I am a member of a field advisor board for security products at Cisco. One of the charters of this role is to provide the various security business units (BUs) with customer feedback on the features and product requests they most desire. This process, among several others, helps ensure that the security product BUs at Cisco are developing features that customers are asking for. The BUs use this input to help prioritize which features will be developed first, otherwise known as the product feature roadmap.
As an example, a feature request can be one that makes you more secure, makes the product easier to manage, allows for better monitoring/debugging, expands product-to-product collaboration (à la self-defending network type features), or maybe you just need an increase in performance on a security platform.
The security products that are in scope for this can be found on this page. Products like ASA, IPS, IOS security, NAC, VPN, CSA, management, and MARS are definitely in scope.
In order to get as much customer input as possible into this process, I thought it would make sense to ask you for your input too. So, what features would you like to see developed in Cisco security products? For each feature request I’ll need the platform type (e.g. ASA), a short description of the feature (e.g. timeframe-based ACL rule expiry that is native to the ASA and doesn’t require CSManager 3.2), and a brief reason why you want the feature (e.g. we don’t currently use CSManager to manage our ASAs but find lots of value in its rule expiry feature. We would like this feature to be added to the ASA code natively. We have contractors and business partners that only need access to our network for a limited timeframe, usually one month. Rule expiry will automate the manual ACL removal process we have today, thus making us more secure.)
It would also be nice if you included your company name, but that is optional.
You can either email the request directly to me at or post it on the blog.
Now’s your chance to get your feature requests heard. Fire away!
The opinions and information presented here are my personal views and not those of my employer.
Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.
Hm This is an interesting
Hm, this is an interesting subject. We all know Cisco products are great, so can you make something good better?
I don’t have a lot of experience with the defensive way of thinking.
So I would recommend an IOS-based port scanner. It would greatly improve the test part of the security cycle.
I mean when you finish securing you can instantly search for open ports
and see if your ACLs do what you expected or if your IPS rules are triggered.
Maybe a crazy idea, I don’t know, but hey, it's just a thought.
Forgive me anyway if I am missing something!
IOS port scanner
Now that's one I've not heard before. I like the creative thinking. It seems users are always trying to find better ways to test their IPS and firewall rulesets. Cisco already has IOS-based packet and route generator code, so I would think making this a scanner would be doable. The issue might be that the packet gen code is its own IOS load and doesn't run with typical router code simultaneously.
IPv6 security features are really needed
I would recommend, since Cisco really lacks features here:
IPv6 feature parity with IPv4, especially:
- IPv6 IOS firewall ALGs (supports just FTP now)
- ASA stateful failover for IPv6
- GET VPN and DMVPN IPv6 support
- VPN client/EasyVPN native IPv6 support
and
VPN clients for mobile devices (Windows Mobile, Symbian, Linux, Android)
Improvements
ASA Active/Active VPN
ASA NetFlow
ASA DMVPN Support
ASA GETVPN Support
Better ASA Documentation
Specifically all types of NAT
More configuration examples
Failover license option
Probably more but that is a bit o' work for the developers right now.
RE: improvements
Excellent list, Tim. Many of these are on my personal wish list as well. ASA NetFlow support is already here with 8.1 and the ASA5580 line. It will soon be available in more of the ASA product line. ASA DMVPN support would be great; I really like DMVPN technology and wish that the ASA could play in that space as well.
For more config examples see here (there are over 125 of them on this site alone): http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
For better documentation on NAT can you give some more detail around that? Might make for a good blog article.
-Jamey
Improvements
Oh, likely my biggest issue I would like to see changed is the ACS interface. THAT is the worst interface I have seen since Netscape Navigator 1.0. It was ok in its time but sheesh. Difficult to remember where stuff is, and a 3rd-grader GUI makes it seem like a poor product. Actually, ACS or ACS SE is a great product suffering from a poor interface.
There are SO many options that wizards would be a useful option. I like the concentrator interface; perhaps menu trees would be a possible interface update into this century anyhow. An IPS ME or ASDM style interface might be a reasonable update as well.
NAT on the ASA/Pix is a complicated subject. There are many different types and methods of use. The doc CD (yeah, I am using the legacy but you use what you know) does not include NAT Outside and really doesn't have very good examples of everything.
I would like to see examples of each way of using NAT / Global / Static / Outside etc. You can use static options to control syn limitations. You can use ACLs and Dynamic or Static Policy NAT. If you have nat-control disabled but use NAT on an interface pair then NAT is required for any host to make connections through that pair.
ASA NAT contains a lot of flexibility and complexity. It would be great to see listings of all of the different ways of solving issues and the rules that you must comply with for that method.
Thanks,
Tim
MORE
I thought of another one or two. A syslog tool and log analysis tools that are not MARS. Not the capabilities of MARS either, just decent functionality.
MARS might be ok for some, but it would be nice to have a toolset that a small business can load up and use without spending a big chunk of money.
A cheap log appliance might be useful as well, or build a (cheap) appliance with MARS light and a better interface.
Modifying the MARS interface with the IPS ME treatment would be great as well.
Still reading THESE????
Still reading these responses or is the iPhone more interesting? ;-)
Still here
I'm still reading these for sure. In fact, I've put all of the responses I've gotten so far into a spreadsheet. I'll use it, along with any additional responses, to help push many of these ideas through.
-Jamey
Roadmaps would be COOL.
As a longtime Cisco evangelist and partner company consultant, I would really like to see product roadmaps for the security products.
Not ALL of that stuff needs to be secret. As a matter of fact, I have seen customers make large purchases when product roadmaps defined what new features were getting built-in and when.
I know we have all seen M$FT sell vaporware based upon the drool factor.