Cisco Blogs

Think You Know What’s Going on in Your Network? Think Again!

February 28, 2012 - 15 Comments

One of the most commonly used – yet misunderstood – terms in all of network security is the “next generation firewall”. When we look under the covers, we see that most “next generation” firewalls are still relatively limited, providing only application and user ID awareness. Visibility into how the network is being used might produce a report that makes for a curious read, but there’s so much more going on in your network: application and ID awareness alone don’t go far enough to give administrators actionable security enforcement. For example, knowing which interns are the heaviest Facebook users is one thing; knowing that the majority of their network traffic is due to video uploads to Facebook – and having the ability to disallow those uploads – is quite another.

Think of it this way. In scenarios that require additional context beyond what can be provided by a classic firewall, current next generation firewalls still lack the level of visibility required for administrators to make intelligent security decisions. I liken it to a knock at your door at midnight, and the porch light is out. How many of us would open the door anyway, without knowing who or what is on the other side? Of course, the safest thing to do is to keep the door closed and locked, rather than opening it to a potential threat. That’s exactly what so many firewall administrators are doing today – in fear of opening the network to unknown attacks, they say “no” to users, applications, devices, and new use cases that can tremendously improve the efficiency of the organization.

Unfortunately, the behavior with “next generation” firewalls isn’t much different. Though our porch light may be on now, it’s dim and we can’t see much out of the peephole in the door. What’s more, we only have two options – either completely open the door or leave it completely closed. This is because next generation firewalls don’t offer the level of granularity required, so entire applications must be allowed or denied. Think of a complex application with an array of micro-applications such as Facebook; current next generation firewalls only provide administrators with the capability to “allow” or “deny”, without the additional granularity to “Allow Facebook, but deny Farmville”.

As a result, we still have to be wary of opening the door, since we can’t truly know who or what is out there. Bottom line: unless we’re sure, it’s still safer to say “no”. That means saying no to the growing number and types of devices that are being used to access the corporate network, including iPhones, iPads, and Android devices; it also means locking down applications such as Facebook and Twitter, which have legitimate business uses. So not only is having to always say “no” a dark, lonely place to be – it also puts an artificial cap on corporate productivity!

Today’s announcement of Cisco ASA CX Context-Aware Security changes all of this by extending the ASA platform with unprecedented visibility and control. ASA CX uses the Cisco SecureX framework to gain end-to-end network intelligence from the local network using Cisco AnyConnect Secure Mobility, and to gain near-real-time global threat information from Cisco Security Intelligence Operation (SIO). As a result, ASA CX empowers enterprises to finally say “yes” to applications, devices, and the evolving global workforce while maximizing protection and control.

Going back to our example of a knock at our door, ASA CX is like looking through a picture window at noontime, rather than the peephole at midnight. While the firewall itself is powerful, what really makes ASA CX so exceptional compared with current “next generation” firewalls is its capability to gather extraordinary amounts of intelligence from throughout the local and global network, including deep application visibility; identity of users, as well as the devices they are using to access the network; and proactive, reputation-based threat protection backed by global correlation. It makes this intelligence available in a simple, intuitive interface. This, in turn, enables administrators to truly understand what’s happening throughout the network, so that they can make more informed security decisions and write more effective policies. As a result, they can strike a real balance between flexibility and control!

So now that we know what true visibility really is, who would still settle for making decisions based on looking through the peephole at midnight?

For more information, visit or the following video.

  1. Thanks for a great post. Sadly, in most companies the policy-based security in firewalls is set to allow all and monitor nothing. That is terrifying, but nonetheless a fact in companies without proper attention to IT security. The ASA products are great, but without skilled technicians to set up the right monitoring and policies, most firewalls only function as a common router. Your point in this posting, as I see it, is spot on. Thanks again.

    • Thank you for the great comment, John. It just goes to show, regardless of the topic, simplicity is key!

    • As a businessman, I just ask myself how I can assess another company's security measures. That's one of my biggest problems in this field, because with all these clouds etc. we interact with a lot of other companies and potentially share high-value information. What's your thought about this problem?

  2. Ok, that's what I wanted to know. But still I feel a mix of Layer 3 & 4 & 7 would be the best way to create an effective policy, e.g. "allow any Microsoft application, deny destination port 135". If that is possible on ASA-CX, everything seems to be fine, but if I had to split the policy across two devices, nothing is fine.

    • Well, then you're in luck ... you can create all of your policies on the single device - and manage them all with Cisco Prime Security Manager (the management tool for ASA CX).

  3. I had a look at and I don't understand how ASA-CX improves security by using an ASA. It seems I have to combine two different types of policies. The first one is my ASA policy, which is based on ACLs like:
     access-list 101 permit tcp any host eq ftp
     access-list 101 permit udp any any range 4500 4550
     access-list 101 deny ip any any
     Now, ASA builds its forwarding decision depending on the values of certain protocol header fields. The second policy is the ASA-CX policy, which says:
     allow any user any device access to ftp on
     allow any user any device to use skype
     deny all
     ASA-CX builds its forwarding decision depending on information from higher-level protocols and data. I tried to combine the two policies and unfortunately I do not see any benefit. If ASA-CX works on top of ASA, I only enforce that the port range 4500 4550 is used by Skype. But is that a real benefit? Still I have to enforce a policy on the clients to use Skype and the defined port range. However, I want to allow Skype and I don't want to care about ports and protocols. Wouldn't it be better to drop the ASA policy and have the ASA-CX policy examining all the traffic entering and leaving the network? What do you think?

    • This is a really good question ... I'm going to have one of our technical folks provide a more complete/detailed response, but to give you the "quick" answer, no, you don't have to layer your policies. ASA CX does, indeed, run on top of the ASA, so ASA is still the firewall component. What ASA CX does is extend the existing ASA capabilities by adding the layer 7 context-aware capabilities. However, you don't need to change or replace all of your existing ASA policies, nor do you have to "beef them up" with the new context-aware policies. Your existing Layer 3 / Layer 4 policies will continue to work, so if those are working well for you, there's no need to change anything. But if you need a layer 7 policy to achieve a specific goal (such as preventing specific traffic), then ASA CX can do that for you.

      • But when you say that "CX runs on top of ASA", can you please explain which models you can run CX on. Because what I have heard is that CX is only for the 5585-X model at the moment. True/false? Please read my notes on the subject: Best regards Jimmy Larsson

        • Hi Jimmy, Yes, at the moment, ASA CX is a full-slot hardware module, which runs in the ASA 5585-10 and 5585-20. However, in the near-term future, a software version of ASA CX will be released, which will be supported on the newly released ASA 5500-X Series midrange security appliances.

    • There are two options available with ASA CX. If you are already using Layer 3 & 4 rules on your ASA, you can keep those rules, and in addition to those rules add application-aware policies to allow specific applications while blocking others. As you know, it is not uncommon for customers to have hundreds or even thousands of access rules, so the advantage of this model is that there is no disruption to the current firewall deployment. On the other hand, if you would rather write policies based on Layer 7 inspection and not bother with Layer 3 & 4 rules, that's absolutely possible. You can write policies like:
      - Allow Skype for XYZ users
      - Allow a, b and c applications for another set of users
      - And so on
      - Deny all
      With Layer 3 & 4 rules. Looks like scenario 2 fits your situation better, and ASA CX allows this scenario. The promise of ASA CX is that it does not force a particular model of thinking about application control on customers. You are free to choose the model that works for you. A different model may work for the same customer in two different deployment scenarios, and the firewall must be flexible enough to allow that. This may not apply to you, but many customers want to slowly migrate from model 1 (leverage current firewall rules in the short term, while adding application control capabilities on top) to model 2 (all policies based on applications, users and devices) at their own pace.

      • I would like to add a comment to Navneet's first sentence: "If you are already using Layer 3 & 4 rules on your ASA,..." Is there an alternative to Layer 3 & 4 ACLs on ASA? I never heard about that. However, I can't use the current policy anymore as soon as I am going to filter based on application, because due to a policy on Layer 3 & 4 the application could be blocked. What I have to do then is troubleshooting on Layer 3 & 4 & 7 if a user asks me why Skype doesn't work. So, from a practical point of view, it is not very useful to run a Layer 3 & 4 policy combined with a Layer 7 policy. I just have to do a redesign of the policy.

        • This is a really good question, and unfortunately a bit beyond my level of expertise … I’m going to have one of our technical folks provide a response. Please stand by!

        • Response to abcd's post: Sure. In that case, use scenario 2 that I described above. Coming back to your original Q: >> Wouldn’t it be better to drop ASA policy and have ASA-CX policy examining all the traffic entering and leaving the network? In your scenario, you are exactly right. Don't use any Layer 3 / Layer 4 rules on the ASA. Ask ASA to leave everything alone for Layer 7 inspection. Use ASA CX to create a rule for Skype. As applications like Skype become more "business-usable", many customers would like to redesign their policy, start from scratch, and start creating application-based rules. In that scenario there will be no Layer 3 / Layer 4 rules on ASA which will block traffic. And ASA CX allows you to do that; part of this scenario was shown in the video demo above. You may want to contact your Cisco account team to get a more personalized demo of ASA CX, specifically how you can use Layer 7 for your rules.
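A toy model of the two-layer decision this thread debates, added here as an example (not Cisco's code and not the commenters'): the Layer 3/4 ACL from the question runs first and only flows it permits reach the Layer 7 application policy, which is why a Skype session on a port outside 4500-4550 is dropped before ASA CX ever sees it, and why leaving the ACL out (scenario 2) fixes that. The placeholder FTP host 192.0.2.10, the sample user and device names, and the rule tuples are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Flow:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    app: str        # application as identified by Layer 7 inspection
    user: str = "alice"      # constructed sample user
    device: str = "laptop"   # constructed sample device


# Layer 3/4 ACL from the comment, first match wins, explicit deny at the end.
# 192.0.2.10 is a constructed placeholder for the unnamed FTP host.
L34_ACL = [
    ("permit", "tcp", "192.0.2.10/32", (21, 21)),   # permit tcp any host <ftp> eq ftp
    ("permit", "udp", "0.0.0.0/0", (4500, 4550)),   # permit udp any any range 4500 4550
    ("deny", "ip", "0.0.0.0/0", (0, 65535)),        # deny ip any any
]

# Layer 7 policy from the comment: any user/device may use ftp and skype, deny the rest.
L7_POLICY = [
    ("allow", {"ftp"}, "any", "any"),
    ("allow", {"skype"}, "any", "any"),
    ("deny", None, "any", "any"),
]


def eval_l34(flow, acl):
    """Classic ACL match on protocol, destination address and destination port."""
    for action, proto, net, (lo, hi) in acl:
        if proto not in ("ip", flow.proto):
            continue
        if ip_address(flow.dst_ip) not in ip_network(net) or not lo <= flow.dst_port <= hi:
            continue
        return action
    return "deny"  # implicit deny when no entry matches


def eval_l7(flow, policy):
    """Application/user/device match; ports and protocols play no role here."""
    for action, apps, user, device in policy:
        if apps is not None and flow.app not in apps:
            continue
        if user not in ("any", flow.user) or device not in ("any", flow.device):
            continue
        return action
    return "deny"


def decide(flow, l34_acl=L34_ACL, l7_policy=L7_POLICY):
    """Scenario 1 (both layers): L3/4 is consulted first, so a flow it denies never
    reaches L7. Scenario 2 (l34_acl=[]): the ACL is dropped and L7 decides alone."""
    if l34_acl and eval_l34(flow, l34_acl) == "deny":
        return ("deny", "L3/4")
    return (eval_l7(flow, l7_policy), "L7")
```

Running the same Skype-over-TCP/443 flow through `decide` with and without the ACL shows the troubleshooting problem raised in the thread: the deny comes from Layer 3/4, not from the application policy.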

  4. Well, I agree with your point. More organizations restrict various apps to protect critical data and hamper potential malware attacks into their network, but the more advanced gadgets that allow work to be done on the go have triggered the need for authorising certain common apps that sometimes pose a threat to the network. I hope ASA CX Context-Aware Security detects the potential suspicious activity in time to protect the network from various threats.

    • Hi Usman, Yes, one of the key benefits of ASA CX is that it gains near-real-time global threat information from Cisco Security Intelligence Operation (SIO). As a result, it proactively protects against zero-day threats.