© 2012 Cisco and/or its affiliates. All rights reserved.

Cisco Identity Services Engine and ASA Next-Generation Firewall Services

June, 2013

Hermann Demian Product Sales Specialist [email protected]

Page 2

Security Challenge

Security Intelligence Operations (SIO)

Cisco ASA 5500 Series

Cisco Identity Services Engine (ISE)

Page 3

4 pieces of new malware per second

1,071,291 web sites compromised

Countermeasures are less effective

Page 4

Hits to Top Web Properties

Search engines: 36%

Online video: 22%

Advertisements: 13%

Social networks: 20%

Page 5

Search Engines vs. Counterfeit Software

27x more likely to deliver malicious content

Online Advertisements vs. Pornography

182x more likely to deliver malicious content

Online Shopping vs. Counterfeit Software

21x more likely to deliver malicious content

Page 6

Page 7

Disconnect with corporate IT

50% of IT professionals believe: “our employees obey the policies on personal use”

Almost 3 out of 4 (71%) don’t obey policies.

40% say that company policy forbids using company-owned devices for personal activities.

Page 8

China: 1 in 5 students claim becoming a hacker is a life goal

Page 9

http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html

Page 10

Security Challenge

Security Intelligence Operations (SIO)

Cisco ASA 5500 Series

Cisco Identity Services Engine (ISE)

Page 11

Page 12

A Proactive Protection Against New Threats

Sensor sites: Ad Agency HQ in London, ISP Datacenter in Moscow, Bank Branch in Chicago

8:00 GMT Sensor Detects New Malware

8:03 GMT Sensor Detects Hacker Probing

8:07 GMT Sensor Detects New Botnet

8:10 GMT All Cisco Customers Protected

Global Threat Telemetry: Cisco SensorBase, Threat Operations Center, Advanced Algorithms

Higher Threat Coverage, Greater Accuracy, Proactive Protection

Page 13

Unmatched Cloud-Based Global Threat Intelligence

Visibility

Control

Cisco SIO

1.6M GLOBAL SENSORS

75TB DATA RECEIVED PER DAY

150M+ DEPLOYED ENDPOINTS

35% WORLDWIDE EMAIL TRAFFIC

13B WEB REQUESTS

Sources: ESA, ASA, WSA, AnyConnect, ScanSafe, IPS (Email, Web, Devices, IPS, Endpoints, Networks)

24x7x365 OPERATIONS

40+ LANGUAGES

600+ ENGINEERS, TECHNICIANS AND RESEARCHERS

80+ PH.D.S, CCIE, CISSP, MSCE

$100M+ SPENT IN DYNAMIC RESEARCH AND DEVELOPMENT

3 to 5 MINUTE UPDATES

5,500+ IPS SIGNATURES PRODUCED

8M+ RULES PER DAY

200+ PARAMETERS TRACKED

70+ PUBLICATIONS PRODUCED

Information

Actions

Page 14

Page 15

Security Challenge

Security Intelligence Operations (SIO)

Cisco ASA 5500 Series

Cisco Identity Services Engine (ISE)

Page 16

World’s most widely deployed firewall

Installed base of over 1 million ASAs globally

More than 15 years of market proven firewall capabilities

Single code base for all deployments

All managed in the same way with the same tools

PRSM

Virtual

ASA

Appliances

Blades

Page 17

End of Sale Announced 18 March, 2013

Milestone: Date

End-of-Life Announcement Date: March 18, 2013

End-of-Sale Date: September 16, 2013

Last Ship Date (HW): December 15, 2013

End of Service Contract Renewal Date (HW): December 12, 2017

Last Date of Support: September 30, 2018

Page 18

Multi-Service

(Firewall/VPN and IPS)

Performance and Scalability

Data Center, Campus, Branch Office, Internet Edge

ASA 5585-X SSP-40 (20 Gbps, 200K cps)

ASA 5585-X SSP-20 (10 Gbps, 125K cps)

ASA 5585-X SSP-10 (4 Gbps, 50K cps)

ASA 5555-X (4 Gbps, 50K cps)

NEW ASA 5545-X (3 Gbps, 30K cps)

NEW ASA 5525-X (2 Gbps, 20K cps)

NEW ASA 5512-X (1 Gbps, 10K cps)

NEW ASA 5515-X (1.2 Gbps, 15K cps)

NEW ASA 5585-X SSP-60 (40 Gbps, 350K cps)

ASA 5510 (300 Mbps, 9K cps)

ASA 5510+ (300 Mbps, 9K cps)

ASA 5520 (450 Mbps, 12K cps)

ASA 5540 (650 Mbps, 25K cps)

ASA 5550 (1.2 Gbps, 36K cps)

Firewall/VPN Only

SOHO

ASA 5505 (150 Mbps, 4K cps)

ASA Service Module (16 Gbps, 300K cps)

Comprehensive Solutions from SOHO to the Data Center

Page 19

ASA CX Context-Aware Security

Cloud Web Security

Secure Remote Access

Botnet Traffic Filter

Intrusion Prevention (IPS)

Stateful inspection and next-generation security

Multiple security services without sacrificing performance

Selling the comprehensive security solution

Page 20

IPS and Reputation Filtering in Action

Step 1: The SensorBase network within the Cisco SIO gathers telemetry data from other sensors across the world.

Step 2: The Cisco 5500-X IPS Service gets an updated reputation filter list, which influences policy decisions (deny or drop attacker, etc.).

Step 3: Alerts go out to the security teams for prevention, mitigation, and remediation.

Diagram labels: Cisco ASA 5500-X IPS Service Filter, Cisco IPS 4300, Cisco® Security Intelligence Operations, Internet, Local Connectivity, Worldwide Visibility; steps 1, 2 and 3 are marked on the diagram.

Page 21

Fast Deployment

Complete malware protection

Roaming/Remote user protection

The number of CWS users depends on the size of the ASA

Needs a separate license

Internet

Cloud Web Security

VPN

Employees

Cisco ASA

Branch Office

Employees

Cisco ASA

Headquarters

Page 22

Current Datacenters

Bangalore

Chicago

Copenhagen

Dallas

Frankfurt

Hong Kong

London

Miami

New York Metro

Paris

San Jose

Singapore

Sydney

Tokyo

Zurich

Planned Datacenters

Brazil

Canada (E), (W)

Dubai

Mexico

South Africa

Page 23

Cisco ASA Software Release 9.0 includes integration with Cisco Cloud Web Security (formerly ScanSafe)

Web Security (Block malware and viruses)

Anti-malware protection

Web content analysis

Script emulation

Web Filtering (Block unwanted content)

Web Usage Controls

Application Visibility

Bi-directional control

Centralized Reporting

Secure Mobility

Page 24

Page 25

facebook-secure-login.com

Page 26

AnyConnect Secure Mobility Client

Internet bound web communications

Internal communications

Cisco Cloud Security Service

Page 27

FLEX LICENSE: Good for emergencies; time based.

ESSENTIALS LICENSE: Basic remote access connectivity at minimum cost. MOBILE ADD-ON LICENSE at minimum cost.

OR

PREMIUM LICENSE: Posture assessment and clientless for remote access. ADVANCED ENDPOINT ASSESSMENT. MOBILE ADD-ON LICENSE at minimum cost.

DEDICATED LICENSE

SHARED LICENSE: Premium licenses shared by multiple ASAs.

Page 28

Provides detection and automatic blocking of call-home & command/control traffic between bots and the bot master

Scans all traffic, all ports, and all protocols

Detects infected clients by tracking rogue “phone-home” traffic

Time-based only, licensed per year, per appliance

Example: with a 52-week Botnet Traffic Filter license installed on two units, the combined running license allows a total duration of 104 weeks.

Required Version: 8.2(1)+ (Detection), 8.2(2)+ (Blocking)
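The detection side of the Botnet Traffic Filter described above, as an added example that is not Cisco code and not part of the original deck. The blocklist, the DNS replies and the flow records are constructed for the example; the function names, the five-level threat ordering and the drop threshold are the author's assumptions. The mechanics follow the slide: every port and protocol is examined, destination addresses are tied back to the names the client resolved (DNS snooping), and clients that repeatedly reach blocklisted domains are reported as infected.

```python
"""Phone-home detection modelled on the Botnet Traffic Filter slide.

Added illustration, not Cisco code. Blocklist, DNS replies and flows are
constructed; the threat-level ordering and drop threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed dynamic blocklist (domain -> threat level), standing in for the
# list an appliance would download from the threat-intelligence service.
BLOCKLIST = {
    "update-check.example-bad.net": "very-high",
    "cdn.example-bad.org": "high",
}
# Constructed local allowlist: an operator override that always wins.
ALLOWLIST = {"cdn.example-bad.org"}

# Ordered threat levels (assumed ordering for this example).
THREAT_LEVELS = ["very-low", "low", "moderate", "high", "very-high"]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


def snoop_dns(dns_answers):
    """Build the IP -> domain reverse cache from observed DNS replies.

    dns_answers: iterable of (client_ip, qname, answer_ip) triples.
    """
    reverse = {}
    for _client_ip, qname, answer_ip in dns_answers:
        reverse[answer_ip] = qname.rstrip(".").lower()
    return reverse


def classify_flow(flow, reverse_cache):
    """Return (domain, verdict) for one flow, whatever its port or protocol.

    verdict is 'allow' (allowlisted), 'blocklist:<level>' or 'unknown'.
    """
    domain = reverse_cache.get(flow.dst_ip)
    if domain is None:
        return None, "unknown"
    if domain in ALLOWLIST:
        return domain, "allow"
    level = BLOCKLIST.get(domain)
    if level is not None:
        return domain, f"blocklist:{level}"
    return domain, "unknown"


def should_drop(verdict, threshold="very-high"):
    """Drop only when the blocklist threat level meets the configured threshold;
    lower levels are left to logging. The default threshold is an assumption."""
    if not verdict.startswith("blocklist:"):
        return False
    level = verdict.split(":", 1)[1]
    return THREAT_LEVELS.index(level) >= THREAT_LEVELS.index(threshold)


def find_infected_clients(flows, dns_answers, min_hits=2):
    """Return {client_ip: sorted blocklisted domains} for clients that phoned
    home at least min_hits times; a single stray hit is logged, not reported."""
    reverse = snoop_dns(dns_answers)
    domains = defaultdict(set)
    counts = defaultdict(int)
    for flow in flows:
        domain, verdict = classify_flow(flow, reverse)
        if verdict.startswith("blocklist:"):
            domains[flow.src_ip].add(domain)
            counts[flow.src_ip] += 1
    return {ip: sorted(domains[ip]) for ip in domains if counts[ip] >= min_hits}


# Constructed sample data: DNS replies seen by the firewall, then flows.
SAMPLE_DNS = [
    ("10.1.1.20", "update-check.example-bad.net.", "203.0.113.10"),
    ("10.1.1.20", "www.example.com.", "198.51.100.5"),
    ("10.1.1.31", "cdn.example-bad.org.", "203.0.113.77"),
]
SAMPLE_FLOWS = [
    Flow("10.1.1.20", "203.0.113.10", 443, "tcp"),
    Flow("10.1.1.20", "203.0.113.10", 8443, "tcp"),   # odd port, still inspected
    Flow("10.1.1.20", "198.51.100.5", 80, "tcp"),     # benign
    Flow("10.1.1.31", "203.0.113.77", 53, "udp"),     # allowlisted domain
    Flow("10.1.1.45", "203.0.113.10", 443, "tcp"),    # single hit, below min_hits
]

if __name__ == "__main__":
    reverse = snoop_dns(SAMPLE_DNS)
    for flow in SAMPLE_FLOWS:
        domain, verdict = classify_flow(flow, reverse)
        action = "DROP" if should_drop(verdict) else "log"
        print(f"{flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}/{flow.proto} {domain} {verdict} {action}")
    print("infected:", find_infected_clients(SAMPLE_FLOWS, SAMPLE_DNS))
```

The reverse cache is what lets a flow to a bare IP on an unusual port be judged by the domain behind it; without DNS snooping, only the IP could be matched. The allowlist check sits before the blocklist lookup so a local override is never outvoted by a feed update.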

Page 29

Application Visibility & Control

URL Filtering

Web Reputation (Cisco SIO)

Industry’s most widely deployed stateful inspection FW & remote access solution

NGFWS Software

ASA Software

AVC subscription

WSE (Web Security Essentials) subscription

PRSM: Centralized Reporting and Management

Shipping since Jul 2012

Page 30

WHAT

75,000+ MicroApps

MicroApp Engine: Deep classification of targeted traffic

App Behavior: Control user interaction with the application

Broad classification of all traffic: 1,000+ apps

Visit http://asacx-cisco.com

Page 31

Security Challenge

Security Intelligence Operations (SIO)

Cisco ASA 5500 Series

Cisco Identity Services Engine (ISE)

Page 32

Current Methods Simply Don’t Scale

What devices are on your network now?

Do you have consistent enforcement across your network?

Are you always compliant?

How do you secure Mobile Data, Applications, Devices, and Users?

Can you implement policy across Network boundaries?

Page 33

Consolidated into the Identity Services Engine:

NAC Guest Server (Guest Lifecycle Management)

NAC Manager, NAC Server (Device Posturing)

NAC Profiler, NAC Collector (Device Profiling; standalone appliance or licensed as a module on NAC Server)

Access Control Solution (Authentication, Authorization, Accounting)

Page 34

All-in-One Enterprise Policy Control

Who What Where When How

Virtual machine client, IP device, guest, employee, and remote user

Cisco® ISE

Wired Wireless VPN

Business-Relevant

Policies

Replaces AAA and RADIUS, NAC, guest management, and device identity servers

Security Policy Attributes

Identity

Context

Page 35

Identity Differentiators

Monitor Mode

Flexible Authentication Sequence

IP Telephony Support

Support for Virtual Desktop Environments

Cisco Catalyst® Switch (Network Device)

Endpoints: IP Phones, Authorized Users, Guests, Tablets

Authentication Features: IEEE 802.1X, MAC Auth Bypass (MAB) and Profiling, Web Authentication

Consistent identity features supported on all Catalyst switch models

Authentication and Authorization

Page 36

Device Profiling for wired and wireless networks

Deployment scenario with Cisco device sensors (CDP, LLDP, DHCP, MAC):

COLLECTION: Switch collects device related data and sends report to ISE

CLASSIFICATION: ISE classifies device, collects flow information and provides device usage report

AUTHORIZATION: ISE executes policy based on user and device

Printer Policy: [place on VLAN X]

Personal iPad Policy: [restricted access]

The Solution: Efficient device classification leveraging infrastructure

Device Profiling
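The collection, classification and authorization steps above, worked through as an added example. This is not ISE code and not part of the deck: the attribute names, the OUI-to-vendor table, the profile rules with their certainty weights, the 30-point threshold and the authorization table are all constructed for the illustration; only the data sources named on the slide (CDP, LLDP, DHCP, MAC) and its two outcomes (printer placed on VLAN X, personal iPad restricted) come from the page.

```python
"""Collection -> classification -> authorization, modelled on the profiling
slide. Added illustration, not ISE code; rules, weights, OUI table and the
authorization table are constructed.
"""

MIN_CERTAINTY = 30  # a profile must reach this score before policy trusts it

# Constructed OUI -> vendor table (locally administered prefixes, not real vendors).
OUI_VENDORS = {"02:aa:01": "PrinterCo", "02:aa:02": "TabletCo"}

# (profile, attribute, substring that must appear, certainty added).
# The MAC OUI alone is weak evidence, so it carries the lowest weight; what the
# device itself reports over DHCP, LLDP or HTTP weighs more.
PROFILE_RULES = [
    ("Printer",    "mac_vendor",      "PrinterCo",    10),
    ("Printer",    "dhcp_class_id",   "PrintServer",  20),
    ("Printer",    "lldp_sys_desc",   "LaserPrinter", 30),
    ("Apple-iPad", "mac_vendor",      "TabletCo",     10),
    ("Apple-iPad", "dhcp_hostname",   "iPad",         20),
    ("Apple-iPad", "http_user_agent", "iPad",         30),
]

# Authorization table: (profile, user_group, corporate_asset) -> result.
# None in a field matches anything; first match wins; the default is deny.
AUTHZ_POLICY = [
    (("Printer", None, None),           {"action": "permit", "vlan": "X"}),
    (("Apple-iPad", "employee", True),  {"action": "permit", "vlan": "corp"}),
    (("Apple-iPad", "employee", False), {"action": "restricted", "vlan": "internet-only"}),
]
DEFAULT_RESULT = {"action": "deny"}


def enrich(report):
    """Collection step: derive the vendor from the MAC OUI and add it to the report."""
    attrs = dict(report)
    attrs["mac_vendor"] = OUI_VENDORS.get(attrs["mac"][:8].lower(), "unknown")
    return attrs


def classify(report):
    """Classification step: return (profile, certainty).

    Weights are summed per profile over all matching rules; the best profile is
    returned only if it reaches MIN_CERTAINTY, otherwise 'Unknown' with the
    score it did reach.
    """
    attrs = enrich(report)
    scores = {}
    for profile, attr, needle, weight in PROFILE_RULES:
        value = attrs.get(attr)
        if value and needle.lower() in value.lower():
            scores[profile] = scores.get(profile, 0) + weight
    if not scores:
        return "Unknown", 0
    best = max(scores, key=scores.get)
    if scores[best] < MIN_CERTAINTY:
        return "Unknown", scores[best]
    return best, scores[best]


def authorize(profile, user_group, corporate_asset):
    """Authorization step: first matching policy row, else DEFAULT_RESULT."""
    for (p, g, c), result in AUTHZ_POLICY:
        if (p is None or p == profile) and (g is None or g == user_group) \
                and (c is None or c == corporate_asset):
            return result
    return DEFAULT_RESULT


def decide(report, user_group=None, corporate_asset=False):
    """Run all three steps for one endpoint report."""
    profile, certainty = classify(report)
    return profile, certainty, authorize(profile, user_group, corporate_asset)


# Constructed sensor reports, as a switch might forward them to the policy server.
SENSOR_REPORTS = [
    {"mac": "02:aa:01:11:22:33", "dhcp_class_id": "PrintServer 4.2",
     "lldp_sys_desc": "Acme LaserPrinter 9000"},
    {"mac": "02:aa:02:aa:bb:cc", "dhcp_hostname": "Alices-iPad",
     "http_user_agent": "Mozilla/5.0 (iPad; CPU OS 6_1 like Mac OS X)"},
    {"mac": "02:aa:01:de:ad:00"},  # only an OUI: not enough evidence to act on
]

if __name__ == "__main__":
    print(decide(SENSOR_REPORTS[0]))
    print(decide(SENSOR_REPORTS[1], user_group="employee", corporate_asset=False))
    print(decide(SENSOR_REPORTS[2]))
```

The third report shows why a certainty threshold matters: a MAC prefix alone scores 10, well under the 30 required, so the endpoint stays Unknown and falls through to the deny default instead of inheriting the printer VLAN. Combining several independently observed attributes is what makes the classification robust enough to drive authorization.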

Page 37

Wired, Wireless, VPN User

Non-Compliant: Temporary limited network access until remediation is complete

Sample Employee Policy:

• Microsoft patches updated

• McAfee AV installed, running, and current

• Corp asset checks

• Enterprise application running

Challenge:

• Understanding health of device

• Varying level of control over devices

• Cost of Remediation

Value:

• Temporal (web-based) or Persistence Agent

• Automatic Remediation

• Differentiated policy enforcement based on role

Posture Assessment

Page 38

Guest Policy

Guests

Web Authentication

Wireless or Wired Access

Internet-Only Access

Provision: Guest Accounts via Sponsor Portal

Notify: Guests of Account Details by Print, Email, or SMS

Manage: Sponsor Privileges, Guest Accounts and Policies, Guest Portal

Report: On All Aspects of Guest Accounts

Internet

Guest Access

Page 39

Identity Profiling

VLAN 10, VLAN 20

Wireless LAN Controller

Profiling data sources: DHCP, RADIUS, SNMP, NetFlow, HTTP, DNS

Cisco® ISE: Unified Access Management (HQ, 2:38 p.m.)

1. IEEE 802.1X EAP User Authentication

2. Profiling to Identify Device (Personal Asset or Company Asset)

3. Posture of the Device

4. Policy Decision

5. Enforce Policy in the Network

6. Full or Partial Access Granted (Corporate Resources or Internet Only)

Page 40

Cisco Secure Network Servers

Based on the Cisco UCS C220 Server, but designed for Cisco Identity Services Engine (ISE), Network Admission Control (NAC) and Access Control Server (ACS)

SNS-3415-K9 & SNS-3495-K9

No CD/DVD drive (boot from USB stick or CIMC)

Also available for VMware

Page 41

ISE Device Access Control: Device Profiling, BYOD On-boarding, Device Access Control

MDM Mobile Devices Security Control: Device Compliance, Mobile Application Management, Securing Data at Rest

The New Way: MDM cannot ‘see’ non-registered devices to enforce device security – but the network can!

Best Practice Today

MDM: Mobile Device Management

ISE and MDM Enforced Mobile Device Compliance

• Forces on-boarding to MDM with personal devices used for work

• Register but restrict access for personal devices not managed by MDM

• Quarantine non-compliant devices based on MDM policy

Page 42

• MDM device registration via ISE

  o Non-registered clients redirected to MDM registration page

• Restricted access

  o Non-compliant clients will be given restricted access based on policy

• Endpoint MDM agent

  o Compliance

  o Device application control

• Device Action from ISE

  o Device stolen -> wipe data on client
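The posture policy from the Posture Assessment slide and the MDM handling on the last two slides both end in the same place: an access decision with a remediation path. The added example below, which is not ISE or MDM vendor code and not part of the deck, puts both into one decision function. The Endpoint record, the check names, the definition-age threshold and the access tier names are constructed; the policy items themselves (patches current, AV installed, running and current, corporate asset, enterprise application running) and the three MDM outcomes (redirect unregistered devices, restrict unmanaged personal devices, quarantine non-compliant ones) are the ones the slides list.

```python
"""Posture and MDM state feeding one access decision. Added illustration, not
ISE or MDM code; the Endpoint record, check names, thresholds and tier names
are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Endpoint:
    user: str
    device_type: str                 # "laptop": agent posture; "mobile": MDM lookup
    corporate_asset: bool
    posture: dict = field(default_factory=dict)   # attributes reported by the posture agent
    mdm: Optional[dict] = None                    # MDM record; None = unknown to MDM


# Sample employee policy from the slide as named checks. Missing attributes
# fail closed: an agent that reports nothing does not pass.
POSTURE_CHECKS = {
    "patches_current": lambda p: p.get("missing_critical_patches", 1) == 0,
    "av_installed":    lambda p: p.get("av_installed", False),
    "av_running":      lambda p: p.get("av_running", False),
    "av_current":      lambda p: p.get("av_definitions_age_days", 999) <= 3,
    "enterprise_app":  lambda p: p.get("enterprise_app_running", False),
}


def assess_posture(endpoint):
    """Return (compliant, failed_check_names); the corporate-asset check comes
    from the asset register, not from the agent."""
    failed = [name for name, check in POSTURE_CHECKS.items()
              if not check(endpoint.posture)]
    if not endpoint.corporate_asset:
        failed.append("corp_asset")
    return (not failed), failed


def decide_access(endpoint):
    """Map an endpoint's posture or MDM state to an access tier plus action."""
    if endpoint.device_type == "mobile":
        if endpoint.mdm is None:
            # Forces on-boarding: only the registration page is reachable.
            return {"access": "REGISTRATION_ONLY",
                    "action": "redirect to MDM registration page"}
        if not endpoint.mdm.get("managed", False):
            # Known to the network, but the user declined MDM management.
            return {"access": "RESTRICTED",
                    "action": "restricted access for unmanaged personal device"}
        if not endpoint.mdm.get("compliant", False):
            return {"access": "QUARANTINE",
                    "action": "quarantine per MDM policy",
                    "reasons": list(endpoint.mdm.get("violations", []))}
        return {"access": "FULL", "action": None}

    compliant, failed = assess_posture(endpoint)
    if compliant:
        return {"access": "FULL", "action": None}
    # Temporary limited access until remediation is complete.
    return {"access": "LIMITED", "action": "remediate then re-assess",
            "reasons": failed}


# Constructed endpoints covering each branch.
HEALTHY = {"missing_critical_patches": 0, "av_installed": True, "av_running": True,
           "av_definitions_age_days": 1, "enterprise_app_running": True}
SAMPLE_ENDPOINTS = {
    "healthy_laptop":  Endpoint("alice", "laptop", True, posture=HEALTHY),
    "stale_av_laptop": Endpoint("bob", "laptop", True,
                                posture={**HEALTHY, "av_definitions_age_days": 30}),
    "personal_laptop": Endpoint("carol", "laptop", False, posture=HEALTHY),
    "new_phone":       Endpoint("dave", "mobile", False, mdm=None),
    "unmanaged_phone": Endpoint("erin", "mobile", False, mdm={"managed": False}),
    "noncompliant_phone": Endpoint("frank", "mobile", False,
                                   mdm={"managed": True, "compliant": False,
                                        "violations": ["jailbroken", "no passcode"]}),
    "managed_phone":   Endpoint("grace", "mobile", True,
                                mdm={"managed": True, "compliant": True}),
}

if __name__ == "__main__":
    for name, ep in SAMPLE_ENDPOINTS.items():
        print(f"{name:20} {decide_access(ep)}")
```

Two choices carry the security weight here. Every posture check defaults to failing when the agent omits the attribute, so a silent or tampered agent lands in the limited tier rather than being waved through; and the decision returns the failed check names, which is what a remediation portal needs to tell the user what to fix before re-assessment.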

Page 43

Identity Services Engine for Centralized Control

Policy Management

Solution

Unified Network

Access Control

Turnkey BYOD

Solution

1st System-wide Solution

Deep network integration

System-wide Policy Control

from One Screen

Award Winning Product

’12 Cisco Pioneer Award

Over 400 Trained and

Trusted ATP Partners

Over 1,000 Wins—Year 1

Gartner 2013 NAC MQ

Page 44

Page 45

Trusted

WiFi

Authenticate User

Fingerprint Device

Apply Corporate Config

Enterprise Apps

Automatic Policies

Page 46

WiFi

Trusted

Apply defined policy profiles based on:

Device Type

User

Location

Application

Page 47

Trusted

WiFi

Electronic Medical Records

Mobile TelePresence

Email

Instant Messenger

Yes No

Access: FULL

Page 48

Is Mr. Allen’s lab work ready yet?

Not yet but I will let you know the moment it arrives

Trusted

WiFi

Page 49

Untrusted WiFi

Access: Limited

Page 50

ISE Information: http://www.cisco.com/go/ise

Cisco TrustSec (SGA and certified solutions): www.cisco.com/go/trustsec

Application Notes and How-To Guides: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

Design Zone—BYOD Reference Design: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns743/ns1050/own_device.html#~overview

Page 51

Thank you.

"Security is a process, not a product" Andrew S. Tanenbaum