<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Lippis Report &#187; network security</title>
	<atom:link href="http://lippisreport.com/tag/network-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://lippisreport.com</link>
	<description>Resources for Network / IT Business Decision Makers</description>
	<lastBuildDate>Tue, 07 Feb 2012 13:50:46 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Which Network Services Need To Be Available In Modern Networks?</title>
		<link>http://lippisreport.com/2012/01/which-network-services-need-to-be-available-in-modern-networks/</link>
		<comments>http://lippisreport.com/2012/01/which-network-services-need-to-be-available-in-modern-networks/#comments</comments>
		<pubDate>Mon, 16 Jan 2012 13:00:03 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Data Center Switching]]></category>
		<category><![CDATA[Enterprise Mobility]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[Featured Download]]></category>
		<category><![CDATA[Mobile Computing]]></category>
		<category><![CDATA[Network Infrastructure]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Podcasts]]></category>
		<category><![CDATA[Thought Leader Podcast Series]]></category>
		<category><![CDATA[10GbE]]></category>
		<category><![CDATA[1GbE]]></category>
		<category><![CDATA[40GbE]]></category>
		<category><![CDATA[campus networking]]></category>
		<category><![CDATA[catalyst 6500]]></category>
		<category><![CDATA[desktop virtualization]]></category>
		<category><![CDATA[enterprise networking]]></category>
		<category><![CDATA[NetFlow]]></category>
		<category><![CDATA[network design]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[network services]]></category>
		<category><![CDATA[video]]></category>
		<category><![CDATA[WLAN]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5661</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/Shweta_Goyal.jpg"><img src="http://lippisreport.com/wp-content/uploads/Shweta_Goyal.jpg" alt="" title="Shweta Goyal" width="66" height="88" class="alignright size-full wp-image-5718" /></a>Modern corporate networks are under increasing pressure to support a wider variety of applications thanks to mobile and cloud computing, desktop virtualization plus video traffic having skyrocketed.  Not only are bandwidth rates increasing from 1 to 10 to 40 GbE,…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/wp-content/uploads/Shweta_Goyal.jpg"><img src="http://lippisreport.com/wp-content/uploads/Shweta_Goyal.jpg" alt="" title="Shweta Goyal" width="66" height="88" class="alignright size-full wp-image-5718" /></a>Modern corporate networks are under increasing pressure to support a wider variety of applications now that mobile and cloud computing, desktop virtualization and video traffic have skyrocketed.  Not only are bandwidth rates increasing from 1 to 10 to 40 GbE, but, most importantly, network services are needed to manage and support a different application portfolio mix and network access methods.  Network services such as firewalls, WLANs, network diagnostics and monitoring plus application performance acceleration are needed to deliver a consistently excellent user experience.  Cisco recently announced an upgrade to its popular Catalyst 6k with the availability of the Supervisor 2T that included revamped high-performance service modules to deliver these network services.  Shweta Goyal, product line manager at Cisco Systems, joins me to discuss which network services need to be available in modern networks.  </p>
<p>Download “A Comprehensive Testing of Cisco Systems Catalyst 6500 Sup2T” report <a href="http://lippisreport.com/?p=5455">here</a>.  </p>
<p><a href="http://lippisreport.com/2012/01/which-network-services-need-to-be-available-in-modern-networks/">Listen to the Podcast</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2012/01/which-network-services-need-to-be-available-in-modern-networks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lippis Report 176: PCI 2.0: Maintaining Compliance in a Mobile, Cloud and Virtualized IT World</title>
		<link>http://lippisreport.com/2011/07/lippis-report-176-pci-2-0-maintaining-compliance-in-a-mobile-cloud-and-virtualized-it-world/</link>
		<comments>http://lippisreport.com/2011/07/lippis-report-176-pci-2-0-maintaining-compliance-in-a-mobile-cloud-and-virtualized-it-world/#comments</comments>
		<pubDate>Tue, 26 Jul 2011 03:14:32 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[CleanAir]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Lippis]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[WLAN]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=5126</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>It seems like every week or so there is news of a massive cyber attack where criminals get away with stealing credit card and other personal data on the order of tens of millions of individual records.  Sony, Bank of…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/wp-content/uploads/nicklippis.jpg"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>It seems like every week or so there is news of a massive cyber attack where criminals get away with stealing credit card and other personal data on the order of tens of millions of individual records.  Sony, Bank of America, Epsilon, Nintendo, the International Monetary Fund, the US Senate and CIA are but a few of the targets for high-profile cyber attacks that took place in 2011. According to a recent study by the Ponemon Institute, “cyber attacks have recently become more harsh and recurrent. At least 90% of the IT practitioners surveyed claimed that they had experienced one or more cyber breaches within the last year, and 89% of these respondents could not identify the source of these breaches.”</p>
<p>To mitigate and avoid these breaches and protect credit card information, the Payment Card Industry (PCI) Security Standards Council issued PCI Data Security Standard (DSS) 2.0 in late 2010.  The emphasis of PCI DSS 2.0 is two-fold: 1) provide increased protections not addressed in the previous standard (i.e., wireless and virtualized infrastructure) and 2) maintain compliance. All of the breached organizations above were in compliance at some time but failed to maintain it, which exposed their customers to hackers and ultimately led to their being breached. In short, PCI DSS 2.0 is about being vigilant in maintaining security.</p>
<p>In the data center, virtualized servers are now defined within PCI and guidance is given on how to secure them given that all hypervisors are deemed insecure. In addition, wireless detection methods were expanded to address the variety of retailer capabilities.</p>
<p>IT business leaders who support any organization that stores, processes or transmits credit card data are required to ensure PCI 2.0 compliance not only during an assessment but continually to avoid the fate of the above-mentioned organizations. The key to a successful PCI assessment is to simplify this major effort. Some tech firms are assisting this effort through validation and assessment of compliance prior to installation. In this Research Note, we review Cisco’s PCI Solution 2.0 as it offers a unique network-based approach that is comprehensive, holistic and end-to-end. It has been tested in a simulated retail environment and assessed for compliance by a Qualified Security Assessor, QSA, and Verizon Business.</p>
<p><strong>Cisco’s PCI Solution 2.0</strong></p>
<p>The Cisco PCI Solution 2.0 is built on network security best practices, proven Cisco products and partner technologies that meet Payment Card Industry security standards. Because PCI covers many parts of the network, no single product or technology meets all PCI technology requirements. Therefore, Cisco’s updated PCI Solution 2.0 is an architectural approach that maps to the updated PCI DSS 2.0 requirements. This comprehensive perspective allows retailers to see the bigger picture to prepare and design across the relevant parts of the enterprise. Cisco’s PCI Solution 2.0 is a holistic approach as it spans an end-to-end architecture.</p>
<p>Cisco’s approach provides templates and services that simplify PCI compliance. This simplification enables customers to maintain compliance year round, not just during assessments. Detailed information, including product configurations from validation efforts, is included in the Cisco PCI Solution 2.0 Design and Implementation Guide (DIG) to provide additional guidance and best practices.</p>
<p><strong>Simplifying PCI Compliance</strong></p>
<p>As a first step toward simplifying compliance, Cisco recommends segmenting the IT infrastructure and isolating cardholder data from the rest of the network. As with any complex problem, breaking a problem down into smaller solvable pieces reduces the complexity and simplifies the solution. Cisco’s approach reduces the scope of audit via network segmentation. Without network segmentation, the entire IT infrastructure is in PCI scope, which drives cost and complexity significantly upward. While segmentation sounds easy, it’s a bit more challenging in a virtualized data center infrastructure.</p>
<p><strong>PCI Compliance in the Virtualized Data Center </strong></p>
<p>Most IT business leaders are challenged with complex PCI audits within virtualized infrastructure as well as rogue wireless access detection. These two areas, virtualized infrastructure and rogue wireless access detection, tend to be the two largest pain points. Confusion around virtualization and security existed for several years until the PCI standards body clarified that all hypervisors are considered insecure. With so many organizations having virtualized their data centers, this detail results in extra compliance considerations to protect cardholder data. Before virtualization, traditional infrastructure could be easily protected with a firewall appliance, as this device was placed directly in the path of traffic. In highly virtualized environments, traffic is not as well-behaved, which makes it a challenge for IT managers to restrict access to cardholder data. </p>
<p>Cisco’s Virtual Security Gateway (VSG), along with its Nexus 1000V virtual switch, intercepts and steers traffic to either VSG or firewall appliances before it gains access to cardholder data, providing a means for segmentation and access restriction in virtualized data centers.  </p>
<p>Therefore, to be PCI DSS 2.0 compliant, both physical and virtualized infrastructure need to secure and restrict access to cardholder data. Cisco does this with both its own VSG solution and with technology partners such as EMC, VMware, VCE and HyTrust.   </p>
<p><strong>Rogue Wireless Access Detection</strong></p>
<p>Rogue access point detection is a PCI requirement. Even if a merchant does not use wireless technology within its stores, it still must have a method for detecting unauthorized access points that may have been inadvertently or maliciously deployed. The PCI Council expanded the flexibility of the requirement to allow for several methods, including Wireless IDS and NAC/802.1x to detect rogue wireless access points.  </p>
<p>Unified Wireless and Cisco’s Identity Services Engine (ISE) technology offer technical solutions for these methods that have been validated by Verizon Business to successfully address these requirements. In addition, Cisco offers CleanAir technology, which monitors the entire frequency spectrum, surpassing the security requirements of PCI.  </p>
<p><strong>Risk Management</strong></p>
<p>While a portion of PCI compliance is addressed through technology, it’s also addressed with process and compliance audits.  One of the largest challenges is to maintain compliance between audits. Many retailers seek the lowest cost solution to achieve PCI compliance during the audit, but this may very well be penny wise and pound foolish. For example, some retailers conduct a visual inspection of Ethernet switches quarterly to ensure that unauthorized wireless access points are not connected into the corporate network, where they would open a door to rogue access. The difficulty of this approach is that quarterly physical scans only work during inspection day. The day after the quarterly scan, someone can plug in a wireless access point, putting the site and cardholder data at risk until the next quarterly inspection. A more continuous and secure approach is the implementation of wireless IDS, IPS, CleanAir and ISE, where every single wave is monitored and wireless devices plugged into the corporate network are detected, assuring continual PCI compliance.  </p>
<p><strong>How to Approach PCI Compliance?</strong></p>
<p>PCI can be an overwhelming topic. How do IT and small business leaders approach PCI compliance? To simplify PCI, Cisco offers three recommendations.  </p>
<p><strong>Recommendation One: Reduce PCI Scope.</strong> Scope means all systems and people that are touching cardholder data (i.e., firewalls and IT administrators). Are there people accessing cardholder data who shouldn’t be? If there are, then remove their access by restricting access to the systems that contain cardholder data. Are there systems or applications or networks that are touching cardholder data that don’t need to? Segment and narrow the scope of the Cardholder Data Environment (CDE) with network addressing and filters to reduce the risk as much as possible. If the CDE is smaller, the cost of the audit will be smaller, as will the complexity of maintenance. Standardizing network and system architectures across branches can also decrease cost and complexity as it allows auditors to sample same store/branch footprints and data center designs. </p>
<p><strong>Recommendation Two: Secure the Perimeter.</strong> With a new smaller PCI scope implemented, the perimeter of that scope needs to be secure. Firewalls configured to only allow business-justified access to the cardholder data environment and IDS need to be installed. In addition, administrative access to this environment needs to be locked down to the bare minimum with complete logging for audit trails. </p>
<p><strong>Recommendation Three: Maintain and Simplify.</strong> It’s not good enough just to segment and reduce the scope of cardholder data and then protect the perimeter. IT business leaders need to maintain and simplify their PCI recommended implementation.  Cisco’s solution utilizes RSA technology to provide real-time alerts, tuned logs and compliance management dashboards that assist in maintaining compliance. The firms mentioned in the opening paragraph were all in compliance at some point in time, but they were not when they were breached. So take these requirements seriously.</p>
<p><strong>Implementing a PCI Solution 2.0</strong></p>
<p>The above three recommendations will go a long way toward reducing cost and keeping an organization’s systems PCI compliant. Cisco has made a huge commitment in its thoughtful approach to PCI DSS 2.0 compliance where it offers an end-to-end architecture that has been assessed and documented. A critical element of the Cisco PCI Solution for Retail 2.0 is Cisco network architecture and validated network designs. Cisco network architectures have been designed for stores, enterprise data centers and the Internet edge to support e-commerce operations, store employees, customers and teleworkers. Cisco’s PCI solution also supports wireless 3G technology deployments and multiple store formats, including pop-up stores and convenience stores, in addition to typical small, medium and large stores.</p>
<p>Cisco’s PCI Solution 2.0 offers thought leadership for those seeking to simplify their PCI deployments; Cisco’s new PCI DIG is an in-depth roadmap for organizations looking to achieve PCI compliance. It addresses technologies such as virtualization, wireless and mobile payments. As high-profile, alarming and brazen cyber attacks continue to occur, IT business leaders would be well-served to review Cisco’s PCI Solution 2.0 and Design and Implementation Guide.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/07/lippis-report-176-pci-2-0-maintaining-compliance-in-a-mobile-cloud-and-virtualized-it-world/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Securing the Data-Center Transformation  Aligning Security and Data-Center Dynamics</title>
		<link>http://lippisreport.com/2011/05/securing-the-data-center-transformation-aligning-security-and-data-center-dynamics/</link>
		<comments>http://lippisreport.com/2011/05/securing-the-data-center-transformation-aligning-security-and-data-center-dynamics/#comments</comments>
		<pubDate>Tue, 24 May 2011 04:22:29 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Data Center Switching]]></category>
		<category><![CDATA[White Papers]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[data center networking]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[virtual infrastructure]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=4775</guid>
		<description><![CDATA[<p><strong>By Ted Ritter Senior Research Analyst, Nemertes Research</strong></p>
<p>The data center is undergoing tectonic shifts with virtualization the primary cause. Everything is moving faster within the data center—moving at the speed of virtualization—putting centers into a state of transition from physical…</p>]]></description>
			<content:encoded><![CDATA[
<p><strong>By Ted Ritter Senior Research Analyst, Nemertes Research</strong></p>
<p>The data center is undergoing tectonic shifts with virtualization the primary cause. Everything is moving faster within the data center—moving at the speed of virtualization—putting centers into a state of transition from physical to virtual, which can be long, complex and messy. At the same time, security models remain largely static, anchored by physical security devices. Not only does this put the organization at greater risk, it also puts in jeopardy the core benefits of virtualization. To address this, organizations need a security architecture delivering agile security and supporting the physical infrastructure, the virtual infrastructure, and all the transitional states in between the two. This requires a new security model seamlessly integrating existing security controls for physical infrastructure with comparable security controls for the virtual infrastructure. This new model requires virtualization security. </p>
<p><a href="http://lippisreport.com/2011/05/securing-the-data-center-transformation-aligning-security-and-data-center-dynamics/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/05/securing-the-data-center-transformation-aligning-security-and-data-center-dynamics/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Lippis Report 168: Cisco Pulls All the Pieces of Its Network Security Program into One Architecture: SecureX</title>
		<link>http://lippisreport.com/2011/03/lippis-report-168-cisco-pulls-all-the-pieces-of-its-network-security-program-into-one-architecture-securex/</link>
		<comments>http://lippisreport.com/2011/03/lippis-report-168-cisco-pulls-all-the-pieces-of-its-network-security-program-into-one-architecture-securex/#comments</comments>
		<pubDate>Tue, 15 Mar 2011 20:50:57 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[ASA]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[Lippis]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[SecureX]]></category>
		<category><![CDATA[TrustSec]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=4357</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Cisco recently launched its SecureX architecture that extends perimeter-based network security to secure modern IT, recognizing the huge growth in mobile and cloud computing. SecureX is a multi-layer architecture built upon Cisco’s AnyConnect client, its global footprint in real-time threat…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Cisco recently launched its SecureX architecture that extends perimeter-based network security to secure modern IT, recognizing the huge growth in mobile and cloud computing. SecureX is a multi-layer architecture built upon Cisco’s AnyConnect client, its global footprint in real-time threat intelligence found in SIO (Security Intelligence Operation), Cisco TrustSec, including policy servers of NAC manager and server appliances, ASA firewall and the security enforcement features of its switches and routers. SecureX is an architecture that enables Cisco’s network security products and services to work together in an effort to create deeper defenses and contain exploit infestations if, and when, they occur. Fundamental to SecureX is the concept of “context aware” policy across the enterprise, including remote endpoint devices, and centralized policy creation with distributed security device and network enforcement. SecureX provides for innovation injection points through APIs (Application Programming Interfaces) for management and SIEM (Security Information and Event Management). In this Lippis Report Research Note, we explore SecureX with a focus on how context increases defenses and keeps IT assets safer.</p>
<p>SecureX offers something for everyone…such as a simpler, yet richer, management model for SecOps, deeper levels of security for users within and outside the corporate network, centralized policy creation that extends beyond the corporate firewall, and increased protections for users as they utilize mobile endpoints to access corporate and cloud-based applications.  IT business leaders should be pleased with better protections and compliance tools, especially as their vulnerabilities increase with the growing number of mobile endpoints seeking network access.</p>
<p>SecureX is not just about extending security to mobile devices but also about capturing contextual information for use in policy creation. Contextual information includes user and device identity plus location, login time of day, and which specific applications users attempt to access, and this information is collected not only upon login but during their entire network-connected session. Context aware policy allows IT leaders to use this information in the creation of policy with the end result of either allowing or denying access to IT resources, independent of the endpoint device and the method by which access is attempted. And this context aware policy attribute of SecureX, over time, will be extended beyond normal data traffic streams to apply consistent unified policies to application, video or voice traffic also.  </p>
<p>And while SecureX is security, in reality, it’s bigger than just security, because security is a necessary integrated attribute to enable mobility, video, voice and web collaboration, etc. To create a secure IT environment, IT services need to interact with security services with minimum to no user intervention that steals productivity. In short, SecureX seeks to make Cisco security and network devices work better together through context aware policy so access and deny decisions are improved, and are built upon so that anomalistic behavior remediation is automated post access through traffic monitoring.</p>
