Cisco's Unified Security
Page 1 of 1
Cisco's Secure Wireless Solution is the latest move by the San Jose, California-based company to continue its push to unify wired and wireless, this time with a focus on security. It combines use of various items: a Network Admission Control (NAC) Appliance, ASA Firewall, Cisco Security Agent (CSA) software, IPS Software, Secure ACS server and Cisco Secure Services Client.
Chris Kozup, manager for mobility solutions at Cisco, says, "The industry has come a long way on the quality of security for wireless... what we haven't delivered is unification of the security in wireless and also in wired. Ultimately, customers want a common security framework and architecture for their enterprise network."
Kozup says the NAC Appliance enforces the "client/device posture" by checking to see that computers have the latest anti-virus, spyware and patch definitions installed. This requires a software applet to be running in the background on the hardware. Without the latest software, the hardware is quarantined until it is up to date.
"That has historically existed in the wired world," Kozup says. "Wireless is just transport. The integration we have allows for a wireless client to come in and let the controller handle the authentication direction with the appliance."
Other features of the Secure Wireless Solution include wired/wireless wireless intrusion detection (IDS) and intrusion prevention services (IPS), which now check the physical and application layers on both parts of the network before a rogue can get access. That can include the corporation's own users, who may have been traveling and used an untrusted network. "The IPS box will instruct the controller to send a 'client shun,' a disassociate request, so it can't get on the physical layer," says Kozup. Coupled with the location services Cisco now offers, "We can then find, through the console, where it is in the facility," he says.
Kozup says that protection for a network has three pillars: how you encrypt data in transit so it's not compromised, protecting the corporate back-end IT systems so the WLAN isn't just a backdoor entry route (handled with IDS/IPS), and also protecting data that's mobile. "Not data in transit, but data stored on a mobile device, not even necessarily in use," he says.
For that, the CSA handles the host protection as a personal client firewall that helps enforce the network's policies on how a user connects. "CSA lets us detect whether the device is connected to the wired network, and if it is, disable the wireless adapter," Kozup says. "You avoid being the bridge between wired and wireless." The software can also prevent any ad-hoc network sessions where a rogue user may try to force an association with your device.
Right now, the support is limited to Windows-based laptops and handhelds, plus Cisco's own products like the Unified Wireless IP Phone 7920. "We're on the train moving toward this grand unification nirvana," says Kozup. "We're very clear that our customers are seeing an increasing number of devices with different operating systems, and they need to apply the services across those as well. Stay tuned in terms of that broader ability to cover all different types of clients." One of the ways they'll handle that, probably, will be to work with silicon vendors to support Cisco Compatible Extensions (CCX), which could integrate the CSA.
Cisco bought out Meetinghouse last year and has integrated its 802.1X authentication supplicant, so it'll work across wired and wireless networks using the ACS server. "We deliver a unified authentication framework, irrespective of how it connects," says Kozup.
Finally, Kozup says the Secure Wireless Solution is designed from the ground up to handle regulatory requirements, specifically the headaches of keeping up with Sarbanes-Oxley, HIPAA and PCI. The latter is all about credit card security in retail, and has very strict wireless requirements, such as the need for quarterly wireless scans of a retailer's environment. Cisco did designs on this with Intermec (which builds handhelds for retailers), and tested with CyberTrust.
"You can't be compliant [with PCI] with just a secure box," says Kozup. "Securing corporate data is about the whole view, and validating all the parts together, so wired and wireless both meet the needs." He adds, "We're not just stringing parts together, but testing on the back end and validating that in our environment, and documenting it for the real world."