Cisco Advances Network Security for Physical and Virtual Networks
New ASA, IPS and Security Manager releases take aim at both physical and virtual security.
Sitting at the core of Cisco's Network security portfolio is its ASA platform, which consists of hardware and the operating system that runs on the device. Cisco is now updating its ASA software to version 9.0 as part of a new security rollout that also includes a virtual ASA appliance and an updated IPS hardware appliance.
The ASA 9.0 software improves both scalability as well as the inspection capabilities of the Cisco Firewall platform.
"We took our Firewall identity capabilities that include passive and active authentication and we've now added some of the Cisco TrustSec security group tags," Jeff Aboud, Program Marketing Manager, for Enterprise Network Security at Cisco, told Enterprise Networking Planet.
TrustSec is an technology that Cisco has been promoting since 2007 as a way to implement tag based network access control. According to Aboud, the idea with the ASA 9.0 integration is to provide more identity based and content visibility, so Cisco can provide next generation firewall capabilities at data center speeds.
In February of this year, Cisco announced a similar sounding offer known as the ASA CX, which also provides TrustSec integration. Aboud explained that the ASA 9.0 release is the core operating system, while the CX is an additional context aware module that works on top of it. He noted that in order to get application level control and visibility you still need the CX.
"What we've done with ASA 9.0 is we have taken all the identity awareness and the passive and active authentication and added to it security group tags from TrustSec," Aboud said. "That gives us more identity and device information."
ASA 1000V Cloud Firewall
To date, the ASA platform has been mostly concerned with physical hardware appliances. That is now changing with the release of the ASA 1000V Cloud Firewall. The ASA 1000V is built on top of Cisco's Nexus 1000V virtual switchto provide a firewall that will run in software.
"We have taken the mainstream ASA code and we have optimized it to work in virtual and cloud environments," Aboud said. "So you can have an ASA policy that you have written for the physical world and it will now translate and work in the virtual and cloud worlds."
While the ASA platform is a next generation firewall that can optionally provide IPS capabilities, Cisco also still has a standalone IPS product portfolio.
The new IPS 4500 series provides up to 10 Gbps of performance for inspected data with the potential to scale up to 20 Gbps in a future update.
As to why an organization might want to use an IPS instead of simply just using a Next Generation Firewall, Aboud said that there are still lots of different use cases.
"A firewall by its nature is like putting a beacon on the Internet saying 'here I am', " Aboud said. "With IPS deployment scenarios, you don't necessarily want someone to know that an IPS is in place protecting the network."
He added that the reason why Cisco has both a Next Generation Firewall as well as a standalone IPS is to support customer choice for whatever the deployment scenario requires.
Cisco Security Manager 4.3
From a management perspective, the new Cisco Security Manager (CSM) 4.3 release helps network security professionals to manage all their security devices. Among the new enhancements in the 4.3 release is increased efficiency for updating device images and policies.
In the final analysis, the overall goal with Cisco's latest set of security updates is to continue to support whatever network implementations are required.
"What we've done with our security architecture is make security an implementation decision," Aboud said. "So you don't have to bolt on security afterwards, instead we can put security when, where and how you need it."