<p>Use cases have changed dramatically since a new tier of computing has emerged, that being smartphones and tablets. For example, a laptop could be plugged into an iPhone, which is streaming video into the corporate network.  The network should be able to differentiate between data traffic, video traffic, phone traffic and even iPhone application traffic, then monitor all of those traffic types for behavior so if a Virtual Machine (VM) is launched on the laptop, the network recognizes this new entity and performs a new series of monitoring.  Security needs to be much smarter as the combinations and permutations of acceptable user behavior are fundamentally changing.  </p>
<p>So where does this monitoring come from? Is it centralized, distributed, within appliances, in the cloud? The answer is all of the above. It’s in the network infrastructure and highly distributed. The SIEM ecosystem plays a role, TrustSec provides monitoring as does SIO, ASA, IPS, etc. The network infrastructure itself is monitoring behavior that’s outside of parameters/rules/policy that have been established for each network connection, and can take defined action when anomalistic behavior is identified. With monitoring and enforcement being so highly distributed, the chances of capturing anomalistic behavior increase significantly. Anomalistic behavior can occur anywhere, so depending upon where alerts are triggered, what type of traffic is involved, the kind of device being used, the location, the identity of the user, the time of day, etc., it’s this contextual information that adds color to tripping anomalistic behavior and remediation options.</p>
<p>SecureX is much like Cisco’s self-defending network concept, but with a global perspective and tools to extend context-based security to the Cloud, virtualized environments and out to the growing mobile workforce. And this extension of security services is the biggest challenge with which IT business leaders struggle. IT leaders want to push context aware policy into their virtualized datacenters, their Cloud(s) and to mobile users, because it solves a large set of security problems. In fact, security concerns are one of the primary gating factors limiting enterprises from deploying these new innovative IT services that offer favorable business process outcomes.</p>
<p><strong>Context Is Fundamental to Access Decisions</strong></p>
<p>We already have perimeters and defenses within the enterprise, but IT has gone mobile, thanks to smartphones, iPads, tablets, etc. Also, applications are selectively moving into the Cloud as well. SecureX is a security architecture delivering control to SecOps and IT business leaders to extend their IT services to mobile workers, enabling them to embrace a new tier of computing and a new way of application delivery via the Cloud.  </p>
<p>SecureX adds the concept of context aware policy to the principles of visibility and control as context provides insight into threats as employees are working outside of defined enterprise perimeters. The type of context that’s important includes identity—such as who are you, where are you located, the device that you’re using and can I trust the device—and what resources are you seeking to access. All of this contextual information needs to be considered when a firewall is determining network resources it will allow access to. In addition, contextual information may also instruct the network to enforce encryption on a session based on who you are and where you’re trying to go.</p>
<p><strong>Policy Driven</strong></p>
<p>To make contextual information work, a policy wrapper needs to surround context elements of personal identity, device identity, location, time of day and application access request. That empowers the network to create a uniform policy, such that the network is able to intelligently negotiate a variety of context options that are being considered when individuals attempt to access IT resources. This is the perfect job for a policy appliance.</p>
<p>To add context information to firewall decisions, Cisco is leveraging key pieces of its security product portfolio. For example, its TrustSec architecture provides access control plus encryption, which is the first and most critical piece of context information. Within access control, a device’s security posture is assessed, the end user is identified, and their device is profiled, all of which is used to make an intelligent decision to grant or deny network access. In addition, the network can “tag” a user’s data stream, so that as the stream traverses the enterprise IT infrastructure, the network can enforce defined policy independent of the stream’s destination(s). For example, once the user has passed access control, should this user decide to search for a payroll server location, the network may recognize that he/she is not allowed access, thanks to defined policy, and the network can drop the requests and log the event. This set of sequences is a benefit of TrustSec.</p>
<p><strong>Access Control and Contextual Information</strong></p>
<p>With trusted systems on the inside of an enterprise network providing enforcement through policy of mostly fixed endpoints, such as desktops and IP phones, the question on most IT business leaders’ minds is how to extend these protections to the exponentially-growing mobile community and non-user network devices. IT leaders are confronted with an increasing number of both mobile endpoints and non-user endpoints, such as printers, video surveillance, wireless access points, etc., attempting to access their network and IT assets. To protect IT assets, IT leaders are seeking a process in which all devices connecting to the network, whether inside or outside the perimeter, are profiled to analyze device function and apply appropriate policy. For example, an IP camera may be identified during profiling and then a policy applied that allows IP cameras to transmit data, but not to request data. In addition, during post access control, the network then monitors the IP camera to assure policy is applied while the IP camera is connected to the network.</p>
<p>This type of contextual information to build another level of defense is also extended to the virtualized data center environment. For example, once a virtual server comes online, policy can be applied to it, which is then communicated to the entire infrastructure. Policy may allow a virtual server to pass traffic between VMs on a select number of hypervisors. In addition, these VMs may also recognize that the new virtual server can do X and Y with these VMs but not Z. This level of control granularity enables SecOps to define virtual environment behavior in a meaningful way.</p>
<p><strong>The Network Can Be the Firewall</strong></p>
<p>Clearly policy management is an integral component of SecureX. To define policy, Cisco offers the Cisco TrustSec solution, which can be deployed using the NAC Appliance or with a network-centric 802.1X strategy, combined with the Access Control Server. These solutions offer posture assessment, remediation and quarantine functionality. Device profiling is provided for non-authenticating devices such as IP cameras, printers, WLAN access points, etc., which are placed on guest services with triple-A services. The aggregate of these features with the ability to create centralized policy that can be pushed out to the entire network infrastructure creates, in essence, a highly-distributed firewall. If a firewall’s job is to allow or deny access to IT resources, then SecureX turns the entire network into a highly-distributed firewall, where every component of the network is now analyzing and processing traffic.</p>
<p><strong>Enforcement and Layers of Context</strong></p>
<p>Context aware policy enforcement is performed with network infrastructure such as network switches, routing, firewalls, IPS, VPN, etc. There are layers of context: who are you, and should you be allowed to go to this website; or who are you, and what should I do with the types of email that you’re creating, or the traffic you’re generating based on who you are? It’s a meta context environment that asks, “Who are you in a dynamic environment?” In this dynamic environment, a higher-level policy may ask, “When you’re inside the network, there’s one set of rules. But if you leave the network, policy moves and perhaps changes with you.” For example, an exchange between two users may be allowed while both are inside the network. The network could allow certain content to pass between the users. But if one moves outside the network, then the network could stop some content from moving between them. Another example of enforcement due to anomalistic behavior could be a user logging in from within his/her New York network while another login request comes in from the same user located in Shanghai, China; the network needs to make a decision about which one of these users is authentic, and what action to take upon both users.</p>
<p><strong>Networking Is Much More than a Connectivity Service</strong></p>
<p>Enforcement is performed in both security appliances and network infrastructure. This elevates the network beyond a connectivity service to a secure IT service where it provides visibility, context and control, thanks to SecureX. When a network utilizes 802.1X for access control, for example, the network is providing not only connectivity but also enforcement. A SecureX network is creating and analyzing policy tags, performing enforcement of policy, dynamically identifying new devices, monitoring traffic, communicating with policy server(s) and making decisions about which access rules to apply to a device.</p>
<p><strong>Protecting Mobile Users</strong></p>
<p>The key architectural approach to SecureX is that the mobile device is equipped with a thin client, that being AnyConnect with the heavy processing burden of threat intelligence, mitigation and enforcement left in the Cloud or at the corporate head-end. Cisco’s AnyConnect plays an important role in SecureX to protect mobile devices as it leverages a huge resource of threat intelligence. SIO collects and analyzes traffic of approximately 5 billion emails per day, 3 billion Web requests per day and 700,000 network sensors or IPS; expand that to include approximately 100 million endpoint devices that are equipped with an AnyConnect client, and SecureX provides the most comprehensive real-time threat intelligence telemetry and mitigation to endpoints.</p>
<p>All of these numbers can be boiled down through a few examples. Consider a user with a laptop equipped with an AnyConnect client who is attempting to log into her/his corporate network. At the point of login, the network will identify the user, her/his role and which resource she/he is attempting to access. For example, Bill from finance is requesting access to the payroll server. Policy may be defined as Bill can only have access while he’s inside the network perimeter, but not outside. Further, if Bill’s inside the network perimeter, policy may dictate that access to financial servers is encrypted via MACsec. No need for Bill to take any action, as a MACsec tunnel is established automatically as a matter of policy.</p>
<p><strong>Mobile Internet Browsing</strong></p>
<p>Consider an AnyConnect iPhone mobile user browsing the Internet with Cisco’s ScanSafe dynamically managing the Web interaction. With the endpoint’s VPN connection terminated on an ASA firewall, behavior is monitored. If anomalistic behavior occurs, such as malware activity traversing terminated VPN connections, ASA, in conjunction with ScanSafe and SIO, can extract that information and analyze it. In the event that a virus is propagating on iPhone-based smartphones, SecOps can be notified with a message such as “This is a warning. There’s something big happening on iPhone smartphones, and it’s happening in this part of the world. SIO is analyzing this information, will create and distribute a signature fix shortly.”  This type of message can be pushed to all AnyConnect VPN terminating devices: “There’s an iPhone virus coming on. SecOps is blocking it for the moment, and in the next few minutes, we’ll distribute a signature to destroy this virus.”  </p>
<p><strong>A SecureX Ecosystem Is in the Works</strong></p>
<p>There are two innovation injection points into SecureX to enable an ecosystem for management and SIEM. The management API offers an approach to a wider and consistent management view of network and security resources. SecOps often requested a super management platform where visibility and control are available from one tool. Unfortunately there is just too much information to display in one management window. But if multiple management tools/windows consulted the same policy data and shared this information, then a more consistent view of network assets can be obtained. An API to enable this type of information sharing would enable NetOps to manage its switched environment and be able to control not only switches, but also gain visibility in a security context of what policies have been applied to that switch. This concept can be extended to all network element management where they share policy information.</p>
<p>While not detailed in Cisco’s SecureX architecture, Cisco did announce a new SIEM ecosystem last month as it placed CS-MARS in end-of-life. This SIEM ecosystem will contribute to the contextual element of SecureX. For example, there are a number of ecosystem partners in place providing sophisticated types of analysis as they deepen their interaction with Cisco’s network infrastructure products. These partners collect and gather real-time alarm information and are correlative to global SIO. The combination of Cisco’s SecureX and its SIEM ecosystem will be able to span threat intelligence from local machines to the global footprint of SIO, offering an expanse of security information that can be put to work to protect assets and mitigate threats once detected. These real-time local and global threat intelligence assets can also be interfaced with a policy engine to not only identify and control devices requesting network access, but to monitor behavior within and outside a corporate network.</p>
<p>The value benefit to a SIEM ecosystem and SIO feeding real-time global information to a policy server is best described through example. Should a device suddenly begin behaving anomalistically, the network can automatically identify the device and its closest switch, and take action, such as lock the device and redirect it to a remediation server. That is, SecureX will be able to perform infection containment and control, thanks to adding real-time local intelligence to the policy server, thereby changing policy on the fly based upon contextual information.</p>
<p>SecureX is Cisco’s latest attempt at integrating security deep into the network infrastructure as this infrastructure expands to mobile devices, cloud service providers and virtualized infrastructure. Its core component is context aware policy that is centrally administrated with enforcement highly distributed. SecureX is a modern security architecture for a new age of mobile and cloud computing.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/03/lippis-report-168-cisco-pulls-all-the-pieces-of-its-network-security-program-into-one-architecture-securex/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>The Future of Network Security: Cisco’s SecureX Architecture</title>
		<link>http://lippisreport.com/2011/03/the-future-of-network-security-cisco%e2%80%99s-securex-architecture/</link>
		<comments>http://lippisreport.com/2011/03/the-future-of-network-security-cisco%e2%80%99s-securex-architecture/#comments</comments>
		<pubDate>Tue, 15 Mar 2011 18:54:01 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[White Papers]]></category>
		<category><![CDATA[ASA]]></category>
		<category><![CDATA[borderless]]></category>
		<category><![CDATA[Lippis]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[SecureX]]></category>
		<category><![CDATA[TrustSec]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=4333</guid>
		<description><![CDATA[<p><strong>By Cisco Systems</strong></p>
<p>There are three major trends sweeping through the enterprise: the rapid rise of the consumerized endpoint, the onset of virtualization and cloud computing, and the growing use of high-definition video conferencing. Each of these critical technologies is transforming…</p>]]></description>
			<content:encoded><![CDATA[<p><strong>By Cisco Systems</strong></p>
<p>There are three major trends sweeping through the enterprise: the rapid rise of the consumerized endpoint, the onset of virtualization and cloud computing, and the growing use of high-definition video conferencing. Each of these critical technologies is transforming business—and forcing a fundamental shift in how security is developed and deployed. In this white paper, Cisco describes its SecureX architecture and how it has evolved IT security so that IT leaders can enjoy the benefits of these IT trends securely.</p>
<p><a href="http://lippisreport.com/2011/03/the-future-of-network-security-cisco%e2%80%99s-securex-architecture/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/03/the-future-of-network-security-cisco%e2%80%99s-securex-architecture/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lippis Report 165: Network Security in a Virtualized World</title>
		<link>http://lippisreport.com/2011/01/lippis-report-165-network-security-in-a-virtualized-world/</link>
		<comments>http://lippisreport.com/2011/01/lippis-report-165-network-security-in-a-virtualized-world/#comments</comments>
		<pubDate>Tue, 01 Feb 2011 02:28:18 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[AnyConnect]]></category>
		<category><![CDATA[ASA]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Firew]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[Lippis]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[VPN]]></category>
		<category><![CDATA[VSG]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=4191</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>There are powerful market forces changing IT delivery. IT application delivery is becoming increasingly centralized thanks to data center server virtualization plus mobile and cloud computing.  Desktops are being virtualized, too, thanks to network speeds that deliver low latency and…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>There are powerful market forces changing IT delivery. IT application delivery is becoming increasingly centralized thanks to data center server virtualization plus mobile and cloud computing.  Desktops are being virtualized, too, thanks to network speeds that deliver low latency and high bandwidth, creating a thin client user experience that is indistinguishable from a thick client but at lower desktop management cost. One serious implication of this concentration of IT in data centers is that a new IT security model is needed as mobility brings greater threat exposure while virtualization changes traffic patterns and the rules of security appliance placement. In this Lippis Report Research Note, we present a new model for IT security in the virtualized mobile and cloud-computing era.</p>
<p><span id="more-4191"></span></p>
<p>Users are demanding that IT support commercial mobile computing platforms in the enterprise market, driving nearly exponential growth of these devices within corporations. And while commercial mobile computing use, that is Apple’s iPhone/iPad and Android smartphones and tablets, rises, it’s pushing applications, data and IT critical resources into private and public data center cloud facilities. In short, IT is shifting toward both mobile and cloud computing simultaneously, as the two are inextricably linked. Factor in the need for geographically and time independent access to IT services on any end point device, and you have the makings of a major shift toward centralizing application delivery to geographically dispersed end points that can scale globally.</p>
<p>This pull to centralize IT applications is driven by technology innovation of mobile and cloud computing with financial and performance gains afforded by virtualization. But while there are material business benefits to this IT transition, there are risks too. Threats continue to increase, especially as mobile computing expands the diameter of access to data center resources. Virtualization provides huge efficiency benefits but changes the way in which security devices, such as firewalls, need to work to secure applications.</p>
<p>For example, traditional network services, that is firewall, IPS, VPN tunneling, etc., are frequently placed in-line or in the flow of traffic, forming a line of layer 4-7 network services. But as applications are virtualized, their movement may take them out of the path of traffic flow, making it difficult to maintain network services to Virtual Machines (VMs) and their applications. In most data centers, a mix of physical and virtual network services is emerging as well as a mix of virtual servers and physical servers based upon old and new investment. What IT business leaders demand is that their investment in physical and/or virtual network services support both virtualized and non-virtualized applications, so they may extract the highest value from their IT dollars, and that the same level of security services is applied to both virtualized and non-virtualized applications. This is a hard problem to solve and requires new thinking in network security.</p>
<p><strong>The New Approach to Network Security</strong></p>
<p>Before we dive into security architecture, a new approach to network security thinking is in order. Traditionally, network security was based upon the hard-shell and soft-core concept; that being, build a perimeter of firewalls and IPS equipment creating a hard shell around IT assets, but keep the internal network free of security services—that is a soft core. Then security layering was added to this model by offering defenses in depth to harden the soft core. While these approaches are still valid, thinking needs to be expanded in step with the directions of IT.  </p>
<p>Modern day network security architecture needs to defend, extend, prevent and comply. By defend, we mean mitigate threats as the number of exploits/malware, etc., continues to rise. Network security services need to be extended to support virtualized data centers as well as mobile users and cloud-computing facilities. Network services need to prevent business loss, be it through data loss prevention or business continuity. And lastly, network security needs to assure compliance with government legislation/regulation/orders to mitigate risks of non-compliance.</p>
