One of the most commonly used – yet misunderstood – terms in all of network security is the “next generation firewall”. When we look under the covers, we see that most “next generation” firewalls are still relatively limited, providing only application and user ID awareness. Visibility into how the network is being used might produce a report that makes for a curious read. But there’s so much more going on in your network; application and user ID awareness alone just don’t go far enough to help administrators with actionable security enforcement. For example, knowing which interns are the heaviest Facebook users is one thing; knowing that the majority of their network traffic is due to video uploads to Facebook – and having the ability to disallow those uploads – is quite another.
Think of it this way. In scenarios that require additional context beyond what can be provided by a classic firewall, current next generation firewalls still lack the level of visibility required for administrators to make intelligent security decisions. I liken it to a knock at your door at midnight, and the porch light is out. How many of us would open the door anyway, without knowing who or what is on the other side? Of course, the safest thing to do is to keep the door closed and locked, rather than opening it to a potential threat. That’s exactly what so many firewall administrators are doing today – in fear of opening the network to unknown attacks, they say “no” to users, applications, devices, and new use cases that can tremendously improve the efficiency of the organization.
Unfortunately, the behavior with “next generation” firewalls isn’t much different. Though our porch light may be on now, it’s dim and we can’t see much out of the peephole in the door. What’s more, we only have two options – either completely open the door or leave it completely closed. This is because next generation firewalls don’t offer the level of granularity required, so entire applications must be allowed or denied. Think of a complex application with an array of micro-applications, such as Facebook; current next generation firewalls only provide administrators with the capability to “allow” or “deny”, without the additional granularity to “Allow Facebook, but deny Farmville”.
As a result, we still have to be wary of opening the door, since we can’t truly know who or what is out there. Bottom line: unless we’re sure, it’s still safer to say “no”. That means saying no to the growing number and types of devices that are being used to access the corporate network, including iPhones, iPads, and Android devices; it also means locking down applications such as Facebook and Twitter, which have legitimate business uses. So not only is having to always say “no” a dark, lonely place to be – it also puts an artificial cap on corporate productivity!
Going back to our example of a knock at our door, ASA CX is like looking through a picture window at noontime, rather than the peephole at midnight. While the firewall itself is powerful, what really makes ASA CX so exceptional compared with current “next generation” firewalls is its capability to gather extraordinary amounts of intelligence from throughout the local and global network, including deep application visibility; identity of users, as well as the devices they are using to access the network; and proactive, reputation-based threat protection backed by global correlation. It makes this intelligence available in a simple, intuitive interface. This, in turn, enables administrators to truly understand what’s happening throughout the network, so that they can make more informed security decisions and write more effective policies. As a result, they can strike a real balance between flexibility and control!
So now that we know what true visibility really is, who would still settle for making decisions based on looking through the peephole at midnight?
The Global Certification Team is proud to have a presence at RSA 2012 at the Moscone Center in San Francisco!
We will be taking part in several talks and presentations, including the following:
The CC Forum Interim Steering Committee -- This time will be used for both the Terms of Reference working group and the Governance working group.
Open Group Trusted Technology Forum (O-TTF) -- The O-TTF is developing a set of best practice requirements and recommendations for Supply Chain Security that, when practically applied, create a business benefit for the technology acquirer in terms of reduced risk of acquiring tainted or counterfeit products.
“Lock it down or Free it Up” -- Special keynote address by Christopher Young, Senior Vice President, Security and Government Group, Cisco -- Wednesday February 29, 3:10 p.m.
Be sure to check out this link for the live stream of the Keynote addresses.
We are looking forward to meeting with our peers from around the globe. If you are attending any of the above workshops or talks, look for us!
Forensic analysis of IOS images can be a tricky science, due in part to the diversity of IOS image versions and branches. Between IOS 11 and IOS 12.4, over five thousand different images were built, a quarter of which belong to the 12.2 train. Some IOS trains are in more widespread use than others, just as some hardware platforms are more popular than others, but even when narrowing down by feature set or hardware, there is a large diversity of images. There are, however, some steps that can be taken, both while the IOS device is running and offline, that can help determine the integrity of an IOS image.
The New York Times’ Nicole Perlroth filed an alarming account of government and corporate network vulnerabilities that comes across like a briefing dossier read by James Bond aboard a Heathrow-Beijing flight. But it does the good work of putting a critical technology issue before a broad audience.
“Traveling Light in a Time of Digital Thievery” (NYT, Feb. 10) details extraordinary counter-espionage precautions taken in China by prudent travelers and their organizations. Many now leave their usual notebooks, smartphones and tablets safe at home. Some say a device taken into China is never again permitted to touch their corporate network.
Last year at the RSA security show, Cisco announced the SecureX security strategy. SecureX is designed to help organizations address security from a holistic perspective, rather than a siloed approach, using an integrated framework of innovative new security devices blended with the security-aware network. This approach allows organizations to truly address critical issues like BYOD and the consumerization of network-enabled devices, the transition to virtualized data centers and cloud-based computing, the flood of data coming from social media sites and the use of new high-bandwidth services such as video collaboration, and the spread of sophisticated new attacks aimed at your organization’s soft spots. Cisco also announced powerful new tools to increase the reach and efficacy of security. The first was the addition of context awareness to security and network devices to add real granular control over users and devices. We also announced a powerful new policy-based solution, the Cisco Identity Services Engine, which allows organizations for the first time ever to truly take control of security policy creation, deployment, enforcement, and management. Next, we announced the broadening of our Security Intelligence Operations, which allows us to fine-tune our entire family of security solutions in real time with actionable data gathered from hundreds of thousands of sensors located across the globe. Cisco SIO is now the largest threat telemetry service in the world. And in the year since that announcement we have continued to deliver innovative new devices and technologies designed to address security issues, from the endpoint, across the edge and branch, and out across the virtualized data center and cloud environments. So this year, at RSA 2012, Cisco will announce our plans to continue to drive innovation and revolutionize security through our SecureX strategy. For those of you heading out to this year’s event, here is a sneak peek at what you can expect: