Comparison of Next-Generation Firewall Services on ASA and IOS
BRKSEC-1024
Victor Lam
CCIE #21365, CCDP, CCVP, CISSP
Systems Engineering Manager
© 2014 Cisco and/or its affiliates. All rights reserved. BRKSEC-1024 Cisco Public
Session Abstract
Cisco's Next Generation Firewall (NGFW) is a natural evolution of the stateful
firewall that provides advanced capabilities such as application filtering and
identity-aware access control. This breakout session compares the ASA and IOS
implementations of NGFW services. We will explain the different architectural
components and how these services can be deployed to provide more granular
security control in your network.
This session is targeted at firewall, network, and security engineers who already
possess a good understanding of how firewalls work and want to learn more
about Next Generation Firewall services on different platforms.
Relevant Related Sessions (Cisco Live 2014)
• BRKNMS-1040 - Application Visibility and Control: Managing AVC and iWAN with Cisco Prime Infrastructure
• BRKSEC-2008 - Deploying Secure Branch and Edge Solutions
• BRKSEC-1030 - Introduction to the Cisco Sourcefire NGIPS
• BRKSEC-2024 - Deploying Next Generation Firewall Services on the ASA
• BRKSEC-2695 - Building an Enterprise Access Control Architecture using ISE and TrustSec
Next Generation Firewall – A Definition
“Next Generation Firewalls (NGFWs) blend the features of a standard firewall
with quality of service (QoS) functionalities in order to provide smarter and deeper
inspection. In many ways a Next Generation Firewall combines the capabilities of
first-generation network firewalls and network intrusion prevention systems (IPS),
while also offering additional features such as SSL and SSH inspection,
reputation-based malware filtering and Active Directory integration support.”
Source: http://www.webopedia.com/TERM/N/next_generation_firewall_ngfw.html
Next Generation Firewall – A Definition
• Traffic Prioritization & Policing
• Deep Packet Inspection
• Addition to Traditional Firewalls and IPS
• Decryption
• Reputation-based Malware Filtering
• Identity Integration
Source: http://www.webopedia.com/TERM/N/next_generation_firewall_ngfw.html
Agenda
• IOS & IOS-XE
– Network-Based Application Recognition
– Cloud Web Security
– Identity Services Engine
• ASA-X
– Broad Application Visibility and Control
– Web AVC
– Identity-Based Firewall
• Summary & Design Recommendations
Network-Based Application Recognition (NBAR2)
• NBAR technology: 10+ years; IOS NBAR with 150+ signatures
• SCE classification: many more signatures, advanced classification techniques, day-zero classification
• NBAR2 (next generation): 1000+ signatures; a complete rebuild of the classification engine
• NBAR2 innovations: IPv6 traffic classification, nested traffic classification, field extraction, attributes, common application library, custom applications with HTTP host and URL
• Cross-platform protocol classification mechanism, both IPv4 & IPv6
• Custom application recognition flexibility
NBAR2 Deployment
• Discover applications going across interfaces
– ip nbar protocol-discovery
• Match applications or application groups in QoS class-map and policy-map for action (e.g., shape, police, etc.)
– match protocol
• Flexible Netflow (FNF) or other features to report application name
– match or collect application name
NBAR2 Key Features
• Application Attributes and Categorization
• Custom Application Enhancement
• Advanced Classification Techniques
• NetFlow Integration
• Field Extraction Support
• In-Service Application Definition Update
• Common Application Library Across Platforms
NBAR2 Application Attributes and Categorization
• Grouping of applications based on various characteristics/properties
– Application-Group
– Category
– Sub-Category
– Peer-to-Peer
– Tunnel
– Encrypted
IOS#show ip nbar attribute application-group
<SNIP>
Groups : skype-group
: qq-group
: wap-group
: vnc-group
: capwap-group
: ldap-group
: icq-group
: vmware-group
: ftp-group
: sqlsvr-group
: ipsec-group
: banyan-group
: gtalk-group
: bittorrent-group
<SNIP>
IOS#show ip nbar attribute category
<SNIP>
Groups : newsgroup
: instant-messaging
: net-admin
: trojan
: file-sharing
: industrial-protocols
: business-and-productivity-tools
: internet-privacy
: social-networking
: layer3-over-ip
: streaming
: location-based-services
: voice-and-video
<SNIP>
IOS#sh ip nbar attrib sub-category
<SNIP>
Groups : routing-protocol
: license-manager
: terminal
: remote-access-terminal
: inter-process-rpc
: network-protocol
: epayement
: voice-video-chat-collaboration
: file-sharing
: internet-privacy
: p2p-file-transfer
: authentication-services
: streaming
: network-management
<SNIP>
NBAR2 Application Attributes and Categorization – What attributes does an application have?
IOS#show ip nbar protocol-attribute citrix
Protocol Name : citrix
category : business-and-productivity-tools
sub-category : terminal
application-group : other
p2p-technology : p2p-tech-no
tunnel : tunnel-no
encrypted : encrypted-yes
IOS#show ip nbar protocol-attribute webex-meeting
Protocol Name : webex-meeting
category : voice-and-video
sub-category : voice-video-chat-collaboration
application-group : webex-group
p2p-technology : p2p-tech-no
tunnel : tunnel-no
encrypted : encrypted-yes
IOS#
Pre-defined Attributes
IOS-XE#show ip nbar protocol-attribute citrix
Protocol Name : citrix
application-group : other
category : business-and-productivity-tools
encrypted : encrypted-yes
p2p-technology : p2p-tech-no
sub-category : desktop-virtualization
tunnel : tunnel-no
NBAR2 Application Attributes and Categorization – What applications belong to a particular attribute?
IOS#show ip nbar attribute sub-category voice-video-chat-collaboration
[SNIP]
fring-video Fring Video, video conversations on mobiles
fring-voip Fring Voip, voice conversations on mobiles over IP
google-plus google-plus, social networking web and mobile application
groove groove
gtalk Base google-talk protocol
gtalk-video Google Talk Video Call
gtalk-voip Google Talk voice
iax Inter-Asterisk eXchange
icq I seek you (ICQ), Instant Messaging Protocol
irc Internet Relay Chat
irc-serv IRC-SERV
ms-lync MS-Lync, a unified communications platform
ms-lync-audio MS Lync Audio flows classification
ms-lync-media DEPRECATED, see ms-lync-video and ms-lync-audio
ms-lync-video MS Lync video calls classification
msn-messenger MSN Messenger IM, Status Messages, News and Gaming
msn-messenger-video MSN Messenger Video
msnp msnp
netwall for emergency broadcasts
ntalk ntalk
philips-vc Philips Video-Conferencing
secure-irc irc protocol over TLS
silc silc
skype Skype Peer-to-Peer Internet Telephony Protocol
[SNIP]
In this command, sub-category is the attribute type and voice-video-chat-collaboration is the attribute name.
NBAR2 Custom Application Enhancement
router(config)#ip nbar custom my_payroll http host server1.example.com id 60001
router(config)#ip nbar custom my_doc_mgmt http url doc host server2.example.com id 60002
router(config)#ip nbar custom my_software_rep http url software host server2.example.com id 60003
Custom App        Server               URI        BW   Resp. Time
My Payroll        server1.example.com  -          2M   100ms
My Doc. Mgmt.     server2.example.com  /doc       1M   250ms
My Software Rep.  server2.example.com  /software  5M   30sec
NBAR supports custom applications matched by port or by values in the payload
Custom applications can match on HTTP URL and/or Host
The "id" value is the Custom App Selector ID
[Diagram: custom enterprise applications on server1.example.com and server2.example.com (/doc – Documentation, /software – Software); Cisco Prime Assurance consumes the custom application definition and reports on it]
Modular QoS Traffic Classification – NBAR2 Integration with IPv4 and IPv6
[Diagram: Headquarters with WAN1 (DMVPN) and WAN2 (IPVPN, DMVPN / FlexVPN) connecting customer, partner and branch sites; IPv4 and native IPv6]
What traffic?
class-map match-any peer2peer
 match protocol kazaa2
 match protocol gnutella
 match protocol fasttrack
How to treat the traffic?
policy-map limit-p2p
 class peer2peer
  bandwidth percent 10
Where to apply?
interface Serial1
 service-policy input limit-p2p
Stateful classification for creating policies for v4/v6 traffic, simplifying policy management
Discover applications using NBAR2
Supports both input and output traffic
Modular QoS Traffic Classification – Simplified Policies using NBAR2 Attributes
Discover applications using NBAR2 attributes: category, sub-category, device-type, etc.
What traffic?
class-map my-class
 match protocol attribute category file-sharing
How to treat the traffic?
policy-map limit-p2p
 class my-class
  bandwidth percent 10
Where to apply?
interface Serial1
 service-policy input limit-p2p
[Diagram: Headquarters with WAN1 (DMVPN) and WAN2 (FlexVPN) connecting customer, partner and branch sites]
Modular QoS Traffic Classification – Simplified Policies using NBAR2 Attributes
Match on applications or pre-defined attributes:
class-map match-any p2p-class
 match protocol kazaa2
 match protocol attribute application-group bittorrent-group
 match protocol attribute sub-category p2p-networking
Exclude Viber and Skype from sub-category voice-video-chat-collaboration:
class-map match-any excluded-apps
 match protocol skype
 match protocol viber
class-map match-all voice-video-chat-app
 match protocol attribute sub-category voice-video-chat-collaboration
 match not class-map excluded-apps
[Diagram: Headquarters with WAN1 (DMVPN) and WAN2 (FlexVPN) connecting customer, partner and branch sites]
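The class-map semantics used on these slides (match-any versus match-all, matching on a protocol name or on a pre-defined attribute, and excluding another class-map with match not) can be modelled outside the router to check what a policy will actually catch. The Python below is an added example, not code from the deck or from Cisco: it evaluates the three class-maps from this slide against a small, constructed application attribute table. The citrix and webex-meeting rows follow the show ip nbar protocol-attribute output shown earlier in the deck; the skype, viber, bittorrent and kazaa2 rows and the top-down policy-map order are assumptions for the demo.

```python
"""Model of NBAR2/MQC class-map evaluation (added example, not Cisco code).

Reproduces the matching semantics shown on the slide: class-map match-any
vs. match-all, `match protocol`, `match protocol attribute <type> <value>`
and `match not class-map <name>`, evaluated against a small constructed
application attribute table shaped like `show ip nbar protocol-attribute`.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed attribute table. citrix and webex-meeting follow the deck's
# show output; the other rows are assumptions for this demo.
APP_ATTRIBUTES: Dict[str, Dict[str, str]] = {
    "citrix": {"category": "business-and-productivity-tools",
               "sub-category": "terminal", "application-group": "other"},
    "webex-meeting": {"category": "voice-and-video",
                      "sub-category": "voice-video-chat-collaboration",
                      "application-group": "webex-group"},
    "skype": {"category": "voice-and-video",
              "sub-category": "voice-video-chat-collaboration",
              "application-group": "skype-group"},
    "viber": {"category": "voice-and-video",
              "sub-category": "voice-video-chat-collaboration",
              "application-group": "other"},
    "bittorrent": {"category": "file-sharing",
                   "sub-category": "p2p-networking",
                   "application-group": "bittorrent-group"},
    "kazaa2": {"category": "file-sharing",
               "sub-category": "p2p-networking",
               "application-group": "other"},
}

Matcher = Callable[[str], bool]


@dataclass
class ClassMap:
    """One class-map: a list of match statements combined with any/all."""
    name: str
    match_all: bool = False  # False models `match-any` (the IOS default)
    matches: List[Matcher] = field(default_factory=list)

    def evaluate(self, app: str) -> bool:
        results = [m(app) for m in self.matches]
        return all(results) if self.match_all else any(results)


def match_protocol(proto: str) -> Matcher:
    # match protocol <name>
    return lambda app: app == proto


def match_attribute(attr_type: str, value: str) -> Matcher:
    # match protocol attribute <type> <value>; unknown apps have no attributes
    return lambda app: APP_ATTRIBUTES.get(app, {}).get(attr_type) == value


def match_not_class_map(cm: ClassMap) -> Matcher:
    # match not class-map <name>: negate another class-map's verdict
    return lambda app: not cm.evaluate(app)


# class-map match-any p2p-class
p2p_class = ClassMap("p2p-class", matches=[
    match_protocol("kazaa2"),
    match_attribute("application-group", "bittorrent-group"),
    match_attribute("sub-category", "p2p-networking"),
])

# class-map match-any excluded-apps
excluded_apps = ClassMap("excluded-apps", matches=[
    match_protocol("skype"),
    match_protocol("viber"),
])

# class-map match-all voice-video-chat-app
voice_video_chat_app = ClassMap("voice-video-chat-app", match_all=True, matches=[
    match_attribute("sub-category", "voice-video-chat-collaboration"),
    match_not_class_map(excluded_apps),
])

# Assumed policy-map order: classes are tried top-down, first hit wins.
POLICY: List[ClassMap] = [p2p_class, voice_video_chat_app]


def classify(app: str, class_maps: List[ClassMap] = POLICY) -> str:
    """Return the first matching class-map name, or class-default."""
    for cm in class_maps:
        if cm.evaluate(app):
            return cm.name
    return "class-default"


if __name__ == "__main__":
    for name in list(APP_ATTRIBUTES) + ["unknown-app"]:
        print(f"{name:15} -> {classify(name)}")
```

The match-all class-map is where the exclusion matters: skype and viber carry the voice-video-chat-collaboration sub-category, so a match-any class on that attribute alone would pull them in, while the negated class-map keeps them out and lets them fall through to class-default.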
NetFlow and NBAR Integration
Traditional NetFlow
• Monitors data in Layers 2 through 4
• Application classification by port or port/IP address
• Flow information: who, what, when, where
NBAR
• Examines data from Layers 3 through 7
• Utilizes Layers 3 and 4 plus packet inspection for classification
• Stateful inspection of dynamic-port traffic
[Diagram: a data packet (link layer header, IP header, TCP/UDP header, data); NetFlow keys on interface, source/destination IP address, source/destination port, protocol and ToS and records packet and byte counts, while NBAR performs deep packet (payload) inspection]
NBAR Field Extraction into Flexible NetFlow
router(config)# flow record My_record
router(config-flow-record)# match application name
router(config-flow-record)# collect application http host
router(config-flow-record)# collect application http url
router(config)# flow monitor My_monitor
router(config-flow-monitor)# record My_record
router(config)# interface gig1/1
router(config-if)# ip flow monitor My_monitor input
show flow mon My_monitor cache
IPV4 SRC ADDR    IPV4 DST ADDR    APP NAME     Hostname          URL
===============  ===============  ===========  ================  ======
10.0.1.1         10.0.1.2         nbar http    www.google.com    /news
NBAR extracts fields from flows and exposes them in Flexible NetFlow
Exporting these fields to external receivers may require the IPFIX protocol in the exporter definition
In-Service NBAR Application Definition Update
NBAR: PDLM (e.g., bittorrent.pdlm, citrix.pdlm)
 ip nbar pdlm <path_to_pdlm_file>
NBAR2: Protocol Pack (a bundle of multiple PDLMs)
 ip nbar protocol-pack <path_to_protocol_pack>
IOS#show ip nbar protocol-pack active
Active Protocol Pack:
Name: Advanced Protocol Pack
Version: 7.1
Publisher: Cisco Systems Inc.
NBAR Engine Version: 18
State: Active
IOS-XE#show ip nbar protocol-pack active
Active Protocol Pack:
Name: Advanced Protocol Pack
Version: 10.0
Publisher: Cisco Systems Inc.
NBAR Engine Version: 18
Creation Time: Mon Mar 10 2014
File: bootflash:pp-adv-asr1k-154-2.S-18-10.0.0.pack
State: Active
New IOS and IOS XE releases ship with new PDLs (Protocol Description Language): show ip nbar version
A PDLM defines updates or new applications
A bundle of multiple PDLMs is released as a protocol pack: show ip nbar protocol-pack
Cisco Prime Infrastructure – Monitor QoS Performance
• Top Applications over Time
• QoS Class Map Statistics
• QoS Queue Drops
• QoS Pre/Post Traffic Rate
Branch Office: ISR G2 + CWS – Enterprise branches using split tunneling to Internet
[Diagram: Cisco ISR G2 with Cloud Web Security, Cisco IOS Firewall and Cisco IOS IPS; POS and local LAN in a wired security zone, guest users in a wireless security zone; IPsec VPN to the head office and secure split tunneling of web traffic to Cloud Web Security on the Internet]
• Consistent policy, security, and reporting for all users
• Faster deployments and less complexity
ISR G2 + CWS Benefits
• No HTTP proxy settings changes for the web browsers
• Authentication
– Single Sign-On with LDAP and AD
– NTLM, HTTP Basic
• Cloud Web Security Portal configuration, provisioning, and reporting
• ISR Connector works with other IOS Security services (e.g., FW, IPS, VPN)
ISR G2 + CWS Functionality
• IOS (universal) images with security feature set (SEC) licenses
• Platforms: 880, 890, 19XX, 29XX and 39XX/E ISR G2; (Not on IOS XE)
• Decryption/re-encryption of HTTP/HTTPS traffic
• Outbreak Intelligence and malware scanning
router(config)# parameter-map type content-scan global
router(config-profile)# server scansafe primary name proxyABC.scansafe.net port http 8080 https 8080
router(config-profile)# server scansafe secondary name proxyXYZ.scansafe.net port http 8080 https 8080
router(config-profile)# license 7 <CWS_license>
router(config-profile)# source interface GigabitEthernet0/1
router(config-profile)# timeout server 30
router(config-profile)# server scansafe on-failure block-all
router(config)# int g0/0
router(config-if)# content-scan out
Cloud Web Security: Web Category Filters
Cloud Web Security: Application Behavior Filters
Cloud Web Security: Preconfigured IDs
Cisco Identity Services Engine (ISE) – All-in-One Enterprise Policy Control
[Diagram: identity and context attributes – who (VM client, IP device, guest, employee, remote user), what, where (wired, wireless, VPN), when, how – feed business-relevant security policies]
ISE Live Session Log – Real-time Authentication/Authorization Visibility and Control
[Screenshot: CoA can be sent directly from the live session log]
Cisco ASA-X Next Generation Firewall – Main Features
• Active & Passive Authentication
• Application Visibility & Control (Broad and Web)
• SSL/TLS Decryption
• HTTP Inspection
• Web Reputation
• URL Filtering
• Reporting
• Eventing
• Layer 3, 4, and 7 Access Rules
• Intrusion Prevention (IPS)
Cisco ASA-X – Classic Stateful Firewall + Next Generation Firewall
ASA (classic stateful firewall): IP fragmentation, IP option inspection, TCP intercept, TCP normalization, ACL, NAT, VPN termination, routing, botnet filtering
CX (NGFW): TCP proxy, TLS proxy, AVC, multiple policy decision points, HTTP inspection, URL category/reputation, IPS
ASA 5585-X Hardware Architecture
• NGFW SSP and ASA SSP
• Two hard drives, RAID 1 (event data)
• 10GE and GE ports; two GE management ports
ASA 5500-X Hardware Architecture
• 120 GB SSD (the 5585-X uses a spinning 600 GB disk)
• The ASA shuts down the NGFW service when all storage is removed
• RAID only on the 5545-X and 5555-X (and 5585-X)
• Shares the management port with the ASA
• Feature parity across all ASA platforms
[Diagram: ASA 5555-X – I/O expansion slot, status LEDs, serial console, USB, 8 x 1GE copper ports, redundant hot-swappable PSU, dedicated 1GE management port]
ASA Packet Flow Diagram
[Diagram: ASA (CPU complex, fabric switch, crypto engine, ports, 10GE NICs) and NGFW (CPU complex, fabric switch, RegEx engine, 10GE NICs) connected over the backplane. Red = ASA ingress; yellow = traffic matched for NGFW inspection; green = traffic allowed (ASA egress)]
All traffic ALWAYS enters and exits the ASA
Packet Processing (Non-HTTP Traffic)
Packet Ingress (ASA) → Service Policy (ASA) → NGFW ingress → L3/L4 Check → Broad AVC → Access Policy → Packet Egress (ASA)
All traffic enters the ASA, and if the policy verdict is “allow”, it exits the ASA, not the NGFW.
All traffic that reaches the NGFW is subject to Broad AVC engine inspection.
Packet Processing (HTTP Traffic)
Packet Ingress (ASA) → Service Policy (NGFW Ingress) → L3/L4 Check → Broad AVC → Web AVC (HTTP Inspector) → Access Policy → Packet Egress (ASA)
If Broad AVC classifies traffic as HTTP/HTTPS, the Web AVC inspection engine is applied.
Redirecting Traffic to ASA NGFW
ASA Modular Policy Framework
PRSM Monitor-only Mode
access-list CX extended permit ip any any
!
!
class-map cx_class
match access-list CX
!
!
policy-map global_policy
class inspection_default
<SNIP>
class cx_class
cxsc fail-open
Applications: Visibility with Control
• App Behavior: control user interaction with the application
• MicroApp Engine: deep classification of targeted traffic; more than 150,000 MicroApps
• Broad: classification of all traffic; more than 1200 apps (e.g., Facebook, Skype, FarmVille, Yahoo, iTunes, YouTube, Google+)
Malware Defense with Intelligence – Cisco Security Intelligence Operations
Questions answered: Valid SMTP connection? Bad or unwanted content? Command & control site? Hostile action? Malicious content on the endpoint?
Inputs: reputation, signatures, threat research, domain registration, content inspection, spam traps, honeypots, crawlers, blocklists & reputation, 3rd party partnerships
Output: platform-specific rules & logic
Understanding Web Reputation Scores
Default web reputation profile, scale -10 to +10: Suspicious (-10 through -6), Not suspicious (-5.9 through +10)
From most to least suspicious:
• Dedicated or hijacked sites persistently distributing key loggers, root kits and other malware. Almost guaranteed malicious.
• Phishing sites, bots, drive-by installers. Extremely likely to be malicious.
• Aggressive ad syndication and user tracking networks. Sites suspected to be malicious, but not confirmed.
• Sites with some history of responsible behavior or 3rd party validation.
• Well managed, responsible content syndication networks and user generated content.
• Sites with a long history of responsible behavior. Have significant volume and are widely accessed.
ASA NGFW File Filtering Profiles
Enable blocking of upload/download of specified MIME types (wildcards or specific sub types)
Can only be applied to policies with the ‘Allow’ action
End User Notifications are provided
ASA NGFW Controlling Web Application Behavior
Enforces policies where application access can be balanced with acceptable usage
HTTP and decrypted HTTPS application behavior can be controlled
Can only be enabled on ‘allow policies’
Controls can also be seen in the application database
ASA NGFW Identity Integration – Passive Authentication Architecture
[Diagram: a domain user logs in; the Active Directory Domain Controller records the user login event in its security log; the Cisco Context Directory Agent (CDA) server reads the login event (WMI) and sends the domain username/realm to IP mapping to the Cisco ASA + NGFW (RADIUS); the ASA retrieves domain username and group information from AD (LDAP); traffic to the Internet is controlled by access policies which leverage identity]
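The passive-authentication chain on this slide is easiest to reason about as data: a username-to-IP mapping table fed by login events, a group lookup, and an access policy that consumes both. The Python below is an added example, not Cisco's code or the CDA's implementation; the event fields, the one-hour mapping TTL, the AD group table and the access policy are all constructed. It shows why the mapping has to be kept current: when a second user logs in from an address another user previously held, the newer login replaces the mapping, and a mapping older than the TTL is treated as unknown rather than granting the old identity's access.

```python
"""Model of passive authentication (added example, not Cisco/CDA code).

A CDA-like mapper ingests constructed domain-controller logon events and
keeps an IP -> user table; an identity-aware access rule resolves a client
IP to a user and AD group before deciding. All data here is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAPPING_TTL = 3600  # seconds; constructed value, real deployments tune this


@dataclass
class LogonEvent:
    ts: int    # seconds since epoch (constructed)
    user: str  # DOMAIN\user as logged by the domain controller
    ip: str    # client IP carried in the security-log event


class IdentityMap:
    """IP -> (user, last-seen) table, like the one CDA pushes to the ASA."""

    def __init__(self, ttl: int = MAPPING_TTL):
        self.ttl = ttl
        self._by_ip: Dict[str, Tuple[str, int]] = {}

    def ingest(self, ev: LogonEvent) -> None:
        # Latest logon for an IP wins: a new user on a reused DHCP address
        # replaces the previous mapping instead of inheriting its identity.
        self._by_ip[ev.ip] = (ev.user, ev.ts)

    def lookup(self, ip: str, now: int) -> Optional[str]:
        entry = self._by_ip.get(ip)
        if entry is None:
            return None
        user, seen = entry
        if now - seen > self.ttl:
            del self._by_ip[ip]  # stale mapping: treat the host as unknown
            return None
        return user


# Constructed stand-in for the LDAP group query the ASA performs.
AD_GROUPS: Dict[str, List[str]] = {
    "EXAMPLE\\alice": ["Domain Users", "Finance"],
    "EXAMPLE\\bob": ["Domain Users", "Guests"],
}

# Constructed identity-based access policy: (group, destination, action);
# rules are evaluated top-down and the first match wins.
POLICY = [
    ("Finance", "payroll.example.com", "allow"),
    ("Domain Users", "payroll.example.com", "deny"),
    ("Domain Users", "*", "allow"),
]


def decide(idmap: IdentityMap, src_ip: str, dest: str, now: int) -> str:
    """Resolve IP -> user -> groups, then apply the identity policy."""
    user = idmap.lookup(src_ip, now)
    if user is None:
        return "deny"  # no usable identity: default deny (constructed choice)
    groups = AD_GROUPS.get(user, [])
    for group, pattern, action in POLICY:
        if group in groups and (pattern == "*" or pattern == dest):
            return action
    return "deny"


# Constructed security-log events, in arrival order.
EVENTS = [
    LogonEvent(1000, "EXAMPLE\\alice", "10.0.1.10"),
    LogonEvent(1200, "EXAMPLE\\bob", "10.0.1.11"),
    LogonEvent(1500, "EXAMPLE\\bob", "10.0.1.10"),  # bob now holds alice's old address
]


def run_demo() -> Dict[str, str]:
    idmap = IdentityMap()
    for ev in EVENTS[:2]:
        idmap.ingest(ev)
    results = {"alice_before": decide(idmap, "10.0.1.10", "payroll.example.com", 1300)}
    idmap.ingest(EVENTS[2])  # address reuse: mapping for 10.0.1.10 flips to bob
    results["bob_after"] = decide(idmap, "10.0.1.10", "payroll.example.com", 1600)
    results["bob_web"] = decide(idmap, "10.0.1.10", "www.example.com", 1600)
    # bob's 10.0.1.11 mapping has aged past the TTL: no identity, so deny
    results["stale"] = decide(idmap, "10.0.1.11", "www.example.com", 1200 + MAPPING_TTL + 1)
    return results


if __name__ == "__main__":
    for key, verdict in run_demo().items():
        print(f"{key:13} {verdict}")
```

The two edge cases exercised by run_demo are the ones that make passive authentication weaker than active authentication: the firewall never sees credentials, so its decision is only as good as the freshness of the login-event feed and the policy it applies when no mapping exists.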
Next Generation Firewall – A Definition
• Traffic Prioritization & Policing
• Deep Packet Inspection
• Addition to Traditional Firewalls and IPS
• Decryption
• Reputation-based Malware Filtering
• Identity Integration
Source: http://www.webopedia.com/TERM/N/next_generation_firewall_ngfw.html
Next Generation Firewall Services on IOS & ASA
Feature                                    IOS (ASR & ISRg2)           ASA
Traffic Prioritization & Policing          Modular QoS CLI             ASA QoS
Deep Packet Inspection: Non-HTTP           NBAR2                       NGFW Broad AVC
Deep Packet Inspection: HTTP Application   NBAR2 / Cloud Web Security  NGFW Web AVC
HTTPS Decryption                           Cloud Web Security          NGFW TLS Proxy
Reputation-based Malware Filtering         Cloud Web Security          Cisco SIO
Identity                                   ISE                         Identity Firewall/NGFW
Management                                 Prime Infrastructure        Prime Security Manager
Design Recommendations
• ASA at Internet edge
– AnyConnect Secure Mobility
– Cisco SIO
• ASR 1000 (IOS-XE) at HQ WAN
– Site-to-site VPN options
– Application SLA assurance
• ISRg2 (IOS) at Branch
– Cloud Web Security
– UCS E-Series
[Diagram: ASA at the Internet edge with Cisco Security Intelligence Operations; ASR routers at Headquarters; ISR routers at customer, partner and branch sites over WAN1 (DMVPN) and WAN2 (FlexVPN)]
Reference
• NBAR Protocol Library: http://www.cisco.com/en/US/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/nbar-prot-pack-library.html
• NBAR Configuration: http://www.cisco.com/en/US/docs/ios-xml/ios/qos_nbar/configuration/15-mt/qos-nbar-15-mt-book.html
• IOS AVC Configuration: http://www.cisco.com/en/US/docs/ios/solutions_docs/avc/ios_xe3_9/avc_config.html
• ActionPacked! Networks: http://www.actionpacked.com/
• CA-NetQoS: http://www.ca.com/us/content/Integration/netqos.aspx
• InfoVista: http://www.infovista.com/
• ASA Next Generation Firewall Services: http://www.cisco.com/go/asacx
• ASA NGFW Applications Portal: http://tools.cisco.com/security/center/avc.x
• Security Intelligence Operations: http://www.cisco.com/go/sio