<p>Applying this new thinking in network security to major user behavior scenarios and IT assets creates a security blanket that is both broad and deep. For example, systemic across the enterprise, progressive IT business leaders are developing cloud security, desktop virtualization security and, for those engaged in on-line transactions, a PCI solution. These three security services support IT assets in need of protections, such as application security, mobile user experience security, virtualization security, service security such as encryption plus infrastructure security, e.g., firewall, IPS, VPN.</p>
<p><strong>Cisco’s Data Center Virtualization Security Approach</strong></p>
<p>There are only a few IT firms that can deliver the depth and breadth of this type of a security approach. These firms are Cisco, IBM, HP, Microsoft, Oracle and perhaps CA. For this Research Note, we focus on Cisco as it possesses all the technologies to deliver on a broad data center virtualization security solution. In the above example, Cisco’s ScanSafe would provide email and web application security. Its AnyConnect mobile client provides mobile security for VPN and cloud access. Service security is delivered via TrustSec, an architecture providing policy, identity and encryption services. For infrastructure security, its ASA (or Adaptive Security Appliance) security product combines firewall, IPS and VPN, while infrastructure security services are also embedded in its switch and router product lines. While all of the above products have been in production for some time, Cisco has launched an innovative approach to solving one of the biggest virtualization security problems, and that is to virtualize firewall services and to steer traffic to them as application flow changes from in-line to off-line, as occurs when applications become virtualized.</p>
<p><strong>Virtual Security Gateway</strong></p>
<p>Within Cisco’s Unified Network Services (UNS) umbrella of products, it has launched its data center firewall called VSG or Virtual Security Gateway, and provided it with management and policy services via its VNMC or Virtualized Network Management Center software. VSG is an example of a virtual service node, as compared to a physical ASA security appliance. The key underpinning technology to VSG is the Nexus 1000V and vPATH, which enable traffic to be re-routed or steered to the virtual firewall nodes…more on this below.</p>
<p>VSG is a proof-point of Cisco’s ability to solve the firewall problem within virtualized infrastructure; that is, how to provide firewall services to flows destined to and between various VMs. vPATH, a software module within the Nexus 1000V softswitch, steers traffic to VSG, which blocks or allows traffic flow to its destination. Further, VSG assures that the correct network security service is applied, and a VM’s policies follow it as it moves between physical servers. VSG policy is centrally managed through the VNMC umbrella management platform.</p>
<p>With vPATH technology/software inserted into the Nexus 1000V virtual switch, hypervisor and VM traffic is redirected as needed to deliver network services, such as firewalling.</p>
<p><strong>vPATH</strong></p>
<p>In the case of VSG, policy is created through VNMC to define what type of traffic needs to be redirected and what action to take upon that traffic once it arrives at the firewall. As traffic destined for a particular VM reaches a server or Nexus 1000V, vPATH intercepts it and redirects it to VSG for inspection. VSG then performs its network security service and forwards the traffic, if allowed, to its destination, just as a firewall appliance operates. In short, vPATH intercepts traffic and sends it to VSG, while VSG performs its security service and decides if traffic will be forwarded to the destination VM.</p>
<p><strong>Fast Path</strong></p>
<p>vPATH also benefits from a concept called fast path. Fast path is similar to a cut-through method in that once traffic has been forwarded to VSG for firewall services, for example, the remaining traffic flow is routed directly to its VM destination. Note that fast path can be utilized for most network services. Fast path obviates the need to route all traffic through VSG once the first packet of the flow has been processed by the firewall. Therefore, not all traffic requires packet-by-packet inspection, which speeds up flows and reduces processing and latency.</p>
<p>For example, if the first packet of a flow passes through VSG without alteration, then the rest of the flow should pass uninspected, as the security rules are the same. However, this wouldn’t be the case for an IPS, where the entire payload is inspected to assure there is no malware residing in the flow.</p>
<p>A key benefit of vPATH is that it intelligently steers traffic, via flow classification and redirection, to associated VSGs to implement security policies in a virtual environment. A second is fast path offload: VSG offloads policy enforcement of flows to vPATH, which delivers improved efficiency and performance of firewall services to virtualized applications. These capabilities, along with physical firewalls, help IT leaders regulate how virtualized and non-virtualized applications receive firewall services. In addition, as VMs move between physical servers, firewall settings do not need to change, as they follow the VM when it moves within the data center. Thus VSG is mobility aware and is VLAN and topology agnostic, enabling flexibility not seen before in virtualized data center environments.</p>
<p>Going back to the need for a modern approach to network security, the combination of Cisco’s ASA, VSG, AnyConnect and Security Intelligence Operations or SIO starts to deliver the attributes of defend, extend, prevent and comply to IT business leaders concerned with protecting modern IT business assets. For example, AnyConnect 3.0 provides security services for remote and mobile end points via client software on laptops, tablets and smartphones with centralized policy control. In short, AnyConnect provides protections against the increased network diameter afforded by mobile and cloud computing. SIO is one of the most comprehensive and globally expansive threat detection services, updating Cisco IPSs with exploit signatures in near real time, thanks to its global threat correlation service. SIO is based upon over 1 million sensors (Cisco IPS) distributed around the globe, from which it sends and receives updates, and is staffed with over 500 security experts.</p>
<p>So as servers and applications are virtualized and computing goes mobile and to the cloud, a new modern approach to network security is taking hold. Cisco’s network security architecture and its ASA, VSG, AnyConnect and SIO products span the new nature of borderless IT, offering business leaders protections as they manage their business and exploit the value created by this new cycle in Information Technology.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2011/01/lippis-report-165-network-security-in-a-virtualized-world/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Lippis Report 163: A Multi-Vendor Security Management Approach via a Cisco SIEM Ecosystem</title>
		<link>http://lippisreport.com/2010/12/lippis-report-163-a-multi-vendor-security-management-approach-via-a-cisco-siem-ecosystem/</link>
		<comments>http://lippisreport.com/2010/12/lippis-report-163-a-multi-vendor-security-management-approach-via-a-cisco-siem-ecosystem/#comments</comments>
		<pubDate>Mon, 13 Dec 2010 22:44:48 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[ASA]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[CS-MARS]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[policy management]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3980</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In an effort to offer a multi-vendor SIEM (Security Information and Event Management) solution, Cisco is placing its SIEM product, CS-MARS, in end-of-life and in its place, offering the industry its first SIEM ecosystem. Cisco acquired MARS six years ago…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>In an effort to offer a multi-vendor SIEM (Security Information and Event Management) solution, Cisco is placing its SIEM product, CS-MARS, in end-of-life and, in its place, offering the industry its first SIEM ecosystem. Cisco acquired MARS six years ago in December 2004. MARS provided traditional event management and security monitoring along with limited forensic capabilities and compliance reporting. But the market demanded a broader cross-vendor SIEM solution rather than a SIEM focused primarily on Cisco products. In response, Cisco has launched a SIEM ecosystem to support deep event monitoring, forensics and compliance reporting across a heterogeneous enterprise network. It has also expanded the role of its Cisco Security Manager or CSM to support policy management and troubleshooting across a wider range of Cisco products. In this Lippis Report Research Note, we examine the new distribution of security responsibilities that now stretch across Cisco CSM and its new SIEM ecosystem with an eye toward stronger defense of IT assets.</p>
<p><span id="more-3980"></span></p>
<p>IT business leaders were requesting that Cisco develop deeper forensics and compliance across multiple areas within MARS. But the MARS architecture was not designed for the long-term storage, long-term data indexing and look-ups required to conduct forensics and compliance in the manner that IT business leaders are demanding. So in June of 2010, Cisco launched a SIEM ecosystem to provide a scalable and cross-vendor approach for IT business leaders to conduct deep forensics and compliance. Real-time security monitoring capabilities, which MARS provided, are being blended into the CSM.</p>
<p>CSM started as a policy manager for multiple Cisco devices such as routers, switches, firewalls, VPN, IPS, etc. But Cisco recently announced its 4.1 image for CSM, which incorporates security-monitoring capabilities that enable policy troubleshooting. For example, event logs will essentially flow into CSM. CSM will determine if a stream of event logs rises to the level of a security problem or if it needs to make policy changes, and execute those changes in real time via a closed-loop system. CSM does not deliver forensics or long-term compliance reporting. This is the province of the Cisco SIEM ecosystem.</p>
<p><strong>The SIEM Ecosystem</strong></p>
<p>Both MARS and CSM have been missing the capability to conduct broad multi-vendor security monitoring, compliance reporting and forensics in a heterogeneous vendor environment. In fact, most, if not all, security vendors are guilty of this. Clearly market reality dictates that most enterprise IT organizations utilize multiple devices and/or software that contribute to IT security defense. </p>
<p>Therefore, to align its security products and IT defense approach with the reality of the market, Cisco has started a SIEM ecosystem consisting of the five largest SIEM suppliers. The five vendors in the ecosystem are RSA, ArcSight, LogLogic, Splunk and netForensics. Cisco’s exit from the SIEM market has created the opportunity for it to partner with these top SIEM providers, covering 75% +/- of the enterprise market.</p>
<p>The power of a SIEM is to accept logs from multiple devices and make sense of them, meaning it weaves them together by way of correlation. The larger the number of log streams to a SIEM from various security appliances, the greater its ability to correlate. The goal of a SIEM is to gather data from all deployed security appliances, which ends up delivering an exponential lift in the security intelligence gained from correlating large streams of data.</p>
<p>With the Cisco SIEM ecosystem, Cisco is now able to deliver heterogeneous capabilities that cover security monitoring analysis, compliance and forensics, and some partners, specifically LogLogic, deliver long-term log management capabilities. To assure confidence that Cisco security and networking equipment interoperates with these five SIEM suppliers, Cisco has conducted extensive interoperability testing with each supplier. This is key for IT business leaders with an operational SIEM deployed, who need to be assured that a newly introduced SIEM or security device will interoperate with their existing SIEM. It is also key for Cisco CS-MARS customers who will be looking to transition to a new SIEM. Note that end-of-life is a multi-year process, so co-existence and transition are important attributes for the ecosystem to contain.</p>
<p><strong>Conduit between SIEM and Cisco Security Products</strong></p>
<p>The interface or conduit that enables information transfer between Cisco products and its SIEM partners is device specific. The interface could be Syslog or SDEE (Security Device Event Exchange), depending upon what conduit the end security device uses, be it an IPS, firewall, switch, router, etc. The conduits have not evolved yet, although at some point in time, they may.</p>
<p><strong>The Interoperability, Validation and Testing Lab</strong></p>
<p>To demonstrate Cisco interoperability, Cisco has created a Cisco-compatible logo, which a partner earns after they have passed through what is called the “IVT Lab” meaning Interoperability, Validation and Testing Lab. One of the key outputs of the IVT Lab is interoperability assurance plus license rights to display the Cisco-compatible logo, and a set of <a href="http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/ns1090/landing_siem.html">deployment guides</a> to assist a Systems Engineer (SE) or an IT security department to deploy a partner’s SIEM product alongside Cisco’s firewalls, switches, routers or email plus web security products, etc. The detailed deployment guides offer various configurations of the SIEM ecosystem partners and Cisco products.</p>
<p>To gain the Cisco-compatible logo, a partner needs to be tested against Cisco security products, which are approximately eight devices, each in its latest software version. These include Cisco Cross-Device, Firewall, IPS, ASA, E-mail Security Appliance (ESA), Web Security Appliance (WSA), etc. The Cisco-compatible logo says that each partner has been tested for that set of core security devices. Over time Cisco plans to test SIEMs across the entire Cisco security product line.</p>
<p>The IVT Lab and associated Cisco-compatible logo essentially level-set SIEM partners so all have validated and verified support for core Cisco security products. From a support perspective, Cisco’s TAC can take the lead on support. Cisco has developed relationships with its ecosystem partners by tying them into its TAC processes. In the event that SECOPS has an issue with, say, Splunk or RSA, Cisco TAC has a streamlined process that places customers in touch with the right person at RSA, Splunk and its other partners.</p>
<p><strong>Greater Defense through Faster Innovation Absorption</strong></p>
<p>Clearly Cisco products bring value to their ecosystem partners. For example, Cisco’s firewall team produces the number one firewall in the world, developing features or functionality nearly every quarter or at least twice a year.</p>
<p>Before the ecosystem was in place, a lag between a Cisco innovation launch and SIEM ability to support the new features was common. For example, SIEM vendors may not understand what the new features are meant to do or how they’re used. Therefore, as part of the SIEM ecosystem, Cisco is committing to assure that as new innovations/features roll out across its security portfolio, SIEM partners understand how Cisco recommends they be used, which will speed SEC OPS innovation absorption.</p>
<p><strong>Pulling It All Together</strong></p>
<p>Cisco’s new approach to heterogeneous network security is based upon an ecosystem of SIEM providers to which it provides interoperability testing, new feature training, TAC support and deployment guides. The SIEMs will aggregate event logs from a wide range of Cisco and other company security appliances to deliver cross-vendor IT forensics and compliance reports. Cisco’s CSM is the policy manager and troubleshooting platform going forward and will enjoy expanded support of Cisco’s security products. Therefore, policy management and troubleshooting services will be delivered through CSM, while the SIEM ecosystem delivers broader cross-vendor IT forensics, event monitoring and compliance reports.</p>
<p>IT business leaders benefit from a broader multi-vendor approach to event monitoring, forensics and compliance reports as well as centralized policy management and troubleshooting of Cisco products. This new approach should increase IT defenses while simplifying the management of their Cisco security products.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/12/lippis-report-163-a-multi-vendor-security-management-approach-via-a-cisco-siem-ecosystem/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Cisco 3Q10 Global Threat Report</title>
		<link>http://lippisreport.com/2010/12/cisco-3q10-global-threat-report/</link>
		<comments>http://lippisreport.com/2010/12/cisco-3q10-global-threat-report/#comments</comments>
		<pubDate>Mon, 13 Dec 2010 22:32:40 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Infrastructure]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Global Threat]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[networking]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3977</guid>
		<description><![CDATA[<p><strong>By Cisco Systems</strong></p>
<p>Key Highlights</p>
<p>• 79% of clicks on “Here You Have” email occurred within the first three hours of the worm’s spread.<br />
• During 3Q10, 7% of all Web malware encounters resulted from Google referrers, followed by Yahoo at 2%, Bing/MSN…</p>]]></description>
			<content:encoded><![CDATA[
<p><strong>By Cisco Systems</strong></p>
<p>Key Highlights</p>
<p>• 79% of clicks on “Here You Have” email occurred within the first three hours of the worm’s spread.<br />
• During 3Q10, 7% of all Web malware encounters resulted from Google referrers, followed by Yahoo at 2%, Bing/MSN at 1% and Sina at 0.1%.<br />
• Exploits targeting Sun Java increased from 5% of all Web malware encounters in July 2010 to 7% in September 2010.<br />
• The Rustock Botnet was the highest occurring ROS event in 3Q10, at 21% of events handled during the report period.<br />
• Peak Rustock activity occurred in late August 2010, declining in September 2010.</p>
<p>Download the report here</p>
<p><a href="http://lippisreport.com/2010/12/cisco-3q10-global-threat-report/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/12/cisco-3q10-global-threat-report/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Splunk Security Information and Event Management (SIEM) Deployment Guide</title>
		<link>http://lippisreport.com/2010/12/splunk-security-information-and-event-management-siem-deployment-guide/</link>
		<comments>http://lippisreport.com/2010/12/splunk-security-information-and-event-management-siem-deployment-guide/#comments</comments>
		<pubDate>Mon, 13 Dec 2010 22:28:10 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[Splunk]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3970</guid>
		<description><![CDATA[<p><strong>By Cisco Systems and Splunk</strong></p>
<p>This document is for the reader who:</p>
<p>-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide<br />
-Wants to connect Borderless Networks to a Splunk SIEM solution<br />
-Wants to gain a general understanding of…</p>]]></description>
			<content:encoded><![CDATA[
<p><strong>By Cisco Systems and Splunk</strong></p>
<p>This document is for the reader who:</p>
<p>-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide<br />
-Wants to connect Borderless Networks to a Splunk SIEM solution<br />
-Wants to gain a general understanding of the Splunk SIEM solution<br />
-Has a level of understanding equivalent to a CCNA® certification<br />
-Wants to solve compliance and regulatory reporting problems<br />
-Wants to enhance network security and operations<br />
-Wants to improve IT operational efficiency<br />
-Wants the assurance of a validated solution</p>
<p><a href="http://lippisreport.com/2010/12/splunk-security-information-and-event-management-siem-deployment-guide/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/12/splunk-security-information-and-event-management-siem-deployment-guide/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RSA Security Information and Event Management (SIEM) Deployment Guide</title>
		<link>http://lippisreport.com/2010/12/rsa-security-information-and-event-management-siem-deployment-guide/</link>
		<comments>http://lippisreport.com/2010/12/rsa-security-information-and-event-management-siem-deployment-guide/#comments</comments>
		<pubDate>Mon, 13 Dec 2010 22:26:26 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[SIEM]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3967</guid>
		<description><![CDATA[<p><strong>By Cisco Systems and RSA</strong></p>
<p>This document is for the reader who:</p>
<p>-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide<br />
-Wants to connect Borderless Networks to an RSA SIEM solution<br />
-Wants to gain a general understanding of…</p>]]></description>
			<content:encoded><![CDATA[
<p><strong>By Cisco Systems and RSA</strong></p>
<p>This document is for the reader who:</p>
<p>-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide<br />
-Wants to connect Borderless Networks to an RSA SIEM solution<br />
-Wants to gain a general understanding of the RSA SIEM solution<br />
-Has a level of understanding equivalent to a CCNA® certification<br />
-Wants to solve compliance and regulatory reporting problems<br />
-Wants to enhance network security and operations<br />
-Wants to improve IT operational efficiency<br />
-Wants the assurance of a validated solution</p>
<p><a href="http://lippisreport.com/2010/12/rsa-security-information-and-event-management-siem-deployment-guide/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/12/rsa-security-information-and-event-management-siem-deployment-guide/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>nFX Cinxi One Security Information and Event Management Deployment Guide</title>
		<link>http://lippisreport.com/2010/12/nfx-cinxi-one-security-information-and-event-management-deployment-guide/</link>
		<comments>http://lippisreport.com/2010/12/nfx-cinxi-one-security-information-and-event-management-deployment-guide/#comments</comments>
