Cisco Expands Next Gen Firewall Capabilities
Firewalls have long operated on the model of providing deep packet inspection in order to protect IT assets. Deep packet inspection, however, has often lacked a key attribute: context awareness. Cisco is now advancing its context awareness agenda with the release of the ASA CX upgrade for its hardware firewall portfolio.
The ASA CX is part of Cisco's overall SecureX initiative that was first announced a year ago. SecureX is now being expanded with enhanced capabilities to Cisco's TrustSec security architecture.
"The story on TrustSec is we're moving it forward deeper into the network and the objective is to have TrustSec as a pervasive service on the network," Bill McGee, manager for Cisco's Security Solutions team, told InternetNews.com. "It really strengthens the network's ability to recognize and protect itself against threats."
Cisco first announced the TrustSec initiative back in 2007. The general idea behind TrustSec is to be a superset of network access control (NAC), enabling identification and security control for all devices on a network.
Cisco is also delivering new software and hardware for the ASA firewall lineup that builds on TrustSec to provide more context awareness. The ASA CX software update is available for Cisco's top-end ASA 5585 appliance and is being included on a new series of mid-range ASA devices.
McGee noted that with the ASA CX, Cisco can now do broad classification of Web-based applications such as Skype and Facebook, as well as the micro-applications that run inside of Facebook. For example, the ASA CX could enable a user to watch a video on Facebook, but block access to Farmville.
"Going deeper we can control how users interact with applications," McGee explained. "For example, a user can be blocked from uploading files to Facebook or from transferring files with Yahoo Instant Messenger."
The ASA platform is what is known in the industry as a next generation firewall (NGFW) as it also provides intrusion prevention system (IPS) capabilities. McGee noted that there are still some use cases where it makes sense for an enterprise to deploy a standalone IPS for extreme performance and scalability needs.
"Generally, these technologies (IPS and firewall) are converging, they really belong together," McGee said. "They are the peanut butter and jelly of border control."
One thing that the ASA series does not currently provide is full Web application firewall (WAF) capabilities. WAFs are intended to help protect enterprises and data centers from Web application vulnerabilities.
"The ASA doesn't do much in the area of Layer 5 traffic analysis looking at Ajax and XML traffic," McGee said. "A WAF isn't something that we don't have right now, though I know it's a device that we have on the shelf that we're looking at seriously."