Cisco network appliance security: Does 'self-defending' network stack up?

Cisco has for years touted its concept of a "self-defending" network, but what does it actually entail? In this expert response, Anand Sastry explains what "self-defending" means (at least, according to vendors), and whether it's really possible.

Cisco Systems Inc. for several years has touted its vision of the "self-defending" network. What would you say are the key technical concepts behind Cisco's philosophy, and, as of now, has it been a success?
My takeaway from Cisco Systems Inc.'s vision of "self-defending" network appliance security is that it is a tightly coupled collection of appliances that address security all the way up the network stack. The goal is to provide an integrated platform that adapts to the changing threat landscape and supports collaboration among the various components to provide effective protection and ease of management.

A possible architecture for a self-defending network could include (please note that I have focused on the Cisco platform but other best-of-breed solutions are possible as well): A regular 6500 chassis can be configured to house a firewall blade (ACE/FWSM), an IPS module (IDSM2), content management modules and, potentially, a dedicated Web application firewall (ACE WAF). This provides a platform to protect against signature-based network- and application-level attacks, at the same time providing for zero-day protection through an endpoint security product. The data correlation and analysis of data from each of those appliances is achieved using Cisco's Security Monitoring, Analysis and Response System, or MARS, which is Cisco's proprietary security information event management (SIEM) product.

A typical proactive mitigation example could involve the security agent detecting suspicious activity on a host PC, which it then forwards to the MARS platform. The MARS platform then collaborates with the IPS module to monitor flows to and from that endpoint and cut off any potential attacks.

One thing to keep in mind, however, is that you do not have to be Cisco-centric in building a "self-defending" stack that incorporates the devices listed above. The key to having an effective multi-vendor "self-defending" stack is to ensure each security point product is able to collaborate with the others. This collaboration can be quite complicated and difficult, given that most vendor platforms are either point products built on a closed platform, or are built to support their own integrated security stacks. An example of an open platform that supports multiple vendor security products is the Crossbeam X-Series platform.
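The mitigation workflow the answer describes (endpoint agent alert, forwarded to the SIEM, correlated with IPS flow data, then a monitor-or-block decision) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Cisco MARS, IPS or Security Agent code, and the `AGENT`/`FLOW` key=value log format, the host addresses, the severity scale and the signature names are all constructed for the illustration. It ingests both event sources, correlates them per host, and escalates from "monitor" to "block" when an IPS signature fires on a watched host or when that host fans out to an unusual number of destination/port pairs.

```python
"""Toy SIEM-style correlation of endpoint-agent alerts with IPS flow events.

Constructed example modelling the workflow described above; the log format,
thresholds and sample data are assumptions, not a vendor format.
"""
import re
from collections import defaultdict

# Constructed sample log (not a real Cisco format): agent alerts and IPS flows.
SAMPLE_LOG = """\
AGENT host=10.0.0.5 sev=4 msg="process injection into explorer.exe"
AGENT host=10.0.0.7 sev=2 msg="new scheduled task created"
AGENT host=10.0.0.9 sev=5 msg="unexpected service installed"
AGENT host=10.0.0.11 sev=3 msg="unsigned driver loaded"
FLOW src=10.0.0.5 dst=10.0.1.1 dport=445
FLOW src=10.0.0.5 dst=10.0.1.2 dport=445
FLOW src=10.0.0.5 dst=10.0.1.3 dport=445
FLOW src=10.0.0.5 dst=10.0.1.4 dport=445
FLOW src=10.0.0.5 dst=10.0.1.5 dport=445
FLOW src=10.0.0.9 dst=10.0.2.8 dport=80 sig="constructed-sig-1"
FLOW src=10.0.0.11 dst=10.0.3.3 dport=443
FLOW src=10.0.0.7 dst=10.0.3.4 dport=443 sig="constructed-sig-2"
"""

# key=value pairs; values may be double-quoted to allow spaces.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one log line into (record kind, dict of fields)."""
    kind, _, rest = line.partition(" ")
    fields = {k: (quoted or bare) for k, quoted, bare in KV.findall(rest)}
    return kind, fields


def correlate(lines, severity_threshold=3, fanout_threshold=5):
    """Correlate agent alerts with IPS flows and return {host: (action, reasons)}.

    - An AGENT alert at or above severity_threshold puts the host on a watch list.
    - FLOW records are collected for every source so ordering does not matter.
    - A watched host is blocked if any IPS signature fired on its traffic or if it
      reached at least fanout_threshold distinct (dst, dport) pairs; otherwise it
      is only monitored.
    """
    watched = {}                      # host -> list of agent alert messages
    dsts = defaultdict(set)           # src -> {(dst, dport), ...}
    sigs = defaultdict(set)           # src -> {signature, ...}
    for line in lines:
        if not line.strip():
            continue
        kind, f = parse_line(line)
        if kind == "AGENT" and int(f["sev"]) >= severity_threshold:
            watched.setdefault(f["host"], []).append(f["msg"])
        elif kind == "FLOW":
            dsts[f["src"]].add((f["dst"], int(f["dport"])))
            if "sig" in f:
                sigs[f["src"]].add(f["sig"])

    verdicts = {}
    for host, msgs in watched.items():
        reasons = [f"agent: {m}" for m in msgs]
        action = "monitor"
        if sigs[host]:
            action = "block"
            reasons.append(f"IPS signatures: {sorted(sigs[host])}")
        elif len(dsts[host]) >= fanout_threshold:
            action = "block"
            reasons.append(f"fan-out to {len(dsts[host])} destination/port pairs")
        verdicts[host] = (action, reasons)
    return verdicts


if __name__ == "__main__":
    for host, (action, reasons) in correlate(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {action}  ({'; '.join(reasons)})")
```

Run on the constructed sample, 10.0.0.5 and 10.0.0.9 are blocked (fan-out and an IPS signature respectively), 10.0.0.11 is only monitored, and 10.0.0.7 never appears in the verdicts even though a signature fired on its traffic, because its agent alert was below the watch threshold. That last case is the point the answer makes about collaboration: a real correlation engine scores evidence from every component together rather than gating on one product's verdict, which is why the integration between point products matters more than any single appliance.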

This was last published in July 2010
