
Cisco Creates Converged Threat Mitigation and VPN Device to Simplify Network Security
Source: Cisco Systems - Posted May 3rd, 2005 12:27 PM EDT

By Charles Waltner, News@Cisco

Even though network security threats are becoming more onerous and complex by the day, it doesn't mean network defenses have to be.

Cisco Systems' answer to this conundrum is the Adaptive Security Appliance (ASA) 5500 series. Cisco created the ASA 5500 to address both the growing dangers of network threats and the increasing costs and complexities of protecting networks against those threats.

The ASA 5500 series is the industry's first full-featured, converged, multi-function network security device. The ASA encompasses the industry-leading capabilities of Cisco's firewall, virtual private network (VPN), intrusion prevention, and network anti-virus technologies. But the ASA 5500 goes far beyond the sum of its parts. By combining all these technologies into one device, the ASA 5500 can provide unprecedented coordination of the security efforts for each of these technologies.

Also, by unifying all these technologies on a single, low-cost platform, Cisco has now made it operationally and economically feasible for its customers to deploy comprehensive security to more points on their networks. And the Cisco ASA 5500 does all of this without slowing the flow of traffic, thanks to its state-of-the-art traffic processing technologies and innovative software architecture.

While the ASA 5500 simplifies network security, it was far from simple to build. There's a reason why a device like this has never been made. It is terribly complicated to combine four security technologies into one box without losing performance or functions. The project took over two years while requiring coordinated efforts among individual engineering groups that previously had worked separately on Cisco's stand-alone firewall, VPN, intrusion prevention, and network anti-virus technologies. At the center of this major effort were software development managers Kevin Wiley, Dario Calia, Victor Volpe, and Steve DeJarnett, each responsible for weaving together a different aspect of the ASA 5500's impressive technical tapestry.

"Starting the project was perhaps the most daunting moment," DeJarnett says. "Developing a product of this sophistication and array of features demanded the very best out of all the team members."

But thanks to an assortment of innovations and more than a dash of dogged determination from the ASA 5500 project's coalition of engineers, Cisco's customers can now deploy comprehensive security throughout their networks without becoming overwhelmed by a bewildering array of security devices.

Scott Pope, manager of security and VPN product marketing for Cisco, says rapidly escalating networking security concerns have spurred an increasing array of security devices. Unfortunately, network managers simply cannot deploy a full assortment of products to every node of a network, especially small sites such as remote offices. Purchasing and maintaining so many devices has been a great strain to budgets, staffs and networks. "One customer put it best by telling us his network was collapsing under the weight of all the security appliances he now had to manage," Pope says.

Pope says Cisco customers also told his team they liked using firewalls but wanted them to do more: basically, to stop more bad traffic, such as worms, viruses and unwanted applications, from passing through their network perimeters. "So our customers really like the idea of boosting their security, but they want to do that with as few devices as possible," Pope says.

And the ASA 5500 does just that. The converged security appliance provides a vast treasure chest of security tools, including network-based worm and virus mitigation, spyware/adware protection, traffic micro-inspection, application firewalling, hacker/intrusion prevention, denial-of-service prevention, access control, on-device security event correlation, and wide-ranging VPN support, including IPSec and SSL, among dozens of others. Well, you get the idea.

Most importantly, the efforts of each device within the ASA 5500 are far more coordinated than they would be as stand-alone security appliances. Thanks to the ASA 5500's modular and flexible method for managing and coordinating the flow of network traffic through the machine, the ASA 5500 can do things that simply were not possible before.

For example, the ASA 5500 provides a far more sophisticated intrusion prevention service and threat mitigation capability because it better coordinates its efforts with the device's VPN operations. Typically, intrusion prevention and other threat mitigation technologies cannot read the encrypted traffic running on a VPN. But with VPN and intrusion prevention running on the same box, the VPN can decrypt the traffic for the IPS to examine and then re-encrypt it and send it on its way, Kevin Wiley explains. That way, VPN traffic does not pass into the network without first being fully parsed by the ASA 5500's intrusion prevention and threat mitigation services. "By creating a way these two devices can coordinate their security work, we have made both of them even more effective and blocked another way hackers and malware can enter a network," Wiley says.

While the ASA 5500 boosts network security through new capabilities, it is also making it possible for organizations to afford more security. Cisco customers can buy and deploy the ASA 5500 for significantly less than what it would cost to buy and deploy individual devices that perform all the functions of the 5500. Also, fewer devices to manage means lower costs, and Cisco has designed the ASA 5500 to make management as streamlined and cost-effective as possible.

Companies don't have to use all the features of the ASA 5500. But, importantly, a single management interface handles all of the device's features, helping organizations lower their training overhead. "It's one device and one operational interface to learn, rather than three separate devices and interfaces," says DeJarnett, who spearheaded the creation of the management system for the ASA 5500. "We wanted the interface to be familiar to customers who have used our stand-alone products while also creating a management console that supports the breadth of threat mitigation and VPN options offered by the ASA 5500. But that was no easy task given all the possible combinations of security features available on this machine."

This challenge extended throughout the development of the Cisco ASA 5500. As Victor Volpe notes, combining all the capabilities of three fully developed, industry-leading devices into one new device was complex, to say the least. "Our team had to converge dozens of sophisticated capabilities from three mature, market-leading products," he says. "We had a long 'to do' list."

For hardware performance, the team turned to an array of advanced chips for decoding encrypted traffic, sniffing out bad data, and running all the communications among the ASA 5500's four primary security operations. By designing an integrated data path architecture, the device can harness the power of any and all of the powerful chips for whatever task is needed.

Dario Calia says many of the team's most satisfying victories were in creating the technologies that manage and coordinate the ASA 5500's multifaceted capabilities. That required designing one policy engine for the entire device and a new operations kernel, basically the nerve center for the machine.

"We wanted to redefine what a security appliance could do so we made sure we took the extra steps necessary to make that happen," Calia says.

Technically and logistically it was far from a sure thing to bring all the power and capabilities of Cisco's best security devices into one appliance. But the team managed just that and then some. Certainly, it was no routine assignment, but thanks to their efforts, deploying and managing comprehensive networking security can now be much simpler for Cisco's customers.

Charles Waltner is a freelance journalist in Oakland, Calif.

Copyright © 1998-2008, ITPRONTO.COM.