The evolving complexity of the data center is placing increased demand on the network and security teams to come up with inventive methods for enforcing security policies in these ever-changing environments. The goal of this session is to provide participants with an understanding of features and design recommendations for integrating security into the data center environment. This session will focus on recommendations for securing next-generation data center architectures. Areas of focus include security services integration, leveraging device virtualization, and considerations and recommendations for server virtualization. The target audience are security and data center administrators.

1. Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 1
Security and
Virtualization in the
Data Center
Ronnie Scott - CCIE 4099
T-DC-13-I
May 19th 2016
In collaboration with

2. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Housekeeping notes
Thank you for attending Cisco Connect Toronto 2016, here are a few housekeeping notes
to ensure we all enjoy the session today.
• Please ensure your cellphones / laptops are set on silent to ensure no one is disturbed
during the session

3. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Agenda
3
The New Security
Landscape
Defense By Design
Bringing The Big Guns
Conclusion

4. Cisco Confidential 4© 2015 Cisco and/or its affiliates. All rights reserved.

5. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5
Simplify and Unify
security solutions
Evolve while maintaining
Security and Compliance
Stay ahead of
evolving threats
95% of firewall breaches
caused by misconfiguration*
12% YoY growth of
devices 2014-2019
Over 100K new
threats per day
* Greg Young, Gartner Inc
PROVISIONING SCALABILITY PROTECTION
DataCenter Security Challenges

6. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6
Attacker Profiles
Organized Crime
 Out to make money
 Needs organization to stay profitable
 Typically smash-and-grab style or
drive-by
Graffiti and Activism
 Attack you for fame
 To make a point
 Can be a nuisance
 Can also draw unwanted attention
State Sponsored Cyber Warfare
 Extremely advanced
 Companies are generally at a
disadvantage
 Hard to defend
 A-Typical
Espionage
 Somewhere between Organized Crime
and Military
 Could be state sponsored
 Replicating Intellectual Property
 Gain human intelligence

7. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7
Extortion
Data
Manipulation
Card Not
Present
IOT Zombies
Backdoors
Kim Zetter – Wired Magazine, Jan 1, 2016
TheBig5-2016

8. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8

9. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9

11. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11

12. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12

13. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13
The Server Is Virtualized
13
• One Server - Multiple Guests
• Hypervisor abstractions hides hardware
• Partitioned system resources
• Application & OS encapsulation

14. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14
FinancialsCRM
Exchange ERP
OracleSAP

15. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15
Common Virtualization Concerns
15
• Physical Tools in a Virtual World
• Operations and Management Obfuscation
• Changes in Roles and Responsibilities
• Machine and Application Segmentation
Hypervisor
Initial
Infection
Secondary
Infection

17. Cisco Confidential 17© 2015 Cisco and/or its affiliates. All rights reserved.

18. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18

19. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19
Back to the basics … Ships in the night

20. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20
Cisco SAFE

21. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21
The VMDC Architecture

22. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22

23. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23

24. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24
But what our
customers want…

25. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25
…is the vision on the box.
(Not the one on the carpet)

26. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26
SAFE Simplifies the Security Conversation
One Step at a Time
Capability Phase Architecture Phase Design Phase

27. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
WAN
Branch
Campus
Data
Center
Edge
Break the Network into Domains
Security Domains per PIN

28. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
DC Core
Mapping The Problem
WAN / Campus
Core
Campus
App 2
Web
App
App 1 AppWeb DB
Branch
Site
1
Site
2
Edge
Shared
Services
DNS
DHCP
SQL
SLB

29. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29
Business Requirements Per Domain
When done, try to rank by importance
Data Center
Protect Customer
Data
Must be easy to
operationalize
Support Role-based
Network Segmentation
Measurable
Security Increase
Example:
PCI Domain at Branch Office

30. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30
Identify the Threats, Risks, and Policy
Also, identify the mitigating capabilities that should be considered
Data Center
Domain
Policy: Role-based
Network
Segmentation
Risk: Lateral Spread
of Breach
Threat: Exploitation
of Trust
Example:
PCI Domain at Branch Office

