Bruce Schneier, the security technologist and author famously said, “Complexity is the worst enemy of security.”
We have been working with some customers who agree strongly with this sentiment because they have been struggling with increasing complexity in their access control lists and firewall rules.
Typical indicators of operational complexity have been:
- The time that it can take for some organizations to update rules to allow access to new services or applications, because of the risks of misconfiguring rules. For some customers, the number of hours defining and actually configuring changes may be an issue, for other customers the biggest issue may be the number of days that it takes to work through change control processes before a new application is actually in production.
- The number of people who may need to be involved in rule changes when there are high volumes of trouble tickets requiring rule changes.
Virtualization tends to result in larger numbers of application servers being defined in rule sets. In addition, we are seeing that some customers need to define new policies to distinguish between BYOD and managed endpoint users as part of their data center access controls. At the same time, in many environments, it is rare to find that rules are efficiently removed because administrators find it difficult to ascertain that those rules are no longer required. The end result is that rule tables only increase in size.
TrustSec is a solution developed within Cisco, which describes assets and resources on the network by higher-layer business identifiers, which we refer to as Security Group Tags, instead of describing assets by IP addresses and subnets.
Those of us working at Cisco on our TrustSec technology have been looking at two particular aspects of how this technology may help remove complexity in security operations:
- Using logical groupings to define protected assets like servers in order to simplify rule bases and make them more manageable.
- Dynamically updating membership of these logical groups to avoid rule changes being required when assets move or new virtual workloads are provisioned.
While originally conceived as a method to provide role-based access control for user devices or accelerate access control list processing, the technology is proving of much broader benefit, not least for simplifying firewall rule sets.
For example, this is how we can use Security Group Tags to define access policies in our ASA platforms:
Being able to describe systems by their business role, instead of where they are on the network, means that servers as well as users can move around the network but still retain the same privileges.
In typical rule sets that we have analyzed, we discovered that we can reduce the size of rule tables by as much as 60-80% when we use Security Group Tags to describe protected assets. That alone may be helpful, but further simplification benefits arise from looking at the actual policies themselves and how platforms such as the Cisco Adaptive Security Appliance (ASA) can use these security groups.
- Security policies defined for the ASA can now be written in terms of application server roles, categories of BYOD endpoints, or the business roles of users, becoming much easier to understand.
- When virtual workloads are added to an existing security group, we may not need any rule changes to be applied to get access to those workloads.
- When workloads move, even if IP addresses change, the ASA will not require a rule change if the role is being determined by a Security Group Tag.
- Logs can now indicate the roles of the systems involved, to simplify analysis and troubleshooting.
- Decisions to apply additional security services like IPS or Cloud Web Security services to flows, can now be made based upon the security group tags.
- Rules written using group tags instead of IP addresses also may have much less scope for misconfiguration.
In terms of incident response and analysis, customers are also finding value in the ability to administratively change the Security Group Tag assigned to specific hosts, in order to invoke additional security analysis or processing in the network.
By removing the need for complex rule changes to be made when server moves take place or network changes occur, we are hoping that customers can save time and effort and more effectively meet their compliance goals.
For more information please refer to www.cisco.com/go/trustsec.
Follow @CiscoSecurity on Twitter for more security news and announcements.
Tags: ASA, byod, security, Security Group tags, TrustSec
Network World recently completed a competitive review of the leading Virtual Private Networking (VPN) products and the Cisco® Adaptive Security Appliance (ASA) and AnyConnect™. With a long history of providing market-leading remote access VPN capabilities and optimal usability, Cisco is honored to receive this recognition from Network World based on their hands-on product testing. Read More »
Tags: anyconnect, ASA, Cisco ASA 5515, Cisco Security, cisco sio, vpn
On April 10, 2013, a collective of politically motivated hacktivists announced a round of planned attacks called #OPUSA. These attacks, slated to begin May 7, 2013, are to be launched against U.S.-based targets. #OPUSA is a follow-up to #OPISRAEL, which were a series of attacks carried out on April 7 against Israeli-based targets. Our goal here is to summarize and inform readers of resources, recommendations, network mitigations, and best practices that are available to prevent, mitigate, respond to, or dilute the effectiveness of these attacks. This blog was a collaborative effort between myself, Kevin Timm, Joseph Karpenko, Panos Kampanakis, and the Cisco TRAC team.
If the attackers follow the same patterns as previously witnessed during the #OPISRAEL attacks, then targets can expect a mixture of attacks. Major components of previous attacks consisted of denial of service attacks and web application exploits, ranging from advanced ad-hoc attempts to simple website defacements. In the past, attackers used such tools as LOIC, HOIC, and Slowloris.
Publicly announced attacks of this nature can have highly volatile credibility. In some cases, the announcements exist only for the purpose of gaining notoriety. In other cases, they are enhanced by increased publicity. Given the lack of specific details about participation or capabilities, the exact severity of the attack can’t be known until it (possibly) happens. Read More »
Tags: advisories, ASA, botnet, botnets, Cisco Security, Cloud Computing, cloud security, data center security, DDoS, exploits, firewall, incident response, IPS, IPS signatures, malware, mitigations, security, targeted attacks, TRAC, vulnerability
The Global Certification Team is proud to announce the FIPS 140-2 crypto certification of the Cisco Adaptive Security Appliance (ASA) family. This certification covered the following models: Cisco ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580-20, ASA 5580-40, ASA 5585-X SSP-10, 5585-X SSP-20, 5585-X SSP-40 and 5585-X SSP-60 Security Appliances. The ASA’s were evaluated at level 2 and earned FIPS certificate #1932 on software version 220.127.116.11.
The Cisco ASA 5500 Series helps organizations to balance security with productivity. It combines the industry’s most deployed stateful inspection firewall with comprehensive next-generation network security services. More information on the Cisco ASA family can be found on Cisco.com!
Get up to the minute updates on Cisco product certifications from the official Cisco Global Certification Team twitter, @CiscoCertTeam!
FIPS-140 is a US and Canadian government standard that specifies security requirements for cryptographic modules. A cryptographic module is defined as “the set of hardware, software, and/or firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.” The cryptographic module is what is being validated.
Tags: 5500, 5505, 5510, 5520, 5540, 5550, 5580, 5585, adaptive, appliance, ASA, security, SSP-10, SSP-20, SSP-40, SSP-60
I recently interviewed Mike Geller, a 15-year Cisco veteran and a security architect, who focuses on securing infrastructure, devices, and services delivered by service and cloud providers to governments, enterprises, and end users. I asked Mike to discuss three key feature sets that firewalls should have today to enable users to securely access the applications in the data center. This topic is very timely as application control is quite the “in vogue” topic.
#1: Network Integration
Mike takes the position that security is an attribute of the network versus a siloed, bolt-on element. With applications delivered from a combination of the cloud, service provider or hosted data center (the on premise data center at the enterprise or the mobile endpoint), security is pervasive across all domains. Integrating security into the network fabric that is used to deliver key business applications is the only way to offer services at the size and scale of today and tomorrow. How do you approach full integration of security? Let’s break it down. Read More »
Tags: application aware routers, ASA, ASA 1000V, byod, cloud, data center, firewall, integrated security, network integration, secure infrastructure, SecureX, security