Cisco Blogs


Cisco Blog > Security

The Three Pillars to Cisco’s Secure Data Center Strategy: Part 1 Segmentation

Last week Cisco announced several new products in it’s Defending the Data Center launch. These included the Cisco Adaptive Security Appliance Software Release 9.0, Cisco IPS 4500 Series Sensors, Cisco Security Manager 4.3, and the Cisco ASA 1000V Cloud Firewall, adding enhanced performance, management, and threat defense capabilities. Core to this launch was also Cisco’s new strategy for developing Secure Data Center Solutions, a holistic approach similar to what Cisco previously did with Secure BYOD. This new strategy integrates Cisco security products into Cisco’s networking and data center portfolio to create validated designs and smart solutions. Organizations that lack bandwidth and resources or the know how to test and validate holistic designs can simply deploy template configurations based on pre-tested environments that cover complete data center infrastructures. These designs enable predictable, reliable deployment of solutions and business services and allow customers infrastructures to evolve as their data center needs change.

In developing this strategy we interviewed numerous customers, partners and field-sales reps to formulate the role of security in the data center and how to effectively get to the next step in the data center evolution or journey, whether you are just beginning to virtualize or have already advanced to exploring various cloud models. Three security priorities consistently came up and became the core of our strategy of delivering the security added value. They are Segmentation, Threat-Defense and Visibility.  This blog series, beginning with segmentation, will provide a deeper dive into these three pillars.

Segmentation itself can be broken into three key areas. Perimeters are beginning to dissolve and many environments are no longer trusted, forcing us to segment compute resources, the network, and virtualized environments to create new boundaries, or zones. Along with segmenting physical components, policies must include segmentation of virtual networks and virtual machines, as well as by function, device, and logical association. Lastly, segmenting access control around networks and resources whether they are compute, network or applications offers a higher level of granularity and control. This includes role-based access and context based access.  Let’s discuss even deeper.

Read More »

Tags: , , , , , , , , , , , , , , , , ,

Global Correlation: IPS + SIO = Greater Protection

The Cisco Intrusion Prevention System (IPS) includes Global Correlation capabilities that utilize real-world data from Cisco Security Intelligence Operations (SIO). We have seen on this blog before how IPS Global Correlation can be used to detect and validate the urgency of emergent threats as well as allow our team to hone the protection capabilities of our IPS Sensors.

Perhaps more fundamentally however, Global Correlation allows Cisco IPS Sensors to filter network traffic using the “reputation” of a packet’s source IP address. The reputation of an IP address is computed by Cisco SensorBase using the past actions of that IP address. IP reputation has been an effective means of predicting the trustworthiness of current and future behaviors from an IP address.

Our team has recently published a new white paper that explores the benefits of IPS Global Correlation and how they relate to various IPS deployment scenarios. I would like to share a couple of items from the white paper and encourage you to read it for more information.

Read More »

Tags: , , ,

Lock It Down or Free It Up?

March 1, 2012 at 12:54 pm PST

On February 29th, Christopher Young, Senior Vice President of Cisco Security, delivered a rousing keynote address at the RSA 2012 conference in San Francisco.

The title and theme of his presentation, “Lock it Down or Free it Up?”, spoke to the dilemma organizations of all sizes face every day. Read More »

Tags: , , , , , , , ,

Cisco IPS Signature Retirement and the Default Configuration

Walter Sulym from the Cisco IPS team explains the signature retirement process and how the default configuration is determined.

Tags: ,

Cisco IPS Sensor Default Signature Configuration Modifications

The threat landscape is an ever evolving environment that must be addressed with constant iteration. Since the Cisco Intrusion Prevention System signature configuration has grown over the past few years, the Cisco Security Research and Operations IPS Signature Development Team performed an exhaustive review of the default IPS signature settings currently shipping. As a result of that analysis, the team will be releasing changes to the default signature set via signature updates in a two-phase process over the course of several months.

Read More »

Tags: , ,