SASE Model | Zero Trust Identity
In today's ever-evolving digital landscape, the need for robust cybersecurity measures is more critical than ever. Traditional security models are being challenged by the growing complexity of threats and the increasing demand for remote work capabilities. This blog post delves into the SASE (Secure Access Service Edge) model, highlighting its significance in achieving zero trust identity and enhancing overall security posture.
The SASE model combines network security and wide-area networking (WAN) capabilities into a unified cloud-based service. It integrates security functions like secure web gateways, data loss prevention, firewall-as-a-service, and more, with WAN capabilities such as SD-WAN (Software-Defined Wide Area Networking). This convergence allows organizations to simplify their security architecture while ensuring consistent protection across all endpoints.
Zero trust is an essential principle within the SASE model. Unlike traditional security models that rely on perimeter-based defenses, zero trust operates on the assumption that no user or device should be inherently trusted. Instead, access is granted based on dynamic factors such as user behavior, device health, and contextual data. This approach minimizes the attack surface and strengthens overall security.
Identity as the New Perimeter: In the SASE model, identity becomes the new perimeter. By adopting zero trust principles and leveraging technologies like multi-factor authentication, biometrics, and continuous monitoring, organizations can ensure that only authorized users with verified identities gain access to sensitive resources. This shift from network-centric security to identity-centric security enables a more granular and robust approach to protecting critical assets.
Strengthening Security with SASE and Zero Trust Identity: Bringing together the SASE model and zero trust identity strengthens an organization's security posture in multiple ways. By integrating security and networking functions into a unified service, organizations can enforce consistent security policies across all endpoints, regardless of their location. This approach enhances visibility, mitigates risks, and allows for more efficient incident response.
Implementing the SASE model with zero trust identity brings several benefits. These include improved threat detection and response capabilities, reduced complexity in managing security infrastructure, enhanced user experience through seamless and secure access, and increased agility to adapt to changing business needs. Furthermore, the consolidation of security functions in the cloud reduces operational costs and simplifies maintenance.
Conclusion: The SASE model, with its focus on zero trust identity, revolutionizes the way organizations approach cybersecurity. By shifting the security paradigm from perimeter-based defenses to identity-centric protection, businesses can adapt to the evolving threat landscape and ensure a higher level of security. Embracing the SASE model and zero trust identity is a proactive step towards safeguarding critical assets and empowering secure digital transformation.Matt Conran
Highlights: SASE Model | Zero Trust Identity
Understanding the SASE Model
The SASE model, coined by Gartner, combines network security and wide area networking (WAN) capabilities into a unified, cloud-native platform. It revolves around converging networking and security functions, enabling organizations to simplify their infrastructure while enhancing security and performance. By consolidating various security services like secure web gateways, firewall-as-a-service, data loss prevention, and more, the SASE model offers a holistic approach to protecting networks and data.
To implement the SASE model effectively, it is crucial to understand its key components. These include secure access, network security functions, cloud-native architecture, and global points of presence (PoPs). Secure access ensures that users can connect to resources securely, regardless of location. Network security functions encompass various security services, including firewalling, secure web gateways, and zero-trust network access. The cloud-native architecture leverages the scalability and agility of the cloud, while global PoPs enable organizations to achieve optimal performance and low latency.
The adoption of the SASE model brings many benefits to organizations. First, it simplifies network architecture, reducing the complexity and costs of managing multiple security appliances. Second, regardless of location, it provides consistent and robust security across all users and devices. This is particularly valuable in today’s remote work and mobile workforce era. Additionally, the SASE model enhances performance by leveraging cloud-native technologies and global PoPs, ensuring seamless connectivity and reduced latency.
Cisco SASE with Cisco Umbrella
Once you have a SASE solution, you need to evolve it. The SASE model is unlike installing a firewall and configuring policies; you can add and enhance your SASE technology in many ways to increase your security posture. With Umbrella SASE, we are moving our security to the cloud and expanding this with the Cisco Umbrella platform and Zero Trust Identity from Cisco Duo. First, Cisco Umbrella provides the core SASE technology security functionality, such as DNS-layer filtering, and then Cisco Duo focuses on the Zero Trust Identity side.
Challenge: Traditional Security Devices
Firewalls and other security services will still have a crucial role, but we must modernize the solution, especially regarding encrypted traffic and applying policies on an enterprise-wide scale. It’s a good idea to start offloading functions to the SASE solution and replacing them with Umbrella SASE. The SASE model is more of a journey than a product you can switch on and could take 3 – 5 years.
Challenge: New Cloud Locations
The enterprise data center’s virtual private network (VPN) must remain. Even though most applications are SaaS-based, on-premise applications will still be around for compliance and security, or they will be more complex to offload to the Internet. This could be partner resources. We need a solution to satisfy all these access requirements: cloud and on-premises application access. So, we need VPN access to the enterprise data center’s enterprise application and protected DIA for SaaS-based applications.
Example Technology: IPS IDS
Understanding Suricata
Suricata is an open-source Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) that offers real-time threat detection and prevention capabilities. It employs robust signature-based detection, protocol analysis, and behavioral monitoring to identify and block malicious network traffic.
Suricata seamlessly integrates with Security Information and Event Management (SIEM) solutions to enhance its effectiveness. This integration enables centralized log management, correlation of security events, and streamlined incident response. By aggregating and analyzing Suricata’s alerts within a SIEM, security teams gain valuable insights into potential threats and can swiftly mitigate risks.
