Context-Aware Network Security

Defense in depth is a concept that is hard to argue with; put as many security mechanisms in place to make it difficult if not impossible for the bad guys to gain access to your network. Much of the security “sprawl” we see today is a direct result of this strategy – deploy the best access-layer security solutions, best data center security solutions, and best gateway security solutions and you’re good, right?

The problem as we’ve painfully discovered is that these security “silos” do a great job in their respective domains, but don’t share information very well. With the sophistication of today’s threats, relevant information is needed by all tools and platforms to enhance the overall security of the network.

In the past, we would use vendor supplied APIs to accomplish information sharing among different platforms. However, these APIs are complex, platform specific and don’t scale to the level of devices now hungering for additional information.

To address this challenge, Cisco Systems developed the Platform Exchange Grid, or pxGrid. pxGrid is an integration framework that provides the bidirectional sharing of contextual information with any platform within its Security Technical Alliance Ecosystem partners. Today, Cisco announced expanding their ecosystem partnership by adding Check Point to the “Firewall and Access Control” segment of the Security Technical Alliance program. (Cisco blog)

The addition of Check Point to the alliance program is a significant step towards breaking down the siloed approach of old to make security systems more responsive to the environments they are protecting. As a result, Check Point next-generation security platforms can now leverage rich information about users, devices, security group tags and more for context-aware security policies.

The integration utilizes pxGrid to integrate with Cisco’s Identity Services Engine (ISE). ISE is an identity and access control policy platform that helps organizations enhance infrastructure security and streamlines service operations by gathering and sharing real-time contextual data about networks, users and devices.

Check Point’s Identity Awareness Software Blade is now able to consume user identity, network privilege level and Cisco TrustSec Security Group Tags from ISE. This information can then be used across the Check Point Software Blade architecture to provide better network security tuned specifically for any organization’s needs.

Using ISE as the source of rich identity data for Check Point security policies delivers real-time identity data on a network-wide basis, not just for users/devices known to AD or LDAP. As a result, information is more accurate and encompasses any user or device authenticated to the network.

Today’s cyber criminals are stealthy, technically competent and persistent. To combat this trend, security platforms can no longer exist in their own silos. The exchange of relevant, rich contextual information among security systems delivers better overall network security. That is why Cisco and Check Point have teamed up to deliver advanced, context-aware security tuned to the needs of today’s enterprise networks.