© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Identity Services Engine and ASA Next-Generation Firewall Services
June, 2013
Hermann Demian Product Sales Specialist [email protected]
Security Challenge
Security Intelligence Operations (SIO)
Cisco ASA 5500 Series
Cisco Identity Services Engine (ISE)
4 pieces of new malware per second
1,071,291 web sites compromised
Countermeasures are less effective
[Chart: Hits to Top Web Properties: search engines 36%, online video 22%, advertisements 13%, social networks 20%]
Search Engines vs. Counterfeit Software
27x more likely to deliver malicious content
Online Advertisements vs. Pornography
182x more likely to deliver malicious content
Online Shopping vs. Counterfeit Software
21x more likely to deliver malicious content
Disconnect with corporate IT
50% of IT professionals believe: “our employees obey the policies on personal use”
71% (almost 3 out of 4) don’t obey policies
40% say that company policy forbids using company-owned devices for personal activities.
China: 1 in 5 students claim that becoming a hacker is a life goal
http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html
Security Intelligence Operations (SIO)
A Proactive Protection Against New Threats
Global Threat Telemetry from sensors at an Ad Agency HQ in London, a Bank Branch in Chicago and an ISP Datacenter in Moscow:
8:00 GMT Sensor Detects New Malware
8:03 GMT Sensor Detects Hacker Probing
8:07 GMT Sensor Detects New Botnet
8:10 GMT All Cisco Customers Protected
Higher Threat Coverage, Greater Accuracy, Proactive Protection
Cisco SensorBase, Threat Operations Center, Advanced Algorithms
Unmatched Cloud-Based Global Threat Intelligence (Cisco SIO)
Visibility: 1.6M global sensors; 75TB data received per day; 150M+ deployed endpoints; 35% of worldwide email traffic; 13B web requests
Sources: Email (ESA), Web (WSA, ScanSafe), Devices (ASA, AnyConnect), IPS, Endpoints, Networks
Information: 24x7x365 operations; 40+ languages; 600+ engineers, technicians and researchers; 80+ Ph.D.s, CCIE, CISSP, MSCE; $100M+ spent in dynamic research and development
Actions (Control): 3 to 5 minute updates; 5,500+ IPS signatures produced; 8M+ rules per day; 200+ parameters tracked; 70+ publications produced
Cisco ASA 5500 Series
World’s most widely deployed firewall
Installed base of over 1 million ASAs globally
More than 15 years of market-proven firewall capabilities
Single code base for all deployments: appliances, blades and virtual ASA
All managed in the same way with the same tools (PRSM)
End of Sale Announced 18 March, 2013
Milestone: Date
End-of-Life Announcement Date: March 18, 2013
End-of-Sale Date: Sep 16, 2013
Last Ship Date (HW): December 15, 2013
End of Service Contract Renewal Date (HW): December 12, 2017
Last Date of Support: September 30, 2018
Performance and Scalability: Comprehensive Solutions from SOHO to the Data Center
Firewall/VPN Only (SOHO):
ASA 5505 (150 Mbps, 4K cps)
Multi-Service (Firewall/VPN and IPS), from Branch Office and Internet Edge to Campus and Data Center:
ASA 5510 (300 Mbps, 9K cps)
ASA 5510+ (300 Mbps, 9K cps)
ASA 5520 (450 Mbps, 12K cps)
ASA 5540 (650 Mbps, 25K cps)
ASA 5550 (1.2 Gbps, 36K cps)
NEW ASA 5512-X (1 Gbps, 10K cps)
NEW ASA 5515-X (1.2 Gbps, 15K cps)
NEW ASA 5525-X (2 Gbps, 20K cps)
NEW ASA 5545-X (3 Gbps, 30K cps)
ASA 5555-X (4 Gbps, 50K cps)
ASA 5585-X SSP-10 (4 Gbps, 50K cps)
ASA 5585-X SSP-20 (10 Gbps, 125K cps)
ASA 5585-X SSP-40 (20 Gbps, 200K cps)
NEW ASA 5585-X SSP-60 (40 Gbps, 350K cps)
ASA Service Module (16 Gbps, 300K cps)
ASA CX Context-Aware Security
Cloud Web Security
Secure Remote Access
Botnet Traffic Filter
Intrusion Prevention (IPS)
Stateful inspection and next-generation security
Multiple security services without sacrificing performance
Selling the comprehensive security solution
IPS and Reputation Filtering in Action
Step 1: The sensor base network within the Cisco SIO gathers telemetry data from other sensors across the world (worldwide visibility).
Step 2: The Cisco 5500-X IPS Service gets the updated reputation filter list, which influences policy decisions (deny or drop attacker, etc.).
Step 3: Alerts go out to the security teams for prevention, mitigation, and remediation.
[Diagram: Cisco Security Intelligence Operations on the Internet feeding the Cisco ASA 5500-X IPS Service Filter and Cisco IPS 4300 (local connectivity)]
Fast deployment
Complete malware protection
Roaming/remote user protection
The number of CWS users depends on the size of the ASA
Needs a separate license
[Diagram: employees at Headquarters and at a Branch Office behind a Cisco ASA, plus VPN users, reach the Internet through Cloud Web Security]
Current Datacenters
Bangalore
Chicago
Copenhagen
Dallas
Frankfurt
Hong Kong
London
Miami
New York Metro
Paris
San Jose
Singapore
Sydney
Tokyo
Zurich
Planned Datacenters
Brazil
Canada (E), (W)
Dubai
Mexico
South Africa
Cisco ASA Software Release 9.0 includes integration with Cisco Cloud Web Security (formerly ScanSafe)
Web Security (block malware and viruses): anti-malware protection, web content analysis, script emulation
Web Filtering (block unwanted content): web usage controls, application visibility, bi-directional control
Centralized Reporting
Secure Mobility
facebook-secure-login.com
AnyConnect Secure Mobility Client
[Diagram: AnyConnect client with two traffic paths, Internet-bound web communications (via the Cisco Cloud Web Security Service) and internal communications]
FLEX LICENSE: good for emergencies and time based.
ESSENTIALS LICENSE: basic remote access connectivity at minimum cost.
OR
PREMIUM LICENSE: posture assessment and clientless for remote access.
ADVANCED ENDPOINT ASSESSMENT
MOBILE ADD-ON LICENSE: at minimum cost (shown alongside both the Essentials and Premium licenses).
SHARED LICENSE: premium licenses shared by multiple ASAs.
DEDICATED LICENSE
Botnet Traffic Filter
Provides detection and automatic blocking of call-home and command/control traffic between bots and the bot master
Scans all traffic, all ports, and all protocols
Detects infected clients by tracking rogue “phone-home” traffic
Time-based only, licensed per year, per appliance
Example: you have a 52-week Botnet Traffic Filter license installed on two units; the combined running license allows a total duration of 104 weeks
Required version: 8.2(1)+ (detection), 8.2(2)+ (blocking)
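Both the IPS reputation filter (Step 2 above: an SIO-updated list influences deny/drop decisions) and the Botnet Traffic Filter (flag a client as infected when it phones home to a listed destination, on any port or protocol) come down to the same decision logic. The following is an added example written for this page, not Cisco's implementation: the reputation list, the local allow/deny overrides, the threat levels and the flow records are all constructed, and the field names are assumptions. It shows the two pieces a practitioner wants to see together: the per-flow verdict (permit, alert, or drop depending on the destination's threat level) and the per-client "infected" roll-up that drives the alerts in Step 3.

```python
"""Reputation-based phone-home detection over constructed flow records.

Added example; not Cisco Botnet Traffic Filter or IPS code. The reputation
list, overrides, threat levels and flows below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in for the SIO-updated dynamic reputation list (domain -> threat level).
DYNAMIC_BLOCKLIST = {
    "update-check.example-bad.test": "high",
    "cdn.example-bad.test": "moderate",
}
# Listed IP ranges, for flows with no DNS name (documentation range 203.0.113.0/24, constructed).
BLOCKLIST_NETS = {ip_network("203.0.113.0/24"): "high"}
# Local static overrides, as an operator would maintain them (constructed names).
STATIC_ALLOW = {"telemetry.example-corp.test"}
STATIC_DENY = {"chat.example-bad.test"}

THREAT_RANK = {"low": 1, "moderate": 2, "high": 3, "very-high": 4}

# Constructed flow records: (client, dst_domain or None, dst_ip, proto, dst_port).
FLOWS = [
    ("10.1.1.20", "update-check.example-bad.test", "198.51.100.7", "tcp", 443),
    ("10.1.1.20", None, "203.0.113.55", "udp", 4444),   # no DNS name, non-web port
    ("10.1.1.31", "telemetry.example-corp.test", "192.0.2.10", "tcp", 443),
    ("10.1.1.42", "cdn.example-bad.test", "198.51.100.9", "tcp", 80),
    ("10.1.1.53", "chat.example-bad.test", "198.51.100.11", "tcp", 6667),
]


def classify_destination(domain, dst_ip):
    """Return (verdict, threat_level): static overrides first, then the dynamic lists."""
    if domain in STATIC_ALLOW:
        return ("allow", None)
    if domain in STATIC_DENY:
        return ("listed", "very-high")          # operator deny list always outranks the feed
    if domain in DYNAMIC_BLOCKLIST:
        return ("listed", DYNAMIC_BLOCKLIST[domain])
    ip = ip_address(dst_ip)
    for net, level in BLOCKLIST_NETS.items():  # works for any port/protocol, not just web
        if ip in net:
            return ("listed", level)
    return ("clean", None)


def evaluate_flows(flows, drop_threshold="high"):
    """Return per-flow actions and a map of infected clients to their phone-home evidence.

    Flows to listed destinations at or above drop_threshold are dropped; lower
    levels only raise an alert, mirroring a deny-vs-alert policy knob.
    """
    actions, infected = [], defaultdict(list)
    for client, domain, dst_ip, proto, port in flows:
        verdict, level = classify_destination(domain, dst_ip)
        if verdict in ("allow", "clean"):
            actions.append((client, dst_ip, port, "permit"))
            continue
        action = "drop" if THREAT_RANK[level] >= THREAT_RANK[drop_threshold] else "alert"
        actions.append((client, dst_ip, port, action))
        infected[client].append(f"{proto}/{port} -> {domain or dst_ip} ({level})")
    return actions, dict(infected)


if __name__ == "__main__":
    flow_actions, infected_clients = evaluate_flows(FLOWS)
    for entry in flow_actions:
        print("flow", entry)
    for client, evidence in infected_clients.items():
        print("infected client", client, "->", evidence)
```

Lowering `drop_threshold` to `"moderate"` turns the alert on 10.1.1.42 into a drop, which is the trade-off the "deny or drop attacker" policy choice in Step 2 makes explicit.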
NGFW Software: Application Visibility & Control, URL Filtering, Web Reputation (Cisco SIO)
ASA Software: industry’s most widely deployed stateful inspection FW & remote access solution
Subscriptions: AVC subscription; WSE (Web Security Essentials) subscription
PRSM: Centralized Reporting and Management
Shipping since Jul 2012
WHAT: 75,000+ MicroApps
MicroApp Engine: deep classification of targeted traffic
App Behavior: control user interaction with the application
Broad classification of all traffic: 1,000+ apps
Visit http://asacx-cisco.com
Cisco Identity Services Engine (ISE)
Current Methods Simply Don’t Scale
What devices are on your network now?
Do you have consistent enforcement across your network?
Are you always compliant?
How do you secure Mobile Data, Applications, Devices, and Users?
Can you implement policy across Network boundaries?
Identity Service Engine consolidates the functions of the earlier products:
Guest Lifecycle Management: NAC Guest Server
Device Posturing: NAC Manager, NAC Server
Device Profiling: NAC Profiler, NAC Collector (standalone appliance or licensed as a module on NAC Server)
Authentication, Authorization, Accounting: Access Control Solution
All-in-One Enterprise Policy Control
Who, What, Where, When, How: virtual machine client, IP device, guest, employee, and remote user, over wired, wireless and VPN
Cisco® ISE applies business-relevant policies using security policy attributes: identity and context
Replaces AAA and RADIUS, NAC, guest management, and device identity servers
Identity Differentiators
Monitor Mode
Flexible Authentication Sequence
IP Telephony Support
Support for Virtual Desktop Environments
Authentication Features: IEEE 802.1X, MAC Auth Bypass (MAB) and Profiling, Web Authentication
[Diagram: Cisco Catalyst® switch (network device) authenticating IP phones, authorized users, guests and tablets via 802.1X, MAB and Web Auth]
Consistent identity features supported on all Catalyst switch models
Authentication and Authorization
Device Profiling
Deployment scenario with Cisco device sensors (for wired and wireless networks):
Collection: the switch (or access point) collects device-related data (CDP, LLDP, DHCP, MAC) and sends a report to ISE
Classification: ISE classifies the device, collects flow information and provides a device usage report
Authorization: ISE executes policy based on user and device, e.g. Printer Policy [place on VLAN X], Personal iPad Policy [restricted access]
The solution: efficient device classification leveraging the existing infrastructure
Posture Assessment
Wired, wireless and VPN users that are non-compliant get temporary limited network access until remediation is complete
Sample Employee Policy:
• Microsoft patches updated
• McAfee AV installed, running, and current
• Corp asset checks
• Enterprise application running
Challenge:
• Understanding health of device
• Varying level of control over devices
• Cost of remediation
Value:
• Temporal (web-based) or persistent agent
• Automatic remediation
• Differentiated policy enforcement based on role
Guest Access
Guest Policy: guests get wireless or wired access via web authentication, with Internet-only access
Provision: guest accounts via Sponsor Portal
Notify: guests of account details by print, email, or SMS
Manage: sponsor privileges, guest accounts and policies, guest portal
Report: on all aspects of guest accounts
Unified Access Management
[Diagram: HQ at 2:38 p.m.; Cisco® ISE with a Wireless LAN Controller, VLAN 10 and VLAN 20; identity profiling data sources: DHCP, RADIUS, SNMP, NetFlow, HTTP, DNS]
1. IEEE 802.1X EAP user authentication
2. Profiling to identify the device (personal asset or company asset)
3. Posture of the device
4. Policy decision
5. Enforce policy in the network
6. Full or partial access granted (corporate resources, or Internet only)
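The device profiling scenario (collection, classification, authorization), the posture assessment slide (sample employee policy, limited access until remediation) and the six-step access flow above all describe one decision pipeline. The following is an added example written for this page, not Cisco ISE code: the profiler rules and certainty weights, the attribute names, the company asset inventory, the VLAN names and the endpoint records are all constructed, and the weighted-condition scorer is a simplification of how a profiler classifies devices. It carries one request through authentication result, device profile, posture check and the resulting enforcement, including the non-compliant company asset that lands in a remediation VLAN and the personal device that gets Internet-only access.

```python
"""Toy model of the ISE access flow on the slides: authenticate, profile the
device, check posture, decide policy, enforce.

Added example; not Cisco ISE code. Profile rules, certainty weights,
attribute names, VLAN names and the asset inventory are all constructed.
"""
from dataclasses import dataclass

# Constructed profiler rules: (attribute, substring to match, certainty points).
PROFILE_RULES = {
    "Printer": [("lldp_sysdesc", "printer", 30), ("dhcp_class", "printer", 20)],
    "Apple-iPad": [("dhcp_hostname", "ipad", 30), ("http_user_agent", "ipad", 30)],
    "Windows-Workstation": [("dhcp_class", "msft", 20), ("http_user_agent", "windows nt", 20)],
}
MIN_CERTAINTY = 20  # assumed threshold; below it the device stays "Unknown"

# Constructed company asset inventory keyed by MAC address (hypothetical values).
COMPANY_ASSETS = {"00:11:22:33:44:55"}

REQUIRED_ENTERPRISE_APP = "corp-agent"  # constructed name for the "enterprise application" check


def profile_device(attrs: dict) -> str:
    """Step 2: classify the endpoint from collected CDP/LLDP/DHCP/HTTP attributes."""
    best_name, best_score = "Unknown", 0
    for name, conditions in PROFILE_RULES.items():
        score = sum(points for attr, needle, points in conditions
                    if needle in attrs.get(attr, "").lower())
        if score > best_score:
            best_name, best_score = name, score
    return best_name if best_score >= MIN_CERTAINTY else "Unknown"


def posture_failures(report: dict) -> list:
    """Step 3: evaluate the slide's sample employee policy; return the failed checks."""
    failed = []
    if not report.get("patches_current"):
        failed.append("Microsoft patches updated")
    av = report.get("antivirus", {})
    if not (av.get("installed") and av.get("running") and av.get("definitions_current")):
        failed.append("McAfee AV installed, running, and current")
    if not report.get("corp_asset_check_passed"):
        failed.append("Corp asset checks")
    if REQUIRED_ENTERPRISE_APP not in report.get("running_apps", []):
        failed.append("Enterprise application running")
    return failed


@dataclass
class Decision:
    access: str   # deny | full | internet-only | remediation | printer-vlan
    vlan: str     # constructed VLAN names standing in for "VLAN X"
    reason: str


def authorize(auth: dict, attrs: dict, posture_report: dict = None) -> Decision:
    """Steps 1, 4 and 5: combine identity, device profile and posture into one decision."""
    if not auth.get("success"):
        return Decision("deny", "none", "authentication failed")
    profile = profile_device(attrs)
    if profile == "Printer":
        return Decision("printer-vlan", "VLAN-PRINTERS", "printer policy: place on printer VLAN")
    if attrs.get("mac") not in COMPANY_ASSETS:
        return Decision("internet-only", "VLAN-GUEST", f"personal asset ({profile}): restricted access")
    failed = posture_failures(posture_report or {})
    if failed:
        return Decision("remediation", "VLAN-REMEDIATION",
                        "temporary limited access until remediation: " + "; ".join(failed))
    return Decision("full", "VLAN-CORP", f"company asset ({profile}), posture compliant")


# Constructed endpoints exercising each policy branch.
PRINTER = {"mac": "aa:bb:cc:00:00:01", "lldp_sysdesc": "Acme LaserPrinter 3000", "dhcp_class": "AcmePrinter"}
IPAD = {"mac": "aa:bb:cc:00:00:02", "dhcp_hostname": "alices-iPad",
        "http_user_agent": "Mozilla/5.0 (iPad; CPU OS 6_1)"}
LAPTOP = {"mac": "00:11:22:33:44:55", "dhcp_class": "MSFT 5.0",
          "http_user_agent": "Mozilla/5.0 (Windows NT 6.1)"}
COMPLIANT = {"patches_current": True,
             "antivirus": {"installed": True, "running": True, "definitions_current": True},
             "corp_asset_check_passed": True, "running_apps": ["corp-agent", "outlook"]}
STALE_AV = dict(COMPLIANT, antivirus={"installed": True, "running": True, "definitions_current": False})

if __name__ == "__main__":
    print(authorize({"user": "printer01", "method": "mab", "success": True}, PRINTER))
    print(authorize({"user": "alice", "method": "dot1x", "success": True}, IPAD))
    print(authorize({"user": "alice", "method": "dot1x", "success": True}, LAPTOP, COMPLIANT))
    print(authorize({"user": "alice", "method": "dot1x", "success": True}, LAPTOP, STALE_AV))
    print(authorize({"user": "mallory", "method": "dot1x", "success": False}, LAPTOP))
```

The order of checks matters: the printer is placed by profile alone because it authenticates via MAB with no user, the personal iPad never reaches the posture check because the slides' policy restricts personal assets regardless of health, and only a company asset is held in the remediation VLAN until every item of the sample employee policy passes.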
Cisco Secure Network Servers
Based on the Cisco UCS C220 Server, but designed for Cisco Identity Services Engine (ISE), Network Admission Control (NAC) and Access Control Server (ACS)
SNS-3415-K9 & SNS-3495-K9
No CD/DVD drive (boot from USB stick or CIMC)
Also available for VMware
ISE and MDM Enforced Mobile Device Compliance
MDM: Mobile Device Management
Best Practice Today: ISE Device Access Control together with MDM Mobile Device Security Control
ISE: device profiling, BYOD on-boarding, device access control
MDM: device compliance, mobile application management, securing data at rest
The New Way: MDM cannot ‘see’ non-registered devices to enforce device security – but the network can!
• Forces on-boarding to MDM with personal devices used for work
• Register but restrict access for personal devices not managed by MDM
• Quarantine non-compliant devices based on MDM policy
• MDM device registration via ISE
  o Non-registered clients are redirected to the MDM registration page
• Restricted access
  o Non-compliant clients are given restricted access based on policy
• Endpoint MDM agent
  o Compliance
  o Device application control
• Device action from ISE
  o Device stolen -> wipe data on client
Identity Services Engine for Centralized Control
Policy Management Solution: unified network access control; turnkey BYOD solution
1st System-wide Solution: deep network integration; system-wide policy control from one screen
Award Winning Product: ’12 Cisco Pioneer Award; Gartner 2013 NAC MQ
Over 400 Trained and Trusted ATP Partners
Over 1,000 Wins—Year 1
Trusted WiFi: authenticate user, fingerprint device, apply corporate config, enterprise apps, automatic policies
Trusted WiFi: apply defined policy profiles based on device type, user, location and application
Trusted WiFi, Access: FULL. Apps shown: Electronic Medical Records, Mobile TelePresence, Instant Messenger (Yes/No)
Trusted WiFi, Instant Messenger screenshot:
“Is Mr. Allen’s lab work ready yet?”
“Not yet but I will let you know the moment it arrives”
Untrusted WiFi
Access: Limited
ISE Information: http://www.cisco.com/go/ise
Cisco TrustSec (SGA and certified solutions): www.cisco.com/go/trustsec
Application Notes and How-To Guides: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
Design Zone—BYOD Reference Design: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns743/ns1050/own_device.html#~overview
Thank you.
"Security is a process, not a product" Andrew S. Tanenbaum