Security and Virtualization in the Data Center
TRANSCRIPT
Cisco Confidential © 2015 Cisco and/or its affiliates. All rights reserved. 1
Security and Virtualization in the Data Center
Ronnie Scott - CCIE 4099
T-DC-13-I
May 19th 2016
In collaboration with
Housekeeping notes
Thank you for attending Cisco Connect Toronto 2016. Here are a few housekeeping notes to ensure we all enjoy the session today.
• Please ensure your cellphones / laptops are set on silent to ensure no one is disturbed during the session
Agenda
• The New Security Landscape
• Defense By Design
• Bringing The Big Guns
• Conclusion
Data Center Security Challenges
PROVISIONING: Simplify and Unify security solutions
SCALABILITY: Evolve while maintaining Security and Compliance
PROTECTION: Stay ahead of evolving threats
• 95% of firewall breaches caused by misconfiguration*
• 12% YoY growth of devices 2014-2019
• Over 100K new threats per day
* Greg Young, Gartner Inc
Attacker Profiles
Organized Crime
• Out to make money
• Needs organization to stay profitable
• Typically smash-and-grab style or drive-by
Graffiti and Activism
• Attack you for fame
• To make a point
• Can be a nuisance
• Can also draw unwanted attention
State Sponsored Cyber Warfare
• Extremely advanced
• Companies are generally at a disadvantage
• Hard to defend
• Atypical
Espionage
• Somewhere between Organized Crime and Military
• Could be state sponsored
• Replicating Intellectual Property
• Gain human intelligence
The Big 5 - 2016 (Kim Zetter – Wired Magazine, Jan 1, 2016)
• Extortion
• Data Manipulation
• Card Not Present
• IOT Zombies
• Backdoors
The Server Is Virtualized
• One Server - Multiple Guests
• Hypervisor abstraction hides the hardware
• Partitioned system resources
• Application & OS encapsulation
(Diagram labels: Financials, CRM, Exchange, ERP, Oracle, SAP)
Common Virtualization Concerns
• Physical Tools in a Virtual World
• Operations and Management Obfuscation
• Changes in Roles and Responsibilities
• Machine and Application Segmentation
(Diagram labels: Hypervisor; Initial Infection; Secondary Infection)
Back to the basics … Ships in the night
Cisco SAFE
The VMDC Architecture
But what our customers want…
…is the vision on the box. (Not the one on the carpet)
SAFE Simplifies the Security Conversation One Step at a Time
Capability Phase → Architecture Phase → Design Phase
Break the Network into Domains
Security Domains per PIN
• WAN
• Branch
• Campus
• Data Center
• Edge
Mapping The Problem
(Diagram labels: WAN / Campus Core; Campus; Branch: Site 1, Site 2; Edge; DC Core; Shared Services: DNS, DHCP, SQL, SLB; App 1: Web, App, DB; App 2: Web, App)
Business Requirements Per Domain
When done, try to rank by importance
Data Center
• Protect Customer Data
• Must be easy to operationalize
• Support Role-based Network Segmentation
• Measurable Security Increase
Example: PCI Domain at Branch Office
Identify the Threats, Risks, and Policy
Also, identify the mitigating capabilities that should be considered
Data Center Domain
• Policy: Role-based Network Segmentation
• Risk: Lateral Spread of Breach
• Threat: Exploitation of Trust
Example: PCI Domain at Branch Office
Security Capabilities Design
Security Capabilities Design Example
1. No Products
2. Vendor-agnostic
(Diagram labels: To Campus; To Edge; WAN; L2/L3 Network; Access Control + TrustSec; Next-Gen Intrusion Prevention System; Next-Generation Firewall; Router; Firewall; VPN; Switch; Web Application Firewall; Load Balancer; Flow Analytics; Host-based Security; Anti-Malware; Threat Intelligence; Shared Services Zone; App Server Zone; PCI Compliance Zone; Database Zone; Virtualized Capabilities; Centralized Management: Policy/Configuration, Visibility/Context, Analysis/Correlation, Analytics, Logging/Reporting, Threat Intelligence, Vulnerability Management, Monitoring)
Security Capabilities Design Example (continued)
3. Identify existing capabilities
4. What are common missing capabilities?
Interconnected Enclaves
(Enclave diagram, repeated for three enclaves: Web Group with Web Servers, App Group with App Servers, DB Group with DB servers; an Intra-Zone Firewall inside each group and an Inter-Zone Firewall between groups; rules: Permit TCP/80 (HTTP), Permit TCP/22 (SSH), Permit Web to App, Permit App to DB, Deny All)
(Diagram labels: BBI; Data Center Core; DMZ; Campus; ACLs/Firewall; ACLs/Firewall; AMP or IDS)
Shared Services
(Diagram: the same three enclaves, plus a Data Center Core with Backup Servers behind an Inter-Zone Firewall; rule: Permit TCP/5000-5010)
Inside The Enclave
(Diagram: one enclave with Web Group (Web Servers), App Group (App Servers), DB Group (DB servers), Intra-Zone Firewalls and an Inter-Zone Firewall; rules: Permit TCP/80 (HTTP), Permit TCP/22 (SSH), Permit Web to App, Permit App to DB, Deny All; additional labels: User; Perimeter Firewall; AMP or IPS; SLB; WAAS; SLB)
Architecture Phase: Assign capabilities to devices
Building the Solution: Lower-level designs with the details
Physical vs. Virtualized
(Diagram: four enclaves, each with Web Group (Web Servers), App Group (App Servers), DB Group (DB servers) and Intra-Zone Firewalls; rules: Permit TCP/80 (HTTP), Permit TCP/22 (SSH), Permit Web to App, Permit App to DB, Deny All)
Virtualized vs. Virtualization
(Diagram: four enclaves, each with Web Group (Web Servers), App Group (App Servers), DB Group (DB servers) and Intra-Zone Firewalls; rules: Permit TCP/80 (HTTP), Permit TCP/22 (SSH), Permit Web to App, Permit App to DB, Deny All)
Cloud Provisioning Stack
Automation and Orchestration
(Diagram: four enclaves, each with Web Group (Web Servers), App Group (App Servers), DB Group (DB servers), Intra-Zone Firewalls and an Inter-Zone Firewall; rules: Permit TCP/80 (HTTP), Permit TCP/22 (SSH), Permit Web to App, Permit App to DB, Deny All)
Layers: Self-Service, Orchestration, Automation
Security Solutions Strategic Imperatives
• Visibility-Driven: Network-Integrated, Broad Sensor Base, Context and Automation
• Threat-Focused: Continuous Advanced Threat Protection, Cloud-Based Security Intelligence
• Platform-Based: Agile and Open Platforms, Built for Scale, Consistent Control, Management
Across Network, Endpoint, Mobile, Virtual, Cloud
Layer 2 Segmentation: PVLANs for Physical and Virtual Isolation
• Isolate VMs in shared Layer 2 subnet
• Limit communication to Layer 3 gateway
• ACLs block unwanted communication
(Diagram labels: Web-zone, Application-zone, Fileserver-zone; Nexus 7000 with VRF; Nexus 1000V; UCS; Hypervisor; Primary VLAN 20; Isolated VLAN 100; Isolated VLAN 200; Community VLAN 300; .1Q Trunk)
ACI Security: Automated Security With Built In Multi-Tenancy
Embedded Security / Security Automation
• White-list Firewall Policy Model
• RBAC rules
• Hardened CentOS 7.2
• Authenticated Northbound API (X.509)
• Encrypted Intra-VLAN (TLS 1.2)
• Secure Key-store for Image Verification
• Dynamic Service Insertion and Chaining
• Closed Loop Feedback for Remediation
• Centralized Security Provisioning & Visibility
• Security Policy Follows Workloads
Distributed Stateless Firewall; Line Rate Security Enforcement; Open: Integrate Any Security Device; PCI, FIPS, CC, UC-APL, USG-v6; ACI Services Graph
Micro-Segmentation
• Hypervisor Agnostic (ESX, Hyper-V, KVM*)
• Physical, Virtual Machine, Container
• Attribute Based Isolation/Quarantine
• Point and Click Micro-segmentation
• TrustSec-ACI Integration
Encryption
• Link MACSEC
• INS-SEC Overlay Encryption
• MKA, SAP
• GCM-AES-256/128-XPN
• GCM-AES-256/128
Segmentation begins with visibility
You can’t protect what you can’t see
Who is on the Network?
And what are they up to?
Make Fully Informed Decisions with Rich Contextual Awareness
| Context | Poor Context Awareness | Extensive Context Awareness |
| --- | --- | --- |
| Who | IP address 192.168.1.51 | Bob |
| What | Unknown | Tablet, iOS, v. 9.1x |
| Where | Unknown | Building 200, first floor |
| When | Unknown | 11:00 a.m. EST on April 10 |
| How | Unknown | Wireless |
| Result | Any user, any device, anywhere gets on the network | The right user, on the right device, from the right place is granted the right access |
Visibility with Cisco Identity Services Engine (ISE): Discover Known and Unknown in Your Network
(Diagram labels: Partner Context Data; Network / User Context: Who, What, Where, When, How; Access Policy; PxGrid; Consistent secure access policy across wired, wireless and VPN)
Flexible and Scalable Policy Enforcement
(Diagram labels: Switch, Router, DC FW, DC Switch)
• Security Control Automation
• Simplified Access Management
• Improved Security Efficacy
Traditional Security Policy (sample ACL from the slide):
access-list 102 deny icmp 76.176.66.41 0.255.255.255 lt 278 169.48.105.37 0.0.1.255 gt 968access-list 102 permit ip 8.88.141.113 0.0.0.127 lt 2437 105.145.196.67 0.0.1.255 lt 4167access-list 102 permit udp 60.242.95.62 0.0.31.255 eq 3181 33.191.71.166 255.255.255.255 lt 2422access-list 102 permit icmp 186.246.40.245 0.255.255.255 eq 3508 191.139.67.54 0.0.1.255 eq 1479access-list 102 permit ip 209.111.254.187 0.0.1.255 gt 4640 93.99.173.34 255.255.255.255 gt 28access-list 102 permit ip 184.232.88.41 0.0.31.255 lt 2247 186.33.104.31 255.255.255.255 lt 4481access-list 102 deny ip 106.79.247.50 0.0.31.255 gt 1441 96.62.207.209 0.0.0.255 gt 631access-list 102 permit ip 39.136.60.170 0.0.1.255 eq 4647 96.129.185.116 255.255.255.255 lt 3663access-list 102 permit tcp 30.175.189.93 0.0.31.255 gt 228 48.33.30.91 0.0.0.255 gt 1388access-list 102 permit ip 167.100.52.185 0.0.1.255 lt 4379 254.202.200.26 255.255.255.255 gt 4652access-list 102 permit udp 172.16.184.148 0.255.255.255 gt 4163 124.38.159.247 0.0.0.127 lt 3851access-list 102 deny icmp 206.107.73.252 0.255.255.255 lt 2465 171.213.183.230 0.0.31.255 gt 1392
Software Defined Segmentation: Business Policy, Building a Policy Matrix
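To make the policy-matrix idea concrete, here is an added Python model (not Cisco code, and not from the deck) of the Web/App/DB enclave policy with Deny All as the default, plus the host-by-host ACL the same matrix expands into. The addressing, the DB port 1433, and the placement of the SSH and HTTP rules are assumptions.

```python
"""Security-group policy matrix for the Web / App / DB enclaves (illustrative)."""
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Static classification: subnet -> security group (constructed addressing).
SUBNET_GROUPS = {
    ip_network("10.1.1.0/24"): "Web",
    ip_network("10.1.2.0/24"): "App",
    ip_network("10.1.3.0/24"): "DB",
    ip_network("10.9.0.0/24"): "Backup",
}
# Dynamic classification (an SGT learned from a VM binding, for example)
# takes precedence, so the policy follows the workload rather than the IP.
DYNAMIC_BINDINGS: Dict[str, str] = {}

def bind_sgt(ip: str, group: str) -> None:
    """Record a dynamically learned group for an endpoint address."""
    DYNAMIC_BINDINGS[ip] = group

def classify(ip: str) -> Optional[str]:
    """Return the security group for an address, or None if unclassified."""
    if ip in DYNAMIC_BINDINGS:
        return DYNAMIC_BINDINGS[ip]
    addr = ip_address(ip)
    for net, group in SUBNET_GROUPS.items():
        if addr in net:
            return group
    return None

# Policy matrix: (source group, destination group) -> permitted TCP ports.
# Cells mirror the slide rules; which zone owns SSH/HTTP and the DB port
# are assumptions. A missing cell means Deny All.
MATRIX: Dict[Tuple[str, str], FrozenSet[int]] = {
    ("Web", "Web"): frozenset({22}),                 # intra-zone: Permit TCP/22 (SSH)
    ("Web", "App"): frozenset({80}),                 # Permit Web to App (TCP/80 HTTP)
    ("App", "DB"): frozenset({1433}),                # Permit App to DB (assumed port)
    ("Backup", "DB"): frozenset(range(5000, 5011)),  # Permit TCP/5000-5010
}

def evaluate(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (verdict, reason); anything not matched by a cell is denied."""
    src_g, dst_g = classify(src), classify(dst)
    if src_g is None or dst_g is None:
        return "deny", "unclassified endpoint"
    scope = "intra-zone" if src_g == dst_g else "inter-zone"
    if dport in MATRIX.get((src_g, dst_g), frozenset()):
        return "permit", f"{scope} {src_g}->{dst_g} tcp/{dport}"
    return "deny", f"{scope} {src_g}->{dst_g} tcp/{dport} not in matrix"

# Constructed sample hosts, used to size the equivalent address-based ACL.
SAMPLE_HOSTS: Dict[str, List[str]] = {
    "Web": ["10.1.1.10", "10.1.1.11", "10.1.1.12"],
    "App": ["10.1.2.10", "10.1.2.11", "10.1.2.12"],
    "DB": ["10.1.3.10", "10.1.3.11", "10.1.3.12"],
    "Backup": ["10.9.0.5"],
}

def expand_to_acl(hosts: Dict[str, List[str]]) -> List[str]:
    """Render the matrix as host-to-host permit lines, the traditional form."""
    lines = []
    for (sg, dg), ports in MATRIX.items():
        for s in hosts.get(sg, []):
            for d in hosts.get(dg, []):
                for p in sorted(ports):
                    lines.append(f"permit tcp host {s} host {d} eq {p}")
    return lines

if __name__ == "__main__":
    bind_sgt("10.1.2.77", "Web")  # a Web VM that landed in the App subnet
    for flow in (("10.1.1.10", "10.1.2.10", 80),     # Web -> App: permitted
                 ("10.1.1.10", "10.1.3.10", 1433),   # Web -> DB: lateral, denied
                 ("10.1.2.77", "10.1.3.10", 1433)):  # moved Web VM still denied
        print(flow, *evaluate(*flow))
    print(len(MATRIX), "cells expand to", len(expand_to_acl(SAMPLE_HOSTS)), "ACL lines")
```

Four matrix cells become 60 host-level lines for only ten hosts; the matrix stays the same size as hosts are added or moved, which is the operational point behind the slide's contrast.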
TrustSec Components
(Diagram: Classification at the User / Endpoint with ISE and Directory; Propagation across Access Switch, Router, DC FW, DC Switch; Enforcement at HR Servers and Fin Servers)
TrustSec Security Groups Provisioned in ACI
ISE dynamically provisions TrustSec Security Groups in APIC-DC
(Diagram: TrustSec Security Groups ↔ ACI External (Outside Fabric) EPGs)
ACI Application Servers are Automatically Propagated to the TrustSec Domain
ISE dynamically learns EPGs and VM Bindings from ACI fabric
(Diagram: ACI Internal (Inside Fabric) EPGs → Security Group from APIC-DC; TrustSec Domain; VM1 … VM1000)
Assigning Security Groups
Dynamic Classification (Common Classification for Mobile Devices)
• 802.1X Authentication
• MAC Auth Bypass
• Web Authentication
→ SGT
Static Classification (Classification for Servers, Topology-based assignments)
• IP Address
• VLANs
• Subnets
• L2 Interface
• L3 Interface
• Virtual Port Profile
• Layer 2 Port Lookup
Nexus 1000V: SGT Assignment in Port Profile
• Port Profile
– Container of network properties
– Applied to different interfaces
• Server Admins assign Port Profiles
• VMs inherit SGT from port-profile
• SGT bound to the VM
Firewall Policy based on SGT
• Security Group definitions from ISE
• Trigger FirePower services by SGT policies
• Can still use Network Object (Host, Range, Network (subnet), or FQDN) AND / OR the SGT
Evolution of Firepower and ASA
• October 2013: Firepower AND ASA
• September 2014: ASA with Firepower Services ON the ASA-5500-X and ASA-5585-X
• March 2016: Firepower Threat Defense FOR the ASA-5500-X, FP-4100, and FP-9300
Introducing FirePOWER 9300
FirePOWER 9300 Security Appliance
• Ultra High Performance
• High Port Density
• Multi-Services
• Flexible Programmability
• Power Efficiency
• Best in Class Price & Performance Per RU
Security Modules
• Two configurations
– SM-36 “Extreme”: 72 x86 CPU cores (up to 80Gbps)
– SM-24 “Enterprise”: 48 x86 CPU cores (up to 60Gbps)
• Dual 800GB SSD in RAID1 by default
• Built-in hardware Smart NIC and Crypto Accelerator
– Hardware VPN acceleration
Introducing Virtual Security Gateway
• L2 transparent FW
• Inspection between L2 adjacent hosts
• Uses VMware attributes for policy
• L2 separation for East-West traffic
• One or more VSGs per tenant
• Based on Nexus 1000V vPath
(Diagram labels: Virtual Hosts)
Cisco ASAv Platforms
• Cisco® ASAv5: 100 Mbps
• Cisco ASAv10: 1 Gbps
• Cisco ASAv30: 2 Gbps
• ASA Code Base
• Hypervisor Agnostic
• Lab Edition license
Comparing Cisco Virtual Firewalls
| Cisco ASAv | Cisco VSG |
| --- | --- |
| Layer 2 and 3 modes | Layer 2 mode |
| Dynamic and static routing | No routing |
| DHCP server and client support | No DHCP support |
| Site-to-site and RA-VPN | No IPsec support |
| CLI and Cisco® ASDM, Cisco Security Manager, and APIC | Cisco Prime NSC |
| ASA CLI, SSH, and REST API | Limited CLI and SSH configuration |
Firepower Threat Defense (FTD)
Converged ASA+FirePOWER Image: FirePOWER capabilities + select ASA features
Firepower Management Center 6.0
Same subscriptions as FirePOWER Services
• Delivered via Smart Licensing only
• Threat (IPS + SI)
• Malware (AMP + ThreatGrid)
• URL Filtering
Firepower Threat Defense 6.0, ASA features:
• Unified ASA / Firepower Rules and Objects
• ASA Dynamic and Static NAT
• OSPFv2, BGP4, RIP, Static
• Syn Cookies, Anti-Spoofing
• ASA ALGs (fixed configuration)
• VMware and AWS Support
• Smart Licensing Support
Cisco StealthWatch System*: Network Reconnaissance Using Dynamic NetFlow Analysis
Monitor
• Understand your network normal
• Gain real-time situational awareness of all traffic
Detect
• Leverage Network Behavior Anomaly detection & analytics
• Detect behaviors linked to APTs, insider threats, DDoS, and malware
Analyze
• Collect & Analyze holistic network audit trails
• Achieve faster root cause analysis to conduct thorough forensic investigations
Respond
• Accelerate network troubleshooting & threat mitigation
• Respond quickly to threats by taking action to quarantine through Cisco ISE
*Cisco acquired Lancope Dec ‘15
Network as a Sensor: Host Lock Violation and Suspect Data Loss
(Diagram: Stores with POS Terminals, Wireless POS, Wireless AP, C3850 Unified Access and ISR G2 Routers; Private WAN (trusted); Data Center with ASA Firewall, Card Processor, Hacked Server, ISR G2 Routers, StealthWatch FlowCollector, StealthWatch Management Console and Cisco ISE; Credit Card Processor behind an ASA Firewall; Internet / Public Internet with a Compromised Server; flows: Updates from POS Server (HTTPS), Credit Card Processing (HTTPS), Command and Collect)
AMP Everywhere Deployment: AMP (Advanced Malware Protection) Deployment Options
| | Email and Web | AMP for Networks (AMP on FirePOWER) | AMP for Endpoints | AMP Private Cloud Virtual Appliance |
| --- | --- | --- | --- | --- |
| Method | License with ESA, WSA, CWS, or ASA customers | ASA w/ FP, FP Appliances | Install lightweight connector on endpoints | On-premises Virtual Appliance |
| Ideal for | New or existing Cisco CWS, Email/Web Security, ASA customers | IPS/NGFW customers | Windows, Mac, Android, and Linux | High-Privacy Environments |
| Details | ESA/WSA: Prime visibility into email/web; CWS: web and advanced malware protection in a cloud-delivered service; AMP capabilities on ASA with FirePOWER Services | Wide visibility inside network; Broad selection of features before, during, and after an attack | Comprehensive threat protection and response; Granular visibility and control; Widest selection of AMP features; Anyconnect delivery | Private Cloud option for those with high-privacy requirements; For endpoints and networks |
(Diagram labels: PC/MAC, Mobile, Virtual, Meraki (Soon))
OpenDNS Adds to Cisco’s Threat Prevention Portfolio
PRODUCTS & TECHNOLOGIES
• Umbrella (Enforcement): DNS based security service protects any device, anywhere
• Investigate (Intelligence): Discover and predict attacks before they happen
Advantages of a DNS-based Solution
• ANY OPERATING SYSTEM: Win, Mac, iOS, Android, Linux, ChromeOS, and even network devices and custom operating systems
• FAST AND SCALABLE: Extremely efficient query/response method
• SIMPLE TO DEPLOY: the network’s DHCP tells every connected device where to point DNS
Talos is the industry-leading threat intelligence organization. We detect and correlate threats in real time using the largest threat detection network in the world, protecting your organization against known and emerging cyber security threats.
Talos Research
Cisco Talos Security Intelligence & Research
(Diagram labels: IPS Rules; Malware Protection; Reputation Feeds; Vulnerability Database Updates; AEGIS™ Program; Private and Public Threat Feeds; Sandnets; FireAMP™ Community (300,000 detections added per day); Honeypots; Advanced Microsoft and Industry Disclosures; Crete Program (100,000 True Positive Events/Day); Snort and ClamAV Open Source Communities; File Samples (1,100,000 daily); Sandboxing; Machine Learning; Big Data Infrastructure; Threat Grid Community)
www.cisco.com/go/vmdc
www.cisco.com/go/safe
Thank you.
In collaboration with