Access control extends far beyond the simple static statements of a Cisco ACL or IP tables. The access control we deal with today comes with fancy names like Advanced Malware Protection or “Next-Generation.” If you work with Cisco devices that are part of the FirePOWER defense system you know what I’m talking about here. For example, the Cisco FirePOWER services module in the ASA can work with Cisco Advanced Malware Detection to send a file hash to a Cisco server in the cloud. From there, the Cisco server will respond with an indication that the file contains malware, or that its clean. If it contains malware then of course the access control rule would deny the traffic. If its determined that the traffic is clean it would allow the traffic.
In this situation discussed previously, the file itself is never sent over the wire, just a hash is sent. How is this at all helpful? Cisco gathers correlation data from customers around the globe. This data helps them to build their database of known threats, so when you send them a hash, its likely that they’ve already seen it and have run the file in a sandbox. They use advanced tools like machine learning to determine if the file is malicious. Then they catalog the file with a hash value so when you send a hash, they compare the hash, and there you have it! This is very low overhead in terms of processing data. What about the cases where Cisco doesn’t have any data on the file hash we’ve sent? This is where things get interesting in my opinion.
In this case, the file needs to be sent to Cisco. Once Cisco receives the file they run it in a sandbox. Using machine learning amongst other methods lets them determine if the file is doing something malicious or not. At this point they would catalog the information with a hash value so they don’t have to look at it again. This is all good, because we can usually get a quick response on wether something is good or bad, and our access-control rules can do their job. But here’s where a few questions could be raised. Aside from not having a hash for a file I’m sending or receiving, what determines that the file needs to be forward to Cisco? Do they log the file or discard it after the sandbox run of the file? I ask these questions because in my mind it’s realistic that all files could be sent to Cisco and cataloged meaning authorities could potentially subpoena that data from Cisco to see anything I’ve sent or received. If this is the case then our “Advanced Malware Detection” could also be “Advanced Privacy Deterioration.”
What are your thoughts? Is it a bad idea to get the cloud involved in your access-control policies or do we just trust the direction vendors are taking us?