Example: Zero Trust Technology
Understanding Port Knocking
Port knocking is a clever security technique that involves a series of connection attempts to predefined closed ports on a server. These connection attempts act as a secret knock, effectively “opening” the desired port for subsequent communication. By hiding the open ports, port knocking reduces the visibility of services to potential attackers, making it harder to exploit vulnerabilities.
One significant advantage of port knocking is its ability to mitigate brute-force attacks. Since the ports are closed by default, unauthorized access attempts are futile. Port knocking adds an extra layer of obscurity, making it challenging for attackers to identify open ports and devise attack strategies. This technique can be beneficial in environments with impractical or insufficient traditional firewalls.
Understanding Zero Trust Identity
Security Framework
Zero-trust identity is a security framework that operates on the principle of “never trust, always verify.” It challenges the traditional perimeter-based security model by assuming that no user or device should be inherently trusted, regardless of location or network environment. Instead, zero-trust identity emphasizes continuous authentication and authorization processes to ensure secure resource access.
Several key components need to be in place to implement zero-trust identity effectively. These include multi-factor authentication (MFA), robust identity and access management (IAM) systems, risk-based access controls, and comprehensive visibility and monitoring capabilities. Each component plays a crucial role in establishing a solid zero-trust identity framework.
The adoption of zero trust identity offers various benefits to organizations. Firstly, it significantly reduces the risk of data breaches and unauthorized access by implementing strict access controls and authentication methods. Secondly, zero trust identity enhances visibility into user activities, enabling quick detection and response to potential threats. Lastly, this approach allows for organizations to have a more flexible and scalable security infrastructure, accommodating the needs of a distributed workforce and cloud-based environments.
Zero Trust Identity
The identity-centric focus of zero trust uses an approach to security to ensure that every person and every device granted access is who and what they say they are. It achieves this authentication by focusing on the following key components:
- The network is always assumed to be hostile.
- External and internal threats always exist on the network.
- Network locality needs to be more sufficient to decide trust in a network. As discussed, other contextual factors must also be taken into account.
- Every device, user, and network flow is authenticated and authorized. All of this must be logged.
- Security policies must be dynamic and calculated from as many data sources as possible.
NSX Identity-Based Firewall
Understanding NSX IDFW
At its core, the NSX Identity-Based Firewall integrates seamlessly with VMware’s NSX platform, extending its security capabilities to include user identity as a primary factor in policy enforcement. Unlike traditional firewalls that rely on IP addresses, NSX IDFW allows administrators to create rules based on user identity, roles, and group membership. This approach offers a more dynamic and adaptable security posture, especially in environments with a high degree of user mobility and role changes.
### Key Features of NSX IDFW
**1. User-Centric Policies:**
NSX IDFW enables the creation of security policies that track user identities across the network. This means that policies can follow users as they move between devices or locations, ensuring consistent enforcement of security rules.
**2. Enhanced Visibility:**
With NSX IDFW, administrators gain deep visibility into user activity and network traffic. This visibility helps in identifying potential threats and anomalous behavior, allowing for quicker and more accurate response to security incidents.
**3. Simplified Management:**
The integration with directory services like Active Directory (AD) streamlines the process of policy creation and management. Administrators can leverage existing user groups and roles within AD to define firewall rules, reducing the overhead associated with manual policy configuration.
### Benefits of Implementing NSX IDFW
**1. Improved Security Posture:**
By focusing on user identity, NSX IDFW minimizes the risk of unauthorized access and lateral movement within the network. This is particularly beneficial in preventing insider threats and ensuring compliance with regulatory standards.
**2. Operational Efficiency:**
The ability to manage security policies based on user roles and groups simplifies administrative tasks and reduces the likelihood of configuration errors. This leads to more efficient and effective security operations.
**3. Scalability:**
NSX IDFW is designed to scale with your organization, accommodating changes in user roles, group memberships, and network topologies without compromising security or performance.
### Use Cases for NSX IDFW
**1. Remote Work Security:**
As remote work becomes the norm, securing access to corporate resources is paramount. NSX IDFW ensures that remote users are authenticated and authorized before accessing sensitive data, providing a robust layer of security for distributed workforces.
**2. Compliance and Auditing:**
For organizations subject to stringent regulatory requirements, NSX IDFW offers detailed logging and reporting capabilities. This helps in demonstrating compliance with standards such as GDPR, HIPAA, and PCI-DSS by providing a clear audit trail of user activity and access controls.
**3. Segmentation of Sensitive Data:**
By segmenting the network based on user roles and identities, NSX IDFW helps in isolating sensitive data and applications. This minimizes the attack surface and limits the potential impact of security breaches.
Example Product: Cisco Secure Network Analytics
In our increasingly interconnected world, network security is paramount. One of the leading solutions to ensure this is Cisco Secure Network Analytics (Cisco SNA). This powerful tool provides comprehensive visibility into network traffic, enabling organizations to detect and respond to threats swiftly. In this blog post, we will explore the various facets of Cisco SNA, its key features, and how it can transform your network security strategy.
#### Understanding the Core Features
Cisco SNA is designed with a plethora of features aimed at enhancing network security. At its core, Cisco SNA offers robust network visibility, advanced threat detection, and streamlined incident response. The tool collects and analyzes vast amounts of data from various sources, providing a holistic view of network activity. This data is then used to identify anomalies and potential threats, allowing security teams to take proactive measures.
#### Advanced Threat Detection Capabilities
One of the standout features of Cisco SNA is its advanced threat detection capabilities. Leveraging machine learning and behavioral analytics, Cisco SNA can identify unusual patterns and behaviors that may indicate a security breach. This proactive approach helps in catching threats before they can cause significant damage. Additionally, Cisco SNA integrates with other Cisco security products, enhancing its ability to correlate data and provide deeper insights.