		<pubDate>Mon, 13 Dec 2010 22:24:39 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[nFX Cinxi One]]></category>
		<category><![CDATA[SIEM]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3964</guid>
		<description><![CDATA[<p><strong>By Cisco Systems and nFX Cinxi One</strong></p>
<p>This document is for the reader who:</p>
<p>-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide<br />
-Wants to connect Borderless Networks to an nFX Cinxi One SIEM solution<br />
-Wants to gain…</p>]]></description>
			<content:encoded><![CDATA[
<p><strong>By Cisco Systems and nFX Cinxi One</strong></p>
<p>This document is for the reader who:</p>
<p>-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide<br />
-Wants to connect Borderless Networks to an nFX Cinxi One SIEM solution<br />
-Wants to gain a general understanding of the nFX Cinxi One SIEM solution<br />
-Has a level of understanding equivalent to a CCNA® certification<br />
-Wants to solve compliance and regulatory reporting problems<br />
-Wants to enhance network security and operations<br />
-Wants to improve IT operational efficiency<br />
-Wants the assurance of a validated solution</p>
<p><a href="http://lippisreport.com/2010/12/nfx-cinxi-one-security-information-and-event-management-deployment-guide/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/12/nfx-cinxi-one-security-information-and-event-management-deployment-guide/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>LogLogic Security Information and Event Management (SIEM) Deployment Guide</title>
		<link>http://lippisreport.com/2010/12/loglogic-security-information-and-event-management-siem-deployment-guide/</link>
		<comments>http://lippisreport.com/2010/12/loglogic-security-information-and-event-management-siem-deployment-guide/#comments</comments>
		<pubDate>Mon, 13 Dec 2010 22:20:35 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[LogLogic]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[SIEM]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3961</guid>
		<description><![CDATA[<p><strong>By Cisco Systems and LogLogic</strong></p>
<p>This document is for the reader who:</p>
<p>-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide<br />
-Wants to connect Borderless Networks to a LogLogic SIEM solution<br />
-Wants to gain a general understanding of…</p>]]></description>
			<content:encoded><![CDATA[<p><strong>By Cisco Systems and LogLogic</strong></p>
<p>This document is for the reader who:</p>
<p>-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide<br />
-Wants to connect Borderless Networks to a LogLogic SIEM solution<br />
-Wants to gain a general understanding of the LogLogic SIEM solution<br />
-Has a level of understanding equivalent to a CCNA® certification<br />
-Wants to solve compliance and regulatory reporting problems<br />
-Wants to enhance network security and operations<br />
-Wants to improve IT operational efficiency<br />
-Wants the assurance of a validated solution</p>
<p><a href="http://lippisreport.com/2010/12/loglogic-security-information-and-event-management-siem-deployment-guide/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/12/loglogic-security-information-and-event-management-siem-deployment-guide/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ArcSight Security Information and Event Management (SIEM) Deployment Guide</title>
		<link>http://lippisreport.com/2010/12/arcsight-security-information-and-event-management-siem-deployment-guide/</link>
		<comments>http://lippisreport.com/2010/12/arcsight-security-information-and-event-management-siem-deployment-guide/#comments</comments>
		<pubDate>Mon, 13 Dec 2010 22:18:26 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[ArcSight]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[SIEM]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3957</guid>
		<description><![CDATA[<p><strong>By Cisco Systems and ArcSight</strong></p>
<p>This document is for the reader who:</p>
<p>-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide<br />
-Wants to connect Borderless Networks to the ArcSight SIEM solution<br />
-Wants to gain a general understanding of…</p>]]></description>
			<content:encoded><![CDATA[<p><strong>By Cisco Systems and ArcSight</strong></p>
<p>This document is for the reader who:</p>
<p>-Has read the Cisco Security Information and Event Management and Borderless Networks Enterprise Deployment Guide<br />
-Wants to connect Borderless Networks to the ArcSight SIEM solution<br />
-Wants to gain a general understanding of the ArcSight SIEM solution<br />
-Has a level of understanding equivalent to a CCNA® certification<br />
-Wants to solve compliance and regulatory reporting problems<br />
-Wants to enhance network security and operations<br />
-Wants to improve IT operational efficiency<br />
-Wants the assurance of a validated solution</p>
<p>Download this deployment guide here:</p>
<p><a href="http://lippisreport.com/2010/12/arcsight-security-information-and-event-management-siem-deployment-guide/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/12/arcsight-security-information-and-event-management-siem-deployment-guide/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Access Control Security Best Practices for the HP Wired Infrastructure</title>
		<link>http://lippisreport.com/2010/11/access-control-security-best-practices-for-the-hp-wired-infrastructure/</link>
		<comments>http://lippisreport.com/2010/11/access-control-security-best-practices-for-the-hp-wired-infrastructure/#comments</comments>
		<pubDate>Mon, 01 Nov 2010 22:44:21 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Unified Communication]]></category>
		<category><![CDATA[Access control]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[HP Networking]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[networking]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3776</guid>
		<description><![CDATA[<p><strong>By HP Networking</strong></p>
<p>Securing your LAN network infrastructure is challenging. Factors such as cost, network instability, risk of breach and ease of implementation all play an equal part in making the right decision to retrofit an insecure, albeit functional, LAN. This…</p>]]></description>
			<content:encoded><![CDATA[<p><strong>By HP Networking</strong></p>
<p>Securing your LAN network infrastructure is challenging. Factors such as cost, network instability, risk of breach and ease of implementation all play an equal part in making the right decision to retrofit an insecure, albeit functional, LAN. This white paper outlines approaches to securing the network that we, at HP, know work, in addition to providing information about what we know does not work. Getting all of the correct pieces to fit together is not so easy, so we have also provided the necessary configuration specifics to help with securing some of those devices connected to your network that you may have forgotten about, such as network printers, VoIP phones and security cameras.</p>
<p>Find out how by downloading this white paper:</p>
<p><a href="http://lippisreport.com/2010/11/access-control-security-best-practices-for-the-hp-wired-infrastructure/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/11/access-control-security-best-practices-for-the-hp-wired-infrastructure/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Lippis Report 158: Next Generation Network Security for Data Center Protections</title>
		<link>http://lippisreport.com/2010/10/lippis-report-158-next-generation-network-security-for-data-center-protections/</link>
		<comments>http://lippisreport.com/2010/10/lippis-report-158-next-generation-network-security-for-data-center-protections/#comments</comments>
		<pubDate>Tue, 05 Oct 2010 12:29:04 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Enterprise Virtualization]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[networking]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3431</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>One significant trend that has emerged during the current business/economic cycle is that IT projects that reduce cost are winners. This savings trend is as strong as I have experienced in my twenty-five years within the IT industry. In particular,…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>One significant trend that has emerged during the current business/economic cycle is that IT projects that reduce cost are winners. This savings trend is as strong as I have experienced in my twenty-five years within the IT industry. In particular, it’s propelling data center consolidation, server virtualization and mobile computing projects. As enterprises consolidate data centers and miniaturize them with virtualization, cloud-computing providers are busy offering a new lower cost IT delivery economic model. In short, a new tier of computing has emerged where endpoint devices are mobile and applications are delivered via corporate data centers and cloud computing facilities. This new model of computing, which also increases convenience and productivity, is lacking in one important area: network security, both for mobile endpoints and in the ability of data center security appliances to keep up with application demand.</p>
<p><span id="more-3431"></span></p>
<p>And keeping up with application demand is one of the most challenging tasks IT business leaders are encountering. Not only has information demand skyrocketed during this business cycle, but content in the form of web pages has become dynamic, where a single page request opens a multitude of connections pulling content from various sources to satisfy user expectations of real-time information access. For example, a single web page request can easily spawn more than fifty network connections over physical and virtual infrastructure, placing extraordinary demands on network speed, latency, reliability and security. For the uninitiated, just point your browser to any of these sites—disney.com, cnn.com, nytimes.com, et al—and notice rich content in action. As the page is presented, it serves up video, photos, audio, rich text and more, all of which are pulled from various sources within a data center fabric over virtual and physical infrastructure. The calculus IT leaders are seeking to solve includes massive growth in information demand, plus Brownian motion traffic flows thanks to dynamic content, plus densely packed data centers thanks to virtualization. Even with consolidation and virtualization, information/application demand is forcing the overall data center market size to expand from 108 million sq. ft. in 2009 to a projected 117 million sq. ft. by year end 2010, according to Frost &#038; Sullivan. Part of the solution to IT leaders’ calculus problem is found in a data center network fabric that securely supports millions of connections/sessions of east-west and north-south traffic flows.</p>
<p>To put the mobility trend into perspective, Apple sold over 3.3 million iPads in its first 3 months, the highest uptake of any endpoint device. Google activates 100,000 Android-based phones per day. Cisco recently announced its Cius Android-based tablet for business use with tight links to its unified communications (UC) and videoconference systems. Every major UC provider will be offering similar devices while traditional computer vendors serve up Android-based tablets over the next few quarters. The iPad and Android tablets are a new tier of computing, which is driving users to access applications over mobile and wireless networks in addition to their wired and VPN networks.</p>
<p>And therein lies the rub. In today’s modern IT world, applications are being extended over multiple networks, e.g., wired, wireless, mobile and remote, where users shift their application access back and forth between these different network access methods and expect the same or a consistent experience. Security is paramount to user experience and IT asset protection. While IT security executives have fortified their defenses of IT assets within corporate boundaries or perimeters, exponentially growing numbers of mobile endpoints being connected into corporate networks and data centers present significant security challenges that are unfortunately outside the control of IT.</p>
<p>The nature of mobile smart phone endpoints is to combine personal and business IT services, thereby creating a unique user experience. Part of that experience includes information access from a plethora of online destinations, such as public Wi-Fi hotspots, SaaS applications, e.g., Salesforce.com, workday.com, netsuite.com, etc., corporate VPN, and a wide range of personal sites for social networking, banking, music, videos, news, communications, etc. Therefore, for every employee equipped with a mobile endpoint, security vulnerabilities and threats are opened unless IT mitigates them with network security. Clearly mobile devices are becoming ubiquitous, and there are security solutions available, such as VPN support, data wipe after loss, cloud-based security services, etc. But mobile devices need a security solution that works in real time, meaning it provides always-on protection and comprehensive coverage.</p>
<p>For example, mobile endpoints, and thus corporate assets, need to be protected from users accessing the corporate network from insecure home Wi-Fi networks and from hackers. Internal applications need to be secured against attacks such as SQL injection/data leakage, request forgery/impersonation, cross site scripting/phishing, etc. SaaS access needs to be secure against unauthorized access, exposure from password reuse, layer 7 attacks and more. Also, the same level of reporting for mobile users as for wired users needs to be supported to assure an activity/audit trail, regulatory compliance, and governance and reporting. In short, IT needs the same level of control over mobile endpoints as it does over devices within the corporate perimeter without ruining the mobile experience.</p>
<p><strong>Mobile Endpoint Policy and Enforcement</strong></p>
<p>The most important aspect of real-time mobile security is policy enforcement, as it places control of corporate asset and SaaS access back into the hands of IT. Not only do policy and enforcement keep threats from being transmitted from mobile endpoints onto corporate networks, they make mobile endpoints safer devices, too, by providing a means for them to adhere to corporate policy as corporate devices, even though they are used for business and pleasure. This is important as many mobile devices are purchased by employees, part of the huge consumerization trend that has been building over the last five years. With IT able to administer policy with a means of enforcement, mobile devices can deliver personal and business IT services. Employees may purchase mobile devices, but if they require access to corporate IT, then the endpoint has to comply with corporate policy and IT needs a means to enforce such policy. In short, policy and enforcement enable IT to extend the corporate perimeter around mobile devices to create a virtual perimeter around IT assets.</p>
<p>Consider the following example of policy and enforcement creating a virtual perimeter. A user may be accessing a SaaS application while at his/her desktop. This flow traverses the corporate firewall with associated policy and enforcement. When this user is outside the corporate perimeter, he/she could access the SaaS application directly without corporate policy or enforcement, opening vulnerabilities. However, with mobile policy and enforcement, this same user could access the SaaS application with the same policy, enforcement and protections as are available within the corporate perimeter, mitigating any vulnerability. Solutions to this usually require the mobile device to first pass through the corporate firewall or a security cloud service where IT controls policy before the user connects to the SaaS application.</p>
<p><strong>New Security Performance Demands</strong></p>
<p>With mobile endpoints under corporate IT policy and enforcement, this huge security vulnerability can now be managed and mitigated. At the same time that mobile devices are becoming ubiquitous, data center security appliances are failing to keep up with the huge demand for information and application access. As more compute power is concentrated into smaller spaces, traffic volume increases exponentially, and security appliances need to adjust accordingly.<br />
Consider how web sites serve up a rich media web page. Every time a user requests a webpage, its server typically needs to request 50 to 100 different objects just to display the one webpage requested. Now consider a data center with thousands of servers and five-thousand connections per second of requests each spawning 50 to 100 server requests. The backend east-to-west traffic flows between servers are one to two orders of magnitude larger than the north-to-south user request flows with the combination of both flows being immense.  </p>
<p><strong>New Firewall/IPS Performance Metrics Needed</strong></p>
<p>From a security point of view, not only is firewall throughput an important performance metric, but “connections per second” is becoming more important. A high number of “connections per second” supported assures IT that backend server flows are being screened without delaying user experience. In addition to the number of connections per second, another performance measurement is “maximum connections” supported per second to assure that the number of server-to-server flows to deliver a webpage can be securely delivered. The combination of throughput, connections per second and maximum number of connections can be defined as “true scale performance.” Typically a firewall can deliver hundreds of thousands of connections per second, but this is too slow for most demanding data centers by at least a factor of 2 to 3. The typical maximum number of simultaneous connections supported per firewall is around a few million, which is too low by at least a factor of 4 to 6. Also consider a more realistic throughput measurement than a range of UDP packet sizes, which is common in the industry. Real-world throughput numbers that represent a mixture of traffic profiles are a better measurement to assure that throughput quoted is throughput experienced.<br />
In addition to raw security performance, data center rack space also needs to be carefully managed, as IT executives quickly start running out of rack space as they consolidate. Security appliances need to reduce their footprint, as many appliances occupy 16 to 24 RU or a half rack of space and more, consuming footprint, energy and cooling resources. Expect security appliances to start delivering on the above performance metrics at up to an 8th of their size or 2 RU high if not smaller.</p>
<p><strong>Threat Protection</strong></p>
<p>To assure this security infrastructure protects IT assets at the rate at which cybercriminals and hackers wish to penetrate it, the industry is serving up cloud-based threat protection. A few suppliers have launched cloud-based security services, which collect anomalous data throughout the internet and corporate networks via sensors and analyze/correlate the anomalies with reputation scores; when a new exploit’s signature is detected, the cloud transmits mitigation code/signature updates to corporate IPSs. The speed at which this process takes place is a competitive differentiation. Those that send updates every five or so minutes have the best chance of mitigating exploits from cybercriminals, who tend to change IP address every hour to avoid detection. IT business leaders will know when cloud-based threat protection becomes highly reliable. It’s at that point that suppliers will start offering “guaranteed protection” that incorporates penalties to suppliers if protection is penetrated.<br />
Policy and enforcement of mobile devices creates a virtual perimeter while true scale performance enables security appliances to keep up with application demand and new traffic flow realities. Smaller security appliance footprint allows IT executives to maximize data center space while minimizing energy and cooling.  Cloud-based threat protection keeps the security infrastructure updated in near real time with signatures to mitigate threats throughout the corporate and virtual perimeter. In short, IT business leaders gain control and manage mobile security vulnerabilities while delivering applications to users securely at speed with small footprint consumption. Mobile, data center consolidation and virtualization plus cloud computing are powerful trends rooted in economic efficiency and increased information demand.  To maximize the value of these investments, a new security model is needed.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/10/lippis-report-158-next-generation-network-security-for-data-center-protections/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cisco Reputation Filtering: Providing New Levels of Network Security</title>
		<link>http://lippisreport.com/2010/10/cisco-reputation-filtering-providing-new-levels-of-network-security/</link>
		<comments>http://lippisreport.com/2010/10/cisco-reputation-filtering-providing-new-levels-of-network-security/#comments</comments>
		<pubDate>Tue, 05 Oct 2010 12:24:03 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Cisco Systems]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[identify]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[policy]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3476</guid>
		<description><![CDATA[<p><strong>By Cisco Systems</strong></p>
<p>Today’s sophisticated, blended threats can exploit three or four different communications vehicles before they launch full-scale attacks on unprepared enterprise networks. This white paper, written for IT managers and executives, examines the new security risks for today’s borderless…</p>]]></description>
			<content:encoded><![CDATA[<p><strong>By Cisco Systems</strong></p>
<p>Today’s sophisticated, blended threats can exploit three or four different communications vehicles before they launch full-scale attacks on unprepared enterprise networks. This white paper, written for IT managers and executives, examines the new security risks for today’s borderless enterprise networks, and describes how cloud-based Cisco® Security Intelligence Operations and powerful, comprehensive reputation filtering capabilities built into Cisco security appliances and services can help you protect your network from known and unknown threats.</p>
<p>Find out how by downloading this paper.</p>
