The Lippis Report Issue 48: Cisco Moves to Proactive Security Management
May 3, 2005 by Nick Lippis

Cisco has become the largest network security provider in the industry. Its self-defending network strategy, and the adaptive threat defense and network admission control (NAC) initiatives, offer both thought leadership and the broadest range of products in the security industry. What Cisco is doing is putting "automated" protections into the network to defend against the harmful effects of viruses, worms and exploits propagating throughout an enterprise network. I've spent some time with Cisco's security experts and what's impressive is the depth and breadth of their thinking. In short, Bill Gates and Steve Ballmer should personally thank John Chambers for the investment he is making in network security to fix what is mostly a Microsoft-inflicted industry problem. But that's a topic for Nick's blog www.lippismedia.com.
The status quo of mitigating attacks once they occur is that IT staff are distracted from nearly every other activity until they contain the exploit, then patch and cleanse the end systems and servers within their networks. This process can take days, depending on the scale of the exploit, and costs real operational dollars, not to mention lost revenue, opportunities and productivity and, perhaps worse, corporate credibility. As we all know, the speed and number of new exploits being unleashed onto the Internet are growing at an uncontrolled rate. The status quo will just not work to stop today's sophisticated hackers and malicious employees. Firewalls help keep out intruders and filter exploits entering an enterprise from the Internet. IDS/IPSs help identify intruders and DoS attacks as they enter the enterprise network and send alarms, a lot of alarms.
Anti-virus software helps keep end systems virus- and worm-free. But these point solutions alone cannot protect an enterprise from the onslaught of exploits being thrown at corporate networks. An all-encompassing approach to network security is needed.
Enter Cisco. A key part of Cisco's network security strategy is the deployment of client software on desktops. The behavioral protection technology within Cisco Security Agent (CSA), together with Cisco Trust Agent (CTA), offers a key benefit: exploits are stopped at the end system before they start propagating throughout the network and infecting other end-points. Cisco's network admission control (NAC) initiative, working in concert with CTA, challenges an end-point's conformance to policy, as defined by policy management, before network admission is allowed. NAC strives to reduce the number of exploits that enter the network, thus dampening "infection amplification" and giving time back to IT staff to be more proactive in their security management.
But no system will be 100% protected and client software plus admission control is not enough to realize proactive security management. Admission control in combination with adaptive threat defenses will be the basis for defending networks and systems against malicious exploits. To protect networks and systems from attack or to minimize their effects, adaptive threat defense technology is evolving in two complementary directions: vertically and horizontally. By vertically I mean that security products which were brought to market as single purpose appliances are being bundled into a set of security functions within one appliance. In the beginning, firewalls were offered on special purpose hardware as were IDS/IPS, VPN, NBAD (network based anomaly detection) and other security products. The vertical movement toward adaptive threat defense is increasingly integrating firewalls, IDS/IPS systems, VPNs (both IPSec and SSL), etc., into one appliance. This integration allows for greater software collaboration between security elements, lowers cost of acquisition and streamlines operations. For example, alarms stemming from the IDS function inspecting VPN flows could cause the firewall software to take action and change its rules to block this VPN flow. More on vertical adaptive threat defense in a moment.
In horizontal adaptive threat defense, a network becomes more responsive to a broad set of possible attacks and threats by having its security functions work together as a system. In this model the network has the power to shut down or compartmentalize segments, VLANs, end-points, ports, flows, etc. In short, the network is very adaptive and powerful in its ability to automate the mitigation of attacks in near real time. The important ingredient in horizontal threat defense is a shift from relying upon signature-based defenses toward "behavioral" ones. Most exploits have a defined signature that can be identified and mitigated against. This is what your anti-virus software is doing when you download updates: it's importing new definitions and signatures of known exploits so they can be recognized on your system and deleted before they do harm. The problem with the signature-based approach is that the hackers have won this arms race. There are just too many exploits to keep up with, and an exploit such as Code Red was able to get by signature-based defenses undetected. To make the point, CERT, the Center of Internet Security Expertise, a federally funded research and development center operated by Carnegie Mellon University, has stopped counting the number of incidents reported on Internet-connected systems. So how do you defend against a dizzying, seemingly exponential number of exploits coming at your network? The answer: look for bad behavior. And that's just what Cisco's CSA does, in addition to providing a distributed personal firewall and application lockdown capability.
Horizontal threat defense initiatives that combine signature defenses with behavioral anomaly detection embedded in client software and in vertical threat defense appliances are coming. But it will take a few business cycles for behavioral-based horizontal threat defense to be realized: the technology is not fully ready, and for that matter neither are IT managers ready to use it. Yes, there are behavioral anomaly detection devices available today in both host- and network-based intrusion detection as well as anti-DDoS. These devices and software are very useful, but they are used to detect and alarm, not necessarily to take action. A good exception is the Cisco (previously Riverhead) Guard and Detector products, which mitigate DDoS attacks thanks to their behavioral anomaly detection and their method of dropping offending packets while allowing legitimate traffic to pass through. It's the automated mitigation function that leaves network executives a bit uneasy right now. Network executives and CIOs have to gain confidence and trust in highly automated threat defenses before they turn on the auto-pilot. This trust will be gained over time. In short, it is going to take a few business cycles before IT and network executives become comfortable with high levels of adaptive mitigation, which involves shutting down parts of the network to contain outbreaks. While broadly based horizontal adaptive threat defense mechanisms may be a 2006/2007 event, vertical consolidation of security features is well underway. In fact even today's vertical adaptive threat defense appliances, when combined with behavioral defenses, will go a long way toward allowing network security administration to shift from a reactive to a proactive posture, giving staff proper time to schedule patches, contain outbreaks and get out of the security crisis mode of operation.
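As an added illustration of the control loop described in the last three paragraphs (an IDS alarm changing firewall rules, signature versus behavioral detection, and the operator's unease with auto-mitigation), here is a small Python model of both detection styles feeding an automated response with guard rails. This is not code from the report, from Cisco, or from any CSA, IPS or ASA product. The traffic records are constructed; the Code Red signature is reduced to the ".ida?" request fragment that worm used; and the fan-out threshold, scoring weights, score threshold and block TTL are assumed tuning values, not figures from the page.

```python
"""Toy model of signature and behavioral detection driving a bounded,
time-limited firewall response. Added illustration, not Cisco code.
All traffic below is constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since start of the (constructed) capture
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent, if any


# Constructed sample traffic. 10.1.1.5 sends a Code Red-style .ida probe,
# 10.1.1.7 fans out to 30 hosts on tcp/445 in under 3 s (worm-like scanning),
# 10.1.1.3 is an authorised vulnerability scanner doing the same thing, and
# 10.1.1.9 is an ordinary web client.
FLOWS = (
    [Flow(0.0, "10.1.1.5", "10.2.0.10", 80, b"GET /default.ida?NNNNNNNNNNNN HTTP/1.0"),
     Flow(0.5, "10.1.1.9", "10.2.0.10", 80, b"GET /index.html HTTP/1.1")]
    + [Flow(1.0 + i * 0.1, "10.1.1.7", f"10.2.0.{20 + i}", 445, b"") for i in range(30)]
    + [Flow(10.0 + i * 0.1, "10.1.1.3", f"10.2.0.{20 + i}", 445, b"") for i in range(30)]
)

# Simplified content signature (assumption: a real IPS signature is richer).
SIGNATURES = {"code-red-ida-probe": b"/default.ida?"}


def signature_detect(flows, signatures=SIGNATURES):
    """Return (src, 'signature:<name>') for every payload matching a known pattern."""
    return [(f.src, f"signature:{name}")
            for f in flows for name, pat in signatures.items() if pat in f.payload]


def behavioral_detect(flows, window=5.0, max_fanout=20):
    """Return (src, 'behavior:fanout:<port>') for a source that reaches more than
    max_fanout distinct destinations on one port within `window` seconds.
    No signature is needed: this is simply what a scanning worm looks like."""
    by_key = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_key[(f.src, f.dport)].append(f)
    hits = []
    for (src, port), fl in by_key.items():
        for i, first in enumerate(fl):
            dsts = {g.dst for g in fl[i:] if g.ts - first.ts <= window}
            if len(dsts) > max_fanout:
                hits.append((src, f"behavior:fanout:{port}"))
                break
    return hits


class Mitigator:
    """Turns detections into time-limited source shuns, with the guard rails an
    operator wants before trusting auto-mitigation: a protected list that is
    never blocked, a dry-run mode, a score threshold and a TTL on every block."""
    WEIGHTS = {"signature": 2, "behavior": 1}  # assumed weights: one anomaly is weaker evidence

    def __init__(self, protected=(), enforce=False, ttl=600.0, threshold=1):
        self.protected = set(protected)
        self.enforce = enforce
        self.ttl = ttl
        self.threshold = threshold
        self.shuns = {}   # src -> expiry time
        self.log = []

    def handle(self, detections, now):
        score = defaultdict(int)
        for src, reason in detections:
            score[src] += self.WEIGHTS[reason.split(":")[0]]
        for src, s in sorted(score.items()):
            if s < self.threshold:
                continue
            if src in self.protected:
                self.log.append(f"{now:.0f}s skip {src}: score {s} but host is protected")
            elif not self.enforce:
                self.log.append(f"{now:.0f}s dry-run {src}: would shun (score {s})")
            else:
                self.shuns[src] = now + self.ttl
                self.log.append(f"{now:.0f}s shun {src} for {self.ttl:.0f}s (score {s})")
        return self.active_shuns(now)

    def active_shuns(self, now):
        """Expire old shuns and return the set still in force."""
        self.shuns = {s: exp for s, exp in self.shuns.items() if exp > now}
        return set(self.shuns)


def run(flows=FLOWS, now=15.0, **mitigator_opts):
    """Run both detectors over the flows and hand the results to a Mitigator."""
    detections = signature_detect(flows) + behavioral_detect(flows)
    m = Mitigator(**mitigator_opts)
    m.handle(detections, now)
    return detections, m


if __name__ == "__main__":
    _, m = run(protected=["10.1.1.3"], enforce=True)
    print("\n".join(m.log))
```

Run it in dry-run mode first (the default) and read the log; set enforce=True only once the dry-run decisions match what an operator would have done by hand, and keep the protected list populated with scanners, monitoring hosts and infrastructure that must never be shunned. Raising threshold to 2 requires a signature match, or two independent anomalies, before any block is made, which is one way to earn the trust the article says auto-mitigation still lacks.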
The above provides context to the two important security products Cisco announced at Interop last week: the ASA (Adaptive Security Appliance) and Phase II of its very popular Integrated Services Routers (ISR). In this Lippis Report we'll take a look at the ASA first, as it represents a solid product example of vertical adaptive threat defense. In the next Lippis Report we'll focus on ISR Phase II.
The ASA is an appliance that sits in the line of traffic. A typical configuration would place the ASA between a LAN backbone and a router. It offers an advanced PIX firewall that can be virtualized into 25 logical firewalls; more on the design possibilities in a moment. The ASA also sports IPS, SSL and IPSec VPNs, plus network-based anti-virus protection. The VPN functionality is based upon Cisco's VPN 3000. The key attribute and innovation here is the integration of all these security functions into one device. This both reduces acquisition cost, by reducing the number of devices that need to be purchased, and simplifies administration, with a single management interface to configure and manage five security services through a unified policy framework. What I like about the ASA is its ability to support up to 25 logical instances (security contexts) of its firewall. Two security contexts are included, enough to support active/active failover, and customers can purchase licenses for 5, 10, 20 or 50 contexts, with the maximum varying by platform. In an enterprise, a network designer may choose to firewall departments such as finance from engineering, or to firewall off certain applications from certain employees. In short, with logical firewalls, the flexibility to segment departments, users, data, work product, applications, etc. is realized without physically placing firewalls in various locations around the enterprise. With both SSL and IPSec VPN support, most remote access scenarios are covered by the ASA: knowledge workers working from home, partners linking in, branch-to-branch VPN tunnels and mobile workers VPNing into the corporate network can all be supported.
The network-based anti-virus protection provides virus mitigation, spyware, adware and malware detection and control, plus malicious mobile code mitigation. The IPS provides broad attack detection, granular packet inspection, application control and dynamic response to threats. All that adds up to the IPS helping against application misuse and known DoS and hacking attacks. It is the totality of these five security services (firewall, SSL VPN, IPSec VPN, IPS and network-based Anti-X) in one appliance, and their ability to interwork, that raises the protection and threat defense of an enterprise network. With all of these functions incorporated in the ASA, it is capable of higher-level network security analysis, such as application layer inspection, protocol anomaly detection, heuristic analysis and generation of a "traffic normalization" profile.
As mentioned above, vertical adaptive threat defense products offer greater security with less administration and capital cost, and the ASA delivers on that promise. The ASA 5500 series comprises three products which vary in performance and price: the 5510, 5520 and 5540 support 300 Mbps, 450 Mbps and 650 Mbps for $3,495, $7,995 and $16,995 respectively. Each product is equipped with four tri-speed 10/100/1000 ports, is packaged in a 1 RU form factor, has an expansion slot for future use and a 10/100 out-of-band management port. All products are diskless, eliminating disk crashes and maximizing uptime.
It´s the totality of Cisco´s network security efforts that separate it as a trusted networks leader. There is no other networking company that is approaching network security as comprehensively as Cisco. This observation is based upon products like CSA, Cisco Guard, the ASA and ISR Phase II, which we´ll discuss next time, and the Trusted Networks vision which Cisco is articulating and toward which it is building.