#### Streamlined Incident Response
In the event of a security incident, time is of the essence. Cisco SNA excels in this area by providing tools that streamline the incident response process. The platform offers detailed alerts and actionable intelligence, enabling security teams to quickly understand the scope and impact of an incident. Moreover, with its intuitive interface, Cisco SNA makes it easier for teams to investigate and remediate threats efficiently.
#### Real-World Applications and Benefits
Organizations across various industries have successfully implemented Cisco SNA to bolster their network security. From financial institutions to healthcare providers, the benefits of Cisco SNA are evident. By providing real-time visibility and advanced threat detection, Cisco SNA helps organizations protect sensitive data, maintain regulatory compliance, and ensure the integrity of their networks. The result is a more secure and resilient IT infrastructure that can withstand the evolving threat landscape.
Example: Security Scan with Lynis
Lynis is an open-source security auditing tool that assesses the security of Linux and Unix-based systems. It performs a comprehensive scan, analyzing various aspects such as configuration settings, software packages, file integrity, and user accounts. By conducting an in-depth examination, Lynis helps identify potential vulnerabilities and provides recommendations for remediation.
Starting Endpoint Security
Understanding User Authentication
User authentication is the cornerstone of identity security in Linux. By implementing robust authentication protocols, such as password-based authentication or public critical infrastructure (PKI), users can validate their identities and gain access to the system. Multifactor authentication (MFA) adds an extra layer of security by combining different authentication methods, further fortifying the system against unauthorized access.
Access controls play a vital role in securing identity within Linux. By utilizing mechanisms like file permissions, ownership, and access control lists (ACLs), administrators can regulate user privileges and restrict unauthorized access to sensitive files and directories. Furthermore, the least privilege (PoLP) principle should be applied, granting users only the necessary permissions to perform their designated tasks and minimizing potential security risks.
Understanding SELinux
SELinux, short for Security-Enhanced Linux, is a security module integrated within the Linux kernel. It provides a robust framework for mandatory access controls (MAC) and fine-grained access control policies. Unlike traditional Linux access control mechanisms, SELinux goes beyond simple user and group permissions, enabling administrators to define and enforce highly granular policies.SELinux plays a vital role in enhancing zero-trust endpoint security. Enforcing MAC policies and implementing strong access controls ensures that each endpoint adheres to the principle of least privilege. SELinux helps mitigate the potential damage by limiting the attacker’s capabilities even if an endpoint or credentials are compromised.
Understanding Endpoint Security
Endpoint security protects individual devices or endpoints that connect to a network. These endpoints include desktop computers, laptops, servers, and mobile devices. The primary goal of endpoint security is to prevent unauthorized access, detect potential threats, and respond to any security incidents promptly.
Address Resolution Protocol (ARP) plays a vital role in endpoint security. It maps an IP address to a corresponding MAC address within a local network. By maintaining an updated ARP table, network administrators can ensure that communication within the network remains secure and efficient.
Proper route configuration is another critical aspect of endpoint security. Routes determine how data packets are transmitted between different networks. By carefully configuring routes, network administrators can control traffic flow, prevent unauthorized access, and mitigate the risk of potential attacks.
Netstat, a command-line tool, provides valuable insights into network connections and statistics. Using Netstat, network administrators can monitor active connections, identify potential security threats, and take appropriate measures to safeguard their endpoints. Regularly analyzing Netstat output can help detect suspicious activities or abnormal behavior within the network.
Detecting Authentication failures in logs
Understanding Syslog
Syslog is a standard protocol for message logging. It enables various devices and applications to send log messages to a central syslog server. The server is a centralized log repository, facilitating easy management and analysis. By tapping into syslog, security analysts gain access to a wealth of information about system events, network traffic, and potential security incidents.
Auth.log, short for authentication log, is a file specific to Unix-based systems. It records all authentication-related events, such as successful and failed login attempts, password changes, and user authentication errors. Analyzing the auth.log can provide crucial insights into potential security breaches, unauthorized access attempts, and suspicious user behavior.
Example Product: Cisco Meraki
### Introduction to Cisco Meraki
In today’s fast-paced digital world, managing complex network infrastructures can be a daunting task. Enter Cisco Meraki, a cloud-based network management platform that promises to simplify and enhance the way businesses handle their networking needs. Whether you’re a small business or a large enterprise, Cisco Meraki offers a comprehensive solution that can streamline operations and boost productivity.
### Why Choose Cisco Meraki?
Cisco Meraki stands out in the crowded field of network management solutions for several reasons. First and foremost, it offers a user-friendly interface that allows IT administrators to manage and monitor their entire network from a single dashboard. This centralized approach not only saves time but also reduces the likelihood of errors. Additionally, Cisco Meraki’s platform is designed to scale seamlessly, making it an ideal choice for businesses of all sizes.
### Key Features of the Cisco Meraki Platform
Cisco Meraki comes packed with features that are designed to meet the diverse needs of modern businesses. Some of the standout features include:
– **Cloud Management**: With Cisco Meraki, you can manage your network from anywhere in the world, as long as you have internet access. The cloud-based dashboard provides real-time visibility and control over your entire network.
– **Security**: Security is a top priority for Cisco Meraki. The platform includes built-in security features such as firewalls, intrusion detection, and content filtering to protect your network from threats.