<p><a href="http://lippisreport.com/2010/10/cisco-reputation-filtering-providing-new-levels-of-network-security/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/10/cisco-reputation-filtering-providing-new-levels-of-network-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Improved Network Security with IP and DNS Reputation</title>
		<link>http://lippisreport.com/2010/08/improved-network-security-with-ip-and-dns-reputation-by-hp-networking/</link>
		<comments>http://lippisreport.com/2010/08/improved-network-security-with-ip-and-dns-reputation-by-hp-networking/#comments</comments>
		<pubDate>Wed, 11 Aug 2010 00:06:11 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Hewlett Packard]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[HP Networking]]></category>
		<category><![CDATA[IDS]]></category>
		<category><![CDATA[network security]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3303</guid>
		<description><![CDATA[<p><strong>By HP Networking</strong>  </p>
<p>As cyber threats across the globe continue to increase in number and sophistication, security and networking personnel must not only work harder but also smarter to stay ahead of malicious attacks. Sophisticated scanning, penetrating, and obfuscating tools and…</p>]]></description>
			<content:encoded><![CDATA[<p><strong>By HP Networking</strong></p>
<p>As cyber threats across the globe continue to increase in number and sophistication, security and networking personnel must not only work harder but also smarter to stay ahead of malicious attacks. Sophisticated scanning, penetrating, and obfuscating tools and techniques are more widely available now than ever before. Worst of all, hackers are now highly motivated to penetrate networks, applications, and databases to steal information that can quickly be sold for profit using botnets and other resources they control.</p>
<p>To learn how to defend IT assets and business reputation, download this paper from HP Networking.</p>
<p><a href="http://lippisreport.com/2010/08/improved-network-security-with-ip-and-dns-reputation-by-hp-networking/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/08/improved-network-security-with-ip-and-dns-reputation-by-hp-networking/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Cisco Threat Defense for Borderless Networks</title>
		<link>http://lippisreport.com/2010/08/cisco-threat-defense-for-borderless-networks/</link>
		<comments>http://lippisreport.com/2010/08/cisco-threat-defense-for-borderless-networks/#comments</comments>
		<pubDate>Wed, 11 Aug 2010 00:01:33 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[threat defense]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3296</guid>
		<description><![CDATA[<p><strong>By Cisco Systems</strong></p>
<p>Traditional security techniques are unable to respond to threats that can arise from anywhere. To protect today’s borderless networks, IT managers must adapt by implementing faster, smarter security measures that monitor the constantly changing global landscape. This white…</p>]]></description>
			<content:encoded><![CDATA[<p><strong>By Cisco Systems</strong></p>
<p>Traditional security techniques are unable to respond to threats that can arise from anywhere. To protect today’s borderless networks, IT managers must adapt by implementing faster, smarter security measures that monitor the constantly changing global landscape. This white paper, written for IT managers and executives, examines the security risks and needs of borderless networks, details a systematic plan of action, and describes how Cisco can help implement threat defenses that will serve you today and for years to come.</p>
<p>Find out how by downloading this white paper.</p>
<p><a href="http://lippisreport.com/2010/08/cisco-threat-defense-for-borderless-networks/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/08/cisco-threat-defense-for-borderless-networks/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>STP MiTM Attack and L2 Mitigation Techniques on the Cisco Catalyst 6500</title>
		<link>http://lippisreport.com/2010/07/stp-mitm-attack-and-l2-mitigation-techniques-on-the-cisco-catalyst-6500/</link>
		<comments>http://lippisreport.com/2010/07/stp-mitm-attack-and-l2-mitigation-techniques-on-the-cisco-catalyst-6500/#comments</comments>
		<pubDate>Tue, 27 Jul 2010 23:10:22 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Catalyst]]></category>
		<category><![CDATA[Man in The Middle]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[STP]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3259</guid>
		<description><![CDATA[<p><strong>By Cisco Systems</strong></p>
<p>Spanning-Tree Protocol (STP) can be easily compromised by eavesdropping in a switched corporate environment, but this vulnerability can be mitigated using L2 security features that are available on the Cisco® Catalyst® 6500.  STP Man in The Middle (MiTM)…</p>]]></description>
			<content:encoded><![CDATA[<p><strong>By Cisco Systems</strong></p>
<p>Spanning-Tree Protocol (STP) can be easily compromised by eavesdropping in a switched corporate environment, but this vulnerability can be mitigated using L2 security features that are available on the Cisco® Catalyst® 6500. An STP Man in The Middle (MiTM) attack compromises the STP “Root Bridge” election process and allows a hacker to use their PC to masquerade as a “Root Bridge,” thus controlling the flow of L2 traffic. To understand the attack, the reader must have a basic understanding of the “Root Bridge” election process and the initial STP operations that build the loop-free topology. This paper provides an overview of the STP Root Bridge Election Process, STP MiTM Attack Guide and Mitigation Techniques for STP attacks.</p>
<p>Find out how by downloading this white paper.</p>
<p><a href="http://lippisreport.com/2010/07/stp-mitm-attack-and-l2-mitigation-techniques-on-the-cisco-catalyst-6500/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/07/stp-mitm-attack-and-l2-mitigation-techniques-on-the-cisco-catalyst-6500/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>IPv6 First Hop Security: Protecting Your IPv6 Access Network</title>
		<link>http://lippisreport.com/2010/06/ipv6-first-hop-security-protecting-your-ipv6-access-network/</link>
		<comments>http://lippisreport.com/2010/06/ipv6-first-hop-security-protecting-your-ipv6-access-network/#comments</comments>
		<pubDate>Tue, 15 Jun 2010 01:27:17 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[campus networking]]></category>
		<category><![CDATA[IPv6]]></category>
		<category><![CDATA[IT business leaders]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[UC]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=3154</guid>
		<description><![CDATA[<p><strong>By Cisco Systems</strong></p>
<p>This paper provides a brief introduction to common security threats on IPv6 campus access networks and will explain the value of using First Hop Security (FHS) technology in mitigating these threats.  An overview of the operational principle…</p>]]></description>
			<content:encoded><![CDATA[<p><strong>By Cisco Systems</strong></p>
<p>This paper provides a brief introduction to common security threats on IPv6 campus access networks and explains the value of using First Hop Security (FHS) technology in mitigating these threats. An overview of the operational principle of FHS is provided, together with some examples of how to enable FHS on Catalyst® 6500, 4500, and 3750 Series Switches. The target audience for this paper is network architects and network operation engineers.</p>
<p>Find out about FHS by downloading this Cisco whitepaper.</p>
<p><a href="http://lippisreport.com/2010/06/ipv6-first-hop-security-protecting-your-ipv6-access-network/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/06/ipv6-first-hop-security-protecting-your-ipv6-access-network/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lippis Report 145: Cisco Expands TrustSec for 802.1x Access Control, Policy, Identity and Encryption</title>
		<link>http://lippisreport.com/2010/04/lippis-report-145-cisco-expands-trustsec-for-802-1x-access-control-policy-identity-and-encryption/</link>
		<comments>http://lippisreport.com/2010/04/lippis-report-145-cisco-expands-trustsec-for-802-1x-access-control-policy-identity-and-encryption/#comments</comments>
		<pubDate>Mon, 05 Apr 2010 23:25:37 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[802.1x]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Catalyst]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[Nexus]]></category>
		<category><![CDATA[TrustSec]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2656</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Many IT leaders are striving to understand who is on their network and what they are doing.   These are two simple questions and yet, in many cases, IT business leaders do not have a good way to answer them.  And…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>Many IT leaders are striving to understand who is on their network and what they are doing. These are two simple questions and yet, in many cases, IT business leaders do not have a good way to answer them. And once IT leaders are able to obtain this information, the question then becomes what else they can do with the data: obtain a history report, perform statistics for analysis and planning, generate compliance reports and much more. To tightly link business processes with networked applications, IT leaders need to wrap policy, identity and security around users and IT assets.</p>
<p><span id="more-2656"></span></p>
<p>This is the essence of Cisco’s TrustSec: it provides security services as its primary value proposition, but the data and insight it generates assist IT business leaders with network design to meet future growth. Cisco’s TrustSec organizes and simplifies existing authentication and policy schema, allowing administrators to configure and maintain identity-based access to IT resources while identifying and applying policy based on a user’s role in the organization. TrustSec also provides encrypted links between end-points and servers. TrustSec is an architecture which builds upon existing network services embedded into network infrastructure, addressing not only security issues but delivering certain business services too.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/StevenSong-photo-150x150.jpg" /><strong>TrustSec Architecture Expands To Incorporate 802.1x &#038; NAC </strong></p>
<p><a href="/?lippis_pid=2658">Listen to the Podcast</a></p>
</div>
<p>A key pillar of strength for TrustSec is its ability to create a consistent and unified set of policies across the entire network.  Its second pillar is the ability to identify users; from the moment a user accesses the network, everything about this user is known and it follows them wherever they go.  TrustSec identity is embedded in the traffic that the user generates, which goes well beyond initial Network Access Control (NAC) and offers unique design capabilities that we’ll discuss below.   The third pillar is security, which is reflected in a number of areas such as NAC, encryption, etc.   </p>
<p>TrustSec is an architecture delivering network access control, policy, identity and encryption.  Policy is the glue that ties business processes to network behavior and thus TrustSec has expanded its role in policy creation.  TrustSec policy is segmented into three areas:</p>
<p><strong>Authentication:</strong> The foundation of the technologies is authentication, as it defines user identity. Authentication is how TrustSec understands users: who they are, what roles they have in the organization and what type of credentials they possess, as well as confirmation of these attributes. TrustSec provides multiple authentication approaches, such as 802.1x, web authentication and MAC authentication bypass (MAB). All three approaches are implemented and supported on Cisco Catalyst or Cisco Nexus switches. Cisco uses the term “Flexible Authentication” to represent these three methods. What’s unique about Cisco’s TrustSec authentication approach is that it provides all three methods together and they are completely adjustable. What this means is that IT administrators can configure these authentication methods in any sequence of their choice, in one place that hosts all authentication configurations, greatly simplifying the process of configuration and change management. There is yet another TrustSec authentication method, namely appliance-based network authentication provided by the Cisco NAC Appliance. This method expands beyond LAN switches to include wireless and remote access as well.</p>
<p>A powerful feature is that once authentication is configured on a centralized policy server all switches receive this data, easing deployment while providing consistency and scale.  No more authentication configuration on a per switch basis but rather a consistent policy is realized.  For IT leaders not ready to implement Catalyst or Nexus switch policy enforcement but who would rather use an appliance there is an in- and out-of-band NAC appliance approach to policy enforcement. </p>
<div class="pod_rel">
<p class="pod_p">Cisco TrustSec</p>
<p><a class="pdf_icon" href="/?lippis_pid=2660">Get the White Paper</a></p>
</div>
<p><strong>Authorization:</strong> Once a user has been authenticated and their organizational role confirmed, services can be designed specifically for them and implemented via control mechanisms. It’s common in the industry to assign a VLAN or ACL to the user, depending upon a layer 2 or 3 construct. TrustSec supports both VLAN and ACL implementations. What’s unique about TrustSec is that it allows IT administrators to create a security group tag or SGT. SGT essentially allows every single packet to be tracked throughout the entire infrastructure, so user control is not relegated to the initial network entry point that VLAN and ACLs dictate. SGT enables user control and support deep down in the interior of the network. For example, to strictly control access to a critical file server, an IT administrator can enable SGT to filter network egress to that server for only those allowed access. The control point is on the switch so that when traffic leaves the switch trying to reach the file server, authorized users via SGT are able to egress.</p>
<p><strong>Value-Added Services:</strong> With user authentication and authorization configured along with control, IT administrators can now design specified user services that are linked to business processes. One such service is IP telephony integration: IP phone end-points need to be authenticated and authorized but are non-user devices, meaning that they don’t possess an 802.1x supplicant and there is no human behind the device. TrustSec utilizes aspects of 802.1x to authenticate and authorize the IP phone’s user, taking into account various scenarios such as when the IP phone is powered down or it’s behind a PC, etc. Other services are guest access, device profiling, device posture and link encryption via MACSec, an IEEE standard that specifies how encryption may be used to secure links within local area networks.</p>
<p>TrustSec’s MACSec implementation is supported on the Nexus switches and on the new Cisco Catalyst 3560-X and 3750-X series switches that connect desktops, WLAN access points and laptops.  In short, with MACSec supported on Nexus 7000 and Catalyst 3560-X and 3750-X switches Cisco is working towards full native layer 2 encryption as the Nexus switches are located in the data center while the Catalyst 3000s are closet switches connecting desktops.  This is a welcome development for high security environments such as government agencies, certain research and development laboratories and other environments that require a higher level of security.  </p>
<p><strong>TrustSec Innovations</strong><br />
Cisco is announcing a set of new TrustSec features and innovations, such as Security Group Access Control List, which allows IT administrators to control group access based upon MACSec key technology. Security Group Tag Exchange Protocol (SXP) is useful for Catalyst switches that do not have the processing power to support SGT today, so Cisco developed SXP to ensure Cisco customers can use their existing Catalyst switches to participate in the overall SGT implementation. Flexible Authentication is another innovation for scenarios when end-points do not have an 802.1x supplicant and require access to an 802.1x network. Flexible Authentication offers web authentication which is useful for printers, guest access, etc.</p>
<p>Open Mode offers additional options, or modes, beyond simply denying network access, which is a dramatic event when it occurs. Cisco TrustSec designed multiple modes to ease this transition. For example, monitor mode is like an audit mode. IT is able to monitor all users and their traffic, thus allowing IT to view network dynamics before turning on 802.1x.</p>
<p>In addition to monitor mode there is ‘low impact’ mode.  In this case 802.1x authentication is engaged but allows certain types of traffic to pass onto the network even if authentication denies access.  This is useful for DNS or maintenance related network traffic; for example, allowing this specific traffic to pass even if it didn’t pass authentication.  There are configurable options for “low impact” mode.   There is also a “high security” mode where only authenticated users/devices are granted access.  </p>
<p><strong>Value-Added Services:</strong></p>
<p>There are tools to automate the process of adding value-added services, such as device profiling, which recognizes defined end-points such as a printer. This is very handy when the printer is moved, replaced or a new one is added, thus saving IT operations configuration time. Automated device profiling tracks devices by monitoring these end-points as they boot up on the network. TrustSec identifies that the new device is a printer, and then loads the printer policy, placing the printer in the right VLAN, ACL or SGT; then it updates the device database, saving IT a lot of effort.</p>
<p>Guest services are now integrated with the Cisco NAC appliance guest server, streamlining guest account creation and user notification. The integration of guest services into the NAC Appliance allows report creation; for example, history tracking. Guest services now work in both 802.1x and NAC environments, offering IT choice, convenience and simplified operations, an industry first. Thus any worker with authorization can create a guest account, reducing dependence on IT or the helpdesk, which often fielded guest access requests.</p>
<p>Posture assessment provides device compliance status, such as which version of Anti-Virus, spyware scan, network configuration assessment, etc., which is added to authentication services.</p>
<p>Cisco has built enhanced end-to-end troubleshooting and monitoring capabilities into TrustSec for 802.1x environments. When an 802.1x end-point attempts to access the network, a string of exchanges occurs between that end-point and the network. There is a protocol exchange to obtain user information while the authenticator or network switch transfers the information to the authentication policy server. During this protocol exchange between the three entities there could be a number of reasons why things do not work. Typically when things went wrong there was limited information available to IT administrators to troubleshoot and resolve the issue. To fix this problem, TrustSec collects user supplicant information from the network, the policy server and switch as a log message, which is passed through certain algorithms or scripts to isolate the problem. This increased visibility enables quick problem identification and resolution, pinpointing the trouble to the switch configuration, supplicant issue or determining whether it’s simply a wrong password. These scripts are not only useful with troubleshooting, but also compliance, as collected information can generate reports. These scripts are available in Cisco’s ACS 5.1 policy server.</p>
<p><strong>Implementing TrustSec</strong></p>
<p>There are currently two TrustSec deployment scenarios: 1) 802.1x and 2) appliance-based. In 802.1x environments, the ACS server is the policy server, with Catalyst and Nexus switches providing enforcement and RADIUS as the control plane. In the appliance-based approach, Catalyst switches provide enforcement, NAC Manager is the policy server and SNMP is the control plane. The appliance-based approach does not support SGT but it provides posture assessment, which 802.1x does not.</p>
<p>TrustSec features and attributes are implemented across many Cisco products such as the Cisco Catalyst and Nexus switches providing policy enforcement and encryption services. Policy is defined in the Cisco ACS (Access Control System) while its key authentication and authorization are implemented in the NAC Manager, Server, Profiler and Guest Server. There are two TrustSec end-point clients, those being Cisco’s or any 802.1x supplicant and its NAC client. It’s not a stretch to see that Cisco will consolidate the end-point clients and policy components over time to minimize the number of appliances needed to fully utilize TrustSec. ACS already works with the NAC Profiler and Guest Server plus directory services such as Active Directory or LDAP. Knowing Cisco, the NAC Manager may also hold all this functionality for those who choose to deploy TrustSec in an appliance form factor. Over time these two TrustSec approaches will consolidate to one, allowing 802.1x and NAC users and devices to connect to the network with one policy server and either switch or appliance enforcement method, leaving choice to IT departments. The end-point clients would fit nicely into Cisco’s AnyConnect client, offering both LAN and remote security services in one client.</p>
<p>TrustSec has expanded to include 802.1x and NAC environments offering customer choice to either proceed with one approach or a combination of the two.  TrustSec’s attributes are based on policy, identity and security.  Over time we expect that many of the TrustSec attributes will be integrated into the network allowing its services to be ubiquitous throughout the corporate network fabric, significantly adding to corporate security architecture.  </p>
<p>To make TrustSec truly successful Cisco should add more support for mobile and remote access end-points in addition to LAN-based end-points to the architecture.  In addition video end-points will require TrustSec services too and will have to be supported.  There are slight tradeoffs between 802.1x and NAC clients such as posture assessment and SGT support.  These two client features should blend over time and converge into one to simplify TrustSec client software.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/04/lippis-report-145-cisco-expands-trustsec-for-802-1x-access-control-policy-identity-and-encryption/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Lippis Report 144: Cloud Web Security Shifts To Content And Context Threat Detection</title>
