Cisco Blogs

Security – more than just a stateful firewall!

February 24, 2009 - 5 Comments

Security is hot. It has always been. It will always be. If you look at IT-related spending, security budget allocations usually tend to be among the highest. However, having spent nearly 15 years directly and indirectly in various security-related roles, I’ve observed it to be among the most misunderstood areas of technology, as well as one with the largest number of preconceived notions.

Interestingly, many organizations start taking their security requirements more seriously only after they’ve been exposed to an attack of some sort. It could be a virus attack, denial-of-service, data compromise or theft. Though never an afterthought, security considerations are given more prominence after exposure to risk.

Some time back, while speaking at a roadshow, I ran an impromptu survey with the attending audience in three cities before beginning my session. These were a random cross-section of customers from different verticals and varying business sizes, mostly people making business decisions. They were asked to give a true/false response to the questions below. Some words were purposely bolded, to add a blind and make the respondent think:

- My organization is completely secure because I have a stateful firewall
- Most security threats originate from outside the network and can be prevented by installing a firewall at every ingress path
- Installing a self-updating anti-virus package on laptops is sufficient to prevent internal security breaches
- Securing my IP data network helps provide secure voice-over-IP
- Mobile phones cannot transmit viruses as they have to pass through service provider firewalls

Any guesses what a majority of respondents answered? Interestingly, the bolded words, which were incorporated as placebos, threw most people off-track. Everybody had a hearty laugh when they saw the results.
With so many organizations (including Cisco) spending millions of marketing dollars over a decade or more creating security awareness, one would think people get what pervasive security is all about. They don’t, at least not yet. Organic education takes time, as opposed to threat-based education that provides shock value. You may see continued spending of these millions of marketing dollars over the next decade… :-)

As Jimmy Ray Purser states in one of his earlier videos for the Cisco Developer Contest, calling on application developers to think secure, “security is a lot more than just a firewall”. As always, Jimmy Ray stimulates grey cells as only he can.

The truth is, the nature, source and complexity of threats are evolving as we adopt different media for communication and bring different types of devices into the “network”. Today, in an IP-based environment, where mobile phones, microwave ovens and video cameras are all network-addressable devices jostling for attention, anything could be a source of threat, and should be treated accordingly.

And there are other extremes: the people who just don’t trust anything. Here’s an anecdote. For most of us, AES may be inherently secure and widely adopted. However, a number of institutions are mandated not to believe it. They still have their own proprietary encryption algorithms, which they believe provide superior security. It is interesting to recollect that one of the reasons Cisco considered opening their routers was an Eastern European government outfit requesting permission to port their own security algorithm onto the Integrated Services Router instead of the standards-based ones that Cisco supports by default. They didn’t trust AES.

Developers planning applications should think security from day one, and not just application performance or functionality. Security shouldn’t be an afterthought.
Network architects designing network infrastructure security should cross over and consider application security as well. Innovation is not just doing new things. Many times it is connecting the dots and seeing the bigger picture. Typically, we make assumptions about what we don’t know. Our assumptions are only right 50% of the time. Would you let your business be secure half the time?



  1. Cisco has made progress on this issue with things like AutoSecure and Cisco Configuration Professional offering “TAC-approved” IOS Firewall configurations. AutoSecure provides a single-command “device lockdown” process for ISRs that enables rapid implementation of security procedures without requiring extensive knowledge of Cisco IOS Software features. With just one command, you can instantly configure the security posture of your router and disable non-essential system processes and services. This is just one feature that helps to combat misconfigurations.

  2. Siva, you just threw three acronyms in there 🙂

  3. With the CVO solution available with Zero Touch deployment, it really addresses a whole bunch of issues associated with initial (and ongoing) provisioning. With NFP type of technologies, one can enable greater security by turning on only the things you need (you can use CCP/SDM to enable NFP). Even though security is everyone’s job, developers planning security should consult/add security group consultants to their teams. This will help in designing solutions that are more secure.

  4. Yes, operator misconfigurations are certainly a key issue that I’ve seen in the past as well. In fact, we say security is only as strong as the weakest link, and that link is usually the person who configures. That said, many vendors are taking steps to minimize operator error, through stringent reconfirmations before acceptance, having more secure defaults, training and a hierarchical chain of command for policy commits. Admittedly, a lot of these are in place in larger enterprises, and not as much in smaller outfits and mom-and-pop outlets. Cisco has been promoting zero-touch out-of-the-box deployment solutions as well with our Cisco Virtual Office (CVO), Mobility solutions, UC solutions etc. I’ll see if I can get our security guys to pitch in and comment as well.

  5. We have spent a fortune on security and security consultants. Our division is the gatekeeper and I could not agree more. However, you should focus on the misconfiguration errors and their security implications. In a previous role we fired a consultant for misconfiguring our firewall and deviating from certified policies. Perhaps Cisco stuff is complex to configure, though things have improved of late.