– **Scalability**: Whether you have one location or hundreds, Cisco Meraki can scale to meet your needs. The platform supports a wide range of devices, from wireless access points to security cameras.
– **Ease of Use**: The intuitive interface makes it easy for IT administrators to configure and manage their network without needing extensive training or expertise.
### Real-World Applications
Cisco Meraki is not just a theoretical solution; it has practical applications across various industries. For example, in the education sector, schools and universities use Cisco Meraki to provide secure and reliable internet access to students and staff. In retail, businesses leverage the platform to optimize their store operations and enhance customer experiences. Healthcare organizations use Cisco Meraki to ensure secure and compliant network access for both patients and healthcare providers.
Related: Before you proceed, you may find the following posts helpful:
SASE Technology with Zero Trust Identity
When you think about it, surface challenges must be solved by examining recent trends. For a start, historically, most of the resources lived in the data center, and we could centralize our security stack. However, with users accessing the network anywhere, we have public cloud apps with different connectivity metrics to understand. In addition, we now have an internet/cloud-centric connectivity model. So, we need to re-think to facilitate these new communication flows.
As a first step, you don’t need to throw out all your network and security appliances and jump to the SASE model. For an immediate design, you can augment your on-premises network security appliance with Umbrella SASE DNS-layer security. DNS-layer security is a good starting point with Cisco Umbrella. It would be best if you made some slight changes to this.
This way, you don’t need to make any significant architectural changes to get immediate benefits from SASE and its cloud-native approach to security.
Example Product: What is Cisco Cyber Vision?
Cisco Cyber Vision is a cybersecurity solution tailored specifically for industrial networks. Unlike traditional IT security tools, Cyber Vision is engineered to understand the unique protocols, devices, and architectures found in ICS and OT environments. It provides real-time visibility into network traffic, detects anomalies, and helps prevent cyber threats that could disrupt critical industrial processes.
#### Key Features of Cisco Cyber Vision
Cisco Cyber Vision offers a range of features that set it apart from other cybersecurity solutions:
– **Comprehensive Network Visibility:** It maps out the entire industrial network, identifying all connected devices and their communication patterns. This visibility is crucial for detecting unauthorized devices and ensuring compliance with security policies.
– **Anomaly Detection and Threat Intelligence:** Using advanced algorithms and threat intelligence feeds, Cyber Vision can detect unusual behaviors and potential threats in real-time. This proactive approach helps in mitigating risks before they can cause significant damage.
– **Integration with IT Security Tools:** Cyber Vision seamlessly integrates with existing IT security tools, providing a unified view of both IT and OT environments. This integration simplifies the management and response to security incidents across the entire organization.
– **User-Friendly Interface:** The intuitive dashboard and reporting tools make it easy for security teams to monitor the network, analyze threats, and generate actionable insights.
#### Benefits of Implementing Cisco Cyber Vision
Implementing Cisco Cyber Vision in industrial networks offers several compelling benefits:
– **Enhanced Security Posture:** By providing detailed visibility and real-time threat detection, Cyber Vision strengthens the overall security posture of industrial networks, reducing the risk of cyberattacks.
– **Operational Continuity:** With its ability to detect and respond to threats quickly, Cyber Vision helps maintain the continuity of critical industrial processes, minimizing downtime and financial losses.
– **Regulatory Compliance:** Many industries are subject to stringent cybersecurity regulations. Cyber Vision assists organizations in meeting these requirements by providing comprehensive monitoring and reporting capabilities.
– **Cost-Effective Solution:** By integrating with existing IT security tools and providing a user-friendly interface, Cyber Vision reduces the need for additional resources and training, making it a cost-effective solution for industrial cybersecurity.
#### Implementation Strategies
Successfully implementing Cisco Cyber Vision involves several key steps:
1. **Network Assessment:** Conduct a thorough assessment of the existing industrial network to identify all devices, communication patterns, and potential vulnerabilities.
2. **Integration Planning:** Develop a plan for integrating Cyber Vision with existing IT security tools and processes, ensuring a seamless transition.
3. **Deployment and Configuration:** Deploy Cyber Vision sensors and configure them to monitor critical network segments. Customize the dashboard and alerts to suit the specific needs of the organization.
4. **Continuous Monitoring and Improvement:** Regularly monitor the network using Cyber Vision, analyze threat data, and make continuous improvements to the security posture based on the insights gained.
SASE Technology with Zero Trust Identity
You can then further this SASE model to include Zero Trust Identity with, for example, Cisco Duo. With Cisco Duo, we are moving from inline security inspection on the network to securing users at the endpoint or the application layer. An actual Zero Trust Identity strategy changes the level of access or trust based on contextual data about the user or device requesting access.
Now, we are heading into identity as the new perimeter. Identity, in its various forms, is the new perimeter. The new identity perimeter needs to be protected with other mechanisms you may have in your existing environments.
We have identity sprawl with potentially unprecedented access, making any of the numerous identities a high-value target for bad actors to compromise. For example, in a multi-cloud environment, it’s common for identities to be given a dangerous mix of entitlements, further extending the attack surface area security teams need to protect.
Note: The issue with VLAN-based segmentation is large broadcast domains with free-for-all access. This represents a larger attack surface where lateral movements can take place. Below is a standard VLAN-based network running Spanning Tree Protocol ( STP ). Zero trust and microsegmentation close the gap and reduce the chance of lateral movements.
Identity attacks are hard to detect
Nowadays, bad actors can use even more gaps and holes as entry points. With the surge of identities, including humans and non-humans, IT security administrators face the challenge of containing and securing the identity sprawl as the attack surface widens.
