Cisco Blogs


Cisco Blog > Security

Taking Complexity Out of Network Security – Simplifying Firewall Rules with TrustSec

Bruce Schneier, the security technologist and author famously said, “Complexity is the worst enemy of security.”

We have been working with some customers who agree strongly with this sentiment because they have been struggling with increasing complexity in their access control lists and firewall rules.

Typical indicators of operational complexity have been:

  • The time that it can take for some organizations to update rules to allow access to new services or applications, because of the risks of misconfiguring rules. For some customers, the number of hours defining and actually configuring changes may be an issue, for other customers the biggest issue may be the number of days that it takes to work through change control processes before a new application is actually in production.
  • The number of people who may need to be involved in rule changes when there are high volumes of trouble tickets requiring rule changes.

Virtualization tends to result in larger numbers of application servers being defined in rule sets. In addition, we are seeing that some customers need to define new policies to distinguish between BYOD and managed endpoint users as part of their data center access controls. At the same time, in many environments, it is rare to find that rules are efficiently removed because administrators find it difficult to ascertain that those rules are no longer required. The end result is that rule tables only increase in size.

TrustSec is a solution developed within Cisco, which describes assets and resources on the network by higher-layer business identifiers, which we refer to as Security Group Tags, instead of describing assets by IP addresses and subnets.

Those of us working at Cisco on our TrustSec technology have been looking at two particular aspects of how this technology may help remove complexity in security operations:

  • Using logical groupings to define protected assets like servers in order to simplify rule bases and make them more manageable.
  • Dynamically updating membership of these logical groups to avoid rule changes being required when assets move or new virtual workloads are provisioned.

While originally conceived as a method to provide role-based access control for user devices or accelerate access control list processing, the technology is proving of much broader benefit, not least for simplifying firewall rule sets.

For example, this is how we can use Security Group Tags to define access policies in our ASA platforms:

KReganCapture

Being able to describe systems by their business role, instead of where they are on the network, means that servers as well as users can move around the network but still retain the same privileges.

In typical rule sets that we have analyzed, we discovered that we can reduce the size of rule tables by as much as 60-80% when we use Security Group Tags to describe protected assets. That alone may be helpful, but further simplification benefits arise from looking at the actual policies themselves and how platforms such as the Cisco Adaptive Security Appliance (ASA) can use these security groups.

  • Security policies defined for the ASA can now be written in terms of application server roles, categories of BYOD endpoints, or the business roles of users, becoming much easier to understand.
  • When virtual workloads are added to an existing security group, we may not need any rule changes to be applied to get access to those workloads.
  • When workloads move, even if IP addresses change, the ASA will not require a rule change if the role is being determined by a Security Group Tag.
  • Logs can now indicate the roles of the systems involved, to simplify analysis and troubleshooting.
  • Decisions to apply additional security services like IPS or Cloud Web Security services to flows, can now be made based upon the security group tags.
  • Rules written using group tags instead of IP addresses also may have much less scope for misconfiguration.

In terms of incident response and analysis, customers are also finding value in the ability to administratively change the Security Group Tag assigned to specific hosts, in order to invoke additional security analysis or processing in the network.

By removing the need for complex rule changes to be made when server moves take place or network changes occur, we are hoping that customers can save time and effort and more effectively meet their compliance goals.

For more information please refer to www.cisco.com/go/trustsec.

Follow @CiscoSecurity on Twitter for more security news and announcements.

Tags: , , , ,

Summary: Crossing the bridge – Five cloud services you should pay attention to

A number of key applications consumed by businesses through premise-based deployments are now available from the cloud. Irrespective of where you are in the evolution to the cloud, here are five services that are worth your attention.

Read my full article for a closer look!

Tags: , , , , , , , , , , ,

Is Your K-12 Network Ready for Common Core Standards?

What do IT and K12 Common Core Standards have in common? Forty-five states, the District of Columbia, four territories, and the Department of Defense Education Activity have adopted the Common Core State Standards. 100% of each of these states’ schools must update their network infrastructure to support the mandated online testing capabilities. Enter district IT.

Technology is a key component when it comes to achieving the objectives of these standards. The objective is to augment the learning experience through the use of wired and wireless devices and enhance skills such as communication, collaboration, research, critical thinking and tackling problems. The mandate is computer based assessments. This promotes more personalized leaning. The students are also acclimated to use technology effectively for productive life activities in the future.

The combination of common core standards adoption with BYOD or 1:1 initiatives, results in an exponential growth in addressing endpoints, bandwidth, and security. Schools are looking to upgrade their existing networks to be able to handle the current and future requirements of these standards.

Deploy K-12 Common Core-Ready Networks 20140121 Read More »

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Security Realities of IoT (Internet of Things)

January 23, 2014 at 9:00 am PST

Are you a security professional or IT professional just resolving the security issues with BYOD (bring-your-own-device)? Watch out, BYOD was a precursor or warm up exercise to the tsunami just hitting your shores now.

The SANS Institute just completed a survey on the security viewpoints on IoT, predominantly with security and IT professionals.

78% of respondents were unsure of the capabilities for basic visibility and management of Things they will need to secure or lack the capability to secure them.

It seems that, like BYOD, IoT is driven with minimal IT consultation. And it happens with security as an afterthought, with 46% who do not have a policy to drive the visibility and management of IoT devices.

The top security controls used today for securing IoT were 68% authentication/authorization, 65% system monitoring, and 49% segmentation. That translates into Cisco Secure Access solutions that offer superior visibility, robust intelligent platform of critical context, and highly effective unified secure access control. More importantly, this will also help the 74% that rely on manual processes for discovery and inventory of connected device (from previous SANS research).

Over half (67%) are using SIEM (security information and event management) to monitor and collect data to secure IoT. Cisco ISE (Identity Services Engine) integrates with SIEM to bring together a network-wide view of security events supplemented with relevant identity and device context. This provides security analysts the context they need to quickly assess the significance of security events. More details on the ISE and SIEM integration may be found in this new white paper: Cisco ISE Plus SIEM and Threat Defense: Strengthen Security with Context

The research rightfully points out that, of the many categories of Things, the newest category of single-purpose devices typically connected by wireless (and more likely embedded) software will be the most problematic for security. Due to this difficulty, the SANS community (61%) would like the Thing manufacturers to take more responsibility for providing security. While this is a reasonable request, the question is whether they have the expertise to do this when their focus is on the exciting new IoT market opportunities. Weigh in and tell us your outlook on securing this next wave of Things connecting to your network!

The paper on the SANS survey results is in the SANS reading room.

Tags: , , , , , , , ,

Cisco Partner Weekly Rewind – January 17, 2014

January 17, 2014 at 10:51 am PST

Partner-Weekly-Rewind-v2Each week, we’ll highlight the most important Cisco partner news and stories, as well as point you to important, Cisco-related partner content you may have missed along the way. Here’s what you might have missed this week:

Off the Top

While it may not have been one of our own Channels Blogs, John Monaghan posted a great blog today on what’s up next for BYOD.

The BYOD influx of personal devices into the Enterprise causes IT departments numerous challenges. John takes a look at the Cisco BYOD solution and mobile device management (MDM) and how the two must co-exist. It’s a good forecast at where the segment is going and definitely worth a look, especially with the new marketing plays for Cisco BYOD and Connect to the Cloud II. Read More »

Tags: , , , ,