		<link>http://lippisreport.com/2010/03/lippis-report-144-cloud-web-security-shifts-to-content-and-context-threat-detection/</link>
		<comments>http://lippisreport.com/2010/03/lippis-report-144-cloud-web-security-shifts-to-content-and-context-threat-detection/#comments</comments>
		<pubDate>Mon, 22 Mar 2010 23:01:57 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[network security]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2654</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>With all the investment in IT security over the years, one would think that threats would have subsided; but they have only increased and largely increased with exploits and iframes (redirection on a reputable website to infect its visitors) up…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>With all the investment in IT security over the years, one would think that threats would have subsided, but they have only increased, largely through exploits and iframes (redirection on a reputable website to infect its visitors), which are up by nearly a factor of 2000 over the past two years.  This has resulted in an increase in data theft Trojans over the same period by a factor of 6000, according to the 2009 ScanSafe Global Threat Report, enriching hackers and cybercriminals.  What’s driving this exploit growth is that hackers and cybercriminals are automating successful techniques for mass website infection.  In addition, hackers increasingly collaborate, sharing best practices to infect websites for personal gain.  In short, IT and business leaders are not confronting individual hackers, but a community of cybercriminals that is increasingly organized as a traditional business with suppliers, resellers and end users and is working together to steal corporate data.  And this community’s opportunities to attack individuals and corporations have only increased with the huge growth in mobile access and deep corporate reliance on web-based applications to automate business processes.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/mguntrip.jpg" /><strong>Cloud Web Security For Zero Day Threat Defense  </strong></p>
<p><a href="/?lippis_pid=2649">Listen to the Podcast</a></p>
</div>
<p>IT leaders, especially those in small- to medium-sized companies, are at a disadvantage with limited and even decreased IT staff and capital budgets, making it difficult for them to keep up with an ever-increasing volume of threats and complex exploit profiles.  To mitigate these fears and concerns, IT leaders have been turning to Cloud Web Security offerings by Cisco, BlueCoat, Websense, McAfee and others.  While limited at first to URL filtering, Cloud Web Security is becoming sophisticated enough to identify threats by analyzing content on a contextual basis.  Further, Cloud Web Security is in essence a SaaS offering that affords on-premises and mobile threat defense by extending a corporate perimeter around its mobile workforce.</p>
<p>The Web has become fundamental to business and the overall economy.  The use of the internet has evolved from a static research tool to a dynamic communication platform, with corporate revenue directly linked to Web availability.  Second, Web access is wide and varied in terms of the end-points used, be they desktops, laptops, netbooks, smartphones, kiosks, etc., and the networks providing access, such as corporate networks, broadband, WLAN and hotspots.  From a security point of view, exploits infect corporate IT assets primarily through malicious content on web sites, email and blended email/web combinations.  The Web will be used increasingly as the threat vector of choice by hackers and cybercriminals to distribute malware and perpetrate identity theft, financial fraud, and corporate espionage.  As networks have become borderless, security vulnerabilities have increased by opening up doors or entry points that hackers can exploit, be those doors end-point devices, web sites, bad sections of web sites, applications, email, etc.</p>
<p>To mitigate these vulnerabilities, IT leaders have deployed Web Security services in their enterprises in an effort to control which web sites employees access.  But with the huge growth of laptops and smartphones, Cloud Web Security has been introduced beyond the corporate perimeter to protect all users and mobile devices too.  Cloud Web Security threat prevention is getting much smarter by combining content analysis with context, offering a powerful defense against zero-day exploits for all users regardless of location.</p>
<div class="pod_rel">
<p class="pod_p">Annual Global Threat Report 2009</p>
<p><a class="pdf_icon" href="/?lippis_pid=2650">Get the White Paper</a></p>
</div>
<p><strong>Cisco ScanSafe</strong></p>
<p>To make these points, I focus on Cisco’s Cloud Web Security offering through their acquisition of ScanSafe.  Prior to Cisco’s acquisition of ScanSafe, IDC’s “Worldwide Web Security 2009-2013 Forecast and 2008 Vendor Shares” ranked it as the worldwide market leader with over 30% share, with Websense in second place at 7%.  ScanSafe’s suite of services includes <a href="http://www.scansafe.com/security">Web Malware Scanning</a>, Web Filtering and Anywhere+ for roaming user protection.  Unlike other solutions, which rely on URL databases and signatures to filter and identify malicious sites, ScanSafe, through its Outbreak Intelligence engine, scans all Web requests in real time, so IT leaders receive comprehensive protection from all threats, including threats that appear before an anti-virus signature is available – and that’s a huge advantage.</p>
<div class="pod_rel">
<p class="pod_p">ScanSafe Web Security</p>
<p><a class="pdf_icon" href="/?lippis_pid=2652">Get the White Paper</a></p>
</div>
<p>What’s unique about Cisco ScanSafe is the sheer volume of data &#8211; billions of web requests daily &#8211; it processes for threat identification.  The visibility gained from ScanSafe is also fed into Cisco’s Security Intelligence Operations (SIO), which incorporates data from IntelliShield, SensorBase and the huge footprint of participating Cisco customers who have opted in to send their IPS appliance security data to SIO, creating the largest threat collection network on the planet.  SIO’s broad threat collection and exploit mitigation dissemination will only increase the accuracy of the entire Cisco security portfolio, including ScanSafe.</p>
<div class="pod_rel">
<p class="pod_p">Web 2.0wned: A history of malware on the Web</p>
<p><a class="pdf_icon" href="/?lippis_pid=2754">Get the White Paper</a></p>
</div>
<p>Since ScanSafe is a Cloud Web Security service consisting of over 15 data centers deployed across the world, access is independent of geographic location.  In essence a user connecting to the Web will have their traffic pass through one of ScanSafe’s data centers.  In the ScanSafe data center the requested Web page is split into its basic components such as Java, PDF, Windows EXE, etc., and scanned within an analysis engine called Outbreak Intelligence for zero-day exploits via twenty-six specialized scanlets. The output of the scanlets is processed by a meta scanner that processes contextual information to decide if the content should be blocked or allowed to pass.  This process of content scanning takes less than 5ms assuring user performance is not impeded.  What’s impressive about ScanSafe is its scale.  It sees billions of web requests per day and all of this scanning and filtering of traffic is captured within Outbreak Intelligence that provides real time harvesting of data that allows it to identify and stop an exploit well before anti-virus vendors can produce a signature and propagate it to their customers.</p>
<p><strong>Signature Defense Is Not An Effective Zero Day Threat Mitigation Technique<br />
</strong><br />
For example, during the Zeus Botnet and Gumblar exploits, ScanSafe was blocking these exploits from propagating to clients well before anti-virus firms developed and distributed a signature.  This lapse of time between exploit identification, signature development and mitigation is reduced to zero in ScanSafe’s Outbreak Intelligence, offering a much better approach to defense.  Consider Gumblar, which first spiked near the 16th of April 2009 and took anti-virus vendors nearly a week to develop a signature, all the while ScanSafe was blocking it from clients.  After anti-virus vendors released a Gumblar signature, Gumblar traffic did indeed decline, but the hacker modified his/her exploit, and near the 23rd of April Gumblar spiked again, forcing the anti-virus vendors to identify it, analyze it, write a new signature and finally distribute it.  During this time ScanSafe had been blocking the mutated Gumblar from its clients.  This cycle continued for nearly six weeks starting from threat outbreak and included four hacker mutations and subsequent signatures until the anti-virus vendors delivered consistent protection.</p>
<p>The above is an example of ScanSafe’s ability to detect and block exploits at scale.  The more content ScanSafe’s data centers scan, the smarter its Outbreak Intelligence gets.  This is important for two reasons.  First, in this market the suppliers with the largest market share are rewarded with the greatest visibility into exploits and thus offer the quickest and most potent defenses.  Thus, with its dominant share, ScanSafe has a level of threat visibility that allows it to accurately and quickly mitigate exploits.  Second, since ScanSafe is a cloud-based service, it can deliver a solution for on-premise and mobile users quickly and easily.  This combination is powerful not only for large enterprises but for small- to medium-sized businesses as well, where IT skills and capital constraints had precluded them from offering the same protections as larger firms, until now.  In fact, the small to medium enterprise (SME) market can offer its employees the same level of protection as large enterprises when using ScanSafe.</p>
<p>ScanSafe’s data centers not only offer scale of processing but fault tolerance and redundancy are built into their design so that in the case of a data center outage, the data center that’s nearest in proximity is equipped with enough capacity to support all users without negatively impacting performance.  ScanSafe has a track record of 100% availability over the past 7 years.  For traveling mobile users their protection follows them anywhere in the world.  For example a traveling mobile worker may deplane in Singapore connecting to the ScanSafe Singapore data center, but upon arrival in the U.K. the London data center will service this mobile user so that his/her policy is consistent worldwide while performance is maximized.   </p>
<p><strong>Reporting Is A Key ScanSafe Differentiator</strong></p>
<p>ScanSafe reporting is arguably the most detailed in the market at analyzing web security threats and offers depth unattainable by enterprise systems thanks to its position in the cloud.  There are over 5000 customizable reports with 75 reporting attributes and 11 categories with comprehensive drill downs.  This reporting flexibility allows administrators to define important data too.  There are virtually no report design constraints, which offers great insight and visibility into web activity.  The reports are based on a data warehouse infrastructure providing cumulative, trending and forensic reports that are processed and maintained by ScanSafe’s storage, compute and network infrastructure.  Its reporting is SaaS-based, meaning that IT leaders do not need to purchase or run reporting software on-premise.  Reporting is key, as IT leaders are provided with visibility into both on-premise and off-premises Web usage, offering them tools for charge back, forensics, application planning, etc.</p>
<p><strong>Consistent or Different Policy </strong></p>
<p>Policy is an enabler for IT leaders to gain control over Web use by in-office and mobile workers.  ScanSafe delivers IT leaders control knobs over content such as URL filtering, dynamic classifications of websites, end-user education through threat labeling of search engine results before employees click on links, plus other traditional policy settings.  In addition, ScanSafe’s Anywhere+ allows IT Security leaders to set flexible on- and off-premises policy.  For example, in-office employees may have policy set for both acceptable use and malware prevention; however, off-premises employees may have policy set for malware prevention.  As Anywhere+ becomes integrated with Cisco’s AnyConnect client, this capability will be pushed to the millions of users that use the AnyConnect client.  Providing a consistent policy framework for on- and off-premises is a work in progress at Cisco, but they do have the product breadth to deliver on its implementation.</p>
<p>Cloud Web Security has been focused on URL filtering as its primary control.  But URL filtering has become less effective as a control or security technique due to the large quantities of dynamic content delivered over the internet.  URL filtering schemes are unable to identify different types of content within pages, especially within Web 2.0 sites.  This is where content analysis has blossomed as an accurate approach to identify every component of web page content that is attempting to traverse a corporate firewall or reach a mobile end-point, independent of website categorization.</p>
<p>Cloud Web Security offerings are delivering a network approach to zero-day exploit mitigation that is faster and more accurate than traditional client-based anti-virus signature approaches.  Cloud Web Security offerings that are based upon content analysis with a contextual basis are best positioned to mitigate exploits.  As these offerings are cloud-based their use is naturally extended to static and mobile locations offering protection to both desktop and mobile users with consistent reporting and customizable policy creation.   Another large benefit is that Cloud Web Security solutions are well within the reach of small- to medium-sized businesses, offering these firms an effective way to close the gap between effective defense and budget plus staff limitations.  Cloud Web Security should be considered as part of IT’s overall arsenal to defend workers and corporate assets from hacker and cybercriminal threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/03/lippis-report-144-cloud-web-security-shifts-to-content-and-context-threat-detection/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Web 2.0wned: A history of malware on the Web</title>
		<link>http://lippisreport.com/2010/03/web-2-0wned-a-history-of-malware-on-the-web/</link>
		<comments>http://lippisreport.com/2010/03/web-2-0wned-a-history-of-malware-on-the-web/#comments</comments>
		<pubDate>Wed, 17 Mar 2010 23:55:29 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Enterprise Mobility]]></category>
		<category><![CDATA[Network Infrastructure]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[cloud web security]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[ScanSafe]]></category>
		<category><![CDATA[zero day]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2754</guid>
		<description><![CDATA[<p>The Web Malware Pandemic</p>
<p>Just as the Internet, the Web, and the information age have revolutionized our businesses and our lives, these developments have also radically changed the face of crime.  Computer and Internet crime are no exception. Today, computers factor…</p>]]></description>
			<content:encoded><![CDATA[
<p>The Web Malware Pandemic</p>
<p>Just as the Internet, the Web, and the information age have revolutionized our businesses and our lives, these developments have also radically changed the face of crime.  Computer and Internet crime are no exception.  Today, computers factor in nearly every form of crime – from crimes facilitated by computers (credit card theft, for example), to crimes that are specifically computer-to-computer (malware, for example), and to crimes in which computers play an incidental supporting role (e.g. an illegal gambling bookie that keeps computerized records).  This paper addresses one single facet of cybercrime – the manipulation of Web content and Web technologies for criminal and/or illicit gains.</p>
<p>Find out how to defend Web traffic from cybercrime by downloading this paper
</p>
<p><a href="http://lippisreport.com/2010/03/web-2-0wned-a-history-of-malware-on-the-web/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/03/web-2-0wned-a-history-of-malware-on-the-web/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Annual Global Threat Report 2009</title>
		<link>http://lippisreport.com/2010/03/annual-global-threat-report-2009/</link>
		<comments>http://lippisreport.com/2010/03/annual-global-threat-report-2009/#comments</comments>
		<pubDate>Wed, 17 Mar 2010 15:30:48 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Enterprise Mobility]]></category>
		<category><![CDATA[Network Infrastructure]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[cloud web security]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[ScanSafe]]></category>
		<category><![CDATA[zero day]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2650</guid>
		<description><![CDATA[<p><strong>THE WORLD’S LARGEST SECURITY ANALYSIS OF REAL-WORLD WEB TRAFFIC<br />
By Cisco Systems</strong></p>
<p>The ScanSafe Global Threat Report is an analysis of more than a trillion Web requests processed in 2009 by the ScanSafe Threat Center on behalf of the company’s corporate clients…</p>]]></description>
			<content:encoded><![CDATA[
<p><strong>THE WORLD’S LARGEST SECURITY ANALYSIS OF REAL-WORLD WEB TRAFFIC<br />
By Cisco Systems</strong></p>
<p>The ScanSafe Global Threat Report is an analysis of more than a trillion Web requests processed in 2009 by the ScanSafe Threat Center on behalf of the company’s corporate clients in over 80 countries across five continents.  Our leading position of providing security in-the-cloud provides unparalleled insight into the real-world Web threats faced by today’s enterprise; this report represents the world’s largest security analysis of real-world Web traffic.</p>
<p>Download it now here.
</p>
<p><a href="http://lippisreport.com/2010/03/annual-global-threat-report-2009/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/03/annual-global-threat-report-2009/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cisco TrustSec</title>
		<link>http://lippisreport.com/2010/03/cisco-trustsec/</link>
		<comments>http://lippisreport.com/2010/03/cisco-trustsec/#comments</comments>
		<pubDate>Wed, 17 Mar 2010 12:00:17 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[802.1x]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Catalyst]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[Nexus]]></category>
		<category><![CDATA[TrustSec]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2660</guid>
		<description><![CDATA[<p><strong>By Cisco Systems</strong></p>
<p>The traditional network and physical perimeter is no longer the only borderline to defend information security. Collaboration, IT consumerization, mobility, and new computing technologies are driving productivity gains while presenting renewed security requirements. There is greater pressure on…</p>]]></description>
			<content:encoded><![CDATA[
<p><strong>By Cisco Systems</strong></p>
<p>The traditional network and physical perimeter is no longer the only borderline to defend information security. Collaboration, IT consumerization, mobility, and new computing technologies are driving productivity gains while presenting renewed security requirements. There is greater pressure on IT to meet the demands of a dynamic workforce, both in terms of service delivery and security challenges. New solutions are needed to protect borderless networks and to help further improve business efficiencies in the meantime. Cisco® TrustSec is such a solution.</p>
<p>To find out how to protect your network with TrustSec download this white paper now
</p>
<p><a href="http://lippisreport.com/2010/03/cisco-trustsec/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/03/cisco-trustsec/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>TrustSec Architecture Expands To Incorporate 802.1x &amp; NAC</title>
		<link>http://lippisreport.com/2010/03/trustsec-architecture-expands-to-incorporate-8021-x-nac/</link>
		<comments>http://lippisreport.com/2010/03/trustsec-architecture-expands-to-incorporate-8021-x-nac/#comments</comments>
		<pubDate>Wed, 17 Mar 2010 12:00:09 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Thought Leader Podcast Series]]></category>
		<category><![CDATA[802.1x]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Catalyst]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[Nexus]]></category>
		<category><![CDATA[TrustSec]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2658</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2010/03/cisco-trustsec/stevensong-photo/" rel="attachment wp-att-2697"><img src="http://lippisreport.com/wp-content/uploads/StevenSong-photo-150x150.jpg" alt="StevenSong-photo" title="StevenSong-photo" width="150" height="150" class="alignright size-thumbnail wp-image-2697" /></a>Cisco’s TrustSec is architecture with its implementation spread across client software, infrastructure (Catalyst &#038; Nexus) and policy (Access Control System and NAC appliance).  Cisco has expanded TrustSec to incorporate 802.1x clients allowing IT leaders to mix and match NAC and…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2010/03/cisco-trustsec/stevensong-photo/" rel="attachment wp-att-2697"><img src="http://lippisreport.com/wp-content/uploads/StevenSong-photo-150x150.jpg" alt="StevenSong-photo" title="StevenSong-photo" width="150" height="150" class="alignright size-thumbnail wp-image-2697" /></a>Cisco’s TrustSec is an architecture with its implementation spread across client software, infrastructure (Catalyst &#038; Nexus) and policy (Access Control System and NAC appliance).  Cisco has expanded TrustSec to incorporate 802.1x clients, allowing IT leaders to mix and match NAC and 802.1x endpoints.  TrustSec organizes and simplifies authentication and policy schema, allowing administrators to configure and maintain identity-based access to IT resources while identifying and applying policy based on user roles in the organization.  TrustSec also provides encrypted links at the switch port level.  Steven Song, Security Business Manager in the Network Systems &#038; Security group at Cisco Systems, joins me to discuss TrustSec and how Cisco is expanding its services and importance for IT business leaders.
