Slide 11: SecureX Architecture Image
- Cisco SecureX takes the elements outlined in the Security Architecture Model and blends them to provide an integrated and collaborative approach to securing the entire distributed network, from the data center to the most remote worker.
- It starts with a trusted infrastructure of secured and tuned devices. The network is far more than plumbing; it becomes the core of both your network services and security.
- The network provides real-time information for visibility into what is happening on the network, and context-based information about such things as where devices are located, what resources they are attempting to access, etc.
- This is the who, what, when, where and how that then allows for enhanced control of the environment, so that granular security decisions can be made with precision.
- This context-based information can then be used not just at the network layer, but can be shared with a variety of enforcement points, whether integrated into network devices, operating as an overlay appliance, or running in the cloud.
- Core to this is the ability to centrally create policy about who and what can access the network, and how resources are used, across a wide spectrum of scenarios, including time, place, device, groups, etc.
- Then, take this centralized policy and push it across the entire networked environment for distributed enforcement.
- This allows for consistent security implementation (including consistent access control for users, devices, and guests) across network zones, branch offices, remote workers, virtualized devices, and cloud-based services.
- APIs allow Cisco to expand our solutions with a rich ecosystem of partners that can provide critical information and services into the network, and/or gather information in order to provide granular, detailed information about what is happening.
- Critical management tools and services, as well as highly trained partners specializing in network security, simplify the entire experience for customers.
- The final wrapper around this is Cisco’s industry-leading global security intelligence services. By analyzing vast amounts of real-time data across a spectrum of traffic, including web, email, network, cloud, and endpoints, Cisco is able to identify and deliver critical, real-time security updates to network and security devices to protect organizations from threats as they are occurring, as well as reputation-based information that significantly enhances the accuracy and effectiveness of local tools analyzing network traffic.
So how does this fit in with the broader Cisco? Cisco has a philosophy of a “One Cisco” architecture – and for enterprise and commercial customers it centers on Collaboration, Data Center/Virtualization, and Borderless Networks. Essentially this means that all of Cisco’s technologies are aligned to one of these three architectures – and they are not mutually exclusive. Borderless Networks has capabilities that encompass all architectures – for example, security and policy. And when you look at all three architectures, there are areas of overlap where each architecture
The changing business environment is also shifting user expectations of IT. The Cisco Connected World Report shows greater demand for the ability to work from anywhere with the user’s device of choice, while using video and rich media to enhance communications. Simultaneously, the report showed that IT is struggling with the performance and security implications associated with the proliferation of mobile devices and the delivery of a dynamic networked organization.
- 60% believe they don’t need to be in the office to be productive
- 66% would accept a lower-paying job (10%) for more work flexibility
- 45% work an extra 2-3 hours a day since they are able to work outside of the office (an additional 25% work 4+ hours)
- 45% of IT professionals are unprepared to make workforces more mobile
- 57% of IT professionals said security is the biggest challenge in supporting a mobile and distributed workforce
The CSO and Security team’s ultimate goal is to help the organization:
- Keep bad stuff out of their environment
- Keep good stuff (critical assets) protected no matter where they reside
- Be “in bounds” or compliant with requirements for the business
- Focus on consistent policies and controls, risk mitigation, auditing, reporting
- Keep critical services running and protected no matter what
- Ensure this at the application level, at the network level, and at the data center
- Enable productivity and innovation securely
- Implement cost controls and footprint reduction when designing and implementing security solutions
Threat intelligence is a critical component of any security strategy and architecture as the threats we face become more and more sophisticated. Effectively defending against the latest threats requires visibility – information and intelligence about the threats that exist – and control, the ability to use that information to eliminate the risk. Attackers are targeting users’ trust and social media usage to deliver blended threats very effectively. The use of only local data and signature-based detection is not effective in delivering proactive protection against today’s threats and attacks. And worst of all, once users have been infected, undetected malware can change security configurations, steal data and provide ongoing remote access to systems.

Attackers are targeting user trust around Facebook, which is attractive due to its pervasive use with over 500 million users. Facebook is only growing in popularity, and criminals find it easy to fool people into thinking they’re downloading legitimate updates instead of dangerous malware. And as users access Facebook from many different devices, especially mobile devices, the risk is even greater. An example of this is Koobface. Koobface (or Facebook backwards) has been around for some time but continues to evolve. The Koobface worm hijacks a machine by relying on a user to click through a link to download an update or visit a site. It prompts the user with a message such as “have you seen this video”; clicking it prompts the user to download the latest update to their Flash or video player, which is actually malware being installed onto their system. Without the latest threat intelligence on blended threats, users are likely to be infected with malware.

Beyond social media, criminals can make their exploits more successful by using names and brands that victims trust. In this case attackers use what appear to be legitimate messages about updates from Microsoft to trick users into installing malware.
In January, criminals sent emails that pretended to alert people to critical security updates from Microsoft. The email message was supposedly signed by Steve Lipner, who is actually a senior director of security engineering strategy at Microsoft – so recipients were led to believe the message was legitimate. Users were told to download what they thought were security patches. But what they actually downloaded was a corrupt ZIP file with malware. Since Microsoft is such a trusted brand, we expect to see many more malware threats that use the company’s name to target unsuspecting users. These attacks often have the sophistication to disable security software on the host, change remote access permissions, and even change UI components to make it more difficult to remove the malware or to become aware that a host is compromised.

And beyond sophistication, the threat intelligence needs to be very proactive and timely. Attackers are quick to put the latest national disaster, rise or fall of a pop star sensation or sporting event to use to lure users into taking action that can lead to a successful attack and installation of malware. Often these attacks are not only timely, but also new and sophisticated enough that they evade traditional signature-only detection, and require better, up-to-date global threat intelligence to quickly and effectively identify and block the threat. A good example of this is the scam emails and websites created after the Haiti earthquake in 2010. This underscores how quickly criminals can and will jump on trends – they knew their potential victims would be aware of the disaster in Haiti. The scammers sent out fake emails supposedly from charities asking for donations for earthquake victims. Victims who clicked on the donation link in the email were taken to a fake website where they would enter credit card information.
If you scanned these messages and websites solely for content, which is the outdated way to identify threats, you would not have blocked these scam messages. Threat intelligence is very effective at identifying these complex and blended threats and blocking them across multiple methods, whether it is via email, web or intrusion prevention.
The threat environment presents two challenges: protecting against attacks targeted at or coming from internal users, as well as protecting against attacks from outsiders. As hackers become industrialized, meaning that they are organized and deliberate in their efforts and that they operate from an actual for-profit business model, their efforts to break into and steal data, resources, personal information, and even electronic funds, goods, and services are becoming increasingly sophisticated. These threats are not only from the outside, but increasingly are aided, or even initiated, by insiders.

Traditional, legacy security solutions are poorly suited to address these new threats. They exist in siloed environments with no ability to see behaviors within a larger context, nor to leverage the network in order to better mitigate events. Signature-based solutions are becoming irrelevant as polymorphic threats are able to self-modify their code to avoid signature-matching security approaches. More often than not, these solutions also impede an organization’s ability to deploy new mobility or collaboration solutions, because as the edges of the network blur these devices become even less effective.

We need to have visibility into these inside and outside actions and apply greater context to effectively protect from successful attacks.
Instead, defending against this escalating attack environment requires proactive defense-in-depth that relies on the collaboration between security and network devices to increase visibility into the network and network traffic, and sophisticated control that allows the secured network to stop an attack at its source, whether inside the network, outside the network, or even in the cloud. It requires the ability to see users, devices, and events within a context that informs the sort of security that needs to be applied. Is the user inside or outside the network? Is the device healthy? Where are they located? What sort of connection do they have? What resources are they trying to access? It needs to understand the who, what, where, when and how.

Cisco security solutions provide security across the entire spectrum of access methods. Not only do they provide traditional security services such as firewalling, IPS, or web or email protection, but they are designed to extend those services to the sorts of critical business applications and services organizations are running or are considering deploying. Cisco security solutions understand voice traffic, video traffic, data traffic, application traffic, etc., and can coordinate with the network to inspect, secure, and manage them. Security can be deployed as high-performance appliances and is also integrated into network devices to provide a web of security that spans the entire infrastructure.

Security solutions such as the Cisco ASA, IPS, Email, Web, ScanSafe, and ISE appliances are updated with real-time threat information from Cisco SIO. The Cisco policy services platform creates unified and consistent security policy across security devices, network devices, and cloud and virtualized services.

Finally, Cisco network devices themselves are designed with powerful security and communications tools to defend against a variety of threats, including the ability to protect themselves from control plane overflows, denial of service attacks, traffic management issues, or man-in-the-middle attacks. They also provide real-time local network information to security devices using such things as NetFlow, to ensure that security devices are able to synchronize themselves against attacks, collaborate with the network, and adapt to threats as the context of users, devices, and data changes.
The 5585 was designed from the beginning for flexibility and simple scalability. Since it is a passive chassis, we have the ability to offer a variety of firewall and IPS modules at various performance and capacity levels to match your needs. You can start out with a slower module and, as your needs increase, you can easily replace it without having to remove the chassis or worry about changes to your configuration or policy. Simply swap out the existing module for a faster one, reload your existing config and policy, and you are ready to go.

Now let’s take a look at the performance numbers for these four modules. Since performance is very dependent on the environment the product runs in and the policy defined in it, we typically list performance in one of three ways: best case (though not realistic); IMIX, which is a router standard that gives a more accurate interpretation of performance based on different packet types and sizes; and EMIX, which is a unique mix based on an even more realistic test of mixed multi-protocol application access. We have teamed up with BreakingPoint to ensure we have the most accurate performance numbers we can get.

The numbers listed here are for EMIX. We also publish our IMIX and best case numbers in our data sheets. Those numbers are even higher, with the highest-end module being 40 Gbps, for example. So when you do a data sheet comparison, be sure you look at the apples-to-apples numbers. Some vendors don’t publish anything except their best case number, because in a realistic environment they can see a drop of 60-70% from their best case numbers.

Designed to scale. Performance measured in three ways: Best, IMIX, EMIX.
Another key difference is the way ASA-SM and FWSM connect to the supervisor. FWSM uses a 6-port internal EtherChannel across the backplane. ASA-SM connects using a single connection, which prevents the unbalanced load issues found with the FWSM EtherChannel backplane connection.

ASA-SM also contains many of the features that ASA has and FWSM does not. These include many IPv6 features, multicast routing features, Botnet Traffic Filter, etc.
While other “next-generation” firewalls allow you to add application and user awareness to firewalls, ASA CX is the only firewall that allows you to enforce security based on the complete context of a situation. This context includes the identity of the user (who), the application or web site that the user is trying to access (what), the location of the access’ origin (where), the time of access (when) and the device – type, OS version and ownership – used for the access (how).

While other “next-generation” firewalls depend on primitive methods like static risk ratings assigned to applications, ASA CX is the only firewall that combines web reputation with context-awareness to enable safe access to applications. Web Reputation uses the world’s largest threat analysis system, Cisco Security Intelligence Operations (CSIO), to block malicious transactions within genuine applications.

This context and threat awareness is built on the solid classic firewall capabilities of ASA, a proven stateful inspection firewall with an installed base of more than a million appliances.

With the widest networking portfolio, Cisco will be able to offer these capabilities as an appliance, (in future) as part of secure routers, as blades in switches, and as part of a virtual firewall. So with ASA CX, you get the industry’s deepest feature set, on proven Cisco technology.
First Generation – Packet Filters
Second Generation – Stateful Packet Filters. Credit to Nir Zuk from Check Point, but first developed at AT&T by Dave Presetto, Janardan Sharma, and Kshitij Nigam – circuit-level firewalls
Third Generation – Application Layer Firewall
Third Generation – Deep Packet Inspection
- DPI: application
- DPI: granular application
Where you need coarse, organization-wide or subnet-based rules, IP address-based rules are still valid. But where you need granular, user-specific rules, IP addresses are no longer a good proxy for users due to user mobility and dynamic assignment of IP addresses.

The primary mechanism by which “next-generation” firewalls identify users is through a User-ID Agent. The User-ID Agent collects user-to-IP address mapping information from the Active Directory security logs and provides it to the firewall for use in security policies and logs. ASA CX supports this mechanism of user identification through an Active Directory Agent. This user identification mechanism is useful mainly to get visibility into user traffic, or to apply controls on non-critical traffic. For critical access control decisions, customers, especially in highly regulated industries like Finance and Healthcare, do not like to rely on user-to-IP address mapping, because the log information could be stale, rendering the user identification obtained through this mechanism unreliable.

To address this problem, ASA CX supports true authentication schemes like NTLM and Kerberos. When these schemes are used, clients (like browsers) authenticate users seamlessly, without asking users to fill in credentials in an authentication prompt. These schemes are secure because they never send the password in the traffic. Authentication is done using a challenge-response method, based on the credentials used to log in to the endpoint. In fact, Kerberos is the default authentication mechanism on Active Directory 2000 and above. ASA CX provides you the flexibility to use Active Directory Agent or NTLM / Kerberos for different types of traffic.

In future, ASA CX plans to integrate with TrustSec so that administrators can leverage the device and user identity that is already available in the network. With Cisco TrustSec, you can identify and tag traffic from employees, contractors, guests, and so on.
You can leverage these tags on the TrustSec-enabled Cisco switches to control campus access, and on ASA CX to control access across the perimeter. As an example, you can use TrustSec to limit the Guest traffic to a Guest network, and use ASA CX to specify the narrow list of applications or web sites that the guests are allowed to access. No other firewall vendor is able to provide such diverse access control methods.
Due to the proliferation of web-based applications (all traversing ports 80 and 443) and the port-hopping nature of several applications like Skype, ports are no longer a good proxy for applications. “Next-generation” firewalls address this by offering application-based visibility and control. However, merely classifying an application is no longer enough either. Now you must identify the “micro-applications” being used within a bigger application, and make the access control decision based on all of these inputs.

ASA CX offers very granular controls that allow administrators to create firewall policies that match the nuanced business needs of today. ASA CX not only identifies 1,000+ applications, but also identifies 75,000+ micro-applications, like Farmville on Facebook. These micro-applications are bucketed into easy-to-use categories so that firewall administrators can easily allow / deny access to the relevant parts of the application; for example, on Facebook these micro-applications are categorized into business, community, education, entertainment, games, and so on. Similarly, other applications like Google+, LinkedIn, Twitter, iTunes, etc. are also broken down into micro-applications.

In addition to micro-applications, ASA CX also identifies the application behavior, that is, what action the user is taking within that application. As an example, the Facebook Videos category identifies whether the user is uploading, tagging or posting a video. So an administrator may allow users to view and tag videos, but not allow users to upload a video. You could also deny any postings from users, effectively making Facebook read-only.
Only Cisco has an industry-leading firewall and secure web gateway. ASA CX uses the same URL filtering database as its web security solutions. This is Cisco-owned, unlike almost all other “next-generation” firewalls, which use 3rd-party URL filtering solutions. ASA CX allows you to create URL-based rules for users and groups, creating differentiated access to the Internet, unlike some other vendors that only allow one URL filtering policy for the enterprise.

Cisco’s URL filtering database has industry-leading coverage and efficacy. It provides 65 URL categories and a comprehensive URL database that encompasses sites in more than 200 countries and more than 50 languages. Cisco SIO updates the database every five minutes, taking advantage of its visibility into more than a third of global Internet traffic to provide customers with the most effective and timely coverage. URL updates are sourced from automated web crawling and classification technologies, combined with manual classification from Cisco’s global categorization team of professional researchers. Periodic, automated aging out of unused domains and sites, along with regular updates of millions of new URLs, helps maintain the industry’s highest-quality web filtering database. In addition, data from thousands of participating Cisco security appliances is delivered to Cisco SIO to classify uncategorized URLs. Any miscategorization requests are responded to quickly – often within minutes.
With users demanding access to data from anywhere, the choice for you is either to keep your network very restrictive, which your business leaders do not like, or to fully open up access even if that makes your network more vulnerable.

As an element of context, location can play an important role in determining whether an access request is legitimate or not. For example, if the CFO accesses the finance application from his laptop as well as his iPad, maybe that is OK. However, the fact that the access from these two devices happened simultaneously from 2000 miles apart is a strong indication that one of the devices may be compromised.

ASA CX allows you to create location-based policies. In the first release, you can create separate policies for local and VPN (AnyConnect) user traffic. As an example, you can allow access to a sensitive financial application from a local laptop, while denying access from a remote iPad.

In future, the planned integration with TrustSec and Identity Services Engine (ISE) will allow you to set more granular policies based on where in the network you connected from. For example, if you are connecting from employee workstations in San Jose campus > Building H, you get a different level of access than if you were connecting from a lab environment.
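The “same user, two devices, 2000 miles apart at the same time” signal described above is what detection engineers call impossible travel. The following is an added example, not code from the original slides or from any Cisco product: it runs that check over a constructed access log (hypothetical users, devices and coordinates) and flags consecutive accesses by one user that would require travelling faster than an assumed plausible speed.

```python
import math
from datetime import datetime, timezone

# Constructed sample access log (not real data). Each record is one access to the
# finance application: user, device, UTC timestamp and the geolocated source.
ACCESS_LOG = [
    {"user": "cfo", "device": "laptop", "ts": "2012-03-01T09:00:00Z", "lat": 37.33, "lon": -121.89},  # San Jose
    {"user": "cfo", "device": "ipad",   "ts": "2012-03-01T09:05:00Z", "lat": 40.71, "lon": -74.01},   # New York
    {"user": "cfo", "device": "laptop", "ts": "2012-03-01T17:00:00Z", "lat": 37.33, "lon": -121.89},  # San Jose
    {"user": "eng", "device": "laptop", "ts": "2012-03-01T09:00:00Z", "lat": 37.33, "lon": -121.89},  # San Jose
    {"user": "eng", "device": "phone",  "ts": "2012-03-01T09:20:00Z", "lat": 37.39, "lon": -122.08},  # Mountain View
]

EARTH_RADIUS_MI = 3958.8
# Assumed threshold: roughly airliner speed. Anything faster cannot be one person
# carrying both devices, so one of the two sessions is suspect.
MAX_PLAUSIBLE_MPH = 600.0


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(records, max_mph=MAX_PLAUSIBLE_MPH):
    """Return one alert per pair of consecutive accesses by the same user whose
    implied speed exceeds max_mph. Simultaneous accesses from different places
    (zero elapsed time, non-zero distance) are treated as infinite speed."""
    by_user = {}
    for r in sorted(records, key=lambda r: (r["user"], parse_ts(r["ts"]))):
        by_user.setdefault(r["user"], []).append(r)

    alerts = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            miles = haversine_miles(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600.0
            if hours <= 0:
                mph = math.inf if miles > 0 else 0.0
            else:
                mph = miles / hours
            if mph > max_mph:
                alerts.append({
                    "user": user,
                    "from_device": prev["device"],
                    "to_device": cur["device"],
                    "miles": round(miles),
                    "minutes": round(hours * 60),
                    "mph": mph,
                })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(ACCESS_LOG):
        print("IMPOSSIBLE TRAVEL: user={user} {from_device}->{to_device} "
              "{miles} mi in {minutes} min".format(**alert))
```

In the constructed log only the CFO's laptop-then-iPad pair fires (about 2,500 miles in five minutes); the CFO's return to San Jose eight hours later and the engineer's short hop to Mountain View are within the assumed speed and stay quiet.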
According to a July 2011 Forrester Research survey(*), 60% of enterprises are enabling BYOD. There is tremendous pressure on security administrators to allow any time, any device access from anywhere. Often security administrators have little choice: they either keep the network closed, or open it up for all kinds of devices at the expense of security. A majority of them choose to open up network access, but this leads to complete loss of control over network access with absolutely zero visibility.

Cisco security solutions like AnyConnect and Identity Services Engine (ISE) help customers enable BYOD securely. AnyConnect, installed on more than 100 million endpoints, is the most ubiquitous VPN and secure mobility client in the market. It sends information about the device operating system and version, which ASA CX uses as elements of rich context for visibility and control.

In the near future, ASA CX will leverage even richer information from ISE, like device profile, device posture, 802.1x authentication information, and so on. This will allow customers to set differentiated policy, for example, restricting network access if the device is personally owned. This will complement the TrustSec architecture, which is used for campus access control. Leveraging the same information, ASA CX can be used for edge access control. None of the other firewall vendors combines such rich application and user controls with rich device information.

NOTE: If a customer has neither AnyConnect nor ISE, ASA CX will extract the device operating system from the User-Agent header of HTTP traffic.

* Reference: http://www.att.com/gen/press-room?pid=21555&cdvn=news&newsarticleid=32980&mapcode
25 devices is not a hard limit, it is a recommendation. This will be tuned after performance testing and before FCS.
The context-aware capabilities are managed through the Cisco Prime Security Manager (PriSM). PriSM is built from the ground up to address task-based workflows in a simple and efficient Web 2.0 based GUI.

PriSM is available in two variants. The first is a web-based on-device version that is integrated with the ASA CX. The second is an off-box version that is typically used in situations where a network contains multiple ASA CXs. The on-device version is identical to the off-box version except for the latter’s ability to manage multiple firewalls. Thus, from a security operator’s point of view, the experience of managing the ASA CX is consistent irrespective of the management application variant – on-device or off-box – that the operator chooses.

PriSM interacts with the firewalls in a schema-driven, standards-based fashion through a REST API. In future, this will allow customers to write their own scripts or develop their own custom management application if they so choose.
Notes: Cisco’s portfolio is broader than any other. That helped build our market share and deployment coverage, but those devices are very old. Further, we recognize that we are trying to sell stand-alone IPSs that extend too far down in the speed continuum and not high enough. In March we replace the 4240 / 4255 / and 4260 with the 4345 and 4360. We drive lower-level IPS to the integrated FW/IPS offerings that are in the 55xx family. The 4270 continues to be the only stand-alone IPS with 10G interfaces and fail-over. We continue to sell that until we deliver the Glen Rose product in the summer.
A recent Cisco Connected World Report shows that employees expect to have more flexible work options. For many, such flexibility is even more important than salary. IDC predicts that in 2012, the number of mobile devices is likely to reach 462 million, exceeding PC shipments.

Such increased access methods and devices present major challenges for many organizations, as they try to maintain a high level of security while supporting productivity and work flexibility. Some specific challenges include:
1) Mobile workers need access to resources on the internal network from anywhere, and they also need access to cloud-based services.
2) The large number of user-owned mobile devices and the many different types of these devices make it difficult for organizations to identify the devices and to ensure policy compliance.
3) Without proper protection, data residing on the mobile devices becomes a high risk of corporate data loss as well as compliance violations.
Another key to making the experience seamless is ensuring that the scanning elements are distributed throughout the network and not just at HQ – pressing out to the capillaries of the network through ISR integration, as well as in the cloud.

The recent ScanSafe acquisition accelerates Cisco’s ability to deliver security services in the cloud. Over time, Cisco is planning to build a hybrid hosted model in which users will be able to attach to either a company-owned head-end or a cloud enforcement point – whichever provides the best user experience – while getting consistent policy enforcement and security.

In the interim, customers have the choice of on-prem or cloud enforcement for their mobile users. For the cloud-based solution, the Anywhere+ client will redirect web traffic to the Cisco ScanSafe cloud for scanning and enforcement. In the near future, this client will converge with the AnyConnect client for a unified client footprint. Alternatively, customers can use the AnyConnect Secure Mobility client to connect to on-premise equipment for security. We’ll dig into this solution in more detail on the next slide.
Comprehensive Device Provisioning
- Automated on-premise MDM enrollment with appropriate device and application provisioning
Detailed User and Device Context
- High-fidelity device info offers true visibility of what is connected
- Increased device details (OS version, serial number, etc.) enhance policy decisioning
Increased Device and Application Security
- Device tracking capabilities upon device loss
Why Cisco/network wins
A recent Cisco Connected World Report shows that employees expect to have more flexible work options. For many, such flexibility is even more important than salary. IDC predicts that in 2012, the number of mobile devices is likely to reach 462 million, exceeding PC shipments.

Such increased access methods and devices present major challenges for many organizations. They need to maintain a high level of security while supporting productivity and work flexibility. Issues around these devices include:
- Making sure that users and devices are healthy
- Ensuring that devices are connected securely to services
- Ensuring that devices and users only have access to network resources appropriate to a number of context-based decisions, such as the user’s role, the kind of device being used, where it is located, what time it is, what sort of connection is being used, etc.
- The ability to provide consistent policy for any user or device, from the most remote endpoint, across the network, to the center of the data center.
- The ability to determine, based on policy, when and if data ought to be secured, and then being able to dynamically enforce data encryption.
What are the transformations, and the specific challenges? Need to make this more impactful. Focus on three themes:

Slide #1
1) Device Proliferation
- 15 billion devices by 2015 that will be connecting to your network
- Every person has 3-4 devices on them that connect to the network
- 40% of staff are bringing their own devices to work
2) Next Generation Workforce
- Work is no longer a place you go to work
- People are willing to take a pay cut as long as they are able to work from home
- Globalization, acquisitions, increased competitiveness
- Need anywhere, anytime, any device access
3) Virtualization
- No content yet, just put placeholder

Slide #2
1) Device Proliferation
- How do I ensure a consistent experience on all devices? How and what do I support?
- How do I implement multiple security policies per user and device? What devices are on my networks?
2) Changing Workforce
- Am I hindering my workforce from being competitive?
- How do I retain top talent?
- How do I ensure compliance with SOX, HIPAA, etc.?
- Can I handle partners, consultants, and guests appropriately?
3) Virtualization
- How do I know who is accessing my virtual desktop infrastructure?
- How do I secure access to my data across the cloud, in a scalable way?
- Can I ensure compliance across geographic boundaries?
The TrustSec portfolio is now enhanced with the introduction of our new policy manager, ISE.
- The policy decision point and the platform for delivery of services is ISE.
- Policy enforcement is our infrastructure.
- Finally, client capabilities (802.1X, MACsec) are integrated into AnyConnect, or customers can use native supplicants. The NAC posture agent will be integrated into AnyConnect in 1H CY2012.
Cisco has considerable investment in identity features on our infrastructure. A number of differentiators include monitor mode, which allows you to authenticate users without enforcement. Another differentiator is flex auth, our ability to order authentication methods appropriately, along with the right behavior when authentication fails. Interop with IP telephony and in VDI environments is also supported.

These features are delivered consistently across our entire switch portfolio, so whether you’re deploying a Cat 3K, 4K or 6K, the customer just has to select the right switch.
Problems
- Different kinds of device types appearing on the network (wired & wireless): iPads, printers, phones, etc.
- IT needs visibility into all devices
- IT may choose to have different policy for certain kinds of devices (e.g., don’t allow iPads on the network)
- IT needs assurance that a device conforms with its signature for security reasons
Device Profiling + IOS sensor
Solution components: ISE (Identity Services Engine) and switch sensor (IOS software that resides on the 3K)

Steps:
Collection:
- A device (for example, a printer) gets plugged into a port on a switch
- The switch detects that a new device has been plugged in
- The switch collects data related to the device (DHCP, LLDP, CDP, and MAC OUI data) by snooping on the traffic sent by the device
- The switch sends the collected data to ISE to aid ISE in device classification
Classification:
- ISE uses a rules engine to classify the device as a printer
- ISE provides a report of devices with device types: device MAC address, device IP address, switch port, device type, etc.
Authorization:
- If IT has defined a policy for that device type (“Printer”), ISE executes the policy
- If the policy says put the printer in VLAN X, ISE tells the switch to place the printer in VLAN X
- If the policy says don’t allow the printer on the network, ISE tells the switch to block the port
- If the policy says provide restricted access to the printer and limit it to ONLY talk to a print server, ISE asks the switch to enforce an ACL per the policy

ISE can also collect NetFlow information from the switch. If ISE notices that an HP printer is trying to talk to the Internet (based on NetFlow data), it raises an alarm, as printers are meant to be used for intranet usage only. This eliminates data spoofing and improves security.
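To make the collection, classification, authorization and NetFlow steps above concrete, here is an added toy model of that flow in Python. It is not Cisco ISE or IOS code. The switch-sensor attributes (DHCP option 60/12, CDP platform, LLDP description, MAC OUI), the OUI-to-vendor table, the policy table, the 10.0.0.0/8 intranet range and the sample NetFlow records are all constructed for the example; a real profiler has far richer rules and feeds.

```python
"""Added example, not Cisco ISE/IOS code: a toy model of the profiling flow in
the notes. A "switch sensor" snoops DHCP/CDP/LLDP/OUI attributes, a rules
engine classifies the endpoint, a policy table maps the type to a switch
action, and a NetFlow check alarms on a printer talking off-net.
All OUIs, addresses and attribute strings below are constructed samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed OUI-to-vendor table (first three octets of the MAC address).
OUI_VENDORS = {
    "00:1E:0B": "Hewlett-Packard",
    "00:23:AB": "Cisco",
    "AC:DE:48": "Apple",
}

# Constructed authorization policy: device type -> what ISE tells the switch.
POLICY = {
    "printer":  {"action": "acl", "permit_only": ["10.0.5.10"]},  # print server only
    "ip-phone": {"action": "vlan", "vlan": 100},                  # voice VLAN
    "ipad":     {"action": "deny"},                               # "don't allow iPad"
    "unknown":  {"action": "vlan", "vlan": 999},                  # quarantine VLAN
}

INTRANET = ip_network("10.0.0.0/8")  # assumed internal address space


@dataclass
class Endpoint:
    """Attributes the switch sensor collected by snooping the device's traffic."""
    mac: str
    ip: str
    switch_port: str
    dhcp_class_id: str = ""   # DHCP option 60 (vendor class identifier)
    dhcp_hostname: str = ""   # DHCP option 12 (host name)
    cdp_platform: str = ""    # CDP platform TLV, if the device speaks CDP
    lldp_sysdesc: str = ""    # LLDP system description, if present


def vendor_from_oui(mac):
    return OUI_VENDORS.get(mac.upper()[:8], "unknown")


def classify(ep):
    """Rules engine: most specific rule first; returns a device type."""
    vendor = vendor_from_oui(ep.mac)
    if "IP Phone" in ep.cdp_platform and vendor == "Cisco":
        return "ip-phone"
    if vendor == "Hewlett-Packard" and (
        "jetdirect" in ep.dhcp_class_id.lower() or "printer" in ep.lldp_sysdesc.lower()
    ):
        return "printer"
    if vendor == "Apple" and "ipad" in ep.dhcp_hostname.lower():
        return "ipad"
    return "unknown"


def authorize(device_type):
    """Turn the policy for a device type into a concrete switch instruction."""
    rule = POLICY[device_type]
    if rule["action"] == "vlan":
        return {"port_action": "assign-vlan", "vlan": rule["vlan"]}
    if rule["action"] == "deny":
        return {"port_action": "shutdown"}
    acl = [f"permit ip any host {h}" for h in rule["permit_only"]] + ["deny ip any any"]
    return {"port_action": "apply-acl", "acl": acl}


def netflow_alarms(ep, device_type, flows):
    """flows: (src_ip, dst_ip, dst_port) tuples exported by the switch.
    A printer is intranet-only, so any flow it sources to a non-intranet
    destination is an alarm."""
    if device_type != "printer":
        return []
    return [
        f"{ep.mac} ({device_type}) on {ep.switch_port} -> {dst}:{port} is outside {INTRANET}"
        for src, dst, port in flows
        if src == ep.ip and ip_address(dst) not in INTRANET
    ]


def profile_and_enforce(ep, flows=()):
    """Full pipeline: classify, authorize, then watch NetFlow for violations."""
    device_type = classify(ep)
    return device_type, authorize(device_type), netflow_alarms(ep, device_type, flows)


if __name__ == "__main__":
    # Constructed sample: an HP printer whose NetFlow shows one off-net flow.
    printer = Endpoint("00:1e:0b:12:34:56", "10.0.7.20", "Gi1/0/5",
                       dhcp_class_id="Hewlett-Packard JetDirect")
    flows = [("10.0.7.20", "10.0.5.10", 9100), ("10.0.7.20", "203.0.113.9", 443)]
    print(profile_and_enforce(printer, flows))
```

The point the notes make is visible in the return value: the same printer that is authorized with a print-server-only ACL still produces an alarm as soon as NetFlow shows it sourcing a flow to 203.0.113.9, because classification decides the policy and NetFlow verifies behaviour against that policy afterwards.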
The key component of the TrustSec architecture is ISE. It converges NAC and ACS functionality, from AAA functions to security services like guest, profiling and posture, into one appliance, making the choice of deploying either an “overlay mode” or an “infrastructure integrated mode” a lot simpler for customers.
- The current NAC and ACS hardware platforms are software-upgradeable to ISE
- License migration program for all software licenses
- Data and configuration migration tools available*
[Need animation on this slide]
- Application Team – Control access to PCI customer data based on user and role
- System Team – Identify data locations with PCI customer data
- Network Team – Create router and switch access controls for user IP addresses to networks with PCI customer data
One of the challenges that organizations face is providing branch offices with the same security and consistent policy that is deployed at headquarters. Challenges include the cost of deployment of security devices, and even more, the cost associated with managing and tuning these devices due to limited IT or security resources in the branch. Lack of security consistency makes the branch office a prime target for determined hackers and criminals as they often represent a weak link in corporate security and a back door into corporate resources and the corporate data center.
To address these challenges, Cisco has integrated professional-grade security solutions into our branch and edge network devices. These solutions provide the exact same security as is deployed at the corporate headquarters, with the added bonus of being able to be deployed and managed remotely, and of having a consistent corporate security policy deployed and enforced across the entire WAN infrastructure.

The Cisco ISRG2 family of routers provides a powerful and robust set of security services designed not only to protect the branch, but to secure and enable other critical services, such as voice and video, being extended to the branch office.

Security solutions that can be deployed on the ISRG2 include the same firewall, IPS, and VPN solutions that run on the Cisco ASA. Mobile users and teleworkers can terminate their VPN connections directly on the branch router and receive the same secure access and rich network services as they would if they connected directly into corporate headquarters. A new ScanSafe solution on the ISRG2 provides consistent web security for branch users, whether their web requests are pushed through the WAN to the corporate web server or are delivered to the Internet directly from the branch.

The Cisco ASR routers at the corporate edge are also able to provide the same high-performance security to protect the corporate LAN from traffic originating from the branch or from outside users, such as mobile workers.

Additionally, Cisco’s network devices are designed with a wide range of native security solutions, such as control and data plane protection, and detection of and protection against denial of service attacks and a host of other sorts of threats. Finally, all of this lives within a larger secure network ecosystem on these devices, which extends security to such services as voice and video while providing a seamless LAN experience across the WAN.
Pointer to other sessions (IPS, NAC, 802.1x sessions) –BRK- 20101 (NFP)
Cloud computing and virtualization technologies spur higher levels of business growth and opportunities. In the meantime, new challenges start to emerge. The explosive growth of mobile computing requires an open infrastructure with trusted access to the cloud and virtualized data center resources. The new technologies change how workloads are handled, but the larger “attack surface” creates more vulnerability. Compliance mandates such as PCI DSS impose stringent requirements for policy enforcement and controls. Web 2.0 technologies and e-commerce require security that can scale to protect a mission-critical computing environment. Traditional security cannot protect new security “blind spots”, such as a virtual and dynamic environment where virtual machines may move from one physical host to another, thus breaking static security boundaries such as VLAN-based security.

Another challenge is that many customers do not have the experience and expertise to protect these new and dynamic environments. Finally, the massive workloads and consolidated infrastructure pose high scalability and performance requirements on the security solutions.
The Cisco solution to secure cloud and virtualization includes the following components:
- Cisco ASA 5585-X Appliance and Cisco Catalyst 6500 Series ASA Services Module (SM)
- Cisco Nexus 1000V Series Switches
- Cisco Virtual Security Gateway (VSG)
- Cisco Intrusion Prevention System (IPS) sensors

The Cisco ASA 5585-X appliance is uniquely positioned to provide high-performance security to protect the new virtualized data center and cloud with firewall and IPS capabilities. The ASA 5585-X MultiScale™ performance is a combination of breadth and depth. It provides rapid connections per second, an abundance of concurrent sessions, and accelerated throughput. It also enables multiple security services for exceptional flexibility. The ASA 5585-X can offer up to 20 Gbps of real-world HTTP traffic and up to 35 Gbps of large packet traffic. It supports up to 350,000 connections per second and a total of up to two million simultaneous connections initially. The ASA 5585-X deployment at the data center distribution layer provides a strong layer of protection for the high-value data center resources and services.

The Cisco ASA Services Module provides similar high performance with a different deployment option, as a plug-in module for Cisco Catalyst 6500 switches. Furthermore, Cisco also provides another IPS deployment option with IPS sensors to enable distributed and intelligent detection with precision response to network attacks.

The Cisco Virtual Security Gateway (VSG) works with Cisco Nexus® 1000V switches to provide zone-based and policy-driven security at the virtual machine level, extending existing security policies into virtual and cloud environments. The Cisco Nexus 1000V adds additional security and monitoring capabilities at the access layer, including PVLAN, IP Source Guard, DHCP Snooping, ARP inspection, and NetFlow.
Together with the Cisco ASA 5585-X, ASA Services Module and IPS sensors, the Cisco VSG and Cisco Nexus 1000V switches provide in-depth security for threat defense, secure segmentation, and consistent policy and controls for virtualized data centers. The Cisco solution helps secure multi-tenancy, which is a key element of private, public and hybrid cloud computing, defend against threats, and provide network traffic and activity visibility.
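Three of the Nexus 1000V access-layer features just listed, DHCP Snooping, ARP inspection and IP Source Guard, work as one chain: snooping builds a binding table from DHCP leases, and the other two check ARP and IP traffic on untrusted ports against that table. The following added Python model illustrates that chain; it is not Cisco Nexus 1000V code, and the port names, MAC and IP addresses and the packet sequence in demo() are constructed for the example.

```python
"""Added example, not Cisco Nexus 1000V code: a toy model of the three access-layer
protections the notes list together: DHCP Snooping, Dynamic ARP Inspection and
IP Source Guard. DHCP server replies are only accepted from trusted ports, and
the resulting bindings drive ARP and IP source checks on untrusted ports.
All ports, MACs and addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class AccessSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks toward the real DHCP server
        self.bindings = {}                  # client MAC -> Binding (snooping table)
        self.client_port = {}               # client MAC -> untrusted port it spoke on
        self.log = []

    def _drop(self, why):
        self.log.append("DROP " + why)
        return False

    # DHCP Snooping --------------------------------------------------------
    def dhcp(self, port, vlan, msg_type, client_mac, yiaddr=None):
        """Server-originated DHCP (OFFER/ACK) is only legal on trusted ports.
        An ACK from a trusted port creates a binding for the client."""
        client_mac = client_mac.lower()
        if msg_type in ("OFFER", "ACK"):
            if port not in self.trusted:
                return self._drop(f"rogue DHCP {msg_type} on untrusted {port}")
            if msg_type == "ACK" and client_mac in self.client_port:
                self.bindings[client_mac] = Binding(
                    client_mac, yiaddr, vlan, self.client_port[client_mac])
            return True
        # DISCOVER/REQUEST from a client: remember which port the client is on
        self.client_port[client_mac] = port
        return True

    # Dynamic ARP Inspection -----------------------------------------------
    def arp(self, port, sender_mac, sender_ip):
        """On untrusted ports the ARP sender MAC/IP pair must match a binding
        learned on that same port; anything else is treated as spoofing."""
        if port in self.trusted:
            return True
        b = self.bindings.get(sender_mac.lower())
        if b is None or b.ip != sender_ip or b.port != port:
            return self._drop(f"ARP {sender_mac}/{sender_ip} on {port}: no matching binding")
        return True

    # IP Source Guard ------------------------------------------------------
    def ip_packet(self, port, src_mac, src_ip):
        """Untrusted ports may only source IP packets with a bound (MAC, IP) pair."""
        if port in self.trusted:
            return True
        b = self.bindings.get(src_mac.lower())
        if b is None or b.ip != src_ip or b.port != port:
            return self._drop(f"IP {src_mac}/{src_ip} on {port}: not in binding table")
        return True


def demo():
    """Constructed scenario: a legitimate lease, then a rogue DHCP server,
    a gateway ARP spoof and a spoofed source address, all on untrusted ports.
    Returns the per-packet verdicts and the switch for inspection."""
    sw = AccessSwitch(trusted_ports=["Gi1/0/48"])  # Gi1/0/48 is the uplink
    ok = []
    ok.append(sw.dhcp("Gi1/0/1", 10, "DISCOVER", "aa:bb:cc:00:00:01"))
    ok.append(sw.dhcp("Gi1/0/48", 10, "ACK", "aa:bb:cc:00:00:01", yiaddr="10.0.1.10"))
    ok.append(sw.arp("Gi1/0/1", "aa:bb:cc:00:00:01", "10.0.1.10"))                       # legit
    ok.append(sw.dhcp("Gi1/0/2", 10, "OFFER", "aa:bb:cc:00:00:01", yiaddr="10.0.1.99"))  # rogue server
    ok.append(sw.arp("Gi1/0/2", "aa:bb:cc:00:00:02", "10.0.1.1"))                        # claims gateway IP
    ok.append(sw.ip_packet("Gi1/0/1", "aa:bb:cc:00:00:01", "10.0.1.10"))                 # legit
    ok.append(sw.ip_packet("Gi1/0/1", "aa:bb:cc:00:00:01", "10.0.1.50"))                 # spoofed source
    return ok, sw


if __name__ == "__main__":
    results, switch = demo()
    print(results)
    print("\n".join(switch.log))
```

The design point worth noticing is that only one binding ever gets created, from the ACK that arrived on the trusted uplink, and every later drop is a consequence of that single table: without DHCP Snooping there is nothing for ARP inspection or IP Source Guard to check against, which is why the three features are deployed together at the access layer.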
Architectural viewpoint; start on the left.

What we are going to have in our virtualized collaboration workspace is a set of our own devices and an ecosystem. We have partnerships established with some of the key vendors: Wyse, Devon IT and Igel. In the thin client market, there are two leading vendors that share the market, and then there are a few others. The two that are splitting the majority of the market are Wyse and HP. We’re partnering mostly with Wyse.

In the network, one focus is performance optimization. There is a set of software on the desktop in the data center, and a little bit on the endpoint, and between them is a desktop virtualization protocol. There is no industry standard right now. Citrix has ICA. VMware has PC over IP. And Microsoft likes RTP. We’re focused on these big three. Our product will be available next summer, and that will be VDS, virtual desktop service.

All packets are put together in a single stream and encrypted. Much of our network magic is around quality of service, and we can’t see inside those streams. With VDS, we’re working with partners to get certified to be able to look inside those desktop protocols and start applying intelligent network capabilities. WAN acceleration is part of that.

Other pieces include policy. Because I’ve separated my access from my virtual desktop, the corporation can apply policy when you connect. If I’m in the building, I get access to all my applications. When I’m remote, on my iPad, the network knows I’m not inside the building and I might get access to some but not all of my applications. It can restrict financial data, for instance.

In the data center, at the storage level we’re partnering with EMC and NetApp for storage. We’re using UCS, with that running things like QUAD and CUCM. On top of that, hypervisor and desktop virtualization software, and then Windows.
We’re putting that all together and validating in an end to end system and providing the design guide to allow the customer to stand all that up and do it quickly and easily.
Now we’re looking at an example where CSA is used in a network to enforce PCI compliance. On the right, there is a large network, with a data center housing various types of servers. Next to that is the main office and the Internet edge, and one of the representative remote locations is at the left.

Various types of network and security devices are tagged with the numbers of the PCI requirements that can be enforced by that device. Of course, not all numbers are listed, only the more relevant ones.

CSA protects any management or production servers, desktops, and more. And of course, it provides additional mechanisms to ensure financial information cannot be compromised.
Today’s solutions – “the before”
- A piecemeal security approach requires lots of integration and staffing to support
- Security based on physical structure is no longer sufficient as the world embraces virtualization
- Loss of control with non-company, employee-owned devices risks data loss and malware
- Vulnerable, in-the-clear connections risk confidentiality and increase compliance complexity
- Duplicate efforts and inconsistent security policies between wired and wireless network access, and so on

New Security Approach
- An architecture-based approach enables an in-depth security system
- Distributed security policy and enforcement to address both physical and virtual environments
- Secured any-device connectivity enabled by access control, malware detection and data protection
- Encrypted, integrity-protected end-to-end communications
- Unified management and policy for consistency across all access methods
The changing business environment is also shifting user expectations of IT. The Cisco Connected World Report shows greater demand for the ability to work from anywhere with the user’s device of choice, while using video and rich media to enhance communications. Simultaneously, the report showed that IT is struggling with the performance and security implications associated with the proliferation of mobile devices and the delivery of a dynamic networked organization.
- 60% believe they don’t need to be in the office to be productive
- 66% would accept a lower-paying job (10%) for more work flexibility
- 45% work an extra 2-3 hours a day since they are able to work outside of the office (an additional 25% work 4+ hours)
- 45% of IT professionals are unprepared to make workforces more mobile
- 57% of IT professionals said security is the biggest challenge in supporting a mobile and distributed workforce
- Learn security considerations and solutions from cisco.com/….
- Call Cisco or a partner to perform a security assessment
- Assess your security status based on the 7 Security questions (and assess your organization’s level of security in a 5-7 step framework - TBD)
- Learn about the Cisco solution from XYZ (use the 7 Questions as a way to get to this, like we do with BN)
- Learn from how Cisco has deployed these security solutions through Cisco-on-Cisco case studies and customer case studies
#3 cases
- Trusted security architecture with pervasive network visibility and control - reduces complexity and increases protection
- The industry’s richest and most innovative security portfolio - optimized for any organization size and needs, today and into the future
- Unique context-aware threat protection and security intelligence discovers and protects against the next generation of threats
- Consistent enforcement of policy throughout an organization, using posture and context to enable a secure borderless experience
- Network integration that enables security from the device, throughout the network, to the data center, gathering data and enforcing
- Validated with third-party ecosystem partners to ease integration and deployment