Lippis Report 188: Cisco Deepens the Visibility and Control Attributes of the SecureX Framework to Deliver Context-Aware Mitigation

SecureX is the network security framework that Cisco launched last year. The company has now deepened SecureX to bolster its ability to provide SecOps greater visibility of applications and network traffic, and control of network security resources to mitigate exploits faster and more effectively by providing context- aware security information brought on by Bring Your Own Device or BYOD plus cloud computing applications and services. Cisco achieves this through its new ASA-CX Context-Aware Security capabilities, expanded support for Security Group Tagging or SGT within TrustSec enabled devices, and the addition of device profiling functionality in the IOS of its routers, switches and wireless access points. All of this security technology works with its Identity Services Engine or ISE—Cisco’s identity and access control policy platform.

Cisco Systems Catalyst 6500 Sup2T VSS Throughput Performance

Visit the Link

One of the key differentiators of the Cisco SecureX framework is the power of its ability to mitigate threats. Much of that power is delivered through ASA CX, continued innovation in TrustSec plus ISE and extension of TrustSec services into the network infrastructure devices. There is no other industry player that offers this totality of threat protection.

Networks Become Context Aware via ASA CX

ASA CX and TrustSec offer important proof points of SecureX. ASA CX delivers context-aware security. Why is context so important to threat mitigation? Without context, security personnel have little information with which to judge the severity of a threat. It’s analogous to someone knocking on your front door at midnight and opening it with no lights on the porch. You just don’t know if it’s your child coming home late, having forgotten her keys, or a criminal with malicious intent. Do you really want to open the door and grant access to your home? Without the level of visibility provided by context awareness, SecOps has been forced to deny access to mobile devices and applications, since it lacked sufficient information to determine if granting access posed a potential threat.

The Emergence Of A Virtualization Stack For Cloud Ready Data Centers

Visit the Link

Today’s network and security management tools may provide security personnel with information regarding the type of device accessing a network—be it a mobile device, desktop, IP Phone, etc.—but they don’t have information concerning WHO is using the device as their view is relegated to an IP address and/or User ID. SecOps may have some sense of what the device is but its view is limited. Going back to our midnight-door-knocking analogy, they don’t know if it’s their child or a criminal at the door.

Enter context aware network security. Cisco ASA CX pulls information from the local network, SecureX technologies such as AnyConnect (Cisco’s secure mobility solution) and ScanSafe (Cisco’s cloud-based web security service), plus global threat information from Cisco Security Intelligence Operations or SIO. ASA CX then uses this information to provide end-to-end intelligence, so that SecOps can make informed security decisions. ASC CX combines all of this network intelligence to essentially turn on the porch light for SecOps by providing it with deep visibility into who and what is attempting to access the corporate network.

Alcatel-Lucent OmniSwitchTM 6900-X40

Visit the Link

SecOps will see exactly what device is trying to access the network, how that device is accessing the network (wired, wireless, 3G, VPN), where that device is located (inside or outside the network) and the person using the device. For example, SecOps may see a network access request from “Brian’s” cell phone. ASA CX provides SecOps with a full view of the device and user seeking network access and the applications he wishes to use. In this case, it can identify Brian’s cell phone number, device description such as an iPhone 4 running iOS 5.01 and what he’s trying to access. As a result, SecOps can make more intelligent security decisions and safely enable devices, applications and new use cases. As a result, IT business leaders can feel safe in allowing BYOD and all the productivity improvements it offers.

In addition, once a device has been profiled and a user has been authenticated, Cisco TrustSec is able to attach a security policy to the data coming from that device provided by the Cisco Identity Services Engine. So once that device is allowed onto the network, the network then enforces where it can go and what it can do, thereby extending perimeter access control to the entire distributed network environment.

Building an Intelligent Mobile Edge Network

Listen to the Podcast

Equipped with this level of visibility, SecOps is placed into a position where it can comfortably say “yes” to new devices and applications on the network, assuming they fall into corporate policy.

Rich Policy Language

Cisco Prime Security Manager, the management interface for ASA CX, allows SecOps to write security policies that match business security policies. Policies are created on ASA CX via simple written language such as “block application” or “block microapplication,” “allow posting to social network,” but “block games on social network,” etc.

Cisco Simplifies Network Virtualization via Easy Virtual Network

Listen to the Podcast

ASA CX generates detailed reports that articulate what is going on in the network, and how effective the policies are being implemented.

ASA CX recognizes a thousand applications plus some 75,000 micro-applications! This means that SecOps can create finely-tuned policy. For example, Facebook is a proverbial gray area application where it has traditionally not been viewed as a business application but there clearly are legitimate business uses for Facebook. Therefore, a policy can be written to allow marketing to view, text, and post videos on Facebook, but block Facebook games. Sales, on the other hand, may have view and text privileges only, while Finance access to Facebook is blocked, altogether.

IBM On A Smart Network Fabric

Listen to the Podcast

This level of granularity is great for application control, but Peer-to-Peer or P2P applications, such as Skype, that hop ports and protocols require special attention. Therefore, rather than requiring SecOps write fifty different policies to block Skype and fail because Skype will re-route to a different port or protocol, ASA CX enables SecOps to simply write “Block Skype.”

By defining policy in plain English, rather than with obscure firewall policy commands, policy creation has been abstracted to natural language to promote tighter integration between business policy and enforcement. This rich policy language allows SecOps to define policy simply, providing nearly unlimited degrees of freedom to place business process into policy based upon individual, group, device access, etc.

Multivendor Network Architectures, TCO and Operational Risk

Get the White Paper

Visibility and control are not mutually exclusive. As the old adage goes, “you can’t manage what you don’t measure.” ASA CX delivers end-to-end visibility by aggregating intelligence from SecureX and SIO; it provides granular control based largely on that visibility.


Cisco TrustSec is an architecture that consists of authentication, authorization, policy enforcement and value-added network services. The latest version of TrustSec provides visibility as to who, what, when and how devices are accessing the network. In addition, the TrustSec umbrella is now decoupling physical topology from user connectivity type, which provides greater network access options securely.

Arista Advanced Event Management

Get the White Paper

For example, consider a 900-site corporation that consists of nearly 1,000 VLANs. A mobile executive traveling to one of those 900 sites requires his/her office IT environment to follow him/her to keep productive. Typically, tracking an executive would require a VLAN that’s specific for the executive traffic class in all 900 sites. Firewalls would then use these 900 VLAN IP subnet ranges to authorize the executive traffic. This would require creating VLANs for every classification of user groups in the enterprise and implementing their associated IP subnets in to firewalls. With TrustSec and SGT, NetOps classifies users into groups but does not have to update firewalls with IPs/subnets as their firewall rules and security policy are defined via the abstraction of SGT. Thus, the executive is free to travel the corporation with his/her office IT available at every port he/she connects into without configuring firewalls.

Security Group Tagging or SGT

To achieve this level of secure mobility, Cisco has introduced SGT. During an 802.1x handshake, a 16-bit policy tag is assigned to the user/device pair by inserting it into the device’s data packets which then follows the pair throughout a corporate network. The SGT is linked to context-based access authorization policy for that user/device. Therefore, when that user/device requests access to certain resources, whether Internet or corporate based, the network identifies the tag and permissions associated with it, including such dynamic elements as where the user/device is located and how he/she/it is connecting to the network, granting or denying IT resource access independent upon geographic location and network port. SGTs are much like employee badges that allow or deny access to buildings and resources.

Your World Has Changed Is It time to Think about Unified Communications?

Get the White Paper

SGT scales very well with over 65,000 available tag categories that can be blended dynamically depending on a set on contextual information. In addition group tags enable efficient use of tag space as one tag category can provide an element of access authorization to a large number of employees based on their role within the organization. TrustSec secures an IT infrastructure for mobility through the support of TrustSec embedded in Cisco routers, switches and wireless access points. TrustSec allows users to access the network without regard to network access type and geographic location—be it in a Starbucks, campus, remote office, home office, etc. In conjunction with Cisco’s ISE, TrustSec delivers network wide visibility into every user and device on the network, and granular control over what network resources they can access.

Consider Avani. She is using both her corporate-provided laptop connected into a wired connection as well as her iPad connected wirelessly. As long as tags and associated policies are defined and allowed for the laptop and iPad, then Avani will be granted access. Even though Avani is using the same user ID and password, Cisco TrustSec may provide very different levels of network access for each device, based on policy, allowing her iPad to only access email, for example, while allowing her laptop to access additional internal resources.

A Massive 40GbE Test Report on the Extreme Networks BlackDiamond® X8Data Center Switch

Get the White Paper

In addition to tag-based geographic and network access type independence, the Cisco ISR G2 and ASR, as well as its wireless access devices also support SGT that includes both policy tagging and tag enforcement functionality on these platforms. Therefore, SecureX is evolving so that SecOps can centrally define policy and expand its enforcement from wired to wireless, and even VPN access, independent upon geographic location.

Cisco’s investment in SecureX with ASA CX and expanded TrustSec device profiling plus SGT within its family of network devices offers increased BYOD, cloud computing application and services access, as well as application visibility and control. All of this together makes Cisco the only firm to deliver such a rich set of context-aware security in the industry, allowing IT business leaders to reap the benefits of BYOD and cloud securely.

Comments are closed.