cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

Are We Losing Control of Access Control?

Level 11

Access control extends far beyond the simple static statements of a Cisco ACL or IP tables.  The access control we deal with today comes with fancy names like Advanced Malware Protection or “Next-Generation.”  If you work with Cisco devices that are part of the FirePOWER defense system you know what I’m talking about here.  For example, the Cisco FirePOWER services module in the ASA can work with Cisco Advanced Malware Detection to send a file hash to a Cisco server in the cloud.  From there, the Cisco server will respond with an indication that the file contains malware, or that its clean.  If it contains malware then of course the access control rule would deny the traffic.  If its determined that the traffic is clean it would allow the traffic. 

In this situation discussed previously, the file itself is never sent over the wire, just a hash is sent.  How is this at all helpful?  Cisco gathers correlation data from customers around the globe.  This data helps them to build their database of known threats, so when you send them a hash, its likely that they’ve already seen it and have run the file in a sandbox.  They use advanced tools like machine learning to determine if the file is malicious.  Then they catalog the file with a hash value so when you send a hash, they compare the hash, and there you have it!  This is very low overhead in terms of processing data.  What about the cases where Cisco doesn’t have any data on the file hash we’ve sent?  This is where things get interesting in my opinion. 

In this case, the file needs to be sent to Cisco.  Once Cisco receives the file they run it in a sandbox.  Using machine learning amongst other methods lets them determine if the file is doing something malicious or not.  At this point they would catalog the information with a hash value so they don’t have to look at it again.  This is all good, because we can usually get a quick response on wether something is good or bad, and our access-control rules can do their job.  But here’s where a few questions could be raised.  Aside from not having a hash for a file I’m sending or receiving, what determines that the file needs to be forward to Cisco?  Do they log the file or discard it after the sandbox run of the file?  I ask these questions because in my mind it’s realistic that all files could be sent to Cisco and cataloged meaning authorities could potentially subpoena that data from Cisco to see anything I’ve sent or received.  If this is the case then our “Advanced Malware Detection” could also be “Advanced Privacy Deterioration.” 

What are your thoughts?  Is it a bad idea to get the cloud involved in your access-control policies or do we just trust the direction vendors are taking us?

22 Comments
MVP
MVP

Interesting.  I wonder how long it takes Cisco to process a file it hasn't seen before it issues a hash (good or bad) ?

This may be one of the better uses of the could...until someone figures out how to exploit it.

Level 14

I, for one , would prefer to keep my access control policies close to my chest.  However, I do see how sharing the knowledge of a malicious file would benefit others.

Level 9

Why would every file be sent to Cisco?  I could understand .exe files being sent, but .txt (or .doc/.docx for example)?  I don't believe that CISCO has the compute power available to process EVERY file sent across the net (maybe one day's worth in a year, if they are lucky).  This is beginning to sound like an internet hoax.....

Level 10

Can't this cloud that the file get sent to be local to your network under your management?  I don't know much about this product, but it is pretty vague about what it does with the file after it "sends it to a remote cloud". But if it's my cloud, then i'm not worried. I would HOPE the local device can figure out the hash for new files and just share that to the cisco security database.

I don't see how Cisco could have an interest in storing all that data when they could have each customer do the leg work for their own files, and just get the hash from them.
"Can Ensure Privacy

The AMP Private Cloud and management system is a single on-premises product that you install on your hardware through a self-contained virtual machine."

Cisco Advanced Malware Protection Virtual Private Cloud Appliance - Products & Services - Cisco

Level 11

Like the article, but I don't like the idea of having data sent automatically to a third party.  That to me is losing control, it may sound nice until it is exploited and unintended files are being sent without your knowledge or permission.

Level 20

Out with the dated legacy AAA and in with HP/Aruba Clearpass Policy Manager NAC, device profiling, certificates, integrated into AD GP... we'll see how it goes.  It seems to have promise with context aware granular access control.

MVP
MVP

Palo Alto has been doing this for years and has it pretty well sorted out, not had any issues with it.

Level 20

Yes in addition to the HP/Aruba wireless and clearpass we also have the Palo Alto on one side of two businesses that came together.  All Cisco on one side and Cisco plus core Palo Alto on the other.  The only concern I have about the Palo Alto that may be unfounded is not a lot of defense in depth when you have one giant switch that does everything L7 f/w, NAC, IPS/IDS, basically tries to replace what before were multiple devices.  I have an open mind about it though.  Glad to hear you haven't had any issues with it.

Lots of knee-jerk reacting happening.  In many ways, this is not new, it's just efficient.  If you received an infected file and simply accepted it, your systems would be compromised if they didn't recognize it with AV and quarantine or delete it.

Once you were infected you'd end up sending a copy of the suspicious file to two or more AV companies for analysis and clean-up.  After confirming the infection was something new, you'd have to wait for them to develop a fix and send it to you.   Certainly this took hours at best, and days at worst.

