Cisco Blogs


Cisco Blog > Security

Firewall, IPS, and Web Security Without Degrading Performance? Yes You Can Have It All!

February 28, 2012 at 4:00 am PST

In an effort to reduce costs and improve operational efficiency, organizations of all sizes have begun compressing their firewall and other security services into smaller form factors and fewer physical units. Many small and midsized companies have opted for UTMs to run all of their security on a single box. Unfortunately, UTMs have failed to deliver on their promise to deliver true multi-service security. Most UTMs do one or two things really well, but add all the other services as “checkbox” items just to say they have it. Read More »

Tags: , , , , , , , , ,

Think You Know What’s Going on in Your Network? Think Again!

February 28, 2012 at 4:00 am PST

One of the most commonly used – yet misunderstood – terms in all of network security is the “next generation firewall”. When we look under the covers, we see that most “next generation” firewalls are still relatively limited, providing only application and user ID awareness. Visibility into how the network is being used might produce a report that may make for a curious read. But there’s so much more going on in your network, app and ID just don’t go far enough to help administrators with actionable security enforcement. For example, knowing which interns are the heaviest Facebook users is one thing; knowing that the majority of their network traffic is due to video uploads to Facebook – and having the ability to disallow those uploads – is quite another.

Think of it this way. In scenarios that require additional context beyond what can be provided by a classic firewall, current next generation firewalls still lack the level of visibility required for administrators to make intelligent security decisions. I liken it to a knock at your door at midnight, and the porch light is out. How many of us would open the door anyway, without knowing who or what is on the other side? Of course, the safest thing to do is to keep the door closed and locked, rather than opening it to a potential threat. That’s exactly what so many firewall administrators are doing today – in fear of opening the network to unknown attacks, they say “no” to users, applications, devices, and new use cases that can tremendously improve the efficiency of the organization.

Unfortunately, the behavior with “next generation” firewalls isn’t much different. Though our porch light may be on now, it’s dim and we can’t see much out of the peephole in the door. What’s more, we only have two options – either completely open the door or leave it completely closed. This is because next generation firewalls don’t offer the level of granularity required, so entire applications must be allowed or denied. Think of a complex application with an array of micro-applications such as Facebook; current next generation firewalls on provide administrators with the capability to “allow” or “deny”, without the additional granularity to “Allow Facebook, but deny Farmville”.

As a result, we still have to be weary of opening the door, since we can’t truly know who or what is out there. Bottom line, unless we’re sure, it’s still safer to say “no”. That means saying no to the growing number and types of devices that are being used to access the corporate network, including iPhones, iPads, and Android devices; it also means locking down applications such as Facebook and Twitter, which have legitimate business uses. So not only is having to always say “no” a dark, lonely place to be – it also puts an artificial cap on corporate productivity!

Today’s announcement of Cisco ASA CX Context-Aware Security changes all of this by extending the ASA platform with unprecedented visibility and control. ASA CX uses the Cisco SecureX framework to gain end-to-end network intelligence from the local network using Cisco AnyConnect Secure Mobility, and to gain near-real-time global threat information from Cisco Security Intelligence Operation (SIO). As a result, ASA CX empowers enterprises to finally say “yes” to applications, devices, and the evolving global workforce while maximizing protection and control.

Going back to our example of a knock at our door, ASA CX is like looking through a picture window at noontime, rather than the peephole at midnight. While the firewall itself is powerful, what really makes ASA CX so exceptional compared with current “next generation” firewalls is its capability to gather extraordinary amounts of intelligence from throughout the local and global network, including deep application visibility; identity of users, as well as the devices they are using to access the network; and proactive, reputation-based threat protection backed by global correlation. It makes this intelligence available in a simple, intuitive interface. This, in turn, enables administrators to truly understand what’s happening throughout the network, so that they can make more informed security decisions and write more effective policies. As a result, they can strike a real balance between flexibility and control!

So now that we know what true visibility really is, who would still settle for making decisions based on looking through the peephole at midnight?

For more information, visit http://www.cisco.com/go/asacx or the following video.

Tags: , ,

Block a country with my Cisco Router or Firewall

Problem:

We are often asked by customers about how they can prevent traffic from a certain country (let’s say country X) from entering their network. The motivations for doing this could vary. Sometimes a company does not do business with all countries in the world; therefore, the company doesn’t need to be accessible from all countries. Other times it is an issue of trust and security, where an administrator may not want to allow country X to enter their infrastructure. Finally, there are cases where country X has often been incriminated with malicious activity, so an administrator may want to block country X when there is no need for the organization to interact with this country. In this document I present a methodology on how to write a tool that provides the configuration lines to block country X, using your IOS router or ASA/ASASM firewall.
Read More »

Tags: , , , , , ,

Fundamentals of High End Firewalls

November 29, 2011 at 4:25 pm PST

We had fun turning out a few new security oriented fundamentals that we always hope you enjoy.  This one firewall animation is very complimentary to a full TechWiseTV show we recently released..you can see it embedded just after the jump.  Nothing in networking is ever really an apples to apples comparison but it seems like firewall vendors are more full of hot air than anyone.   Read More »

Tags: , , , , , , , ,

Cisco ASA 1000V: The Cloud Ready Firewall

November 28, 2011 at 11:57 am PST

Juniper Reality

In this show, we cover the new ASA 1000V and how this security family represents the oldest yet most future ready security platform.

What is the relevance of a Firewall in today’s modern world where security must encompass every part of increasingly distributed operations? What is really meant by a Cloud Ready Firewall?  What the heck is this new ‘virtual ASA’…didn’t we already have the Virtual Security Gateway?  Perhaps its all just marketing hype…

Or not.

In my estimation, the cloud is overhyped in the short run, but underestimated in the long run.  Every enterprise is now exploring some aspect of a cloud based service model – whether this represents you now or in the future, the notion of a flexible security solution remains important.  Incredible advances for data center infrastructure with the flexibility and speed enabled by the virtualized tools we are all now using – MUST be accompanied by equally capable security tools.

The original maxim still rings true: Security must be addressed at every layer.

Questions we must answer:

Read More »

Tags: , , , , , , , ,