Cisco Blogs


Cisco Blog > Security

Taking Complexity Out of Network Security – Simplifying Firewall Rules with TrustSec

Bruce Schneier, the security technologist and author famously said, “Complexity is the worst enemy of security.”

We have been working with some customers who agree strongly with this sentiment because they have been struggling with increasing complexity in their access control lists and firewall rules.

Typical indicators of operational complexity have been:

  • The time that it can take for some organizations to update rules to allow access to new services or applications, because of the risks of misconfiguring rules. For some customers, the number of hours defining and actually configuring changes may be an issue, for other customers the biggest issue may be the number of days that it takes to work through change control processes before a new application is actually in production.
  • The number of people who may need to be involved in rule changes when there are high volumes of trouble tickets requiring rule changes.

Virtualization tends to result in larger numbers of application servers being defined in rule sets. In addition, we are seeing that some customers need to define new policies to distinguish between BYOD and managed endpoint users as part of their data center access controls. At the same time, in many environments, it is rare to find that rules are efficiently removed because administrators find it difficult to ascertain that those rules are no longer required. The end result is that rule tables only increase in size.

TrustSec is a solution developed within Cisco, which describes assets and resources on the network by higher-layer business identifiers, which we refer to as Security Group Tags, instead of describing assets by IP addresses and subnets.

Those of us working at Cisco on our TrustSec technology have been looking at two particular aspects of how this technology may help remove complexity in security operations:

  • Using logical groupings to define protected assets like servers in order to simplify rule bases and make them more manageable.
  • Dynamically updating membership of these logical groups to avoid rule changes being required when assets move or new virtual workloads are provisioned.

While originally conceived as a method to provide role-based access control for user devices or accelerate access control list processing, the technology is proving of much broader benefit, not least for simplifying firewall rule sets.

For example, this is how we can use Security Group Tags to define access policies in our ASA platforms:

KReganCapture

Being able to describe systems by their business role, instead of where they are on the network, means that servers as well as users can move around the network but still retain the same privileges.

In typical rule sets that we have analyzed, we discovered that we can reduce the size of rule tables by as much as 60-80% when we use Security Group Tags to describe protected assets. That alone may be helpful, but further simplification benefits arise from looking at the actual policies themselves and how platforms such as the Cisco Adaptive Security Appliance (ASA) can use these security groups.

  • Security policies defined for the ASA can now be written in terms of application server roles, categories of BYOD endpoints, or the business roles of users, becoming much easier to understand.
  • When virtual workloads are added to an existing security group, we may not need any rule changes to be applied to get access to those workloads.
  • When workloads move, even if IP addresses change, the ASA will not require a rule change if the role is being determined by a Security Group Tag.
  • Logs can now indicate the roles of the systems involved, to simplify analysis and troubleshooting.
  • Decisions to apply additional security services like IPS or Cloud Web Security services to flows, can now be made based upon the security group tags.
  • Rules written using group tags instead of IP addresses also may have much less scope for misconfiguration.

In terms of incident response and analysis, customers are also finding value in the ability to administratively change the Security Group Tag assigned to specific hosts, in order to invoke additional security analysis or processing in the network.

By removing the need for complex rule changes to be made when server moves take place or network changes occur, we are hoping that customers can save time and effort and more effectively meet their compliance goals.

For more information please refer to www.cisco.com/go/trustsec.

Follow @CiscoSecurity on Twitter for more security news and announcements.

Tags: , , , ,

Access Control with Cisco TrustSec: Moving from “IP Addresses” to “Roles and Attributes”

Today’s enterprise is a highly dynamic, and hyper connected environment where IT plays a critical role in connecting the users, devices, resources and corporate IT systems. Today’s employees are also highly mobile in nature and do not necessarily have a single workspace assignment. The IT departments are constantly being challenged by the organization’s Line of Business owners to keep up with the pace of rolling out new services to address market needs, while keeping up with user expectations.

At the same time, IT departments also are responsible for ensuring business continuity and an uninterrupted service. However, the toughest challenge that any IT organization faces is implementing a security architecture which not only satisfies the compliance and industry regulatory requirements, but also provides a sufficient amount of protection against unauthorized access, data breaches, etc.

The traditional way to implement a security architecture in this kind of an environment is by implementing security rules in Firewall for traffic traversing the network’s extranet/intranet or data-center perimeters. For implementing security policies within an organizations network, Identity-Based Networking using IEEE 802.1X is generally used. Read More »

Tags: , , , , , , , , , , , ,

Security: Front and Center at Cisco Live Cancun 2013

November 12, 2013 at 5:00 am PST

This year I was honored to be able to present and participate at Cisco Live Cancun, which took place last week. Many attendees from North, Central and South America and the Caribbean came to discover innovative ways that networking technologies can help them reach new markets and understand which solutions are right for their specific challenges.

Security was a hot topic this year!

Customers were able to connect with numerous experts for guidance and advice on security IT challenges that their company may be facing. Maintaining an appropriate security posture in “Bring Your Own Device” (BOYD) environments can be a challenge. This year I delivered a presentation about BYOD Security and Cisco’s TrustSec in an 8 ½ hour session titled “Bring Your Own Device – Architectures, Design and Operation” (TECRST-2020). Implementing BYOD requires a comprehensive solution that ensures the security and reliability of the network while enhancing user experience and productivity. The exponential growth of consumer devices and the need to maintain continuous connectivity to corporate and Internet resources has brought new challenges to corporate networks. Network managers struggle to provide adequate connectivity to employees while protecting corporate data. This session focused on the architecture and framework required to deploy the proper network infrastructure, security components and device management to support different endpoints, each with unique permissions into the network. A combination of lectures and live demos provided the information needed for customers to build an effective BYOD solution. The latest Cisco Validated Design guide (CVD) 2.5 for BYOD was covered highlighting different BYOD use cases, including TrustSec, converged access and the integration with Mobile Device Managers (MDM) to receive device posture information. Read More »

Tags: , , , , , , , , ,

Demystifying the Catalyst: Cisco Context Aware Secure Access (Security Group Tags – SGT) Technology

In this blog, let us take a look at how Catalyst access switches enable and enforce context aware access to IT resources.

Many types of devices, including laptops, smartphones, and tablets, are used by end users to connect to the network wired, wirelessly, and remotely through VPN. With bring your own device (BYOD) access, the devices can be personal or corporate owned. Every enterprise has policies that dictate who can access what applications and databases, when and how. Traditionally, IT manages the policy either by introducing appliances at points in the campus where users connect or by manually configuring all the access switches. Appliances incur additional capital and operational expenses, whereas manual configuration of the switches requires maintenance of every switch. Moreover, the network can carry traffic using Ethernet, IPv4, IPv6, or other technologies, so the configuration must keep up with changes in technology, which leads to higher operational complexity and costs.

Read More »

Tags: , , , , , , , ,

DCID Protection Level 3 and Multi-tenant Cloud

The former Director of Central Intelligence Directives 6/3 established specific protection levels based on an information system’s assessed level of concern. In 2008  The Office of the Director of National Intelligence (ODNI) began releasing Intelligence Community Directives (ICD) that were to eventually supersede the DCID. I’m no longer an active practitioner of Certification and Accreditation so it is unclear to me whether the ICD 500 series has actually superseded or cancelled the DCID 6/3. From my interactions over the past 18 months I’m thinking that the DCID 6/3 is still alive combined with specific ICD 500 guidance and 800-53. Regardless, in my opinion the DCID 6/3 offers some great legacy guidance for multi-tenant clouds.

Read More »

Tags: , , , , , , , , ,