The first step to having an integrated security network solution is to create self-defending networks. Some vendors try to create a "self-defending network" (SDN) by building security intelligence into the corporate network's fabric. The goal is to connect all of the point solutions (IDS, antivirus, firewalls, and access control) in an ecosystem that enables a quick reaction to an attack, just as our immune system is called into action when it detects a foreign substance. For example, an employee takes his laptop home and gets it infected with a virus while connected to the Internet. The next morning he plugs the infected system into your LAN. That virus has now bypassed all of your perimeter and remote access defenses. The user connects to your corporate headquarters and the widespread propagation of the new and deadly virus begins.
However, if you had deployed a Cisco self-defending network, this is what would happen:
- The laptop has a Cisco Security Agent (CSA) installed, which contains the Cisco Trust Agent
- The Trust Agent collects specific information about the system:
  - Antivirus signature dates
  - Patch level
  - Hotfix level
  - CSA version
- When the laptop attempts to access the network, the CSA sends the access device (router, switch, access point) the information collected by the Trust Agent
- The access device sends this information to the policy server
- The policy server decides to permit, deny, quarantine, or restrict access based on your defined policy
- The policy server identifies that the antivirus signatures have not been updated, so it sends the laptop to a quarantine zone
- The quarantine zone contains a remediation server, where the laptop receives its updated signatures
- The laptop attempts access to the network again and it is granted
The access device acts as a middleman, requesting this information from the end system and passing it on to the policy servers, where the actual access decisions are made. If the policy server indicates that restricted access can be allowed, then access control lists are rolled out controlling what this device can or cannot access. If the server indicates that the device must be quarantined, then the device is placed in a VLAN that contains the remediation server.
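To make the decision flow above concrete, here is an added example (not Cisco code, and not from the original article) of the policy-server side: it takes the posture fields the Trust Agent reports, applies site thresholds, and returns permit, restrict (ACL), quarantine (remediation VLAN) or deny, then replays the laptop story with a remediation step. Field names, thresholds and dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

TODAY = date(2005, 11, 1)    # constructed "now" for the example

def version_key(v: str) -> tuple[int, ...]:
    """Compare versions numerically so '4.10' sorts after '4.5'."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Posture:               # what the Trust Agent reports (field names assumed)
    av_signature_date: date
    patch_level: int
    hotfix_level: int
    csa_version: str         # "" means no agent answered

@dataclass
class Policy:                # site thresholds on the policy server (values constructed)
    today: date
    max_signature_age_days: int
    min_patch_level: int
    min_hotfix_level: int
    min_csa_version: str

def evaluate(p: Posture, pol: Policy) -> tuple[str, str]:
    """Return (decision, reason): permit, restrict, quarantine or deny."""
    if not p.csa_version:
        return "deny", "no Trust Agent response"       # nothing to assess
    if version_key(p.csa_version) < version_key(pol.min_csa_version):
        return "restrict", f"CSA {p.csa_version} older than {pol.min_csa_version}"
    age = (pol.today - p.av_signature_date).days
    if age > pol.max_signature_age_days:
        return "quarantine", f"antivirus signatures {age} days old"
    if p.patch_level < pol.min_patch_level or p.hotfix_level < pol.min_hotfix_level:
        return "restrict", "patch/hotfix level below policy"
    return "permit", "compliant"

ENFORCEMENT = {              # what the access device rolls out for each decision
    "permit": "no restriction",
    "restrict": "restricted ACL on the port",
    "quarantine": "port moved to remediation VLAN",
    "deny": "port blocked",
}

def connect_with_remediation(p: Posture, pol: Policy) -> list[str]:
    """The laptop story: attempt, remediation if quarantined, second attempt."""
    first, _ = evaluate(p, pol)
    if first != "quarantine":
        return [first]
    p.av_signature_date = pol.today          # remediation server pushes fresh signatures
    second, _ = evaluate(p, pol)
    return [first, second]
```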
Sounds great -- What are the downfalls?
Cisco claims their infrastructure uses existing investments in corporations' current environments. However, this is only true if you run all Cisco network devices and if your current antivirus software and other point solution vendors are participating in this game. This will become more of a realistic solution if Cisco can convince more security product vendors to be compliant with their infrastructure design AND if Cisco can convince users to purchase more of their equipment.
This solution must also address all access methods from all of your end systems. This may include wireless, remote, dialup and VPN connections along with all WAN and LAN links. Again, if you are running a purely Cisco shop, then you will be closer than other companies who use various products. However, just because you are an all-Cisco shop does not necessarily mean that you have all of the components to "activate" a self-defending network. This initiative has really just begun and will be carried out in a phased approach. Therefore, you will have a lot more spending to do.
Phase I, released in June 2004, only covers Cisco routers communicating with the Trust Agents on end systems running Microsoft NT, XP, and 2000. The routers can enable ACLs to restrict communication for non-compliant systems, but cannot quarantine devices to segments that contain remediation servers. This phase also kicked off the collaborative efforts between Cisco, Network Associates, Symantec and Trend Micro.
In Phase II, Cisco switches will have the ability to quarantine noncompliant systems to VLAN segments, where remediation servers will be placed. These remediation servers will push the necessary policy components to the noncompliant systems. Remote access connections using IPSec will be supported along with additional operating systems in this phase as well.
In the following phases, Cisco will integrate support for other security products and appliances, as in wireless access points and firewalls.
Is Cisco the only choice?
Most likely. For a vendor to pull this off, they must either have sophisticated agents on the different workstations, servers, and network devices that can understand and communicate with heterogeneous devices, or the vendor must be large enough to provide the homogeneous network devices with the intelligence built in and have the industry pull to convince other vendors to buy in and participate in this type of solution, as Cisco is attempting. To date, the point solution vendors participating in Cisco's SDN are mainly antivirus solution providers, but Cisco is providing access to their APIs so that everyone can jump on the bandwagon. Cisco's goal is to get patch management and other types of security vendors integrated.
Enterasys Networks and other vendors have built some similar functions into their network devices, such as embedded intrusion detection and prevention and antivirus functionality, but these vendors will most likely not be able to gain true market share when competing with Cisco to develop a full self-defending network.
So a self-defending ecosystem type of network is a fascinating concept, but in the beginning it will most likely be riddled with many of the issues of our point solutions: false positives, self-imposed denial of service, more man-hours than anyone expects, high costs, etc. Nevertheless, if this catches on, it will be a REAL evolutionary step in technology-based security and Cisco will be ahead in the game.
This was first published in November 2005