</p>
<p><a href="http://lippisreport.com/2010/03/trustsec-architecture-expands-to-incorporate-8021-x-nac/">Listen to the Podcast</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/03/trustsec-architecture-expands-to-incorporate-8021-x-nac/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>ScanSafe Web Security</title>
		<link>http://lippisreport.com/2010/03/scansafe-web-security/</link>
		<comments>http://lippisreport.com/2010/03/scansafe-web-security/#comments</comments>
		<pubDate>Wed, 17 Mar 2010 02:47:29 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[cloud web security]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[ScanSafe]]></category>
		<category><![CDATA[zero day]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2652</guid>
		<description><![CDATA[<p><strong>By Cisco</strong></p>
<p>As the Internet transforms from a static resource to a utility platform enabling two-way communications, malicious threats have increased in volume and shifted their focus toward the Web. Hackers are exploiting the vulnerabilities of an open and dynamic Web…</p>]]></description>
			<content:encoded><![CDATA[
<p><strong>By Cisco</strong></p>
<p>As the Internet transforms from a static resource to a utility platform enabling two-way communications, malicious threats have increased in volume and shifted their focus toward the Web. Hackers are exploiting the vulnerabilities of an open and dynamic Web to distribute their malware rather than creating their own malicious websites. Web malware infection from reputable websites that have been compromised is not only a reality, but is now the preferred route to infect victims. This change has made traditional methods of control such as anti-virus less effective and requires an alternative approach to security.  This alternative approach is Cloud Web Security.</p>
<p>To understand Cloud Web Security, download this white paper.</p>
<p><a href="http://lippisreport.com/2010/03/scansafe-web-security/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/03/scansafe-web-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cloud Web Security For Zero Day Threat Defense</title>
		<link>http://lippisreport.com/2010/03/cloud-web-security-for-zero-day-threat-defense/</link>
		<comments>http://lippisreport.com/2010/03/cloud-web-security-for-zero-day-threat-defense/#comments</comments>
		<pubDate>Wed, 17 Mar 2010 02:46:46 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Thought Leader Podcast Series]]></category>
		<category><![CDATA[business leaders]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[cloud web security]]></category>
		<category><![CDATA[IT leaders]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[ScanSafe]]></category>
		<category><![CDATA[zero day]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2649</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2010/03/cisco-launches-anyconnect-secure-mobility-solution/mguntrip/" rel="attachment wp-att-2606"><img src="http://lippisreport.com/wp-content/uploads/mguntrip.jpg" alt="mguntrip" title="mguntrip" width="66" height="88" class="alignright size-full wp-image-2606" /></a>The Web is increasingly being used as the threat vector of choice by hackers and cybercriminals to distribute malware and perpetrate identity theft, financial fraud, and corporate espionage.  Is exploit sophistication and complexity evolving beyond traditional end-point anti-virus mitigation?  Is…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2010/03/cisco-launches-anyconnect-secure-mobility-solution/mguntrip/" rel="attachment wp-att-2606"><img src="http://lippisreport.com/wp-content/uploads/mguntrip.jpg" alt="mguntrip" title="mguntrip" width="66" height="88" class="alignright size-full wp-image-2606" /></a>The Web is increasingly being used as the threat vector of choice by hackers and cybercriminals to distribute malware and perpetrate identity theft, financial fraud, and corporate espionage.  Is exploit sophistication and complexity evolving beyond traditional end-point anti-virus mitigation?  Is a network-centric model a faster and more accurate approach to zero day threat defense, one where massive cloud computing resources are put to work identifying complex, polymorphic threats designed to evade anti-virus software and mitigating them before they reach desktop or mobile end-points?  Mark Guntrip, Product Manager at Cisco Systems, joins me to discuss Cisco ScanSafe, a Cloud Web Security offering, and debate client- versus network-based zero day threat defense.</p>
<p><a href="http://lippisreport.com/2010/03/cloud-web-security-for-zero-day-threat-defense/">Listen to the Podcast</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/03/cloud-web-security-for-zero-day-threat-defense/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lippis Report 143: Cisco AnyConnect Is A New Mobile Security Model</title>
		<link>http://lippisreport.com/2010/03/lippis-report-143-cisco-anyconnect-is-a-new-mobile-security-model/</link>
		<comments>http://lippisreport.com/2010/03/lippis-report-143-cisco-anyconnect-is-a-new-mobile-security-model/#comments</comments>
		<pubDate>Wed, 10 Mar 2010 03:16:00 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[AnyConnect]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[IronPort.]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[scan safe]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2628</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>No matter where you look today the structure of IT is fundamentally changing.  Applications are increasingly being accessed from mobile devices along with traditional laptop, desktop and even kiosk machines. SaaS has taken off and is far more prevalent than…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>No matter where you look today the structure of IT is fundamentally changing.  Applications are increasingly being accessed from mobile devices along with traditional laptop, desktop and even kiosk machines. SaaS has taken off and is far more prevalent than most executives realize, as SaaS applications are acquired through line-of-business and divisional budgets, leaving many IT leaders blind-sided and out of control, with their relevance coming into question.  As a result, corporate application portfolios are shifting in their mix under IT leaders from one of total control to partial control to none.  In short, IT leaders are finding that the largest application growth in their corporation is coming from outside of their traditional perimeter and with no control knobs.  In essence, applications and networks are becoming borderless.</p>
<p>While borderless networks offer productivity improvements by allowing work to follow individuals, IT leaders are concerned about their security implications: are corporate assets secure when applications are being accessed and used within and outside of the corporate perimeter?  Can IT leaders deliver the ease of use afforded by borderless networks securely?  In this Lippis Report Research Note we review Cisco’s new AnyConnect approach to securing mobile devices, which promises invisible use along with safeguards, visibility, control and relevance for IT security leaders.</p>
<p>With mobility comes productivity.  As users work anywhere through a wide range of devices or end-points, business productivity accelerates.  This has been the case with every cycle of computing, from mainframes, minis, PCs and internet-connected PCs to mobility today: each cycle brought a correlated, significant jump in productivity at a macro-economic level, and the mobile computing cycle will be no different.  But to seize this productivity, IT leaders need to be comfortable with mobile computing security.  And they do have a lot to be concerned about, as securing a plethora of different devices accessing both corporate and Web/SaaS applications from a vast array of locations and network access methods is a challenge.</p>
<p>Three major mobile computing themes stand out:  </p>
<p><strong>Theme one: Increase Productivity:</strong>  IT business leaders need employees to be productive, so they provide access to information, making that access as seamless as possible so employees obtain the tools they need and information they require to do their jobs.  A central component to this is providing consistency between out-of-office and in-office IT experience.  </p>
<p><strong>Theme two: Deliver Mobile Security:</strong>  Many IT leaders feel this way: “I built all of this infrastructure to protect my users when they’re sitting within the organization.  When they leave and are remote what is protecting them and corporate assets?  I protect them eight hours a day, then they go home with their laptop and get infected <a href="http://lippisreport.com/?p=2628">for 16 hours</a>.”  In short a disproportionate amount of security investment has been made within the corporate perimeter that needs to be extended to remote and mobile access.</p>
<p><strong>Theme three: End-point Agnostic:</strong> Consumerization of the enterprise is forcing IT business leaders to support not only traditional remote devices such as laptops, but also iPhones, Android, BlackBerry, netbooks and other end-points that are on the horizon such as the iPad.  Consumerization is focusing IT business leaders on delivering seamless network access with always-on security and protection across a broad array of devices to enable business productivity.</p>
<p><strong>Securing Mobile End-points With Existing Defense Techniques</strong><br />
From a security point of view, IT defense for mobile devices shares many of the same concerns as securing fixed end-points.  Unique to mobility is the security issue of lost mobile devices/end-points.  To address this concern, IT leaders typically need a complementary product that can enforce PIN locks/encryption and support remote data wipe.  Common to mobile and desktop security are concerns with acceptable use and threat protection.  Malware plus web-based threats have spiked over the past 18 months, increasing threat awareness as business press coverage of exploits has expanded.  IT leaders have data security at the top of their minds too.  Therefore, access control, threat protection, data security, etc., are security concerns common to fixed and mobile computing, with IT leaders and vendors seeking to expand/extend existing defenses to this new wave of computing.</p>
<p><strong>Legacy VPNs Too Cumbersome: A New Generation of Remote Access Emerges </strong><br />
Clearly, existing technologies such as Virtual Private Networks (VPNs) are a remote access approach that seeks to provide a solution to mobile computing, but they fall short. The challenge with legacy VPNs is their cumbersome use model, with multiple boxes to check, tokens and keys to exchange, plus certificates to obtain.  The process is not transparent and as a result is too painful to use, so legacy VPNs are used only when absolutely necessary.  This difficulty of use is both a lost productivity opportunity and a security vulnerability.</p>
<p>For the vast majority of the time a user is outside the corporate network, the user’s end-point is unconnected to that network and thus largely unprotected and invisible to IT.  Laptops in essence have no security except perhaps a desktop anti-virus (AV) client, which is becoming less and less effective over time because signature-based defenses lag exploit propagation.  Connectivity may even be so rare that end-points spend much of their time out of compliance on patch levels. SaaS makes the problem even worse. Many use SaaS applications such as Salesforce.com, et al., to conduct business-critical or business-relevant tasks by simply accessing these sites over the internet, where IT doesn’t have visibility, let alone control, over these sessions.  Most don’t use VPNs to access SaaS applications, which would route traffic through the corporate network, because of the hassle of using them.</p>
<p>With corporate applications having moved rapidly to HTTP/Web/SaaS, the web is an increasingly fertile threat breeding ground, and web security requires a new defense model.  There are web security solutions in the market such as Websense and BlueCoat, but their current models are limited to URL-filtering clients, which enforce approved URLs on each end-point.  Further, their current operating system support for clients is limited to Windows XP, omitting Mac OS X and smartphone mobile platforms.  And while URL filtering does provide limited acceptable use and malware security, it does not address data loss or access control, and thus falls short of full threat prevention, particularly given the nature and mechanism used by hackers to propagate threats today.</p>
<p><strong>Enter Cisco AnyConnect Secure Mobility</strong></p>
<p>To address mobile computing, Cisco has announced its Cisco AnyConnect Secure Mobility to combine access control and web security, which in essence creates a flexible perimeter around a corporation’s mobile end-points providing them the safeguards and security that desktop systems enjoy behind the corporate firewall.   AnyConnect Secure Mobility combines Cisco’s AnyConnect client, Cisco’s ASA (VPN, Firewall, IPS, content switch appliance), IronPort (Web security), ScanSafe (Cloud Web Security), and SIO (Security Intelligence Operation) to deliver the next generation of remote access and security for mobile end-points. </p>
<p>While AnyConnect utilizes and integrates much of Cisco’s security technology, the real innovation is how the mobile client captures ease of use and simplicity, allowing users to access both corporate and Web/SaaS applications without the hassle of traditional VPNs for any type of end-point, be it laptop, smartphone, netbook, etc., while protecting corporate assets. In many cases the user experience will be far superior to existing remote access solutions as they don’t need to be concerned with network access type, be it VPN, internet, 3G, WLAN, 4G, etc. The hope is that AnyConnect will provide IT leaders with the assurances they need to enable employees to embrace mobile computing allowing their corporations to exploit its productivity advantages.  </p>
<p><strong>Making Remote Access Secure and Invisible</strong></p>
<p>AnyConnect is a pervasive end-point client controlling network access and security.  The idea is that it fades away into the background, versus the very manual VPN configuration of today.  AnyConnect decides where to connect and establishes the connection when the end-point needs to network.  If a laptop or iPhone moves from WiFi to the 3G network, AnyConnect figures out what it needs to establish the connections.  In addition, AnyConnect provides persistence, keeping all session state.  The more intelligent AnyConnect gets over time, the more it will fade into the background, being invisible to the user.  Cisco is committing to a broad range of device support.  Windows XP, Vista, Windows 7 and Mac OS X laptops are supported.  Smartphones such as Apple’s iPhone, Android and Windows Mobile devices are rapidly changing the enterprise mobility landscape, which has been dominated by BlackBerry thus far, and it seems logical that these end-points will be supported by Cisco at some point.</p>
<p><strong>Flexible Policy Creation</strong></p>
<p>For web security clients AnyConnect delivers an innovation around policy so that specific policies for remote workers can be distinguished and reported differently than desktop policies.  This is important from a compliance point of view as IT leaders often set policy for workers within the network perimeter around “acceptable use” and from a compliance and liability standpoint IT leaders need to be concerned with “where” users go on the web.   However, when an employee is home on their own time using their laptop to browse the internet, IT Security leaders don’t care “as much” about which web sites they visit, only that they are secure and protected from propagating threats.   Therefore, AnyConnect allows IT Security leaders to set flexible on- and off-premises policy.  For example, in-office employees may have policy set for both acceptable use and malware prevention; however, off-premises employees may have policy set for malware prevention.</p>
<p><strong>Device Collaboration Takes Complexity Away From Mobile End-point</strong></p>
<p>AnyConnect promises to deliver an end-to-end user experience, thanks to the engineering that Cisco has done to enable the above-mentioned security products to collaborate with each other.  One example of this value is during AnyConnect user authentication via the ASA configured as the remote access VPN headend.  The ASA authentication information, along with the fact that the user is mobile, is passed to the web security appliance so that both can apply the right policy without delivering another prompt to the user, thus allowing mobile-specific policy to be applied to the remote access session.  For the mobile user this process streamlines access, as he/she is greeted not with two different screens (ASA and Web security) during authentication, but just one.</p>
<p><strong>Hybrid Hosting: The Way We Work</strong></p>
<p>Backhauling internet destined traffic from remote sites over the corporate network is unfortunately more often done for security reasons.  As many security leaders are requiring remote or mobile users to pass through the corporate perimeter to access SaaS applications and other Web content, application performance may suffer.   AnyConnect performs performance optimization between VPN and Web access scenarios to significantly lower latency improving user experience even during backhaul scenarios.  But as internet video traffic has skyrocketed there’s increased pressure and demand to maintain high user experience by allowing these flows to bypass backhauling and go straight to internet, or “enforcement points” such as a ScanSafe cloud.  AnyConnect promises to seamlessly find the closest network attach point and optimal enforcement point, whether that’s the backhaul path, a ScanSafe cloud or even a Cisco ISR G2 running in a branch office equipped with web security capabilities.  It’s logical that Cisco will release these capabilities over time.</p>
<p>Securing mobile/remote users via cloud-based services and desktop users with on-premises security appliances has emerged as an important security design approach.  Security services delivered to mobile and desktop users via cloud and on-premises solutions respectively are what some call “hybrid hosting”. Policy consistency is important to a successful hybrid hosting implementation: that is, the ability to define user access policy on one policy server and propagate it to on-premises and cloud providers, providing common enforcement, single consolidated reporting and a better user experience.</p>
<p>Key to hybrid hosting is the mobile client.  Cisco has built connection intelligence into the Cisco AnyConnect Secure Mobility Client.  AnyConnect manages connections by finding a trusted network, meaning assessing if the connection is a secure enforcement point.  If an end-point is currently connected to an unsecured public internet link, but the user application requires a secure connection, Secure Mobility Client will find it without operator intervention.  Optimal gateway detection is another feature that automatically finds the fastest gateway for VPN access and connects to it. </p>
<p><strong>Security For Thin Client End-points: Full Context Awareness</strong></p>
<p>As end-point devices become thinner and thinner, meaning devices with less processing power and memory, it becomes harder to enforce security on the end-point.  Laptops can run sophisticated AV and scanning software to protect the end-point, but this software will not run on iPhones, BlackBerries, Android, etc., as they don’t possess adequate resources to run the code.  Therefore, as end-points become thinner and their numbers balloon while threats continue to be more sophisticated and web-based, the question is how to protect these devices, and corporate IT assets from them if they become infected.  The answer is to leverage the processing power that resides within the network.  With the network providing security services on behalf of thin client mobile end-points, a consistency across devices is gained that is independent of end-point type.  Malware or exploits are identified along with web site destinations, policy can be enforced, reporting is captured and in the process IT Security leaders gain visibility.</p>
<p>For web security AnyConnect has integrated Cisco’s Web Security Appliance, which provides malware security, acceptable use, access control, and data security for web traffic. By performing this in the network rather than the end-point it’s possible to obtain powerful security capabilities such as multiple layers of malware defense and web application controls which are very difficult to deliver, especially across a breadth of end-points via an end-point solution.</p>
<p>Malware defense includes Web reputation, which is delivered by Cisco’s Security Intelligence Operation (SIO), and is effectively a risk rating for how likely a specific Web object is to be hosting malware. Additionally, multiple AV signature sets are run in parallel on suspicious traffic providing better coverage than any single engine.  Currently Cisco offers Webroot and McAfee, and is planning to offer Sophos in the near future.</p>
<p>For acceptable use, Cisco offers standard URL filtering. But URL filtering has become less effective as the number of pages on the Web is exploding, making it impossible for URL lists to keep up.  To address this, Cisco dynamically categorizes web sites in real-time.  In addition, Web 2.0 sites and tunneling applications mean that a URL filter is not enough to protect users or create meaningful policy.  Enter application control. What Cisco has done to expose web traffic is build an engine that understands web traffic and the applications that traverse within it.  That is, it is able to identify whether the traffic is IM, WebEx, Facebook, Facebook chat, an application running on Facebook such as Mafia Wars, Twitter, streaming media, etc.  With all traffic being distinguished, Web Security Appliance’s application control can “block” or “allow” the traffic but, more importantly, provide greater policy granularity.</p>
<p>Consider this.  An IT leader can develop a policy that allows chat on IM, but it’s a data security violation if a user attempts to send a file via IM.   Or a user can participate in a WebEx session but he/she can’t relinquish remote control of his/her desktop because it’s a security violation.   A user may be allowed to go to Facebook and read, but not post as this may be a potential DLP risk.   Cisco’s AnyConnect Web Security Appliance offers this deep application control thanks to its parsing of web traffic and subsequent policy granularity.<br />
It’s difficult if not impossible to obtain this level of security and policy enforcement even on a traditional mobile end-point like a laptop.  Imagine trying to make it possible for all of those smartphones that are flooding into the enterprise; virtually impossible.  This is the value of Cisco’s network-based approach.</p>
<p><strong>With SaaS Growth, IT Managers May Become Less Relevant</strong></p>
<p>With the large number of mobile devices that access SaaS applications that are out of an IT leader’s control and visibility, IT leaders have become concerned with their own relevance.  Most SaaS purchases are in fact not from IT departments but from business unit or line of business managers. Therefore, IT becomes less relevant as IT leaders don’t see this surge in SaaS application use, how to secure it and protect existing IT assets from potential threats.  As SaaS use grows so does this challenge to IT.   </p>
<p>To address this challenge, Cisco is building in SAML (Security Assertion Markup Language) assertion into the Cisco IronPort Web Security Appliance, in addition to authenticating web traffic as it egresses the enterprise.    IronPort already works with AD (Active Directory) and LDAP to authenticate users.   Therefore, Cisco is adding the capability to create a SAML token, which will offer a better user experience by delivering single sign-on into SalesForce, WebEx, Concur, Google Docs, and all SaaS applications that support SAML.  </p>
<p><strong>SaaS Access Control</strong></p>
<p>What this does for IT leaders is give control back, as IT can demand that their SaaS providers support SAML tokens, meaning that users can’t access the SaaS application directly but only through the corporate network.  So if a user is at home he/she can’t go directly to SalesForce.com and download a customer list onto his/her home PC or onto an unmanaged end-point.  Users have to come back through the corporate infrastructure via AnyConnect to obtain their token.  This provides IT leaders with both control and visibility independent of where applications are hosted, be it in their data center or the cloud.  With this link to all applications IT leaders can apply access control policy and data security policy, and in the event of data loss or theft IT leaders now have granular forensic evidence too.  With SAML tokens in IronPort, IT leaders have both control and great visibility that gives them the confidence to enable SaaS applications for workers and remain relevant.  This is a huge point as many companies don’t know how many SaaS applications are being used.  Cisco for example has over 350 SaaS applications in use throughout its corporation, which is more than likely the rule rather than the exception.</p>
<p>One critical challenge SaaS presents is when employees leave or are terminated from their employer.   How does IT remove access to these SaaS applications?  It’s easy if there are only a few SaaS applications in use, but when the number of SaaS applications grows to the tens and hundreds the process becomes daunting and DLP vulnerabilities increase.  With Cisco’s Web Application Controls IT can simply implement a zero day revocation; that is pull the terminated employee’s credential out of the AD and all access to every SaaS application is terminated.  </p>
<p>What AnyConnect is offering IT leaders are the assurances and safeguards to say yes to employees to use the IT tools they desire, be it a laptop, iPhone, SaaS applications, Android, BlackBerry, etc.  Users get a simplified way to connect to applications independent of where they are hosted, along with the protections and safeguards once only available to them while in their offices behind the corporate perimeter.  Security leaders get increased control and more security as AnyConnect extends out to that entire mobile workforce.  Cisco’s AnyConnect promises to successfully thread the needle to avoid the typical tradeoffs that accompany security products, such as security versus business process or security versus user experience.  With AnyConnect IT leaders will be able to enable business mobility, increased user experience, and protect corporate assets through strong security services.  In short, the AnyConnect Secure Mobility Client offers a simple use model for mobile workers that leverages Cisco’s ASA, IronPort Web Security Appliance, SIO, and more than likely in the future ScanSafe, to wrap a corporate perimeter around its mobile workforce.</p>
<p>For existing Cisco customers that utilize ASA and WSA, implementation of AnyConnect is straightforward and they can absorb this innovation fast.  These IT organizations would install AnyConnect Secure Mobility Client on end-points with required configuration changes to ASA and WSA.  AnyConnect can be implemented piecemeal too, starting with AnyConnect Secure Mobility Client and ASA and adding other security defenses when appropriate.</p>
<p>But to make AnyConnect a success Cisco needs to expand its smartphone support and prove that its AnyConnect Secure Mobility Client is indeed as simple and invisible as it claims.  Also, IT leaders will have to get comfortable with and trust the various enforcement points and their policy granularity.  AnyConnect will have to work in conjunction with other security technology such as anti-malware engines, PIN locks and data encryption, plus remote data wipe to protect against lost devices. Look for Cisco to partner with others to deliver these aspects of mobile security.  The key value proposition of AnyConnect is a simple yet powerful user experience.  The success of AnyConnect rests upon Cisco’s ability to deliver on the promise of an exceptional user experience with an always-connected remote access and security architecture.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/03/lippis-report-143-cisco-anyconnect-is-a-new-mobile-security-model/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Cisco Launches AnyConnect Secure Mobility Solution</title>
		<link>http://lippisreport.com/2010/03/cisco-launches-anyconnect-secure-mobility-solution/</link>
		<comments>http://lippisreport.com/2010/03/cisco-launches-anyconnect-secure-mobility-solution/#comments</comments>
		<pubDate>Wed, 10 Mar 2010 03:02:48 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Thought Leader Podcast Series]]></category>
		<category><![CDATA[Unified Communication]]></category>
		<category><![CDATA[AnyConnect]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[IronPort.]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[scan safe]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2596</guid>
		<description><![CDATA[<p><img height="150" width="125" class="alignright size-full wp-image-2587" title=" alan kessler" alt=" alan kessler" src="http://lippisreport.com/wp-content/uploads/Untitled-1.jpg"/>IT leaders are not comfortable with mobile computing security.  And they do have a lot to be concerned about as securing a plethora of different devices accessing both corporate and SaaS applications from a vast array of locations and network…</p>]]></description>
			<content:encoded><![CDATA[
<p><img height="150" width="125" class="alignright size-full wp-image-2587" title=" alan kessler" alt=" alan kessler" src="http://lippisreport.com/wp-content/uploads/Untitled-1.jpg">IT leaders are not comfortable with mobile computing security.  And they do have a lot to be concerned about, as securing a plethora of different devices accessing both corporate and SaaS applications from a vast array of locations and network access methods is a challenge.  Traditional VPN methods are too cumbersome for users and don’t factor in the huge growth in SaaS application use.  A new model for securing remote and mobile access is needed, and Cisco has delivered one.  Cisco just launched AnyConnect Secure Mobility Client, which offers a simple use model for mobile workers and leverages Cisco’s ASA, IronPort Web Security Appliance, ScanSafe, and SIO to wrap a corporate perimeter around its mobile workforce.  Kevin Kennedy, Product Marketing Manager at Cisco Systems, discusses a new approach to securing mobile computing.
