…this time from Cisco. I’ve stumbled upon a 2008 slide deck from them that introduces the new “Cisco Self-defending Network V3.0”. In particular, there’s a section about the “Cisco ASA 5500 Series” that shows how much effort Cisco marketing people (and, in this case, engineers as well) put into coming up with their bulls**t. Two notable examples:
Any Cisco voice/video communications encrypted with SRTP/TLS can now be inspected by Cisco ASA 5500 Adaptive Security Appliances: TLS signaling is terminated and inspected, then re-encrypted for connection to destination (leveraging integrated hardware encryption services for scalable performance).
So now what I thought was a secure tunnel between me and the other person is, in fact, cut in half at a potential interception point liable to be controlled by hackers, all of this thanks to the “Adaptive Security Appliance”. And as if this were not enough, it is obvious that for this scenario to work the Cisco people had to make their appliances open to man-in-the-middle attacks. Wow.
Advanced Web Traffic Security: Protects Networks from Web-based Threats.
- Provides powerful regular expression (regex) matching capabilities to detect administrator customizable strings and optionally block, rate limit, and/or log traffic.
- Deep inspection services provide businesses control over what actions users can perform when accessing websites.
- Performs RFC compliance checking for protocol anomaly detection.
- Provides MIME type filtering and content validation capabilities.
This sounds so much like an IDS from the nineties. Using (powerful) regexes, RFC compliance enforcement, and MIME filtering does not sound to me like “advanced Web traffic security”. It’s what we were doing 20 years ago.
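To make concrete what those three bullets actually amount to, here is an added example (my own illustration, not code from the slide deck or from any Cisco product) of the same three checks applied to an HTTP response: a MIME-type allow-list, content validation by magic bytes, and administrator-defined regex rules with block/log/rate-limit actions. The rule set, the magic-byte table and the sample bodies are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Leading-byte signatures used for content validation (constructed, small table).
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "application/pdf": (b"%PDF-",),
}

@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    action: str  # "block", "log" or "rate_limit"

# "Administrator customizable strings" with an action each (constructed samples).
RULES = [
    Rule("unix-passwd-leak", re.compile(rb"root:[^:]*:0:0:"), "block"),
    Rule("script-in-image", re.compile(rb"<script", re.I), "block"),
    Rule("internal-hostname", re.compile(rb"corp\.example\.internal"), "log"),
    Rule("bulk-iso-download", re.compile(rb"\.iso\b"), "rate_limit"),
]

def mime_matches(declared: str, body: bytes):
    """Content validation: does the body start like the declared type?
    Returns None when the type is not in the table (nothing to validate)."""
    sigs = MAGIC.get(declared)
    if sigs is None:
        return None
    return any(body.startswith(s) for s in sigs)

def inspect_response(content_type: str, body: bytes, allowed_types: set):
    """Apply MIME filtering, content validation and regex rules.
    Returns (verdict, reasons); rate_limit is only recorded, since this
    example keeps no per-client traffic counters."""
    base = content_type.split(";")[0].strip().lower()
    if base not in allowed_types:
        return "block", [f"mime-filter: {base} not permitted"]
    verdict, reasons = "allow", []
    if mime_matches(base, body) is False:  # declared type vs. actual bytes
        verdict = "block"
        reasons.append(f"content-validation: body does not look like {base}")
    for rule in RULES:
        if rule.pattern.search(body):
            reasons.append(f"regex:{rule.name} -> {rule.action}")
            if rule.action == "block":
                verdict = "block"
    return verdict, reasons
```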
Then, there’s a section about the “Cisco Security Agent”, a software agent that you install on each box:
Intercepting Actions on the Endpoint: Application calls to the operating system are intercepted in real-time, and dynamic decisions are made to allow/deny actions.
Guys, it’s called “behavioral blocking”; it’s been tried for at least 10 years by a number of companies (including Symantec and Microsoft), and I have never seen it work. You might pull it off, though.
And finally, Cisco wants you to know that the agent has been…
Validated by PCI auditor to address PCI 1.1 DSS Requirements
…which apparently for Cisco is supposed to be a cool thing to say.