices and technologies designed to address security issues, from the endpoint, across the edge and branch, and out across the virtualized data center and cloud environments. So this year, at RSA 2012, Cisco will announce our plans to continue to drive innovation and revolutionize security through our SecureX strategy. For those of you heading out to this year’s event, here is a sneak peek at what you can expect: Read More »
We are often asked by customers about how they can prevent traffic from a certain country (let’s say country X) from entering their network. The motivations for doing this could vary. Sometimes a company does not do business with all countries in the world; therefore, the company doesn’t need to be accessible from all countries. Other times it is an issue of trust and security, where an administrator may not want to allow country X to enter their infrastructure. Finally, there are cases where country X has often been incriminated with malicious activity, so an administrator may want to block country X when there is no need for the organization to interact with this country. In this document I present a methodology on how to write a tool that provides the configuration lines to block country X, using your IOS router or ASA/ASASM firewall. Read More »
It’s that time of year again. The annual RSA security show brings together all the major security vendors under one roof for a week of training, announcements, and vendors hawking their latest wares. This year we can expect the usual cadre of legacy security vendors with their stand-alone, siloed products pretending that they now support clouds and mobile workers and BYOD. Booth babes, jugglers, magicians, and flashy giveaways will fill the exhibit halls while vendors play shell games with the security of customers, all adding a cacophony of noise to an already confusing situation.
Amidst all the hoopla and fanfare, however, Cisco Systems, the largest security vendor in the world, will be there with perhaps the only reasonable strategy for securing the networks organizations are creating today.