The firewall has long been the mainstay of an enterprise's defense perimeter. To fight off modern-day threats, the firewall needs to be made “context-aware.” That is, it needs to extract the user and application identity, origin of the access and the type of device used for the access, and then permit or deny the access based on these attributes, in accordance with configured policy. In addition, the firewall must have the ability to detect and protect against emerging threats.
These are the capabilities that Context-Aware Security provides. Context-aware devices (CX devices) such as ASA CX let you enforce security based on the complete context of a situation. This context includes the identity of the user (who), the application or website that the user is trying to access (what), the origin of the access attempt (where), and the properties of the device used for the access (how). With ASA CX, you can extract the full context of a flow and enforce granular policies such as permitting access to Facebook but denying access to games on Facebook or permitting finance employees access to a sensitive enterprise database but denying the same to other employees.
The firewall is the right place to obtain the full context of the traffic flowing through the network. The firewall already sees all the traffic crossing the trust boundary between the enterprise network and the world at large.
As shown in the following figure, CX devices sit at the boundary between your network and the Internet or any other network from which protection is required. The devices regularly download signature and engine updates from the Cisco Security Intelligence Operations center, and use your Active Directory or OpenLDAP directories for user identity. You can optionally use the Cisco Context Directory Agent (CDA) or AD Agent to augment user identification (not shown). To configure the device, you log into it using a web browser (when configuring policies) or an SSH or Console client (when configuring device settings or doing basic system troubleshooting).
Figure 1. Context-Aware Security in the Network
Cisco Prime Security Manager (PRSM) fits in when you want to manage multiple CX devices. By adding your CX devices to the PRSM inventory, you can apply consistent policies among your devices. The PRSM web and CLI interfaces are identical to those of the single CX device, with the addition of multiple-device management capabilities, so you can quickly apply what you have learned about single device management to multiple devices.
As shown in the following figure, when managing multiple devices with PRSM, you log into PRSM instead of the individual devices. All configuration is done through PRSM and then deployed to the managed devices, and all events generated by managed devices are shown in PRSM. In addition, both the CX device and PRSM download signature and engine updates from the Cisco Security Intelligence Operations center, and interact with your AD/LDAP directories and optionally, CDA or AD Agent (not shown). The CX CLI remains available so you can do basic device-level troubleshooting, but you cannot use the CX web interface to change the device configuration without first removing the device from the PRSM inventory.
Figure 2. PRSM and CX in the Network