A year Cisco put forward its vision called SecureX about how it would devise ways that its network products, first its firewalls, would be able to capture information related to user devices, especially tablets and smartphones, to exert context-based security control. Today, Cisco took the first step to deliver on that vision while acknowledging more needs to be done.
At the start of the RSA Conference 2012, Cisco unveiled ASA CX Context-Aware Security, a next-generation firewall which lets administrators set security controls over user devices and network resources related to more than 1,000 applications (Facebook being but one) and many tens of thousands of granular elements within those applications, whether it be video, games, or shopping to provide visibility into application use and highly customisable access control. Cisco also reiterated its strategy is also to build this type of functionality not just into its firewalls but into its Catalyst switches and wireless switches.
"The wireless switches from Cisco will be able to say, 'that's an iPad, that's a phone," said Russell Rice, Cisco director of product marketing during a media and analyst event.
The idea behind amassing a substantial amount of technical detail about smartphones and tablets and their application usage is to give IT managers a way to decide whether specific devices should be granted network access — for instance, some companies may permit 'Bring Your Own Device' for use at work, and some may not. Components called the Identity Services Engine and TrustSec together are used for policy enforcement at the firewall point, blocking or allowing user devices to do specific things.
Rajneesh Chopra, director of product management, provided a demo of ASA CX firewall, saying it will tell you the "who, what, when, where and how" about devices. He said it will tell you about applications, such as whether anyone is uploading videos to Facebook. And it will supply fine-grained URL filtering.
Settings policies on the firewall is easy and specific
A demo of ASA CX showed how it was tracking user activity related to Web categories, destinations, applications and whether off-limits activities were attempted. Setting policy would be as simple as writing a business policy, such as "Block interns from games," Chopra noted.
The SecureX framework is also supposed to be able to aggregate threat information from Cisco AnyConnect Secure Mobility and real-time threat data from the global Cisco Security Intelligence Operation to provide security alerts.
As part of its ASA CX-unveiling event, Cisco invited a handful of corporate customers to face an audience of analysts and media to provide their take on corporate security, especially the "Bring Your Own Device" issue.
One Cisco customer, Nick Young, network support manager for Four Seasons Healthcare in the United Kingdom, said in his situation, "the business is telling me, 'now I'm going to bring my iPad in, I'm the manager.' We have to allow people to put things on, and that's where Cisco comes in." He said products like ASA CX should be a help in providing visibility into these BYOD devices and exerting fine-grained controls.
Analysts attending the ASA CX unveiling were generally congratulatory about the next-generation firewall and how Cisco is putting real product behind the SecureX concept.
"Last year it was just logos and big ideas," says IDC analyst Phil Hochmuth. "Now we have the instruction manual that comes with SecureX."
"This makes a lot of sense. And it's good to see them coming out and deploying a next-generation firewall," says Gartner analyst Neil MacDonald about ASA CX.
Firewalls and gateways as security appliances
Cisco's new senior vice president of the security and government group, Chris Young, joined just last November after the departure of Tom Gillis, formerly vice president of security technologies business unit, who had spearheaded the SecureX idea. Young acknowledged he couldn't take credit for it, but indicated his approval, saying "it makes perfect sense to me."
Young, formerly senior vice president and general manager at VMware, appears likely to lead Cisco into adapting security products to be optimised for virtualised environments.
Young said Cisco should be developing firewalls and web gateways - maybe even an intrusion-prevention system - adapted as security appliances that would run in virtualised environments. Despite his tenure at VMware, Young claims to hold no particular hypervisor bias, and in fact wants Cisco to be hypervisor-agnostic in what it does, supporting more than just VMware platform. "Open source hypervisors are popular as well," he noted.
In addition to its ASA-CX next-generation context-aware firewall, Cisco also introduced the Cisco ASA 5500-X Series of midrange security appliances intended for Internet edge deployment for small to large enterprises. These are also expected to use the SecureX approach. They include the ASA 5512-X at 1Gbps throughput; the ASA 5515-X at 1.2Gbps; the ASA 5525-X at 2Gbps; the ASA 5545-X at 3Gbps; and the ASA 555-X at 4Gbps.
Cisco also announced it has updated the Cisco CCNA security and CCNP Security certifications for training that includes Cisco ASA adaptive security appliance v. 8.3 and 8.4 software, Cisco AnyConnect 3.0 and IPSec clients, EtherChannel and new firewall features.