</p>
<p><a href="http://lippisreport.com/2010/03/cisco-launches-anyconnect-secure-mobility-solution/">Listen to the Podcast</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/03/cisco-launches-anyconnect-secure-mobility-solution/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Lippis Report 140: Securing Networks Without Borders</title>
		<link>http://lippisreport.com/2010/01/lippis-report-140-securing-networks-without-borders/</link>
		<comments>http://lippisreport.com/2010/01/lippis-report-140-securing-networks-without-borders/#comments</comments>
		<pubDate>Mon, 25 Jan 2010 22:54:48 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[network security]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2483</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>No matter where you look today the structure of IT is fundamentally changing.  Applications are being increasingly accessed from mobile devices along with traditional laptop, desktop and even kiosk machines. Applications are downloaded for free or a few dollars on…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>No matter where you look today, the structure of IT is fundamentally changing.  Applications are increasingly being accessed from mobile devices along with traditional laptop, desktop and even kiosk machines. Applications are downloaded for free or a few dollars on mobile devices, while cloud computing and anything as a service offer a new approach to application delivery.  As a result, corporate application portfolios are shifting in their mix under IT leaders from one of total control to partial to none.  In short, IT leaders are finding that the largest application growth in their corporation is coming from outside of their traditional perimeter and with no control knobs.  In essence, applications and networks are becoming borderless.</p>
<p>While borderless networks offer productivity improvements by allowing work to follow individuals, IT leaders are concerned about their security implications: how do I secure corporate assets when applications are being accessed and used within and outside of corporate perimeters?  Can IT leaders deliver the ease of use afforded by borderless networks securely?  In this Lippis Report Research Note we offer an approach to securing networks without borders.</p>
<p><span id="more-2483"></span></p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/fred kost exec photo.jpg" /><strong>Securing Networks Without Borders</strong></p>
<p><a href="/?lippis_pid=2464">Listen to the Podcast</a></p>
</div>
<p>Traditionally, security has taken the form of a perimeter environment where IT assets are housed in the data center under tight corporate control.  This environment offers the ability to protect and control these assets.  For example, remote access via VPN for employees, customers, suppliers and partners can be managed, as security is managed via the firewall perimeter.  This approach is the traditional security model and it will stay in place for a long time to come.</p>
<p>But IT is fundamentally changing.  There is tremendous diversity in network access from a device, network type and geographic independence point of view.  The explosion in device diversity accessing networks, be it smart mobile phones such as the iPhone, BlackBerry, Nexus One, Android or laptops, notebooks, desktops, readers and kiosks, is challenging traditional IT security norms.  Not too long ago IT leaders would distribute a corporate-approved computer with a locked corporate standard software image to employees as their IT tools.  Not any longer; legitimate business applications have arrived for mobile devices, and cloud computing scenarios offer new approaches to application development and delivery.  In addition, the richness and increased velocity of applications tunneling through Port 80 further challenge perimeter security and IT control.  The new world of IT is device diversity, network access point diversity and application diversity, changing how IT leaders mitigate threats while giving users freedom of access to applications without boundaries.</p>
<p>As device and application diversity flourish, data too is increasingly being distributed.  This is very different from the IT model of the early 2000s and before, when data was centralized in data centers.  What used to be stored in a data center and locked behind a firewall is shifting out into clouds.  Salesforce.com offers a good example of how proprietary information such as sales leads and prospects is now outside a corporate perimeter and in a public cloud.  Further, most corporations don’t know how much their employees are using clouds or SaaS offerings for mission critical business functions.  One client conducted an internal survey asking business and IT leaders “how many kinds of SaaS cloud-based applications do you use?”  The initial answer was “probably a dozen or so.”  After an audit, the real answer was that well over 300 SaaS applications were being used, from ADP and engineering to Salesforce.  The bottom line is that there are a tremendous number of applications already moving outside the data center, and the question now being asked is how to protect corporate assets in this new IT environment.</p>
<div class="pod_rel">
<p class="pod_p">Cisco 2009 Annual Security Report</p>
<p><a class="pdf_icon" href="/?lippis_pid=2469">Get the White Paper</a></p>
</div>
<p><strong>The New World IT Order<br />
</strong><br />
With device, network access and application diversity booming along with distributed data, more and more of IT is happening outside the traditional corporate boundary or perimeter.  The diversity trend, while small in terms of overall corporate application use, will only grow and may very well dominate typical corporate application portfolio mixes in the next five years.  But in the meantime the traditional perimeter does not go away; it needs to be a pillar in a more expansive overall approach to securing borderless networks.</p>
<p>Borders by nature define trust and create trust boundaries.  The European Union has eliminated many borders such as walls, physical access, currency differences, etc., but what remains are rules, regulations, passports, etc.  The EU reconfigured its boundaries to allow greater freedom of movement and trade.  Networking is undergoing a similar transition as corporate defense shifts from a single perimeter to a set of pervasive fungible perimeters or trust boundaries, where protection is pushed out to follow users around based on what application they are using, how network access is gained and on what device.  Security services have to move in this direction, as forcing the new world order of IT into an old world IT security model will not scale and defend corporate IT assets.</p>
<p>For example, IT leaders could choose to back haul all their internet connections to a central site, but this will clog their enterprise network, drive up internet access bandwidth and routing requirements, and slow application performance.  In addition, more and more devices such as mobile end-points, notebooks, readers, etc., connect to the network differently than laptops, IP phones, desktops, etc., and thus don’t lend themselves to back hauling.  Therefore, IT and business leaders are thinking about a need to provide IT delivery in the cloud, or perhaps a virtual environment.  A much more dynamic approach is needed for applying security in the new IT world order.</p>
<div class="pod_rel">
<p class="pod_p">Gartner Recognizes Cisco as a Leader for Secure Web Gateway in 2009</p>
<p><a class="link_icon" href="/?lippis_pid=2480">Visit the Link</a></p>
</div>
<p><strong>An Approach to Borderless Security<br />
</strong><br />
One approach is to utilize a family of existing security appliances including firewalls, IPS, web filtering, web security, email security, VPN, etc., as a security enforcement array.  These appliances could be put to work to enforce existing and create new trust boundaries such as cloud security, the enterprise perimeter, mobile security, etc. The enforcement array can be segmented into four architecture components.  Cisco is the only large IT company to embrace this approach thus far. Cisco breaks down a secure borderless network into 1) Borderless End Zone; 2) Borderless Internet; 3) Borderless Data Center; and 4) Borderless Policy.</p>
<p>The <strong>Borderless End Zone</strong> provides security services to end-point devices, such as securing the end-point and obtaining secure network access.  End-point security is increasingly important as a plethora of new mobile and innovative end-points have emerged and are consumed en masse.  One significant trend is that end-points are thin, with little footprint or storage/memory for large security agent software.  In addition, mobile end-points access networks and IT assets differently than traditional laptops and desktops, requiring a different approach to protecting today’s powerful mobile devices that preserves the ease of user experience.  A transparent VPN connection that is able to select an appropriate persistent network connection and apply the right kind of security independent of end-point device without user intervention will go a long way to securing new thin and mobile end-points.</p>
<div class="pod_rel">
<p class="pod_p">Gartner Recognizes Cisco as a Leader in the Magic Quadrant for SSL VPNs</p>
<p><a class="link_icon" href="/?lippis_pid=2473">Visit the Link</a></p>
</div>
<p>The second component is the <strong>Borderless Internet</strong>, which plays a large enforcement array role by delivering real time threat protection, signatures, etc., to existing gateways, appliances and network infrastructure to make enforcement decisions.  For example, even though users may be accessing cloud-based applications as simple as email and not even traversing back to their corporate premises, a borderless internet applies some of the same security policies and protections afforded to them within their enterprise to enforce what users can do and then protect them from exploits and threats.  Expect to see large security portfolio moves into this enforcement array as the borderless internet develops.</p>
<p>The third security component of a secure borderless network architecture is a <strong>Borderless Data Center</strong>.  Data center network security has become more critical, particularly as servers and soon I/O become virtualized.  Data center security services such as firewalls, et al., are becoming virtualized, affording a wide range of threat protection without additional hardware.  A new dynamic security model is needed in the data center that allows security services to move without operational intervention when VM workloads are moved.  To address dynamic security, more security services are required in the hypervisor, such as moving firewall features closer to the virtualization layer.</p>
<p>The fourth and last security component of a secure borderless network architecture is <strong>Borderless Policy</strong> including access control, acceptable use, data security and exploit mitigation.  Policy has traditionally been focused on permissions and access control of resources within the corporate perimeter, but policy now needs to be pushed out across enterprise, internet and mobile networks to follow users and afford them policy enforcement.  In other words, as users traverse outside their corporation using different devices, network access and a mix of applications how do IT leaders provide the same policy enforcement across a global network and ensure that access and data usage is appropriate while protecting users and corporate assets from exploits, threats and malicious websites, avoiding back haul into the corporate perimeter?</p>
<p>The main point of borderless policy is to enable IT leaders to make greater policy decisions that are pushed out across a global network that factors who, what, when, where and how a user accesses networked resources.  Borderless policy will strive to provide ubiquitous control over how users are using IT assets across different devices.  To achieve this, policy needs to be translated into code that a machine understands, can enforce, and then monitor.  </p>
<p>Securing networks without borders needs to provide protections and enforce policy in a new set of use scenarios that are growing rapidly in their adoption and use within corporations.  This is not to say that existing IT security is not critically important.  None of today’s security appliances will be displaced or removed any time soon.  Private data centers will be with us for decades, as will the need for effective corporate perimeters. IT leaders want to leverage existing security investments to protect corporate IT assets when users access applications on mobile end-points, across and behind the perimeter.  The Secure Borderless Network offers an approach to providing security and protection by setting new boundaries for a different IT use and delivery model that will only accelerate as the global economy continues its recovery.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/01/lippis-report-140-securing-networks-without-borders/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Gartner Recognizes Cisco as a Leader for Secure Web Gateway in 2009</title>
		<link>http://lippisreport.com/2010/01/gartner-recognizes-cisco-as-a-leader-for-secure-web-gateway-in-2009/</link>
		<comments>http://lippisreport.com/2010/01/gartner-recognizes-cisco-as-a-leader-for-secure-web-gateway-in-2009/#comments</comments>
		<pubDate>Mon, 25 Jan 2010 22:44:06 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[Gartner]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[Web Gateway]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2480</guid>
		<description><![CDATA[<p>Gartner has moved Cisco up to the Leaders Quadrant in its Magic Quadrant for 2009 Secure Web Gateways. Gartner reflected in their analysis that Cisco’s long-term focus on innovation and quality has resulted in market leadership.   Gartner identifies the following…</p>]]></description>
			<content:encoded><![CDATA[
<p>Gartner has moved Cisco up to the Leaders Quadrant in its Magic Quadrant for 2009 Secure Web Gateways. Gartner reflected in their analysis that Cisco’s long-term focus on innovation and quality has resulted in market leadership.  Gartner identifies the following Cisco strengths.</p>
<p>On-Premise<br />
*	On-box malware prevention<br />
*	Performance &#038; scalability<br />
*	DLP<br />
*	Real-time categorization</p>
<p>Cloud<br />
*	Simple management interface<br />
*	Reporting<br />
*	Ease-of-deployment<br />
*	Real-time categorization
</p>
<p><a href="http://lippisreport.com/2010/01/gartner-recognizes-cisco-as-a-leader-for-secure-web-gateway-in-2009/">Visit the Link</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/01/gartner-recognizes-cisco-as-a-leader-for-secure-web-gateway-in-2009/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Gartner Recognizes Cisco as a Leader in the Magic Quadrant for SSL VPNs</title>
		<link>http://lippisreport.com/2010/01/gartner-recognizes-cisco-as-a-leader-in-the-magic-quadrant-for-ssl-vpns/</link>
		<comments>http://lippisreport.com/2010/01/gartner-recognizes-cisco-as-a-leader-in-the-magic-quadrant-for-ssl-vpns/#comments</comments>
		<pubDate>Mon, 25 Jan 2010 22:41:59 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[Gartner]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[SSL VPN]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2473</guid>
		<description><![CDATA[<p>Gartner has recognized Cisco as a Leader in the 2009 Magic Quadrant for SSL VPNs. Cisco has made the move from Visionary Quadrant last year to the Leaders Quadrant on the strength of its innovative AnyConnect VPN technology and direction.…</p>]]></description>
			<content:encoded><![CDATA[
<p>Gartner has recognized Cisco as a Leader in the 2009 Magic Quadrant for SSL VPNs. Cisco has made the move from Visionary Quadrant last year to the Leaders Quadrant on the strength of its innovative AnyConnect VPN technology and direction.  Here are a few items Gartner highlights in the report:</p>
<p>       *	Cisco is the only vendor to move from a non-leader position into<br />
                the Leaders&#8217; Quadrant</p>
<p>       *	Cisco is forging the path as 10 of the surveyed vendors consider<br />
                Cisco a major competitive threat</p>
<p>       *	Cisco exceeded all other vendors in the number of new concurrent<br />
                SSL VPN seats in the period</p>
<p>       *	Gartner clients report that feedback and satisfaction with the<br />
                Cisco SSL VPN product have improved significantly</p>
<p><a href="http://lippisreport.com/2010/01/gartner-recognizes-cisco-as-a-leader-in-the-magic-quadrant-for-ssl-vpns/">Visit the Link</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/01/gartner-recognizes-cisco-as-a-leader-in-the-magic-quadrant-for-ssl-vpns/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Cisco 2009 Annual Security Report</title>
		<link>http://lippisreport.com/2010/01/cisco-2009-mid-year-security-report-3/</link>
		<comments>http://lippisreport.com/2010/01/cisco-2009-mid-year-security-report-3/#comments</comments>
		<pubDate>Mon, 25 Jan 2010 22:38:18 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[network security]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2469</guid>
		<description><![CDATA[<p><strong>By Cisco Systems</strong></p>
<p>The Cisco Annual Security Report provides an overview of the combined security intelligence of the entire Cisco organization. The report encompasses threat information and trends collected between January and December 2009. It also provides a snapshot of the…</p>]]></description>
			<content:encoded><![CDATA[
<p><strong>By Cisco Systems</strong></p>
<p>The Cisco Annual Security Report provides an overview of the combined security intelligence of the entire Cisco organization. The report encompasses threat information and trends collected between January and December 2009. It also provides a snapshot of the state of security for that period, with special attention paid to key security trends expected for 2010.
</p>
<p><a href="http://lippisreport.com/2010/01/cisco-2009-mid-year-security-report-3/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/01/cisco-2009-mid-year-security-report-3/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Securing Networks Without Borders</title>
		<link>http://lippisreport.com/2010/01/securing-networks-without-borders/</link>
		<comments>http://lippisreport.com/2010/01/securing-networks-without-borders/#comments</comments>
		<pubDate>Mon, 25 Jan 2010 22:31:22 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Thought Leader Podcast Series]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[network security]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2464</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2008/05/network-security-20-layered-security-or-systems-approach/fred-kost-exec-photojpg/" rel="attachment wp-att-786"><img src="http://lippisreport.com/wp-content/uploads/fred kost exec photo.jpg" alt="fred kost exec photo.jpg" title="fred kost exec photo.jpg" width="66" height="88" class="alignright size-full wp-image-786" /></a>How we do IT is fundamentally changing.  Applications are increasingly being accessed from mobile devices while cloud computing offers a new approach to application delivery.  Case in point, the iPhone adoption rate is 8 times faster than AOL was!  As…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2008/05/network-security-20-layered-security-or-systems-approach/fred-kost-exec-photojpg/" rel="attachment wp-att-786"><img src="http://lippisreport.com/wp-content/uploads/fred kost exec photo.jpg" alt="fred kost exec photo.jpg" title="fred kost exec photo.jpg" width="66" height="88" class="alignright size-full wp-image-786" /></a>How we do IT is fundamentally changing.  Applications are increasingly being accessed from mobile devices while cloud computing offers a new approach to application delivery.  Case in point, the iPhone adoption rate is 8 times faster than AOL was!  As a result, corporate application portfolios are shifting in their mix from total IT manager control to partial control to none.  IT leaders are finding that the largest application growth in their corporation is coming from outside of their traditional perimeter/firewall with no control knobs.  In essence, applications and networks are becoming borderless, and as a result a new flexible security model is needed to reestablish boundaries. To address this industry concern, I talk with Fred Kost, Director Security Solutions for Cisco Systems, about a new approach to securing networks without borders.
</p>
<p><a href="http://lippisreport.com/2010/01/securing-networks-without-borders/">Listen to the Podcast</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/01/securing-networks-without-borders/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>