What makes this worse is that security teams’ primary issue is that identity-driven attacks are hard to detect. How do you know if a bad actor or a sys admin uses the privilege controls?
Security teams must find a reliable way to monitor suspicious user behavior to determine the signs of compromised identities. For this, behavioral analysis must happen in the background, looking for deviations from baselines. Once a variation has occurred, we can trigger automation, such as with a SOAR playbook that can, for example, perform threat hunting.
Example: Social-Engineering Toolkit.
Credential harvester or phishing attacks aim to trick individuals into providing their sensitive login information through fraud. Attackers often create deceptive websites or emails resembling legitimate platforms or communication channels. These masquerading techniques exploit human vulnerabilities, such as curiosity or urgency, to deceive unsuspecting victims.
To execute a successful credential harvester attack, perpetrators typically utilize various methods. One common approach involves creating fake login pages that mimic popular websites or services. Unaware of the ruse, unsuspecting victims willingly enter their login credentials, unknowingly surrendering their sensitive information to the attacker. Another technique involves sending phishing emails that appear genuine, prompting recipients to click on malicious links and unknowingly disclose their login details.
The consequences of falling victim to a credential harvester attack can be severe. From personal accounts to corporate networks, compromised login information can lead to unauthorized access, data theft, identity theft, and financial fraud. Attackers often leverage their credentials to gain entry into other platforms, potentially compromising sensitive information and causing extensive damage to individuals or organizations.
Mitigating the Risks
Thankfully, several proactive measures can mitigate the risks associated with credential harvester attacks. First and foremost, user education plays a crucial role. Raising awareness about the existence of these attacks and providing guidance on identifying phishing attempts can empower individuals to make informed decisions. Implementing robust email filters, web filters, and antivirus software can also help detect and block suspicious activities.
One highly effective strategy to fortify defenses against credential harvester attacks is implementing two-factor authentication (2FA). By requiring an additional verification step, such as a unique code sent to a registered mobile device, 2FA adds an extra layer of security. Even if attackers obtain login credentials, they would still be unable to access the account without secondary verification.
Example Technology: Scanning Networks
Understanding Network Scanning
Network scanning analyzes a network to detect active hosts, open ports, and potential security weaknesses. It provides a comprehensive view of the network infrastructure and aids in identifying possible entry points for malicious actors. By performing network scans, organizations can proactively strengthen their cybersecurity defenses.
Port Scanning: Port scanning is one of the fundamental techniques used in network scanning. It involves probing a target system for open ports essential for establishing network connections. Tools like Nmap and Zenmap are commonly employed for port scanning, allowing security professionals to identify vulnerable services and potential attack vectors.
Vulnerability Scanning: Vulnerability scanning identifies weaknesses, flaws, or misconfigurations within network devices and systems. This technique provides valuable insights into potential security risks that attackers could exploit. Tools like Nessus and OpenVAS are widely used for vulnerability scanning, enabling organizations to prioritize and remediate vulnerabilities effectively.
Evolution to a SASE Model
The Internet: New Enterprise Network
We are stating that there has been a substantial evolution. The Internet is the new network, and users and apps are more distributed; the Internet is used to deliver those services. As a result, we have a greater dependency on the Internet, but the Internet’s reliability could be more consistent around the globe. For example, BGP is unreliable, and we always have BGP incidents. We need to look at other tools and solutions to layer on top of what we have to improve Internet reliability.
BGP operates over TCP port 179. BGP TCP Port 179 serves as the channel through which BGP routers establish connections and exchange routing information. The linchpin facilitates the dynamic routing decision-making process across diverse networks. However, due to its criticality, BGP Port 179 has become an attractive target for malicious actors seeking to disrupt network operations or launch sophisticated attacks.
Common Threats Targeting BGP TCP Port 179
BGP TCP Port 179, the backbone of internet routing, faces various security threats. From route hijacking to Distributed Denial of Service (DDoS) attacks, the vulnerabilities within this port can have severe consequences on network stability and data integrity. Understanding these threats is essential in implementing effective countermeasures.
Also, the cloud is the new data center. So, we no longer control and own the data and apps in the public cloud. Instead, these apps communicate to other public clouds and back to on-premises to access applications or databases that can’t be moved to the cloud. Not to mention the new paradigm to try and solve. We also reduce the types of applications on our enterprise network.
Most are trying to minimize custom applications and streamline SaaS-based applications. We can implement many SaaS-based applications. These applications are hosted in public and private clouds and accessed online. The service model is now accessible only via the public Internet. We also want the same experience at home as in the office. When I return to the office, all the network and security functions at home stay the same.
Example Product: Cisco Meraki
#### Simplified Network Management
Cisco Meraki’s cloud-based architecture revolutionizes how networks are managed. Traditional network management often involves complex hardware and software configurations. Meraki eliminates this complexity with a centralized, web-based dashboard. This intuitive interface allows IT administrators to manage the entire network from anywhere, even from a mobile device. With features like real-time network monitoring, configuration changes, and automatic updates, managing a network has never been easier.
#### Robust Security Features
Security is a top priority for any network, and Cisco Meraki excels in this area. The platform includes a range of built-in security features designed to protect against threats and ensure data integrity. Advanced security tools like intrusion detection and prevention, content filtering, and firewall protection are seamlessly integrated into the Meraki dashboard. Additionally, Meraki’s security appliances provide deep visibility into network traffic, allowing administrators to detect and mitigate potential threats proactively.
#### Scalability and Flexibility
One of the standout features of Cisco Meraki is its scalability. Whether you’re managing a single site or multiple locations worldwide, Meraki’s cloud-based architecture can easily scale to meet your needs. Adding new devices or expanding your network is straightforward, with zero-touch provisioning and automatic device configuration. This flexibility makes Meraki an ideal solution for growing businesses and enterprises with dynamic network requirements.
#### Enhanced User Experience
Cisco Meraki not only simplifies network management for administrators but also enhances the user experience. With seamless connectivity, high-performance Wi-Fi, and robust network security, end-users enjoy a reliable and secure connection. Meraki’s traffic shaping and application management features ensure that critical applications receive the necessary bandwidth, optimizing performance and productivity.
How To Approach The SASE Model?
How do you do this? Well, there are two ways. You can facilitate this with a bespoke platform, which can be self-managed with many on-premise network and security stacks, sticking the product together and then building your own PoPs. However, you can get away from this and consume this as a service from a SASE provider, so we have a cloud consumption model for all network and security services. This is the essence of the SASE model. Why not offload all the complexity to someone else?
A. Required SASE Technology: Encryption Traffic.
We have inline security services that inspect traffic and try to glean metadata about what is happening. The inspection was easy when we connected to a web page on port 80, and everything was in clear text. Inspection and seeing what the user was doing can be done with standard firewall monitoring. But now we have end-to-end encryption between the user device and the applications.
The old IDS/IPS and firewalls need help gaining insights into encrypted traffic. We need complete visibility at the endpoint and the application layer to have more context and understand if there is any malicious activity in the encrypted traffic. Also, appropriate visibility of encrypted traffic is more important than having control.
Example: IPSec VTI
IPSec VTI, or Virtual Tunnel Interface, is a modern method of implementing secure tunnels using the IPSec protocol suite. Unlike traditional VPNs that rely on static tunnels, IPSec VTI offers a dynamic and flexible approach. It creates a virtual interface on routers or firewalls, simplifying the process of establishing and managing secure connections. This method not only enhances security but also improves scalability and ease of configuration.
Simplified Configuration: One of the standout features of IPSec VTI is its ease of configuration. Unlike traditional VPN setups that can be complex and time-consuming, IPSec VTI allows for a more straightforward setup process. By creating a virtual interface, network administrators can manage security policies and routing more efficiently, reducing the likelihood of misconfigurations and associated vulnerabilities.
Enhanced Flexibility: IPSec VTI provides enhanced flexibility in network design. With VTIs, it becomes easier to implement complex routing scenarios and integrate with other network protocols. This flexibility is particularly beneficial for organizations with dynamic and rapidly changing network environments, allowing them to adapt quickly to new security requirements.
Improved Scalability: Scalability is a crucial factor for any growing organization. IPSec VTI shines in this regard by offering a scalable solution for secure communication. As the network expands, additional VTIs can be easily added without the need for significant reconfiguration. This makes it an ideal choice for businesses anticipating growth and needing a robust, scalable security solution.
B. Required SASE Technology: SIEM with Splunk and Machine Data
You will also need a SIEM tool. Splunk can be used as the primary SIEM tool and log collection from various data sources to provide insights and traffic traversing the network. Remember that machine data is everywhere and flows from all the devices we interact with, making up around 90% of today’s data. Harnessing this data can give you powerful security insights.
The machine data can be in many formats, such as structured and unstructured. As a result, it can be challenging to predict and process. There are plenty of options for storing data. Collecting all security-relevant data and turning all that data into actionable intelligence, however, is a different story.
Example Solution: Splunk
This is where Splunk comes into play, and it can take any data and create an intelligent, searchable index—adding structure to previously unstructured data. This will allow you to extract all sorts of insights, which can be helpful for security and user behavior monitoring. In the case of Splunk, it helps you quickly know your data. Splunk is a big data platform for machine data. It collects raw unstructured data and converts them into searchable events.
C. Required SASE Technology: Network Connectivity & Network Security
You want an any-to-any connectivity model, even though your users and applications are highly distributed. What types of technology do you need to have to support this? You need two essential things: network connectivity and security services. Network connectivity, such as SD-WAN for branch locations. With everything, you start with network connectivity, and then you can layer security services on top of this stack.
These services include BGP sinkhole, DNS protection, secure firewall, WAN encryption, web security, and Cisco Duo with zero-trust access. Many components need to work together, and you will use and manage many infrastructure components.
End Visibility & Policy Maintenance
We also need to have good visibility into the full end-to-end path. You can use your SASE technology with Cisco ThousandEyes for end-to-end visibility and tools to orchestrate all of this together. This has many challenges, such as building and operating these components together.
A better way is to have all these services available via one unified portal. For example, we can have network and security as a service, where you can add services you need on-demand to each Umbrella SASE PoP that is outsourced to a SASE provider. Some PoPs can filter the DNS layer, while others have the entire security stack. They turn functions on and off at will.
This should be wrapped up with policy maintenance so you can implement policy at any point, along with good scalability and multi-tenancy. Lowering the cost and employing the SASE can help, not to mention the skills used. With the SASE model, you can export it to experts and consume it.
The Issue of Provisioning
With the umbrella SASE PoP architecture, you can bring users closer to the application. Also, we can access a more modern and diverse toolkit by employing SASE technology. Remember that a big issue with on-premise hardware appliances is that we always overprovision, which can result in high management for handling traffic spikes that may only happen occasionally. When it comes to hardware-based solutions, we always overprovision them.
With SASE, we have the agility of a software-based model where we can scale up and down, which you can do with a hardware-based model. If you need more scale, you or your Umbrella SASE provider can introduce another Virtual Network Function (VNF) and scale this out in software configuration instead of a new hardware appliance.
Umbrella SASE – Starting
Start with DNS Protection
As a first SASE model step, we need DNS protection. This is the first SASE technology to be implemented with a SASE solution. Cisco Umbrella can be used here. Cisco umbrella is a recursive DNS service; you can get a lot of information from DNS requests, and a great place to start security. You can learn to see attacks before they launch, have the correct visibility to protect access anywhere, and block and stop threats before the connection.
Below is a recap on DNS. DNS, by default, uses UDP and works with several records.
DNS and TTL
DNS can be updated dynamically and has very little TTL. If you can interact with that traffic at a base level regardless of where the user is, you can see what they are doing. For example, you can see what updates happen if a malware attack occurs. DNS is very lightweight; we can protect the endpoint and block malware before attempting the connection.
Suppose someone clicks on a phishing link or malware calls back to a C&C server for additional attack information. In that case, that connection does not happen, and you don’t need to process this traffic across a firewall or other security screen stack that can add latency.
Connecting to Umbrella SASE does not cause latency issues. We can offload the hardware used to protect this and now put it into the cloud, and you don’t need the additional hardware to accommodate traffic spikes and growth protection at a DNS layer. Cisco Umbrella gives you accuracy at the DNS layer without any overhead. You can control this traffic and see what is going on to see who is and where. All of the traffic can be identified with DNS.
Gaining Insight: DNS
Point the existing DNS resolver to Cisco Umbrella, then connect users and get insight into DNS requests for on or off-the-network traffic. We start with passive monitoring, and then we go to deploy blocking. It would help if you did this without re-architecting your network with the ability to minimize false positives. Therefore, pointing your existing DNS to Umbrella, a passive change, is a good starting point. Then, enable blocking internally based on policy.
There is an enterprise network, and endpoints must point to internal DNS servers. You can modify existing internal DNS servers to have their traffic go to the Cisco Umbrella for screening. So the DNS query goes to Cisco Umbrella for internet-bound traffic, and then Cisco Umbrella carries the recursive DNS queries to the Authoritative DNS servers.
The Role of Clients and Agents
It would help to get an Umbrella client or agent on your endpoint. An agent on the endpoint will give you additional visibility. What happens when the users go home from the office? You want to maintain visibility, which can be achieved with an agent. What I like about SASE is that you can have an enterprise-wide policy in a few minutes. You can also increase your DNS performance by leveraging the SASE PoPs. The SASE PoPs should be well integrated with an authoritative DNS server.
In summary, there are two phases. First, you can start with a network monitoring and blocking stage with DNS-layer filtering and then move to the endpoint, gaining visibility and lowering your attack surface. Now, we are heading into the zero-trust identity side of things.
Zero Trust Identity
For additional security, we can look at Zero Trust Identity. This can be done with Cisco Dou, which provides Zero Trust Identity on the endpoint and ensures the device is healthy and secure. We need to trust the user, my endpoint, and the network they are on. In the past, we just looked at the IP as an anchor for trust. With zero trust, we can now have adaptive policies and risk-based decisions, enforce the least privilege with, for example, just-in-time access, and bring in a lot more context than we had with IP addressing for security.
Cisco Duo Technologies for Umbrella SASE
Duo’s MFA (multi-factor authentication) and 2FA (two-factor Authentication) app and access tools can help make security resilience easy for your organization with user-friendly features for secure access, strong authentication, and device monitoring. The following are some of the technologies used with Cisco Duo.
a. Multi-factor Authentication (MFA): Multi-factor authentication (MFA) is an access security product that verifies a user’s identity when logging in. Using secure authentication tools adds two or more identity-checking steps to user logins.
b. Adaptive Access: With adaptive access, we have security policies for every situation. Now, we can gain granular information about who can access what and when. Cisco Duo lets you create custom access policies based on role, device, location, and other contextual factors, so we can use much contextual information to make decisions.
c. Device Verification: Also, verify any device’s trust, identify risky devices, enforce contextual access policies, and report on device health using an agentless approach or by integrating your device management tools.
d. Single-Sign-On: Then we have single sign-on (SSO): Single sign-on (SSO) from Duo provides users with an easy and consistent login experience for any application, whether on-premises or cloud-based. With SSO, we have a platform that we connect to for access to all of our applications. Not just SaaS-based applications but also custom applications. CyberArk is good in this space, too.
Zero Trust Identity Technologies
Adaptive policies
First, adaptive policies. Cisco Duo has built a cloud platform where you can set up adaptive policies to check for anomalies and then give the user an additional check. This is like step-up authentication. Then, we move towards conditional access, a step beyond authentication. Conditional access goes beyond authentication to examine the context and risk of each access attempt. For example, contextual factors may include consecutive login failures, geo-location, type of user account, or device IP to either grant or deny access. Based on those contextual factors, it may be granted only to specific network segments.
Risk-based decisions
The identity solution should be configurable to allow SSO access, challenge the user with MFA, or block access based on predefined conditions set by policy. It would help if you looked for a solution that can offer a broad range of requirements, such as IP range, day of the week, time of day, time range, device O/S, browser type, country, and user risk level.
These context-based access policies should be enforceable across users, applications, workstations, mobile devices, servers, network devices, and VPNs. A key question is whether the solution makes risk-based access decisions using a behavior profile calculated for each user.
Enforce Least Privilege and JIT Techniques
Secure privileged access and manage entitlements. For this reason, many enterprises employ a least privilege approach, where access is restricted to the resources necessary for the end-user to complete their job responsibilities with no extra permissions. A standard technology here would be Just in Time (JIT). Implementing JIT ensures that identities have only the appropriate privileges, when necessary, as quickly as possible and for the least time required.
A technology to enforce the least privilege is just-in-time (JIT) techniques that dynamically elevate rights only when needed. The solution allows for JIT elevation and access on a “by request” basis for a predefined period, with a full audit of privileged activities. Full administrative rights or application-level access can be granted, time-limited, and revoked.
Example Product: Cisco Secure Workload
**Understanding Cisco Secure Workload**
Cisco Secure Workload, formerly known as Cisco Tetration, is a cutting-edge security solution that provides comprehensive visibility and security for workloads across on-premises, public, and private cloud environments. By leveraging advanced analytics and machine learning, it helps organizations identify vulnerabilities, enforce security policies, and ensure compliance with regulatory standards.
Key Features:
– **Visibility:** Gain deep insights into application behavior and communication patterns.
– **Segmentation:** Implement micro-segmentation to control east-west traffic within the data center.
– **Policy Enforcement:** Automate and enforce security policies consistently across all environments.
– **Threat Detection:** Utilize machine learning to detect anomalies and potential threats in real-time.
**Enhancing Security through Micro-Segmentation**
Micro-segmentation is a pivotal feature of Cisco Secure Workload, providing granular control over network traffic. Unlike traditional perimeter-based security approaches, micro-segmentation focuses on securing individual workloads, regardless of their location. This approach minimizes the attack surface and limits the lateral movement of threats within the network.
Benefits of Micro-Segmentation:
– **Improved Security:** Isolate workloads to prevent the spread of malware and unauthorized access.
– **Compliance:** Ensure adherence to regulatory requirements by segmenting sensitive data.
– **Operational Efficiency:** Simplify network management and reduce the complexity of security policies.
**Leveraging Advanced Analytics and Machine Learning**
Cisco Secure Workload harnesses the power of advanced analytics and machine learning to detect and respond to threats proactively. By continuously monitoring network traffic and application behavior, it can identify deviations from normal patterns, flagging potential security incidents before they escalate.
Key Advantages:
– **Real-Time Threat Detection:** Identify and mitigate threats as they occur, reducing response times.
– **Behavioral Analysis:** Understand the baseline behavior of applications and detect anomalies.
– **Automated Response:** Enable automated responses to security incidents, minimizing manual intervention.
**Implementing Cisco Secure Workload in Your Organization**
Implementing Cisco Secure Workload involves several key steps, from initial assessment to full deployment and ongoing management. Here’s a high-level overview of the implementation process:
1. **Assessment:** Evaluate your current security posture and identify areas of improvement.
2. **Planning:** Define the scope of implementation, including specific applications and environments.
3. **Deployment:** Install and configure Cisco Secure Workload, integrating it with existing security tools.
4. **Policy Definition:** Create and enforce security policies tailored to your organization’s needs.
5. **Monitoring and Optimization:** Continuously monitor network traffic and refine policies to adapt to evolving threats.
Summary: SASE Model | Zero Trust Identity
Organizations face numerous challenges in ensuring secure and efficient network connectivity in today’s rapidly evolving digital landscape. This blog post delved into the fascinating world of the Secure Access Service Edge (SASE) model and its intersection with the Zero Trust Identity framework. Organizations can fortify their networks and safeguard their critical assets by understanding the key concepts, benefits, and implementation considerations of these two security approaches.
Understanding the SASE Model
The SASE Model, an innovative framework introduced by Gartner, combines network security and wide-area networking into a unified cloud-native service. This section explores the core principles and components of the SASE Model, such as secure web gateways, data loss prevention, and secure access brokers. The SASE Model enables organizations to embrace a more streamlined and scalable approach to network security by converging network and security functions.
Unpacking Zero Trust Identity
Zero-trust identity is a security paradigm emphasizing continuous verification and granular access controls. This section delves into its fundamental principles, including the concepts of least privilege, multifactor authentication, and continuous monitoring. By adopting a zero-trust approach, organizations can mitigate the risk of unauthorized access and minimize the impact of potential security breaches.
Synergies and Benefits
This section explores the synergies between the SASE Model and Zero Trust Identity. Organizations can establish a robust security posture by leveraging the SASE Model’s network-centric security capabilities alongside the granular access controls of Zero Trust Identity. The seamless integration of these approaches enhances visibility, minimizes complexity, and enables dynamic policy enforcement, empowering organizations to protect their digital assets effectively.
Implementation Considerations
Implementing the SASE Model and Zero Trust Identity requires careful planning and consideration. This section discusses key implementation considerations, such as organizational readiness, integration challenges, and scalability. Organizations can successfully deploy a comprehensive security framework that aligns with their unique requirements by addressing these considerations.
Conclusion: In conclusion, the SASE Model and Zero Trust Identity are two powerful security approaches that, when combined, create a formidable defense against modern threats. Organizations can establish a robust, scalable, and future-ready security posture by adopting the SASE Model’s network-centric security architecture and integrating it with the granular access controls of Zero Trust Identity. Embracing these frameworks enables organizations to adapt to the evolving threat landscape, protect critical assets, and ensure secure and efficient network connectivity.
- Fortinet’s new FortiOS 7.4 enhances SASE - April 5, 2023
- Comcast SD-WAN Expansion to SMBs - April 4, 2023
- Cisco CloudLock - April 4, 2023