You hear a lot about zero trust microsegmentation these days and rightly so.
While a host-based enforcement approach is immensely powerful because it provides access to rich telemetry about the processes, packages, and CVEs present on the workloads, it is not always a pragmatic approach, for many reasons.
These reasons can range from application team perceptions and network security team preferences to the simple need for a different approach to achieve buy-in across the organization.
Long story short, to make microsegmentation practical and achievable, it's clear that a dynamic duo of host and network-based security is key to a robust and resilient zero trust cybersecurity strategy.
Earlier this year, Cisco completed the native integration between Cisco Secure Workload and Cisco Secure Firewall delivering on this principle and providing customers with unmatched flexibility as well as defense in depth.
Use case #1: Network visibility via an east-west network firewall.
The integration between Secure Workload and Secure Firewall enables the ingestion of NSEL flow records to provide network flow visibility, as shown in Figure 1.
Use case #2: Microsegmentation using the east-west network firewall.
The integration of Secure Firewall and Secure Workload provides two powerful complementary methods to discover, compile, and enforce zero trust microsegmentation policies.
Policy discovery and analysis: Automatically discover policies that are tailored to your environment by analyzing flow data ingested from the Secure Firewall protecting east-west workload communications.
Policy enforcement: Onboard multiple east-west firewalls to automate and enforce microsegmentation policies on a specific firewall or set of firewalls through Secure Workload.
Policy compliance monitoring: The network flow information, when compared against a baseline policy, provides a deep view into how your applications are behaving and complying with policies over time.
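The following is an added example, not Cisco's code and not Secure Workload's actual policy engine, that sketches how the two steps above fit together: allow rules are discovered from permitted east-west flows collapsed onto workload labels, and later flows are compared against that baseline to surface drift. The flow records, IP addresses, and application labels are constructed for the example; the field names only loosely mirror what a firewall flow export (such as NSEL) carries.

```python
from collections import Counter

# Constructed workload-to-application labels (assumption: the kind of scope/app
# tag a workload inventory would attach to each host). Not real infrastructure.
LABELS = {
    "10.0.1.10": "web",
    "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
}

# Constructed flow records in the spirit of a firewall flow export: 5-tuple
# fields plus the firewall's action. These are sample values, not real logs.
BASELINE_FLOWS = [
    {"src": "10.0.1.10", "dst": "10.0.2.20", "proto": "tcp", "dport": 8080, "action": "permit"},
    {"src": "10.0.1.11", "dst": "10.0.2.20", "proto": "tcp", "dport": 8080, "action": "permit"},
    {"src": "10.0.2.20", "dst": "10.0.3.30", "proto": "tcp", "dport": 5432, "action": "permit"},
    {"src": "10.0.2.20", "dst": "10.0.3.30", "proto": "tcp", "dport": 5432, "action": "permit"},
    # A denied flow must never turn into an allow rule.
    {"src": "10.0.1.10", "dst": "10.0.3.30", "proto": "tcp", "dport": 5432, "action": "deny"},
]

# Constructed later observation window used for compliance monitoring.
LATER_FLOWS = [
    {"src": "10.0.1.10", "dst": "10.0.2.20", "proto": "tcp", "dport": 8080, "action": "permit"},
    # Drift: the firewall permitted web -> db, which the baseline never allowed.
    {"src": "10.0.1.11", "dst": "10.0.3.30", "proto": "tcp", "dport": 5432, "action": "permit"},
    # Misconfiguration: app -> db is in the baseline but was denied.
    {"src": "10.0.2.20", "dst": "10.0.3.30", "proto": "tcp", "dport": 5432, "action": "deny"},
]


def rule_for(flow, labels):
    """Map a single flow onto a label-level rule (consumer, provider, proto, port)."""
    return (labels.get(flow["src"]), labels.get(flow["dst"]), flow["proto"], flow["dport"])


def discover_policy(flows, labels, min_count=1):
    """Collapse permitted flows into label-level allow rules.

    Flows with an unlabeled endpoint are skipped rather than guessed at, and
    denied flows are ignored so a blocked probe never becomes an allow rule.
    min_count lets a reviewer drop one-off flows before adopting the baseline.
    """
    counts = Counter()
    for f in flows:
        if f["action"] != "permit":
            continue
        rule = rule_for(f, labels)
        if None in rule[:2]:
            continue
        counts[rule] += 1
    return {rule for rule, n in counts.items() if n >= min_count}


def check_compliance(policy, flows, labels):
    """Compare observed flows against the baseline policy.

    Returns two lists: flows the firewall permitted that no rule covers
    (policy drift), and flows a rule allows that the firewall denied
    (likely an enforcement or configuration mismatch).
    """
    unexpected_permits, denied_but_allowed = [], []
    for f in flows:
        in_policy = rule_for(f, labels) in policy
        if f["action"] == "permit" and not in_policy:
            unexpected_permits.append(f)
        elif f["action"] == "deny" and in_policy:
            denied_but_allowed.append(f)
    return unexpected_permits, denied_but_allowed


if __name__ == "__main__":
    baseline = discover_policy(BASELINE_FLOWS, LABELS)
    for rule in sorted(baseline):
        print("allow", rule)
    drift, mismatch = check_compliance(baseline, LATER_FLOWS, LABELS)
    print("permitted outside policy:", drift)
    print("denied despite policy:", mismatch)
```

The `min_count` threshold is the part a practitioner tunes: with a long enough observation window, a flow seen only once is more likely a misconfiguration or a probe than a dependency, and excluding it keeps the discovered policy from baking in accidental access.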
Figure 2: Host-based and network-based approach with Secure Workload.
Use case #3: Defense in depth with virtual patching via north-south network firewall.
Virtual patching is typically done by leveraging the Intrusion Prevention System of Cisco Secure Firewall.
The key capability, enabled by the native integration, is Secure Workload's ability to share CVE information with Secure Firewall, which in turn activates the relevant IPS policies for those CVEs.
The Secure Workload agents installed on the application workloads will gather telemetry about the software packages and CVEs present on the application workloads.
A workload-CVE mapping is then published to Secure Firewall Management Center.
This would allow you to control any potential performance impact on your IPS. Finally, the Secure Firewall Management Center runs the 'firepower recommendations' tool to fine-tune and enable the exact set of signatures needed to protect against the CVEs that were found on your workloads.
Once the new signature set is crafted, it can be deployed to the north-south perimeter Secure Firewall.
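As an added example, not Cisco's code and not the actual Firepower recommendations algorithm, the following shows the shape of the virtual patching flow just described: agent reports are reduced to a workload-to-CVE map, and that map is used to select only the IPS rules whose CVE references match something actually present on the workloads, optionally restricted to the workloads behind a given firewall. Every CVE identifier, rule identifier, and hostname here is a constructed placeholder, and the `refs` field on the rule catalog is an assumed structure, not a real rule format.

```python
from collections import defaultdict

# Constructed agent inventory reports (assumption: each agent reports the
# packages and the CVEs affecting them). Placeholder CVE ids, not real ones.
AGENT_REPORTS = [
    {"host": "web-01", "packages": [
        {"name": "httpd", "version": "x.y", "cves": ["CVE-0000-0001", "CVE-0000-0002"]},
    ]},
    {"host": "app-01", "packages": [
        {"name": "java-runtime", "version": "x.y", "cves": ["CVE-0000-0003"]},
    ]},
    {"host": "db-01", "packages": [
        {"name": "postgres", "version": "x.y", "cves": []},
    ]},
]

# Constructed IPS rule catalog: rule id -> CVE references. Placeholder ids;
# in a real deployment this comes from the IPS vendor's rule metadata.
RULE_CATALOG = {
    "RULE-1001": {"refs": ["CVE-0000-0001"]},
    "RULE-1002": {"refs": ["CVE-0000-0002", "CVE-0000-0009"]},
    "RULE-1003": {"refs": ["CVE-0000-0003"]},
    "RULE-1004": {"refs": ["CVE-0000-0042"]},   # nothing on the estate needs this one
    "RULE-1005": {"refs": []},                  # no CVE reference at all
}


def build_cve_map(reports):
    """Reduce agent reports to {cve_id: set(hosts)}; that map is what gets published."""
    cve_hosts = defaultdict(set)
    for report in reports:
        for pkg in report["packages"]:
            for cve in pkg["cves"]:
                cve_hosts[cve].add(report["host"])
    return dict(cve_hosts)


def recommend_rules(cve_map, catalog, protected_hosts=None):
    """Select IPS rules whose CVE references hit a CVE present on the workloads.

    protected_hosts limits the selection to CVEs found on the workloads a
    particular firewall actually fronts, which is how the signature set (and
    therefore IPS load) stays tied to the real exposure behind that firewall.
    Returns {rule_id: sorted list of matching CVEs}.
    """
    if protected_hosts is not None:
        relevant = {cve for cve, hosts in cve_map.items() if hosts & set(protected_hosts)}
    else:
        relevant = set(cve_map)
    enabled = {}
    for rule_id, rule in catalog.items():
        hits = sorted(cve for cve in rule["refs"] if cve in relevant)
        if hits:
            enabled[rule_id] = hits
    return enabled


def recommendation_summary(cve_map, catalog, protected_hosts=None):
    """Counts a change reviewer would look at before deploying the new signature set."""
    enabled = recommend_rules(cve_map, catalog, protected_hosts)
    return {"rules_total": len(catalog), "rules_enabled": len(enabled),
            "cves_covered": len({c for hits in enabled.values() for c in hits})}


if __name__ == "__main__":
    cve_map = build_cve_map(AGENT_REPORTS)
    print("workload-CVE map:", cve_map)
    print("all workloads:", recommend_rules(cve_map, RULE_CATALOG))
    print("web tier only:", recommend_rules(cve_map, RULE_CATALOG, protected_hosts=["web-01"]))
    print(recommendation_summary(cve_map, RULE_CATALOG))
```

The `protected_hosts` filter is where the performance-impact control comes from: a north-south firewall in front of only the web tier does not need the signatures for an application-server CVE that is never reachable through it, and the summary makes the enabled-versus-available count visible before the set is pushed.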
Flexibility and defense in depth are key to a resilient zero trust microsegmentation strategy.
With Secure Workload and Secure Firewall, you can achieve a zero-trust security model by combining a host-based and network-based enforcement approach.
Published on feedpress.me, Fri, 15 Dec 2023 13:13:05 +0000.