Cisco Blogs


Cisco Blog > Security

The Continuum Approach for Secure Mobility

May 5, 2014 at 6:00 am PST

A couple weeks ago, we spoke about the mobility journey and the phases that organizations take as they embrace the widely accepted mode of mobility—Beyond BYOD to Workspace Mobility (device-focus, application-focus and experience-focus). Whatever phase your organization is in, security is a top priority. These phases can help determine your secure mobility approach but your risk aversion level will also define it. Whatever your risk tolerance, the mobile threat landscape is extremely active and clever—do not underestimate it.

The dynamic nature of mobile threats does not stop by simply entering from your mobile device but it can further propagate and manifest across the network, wired devices, virtual, cloud and data center environments. So your secure mobility approach must be non-stop, continuous and pervasive—end to end. To hinder the chance of threat damage or inappropriate access whether intentional or not, one must offer comprehensive secure mobile access controls at the access layer across each phase of an attack, before, during and after.

Read More »

Tags: , , , , , , ,

What Next for BYOD?

One of the interesting and challenging aspects of working in the Mobility space is the sheer pace at which the industry is moving.  I’m fortunate to work with many Customers in EMEA to help support and shape their strategy towards Mobile technology.  A great example of this has been the reaction to BYOD.

The influx of personal devices into the Enterprise caused by the BYOD trend poses numerous challenges to IT Departments.  Understandably, initial reaction was to focus on network and device level Security.

Cisco responded by introducing a BYOD Solution to remove some of the burden from IT Departments and provide them with a central point for managing many aspects of the BYOD lifecycle: onboarding, device profiling, authentication, authorization, offboarding and self-service management.

Almost at the same time, a new industry segment was created: Mobile Device Management. The intent of MDM systems is Read More »

Tags: , , , , , , , , , , , , , , , ,

Cisco ISE in the lab.

November 6, 2013 at 7:38 pm PST

My company is in the very early stages of an MDM BYOD project.  As part of that we are looking at the Cisco Identity Service Engine (ISE) as a central piece.  I am about half way through my testing and I thought that I would pass on some of what I have learned so far.  I am far from being an ISE expert and I don’t mention profiling or the advanced features in this post. I have tried them but don’t feel knowledgeable enough to go into these details.

ISE

ISE is an excellent NAC system but it does much more than that.  One of the advantages of trying to configure a new piece of technology yourself is that you learn much more and also other ways to increase the ROI.  The main reason we are interested in ISE is as the enforcement point on our wireless network.  When a device tries to connect to our BYOD network we want ISE to query the MDM server to verify if the device is registered and if not to redirect the device to the MDM provisioning portal.  If the device is registered with MDM ISE will then query AD and verify the user credentials.  This is a core function of ISE and went fairly well. Read More »

Tags: , , , ,

TMA? Get Some Relief from Acronym Overload

I see and hear a variety of acronyms being used on a daily basis. I recently heard one tossed around with good humor that makes a point: TMA or Too Many Acronyms. Every once in a while, when I think I’ve embedded the definition and use of an acronym into my long-term memory (anything beyond an extended weekend), it seems as if either a new acronym was spawned, or it has been overloaded with a different meaning. My goal in this blog post is offer both a refresher on some topical acronyms that appear to be quite commonly circulated in security technology circles and media outlets. It is challenging to be a subject matter expert in every aspect of cyber security. Whether you are reading an article, joining a conversation or preparing for a presentation or certification in the realm of cyber security, you may not be completely perplexed by these acronyms when you come across them and become more familiar with them. For situational purposes, I organized the acronyms into categories where I have seen them used frequently and included related links for each of them.

Network Infrastructure

AAAAuthentication, Authorization, and Accounting. This is a set of actions that enable you to control over who is allowed access to the network, what services they are allowed to use once they have access, and track the services and network resources being accessed.

ACL/tACL/iACL/VACL/PACLAccess Control List. ACLs are used to filter traffic based upon a set of rules that you define. For ACLs listed with a prefix (for example, t=transit, i=infrastructure, V=VLAN (Virtual Local Area Network), P=Port)), these ACLs have special purposes to address a particular need within the network.

FW/NGFW/FWSM/ASASM: Firewall/Next Generation Firewall/Firewall Service Module/Adaptive Security Appliance Services Module. These products provide a set of security features designed to govern the communications via the network. Cisco provides firewall features as a dedicated appliance or hardware module that can be added to a network device such as a router.

IPS: Intrusion Prevention System. Typically, this is a network appliance that is used to examine network traffic for the purposes of protecting against targeted attacks, malware, and application and operating system vulnerabilities. In order to ensure the effectiveness of a Cisco IPS device, it  should be maintained using Cisco’s IPS subscription service.

DNSSECDomain Name System (DNS) Security Extensions. That’s right, we have an acronym within an acronym. These are the specifications for security characteristics that make it possible to verify the authenticity of information stored in DNS. This validation makes it possible to provide assurances to resolvers that when they request a particular piece of information from the DNS, that they receive the correct information published by the authoritative source. Read More »

Tags: , , , , , , , , ,

Identity and Device Aware IT Platforms Make Life Easier

Life is generally a lot easier when you have all the facts.  Especially if those facts are actually accurate.  Nowhere does this ring more true than in the life of an IT professional.

Often times a day in an IT shop is a lot like that grade school game of telephone where information gets passed down the line but gets distorted (or is just plain wrong) because no single player has the complete context.  This scenario gets played out everyday in the IT infrastructure where siloed operations, monitoring and policy platforms only work from the information they possess.  But that information is generally just a snapshot viewed through the bias of that system’s siloed purview.  As a result, mistakes get made, security is substandard or perhaps even dysfunctional, and everything from configuration to event management and investigation takes far longer than it should.  Net-net – time is wasted, costs increase, and many things still don’t work that well.  Read More »

Tags: , , , , , ,