Ask the DC Security Expert: Three things to know about data center firewall application visibility and control

February 7, 2013

I recently interviewed Mike Geller, a 15-year Cisco veteran and a security architect, who focuses on securing infrastructure, devices, and services delivered by service and cloud providers to governments, enterprises, and end users. I asked Mike to discuss three key feature sets that firewalls should have today to enable users to securely access the applications in the data center. This topic is very timely as application control is quite the “in vogue” topic.

#1: Network Integration

Mike takes the position that security is an attribute of the network rather than a siloed, bolt-on element. With applications delivered from a combination of the cloud, the service provider or hosted data center, the on-premises enterprise data center and the mobile endpoint, security has to be pervasive across all of those domains. Integrating security into the network fabric that delivers key business applications is the only way to offer services at the size and scale required today and tomorrow. How do you approach full integration of security? Let’s break it down.

To properly deliver security services, two fundamental elements are applied: visibility and control. Visibility refers to the ability to see and correlate information from across the carrier cloud, establish what normal looks like, and then measure deviation from that norm. Simply said, “If you can’t measure it, you can’t manage it.” Visibility traditionally comes from network measurements (NetFlow records, analytics, etc.), but the need to measure all aspects of a flow, from every element of the carrier cloud through to the application, has changed both what data we collect and where we collect it. Once the telemetry is collected, a security controller analyzes it and determines, based on policy, which mitigation techniques and controls to apply.

Controls refer to the actions taken to mitigate an attack. Some controls are applied proactively, others after an attack takes place. In a zero-day (0-day) attack, where we have no signature or fingerprint, the security controller identifies deviations from known good behavior and takes action either to mitigate the attack or to obtain additional visibility. Day-one attacks are threats for which we do have a signature or fingerprint and, quite often, a mitigation strategy. Available controls include modifications to the carrier cloud, such as per-hop quality of service changes that minimize the impact of an attack, and the placement of physical and virtual security assets as close to the source of the threat as possible to minimize collateral damage.
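The visibility-and-control loop described in the two paragraphs above, as an added example that is not Cisco's code and not part of the original post: a toy security controller folds NetFlow-style records into a per-source baseline, treats a signature match as a day-one threat (block at the source edge) and a deviation from the baseline as a zero-day candidate (rate-limit at the first hop and mirror the traffic for more visibility). The flow records, the signature table, the thresholds and the control names are all constructed for illustration.

```python
"""Toy security controller in the visibility-and-control model described above.

Added example, not Cisco code: the NetFlow-style records, the signature table and
the thresholds are all constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records exported from the first-hop router:
# (minute, src, dst, dst_port, bytes, packets)
FLOWS = [
    (0, "10.1.1.10", "10.9.0.5", 443, 12_000, 40),
    (0, "10.1.1.11", "10.9.0.5", 443, 9_500, 31),
    (1, "10.1.1.10", "10.9.0.5", 443, 11_800, 39),
    (1, "10.1.1.11", "10.9.0.5", 443, 10_100, 33),
    (2, "10.1.1.10", "10.9.0.5", 443, 12_300, 41),
    (2, "10.1.1.11", "10.9.0.5", 443, 9_900, 32),
    (3, "10.1.1.10", "10.9.0.5", 443, 12_100, 40),
    (3, "10.1.1.11", "10.9.0.5", 443, 9_700, 30),
    (4, "10.1.1.10", "10.9.0.5", 443, 11_900, 40),       # normal
    (4, "10.1.1.11", "10.9.0.5", 443, 250_000, 40_000),  # packet flood, no known signature
    (4, "10.1.1.12", "10.9.0.5", 3389, 2_000, 10),       # matches a known-bad pattern
]

# "Day one" knowledge: (dst, dst_port) pairs with a fingerprint and a ready mitigation (constructed).
SIGNATURES = {("10.9.0.5", 3389): "management port reached from client segment"}


def packets_per_source_minute(flows):
    """Visibility: fold flow records into packets per (src, minute)."""
    counts = defaultdict(int)
    for minute, src, _dst, _port, _nbytes, pkts in flows:
        counts[(src, minute)] += pkts
    return counts


def build_baseline(flows, train_minutes):
    """Learn the 'known good' per-source packet rate (mean, stdev) from the training window."""
    counts = packets_per_source_minute(f for f in flows if f[0] < train_minutes)
    per_src = defaultdict(list)
    for (src, _minute), pkts in counts.items():
        per_src[src].append(pkts)
    return {src: (mean(v), pstdev(v)) for src, v in per_src.items()}


def run_controller(flows, train_minutes, k=3.0):
    """Control: decide one mitigation per source for the minutes after the training window."""
    baseline = build_baseline(flows, train_minutes)
    observed = [f for f in flows if f[0] >= train_minutes]
    actions = []

    # 1. Day-one threats: a signature match gets the strongest control, nearest the source.
    signature_hit = set()
    for _minute, src, dst, port, _nbytes, _pkts in observed:
        if (dst, port) in SIGNATURES:
            signature_hit.add(src)
            actions.append({"src": src, "reason": SIGNATURES[(dst, port)],
                            "control": "block", "enforce_at": "source_edge"})

    # 2. Zero-day handling: no fingerprint, so act on deviation from known good behavior.
    for (src, minute), pkts in sorted(packets_per_source_minute(observed).items()):
        if src in signature_hit:
            continue
        if src not in baseline:
            # Unknown source: the first control is simply to gain visibility.
            actions.append({"src": src, "reason": "no baseline yet",
                            "control": "collect_telemetry", "enforce_at": "source_edge"})
            continue
        mu, sigma = baseline[src]
        sigma = max(sigma, 0.1 * mu)  # floor so a flat baseline does not alarm on noise
        if pkts > mu + k * sigma:
            actions.append({"src": src,
                            "reason": f"minute {minute}: {pkts} pkts vs baseline {mu:.0f}",
                            "control": "rate_limit_and_mirror", "enforce_at": "first_hop"})
    return actions


if __name__ == "__main__":
    for action in run_controller(FLOWS, train_minutes=4):
        print(action)
```

Run as written, the host with the signature match is blocked at the source edge, the host whose packet rate jumps three standard deviations above its learned baseline is rate-limited at the first hop and mirrored for further analysis, and the host that stays within its baseline gets no control at all. The standard-deviation floor is the practical caveat: a very stable baseline has a near-zero deviation, and without the floor ordinary jitter would trip the threshold.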

Visibility and control properly applied to the advanced threats of today offer the carrier cloud a level of protection. We must continue to evolve and grow to keep our networks safe and resilient in the event of an attack.

When a firewall is bolted onto the network as an afterthought, it is considerably harder and less operationally efficient to share any of the network’s capabilities and visibility. Combinations of software and hardware elements that are properly coordinated deliver the controls that enterprises, governments and other customers require.

Cisco builds security intelligence into its routers and switches so that applications, devices, and user policies are not limited to firewalls but shared through the network and security enforcement—the goal being to mitigate threats as close to the source as possible, minimizing collateral damage of the attack. Firewalls and other security controls fit in as an extension of the network and communicate in plug and play fashion with routers and switches, making better decisions based on service-level commitments and requirements.

#2: Integrated Solutions Across Physical and Virtual

Next, the firewall needs to be integrated with virtual machine security, as data centers are increasingly hybrid and applications span a mix of physical, virtual and cloud resources. Two developments, software-defined networks and services delivered from a hosted model, are collapsing security perimeters right into the data center. This environment forces security professionals to change their focus and to gain the flexibility to deploy security assets, whether virtual or physical, at the “right” place in the topology, both statically (managed service) and dynamically (threat defense). As the mix of virtual and physical continues to evolve, security solutions will be offered as service chains of multiple virtual and physical appliances, coordinated to ensure visibility and ease of troubleshooting.

Cisco is leading the evolution of security services by delivering the underlying foundation and architecture, visibility, and controls. Controls take the form of both physical and virtual security assets. The Cisco ASA 1000V and Virtual Security Gateway (VSG) leverage the broader ASA code line and are strongly tied in with the Nexus 1000v virtual hypervisor switch to integrate with vPath for service integration and mobility.

#3: Device Identity Awareness

Identity is a key part of protecting data and ensuring appropriate access and security for applications. Networks must be able to identify devices, take in attributes such as location, and correlate them with security threats and intelligence to produce accurate security policies for application usage in the data center. We have new and existing ways to identify users in the networks we run today; Active Directory is one such method. With the exponential growth of BYOD and the extension of enterprise directories for single sign-on to applications run in the cloud, the integration of traditional firewall capabilities, web security, identity services, and intrusion protection based on reputation and other criteria is a natural evolution of security services. The distributed nature and diverse set of delivery options enable customers to deploy the “right” service in the “right” place, regardless of form factor. This is a key value proposition of the Cisco SecureX architecture.
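How identity, device attributes, location and threat intelligence combine into an application access decision, as an added example that is not Cisco's code and not part of the original post: a first-match policy evaluator looks up the user's directory groups, the device's managed/posture state and the source address's reputation, then walks an ordered rule list. The directory, device inventory, reputation feed, rule set and decision names are all constructed stand-ins; nothing here reflects a particular product's policy model.

```python
"""Identity- and attribute-aware application policy, in the spirit of the section above.

Added example, not Cisco code: the directory, device inventory, reputation feed
and rules are constructed. Evaluation is first-match, most specific rule first.
"""
from dataclasses import dataclass

# Constructed stand-ins for a directory (user -> groups), a device inventory and a reputation feed.
DIRECTORY = {
    "alice": {"finance", "employees"},
    "bob": {"employees"},
    "contractor1": {"contractors"},
}
DEVICES = {
    "lt-0042": {"managed": True, "posture": "compliant"},
    "lt-0099": {"managed": True, "posture": "noncompliant"},
    "phone-7a": {"managed": False, "posture": "unknown"},   # BYOD
}
BAD_REPUTATION = {"203.0.113.77"}   # constructed, documentation-range address


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    src_ip: str
    location: str   # "campus" or "remote"
    app: str


@dataclass(frozen=True)
class Rule:
    app: str              # application name or "*"
    group: str            # directory group or "*"
    managed_only: bool    # require a managed, compliant device
    locations: frozenset  # locations the rule applies to
    decision: str


# Ordered from most to least specific; the final rule is the default deny.
RULES = [
    Rule("erp", "finance", True, frozenset({"campus"}), "permit"),
    Rule("erp", "finance", False, frozenset({"campus", "remote"}), "permit_with_mfa"),
    Rule("erp", "*", False, frozenset({"campus", "remote"}), "deny"),
    Rule("wiki", "employees", False, frozenset({"campus", "remote"}), "permit"),
    Rule("*", "contractors", True, frozenset({"campus"}), "permit"),
    Rule("*", "*", False, frozenset({"campus", "remote"}), "deny"),
]


def evaluate(req):
    """Return (decision, reason) for one application access request."""
    groups = DIRECTORY.get(req.user, set())
    dev = DEVICES.get(req.device, {"managed": False, "posture": "unknown"})

    # Threat intelligence and device posture are correlated before any rule is consulted.
    if req.src_ip in BAD_REPUTATION:
        return ("deny", "source address on reputation blocklist")
    if dev["managed"] and dev["posture"] != "compliant":
        return ("deny", "managed device out of compliance")

    for r in RULES:
        if r.app not in ("*", req.app):
            continue
        if r.group != "*" and r.group not in groups:
            continue
        if r.managed_only and not dev["managed"]:
            continue
        if req.location not in r.locations:
            continue
        return (r.decision, f"rule {r.app}/{r.group}")
    return ("deny", "no matching rule")


if __name__ == "__main__":
    for req in (Request("alice", "lt-0042", "10.1.1.10", "campus", "erp"),
                Request("alice", "phone-7a", "10.1.1.10", "campus", "erp"),
                Request("bob", "lt-0042", "10.1.1.11", "campus", "erp"),
                Request("alice", "lt-0042", "203.0.113.77", "remote", "erp")):
        print(req.user, req.device, req.location, req.app, "->", evaluate(req))
```

The same user reaching the same application gets three different answers depending on the attributes the network can see: a managed device on campus is permitted outright, a BYOD phone is permitted only with step-up authentication, and a source address on the reputation list is denied before the rule list is even consulted. The explicit default-deny rule at the end is what keeps an unanticipated combination of attributes from falling through.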

To learn more about Cisco application awareness and Cisco firewall strategy, see:

Application aware routers (AVC):

ASA 9.0 release, which includes TrustSec support: and ASA-CX module support:
