Unifying Cyber Defenses: How Hybrid Mesh Firewalls Shape Modern Security

The traditional castle-and-moat model of cybersecurity is outdated due to the evolving perimeter caused by remote work and fluid data access. Organizations must integrate security at every touchpoint. The proliferation of IoT devices increases entry points for cybercriminals, necessitating a unified approach to endpoint security.

Advanced technologies like AI and quantum computing are transforming cybersecurity, making threats more sophisticated and encryption standards vulnerable. The convergence of technologies, such as networked sensors and big data, expands the attack surface while improving AI capabilities for both attackers and defenders. The increasing sophistication of cyberattacks, as seen in incidents like the SolarWinds hack and Colonial Pipeline attack, highlights the need for proactive, integrated security strategies.

Critical infrastructure vulnerability, regulatory considerations, and the necessity of collaborative security practices underscore the importance of a Unified Security Platform to provide adaptive defenses and foster a security-conscious culture within organizations. The Hybrid Mesh Firewall emerges as a vital component in this landscape, offering the flexibility and comprehensive protection required to meet modern cybersecurity challenges. Before we delve into “What is Hybrid Mesh Firewall”, let us discuss a few customer problems:

Key problem areas for customers

1. Misconfigurations and vulnerability exploitation

One of the most significant issues plaguing organizations is the prevalence of misconfigurations and the exploitation of these vulnerabilities. Despite having multiple security products in place, the risk of human error and the complexity of managing these systems can lead to critical security gaps.

2. Rapid attack execution

The speed at which cyber-attacks can be executed has increased dramatically. This necessitates even faster defense responses, which many traditional security setups struggle to provide. Organizations need solutions that can respond in real-time to threats, minimizing potential damage.

3. Hybrid environments

The modern workforce is distributed, with employees working from various locations and using multiple devices. This hybrid environment requires robust protection that is enforced as close to the user or device as possible. The conventional approach of backhauling remote user traffic to a central data center for inspection is no longer viable due to performance, scalability, and availability constraints.

The emergence of SASE has transformed how network and security solutions are designed, providing connectivity and protection for a remote workforce. However, the shift to distributed controls has become inevitable, presenting its own set of challenges. Many customers deploy best-of-breed security products from different vendors, hoping to cover all bases. Unfortunately, this often results in a complex, multi-vendor environment that is difficult to manage.

4. Siloed security management

Managing security across different silos, with multiple teams and solutions, adds to the complexity. Each system must operate effectively within the principles of Zero Trust, but ensuring consistent performance across all products is challenging. Security systems need to work cohesively, but disparate tools rarely interact seamlessly, making it hard to measure and manage risks comprehensively.

The hybrid mesh firewall solution

Hybrid mesh firewall platforms enable security policy enforcement between workloads and users across any network, especially in on-premises-first organizations. They offer control and management planes to connect multiple enforcement points and are delivered as a mix of hardware, virtual, cloud-native, and cloud-delivered services, integrating with other technologies to share security context signals.

By unifying various firewall architectures, Hybrid Mesh Firewalls ensure consistency and coherence, proactively identifying gaps and suggesting remediations for a holistic approach to network security.

Benefits of hybrid mesh firewalls

1. Unified security management: By consolidating various security functions into a single platform, Hybrid Mesh Firewalls simplify management and reduce the likelihood of misconfigurations. Administrators can oversee and configure all aspects of network security from one place, ensuring that no critical security gaps are overlooked.
2. Proactive threat identification and remediation: The platform continuously monitors the network for vulnerabilities and misconfigurations, such as when a team managing the Secure Service Edge (SSE) solution inadvertently allows direct access to a risky file-sharing site. In such cases, the firewall promptly alerts the admin and provides a remediation flow, ensuring only low-risk apps access the internet directly while other traffic is securely tunneled. This proactive approach prevents incidents before they occur, safeguarding the network from potential threats like data exfiltration or malware infiltration.
3. Real-time response: With the capability to respond in real-time to threats, Hybrid Mesh Firewalls ensure that security measures keep pace with the speed of attacks. This rapid response capability is crucial for minimizing damage and maintaining business continuity.
4. Zero trust enforcement: Each component of the security system operates independently but within the overarching principle of Zero Trust. This means that the endpoint protection software on a remote user’s device functions correctly, regardless of the firewall configuration at the data center, and vice versa. Every element of the security infrastructure works to ensure that trust is never assumed and always verified.

Beyond remote work: Securing workloads everywhere

The need for robust security extends beyond the realm of remote work. Modern organizations are leveraging a mix of private and public cloud environments to run their workloads. Whether it’s a private data center, a public cloud provider like AWS or Azure, or even multiple public clouds, the security landscape becomes increasingly complex.

Hybrid Mesh Firewalls are designed to secure workloads regardless of their location. This approach ensures that security policies are consistently applied across all environments, whether on-premises, in a single public cloud, or across multiple cloud providers.

Securing hybrid workloads:

1. Consistent policy enforcement: By providing a unified platform, Hybrid Mesh Firewalls ensure that security policies are consistently enforced across all environments. This eliminates the risk of discrepancies that can arise from using different security products in different locations.
2. Integrated visibility and control: With integrated visibility into all network traffic, Hybrid Mesh Firewalls allow administrators to monitor and control security policies from a single interface. Centralized management is crucial for identifying and mitigating risks across diverse environments.
3. Scalability and flexibility: As organizations grow and their infrastructure evolves, Hybrid Mesh Firewalls offer the scalability and flexibility needed to adapt to new requirements. Whether adding new cloud environments or scaling up existing ones, the firewall platform can grow with the organization.

Conclusion

The need for Hybrid Mesh Firewalls has never been more critical. As organizations navigate the complexities of a distributed workforce, hybrid environments, and the ever-evolving threat landscape, a unified, proactive, and real-time approach to network security is essential. Hybrid Mesh Firewalls offer the consistency, control, and comprehensive protection needed to secure modern hybrid environments effectively. By addressing the key problem areas of misconfigurations, rapid attack execution, and siloed security management, they provide a robust solution that meets the demands of today’s cybersecurity challenges and beyond.

Source: cisco.com

Continue reading

New Networking Capabilities on Cisco Intersight

Bringing simplicity to complex hybrid cloud operations is the fundamental goal of Cisco Intersight. With a SaaS form factor, which alleviates the burden of installation and ongoing maintenance, Intersight provides comprehensive visibility, consistent day-to-day operations, and automated orchestration to ensure infrastructure is secure and compliant across all hybrid assets. In addition to the cloud SaaS option, we also provide a Connected Virtual Appliance (CVA) or a fully air-gapped Private Virtual Appliance (PVA) options to run on-premises.

To start, Cisco Intersight focused on the management and operations of compute, storage, and virtualization domains from a single cohesive user interface. The compute domain includes Cisco UCS servers and 3rd party servers, the storage domain includes Cisco HyperFlex, NetApp, Pure Storage, and Hitachi, and the virtualization domain spans VMware ESXi, and Amazon Web Services. We are very happy to extend Intersight’s management capabilities to the network domain. Cisco Nexus 9000 series data center switch support is now made generally available in Intersight platform.

What’s new?

Here are few things you can start doing at the get-go with these newly introduced capabilities:

1. Network visibility and operations: Like servers and storage arrays you can view and monitor your ethernet switches from the Intersight unified user interface and benefit from up-to-date network inventory knowledge. L2 neighbors view extends this infrastructure view beyond the switch itself to the identities of devices connected to the respective switch.

2. Cross-domain orchestration: You can construct end-to-end workflows for routine cross-domain orchestration functions such as provisioning a server in a particular VLAN and enabling respective switch ports, or consistently deploy private cloud infrastructure configuration to servers, switches, and storage arrays. Think NTP/DNS/Syslog/SNMP servers and MTUs across the network.

3. Management of Converged Infrastructure (CI) systems: Network domain capabilities facilitate creation comprehensive inventory for CI systems, such as FlexPod and elevate them as first-class citizens in the Intersight platform. Programmatic management of routine operations for these systems can be supported.

Cisco Intersight ethernet switch grid view

Cisco Intersight switch summary view

How it works?

Now you can onboard Cisco Nexus 9000 datacenter switches in NX-OS mode on Intersight. After claiming any Nexus 9K switches, Intersight presents rich inventory views including a summary, variety of switch hardware sub-systems, and switch configuration for that device.

Automate your network with the rest of the datacenter

Intersight Cloud Orchestrator (ICO) provides end-to-end orchestration and automated operations across the many infrastructure domains managed by Intersight. With Intersight workflow designer, you can construct cross-domain workflows in a no/low code environment using a curated Task Library of turnkey platform-integrated tasks and actions.

Intersight Task Library is inducted with a rich set of everyday switch management tasks for the Nexus 9000 datacenter switching family in NX-OS mode. These native tasks are backed by comprehensive inventory views, which deliver no-code experience for constructing and executing the cross-domain orchestration workflows. The task categories include basic system management tasks, comprehensive switch port management, and VLAN management. The granularity of these automation tasks is extended all the way to Create/Read/Update/Delete (CRUD) operations levels for the supported switch management objects. This allows you to construct automation workflows very closely aligned with your deployment.

Cisco Intersight switch port inventory view

Cisco Interisght switch L2 neighbor inventory view

Stay in control

You can effectively define and enforce your organization’s Role Based Access Control (RBAC) policies using Intersight Roles and Privilege Sets. Intersight has introduced two new Privilege Sets for Network Domain: Network Administrator and Network Operator. These Privilege Sets can be used to define appropriate Roles in the organization for governing the access to management functions of the network assets in Intersight. For example, a user with Network Administrator Privilege Set can only define and execute workflows using Network Task.

Getting Connected with Intersight

If you want to try it for yourself, you can create a free account on www.intersight.com and request a free trial of any Intersight capability, including orchestration. Feel free to onboard your Nexus 9000 switches and monitor those along with the compute and storage resources from a unified UI. End-to-end orchestration workflows supported by Nexus native task library, such as provisioning a server in a VLAN and turn-up respective switch ports, will help you reduce your Hybrid Cloud OpEx, deliver time-to-service acceleration, and reduce operational risks for everyday datacenter management operations.

Source: cisco.com

Continue reading

The SASE story II: How Cisco IT developed our SASE product amid an evolving industry landscape

As revealed in The SASE story, part I, the SASE model brings value to enterprise IT organizations looking to achieve connectivity and security resilience through a secure, efficient, hybrid architecture. In Part II, we’ll outline the journey we took to develop our Cisco SASE solution.

CloudPort: The precursor to SASE

Throughout the past decade, IT organizations have witnessed two significant trends: the migration of applications to the Cloud, followed by Hybrid Work. These trends caused IT leaders to think differently about how to better connect users to applications. Many — including Cisco IT — realized that networking and security problems can no longer be solved in isolation. To address this, Cisco IT embarked on a journey to build our own bespoke solution by combining different Cisco networking and security components, delivering SASE-like capabilities in an on-prem platform.

At a Cisco IT offsite in 2013, during a time when workloads were starting to migrate to the cloud, we drafted what is now the CloudPort vision on a hotel bar napkin. The plan was to deploy highly scalable networking and security hardware platforms in colocation facilities worldwide.

Initially, CloudPort was conceived in response to this Hybrid Cloud paradigm shift, providing us with the opportunity to strategically place our network edge directly with major ISPs and Cloud providers. Over time, we realized we could fuse security services directly into this architecture, which allowed us to bring together networking and security into a common platform. This was, effectively, a hardware- and co-lo-based precursor to current cloud-delivered SASE. The crux of this plan was that it allowed us to layer more and more services on top – offering similar capabilities (VPN, Firewall, Zero Trust Network Access, URL filtering, etc.) to what would become known as SASE.

The CloudPort solution was and is very effective – allowing us to securely interconnect the Cisco enterprise network with the outside world.  However, as technology evolved and business requirements changed, it started to pose some challenges:

◉ Due to the layered nature of the solution, it became complex to build and operate

◉ It required specialized skillsets, which became difficult to find in the industry

◉ After years of iteration, CloudPort became an amalgamation of different technologies and solutions we had layered together ourselves, so it became difficult to quickly adjust to increasingly agile business needs

Taking into account these challenges, we decided that it was time for a different approach.

A modernized “SASE” Hub

As a stepping-stone between CloudPort and fully Cloud-delivered SASE, Cisco IT’s Customer Zero team developed a modernized solution, branded the “CZ SASE Hub.”  Since we have the in-house expertise, and we needed to use physical appliances to meet scale requirements, we decided to deploy our own solution. For customers, this new version provides a simple, easy-to-operate, Zero Trust-ready platform, and will later allow for easier migration to SASE.

The CZ SASE Hub is SD-WAN centric, leveraging both Meraki and Viptela. This allows us to efficiently bring connectivity and policy to a central, easy-to-manage place in the network. By extending micro (Cisco TrustSec) and macro segments (SDA & SD-WAN VPNs) into Cisco Secure Firewall, we can enforce identity-based policies supporting our Zero Trust for the Workplace initiatives (SDA, TrustSec/ISE). In addition, we significantly improved our observability (DNA-C/vManage Assurance, ThousandEyes, DNA Traffic Telemetry Appliance) to make sure the platform is healthy and delivers a great experience to our end users.

This homegrown solution turned out to be much easier to deploy and operate, with a much smaller footprint. If we need to expand our footprint into different colocation facilities to meet new business demands, we will entertain using Cisco SD-WAN Cloud OnRamp for colocation or Secure Agile Exchange (SAE). These highly virtualized solutions offer the same capabilities with controller-based orchestration and integrations that offload a lot of the complexity.

Adopting Cloud delivered SASE

Although our do-it-yourself platform is doing mostly what we need it to do, it poses a few challenges. Building and operating a homegrown SASE-type solution remains complex and requires in-depth expertise of many different technologies.

To address these challenges, we look to move to a cloud-delivered SASE model. With this model we can outsource the complexity, allowing experts to build and operate the platform for us. We no longer have to deploy bigger-than-needed boxes to factor in potential future growth — we can now scale up and down when business needs change. Finally, SASE provides new security capabilities within a single offering, preventing us from having to deploy a multitude of standalone security tools. An added bonus? We believe SASE can result in cost optimizations.

Our aspiration is to migrate to Unified SASE for most of our network. These easy-to-order, easy-to-operate SASE solutions provide superb integrations among some of the best technologies (SD-WAN, Umbrella SIG, AnyConnect, ZTNA/Duo), all available through a unified services portal.

For the parts of our network where we don’t migrate to Unified SASE, we will adopt Disaggregated SASE. As a large enterprise customer, Cisco has complex use-cases that ask for a bit more flexibility. Disaggregated SASE is similar to Unified SASE in that it provides much better integrations between similar technologies, yet it allows for more customization to fit our specific needs. Disaggregated SASE deconstructs certain components of Unified SASE to allow for a more flexible, scaled deployment. For example, Cisco Secure Firewall Cloud Native (SFCN) allows a containerized deployment of Next-Generation Firewall in AWS. The customer can then combine this with custom deployments of SD-WAN, Umbrella, and Duo to create a distributed, scaled-out architecture to meet Enterprise needs.

Our ultimate aim is to drive a unified solution that is tenable for large-scale, complex environments like ours, and produce a reference solution that customers can easily replicate.

Source: cisco.com

Continue reading