Cisco Releases Application Awareness, Visibility and Control functionality

Cisco Ironport Web Security Appliance adds Facebook, IM, P2P and other application controls

When I need an expert on web or email security I turn to my peer Garett Redelings. So when it came to writing about this topic I reached out to him. Garett was kind enough to write up the below article that describes in detail the new Application awareness, visibility and control features that were recently released in the Cisco Ironport Web Security Appliance product. If you have any comments for Garett please post them.

Cisco’s IronPort Application Visibility Controls – Not your Grandma’s Web Filtering Solution

Many of us are very familiar with legacy web site filtering, otherwise known as URL filtering and categorization. The historical way of filtering user access to the Internet was either by URL or by a combination of URL, IP address and potentially even regular expression rules. These groupings of websites often carried category names like Adult, Education, Health, Webmail, Technology and so on. The number of categories, as well as the number of sites categorized, was often used as a benchmark measure of the quality of a web filtering product.

Figure 1 – Typical URL Categories

While this type of categorization system was crude, it was often effective at giving administrators the ability to control, at a very high level, which sites users could access and which they could not. This type of control over the Internet made HR and CXO types jump for joy, as the Internet could be made “safe” again and companies could protect themselves from nasty lawsuits and other such foolishness. The next wave of controls brought many more features, like the ability to assign Internet privileges on a per-user or per-group basis. These updates were followed by additional enhancements such as granular options for controlling access to specific pages or locations within sites, as well as additional categories and subcategories of websites. The race to categorize the content on the Internet was a well-established numbers game between competing vendors.

Cisco has continued to ramp up the features of the IronPort Web Security Appliance since acquiring IronPort back in 2007. The latest release, version 7.0, is no exception, bringing one of the greatest feature releases for the product this year: Application Visibility Controls, or simply AVC. The concept behind AVC is simple: the dynamic and ever-changing use of the Web demands more than just a simple filtering engine to detect and control user access to websites. More importantly, application filtering needs to detect how, and with what tools, users interact with those websites.

Figure 2 – Application Visibility Controls

Web filtering solutions such as the IronPort WSA and other products in this space are implementing features to bridge the gap between historical URL filtering and the new genre of web applications in use today. The following data was gathered from my work in the field as a Consulting Systems Engineer for Cisco working with the IronPort product line.

Cisco IronPort AVC technology

At the core, the fundamental difference with Cisco’s IronPort AVC approach comes down to three major design directives:

1. Application Visibility Controls should be flexible and independent of platform.
2. AVC updates should be dynamic, keeping pace with the Internet and website content.
3. Features of AVC should focus on and follow current Internet usage.

These three design points differentiate the Cisco solution in some significant ways, in an effort to change the web application space from a game of numbers to one of dynamic adaptation. This begs the question, “Ok, so what’s the real difference with Cisco’s solution?”

Flexible and Independent of Platform

Perhaps the greatest problem with the web is that it is changing all the time. Website content changes by the hour, and often a majority of a site’s content comes from other web servers that are owned and maintained by a completely separate entity (think of the owners of billboards and the companies that pay to have their ads displayed). A database that categorizes websites is static, and so it is simply ineffective in this world when it comes to application control. Now consider how you use the Internet on a daily basis to access news sites, social networking, webmail, and blogs. At any given point in your day, you might update your location for online friends to see or post the latest random thought on your blog, all from an assortment of devices that use HTTP and HTTPS.

Perhaps during an average day you might even squeeze in some time to play a game or two in between web meetings with conferencing software on your mobile device or laptop. Control over such applications as games and web conferencing software that use HTTP and HTTPS has to be flexible enough to handle how those applications might change with updates or new features. OS updates take months of engineering and QA resources to deliver even a beta version. Static systems with hard-coded detection mechanisms simply cannot react to a platform or OS update quickly enough to keep up. Application detection needs to be built on a platform that allows detection logic to change and keep pace with the latest application versions without requiring an OS update.

Dynamic just like the Web

With the unending stream of updates and enhancements to web content and web applications, the need to stay in lockstep with these releases is paramount for any web solution. This was a focal point of the new AVC controls of the IronPort Web Security Appliance. From social networking applications to games and instant messaging, maintaining close parity with the latest application features gives an advantage to any solution that can quickly deliver administrative controls. One of the latest examples of the dynamic nature of web applications is Facebook’s “Places”. The Facebook Places feature, released in August, lets users share where they are, connect with nearby friends, and even find local shop deals, all based on their location. Users simply have to log in to Facebook from their mobile device and then “check in”. The traditional filtering approach just can’t differentiate the Places activity based on the URL alone, as the web communications are all traffic to and the “check-in” functionality is prolific throughout the Facebook website. With the release of the Places feature, the option for many vendors was to release an OS or platform update, which, as I mentioned before, would take months to deliver.

Cisco’s AVC feature was able to deliver a control for Places within weeks because of its dynamic signature update system. This engine works much like the way AV engines update their signatures, and the new signatures and their configuration are exposed through simple check boxes. On the back end, AVC is powered by the Cisco Security Intelligence Operation, which pulls data from email security, web security, IPS, IDS, and third-party web traffic feeds. This key capability gives Cisco the ability to see more data in real time and use that data to drive updates and controls.
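To make the Places example concrete, here is an added illustration (constructed for this article, not code from Cisco or the IronPort WSA) of why a hostname-to-category table cannot tell a Facebook check-in from ordinary browsing, and how an application classifier driven by signature data can. The signatures are delivered as JSON, so a new feature such as check-in is covered by loading a new feed rather than shipping a new engine. The hostnames, request paths, Content-Type patterns and the policy table are all invented for the example; they are not actual Facebook endpoints or vendor signatures.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class HttpRequest:
    """Minimal view of a proxied request: method, full URL and Content-Type."""
    method: str
    url: str
    content_type: str = ""


# Legacy approach: a static hostname -> category table (constructed sample).
URL_CATEGORIES = {
    "www.facebook.com": "Social Networking",
    "mail.example.com": "Webmail",
}


def url_category(req: HttpRequest) -> str:
    """Category lookup sees only the hostname, so every Facebook request looks alike."""
    host = urlsplit(req.url).hostname or ""
    return URL_CATEGORIES.get(host, "Uncategorized")


# Application signatures delivered as data. Both feeds are constructed for this
# example; the paths and content types are illustrative, not real endpoints.
FACEBOOK_HOST = r"(^|\.)facebook\.com$"

SIGNATURE_FEED_V1 = json.dumps([
    {"app": "Facebook", "feature": "Browse", "host": FACEBOOK_HOST},
])

# A later feed adds two features; the engine code does not change.
SIGNATURE_FEED_V2 = json.dumps([
    {"app": "Facebook", "feature": "Check-in", "host": FACEBOOK_HOST,
     "method": "POST", "path": r"^/places/checkin"},
    {"app": "Facebook", "feature": "File Upload", "host": FACEBOOK_HOST,
     "method": "POST", "content_type": r"^multipart/form-data"},
    {"app": "Facebook", "feature": "Browse", "host": FACEBOOK_HOST},
])


class AppClassifier:
    """Matches requests against an ordered signature list; first match wins,
    so feed authors list specific features before the generic catch-all."""

    def __init__(self, feed_json: str):
        self.signatures = []
        for sig in json.loads(feed_json):
            self.signatures.append({
                "app": sig["app"],
                "feature": sig["feature"],
                "host": re.compile(sig["host"]),
                "method": sig.get("method"),
                "path": re.compile(sig["path"]) if "path" in sig else None,
                "content_type": (re.compile(sig["content_type"])
                                 if "content_type" in sig else None),
            })

    def classify(self, req: HttpRequest) -> Optional[tuple]:
        parts = urlsplit(req.url)
        host = parts.hostname or ""
        for sig in self.signatures:
            if not sig["host"].search(host):
                continue
            if sig["method"] and sig["method"] != req.method.upper():
                continue
            if sig["path"] and not sig["path"].search(parts.path):
                continue
            if sig["content_type"] and not sig["content_type"].search(req.content_type):
                continue
            return (sig["app"], sig["feature"])
        return None


# Control side: per-feature actions layered on the classification. Anything not
# listed is allowed, so browsing stays open while location sharing and uploads
# are blocked (constructed policy, not a product default).
FEATURE_POLICY = {
    ("Facebook", "Check-in"): "block",
    ("Facebook", "File Upload"): "block",
}


def decide(classifier: AppClassifier, req: HttpRequest) -> tuple:
    """Returns ((app, feature) or None, action) for a request."""
    label = classifier.classify(req)
    action = FEATURE_POLICY.get(label, "allow") if label else "allow"
    return (label, action)


# Constructed sample requests.
CHECKIN = HttpRequest("POST", "https://www.facebook.com/places/checkin")
UPLOAD = HttpRequest("POST", "https://www.facebook.com/some/page",
                     "multipart/form-data; boundary=x")
BROWSE = HttpRequest("GET", "https://www.facebook.com/profile")

if __name__ == "__main__":
    # The category database gives the same answer for all three requests.
    for req in (CHECKIN, UPLOAD, BROWSE):
        print("category:", url_category(req))
    # With the old feed, check-in is indistinguishable from browsing ...
    print(decide(AppClassifier(SIGNATURE_FEED_V1), CHECKIN))
    # ... and loading the new feed changes the verdict with no code change.
    print(decide(AppClassifier(SIGNATURE_FEED_V2), CHECKIN))
```

Signature order matters: the generic "Browse" entry must come last or it would shadow the specific features, which is the same ordering discipline an administrator relies on when a vendor feed is updated. Note also that the classifier needs the request path and headers, so on HTTPS this kind of control only works where the proxy decrypts the session.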

Figure 3 - Facebook Granular Controls

Figure 4 – Drill-Down Feature Settings

Focus on the Users

The final key point of Cisco’s IronPort AVC feature is its focus on the user and what they use most. Today people use Facebook, Twitter, games, IM, and file-sharing apps more and more, and these are the applications that the IronPort WSA focuses on. Cisco has less of a drive to cover legacy and obscure applications that just aren't used frequently by today's tech-savvy users. Cisco’s security intelligence operations provide deep visibility into web traffic behavior and the application types being used across the globe. This data is then used to decide which applications need to be added to its AVC capabilities.

Figure 5 – Sample Web Application Reporting

Looking back, web filtering began as an acceptable-use tool but has continued to morph into what Cisco calls “Internet Usage Policy”. This type of policy has more detailed malware filtering, security controls and access requirements than the broad, sweeping URL categories of old. Together with regulatory compliance rules for the financial, healthcare, and corporate industries, the days of one policy fits all are long gone. Internet usage policy needs to allow users to interact with specific applications on websites, such as blogs and web communities, but limit file sharing within Facebook, for example. Additionally, administrators look for ways to implement common-sense controls for outbound filtering, as most data leaks and policy violations are accidental, occurring as users send data between themselves over the web. It will be interesting to see how Cisco continues to improve upon the Application Visibility Controls on the IronPort WSA. Certainly taking direction from customers’ usage is a great approach. However, the measure of success for any vendor in this space will most likely be the level, timeliness and depth of control offered for today's most common applications like Facebook, Twitter, MySpace, etc.


Copyright © 2010 IDG Communications, Inc.