31. Cisco Confidential 31© 2015 Cisco and/or its affiliates. All rights reserved.
Security Capabilities Design

32. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32
Security Capabilities Design
Example
1. No Products
2. Vendor-agnostic
L2//L3
Network
Access
Control +
TrustSec
To Campus
Shared
Services
Zone
Next-Gen
Intrusion
Prevention
System
App
Server
Zone
PCI
Compliance
Zone
Database
Zone
Flow
Analytics
Host-based
Security
Load
Balancer
Flow
Analytics
Firewall
Anti-
Malware
Threat
Intell-
igence
Access
Control +
TrustSec
Next-Gen
Intrusion
Prevention
System
Next-Generation Firewall Router
L2//L3
NetworkFirewall VPN
Switch
Web
Application
Firewall
Centralized Management
Policy/
Configuration
Visibility/
Context
Analysis
Correlation
Analytics
Logging/
Reporting
Threat
Intelligence
Vulnerability
Management
Monitoring
To Edge
Virtualized Capabilities
WAN

33. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 33
3. Identify existing capabilities
4. What are common missing
capabilities?
Security Capabilities Design
Example
L2//L3
Network
Access
Control +
TrustSec
To Campus
Shared
Services
Zone
Next-Gen
Intrusion
Prevention
System
App
Server
Zone
PCI
Compliance
Zone
Database
Zone
Flow
Analytics
Host-based
Security
Load
Balancer
Flow
Analytics
Firewall
Anti-
Malware
Threat
Intell-
igence
Access
Control +
TrustSec
Next-Gen
Intrusion
Prevention
System
Next-Generation Firewall Router
L2//L3
NetworkFirewall VPN
Switch
Web
Application
Firewall
Centralized Management
Policy/
Configuration
Visibility/
Context
Analysis
Correlation
Analytics
Logging/
Reporting
Threat
Intelligence
Vulnerability
Management
Monitoring
To Edge
Virtualized Capabilities
WAN

34. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34
Interconnected Enclaves
Web
ServerWeb
Server
Permit TCP/80 (HTTP) Permit TCP/22 (SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Inter-Zone
Firewall
Intra-Zone
Firewall
Intra-Zone
Firewall
Web
ServerWeb
Server
Permit TCP/80 (HTTP) Permit TCP/22 (SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Inter-Zone
Firewall
Intra-Zone
Firewall
Intra-Zone
Firewall
Web
ServerWeb
Server
Permit TCP/80 (HTTP) Permit TCP/22 (SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Inter-Zone
Firewall
Intra-Zone
Firewall
Intra-Zone
Firewall
BBI
Data Center
Core
DMZCampus
ACLs/
Firewall
ACLs/
Firewall
AMP or
IDS

35. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 35
Shared Services
Web
ServerWeb
Server
Permit TCP/80 (HTTP) Permit TCP/22 (SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Inter-Zone
Firewall
Intra-Zone
Firewall
Intra-Zone
Firewall
Web
ServerWeb
Server
Permit TCP/80 (HTTP) Permit TCP/22 (SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Inter-Zone
Firewall
Intra-Zone
Firewall
Intra-Zone
Firewall
Web
ServerWeb
Server
Permit TCP/80 (HTTP) Permit TCP/22 (SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Inter-Zone
Firewall
Intra-Zone
Firewall
Intra-Zone
Firewall
Data Center
Core
Permit TCP/5000-5010
Backup
Server
Inter-Zone
Firewall
Backup
Server

39. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 39
Inside The Enclave
Web
ServerWeb
Server
Permit TCP/80 (HTTP) Permit TCP/22 (SSH)
Permit Web
to App
User
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group Permit App
to DB
Deny All
Inter-Zone
Firewall
Intra-Zone
Firewall
Intra-Zone
Firewall
Perimeter
Firewall
AMP or
IPS
SLB
WAAS
SLB

40. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40
Architecture Phase
Assign capabilities to devices

41. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 41
Building the Solution
Lower-level designs with the details

42. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 42
Physical vs. Virtualized
Web
ServerWeb
Server
Permit TCP/80 (HTTP) Permit TCP/22 (SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Intra-Zone
Firewall
Intra-Zone
Firewall
Web
ServerWeb
Server
Permit TCP/80 (HTTP) Permit TCP/22 (SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Intra-Zone
Firewall
Intra-Zone
Firewall
Web
ServerWeb
Server
Permit TCP/80 (HTTP) Permit TCP/22 (SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Intra-Zone
Firewall
Intra-Zone
Firewall
Web
ServerWeb
Server
Permit TCP/80 (HTTP) Permit TCP/22 (SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Intra-Zone
Firewall
Intra-Zone
Firewall

43. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 43
Virtualized vs. Virtualization
Web
ServerWeb
Server
Permit TCP/80
(HTTP)
Permit TCP/22
(SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Intra-Zone
Firewall
Intra-Zone
Firewall
Web
ServerWeb
Server
Permit TCP/80
(HTTP)
Permit TCP/22
(SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Intra-Zone
Firewall
Intra-Zone
Firewall
Web
ServerWeb
Server
Permit TCP/80
(HTTP)
Permit TCP/22
(SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Intra-Zone
Firewall
Intra-Zone
Firewall
Web
ServerWeb
Server
Permit TCP/80
(HTTP)
Permit TCP/22
(SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Intra-Zone
Firewall
Intra-Zone
Firewall

44. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 44
Cloud Provisioning
Stack
Automation and Orchestration
Web
ServerWeb
Server
Permit TCP/80 (HTTP) Permit TCP/22 (SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Inter-Zone
Firewall
Intra-Zone
Firewall
Intra-Zone
Firewall
Web
ServerWeb
Server
Permit TCP/80 (HTTP) Permit TCP/22 (SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Inter-Zone
Firewall
Intra-Zone
Firewall
Intra-Zone
Firewall
Web
ServerWeb
Server
Permit TCP/80 (HTTP) Permit TCP/22 (SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Inter-Zone
Firewall
Intra-Zone
Firewall
Intra-Zone
Firewall
Web
ServerWeb
Server
Permit TCP/80 (HTTP) Permit TCP/22 (SSH)
Permit Web
to App
Web
Group
DB
serverDB
server
DB
Group
App
ServerApp
Server
App
Group
Permit App
to DB
Deny All
Inter-Zone
Firewall
Intra-Zone
Firewall
Intra-Zone
Firewall
Self-Service
Orchestration
Automation

45. Cisco Confidential 45© 2015 Cisco and/or its affiliates. All rights reserved.

46. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 46
Network-Integrated,
Broad Sensor Base,
Context and Automation
Continuous Advanced Threat
Protection, Cloud-Based
Security Intelligence
Agile and Open Platforms,
Built for Scale, Consistent
Control, Management
Security Solutions Strategic Imperatives
Network Endpoint Mobile Virtual Cloud
Visibility-Driven Threat-Focused Platform-Based

47. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 47
Web-zone Fileserver-zoneApplication-zone
Hypervisor
Nexus 7000
Nexus
1000V Primary VLAN 20
VRF
VLAN 20
UCS
VLAN 100
Isolated
VLAN 200
Isolated
VLAN 300
Community
Layer 2 Segmentation
• Isolate VMs in shared Layer 2 subnet
• Limit communication to Layer 3 gateway
• ACLs block unwanted communication
PVLANs for Physical and Virtual Isolation
.1Q Trunk
47

48. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 48
ACI Security
Automated Security With Built In Multi-Tenancy
Security AutomationEmbedded Security
• White-list Firewall Policy Model
• RBAC rules
• Hardened CentOS 7.2
• Authenticated Northbound API (X.509)
• Encrypted Intra-VLAN (TLS 1.2)
• Secure Key-store for Image Verification
• Dynamic Service Insertion and Chaining
• Closed Loop Feedback for Remediation
• Centralized Security Provisioning & Visibility
• Security Policy Follows Workloads
Distributed Stateless Firewall
Line Rate Security Enforcement
Open: Integrate Any Security Device
PCI, FIPS, CC, UC-APL, USG-v6
ACI Services
Graph
Micro-Segmentation
• Hypervisor Agnostic (ESX, Hyper-V, KVM*)
• Physical, Virtual Machine, Container
• Attribute Based Isolation/Quarantine
• Point and Click Micro-segmentation
• TrustSec-ACI Integration
Encryption
• Link MACSEC
• INS-SEC Overlay Encryption
• MKA, SAP
• GCM-AES-256/128-XPN
• GCM-AES-256/128

49. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 49
Segmentation begins with visibility
You can’t protect what you can’t see
Who is on the Network?
And what are they up to?

50. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 50
Make Fully Informed Decisions with Rich Contextual
Awareness
Context
Who
What
Where
When
How
IP address 192.168.1.51
Unknown
Unknown
Unknown
Unknown
Bob
Tablet, iOS, v. 9.1x
Building 200, first floor
11:00 a.m. EST on April 10
Wireless
The right user, on the right device, from the
right place is granted the right access
Any user, any device, anywhere gets on
the network
Result
Poor Context Awareness Extensive Context Awareness

51. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 51
Visibility with Cisco Identity Services Engine (ISE)
Discover Known and Unknown in Your Network
PARTNER CONTEXT
DATA
NETWORK / USER
CONTEXT
How
WhatWho
WhereWhen
CONSISTENT SECURE ACCESS POLICY ACROSS WIRED, WIRELESS and VPN
Access Policy
PxGrid

52. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 52
Flexible and Scalable Policy Enforcement
Switch Router DC FW DC Switch
Security Control Automation
Simplified Access Management
Improved Security Efficacy
access-list 102 deny icmp 76.176.66.41 0.255.255.255 lt 278 169.48.105.37 0.0.1.255 gt 968
access-list 102 permit ip 8.88.141.113 0.0.0.127 lt 2437 105.145.196.67 0.0.1.255 lt 4167
access-list 102 permit udp 60.242.95.62 0.0.31.255 eq 3181 33.191.71.166 255.255.255.255 lt 2422
access-list 102 permit icmp 186.246.40.245 0.255.255.255 eq 3508 191.139.67.54 0.0.1.255 eq 1479
access-list 102 permit ip 209.111.254.187 0.0.1.255 gt 4640 93.99.173.34 255.255.255.255 gt 28
access-list 102 permit ip 184.232.88.41 0.0.31.255 lt 2247 186.33.104.31 255.255.255.255 lt 4481
access-list 102 deny ip 106.79.247.50 0.0.31.255 gt 1441 96.62.207.209 0.0.0.255 gt 631
access-list 102 permit ip 39.136.60.170 0.0.1.255 eq 4647 96.129.185.116 255.255.255.255 lt 3663
access-list 102 permit tcp 30.175.189.93 0.0.31.255 gt 228 48.33.30.91 0.0.0.255 gt 1388
access-list 102 permit ip 167.100.52.185 0.0.1.255 lt 4379 254.202.200.26 255.255.255.255 gt 4652
access-list 102 permit udp 172.16.184.148 0.255.255.255 gt 4163 124.38.159.247 0.0.0.127 lt 3851
access-list 102 deny icmp 206.107.73.252 0.255.255.255 lt 2465 171.213.183.230 0.0.31.255 gt 1392
Traditional Security Policy
Business
Policy
Software Defined Segmentation
Building a Policy Matrix

53. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 53
TrustSec Components
Access
Switch
Router DC FW DC Switch
HR Servers
Enforcement
Fin Servers
ISE DirectoryClassification
User /
Endpoint
Propagation

54. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 54
ISE Dynamically provisions TrustSec
Security Groups in APIC-DC
ACITrustSec
Security Groups External (Outside Fabric) EPGs
TrustSec Security Groups Provisioned in ACI

55. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 55
ISE dynamically learns EPGs and
VM Bindings from ACI fabric
ACI
VM1 VM1000TrustSec Domain
TrustSec
Internal (Inside Fabric) EPGsSecurity Group from APIC-DC
ACI Application Servers are Automatically Propagated
to the TrustSec Domain

56. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 56
Assigning Security Groups
56
Dynamic Classification Static Classification
• IP Address
• VLANs
• Subnets
• L2 Interface
• L3 Interface
• Virtual Port Profile
• Layer 2 Port Lookup
Common Classification for
Mobile Devices
Classification for Servers,
Topology-based assignments.
802.1X Authentication
MAC Auth Bypass
Web Authentication
SGT
56

57. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 57
Nexus 1000V: SGT Assignment in Port Profile
• Port Profile
– Container of network properties
– Applied to different interfaces
• Server Admin assign Port Profiles
• VMs inherit SGT from port-profile
• SGT bound to the VM

58. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 58
Firewall Policy based on SGT
Security Group
definitions from ISE
Trigger FirePower
services by SGT policies
Can still use Network Object (Host,
Range, Network (subnet), or FQDN)
AND / OR the SGT

59. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 59
Evolution of Firepower and ASA
October 2013
Firepower AND
ASA
September 2014
ASA with Firepower Services
ON the ASA-5500-X and
ASA-5585-X
March 2016
Firepower Threat Defense
FOR the ASA-5500-X,
FP-4100, and FP-9300

60. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 60
Introducing FirePOWER 9300
FirePOWER 9300
Security Appliance
Ultra High Performance
High Port Density
Multi-Services
Flexible Programmability
Power Efficiency
Best in Class
Price
&
Performance
Per RU

61. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 61
Security Modules
• Two configurations
SM-36 “Extreme”: 72 x86 CPU cores (up to 80Gbps)
SM-24 “Enterprise”: 48 x86 CPU cores (up to 60Gbps)
• Dual 800GB SSD in RAID1 by default
• Built-in hardware Smart NIC and Crypto Accelerator
Hardware VPN acceleration

62. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 62
Introducing Virtual Security Gateway
• L2 transparent FW
• Inspection between L2 adjacent hosts
• Uses VMware attributes for policy
• L2 separation for East-West traffic
• One or more VSGs per tenant
• Based on Nexus 1000V vPath
Virtual
Hosts
Virtual
Hosts
Virtual
Hosts

63. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 63
Cisco ASAv Platforms
Cisco ASAv30 2 Gbps
Cisco® ASAv5
• ASA Code Base
• Hypervisor Agnostic
• Lab Edition license
Cisco ASAv10 1 Gbps
100 Mbps

64. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 64
Comparing Cisco Virtual Firewalls
Cisco ASAv Cisco VSG
Layer 2 and 3 modes Layer 2 mode
Dynamic and static routing No routing
DHCP server and client support No DHCP support
Site-to-site and RA-VPN No IPsec support
CLI and Cisco®
ASDM, Cisco
Security Manager, and APIC
Cisco Prime NSC
ASA CLI, SSH, and REST API Limited CLI and SSH configuration

65. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 65
Firepower Threat Defense (FTD)
Converged ASA+FirePOWER Image
FirePOWER capabilities + select ASA features
Firepower Management Center 6.0
Same subscriptions as FirePOWER Services
• Delivered via Smart Licensing only
Threat (IPS + SI)
Malware (AMP + ThreatGrid)
URL Filtering
Firepower Threat Defense 6.0
ASA features
Unified ASA / Firepower Rules and
Objects
ASA Dynamic and Static NAT
OSPFv2, BGP4, RIP, Static
Syn Cookies, Anti-Spoofing
ASA ALGs (fixed configuration)
VMware and AWS Support
Smart Licensing Support

66. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 66
Cisco StealthWatch System
Network Reconnaissance Using Dynamic NetFlow Analysis
Monitor Detect Analyze Respond
 Understand your
network normal
 Gain real-time
situational awareness
of all traffic
 Leverage Network
Behavior Anomaly
detection & analytics
 Detect behaviors
linked to APTs,
insider threats,
DDoS, and malware
 Collect & Analyze
holistic network audit
trails
 Achieve faster root
cause analysis to
conduct thorough
forensic investigations
 Accelerate network
troubleshooting & threat
mitigation
 Respond quickly to
threats by taking action
to quarantine through
Cisco ISE
*Cisco acquired Lancope Dec ‘15

67. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 67
Card Processor
Hacked
Server
POS Terminals
ASA
Firewall
Private
WAN
(trusted)
Credit Card
Processor
ASA
Firewall
Stores Data CenterUpdatesfrom
POSServer
HTTPS
Credit Card Processing HTTPS
Internet
ISR G2
Routers
ISR G2
Routers
Wireless
AP
Wireless POS
C3850
Unified
Access
Network as a Sensor
Host Lock Violation and Suspect Data Loss
Public
Internet
Compromised
Server
StealthWatch
FlowCollector
StealthWatch
Management
Console
Cisco ISE
Command and
Collect

68. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 68
AMP Everywhere Deployment AMP
Advanced Malware Protection
Deployment
Options
Email and Web
AMP for Networks
(AMP on
FirePOWER)
AMP for Endpoints AMP Private Cloud
Virtual Appliance
Method License with ESA, WSA,
CWS, or ASA customers
ASA w/ FP, FP Appliances
Install lightweight
connector on endpoints
On-premises Virtual
Appliance
Ideal for
New or existing Cisco
CWS, Email /Web Security,
ASA customers
IPS/NGFW customers
Windows, Mac, Android,
and Linux
High-Privacy Environments
Details
 ESA/WSA: Prime
visibility into email/web
 CWS: web and
advanced malware
protection in a cloud-
delivered service
 AMP capabilities on ASA
with FirePOWER
Services
 Wide visibility inside
network
 Broad selection of
features- before, during,
and after an attack
 Comprehensive threat
protection and response
 Granular visibility and
control
 Widest selection of AMP
features
 Anyconnect delivery
 Private Cloud option for
those with high-privacy
requirements
 For endpoints and
networks
PC/MAC Mobile Virtual
Meraki
Soon

69. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 69
PRODUCTS & TECHNOLOGIES
Umbrella
Enforcement
DNS based security service
protects any device, anywhere
Investigate
Intelligence
Discover and predict
attacks before they happen
OpenDNS Adds to Cisco’s Threat Prevention Portfolio

70. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 70
Advantages of a DNS-based Solution
ANY OPERATING SYSTEM
Win, Mac, iOS, Android,
Linux, ChromeOS, and even
network devices and custom
operating systems
FAST AND SCALABLE
Extremely efficient
query/response method
SIMPLE TO DEPLOY
network’s DHCP tells
every connected device
where to point DNS

71. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 71
Talos is the industry-leading threat intelligence
organization. We detect and correlate threats in real time
using the largest threat detection network in the world to
protect against known and emerging cyber security threats
to better protect your organization.

72. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 72

73. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 73
Talos Research

74. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 74
Cisco Talos Security Intelligence & Research
IPS Rules
Malware
Protection
Reputation
Feeds
Vulnerability
Database
Updates
AEGIS™
Program
Private and
Public
Threat Feeds
Sandnets
FireAMP™
Community
300,000 detections
added per day
Honeypots
Advanced Microsoft
and Industry
Disclosures
Crete Program
100,000 True
Positive
Events/Day
Snort and ClamAV
Open Source
Communities
File Samples
1,100,000 daily
Sandboxing
Machine Learning
Big Data Infrastructure
Threat Grid
Community

75. Cisco Confidential 75© 2015 Cisco and/or its affiliates. All rights reserved.

77. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 77

78. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 78

79. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 79
www.cisco.com/go/vmdc
www.cisco.com/go/safe

81. Thank you.
In collaboration with