Access Control System Must Support All Connection Methods

Detailed Visibility into System Operations

ISE Session Log – Session Tracking & Searching
• Disconnect Device Search: user / device

Attack continuum: BEFORE / DURING / AFTER

Evolving Roles of ISE and MDMs
• Enterprise App Distribution & Mgmt
• Data Backup
• Enterprise App Policy
• Inventory/Cost...

ISE Integration with 3rd-Party MDM Vendors
• MDM device registration via ISE
– Non registered clients redirected to MD...

Hotspot – Guest Flow #1
Acceptable Use Policy: "I promise to be good." → I Agree
Device identified in the flow diagram by MAC address 44:6D:77:B4:FD:01 (44:6D:77:B4:FD...)

Self Service with SMS (optional steps)
Goal: Get them on the Internet as long as you have a 3rd party identifier that ...

Self Service with Email Verification
Fill In A Simple Form → Check Your Email → Connect to Wi-Fi
(example credentials shown in the diagram: hansolo / nerfherder)

Sponsored Flow
"Hi! Can I get on your Wi-Fi?" – "Sure. I just need a little information."
Print, email & SMS credentia...

TrustSec Enabled Network Segmentation
Campus and Branch Segmentation
Business drivers include PCI for financial data, H...

The Next Generation Security Model
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain ...

Thank you.
Published: CLLE FL 092014. Category: Technology.

Cisco Security: The Evolution Continues
Tim Ryan, Security Consulting Systems Engineer – CCIE, CISSP
US Public Sector

Agenda
1. Next Generation Security Model
2. ASA + Sourcefire = Next Gen FW / Gen 2 IPS
3. Web Security / Filtering Review
4. Access Control Technology - ISE
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

The Next Generation Security Model – Attack Continuum
BEFORE THE ATTACK: You need to know what's on your network to be able to defend it – devices / OS / services / applications / users (FireSIGHT). Access controls, enforce policy, manage applications and overall access to assets: Network, Endpoint, Mobile, Virtual, Cloud. What device types, users & applications should be on the network?
Access controls reduce the surface area of attack, but there will still be holes that the bad guys will find. ATTACKERS DO NOT DISCRIMINATE. They will find any gap in defenses and exploit it to achieve their objective.
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Point in time → Continuous

Challenges with Traditional ‘Defense-in-Depth’ Security
• Poor Visibility – undetected multivector and advanced threats
• Siloed Approach – increased complexity and reduced effectiveness
• Manual and Static – slow, manual, inefficient response

Integrated Threat Defense Across the Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Controls across the continuum: Firewall/VPN, NGIPS, Security Intelligence, Web Security, Advanced Malware Protection
Visibility and Automation: Granular App Control, Modern Threat Control, Retrospective Security, IoCs/Incident Response

Introducing FirePOWER Services for ASA
FirePOWER Services Blade + ASA: proven Cisco ASA firewalling + industry leading NGIPS and AMP = Cisco ASA with FirePOWER Services
• Models: ASA 5585-X-SSP10, ASA 5585-X-SSP20, ASA 5585-X-SSP40, ASA 5585-X-SSP60 – FirePOWER Services HW module required; add licenses & subscriptions
• Models: ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X with SSD drive – FirePOWER Services software module; add licenses & subscriptions

Multilayered Protection – Next Gen FW + Gen2 IPS
► World’s most widely deployed, enterprise-class ASA stateful firewall
► Granular Cisco® Application Visibility and Control (AVC)
► Industry-leading FirePOWER Next-Generation IPS (NGIPS)
► Reputation- and category-based URL filtering
► Advanced Malware Protection
Diagram: Cisco Collective Security Intelligence enabled; FireSIGHT Analytics & Automation; Cisco ASA stack – URL Filtering (subscription), Identity-Policy Control & VPN, Advanced Malware Protection (subscription), Intrusion Prevention (subscription), Application Visibility & Control, Clustering & High Availability, Network Firewall, Routing | Switching, Built-in Network Profiling
• Visibility over – Network, Device, Application, Threat Detection & Mitigation

FirePOWER Services for ASA: Subscriptions
Included with FirePOWER Services for ASA * (table columns: Feature, Defaults, Configurable):
✓ Fail Open
✓ Connection/Flow Logging
✓ Network, User, and Application Discovery
✓ Traffic filtering / ACLs
✓ NSS Leading IPS Engine
✓ Comprehensive Threat Prevention
✓ Security Intelligence (C&C, Botnets, SPAM etc)
✓ Blocking of Files by Type, Protocol, and Direction
✓ Basic DLP in IPS Rules (SSN, Credit Card etc.)
✓ Access Control: AVC - Enforcement by Application
✓ Access Control: Enforcement by User
Annual fee:
• IPS and App Updates – IPS Rule and Application Updates
• URL Filtering – URL Filtering Subscription
• Malware Protection – Subscription for Malware Blocking, Continuous File Analysis, Malware Network Trajectory
* Included – SMARTnet required for Security Intelligence updates
Base ASA Firewall: Routing, ACLs – Protocol Inspection, VPN Termination, Network Address Translation
Sourcefire Services: Next Gen IPS, App Visibility / Control, Advanced Malware Protection, URL Filtering

Security Intelligence Black List Objects

Sourcefire on ASA Licensing

Licensing Notes
• Virtual or Physical FireSIGHT Management Center required
• All FirePOWER Services device licenses are managed on the FireSIGHT Management Console. A license key from the FireSIGHT Management Center is required for registering PAKs
• Licenses are specific to each ASA model and mapped to managed ASA devices
• Subscriptions must be purchased on both elements of an HA pair
• Term licenses have a start and end date; renewal is required beyond the end date to keep receiving subscription updates
• Application Visibility and Control updates are included in SMARTnet Services
• IPS subscription is a prerequisite for the Advanced Malware Protection (AMP) subscription
• SSDs are included in all new ASA FirePOWER Services hardware SKUs

Five Subscription Packages to Choose From for Each Appliance
• 1 and 3 year terms
• AVC is part of the default offering
• AVC updates are included in SMARTnet
• IPS is required before AMP or URL license can be added
Package stack diagram (combinations of the IPS, URL and AMP subscriptions): TA, TAC, TAMC, TAM, URL

FireSIGHT Management Center Sizing Guidance

| Model | 750 (FS750-K9) | 1500 (FS1500-K9) | 3500 (FS3500-K9) |
|---|---|---|---|
| Max. Devices Managed* | 10 | 35 | 150 |
| Event Storage | 100 GB | 125 GB | 400 GB |
| Max. Network Map (hosts / users) | 2K/2K | 50K/50K | 300K/300K |
| Events per Sec (EPS) | 2000 | 6000 | 10000 |

* Max number of devices is dependent upon sensor type and event rate
Virtual FireSIGHT Management Center (FS-VMW-SW-K9): up to 25 managed devices
Also available: lower-priced Virtual FireSIGHT Management Center offerings limited to 2 and 10 FirePOWER Services (only) devices managed (note: enforced by support!!): FS-VMW-2-SW-K9, FS-VMW-10-SW-K9. These special offerings do not manage FirePOWER Appliances.

FirePOWER Services Licensing Reference

| Component | License Name and Features Enabled | License Type | Fulfillment |
|---|---|---|---|
| FirePOWER Services | Protect – enables FirePOWER Services (IPS and AVC core functionality); Control | Perpetual License (Included) | PAK claim certificate ships with Appliance/Upgrade License |
| IPS | IPS Subscription | Service Contract (Purchase) | Services support contract only |
| URL Filtering | URL Filtering Subscription | Term License (Purchase) | PAK claim certificate ships with URL Subscriptions |
| Malware Protection | AMP Subscription | Term License (Purchase) | PAK claim certificate ships with AMP Subscriptions |
| FireSIGHT Management Center | FireSIGHT Network Awareness | Perpetual License (Included) | PAK claim certificate ships with Appliance/Software Download |

Sourcefire Gen2 IPS / Next Gen Firewall Features

FireSIGHT – What are the Key FireSIGHT Components?
Network Discovery & Connection Awareness
• Host discovery – identifies OS, protocols and services running on each host; reports on potential vulnerabilities present on each host based on the information it’s gathered
• Application identification – FireSIGHT can identify over 1900 unique applications using OpenAppID; includes applications that run over web services such as Facebook or LinkedIn; applications can be used as criteria for access control
• User discovery – monitors for user IDs transmitted as services are used; integrates with MS AD servers to authoritatively ID users; authoritative users can be used as access control criteria

Sourcefire FireSIGHT Technology – FireSIGHT Discovery
Discovery is reported to you by way of events:
• Connection events are recorded as every connection in a monitored network is seen
• Host events are recorded when something new on a host is detected or a change to a host is detected
Information about all the hosts in your environment is stored in host profiles

Sourcefire FireSIGHT Technology – FireSIGHT Discovery
By knowing the details of what’s running in your environment, the Sourcefire System can produce a list of what vulnerabilities likely exist. This allows the Sourcefire System to put intrusion events in context for more accurate and actionable alerting.
Which would matter more to you?
• A Code Red attack against a host running Linux in your environment
or
• A Code Red attack against a host running a vulnerable version of Windows in your environment

Sourcefire FireSIGHT Technology – FireSIGHT Discovery
With FireSIGHT, IPS events are assigned an impact level:
• 0 – host not on monitored networks
• 4 – no entry for the host in the network map
• 3 – host not running the service or protocol that was attacked
• 2 – host is running the service or protocol that was attacked
• 1 – host is running the service or protocol that was attacked, and a vulnerability in that service or protocol is mapped to the host
FireSIGHT also lets you fine-tune your IPS policies by recommending rules to protect against the known vulnerabilities in your environment

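As an added illustration (not Cisco or Sourcefire code) of the impact-level rules above and the host profiles described on the preceding two slides, the following Python assigns an impact level to IPS events against a constructed network map and derives rule recommendations from the vulnerabilities mapped to hosts; the data layouts, IP ranges and vulnerability ids are assumptions.

```python
"""Impact-level assignment and rule recommendation modelled on the FireSIGHT
rules on this slide. Added example, not Cisco/Sourcefire code; the host-map
layout, event layout and vulnerability ids are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Service:
    protocol: str   # "tcp" or "udp"
    port: int
    name: str       # e.g. "http"


@dataclass
class HostProfile:
    """Discovery data for one host: services seen and vulnerabilities mapped to it."""
    services: set = field(default_factory=set)   # set of Service
    vulns: set = field(default_factory=set)      # vulnerability ids (constructed)


@dataclass
class IpsEvent:
    rule_id: str
    dst_ip: str
    protocol: str
    port: int
    vulns: set      # vulnerability ids the triggering rule protects against


# Constructed monitored network and network map (host profiles keyed by IP).
MONITORED = [ip_network("10.1.0.0/16")]
HOST_MAP = {
    "10.1.1.10": HostProfile({Service("tcp", 80, "http")}, {"VULN-WEB-1"}),
    "10.1.1.20": HostProfile({Service("tcp", 22, "ssh")}, set()),
    "10.1.1.30": HostProfile({Service("tcp", 80, "http")}, set()),
}


def impact_level(event, host_map=HOST_MAP, monitored=MONITORED):
    """Return the impact level 0-4 for one IPS event, following the slide's rules."""
    ip = ip_address(event.dst_ip)
    if not any(ip in net for net in monitored):
        return 0                                # host not on a monitored network
    host = host_map.get(event.dst_ip)
    if host is None:
        return 4                                # no entry for the host in the map
    running = {(s.protocol, s.port) for s in host.services}
    if (event.protocol, event.port) not in running:
        return 3                                # attacked service not running
    if event.vulns & host.vulns:
        return 1                                # running and a vulnerability is mapped
    return 2                                    # running, no mapped vulnerability


def triage(events, **kw):
    """Order events most urgent first: impact 1, then 2, 3, 4; 0 (off-network) last."""
    priority = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}
    return sorted(events, key=lambda e: priority[impact_level(e, **kw)])


def recommend_rules(rule_catalog, host_map=HOST_MAP):
    """Rule recommendation: enable rules covering a vulnerability mapped to any host.
    rule_catalog maps rule id -> set of vulnerability ids the rule protects against."""
    present = set().union(*(h.vulns for h in host_map.values()))
    return {rid for rid, covered in rule_catalog.items() if covered & present}


if __name__ == "__main__":
    sample = [
        IpsEvent("sid-1", "10.1.1.30", "tcp", 80, {"VULN-WEB-1"}),
        IpsEvent("sid-1", "10.1.1.10", "tcp", 80, {"VULN-WEB-1"}),
        IpsEvent("sid-1", "10.1.1.20", "tcp", 80, {"VULN-WEB-1"}),
        IpsEvent("sid-1", "10.1.9.9", "tcp", 80, {"VULN-WEB-1"}),
        IpsEvent("sid-1", "192.168.5.5", "tcp", 80, {"VULN-WEB-1"}),
    ]
    for ev in triage(sample):
        print(ev.dst_ip, "impact", impact_level(ev))
    print("recommended:", recommend_rules({"sid-1": {"VULN-WEB-1"}, "sid-2": {"VULN-X"}}))
```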
Anti-Malware Protection & the Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Capabilities shown across Network and Endpoint: File Retrospection, File Trajectory, Contextual Awareness, Control Automation, Device Trajectory, File Analysis, Indications of Compromise, Outbreak Control, In-line Threat Detection and Prevention, File Execution Blocking

Sourcefire Deployment Options – Appliance, ASA, Virtual

Sourcefire Hardware Appliances (chart of IPS throughput by model)
Models, highest to lowest on the chart: 8390* (60 Gbps), 8370* (45 Gbps), 8290, 8270/8360*, 8260, 8250, 8140, 8350* (15 Gbps), 8130, 8120 (8150 > AMP), 7125 (1.25 Gbps), 7120, 7115, 7110 (7150 > AMP) (500 Mbps), 7030, 7020, 7010
IPS throughput axis: 40 Gbps, 30 Gbps, 20 Gbps, 10 Gbps, 6 Gbps, 4 Gbps, 2 Gbps, 1 Gbps, 750 Mbps, 250 Mbps, 100 Mbps, 50 Mbps
Fixed interfaces, modular interfaces, stackable appliances & SFR on ASA
Managed via FireSIGHT Management Center (Defense Center): appliances – 10, 35, 150 devices; VM – 2, 10 or 25 devices
SSL appliances: SSL8200, SSL2000, SSL1500
AMP optimized appliances: 8150 – 2 Gbps AMP; 7150 – 500 Mbps AMP

Cisco ASA Product Family – Sourcefire Services: Performance Specifications
1 RU platforms (Branch Office/Internet Edge): ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X
• 200 Mbps – 2 Gbps: Firewall
• 100 – 725 Mbps: Next Gen IPS
• 30 – 160 Mbps: NGIPS, AVC, AMP
2 RU platforms – 5585 (Internet Edge/Campus/Data Center): ASA 5585-SSP10, ASA 5585-SSP20, ASA 5585-SSP40, ASA 5585-SSP60
• 2 – 20 Gbps: Firewall
• 1.2 – 6 Gbps: Next Gen IPS
• 650 Mbps – 2.4 Gbps: NGIPS, AVC, AMP
* Performance numbers to be finalized

Security for the Virtual World – Virtual ASA, May 2014, ver 9.2
• VMware Hypervisor (vSwitch & dvSwitch)
• Term-based licensing (vCPU, not socket)
• 4 CPU & 16 CPU bundles only – until Dec 14
• 100 user trial version .ova file available
• 10 interfaces (VMware limitation)
• Up to 200 VLAN sub-interfaces
• 1000 VxLANs – SDN/ACI support
• 1-2 Gbps versions (CPU dependent)
• Hyper-V coming late 2014
Diagram: Virtual Firewall, Virtual IPS, Remote VPN to ASAv, Storage, Virtual Access, UCS; data security – authenticate & access control; port security – authentication, QoS features; Virtual Firewall – real-time monitoring, firewall rules

ASAv Performance

| Data Sheet Metric | 1 vCPU | 2 vCPU | 3 vCPU | 4 vCPU |
|---|---|---|---|---|
| Stateful Inspection Throughput (Maximum) | 1 Gbps | 1.2 Gbps | 1.5 Gbps | 2 Gbps |
| Stateful Inspection Throughput (Multi-Protocol) | 500 Mbps | 600 Mbps | 750 Mbps | 1 Gbps |
| Concurrent Sessions | 100,000 | 250,000 | 350,000 | 500,000 |
| Connections Per Second | 10,000 | 15,000 | 15,000 | 20,000 |
| Packets Per Second (64 Byte) | 450,000 | 500,000 | 600,000 | 700,000 |
| VLANs | 50 | 100 | 100 | 200 |
| Cisco® Cloud Web Security Users | 100 | 250 | 250 | 500 |
| S2S IPSec IKEv1 Client VPN User Sessions | 250 | 250 | 250 | 750 |
| Cisco AnyConnect® or Clientless User Sessions | 250 | 250 | 250 | 750 |

Cisco Threat Defense System – 5000 Foot View (BEFORE / DURING / AFTER; legend: Cisco Only, Cisco and Others)
Elements shown: Sandboxing; NG Sandbox for Evasive Malware; Auto-Remediation / Dynamic Policies; Collective Security Intelligence (CSI); URL and IP Reputation; Dynamic Outbreak Controls; Malware File Trajectory; Retrospective Detection; Adaptive Security; Host Trajectory; Retrospective Analysis; NGIPS; Open APP-ID; SNORT Open IPS; Threat Hunting; User Identity; AV and Basic Protections; Web – URL Controls; Application Visibility; Gen1 IPS; Classic Stateful Firewall; Correlated SIEM Eventing; Incident Control System; Vulnerability Management; Behavioral Indications of Compromise; Network Anti-Malware Controls (AMP); *Client Anti-Malware (AMP); NGFW; Forensics and Log Management; Contextual Device, Network and End-Point Visibility; Management Interfaces (1 … n); *Agent

Cisco Security Portfolio
IPS & NGIPS
• Cisco ASA 5500-X IPS
• Sourcefire Next Gen IPS
• Sourcefire Virtual NGIPS
Web Security
• Web Security Appliance (WSA)
• Virtual WSA
• Cisco Cloud Web Security
• CX Web Filtering
Firewall & NGFW
• Cisco ASA 5500-X Series
• Cisco ASA 5585-X
• Sourcefire Appliances
Advanced Malware Protection
• Cloud Based Analytics
• FireAMP Windows
• FireAMP Mobile
• FireAMP Virtual
• AMP Network appliance
• Passive – Device, OS & Application Fingerprinting
Identity Services & Access Control
• Cisco Identity Services Engine (ISE)
• Cisco Access Control Server (ACS)
Email Security
• Email Security Appliance (ESA)
• Virtual ESA
• Cisco Cloud Email Security
UTM
• Meraki MX Series: Firewall, IPS, AVC, Anti-Malware, URL Filtering
VPN
• Cisco AnyConnect VPN
• Site to Site VPN – ASA & Router Based
Threat intelligence: Cisco SIO & Sourcefire VRT

Web Filtering/Security Comparisons – WSA, Sourcefire, CWS, Meraki

Cisco Web Security Options
Sourcefire (Physical or Virtual)
• Inline: Next Gen IPS – multi-port GE/10GE/40GE
• Anti-Malware – network & agent based
• Web filtering
• Application control across all ports
• SIO & VRT Threat Intelligence
• Defense Center – threat detection correlation view
• Internet B/W from 50 Mbps – 60 Gbps – high performance platform
Meraki
• Inline – Next Gen firewall plus web filtering
• Anti-Virus, IPS (Snort)
• Cloud managed
• Application control across all ports
• Traffic shaping
• Simple configuration & monitoring
• CIPA – SafeSearch, YouTube for EDU
• Internet B/W less than 1 Gbps
Cloud Web Security (aka ScanSafe)
• Transparent re-direct via Router, ASA, WSA, AnyConnect agent (Win, Mac)
• Port 80/443 – SSL decrypt
• Anti-malware from Sourcefire & multiple malware scanners
• Granular filtering using Cisco Web Usage Control
• Web security for mobile users without the need for VPN
• SIO & VRT Threat Intelligence – web reputation
• Dynamic web categorization
• CIPA – SafeSearch, YouTube for EDU – per policy
• Internet B/W – no limit
IronPort (Web Security Appliance)
• Transparent re-direct via WCCP or browser proxy
• Port 80/443 – SSL decrypt
• Anti-malware from Sourcefire plus Sophos & McAfee
• DLP for web
• Granular URL filtering (CWUC)
• App control
• Central logging or Splunk
• Video/audio bandwidth throttling – media apps
• SIO & VRT Threat Intelligence – web reputation
• Dynamic web categorization & caching
• CIPA – SafeSearch, YouTube for EDU
• Internet B/W – depends on number of WSAs & requests / sec

Feature Comparison – Appliance

| Feature | Cisco WSA | Sourcefire |
|---|---|---|
| Antimalware | Webroot, Sophos, McAfee & now AMP | Via Blacklist and AMP |
| Adaptive scanning queue | Yes | No |
| Zero-day protection / Threat Intelligence | SIO-VRT | VRT-SIO |
| Botnet protection | L4TM | Botnet & CnC Blacklist |
| Data loss prevention | On-box data controls / ICAP with third-party DLP vendors | Yes, via Snort rule |
| Reputation filtering | Yes | Yes |
| URL classification | Pre-defined & custom categories | Yes |
| Dynamic classification | Yes | No |
| App visibility & control | Extensive and granular | Extensive |
| SaaS controls | Yes, via SAML | API support |
| Detailed threat reporting | Extensive | Yes |
| On-box reporting | Yes | Yes |
| Off-box reporting | Yes, via M-Series | Yes, via eStreamer App |
| Centralized admin | Yes, via M-Series | Yes |
| Deployment methods | WCCP or PAC files | In-line with all traffic |
| Ports covered | 80, 443 | All |

Strong Inbound Web Protection (diagram, fed by Cisco® SIO)
Time of request: URL Filtering → Reputation Filter
Time of response: Dynamic Content Analysis (DCA) → Signature-based Anti-Malware Engines → Advanced Malware Protection Cloud
Verdicts shown: Block, Allow, Warn, Partial Block

Cisco IronPort Dynamic Vectoring and Streaming (DVS) Engine
Verdict engines feeding the IronPort DVS engine: Webroot, Sophos, McAfee; policy management on top
• Deep content inspection – high-performance scanning
• Multiple verdict engines: Webroot, Sophos, McAfee
• Adaptive scanning is a decision engine – decides how long an object can sit on the scanner queue
• If the object times out, it is marked as Unscannable; unscannable objects can be blocked or allowed
• Assigns each transaction a Risk Score based on: Web Reputation Score; content type; AV scanners available or licensed; AV scanner catch rate for the content type; AV scanner scanning cost
NOTE: For a single policy group, you cannot use both Sophos and McAfee

WSA: Malware Detection and Protection – Comprehensive Security Solution
Malware Detection (Layer 4 Traffic Monitor): phone-home domains; phone-home IPs, subnets, CIDRs
Malware Protection (Web Proxy): phishing URLs & domains; malware signatures; malware URLs & domains; malware user agents
Total signature set: over 150,000 – widest signature set available at gateway

Explicit Forward Mode vs. Transparent Mode
Explicit Mode
• Client directs traffic to proxy server
• Requires no network infrastructure to redirect client request
• Proxy resolves hostname of target web server
• Authentication is straightforward
• Client config must change (several options available)
Transparent Mode
• Client directs traffic to target web server
• Network infrastructure (such as WCCP) redirects client request to proxy server
• Client resolves hostname of target web server
• Authentication can be problematic

35. Positioning CWS Against WSA and ASA NGFW
CWS is best positioned with customers who:
• Have a distributed network with remote branches with internet breakout points and do not want to backhaul internet traffic to main HQ
• Require web protection for roaming users when off network without having to backhaul external traffic via VPN (CWS allows secure split tunnelling)
• Have existing Cisco infrastructure or are considering purchasing/upgrading firewalls and routers for easy integration and redirection to the cloud
• Have already invested or are going to invest in cloud services
• Want a centralized web filtering policy for all users, static or roaming, at all locations, and at all times
• Want a comprehensive insight into web activity through flexible reports, and do not want to install any local infrastructure for reporting capabilities
Full positioning document: http://wwwin.cisco.com/data-shared/stg/pmtool/ASA_CX/ngfw_wsa_ss_positioning.pdf
36. Authentication, Authorization, Accounting
Cisco Identity Services Engine
Authentication, Authorization, and Accounting: "Who" is Connecting, What Access Rights are Assigned to them, and Where is it Logged?
37. Identity and Context-Centric Security for Policy Enforcement
[Diagram: Identity (WHO, WHAT, WHERE, WHEN, HOW) and Security Policy Attributes feed a Centralized Policy Engine holding Business-Relevant Policies for Users and Devices; Dynamic Policy & Enforcement; Security Policy Enforcement via Access Lists, VLANs, Security Tags; Monitoring and Reporting; MDM - External Integration]
38. Identity Services Engine Features
• Centralized Policy Enforcement
• RADIUS Server - AAA
• Secure Group Tagging
• Posture Assessment
• Guest Access Services
• Device Profiling
• Monitoring
• Troubleshooting
• Reporting
• Device Control
• Device Registration
• Wireless & Wired Supplicant and Certificate Provisioning
• Mobile Device Management *
• Certificate Authority – AD, PKI, ISE 1.3 *
• Multi AD support
* MDM integration & some functions in ISE
Free ACS 5.x License with order for: ISE Base License (min. 1000 device count) & a Physical ISE Appliance
39. Access Control System Must Support All Connection Methods
[Diagram: ISE Policy Server and Cisco Prime; access methods Wired, Wireless, VPN; protocol labels: RADIUS, 802.1X = EAPoLAN (wired and wireless), SSL / IPsec (VPN), WebAuth & MAC Bypass]
Supports Cisco and 3rd-Party solutions via standard RADIUS, 802.1X, EAP, and VPN Protocols
40. Detailed Visibility into System Operations
[Screenshot]
41. ISE Session Log – Session Tracking & Searching
[Screenshot: Disconnect Device; Search: user / device]
42. BEFORE - DURING - AFTER
43. Evolving Roles of ISE and MDMs
[Diagram of ISE and MDM roles. Labels: Enterprise App Distribution & Mgmt; Data Backup; Enterprise App Policy; Inventory/Cost Management; Classification/Profiling; Enrollment & Registration; Network Policy Enforcement; Secure Network Access (Wireless, Wired, VPN); Context-Aware Access Control (Role, Location, etc.); Cert + Supplicant Provisioning; Policy Compliance (Jailbreak, PIN Lock, etc.); Data Loss Prevention (Container, encryption, wipe)]
ISE 1.0 & 1.1 - Native ISE functionality:
• Profiling
• Authentication
• Policy Enforcement
ISE 1.1MR (Jul '12) - Native ISE functionality:
• Enrollment/Registration
• Self-Enroll Portal
• Certificate Enrollment
• Blacklisting
ISE 1.2 - ISE API for MDMs:
• Additional device data
• Policy compliance
• Data wipe
44. ISE Integration with 3rd-Party MDM Vendors
• MDM device registration via ISE – Non registered clients redirected to MDM registration page
• Restricted access – Non compliant clients will be given restricted access based on policy
• Endpoint MDM agent – Compliance – Device applications check
• Device action from ISE – Device stolen -> wipe data on client
[Vendor logos with supported versions: v5.0, v6.2, v7.1, v2.3, MCMS, v7.0 SP3, v1.0, v4.1.10, v13.2 Patch 5]
45. [Image-only slide]
46. Hotspot Guest Flow #1
[Flow: device 44:6D:77:B4:FD:01 is shown the Acceptable Use Policy ("I promise to be good."), clicks "I Agree", and the MAC address 44:6D:77:B4:FD:01 is remembered until Day Ends]
Goal: Get them on the Internet with AUP acceptance no matter who they are and remember who they are next time so you don't get in their way.
47. Self Service with SMS
[Flow diagram; two steps marked optional]
Goal: Get them on the Internet as long as you have a 3rd party identifier that proves who the user is.
48. Self Service with Email Verification
[Flow: Fill In A Simple Form -> Check Your Email -> Connect to Wi-Fi; sample account shown in the screenshot: hansolo / nerfherder]
49. Sponsored Flow
[Dialogue: "Hi! Can I get on your Wi-Fi?" - "Sure. I just need a little information." - Print, email & SMS credentials. - "Cool!"]
50. TrustSec Enabled Network Segmentation
Campus and Branch Segmentation
Business Drivers include PCI for Financial data, HIPAA Medical Data, Medical Device Separation within VLAN
Access Control with Secure Group Access
• Rules defined by business function & Roles
• 80% + reduction over manual rules
• Simple to add/remove rules
Enterprise Wide
• Topology-independent
• Scalable
• One Policy for Wired or Wireless
51. The Next Generation Security Model
[Diagram: Attack Continuum. BEFORE: Control, Enforce, Harden. DURING: Detect, Block, Defend. AFTER: Scope, Contain, Remediate. Spans Network, Endpoint, Mobile, Virtual, Cloud. Point in time vs. Continuous; Cross Device Information Sharing - Evolving]
AFTER THE ATTACK: Invariably some attacks will be successful, and customers need to be able to determine the scope of the damage, contain the event, remediate, and bring operations back to normal. Also need to address a broad range of attack vectors, with solutions that operate everywhere the threat can manifest itself – on the network, endpoint, mobile devices, virtual environments, including cloud.
52. Thank you.
