Application awareness has dominated the network security conversation in recent years, and lots of upstarts have pioneered next-generation firewalls that can make security decisions based on applications rather than ports and protocols. But Cisco has remained largely silent on its plans for a next-generation firewall… until now.
This week, Cisco Systems said it would go beyond application awareness to context awareness, with its new network security architecture, SecureX.
"We are switching from a security language of IP ports and protocols -- which was appropriate for when things were more static," said Kevin Kennedy, product manager at Cisco.
Now Cisco aims to address several technology trends complicating network security architecture, including virtualization, cloud computing, mobility and the proliferation of consumer devices.
The SecureX network security architecture understands "who a user is, how they're accessing the network, what device they are using and whether that device is owned by the company," Kennedy said. "It understands what application they are trying to use … and where they are. Are they in the office or out of the office? It understands the [security] posture of the device. All these elements come together to allow rule and policy to be defined."
Firewalls are the focus of Cisco's initial SecureX launch, which begins with software updates to Cisco's Adaptive Security Appliance (ASA) 5000 series. But SecureX is also about the ability to distribute network security functionality, Kennedy said. Ultimately, enterprises will be able to deploy these security gateway capabilities on a variety of other platforms, including Nexus data center switches, Integrated Services Routers (ISR) and in the cloud.
SecureX gains this context awareness by combining data from TrustSec, Cisco's 802.1X-based access control technology; Cisco Security Intelligence Operations (SIO), a global security operations center that analyzes threats and provides signatures for them; and AnyConnect, Cisco's VPN client.
New network security architecture to roll out incrementally through 2011
Cisco will roll out context-awareness capabilities one bit at a time throughout 2011, beginning with visibility into device types and user location, followed by Lightweight Directory Access Protocol (LDAP) integration for user identity. Later in the year, Cisco will roll out application awareness, the core capability of a next-generation firewall, Kennedy said.
The SecureX network security architecture displays good marketing vision from Cisco, but whether it can execute on technology remains to be seen, said John Kindervag, senior analyst with Forrester Research.
"[SecureX architecture] is awfully tied into needing this TrustSec client. They're trying to do what people like Palo Alto and other application-level firewall vendors are already doing, but in order to bring it to market fast enough, they're having to augment their technology with clients," Kindervag said.
Cisco's apparent reliance on network flows that have been tagged with data by software agents worries Kindervag. Widely deployed client software could make the overall network security architecture challenging for enterprises to use unless Cisco offers strong, centralized management software, he said.
"I think it's going to be too hard to manage. It's the same as CSA [Cisco Security Agent]. Cisco had to end-of-life it, not because it wasn't a good product, but because it was too hard for customers to manage," he said.
Cisco also faces competition from other vendors that have already delivered next-generation firewalls and are moving on to offer more than application visibility.
Check Point introduced its 3D Security vision and its R75 appliance last week. This new appliance runs several software modules that deliver a similarly comprehensive set of security technologies in a single product: application visibility, identity awareness, data loss prevention and mobile access (SSL VPN and encryption for remote access).
Palo Alto announced a new technology partner program, which will allow its customers to extend Palo Alto's application visibility to products from third-party security vendors, such as ArcSight, NetWitness Corp., Q1 Labs, RSDA and Solera Networks.
Let us know what you think about the story; email Shamus McGillicuddy, News Editor.