The new application firewall Cisco ASA CX and the Cisco Prime Security Manager management system

© 2010 Cisco and/or its affiliates. All rights reserved.   Cisco Confidential   1
A broad range of platforms

[Figure: platform options (appliance, integrated solution, virtualization) stacked over "Context awareness" and "Classic ASA firewall"; the second build of the slide adds the Cisco ASA CX label on top of the same stack]
• Next-generation firewall
• Context-Aware Firewall
• Active/passive authentication
• Application Visibility and Control/DPI with content analysis
• Reputation-based filtering

Context dimensions: WHO   WHAT   WHERE/FROM WHERE   WHEN   HOW
WHO

• Coverage of a broad range of identification scenarios

[Figure: three identity sources]
  AD/LDAP Identity (IP Surrogate, AD Agent): non-auth-aware apps; any platform; AD/LDAP credential
  User Authentication (NTLM, Kerberos): auth-aware apps; Mac, Windows, Linux; AD/LDAP user credential
  TRUSTSEC* (Network Identity): group information; any tagged traffic
  * Future
WHAT

Coverage … classification of all traffic: 1,000+ applications
MicroApp Engine, deep analysis of application traffic: 75,000+ MicroApps
Application behavior: control of user actions inside applications
WHAT

[Figure: 60 languages; 200 countries; 20 mn URLs; 98% coverage; example user groups: Marketing, Legal, Finance]
WHERE/FROM WHERE

[Figure: HOTEL and OFFICE as access locations]
HOW

• Information from 100,000,000 endpoints

[Figure: device, OS version and state (AV, Files, Registry); Identity Services Engine]
Threat awareness

WHO   WHAT   WHERE/FROM WHERE   WHEN   HOW
Cisco SIO

[Figure: browser address bar with www.facebook.com and a GO button]
4 TB of data per day   750,000+ global sensors
30B web requests   100M email messages   35% of world traffic

SensorBase   Threat Operations Center   Dynamic Updates
$100M invested in research and development   24x7x365 operations
500 engineers, technicians and analysts   40+ languages   80+ Ph.D.s, CCIE, CISSPs, MSCEs

Threat Operations Center   Dynamic Updates
3-5 update intervals   6,500+ IPS signatures released
20+ publications   200+ parameters controlled   8M+ rules per day

Threat Operations Center   Dynamic Updates
ASA
• Core or data center
• Multi-tenant
• Active/Active Failover

ASA CX
• Campus or edge
• Application control
• Next-gen Firewall
WSA
•   Proxy server
•   Caching
•   Anti-Malware scanning
•   DLP
•   Full web security

ASA CX
•   Next-gen Firewall
•   Inline
•   All ports/protocols
•   Basic web security
[Figure: CX SSP and ASA SSP modules]
Customer needs both ASA and ASA CX? Have them order two modules in the 5585-X chassis!

Customer needs only ASA CX? Have them order one module in the 5585-X chassis!
• Management system for ASA CX
• Built into ASA CX for managing a single firewall
• Separate appliance for supporting multiple ASA CX
• RBAC
• Configuration, events and reporting
• Virtual machine or UCS appliance
Cisco ASA CX

[Figure: Context awareness and Threat awareness stacked over the Classic ASA firewall]
Thank you!


Editor's Notes

  1. While other “next-generation” firewalls allow you to add application and user awareness to firewalls, ASA CX is the only firewall that allows you to enforce security based on the complete context of a situation. This context includes the identity of the user (who), the application or web site that the user is trying to access (what), the location of the access’ origin (where), the time of access (when) and the device - type, OS version and ownership - used for the access (how). While other “next-generation” firewalls depend on primitive methods like static risk ratings assigned to applications, ASA CX is the only firewall that combines web reputation with context-awareness to enable safe access to applications. Web Reputation uses the world’s largest threat analysis system, Cisco Security Intelligence Operations (CSIO), to block malicious transactions within genuine applications. This context and threat awareness is built on the solid classic firewall capabilities of ASA, a proven stateful inspection firewall with an installed base of more than a million appliances. With the widest networking portfolio, Cisco will be able to offer these capabilities as an appliance, (in future) as part of secure routers, as blades in switches, and as part of a virtual firewall. So with ASA CX, you get the industry’s deepest feature set, on proven Cisco technology.
  3. Firewall generations:
     First generation - packet filters.
     Second generation - stateful packet filters. Credit to Nir Zuk from Check Point, but first developed at AT&T by Dave Presotto, Janardan Sharma, and Kshitij Nigam (circuit-level firewalls).
     Third generation - application-layer firewalls.
     Third generation - deep packet inspection (DPI): application DPI, granular application DPI.
  4. Where you need coarse, organization-wide or subnet-based rules, IP address-based rules are still valid. But where you need granular, user-specific rules, IP addresses are no longer a good proxy for users, due to user mobility and dynamic assignment of IP addresses.
     The primary mechanism by which “next-generation” firewalls identify users is a User-ID Agent. The User-ID Agent collects user-to-IP address mapping information from the Active Directory security logs and provides it to the firewall for use in security policies and logs. ASA CX supports this mechanism of user identification through an Active Directory Agent. This mechanism is useful mainly to get visibility into user traffic, or to apply controls on non-critical traffic. For critical access control decisions, customers, especially in highly regulated industries like Finance and Healthcare, do not like to rely on user-to-IP address mapping, because the log information could be stale, rendering the user identification obtained through this mechanism unreliable.
     To address this problem, ASA CX supports true authentication schemes like NTLM and Kerberos. When these schemes are used, clients (like browsers) authenticate users seamlessly, without asking users to fill in credentials in an authentication prompt. These schemes are secure because they never send the password in the traffic: authentication is done using a challenge-response method, based on the credentials used to log in to the endpoint. In fact, Kerberos is the default authentication mechanism on Active Directory 2000 and above. ASA CX gives you the flexibility to use the Active Directory Agent or NTLM/Kerberos for different types of traffic.
     In future, ASA CX plans to integrate with TrustSec so that administrators can leverage the device and user identity that is already available in the network. With Cisco TrustSec, you can identify and tag traffic from employees, contractors, guests, and so on. You can leverage these tags on TrustSec-enabled Cisco switches to control campus access, and on ASA CX to control access across the perimeter. As an example, you can use TrustSec to limit guest traffic to a guest network, and use ASA CX to specify the narrow list of applications or web sites that guests are allowed to access. No other firewall vendor is able to provide such diverse access control methods.
  5. Due to the proliferation of web-based applications (all traversing ports 80 and 443) and the port-hopping nature of several applications like Skype, ports are no longer a good proxy for applications. “Next-generation” firewalls address this by offering application-based visibility and control. However, merely classifying an application is no longer enough either. Now you must identify the “micro-applications” being used within a bigger application, and make the access control decision based on all of these inputs. ASA CX offers very granular controls that allow administrators to create firewall policies that match the nuanced business needs of today. ASA CX not only identifies 1,000+ applications, but also identifies 75,000+ micro applications, like Farmville on Facebook. These micro applications are bucketed into easy-to-use categories so that firewall administrators can easily allow / deny access to the relevant parts of the application; for example, on Facebook these micro applications are categorized into business, community, education, entertainment, games, and so on. Similarly, other applications like Google+, LinkedIn, Twitter, iTunes etc. are also broken down into micro applications. In addition to micro applications, ASA CX also identifies the application behavior, that is, what action the user is taking within that application. As an example, the Facebook Videos category identifies whether the user is uploading, tagging or posting a video. So an administrator may allow users to view and tag videos, but not allow users to upload a video. You could also deny any postings from users, effectively making Facebook read-only.
  6. Only Cisco has an industry-leading firewall and secure web gateway. ASA CX uses the same URL filtering database as its web security solutions. This is Cisco-owned, unlike almost all other “next-generation” firewalls, which use 3rd party URL filtering solutions. ASA CX allows you to create URL-based rules for users and groups, creating differentiated access to the internet, unlike some other vendors that only allow 1 URL filtering policy for the enterprise. Cisco’s URL filtering database has industry-leading coverage and efficacy. It provides 65 URL categories and a comprehensive URL database that encompasses sites in more than 200 countries and more than 50 languages. Cisco SIO updates the database every five minutes, taking advantage of its visibility into more than a third of global Internet traffic to provide customers with the most effective and timely coverage. URL updates are sourced from automated web crawling and classification technologies, combined with manual classification from Cisco’s global categorization team of professional researchers. Periodic, automated aging out of unused domains and sites, along with regular updates of millions of new URLs, help maintain the industry’s highest-quality web filtering database. In addition, data from thousands of participating Cisco security appliances is delivered to Cisco SIO to classify uncategorized URLs. Any miscategorization requests are responded to quickly - often within minutes.
  7. With users demanding access to data from anywhere, the choice for you is either to keep your network very restrictive, which your business leaders do not like, or to fully open up access even if that makes your network more vulnerable. As an element of context, location can play an important role in determining whether an access request is legitimate or not. For example, if the CFO accesses the finance application from his laptop as well as his iPad, maybe it is OK. However, the fact that the access from these two devices happened simultaneously from 2000 miles apart is a strong indication that one of the devices may be compromised. ASA CX allows you to create location-based policies. In the first release, you can create separate policies for local and VPN (AnyConnect) user traffic. As an example, you can allow access to a sensitive financial application from a local laptop, while denying access from a remote iPad. In future, the planned integration with TrustSec and Identity Services Engine (ISE) will allow you to set more granular policies based on where in the network you connected from. For example, if you are connecting from employee workstations in the San Jose campus > Building H, you get a different level of access than if you were connecting from a lab environment.
  8. According to a July 2011 Forrester Research survey (*), 60% of enterprises are enabling BYOD. There is tremendous pressure on security administrators to allow any time, any device access from anywhere. Often security administrators have little choice: they either keep the network closed, or open it up for all kinds of devices at the expense of security. A majority of them choose to open up network access, but this leads to complete loss of control over network access with absolutely zero visibility. Cisco security solutions like AnyConnect and Identity Services Engine (ISE) help customers enable BYOD securely. AnyConnect, installed on more than 100 mn endpoints, is the most ubiquitous VPN and secure mobility client in the market. It sends information about the device operating system and version, which ASA CX uses as elements of rich context for visibility and control. In the near future, ASA CX will leverage even richer information from ISE, like device profile, device posture, 802.1x authentication information, and so on. This will allow customers to set differentiated policy, for example, restricting network access if the device is personally owned. This will complement the TrustSec architecture, which is used for campus access control. Leveraging the same information, ASA CX can be used for edge access control. None of the other firewall vendors combines such rich application and user controls with rich device information. NOTE: If a customer has neither AnyConnect nor ISE, ASA CX will extract the device operating system from the User-Agent header of HTTP traffic. * Reference: http://www.att.com/gen/press-room?pid=21555&cdvn=news&newsarticleid=32980&mapcode
  9. We saw how complete context helps you build a much richer policy that goes beyond applications and users. Cisco has taken an architecture-based approach to combine what’s already known to the network, like user and device identity, with firewall-specific information like applications to give you complete context. In addition to context, only Cisco offers the industry’s leading threat awareness solution… (cont’d on the next slide)
  10. Mention Skype during broad AVC. Data Loss Prevention (DLP).
  11. 25 devices is not a hard limit; it is a recommendation. This will be tuned after performance testing and before FCS.
  12. The context-aware capabilities are managed through the Cisco Prime Security Manager (PriSM). PriSM is built from the ground up to address task-based workflows in a simple and efficient Web 2.0 based GUI. PriSM is available in two variants. The first is a web-based on-device version that is integrated with the ASA CX. The second is an off-box version that is typically used in situations where a network contains multiple ASA CXs. The on-device version is identical to the off-box version except for the latter’s ability to manage multiple firewalls. Thus, from a security operator’s point of view, the experience of managing the ASA CX is consistent irrespective of the management application variant – on-device or off-box – that the operator chooses. PriSM interacts with the firewalls in a schema-driven, standards-based fashion through a REST API. In future, this will allow customers to write their own scripts or develop their own custom management application if they so choose.
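Location as a context signal, from note 7 above (the CFO's laptop and iPad reaching the finance application at the same moment from 2000 miles apart): the check below is an added illustration, not Cisco's or ASA CX's code, and flags consecutive accesses by one user that would require an implausible travel speed. The event records, coordinates and the 500 mph threshold are constructed assumptions.

```python
"""Impossible-travel check over access events (added illustration, not Cisco code).
Event data, coordinates and the speed threshold below are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3959.0
MAX_PLAUSIBLE_MPH = 500.0   # assumption: faster than this between accesses is impossible travel
SAME_PLACE_MILES = 1.0      # assumption: tolerance for geolocation jitter


@dataclass(frozen=True)
class Access:
    user: str
    device: str
    lat: float
    lon: float
    when: datetime


def distance_miles(a: Access, b: Access) -> float:
    """Great-circle (haversine) distance between the two access locations."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = (sin(dlat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))


def impossible_travel(events, max_mph=MAX_PLAUSIBLE_MPH):
    """Compare each user's consecutive accesses (any device) in time order and
    return (user, earlier_device, later_device, miles, hours) for every pair
    that is too far apart for the elapsed time. Simultaneous accesses from
    different places (hours == 0) are always reported."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_user.setdefault(ev.user, []).append(ev)
    findings = []
    for user, seq in by_user.items():
        for earlier, later in zip(seq, seq[1:]):
            miles = distance_miles(earlier, later)
            if miles < SAME_PLACE_MILES:
                continue  # same place: two devices on one desk are not suspicious
            hours = (later.when - earlier.when).total_seconds() / 3600.0
            if hours == 0.0 or miles / hours > max_mph:
                findings.append((user, earlier.device, later.device,
                                 round(miles), round(hours, 2)))
    return findings


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample events (not real data): the CFO's laptop and iPad hit the
# finance application at the same moment from San Jose and New York; Alice moves
# from the Moscow office to a St. Petersburg hotel over 12 hours; Bob's laptop
# and phone are both in San Jose.
SAMPLE_EVENTS = [
    Access("cfo", "laptop", 37.3382, -121.8863, _utc(2012, 5, 1, 9, 0)),
    Access("cfo", "ipad", 40.7128, -74.0060, _utc(2012, 5, 1, 9, 0)),
    Access("alice", "laptop", 55.7558, 37.6173, _utc(2012, 5, 1, 8, 0)),
    Access("alice", "laptop", 59.9343, 30.3351, _utc(2012, 5, 1, 20, 0)),
    Access("bob", "laptop", 37.3382, -121.8863, _utc(2012, 5, 1, 10, 0)),
    Access("bob", "phone", 37.3400, -121.8900, _utc(2012, 5, 1, 10, 0)),
]


def demo_findings():
    """Run the check over the constructed events; only the CFO pair is flagged."""
    return impossible_travel(SAMPLE_EVENTS)


if __name__ == "__main__":
    for user, dev_a, dev_b, miles, hours in demo_findings():
        print(f"{user}: {dev_a} -> {dev_b}, {miles} miles in {hours} h")
```

A firewall or SIEM would feed real access logs with a geolocated source into `impossible_travel` in place of the constructed list; the result is a signal that one of the two devices may be compromised, not a verdict on its own.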