FirePOWER simply automates the process and speeds it up.

True, I anticipate negative reactions to the idea of EVERY FILE being sent to Cisco.

What's the alternative?  Become infected?  That's unacceptable.

MVP
MVP

Fewer files will be sent over time a hashes are created representing threats or not.

This is not unlike what riverbed  (www.riverbed.com) does for WAN optimization.

They cache files in appliances at a branch location so that you don't have to repeatedly send the file.

We did this for MSDS safety sheets and other required data files used in shipping product in a previous life. 

A hash or some other small data representation is created as part of the internet traffic for the file and if it is cached at the branch then the file is not resent. 

If the hashed file is not there then the new one is sent and cached. 

Level 20

I concur comparing a hash is much much easier than trying to send a file of any size anywhere!  I suppose hash collisions is a concern for some so don't use sha-1 and md5 then.  Use sha-256 to really be safe :^}

Level 20

If you're ever wanting every AV software developer to all have a new virus just run it through virustotal... It used to be that hackers used it see if their new exploits could fool all the AV engines... well the AV companies all use the data on the stuff that passes through virustotal now to update their engines.

Level 10

Why don't these vendors join forces and have a central database for all malware and malicious code that all firewall vendors access and update?

Why don't these vendors do the same for known Malware/malicious IPs?   Yes you can manually subscribe but why isn't this out of the box and subscription service (maybe have it as part of the annual maintenance contract?) that you can get?  I personally know of no vendor that offers this.  You have to manually sign up to something like Spamhaus or someone else...  Why?  For all this talk about cloud services this is one area that it would make sense and yet they are all operating in their own silos.  Really dumb if you ask me.  Sorry but Cisco alone or for that matter any other vendor alone can't do it.

Level 8

What determines what files are sent? Are they just files coming through the perimeter or any file crossing any Cisco device? I deal in nuclear and some of our stuff being sent to Cisco would cause issues for us and Cisco. I'm not sure what our IT Guys have set up this way, I do cyber research, I don't actually protect the network, so this is interesting to me in a few ways mostly academic. When it sends the file, not the hash, is it encrypted? Anything leaving your network should be just in case. How long do they retain a copy, if not determined to be malware is it deleted securely. How can I get confirmation of this that is suitable to pass an audit by our nuclear regulator?

Can I get a detailed list of what was passed from my network to theirs? again audit-able.

What about other industries are also looking at this security feature as a possible security issue?

Level 21

You are asking the right question alaskan​!  If security is ever going to have a chance to stand-up to the bad guys they need to start sharing information for the sake of making the whole much better.  The problem is each of these companies is a for-profit company and they want to be able to claim they have the better solution backed by the better threat intelligence. 

Imagine how powerful it would be if all of these vendors came up with a single protocol and database for capturing all of this data that could then be leveraged by users like us in the machine learning based appliances and applications that are managing our security!

Level 20

Interesting you say that byrona because recently the DoD and Intelligence community have been trying to do more of this sharing with corporate America for good security of all.  There is more sharing now than ever before and nothing wrong with some good competition but you're right then it comes down to what separates one companies product from the next guys?

Level 14

So, would we be talking about a common database like the CVE, Common Vulnerabilities and Exposures, database?  A repository of common malicious file signatures would be a great idea.  If implemented, it would have to be well secured though.  It would also have to have a repository of known good file signatures as well.  I can imagine signatures of known good files being submitted as malicious, thus causing a massive global Denial of Service created from inside everyone's network.

Level 7

I can't speak to Cisco's FirePower setup, but I do know that Palo Alto has a version of their GlobalProtect that you can run on-premise (so it's not sent to their cloud) but for non-government organizations / non Fortune 500, it's probably too expensive.

Level 10

We have Palo Alto firewalls and use Global Protect.  The cost isn't all that expensive compared to others.

I'm not sure what your comment about it being for non-government organizations though...?

As long as you purchase the firewalls and buy the licenses for Global Protect you can use them.  I did not see anything saying 'this is only for small businesses and non-government organizations in any of the docs nor did my Palo Alto rep tell me this..

Level 14

The problem with certain types of licensing is connectivity to the internet.  In the government, we maintain networks with different levels of classification.  You can't connect to a license server that resides on the internet, with a firewall that resides on a Secret network.  Sneakernet only.

Level 9

Even without load and not burdening which the network time to do this analysis?

MVP
MVP

Competing on hardware is boring, we need more widgets!

About the Author
Brandon Carroll, CCIE #23837 is the CEO of California based Global Config Technology Solutions, Inc, Tech Blogger, and Cisco Press Author. With over 15 years in IT, a few certifications, and a love for technical education you'll find him at Cisco Live, on the Packet Pushers Podcast, Twitter, and Google+.