
Comparison of Next-Generation Firewall Services on ASA and IOS

BRKSEC-1024

Victor Lam

CCIE #21365, CCDP, CCVP, CISSP

Systems Engineering Manager

© 2014 Cisco and/or its affiliates. All rights reserved. BRKSEC-1024 Cisco Public

Session Abstract

Cisco's Next Generation Firewall (NGFW) is a natural evolution of the stateful firewall which provides advanced capabilities such as application filtering and identity-aware access control. This breakout session compares the ASA and IOS implementations of NGFW services. We will explain the different architectural components and how these services can be deployed to provide more granular security control to your network.

This session is targeted at firewall, network, and security engineers who already possess a good understanding of how firewalls work and want to learn more about Next Generation Firewall services on different platforms.

Relevant Related Sessions (Cisco Live 2014)

• BRKNMS-1040 - Application Visibility and Control: Managing AVC and iWAN with Cisco Prime Infrastructure
• BRKSEC-2008 - Deploying Secure Branch and Edge Solutions
• BRKSEC-1030 - Introduction to the Cisco Sourcefire NGIPS
• BRKSEC-2024 - Deploying Next Generation Firewall Services on the ASA
• BRKSEC-2695 - Building an Enterprise Access Control Architecture using ISE and TrustSec

Next Generation Firewall – A Definition

“Next Generation Firewalls (NGFWs) blend the features of a standard firewall with quality of service (QoS) functionalities in order to provide smarter and deeper inspection. In many ways a Next Generation Firewall combines the capabilities of first-generation network firewalls and network intrusion prevention systems (IPS), while also offering additional features such as SSL and SSH inspection, reputation-based malware filtering and Active Directory integration support.”

Source: http://www.webopedia.com/TERM/N/next_generation_firewall_ngfw.html

Next Generation Firewall – A Definition

• Traffic Prioritization & Policing

• Deep Packet Inspection

• Addition to Traditional Firewalls and IPS

• Decryption

• Reputation-based Malware Filtering

• Identity Integration

Source: http://www.webopedia.com/TERM/N/next_generation_firewall_ngfw.html


Agenda

• IOS & IOS-XE

– Network-Based Application Recognition

– Cloud Web Security

– Identity Services Engine

• ASA-X

– Broad Application Visibility and Control

– Web AVC

– Identity-Based Firewall

• Summary & Design Recommendations

IOS & IOS-XE Application Recognition


Network-Based Application Recognition (NBAR2)

[Figure: evolution of NBAR classification. IOS NBAR: 150+ signatures. SCE classification: many more signatures, advanced classification techniques, day-zero classification. Next Generation NBAR (NBAR2): 1000+ signatures, with innovations such as IPv6 traffic classification, nested traffic classification, field extraction and attributes, a common application library, and custom applications matched on HTTP host and URL.]

• NBAR technology has been shipping for 10+ years
• NBAR2 is a complete rebuild of the classification engine
• Cross-platform protocol classification mechanism, for both IPv4 and IPv6
• Flexible custom application recognition

NBAR2 Deployment

• Discover applications going across interfaces

– ip nbar protocol-discovery

• Match applications or application groups in QoS class-map and policy-map for action (e.g., shape, police, etc.)

– match protocol

• Flexible Netflow (FNF) or other features to report application name

– match or collect application name


NBAR2 Key Features

• Application Attributes and Categorization

• Custom Application Enhancement

• Advanced Classification Techniques

• NetFlow Integration

• Field Extraction Support

• In-Service Application Definition Update

• Common Application Library Across Platforms


NBAR2 Application Attributes and Categorization

• Grouping of applications based on various characteristics/properties
• Attribute types: Application-Group, Category, Sub-Category, Peer-to-Peer, Tunnel, Encrypted

IOS#show ip nbar attribute application-group
<SNIP>
Groups : skype-group
       : qq-group
       : wap-group
       : vnc-group
       : capwap-group
       : ldap-group
       : icq-group
       : vmware-group
       : ftp-group
       : sqlsvr-group
       : ipsec-group
       : banyan-group
       : gtalk-group
       : bittorrent-group
<SNIP>

IOS#show ip nbar attribute category
<SNIP>
Groups : newsgroup
       : instant-messaging
       : net-admin
       : trojan
       : email
       : file-sharing
       : industrial-protocols
       : business-and-productivity-tools
       : internet-privacy
       : social-networking
       : layer3-over-ip
       : streaming
       : location-based-services
       : voice-and-video
<SNIP>

IOS#sh ip nbar attrib sub-category
<SNIP>
Groups : routing-protocol
       : license-manager
       : terminal
       : remote-access-terminal
       : inter-process-rpc
       : network-protocol
       : epayement
       : voice-video-chat-collaboration
       : file-sharing
       : internet-privacy
       : p2p-file-transfer
       : authentication-services
       : streaming
       : network-management
<SNIP>

NBAR2 Application Attributes and Categorization: What attributes does an application have?

Pre-defined attributes:

IOS#show ip nbar protocol-attribute citrix
Protocol Name     : citrix
category          : business-and-productivity-tools
sub-category      : terminal
application-group : other
p2p-technology    : p2p-tech-no
tunnel            : tunnel-no
encrypted         : encrypted-yes

IOS#show ip nbar protocol-attribute webex-meeting
Protocol Name     : webex-meeting
category          : voice-and-video
sub-category      : voice-video-chat-collaboration
application-group : webex-group
p2p-technology    : p2p-tech-no
tunnel            : tunnel-no
encrypted         : encrypted-yes
IOS#

IOS-XE#show ip nbar protocol-attribute citrix
Protocol Name     : citrix
application-group : other
category          : business-and-productivity-tools
encrypted         : encrypted-yes
p2p-technology    : p2p-tech-no
sub-category      : desktop-virtualization
tunnel            : tunnel-no

Note that the citrix sub-category differs between the two outputs (terminal on IOS, desktop-virtualization on IOS-XE): attribute values come from the loaded protocol pack, so verify them on the target platform before writing a policy that matches on an attribute.

NBAR2 Application Attributes and Categorization: What applications belong to a particular attribute?

Syntax: show ip nbar attribute <attribute type> <attribute name>

IOS#show ip nbar attribute sub-category voice-video-chat-collaboration
[SNIP]
fring-video          Fring Video, video conversations on mobiles
fring-voip           Fring Voip, voice conversations on mobiles over IP
google-plus          google-plus, social networking web and mobile application
groove               groove
gtalk                Base google-talk protocol
gtalk-video          Google Talk Video Call
gtalk-voip           Google Talk voice
iax                  Inter-Asterisk eXchange
icq                  I seek you (ICQ), Instant Messaging Protocol
irc                  Internet Relay Chat
irc-serv             IRC-SERV
ms-lync              MS-Lync, a unified communications platform
ms-lync-audio        MS Lync Audio flows classification
ms-lync-media        DEPRECATED, see ms-lync-video and ms-lync-audio
ms-lync-video        MS Lync video calls classification
msn-messenger        MSN Messenger IM, Status Messages, News and Gaming
msn-messenger-video  MSN Messenger Video
msnp                 msnp
netwall              for emergency broadcasts
ntalk                ntalk
philips-vc           Philips Video-Conferencing
secure-irc           irc protocol over TLS
silc                 silc
skype                Skype Peer-to-Peer Internet Telephony Protocol
[SNIP]

NBAR2 Custom Application Enhancement

• NBAR supports custom applications by port or by values in the payload
• Custom applications can match on HTTP URL and/or Host
• Custom application definition and reporting through Cisco Prime Assurance

Custom enterprise applications in this example:
server1.example.com (payroll)
server2.example.com: /doc – Documentation, /software – Software

router(config)#ip nbar custom my_payroll http host server1.example.com id 60001
router(config)#ip nbar custom my_doc_mgmt http url doc host server2.example.com id 60002
router(config)#ip nbar custom my_software_rep http url software host server2.example.com id 60003

The id at the end of each line is the custom application selector ID.

Custom App       | Server              | URI       | BW | Resp. Time
My Payroll       | server1.example.com | -         | 2M | 100ms
My Doc. Mgmt.    | server2.example.com | /doc      | 1M | 250ms
My Software Rep. | server2.example.com | /software | 5M | 30sec

Modular QoS Traffic Classification: NBAR2 Integration with IPv4 and IPv6

[Figure: headquarters VPN routers connected to branch routers over WAN1 (DMVPN) and WAN2 (FlexVPN / IP VPN, DMVPN), carrying IPv4 and native IPv6 to customer, partner and branch sites.]

What traffic?
class-map match-any peer2peer
 match protocol kazaa2
 match protocol gnutella
 match protocol fasttrack

How to treat the traffic?
policy-map limit-p2p
 class peer2peer
  bandwidth percent 10

Where to apply?
interface Serial1
 service-policy input limit-p2p

• Stateful classification for creating policies for v4/v6 traffic, simplifying policy management
• Discover applications using NBAR2
• Supports both input and output traffic

Note: bandwidth reserves a minimum share for the class rather than capping it, and IOS accepts queuing actions such as bandwidth only in an output service-policy; to cap peer-to-peer traffic on ingress, use police in the class instead.

Modular QoS Traffic Classification: Simplified Policies using NBAR2 Attributes

• Discover applications using NBAR2
• Match on category, sub-category, device-type, etc.

What traffic?
class-map my-class
 match protocol attribute category file-sharing

How to treat the traffic?
policy-map limit-p2p
 class my-class
  bandwidth percent 10

Where to apply?
interface Serial1
 service-policy input limit-p2p

Modular QoS Traffic Classification: Simplified Policies using NBAR2 Attributes

Match on applications or pre-defined attributes:
class-map match-any p2p-class
 match protocol kazaa2
 match protocol attribute application-group bittorrent-group
 match protocol attribute sub-category p2p-networking

Exclude Viber and Skype from the sub-category voice-video-chat-collaboration:
class-map match-any excluded-apps
 match protocol skype
 match protocol viber
class-map match-all voice-video-chat-app
 match protocol attribute sub-category voice-video-chat-collaboration
 match not class-map excluded-apps

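The combination of match-any, match-all and match not class-map above is easy to misread, so here is an added example, not from the slides or from Cisco, that parses those class-maps and evaluates them the way IOS does against an application-attribute table. The table is constructed to resemble show ip nbar protocol-attribute output; the values for kazaa2, bittorrent and viber, the policy order and the unknown application are assumptions.

```python
"""Model of how an IOS class-map built from NBAR2 protocols and attributes is
evaluated: match-any ORs its match lines, match-all ANDs them, and
`match not class-map` nests another class-map negated.

Added example (not from the slides). The attribute table below is
constructed to resemble `show ip nbar protocol-attribute` output; the
values for kazaa2, bittorrent and viber are assumptions."""

from typing import Dict, List, Tuple

APP_ATTRIBUTES: Dict[str, Dict[str, str]] = {
    "kazaa2":        {"category": "file-sharing", "sub-category": "p2p-file-transfer",
                      "application-group": "other"},
    "bittorrent":    {"category": "file-sharing", "sub-category": "p2p-networking",
                      "application-group": "bittorrent-group"},
    "skype":         {"category": "voice-and-video",
                      "sub-category": "voice-video-chat-collaboration",
                      "application-group": "skype-group"},
    "viber":         {"category": "voice-and-video",
                      "sub-category": "voice-video-chat-collaboration",
                      "application-group": "other"},
    "webex-meeting": {"category": "voice-and-video",
                      "sub-category": "voice-video-chat-collaboration",
                      "application-group": "webex-group"},
    "citrix":        {"category": "business-and-productivity-tools",
                      "sub-category": "terminal", "application-group": "other"},
}

# The class-maps from the slide, in IOS syntax.
CLASS_MAP_CONFIG = """
class-map match-any p2p-class
 match protocol kazaa2
 match protocol attribute application-group bittorrent-group
 match protocol attribute sub-category p2p-networking
class-map match-any excluded-apps
 match protocol skype
 match protocol viber
class-map match-all voice-video-chat-app
 match protocol attribute sub-category voice-video-chat-collaboration
 match not class-map excluded-apps
"""

Rule = Tuple[bool, List[str]]       # (negated, tokens after "match [not]")
ClassMap = Tuple[str, List[Rule]]   # (match-any | match-all, rules)


def parse_class_maps(config: str) -> Dict[str, ClassMap]:
    """Parse class-map / match lines; a class-map without an explicit mode
    is match-all, as on IOS."""
    class_maps: Dict[str, ClassMap] = {}
    current = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "class-map":
            if tokens[1] in ("match-any", "match-all"):
                mode, name = tokens[1], tokens[2]
            else:
                mode, name = "match-all", tokens[1]
            class_maps[name] = (mode, [])
            current = name
        elif tokens[0] == "match" and current is not None:
            negated = tokens[1] == "not"
            class_maps[current][1].append((negated, tokens[2:] if negated else tokens[1:]))
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return class_maps


def rule_matches(tokens: List[str], app: str, class_maps: Dict[str, ClassMap]) -> bool:
    """One match line against one NBAR2-classified application."""
    if tokens[:2] == ["protocol", "attribute"]:
        attr, value = tokens[2], tokens[3]
        return APP_ATTRIBUTES.get(app, {}).get(attr) == value
    if tokens[0] == "protocol":
        return app == tokens[1]
    if tokens[0] == "class-map":
        return class_matches(tokens[1], app, class_maps)
    raise ValueError(f"unsupported match: {tokens}")


def class_matches(name: str, app: str, class_maps: Dict[str, ClassMap]) -> bool:
    """match-any: any line hits; match-all: every line hits. A negated line
    counts as a hit when its underlying condition does NOT match."""
    mode, rules = class_maps[name]
    results = [rule_matches(tokens, app, class_maps) != negated for negated, tokens in rules]
    return any(results) if mode == "match-any" else all(results)


def classify(app: str, class_maps: Dict[str, ClassMap], policy_order: List[str]) -> str:
    """A policy-map tries its classes in order; the first hit wins and anything
    left over lands in class-default."""
    for name in policy_order:
        if class_matches(name, app, class_maps):
            return name
    return "class-default"


if __name__ == "__main__":
    cms = parse_class_maps(CLASS_MAP_CONFIG)
    for app in list(APP_ATTRIBUTES) + ["unknown"]:
        print(f"{app:14s} -> {classify(app, cms, ['p2p-class', 'voice-video-chat-app'])}")
```

Running it shows the point of the nested negation: skype and viber share the voice-video-chat-collaboration sub-category with webex-meeting, but the match-all class only accepts webex-meeting because the negated excluded-apps line fails for the other two, so they fall through to class-default.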

NetFlow and NBAR Integration

Traditional NetFlow
• Monitors data in Layers 2 thru 4
• Application classification by Port or Port/IP Address
• Flow information: who, what, when, where

NBAR
• Examines data from Layers 3 thru 7
• Utilizes Layers 3 and 4 plus packet inspection for classification
• Stateful inspection of dynamic-port traffic
• Packet and byte counts

[Figure: a data packet laid out as Link Layer Header | IP Header (Source IP Address, Destination IP Address, Protocol, ToS, Interface) | TCP/UDP Header (Source Port, Destination Port) | Data. NetFlow keys on the header fields; NBAR adds deep packet (payload) inspection.]

NBAR Field Extraction into Flexible NetFlow

• NBAR extracts fields from flows and exposes them to Flexible NetFlow
• Field export to external receivers may require IPFIX as the protocol in the exporter definition

The record keys on source and destination address as well as application name, so the cache shows the columns below:

router(config)# flow record My_record
router(config-flow-record)# match ipv4 source address
router(config-flow-record)# match ipv4 destination address
router(config-flow-record)# match application name
router(config-flow-record)# collect application http host
router(config-flow-record)# collect application http url
router(config)# flow monitor My_monitor
router(config-flow-monitor)# record My_record
router(config)# interface gig1/1
router(config-if)# ip flow monitor My_monitor input

show flow mon My_monitor cache
IPV4 SRC ADDR    IPV4 DST ADDR    APP NAME     Hostname          URL
===============  ===============  ===========  ================  ======
10.0.1.1         10.0.1.2         nbar http    www.google.com    /news

In-Service NBAR Application Definition Update

[Figure: individual PDLMs (e.g., bittorrent.pdlm, citrix.pdlm) are bundled into a Protocol Pack for NBAR2.]

ip nbar pdlm <path_to_pdlm_file>
ip nbar protocol-pack <path_to_protocol_pack>

IOS#show ip nbar protocol-pack active
Active Protocol Pack:
Name: Advanced Protocol Pack
Version: 7.1
Publisher: Cisco Systems Inc.
NBAR Engine Version: 18
State: Active

IOS-XE#show ip nbar protocol-pack active
Active Protocol Pack:
Name: Advanced Protocol Pack
Version: 10.0
Publisher: Cisco Systems Inc.
NBAR Engine Version: 18
Creation Time: Mon Mar 10 2014
File: bootflash:pp-adv-asr1k-154-2.S-18-10.0.0.pack
State: Active

• New IOS and IOS XE releases ship with new PDLs (Protocol Description Language): show ip nbar version
• A PDLM defines updates or a new application
• Bundles of multiple PDLMs are released as a protocol pack: show ip nbar protocol-pack

Cisco Prime Infrastructure: Monitor QoS Performance

• Top Applications over Time
• QoS Class Map Statistics
• QoS Queue Drops
• QoS Pre/Post Traffic Rate

Cisco IOS Cloud Web Security (CWS)

Branch Office: ISR G2 + CWS. Enterprise branches using split tunneling to the Internet

[Figure: a Cisco ISR G2 at the branch running Cloud Web Security, Cisco IOS Firewall and Cisco IOS IPS. A wired security zone (POS, local LAN) and a wireless security zone (guest users) sit behind the router; corporate traffic goes over IPsec VPN to the head office, while Internet-bound web traffic is split-tunneled through Cloud Web Security (secure split tunneling).]

• Consistent policy, security, and reporting for all users
• Faster deployments and less complexity

ISR G2 + CWS Benefits

• No HTTP proxy settings changes for the web browsers
• Authentication
– Single Sign-On with LDAP and AD
– NTLM, HTTP Basic
• Cloud Web Security Portal configuration, provisioning, and reporting
• ISR Connector works with other IOS Security services (e.g., FW, IPS, VPN)

ISR G2 + CWS Functionality

• IOS (universal) images with security feature set (SEC) licenses
• Platforms: 880, 890, 19XX, 29XX and 39XX/E ISR G2 (not on IOS XE)
• Decryption/re-encryption of HTTP/HTTPS traffic
• Outbreak Intelligence and malware scanning

router(config)# parameter-map type content-scan global
router(config-profile)# server scansafe primary name proxyABC.scansafe.net port http 8080 https 8080
router(config-profile)# server scansafe secondary name proxyXYZ.scansafe.net port http 8080 https 8080
router(config-profile)# license 7 <CWS_license>
router(config-profile)# source interface GigabitEthernet0/1
router(config-profile)# timeout server 30
router(config-profile)# server scansafe on-failure block-all
router(config)# int g0/0
router(config-if)# content-scan out

With on-failure block-all the router fails closed: if neither tower responds within the server timeout, web traffic is dropped rather than forwarded to the Internet unscanned. The alternative, on-failure allow-all, trades inspection for availability.

Cloud Web Security: Web Category Filters
[Screenshot of the Cloud Web Security portal web category filter configuration]

Cloud Web Security: Application Behavior Filters
[Screenshot of the Cloud Web Security portal application behavior filter configuration]

Cloud Web Security: Preconfigured IDs
[Screenshot of the Cloud Web Security portal preconfigured IDs]

Identity Services Engine (ISE)

Cisco Identity Services Engine (ISE): All-in-One Enterprise Policy Control

[Figure: identity and context (who: VM client, IP device, guest, employee, remote user; what; where; when; how: wired, wireless, VPN) feed security policy attributes, producing business-relevant policies.]

ISE Live Session Log: Real-time Authentication/Authorization Visibility and Control

[Screenshot of the ISE live session log; a Change of Authorization (CoA) can be sent directly from this view.]

ASA Next Generation Firewall Services

Cisco ASA-X Next Generation Firewall: Main Features

• Active & Passive Authentication
• Application Visibility & Control (Broad and Web)
• SSL/TLS Decryption
• HTTP Inspection
• Web Reputation
• URL Filtering
• Reporting
• Eventing
• Layer 3, 4, and 7 Access Rules
• Intrusion Prevention (IPS)

Cisco ASA-X: Classic Stateful Firewall + Next Generation Firewall

ASA (classic stateful firewall):
• IP Fragmentation
• IP Option Inspection
• TCP Intercept
• TCP Normalization
• ACL
• NAT
• VPN Termination
• Routing
• Botnet filtering

CX (NGFW):
• TCP Proxy
• TLS Proxy
• AVC
• Multiple Policy Decision Points
• HTTP Inspection
• URL Category/Reputation
• IPS

ASA 5585-X Hardware Architecture

[Figure: chassis with an ASA SSP and an NGFW SSP; two hard drives in RAID 1 for event data; 10GE and GE ports; two GE management ports.]

ASA 5500-X Hardware Architecture

[Figure: ASA 5555-X with I/O expansion slot, status LEDs, serial console, USB, 8 x 1GE copper ports, redundant hot-swappable PSU and a dedicated 1GE management port.]

• 120 GB SSD (the 5585-X uses a spinning 600 GB drive)
• The ASA will shut down the NGFW service when all storage is removed
• RAID only on 5545-X & 5555-X (and 5585-X)
• Shares the management port with the ASA
• Feature parity across all ASA platforms

ASA Packet Flow Diagram

[Figure: the ASA side (CPU complex, crypto engine, fabric switch, 10GE NICs, ports) and the NGFW side (CPU complex, RegEx engine, fabric switch, 10GE NICs) are joined over the backplane. Red = ASA ingress; Yellow = traffic matched for NGFW inspection; Green = traffic allowed (ASA egress).]

All traffic ALWAYS enters and exits the ASA.

Packet Processing (Non-HTTP Traffic)

Packet Ingress (ASA) -> Service Policy (ASA) -> NGFW ingress -> L3/L4 Check -> Broad AVC -> Access Policy -> Packet Egress (ASA)

• All traffic enters the ASA, and if the policy verdict is “allow”, it exits the ASA, not the NGFW.
• All traffic that hits the NGFW is subject to Broad AVC engine inspection.

Packet Processing (HTTP Traffic)

Packet Ingress (ASA) -> Service Policy (NGFW ingress) -> L3/L4 Check -> Broad AVC -> Web AVC (HTTP Inspector) -> Access Policy -> Packet Egress (ASA)

• If Broad AVC classifies traffic as HTTP/HTTPS, the Web AVC inspection engine is applied.

Redirecting Traffic to ASA NGFW: ASA Modular Policy Framework (PRSM Monitor-only Mode)

access-list CX extended permit ip any any
!
class-map cx_class
 match access-list CX
!
policy-map global_policy
 class inspection_default
  <SNIP>
 class cx_class
  cxsc fail-open

Note: cxsc fail-open keeps forwarding the matched traffic without NGFW inspection if the CX module becomes unavailable; cxsc fail-close drops it instead. Choose deliberately: fail-open favours availability, fail-close favours enforcement.

ASA Web Application Visibility and Control (AVC)

Applications: Visibility with Control

• Broad: classification of all traffic, more than 1200 apps (e.g., Facebook, Skype, FarmVille, Yahoo, LinkedIn, iTunes, YouTube, Google+)
• MicroApp Engine: deep classification of targeted traffic, more than 150,000 MicroApps
• App Behavior: control user interaction with the application

Malware Defense with Intelligence

[Figure: Cisco Security Intelligence Operations (SIO) feeds reputation and signatures to the platform, which answers, per connection: Valid SMTP connection? Bad or unwanted content? Command & control site? Hostile action? Malicious content on the endpoint?]

Cisco SIO inputs:
• Threat research
• Domain registration
• Content inspection
• Spam traps, honeypots, crawlers
• Blocklists & reputation
• 3rd party partnerships
• Platform-specific rules & logic

Understanding Web Reputation Scores

Default web reputation profile: Suspicious (-10 through -6), Not suspicious (-5.9 through +10)

[Figure: a scale from -10 to +10 with example site types, ordered here from most negative to most positive:]
• Dedicated or hijacked sites persistently distributing key loggers, root kits and other malware. Almost guaranteed malicious.
• Phishing sites, bots, drive-by installers. Extremely likely to be malicious.
• Aggressive ad syndication and user tracking networks. Sites suspected to be malicious, but not confirmed.
• Sites with some history of responsible behavior or 3rd party validation.
• Well managed, responsible content syndication networks and user generated content.
• Sites with a long history of responsible behavior. Have significant volume and are widely accessed.

ASA NGFW File Filtering Profiles

• Enable blocking of upload/download of specified MIME types (wildcards or specific sub types)
• Can only be applied to policies with the ‘Allow’ action
• End user notifications are provided

ASA NGFW Controlling Web Application Behavior

• Enforces policies where application access can be balanced with acceptable usage
• HTTP and decrypted HTTPS application behavior can be controlled
• Can only be enabled on ‘allow’ policies
• Controls can also be seen in the application database

[Screenshots of the web application behavior controls]

ASA Identity-Based Firewall

ASA NGFW Identity Integration: Passive Authentication Architecture

[Figure: a domain user logs in; the Active Directory domain controller records the user login event in its security log; the Cisco Context Directory Agent (CDA) server reads the login events over WMI and sends the domain username/realm to IP mapping to the Cisco ASA + NGFW over RADIUS; the ASA retrieves domain username and group information from Active Directory over LDAP; the user's traffic toward the Internet is controlled by access policies which leverage identity.]

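To make the passive-authentication flow concrete, here is an added example (not Cisco or CDA code) that replays domain-controller logon events into a username-to-IP mapping table, looks up group membership from a stand-in for the LDAP query, and evaluates identity-aware access rules against flows. The events, their field names, the group data, the rules, the addresses and the mapping lifetime are all constructed for the example.

```python
"""Passive authentication as the slide draws it, reduced to its data flow:
domain-controller logon events become username-to-IP mappings (the job of
the Context Directory Agent), directory group membership is looked up per
user, and access rules are written against groups instead of addresses.

Added example, not Cisco code. Event fields, the group data, the rules and
the mapping lifetime are all constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed logon events in the order the security log would record them.
# Field names are assumptions; what matters is user, source IP and time.
LOGON_EVENTS: List[Dict] = [
    {"time": 100, "event": "logon", "domain": "CORP", "user": "alice", "ip": "10.1.1.10"},
    {"time": 120, "event": "logon", "domain": "CORP", "user": "bob",   "ip": "10.1.1.20"},
    # DHCP later hands alice's address to carol; no logoff for alice was seen.
    {"time": 300, "event": "logon", "domain": "CORP", "user": "carol", "ip": "10.1.1.10"},
]

# Constructed stand-in for the LDAP group lookup.
GROUPS: Dict[str, set] = {
    "CORP\\alice": {"Domain Users", "Finance"},
    "CORP\\bob":   {"Domain Users", "Engineering"},
    "CORP\\carol": {"Domain Users"},
}

MAPPING_TTL = 1000  # seconds a learned mapping is trusted (assumed value)


@dataclass
class Rule:
    name: str
    group: Optional[str]  # None: any source, mapped or not
    app: Optional[str]    # None: any application
    action: str           # "allow" or "deny"


# Constructed identity-aware access policy, evaluated top-down, first match wins.
POLICY: List[Rule] = [
    Rule("finance-to-payroll", "Finance", "my_payroll", "allow"),
    Rule("employees-web", "Domain Users", "http", "allow"),
    Rule("default-deny", None, None, "deny"),
]


def build_mappings(events: List[Dict]) -> Dict[str, Tuple[str, int]]:
    """Replay logon/logoff events into ip -> (DOMAIN\\user, time learned).
    A later logon from an IP simply overwrites the earlier user."""
    mappings: Dict[str, Tuple[str, int]] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event"] == "logon":
            mappings[ev["ip"]] = (f"{ev['domain']}\\{ev['user']}", ev["time"])
        elif ev["event"] == "logoff":
            mappings.pop(ev["ip"], None)
    return mappings


def user_for(ip: str, mappings: Dict[str, Tuple[str, int]], now: int) -> Optional[str]:
    """Identity the firewall believes is behind `ip` at time `now`, or None."""
    entry = mappings.get(ip)
    if entry is None:
        return None
    user, learned = entry
    return None if now - learned > MAPPING_TTL else user


def verdict(src_ip: str, app: str, mappings: Dict[str, Tuple[str, int]],
            now: int) -> Tuple[str, str, Optional[str]]:
    """Return (action, rule name, user) for a flow. Unmapped or expired
    sources carry no groups and can only hit rules with group=None."""
    user = user_for(src_ip, mappings, now)
    groups = GROUPS.get(user, set()) if user else set()
    for rule in POLICY:
        if rule.group is not None and rule.group not in groups:
            continue
        if rule.app is not None and rule.app != app:
            continue
        return rule.action, rule.name, user
    return "deny", "implicit-deny", user


if __name__ == "__main__":
    table = build_mappings(LOGON_EVENTS)
    for ip, app in [("10.1.1.10", "my_payroll"), ("10.1.1.20", "http"), ("10.1.1.30", "http")]:
        print(ip, app, verdict(ip, app, table, now=400))
```

The third event is the case to watch: a new logon from 10.1.1.10 silently replaces alice's mapping with carol's, and until that event arrives whoever holds the address inherits the mapped user's groups. Passive authentication binds identity to an IP address on the strength of a log entry, which is why the ASA also offers active authentication for policies that need a stronger binding.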

Summary & Design Recommendations


Next Generation Firewall – A Definition

• Traffic Prioritization & Policing

• Deep Packet Inspection

• Addition to Traditional Firewalls and IPS

• Decryption

• Reputation-based Malware Filtering

• Identity Integration

Source: http://www.webopedia.com/TERM/N/next_generation_firewall_ngfw.html


Next Generation Firewall Services on IOS & ASA

Feature                                  | IOS (ASR & ISR G2)         | ASA
-----------------------------------------|----------------------------|-------------------------
Traffic Prioritization & Policing        | Modular QoS CLI            | ASA QoS
Deep Packet Inspection: Non-HTTP         | NBAR2                      | NGFW Broad AVC
Deep Packet Inspection: HTTP Application | NBAR2 / Cloud Web Security | NGFW Web AVC
HTTPS Decryption                         | Cloud Web Security         | NGFW TLS Proxy
Reputation-based Malware Filtering       | Cloud Web Security         | Cisco SIO
Identity                                 | ISE                        | Identity Firewall / NGFW
Management                               | Prime Infrastructure       | Prime Security Manager

Design Recommendations

• ASA at Internet edge
– AnyConnect Secure Mobility
– Cisco SIO
• ASR 1000 (IOS-XE) at HQ WAN
– Site-to-site VPN options
– Application SLA assurance
• ISR G2 (IOS) at Branch
– Cloud Web Security
– UCS E-Series

[Figure: ASA at the headquarters Internet edge, fed by Cisco Security Intelligence Operations; ASR routers at the HQ WAN; ISR routers at the customer, partner and branch sites over WAN1 (DMVPN) and WAN2 (FlexVPN).]

Reference

• NBAR Protocol Library: http://www.cisco.com/en/US/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/nbar-prot-pack-library.html

• NBAR Configuration: http://www.cisco.com/en/US/docs/ios-xml/ios/qos_nbar/configuration/15-mt/qos-nbar-15-mt-book.html

• IOS AVC Configuration: http://www.cisco.com/en/US/docs/ios/solutions_docs/avc/ios_xe3_9/avc_config.html

• ActionPacked! Networks: http://www.actionpacked.com/

• CA-NetQoS: http://www.ca.com/us/content/Integration/netqos.aspx

• InfoVista: http://www.infovista.com/

• ASA Next Generation Firewall Services: http://www.cisco.com/go/asacx

• ASA NGFW Applications Portal: http://tools.cisco.com/security/center/avc.x

• Security Intelligence Operations: http://www.cisco.com/go/sio

