Step 1: Focus on Network-Based Malware Controls
A corporate-owned device is an important tool in maintaining corporate data security and integrity. Cisco does an outstanding job of protecting our managed-hosting environments by installing and managing multiple layers of defence on our corporate-owned and deployed computers—including antispam, antispyware, managed antivirus, host-based intrusion prevention, and patch management. However, as Cisco shifts away from managed hosting environments and corporate-owned devices, those same controls must move away from the endpoint and be built into the managed network. Cisco currently uses such tools as the Cisco IronPort Web Security Appliance (WSA), the Cisco IronPort Email Security Appliance (ESA), and Cisco Intrusion Prevention Systems (IPSs) in addition to third-party-developed protection for NetFlow, zero-day malware protection, and event management tools, among others, to protect our network (refer to Figure 4).
A security proxy such as the Cisco IronPort WSA at the Internet edge significantly reduces incoming threats from wired and wireless networks. While satisfying the network security requirements of the Cisco Any Device strategy, the Cisco IronPort WSA deployment also protects the business. In its initial deployment in Cisco Internet gateways in the Eastern United States, the WSA blocked more than 3,000,000 malicious transactions[5] over a period of 45 days[6].
The Cisco IronPort ESA is an email gateway with industry-leading threat prevention for spam, viruses, malware, and targeted attacks. It incorporates outbound controls with data-loss prevention, acceptable-use policy enforcement, and message-based encryption. Shifting email security into the network not only protects a variety of devices, it also improves productivity. For example, in one month, the Cisco IronPort ESA blocked 280 million[7] email messages to Cisco.com addresses—88 percent of the total attempted messages.
Cisco also relies on the detection capabilities of Cisco IPS for intelligence monitoring and alerting across our networks. Cisco IT and security can quickly operationalize any intelligence on threats, allowing us to identify and respond without dependency on the endpoint. Because Cisco IPS is available in dedicated appliances or integrated into Cisco firewall, switch, and router platforms, it is deployed in every Cisco location around the world. This coverage allows the Cisco Computer Security Incident Response Team (CSIRT) to act quickly on any incidents that arise across the entire network. As Cisco IT shifts from leased and managed devices to user-provided devices, the ability to closely inspect the network layer becomes paramount. With diminishing visibility into devices, investment should be made in technologies that provide comprehensive, real-time situational awareness of threats at the network layer.
Step 2: Strengthen Device Access Control
In the past, the Cisco CSIRT relied heavily on IT systems—such as inventory, asset management, and host management systems—to link devices involved in incidents to users. If a device had been compromised, the Cisco CSIRT could look it up in hardware and software inventory systems, tie it to a particular user, and communicate with that user to remediate the problem. This solution is not possible in an Any Device world. The Cisco CSIRT has significantly retooled IT systems for the Any Device strategy, for example, linking Dynamic Host Configuration Protocol (DHCP) records and MAC addresses with application login information, rather than device login information, to help determine user identity.
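As an added illustration of the DHCP-to-login correlation just described (example code, not Cisco's CSIRT tooling; the log formats, addresses and user names are constructed), the join below attributes an incident IP at a given time to the MAC address that held the DHCP lease and to the user whose application login from that IP is the latest within the lease:

```python
import re
from datetime import datetime, timedelta

# Constructed sample records in hypothetical formats (not Cisco's log formats).
DHCP_LOG = """\
2012-05-01T09:00:00 DHCPACK on 10.1.2.3 to aa:bb:cc:dd:ee:01 lease 3600
2012-05-01T10:05:00 DHCPACK on 10.1.2.3 to aa:bb:cc:dd:ee:02 lease 3600
"""
APP_LOGINS = """\
2012-05-01T09:10:00 user=alice src=10.1.2.3 app=webmail
2012-05-01T10:20:00 user=bob src=10.1.2.3 app=wiki
"""

DHCP_RE = re.compile(r"(\S+) DHCPACK on (\S+) to (\S+) lease (\d+)")
LOGIN_RE = re.compile(r"(\S+) user=(\S+) src=(\S+)")

def parse_leases(text):
    """Each DHCPACK becomes a lease window [ack time, ack time + lease seconds)."""
    leases = []
    for m in DHCP_RE.finditer(text):
        start = datetime.fromisoformat(m.group(1))
        leases.append({"ip": m.group(2), "mac": m.group(3), "start": start,
                       "end": start + timedelta(seconds=int(m.group(4)))})
    return leases

def parse_logins(text):
    return [{"at": datetime.fromisoformat(m.group(1)), "user": m.group(2), "ip": m.group(3)}
            for m in LOGIN_RE.finditer(text)]

def attribute(leases, logins, ip, at):
    """Map an incident (ip, time) to {"mac", "user"}. DHCP addresses are reused, so the
    lease window, not the IP alone, decides the device; the latest application login
    from that IP inside the lease and before the incident decides the user."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    live = [l for l in leases if l["ip"] == ip and l["start"] <= at < l["end"]]
    if not live:
        return None  # no device held this IP at that time
    lease = max(live, key=lambda l: l["start"])  # latest ACK wins when renewals overlap
    seen = [lg for lg in logins if lg["ip"] == ip and lease["start"] <= lg["at"] <= at]
    user = max(seen, key=lambda lg: lg["at"])["user"] if seen else None
    return {"mac": lease["mac"], "user": user}

if __name__ == "__main__":
    leases, logins = parse_leases(DHCP_LOG), parse_logins(APP_LOGINS)
    for when in ("2012-05-01T09:30:00", "2012-05-01T10:30:00", "2012-05-01T12:00:00"):
        print(when, attribute(leases, logins, "10.1.2.3", when))
```

Note that the same IP resolves to different devices and users at 09:30 and 10:30, which is exactly the ambiguity a bare IP-to-user lookup would get wrong.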
In the near future, the Cisco TrustSec® architecture—which provides policy-based access control, identity-aware networking, and data integrity and confidentiality services—will help to solve this problem. Through the 802.1X protocol, the Cisco TrustSec network login identifies users and associates them with their devices. It also enables Cisco to provide differentiated access in a dynamic network environment and enforces compliance for an expanding array of consumer and network-capable devices. For example, Cisco TrustSec technology can take advantage of the trusted device security baseline. When devices are regarded as trusted, they are granted full access to corporate resources on the internal network. Moreover, the Cisco Identity Services Engine (ISE) platform—Cisco’s consolidated identity and access-control solution—provides the next-generation architecture for identity and policy management.