Speaker Notes Format
Why is this slide covered? – a high-level overview to show Cisco has a wide breadth of platforms – we are not just an endpoint, firewall, IPS, email, web, DNS or analytics vendor. We have proven evidence that we are leaders in all of these.
What are the 2 or 3 specific points we must get across on this slide? – It takes contextual knowledge of the entire ecosystem to provide those last few percentage points of confidence in stopping threats. Blended advanced persistent threats that are very stealthy and try to get past point-in-time solutions can be uncovered more quickly when we have visibility across all of these. Customers don't need to purchase all of Cisco's solutions to get these benefits, because Talos correlates and consolidates data globally from customers and applies that intelligence locally for all customers.
Is this a competitive positive for Cisco?
Talos is the threat intelligence group at Cisco. We are here to fight the good fight — we work to keep our customers, and users at large, safe from malicious actors.
Defense in depth, even within a firewall, is a key design goal for any security policy. FTD has a variety of controls to ensure the tightest security layer as well as to enforce acceptable use policies.
The flexibility in place includes inspection and controls across the L4-7 packet information. FTD can be configured to pull in feeds from Talos in the form of Security Intelligence. This feed allows the NGFW to intelligently block or allow flows based on IP addresses, URLs and FQDNs.
Application control is also a critical requirement. Which apps are end users allowed to use, and from which zone in your network? Are they allowed to interact with all the micro apps on a website? Can they even use the app in the first place? We have over 4000 pre-defined apps at your control. But we know apps are always changing and you may have your own app you want to control, so AVC and OpenAppID can be easily customized to meet your specific application control needs.
Yet another layer of security control falls under the URL categories. Based on Cisco's Talos intelligence, administrators can define the processing of DNS-layer requests. Do you want to block certain categories? Or just report the end user visiting those sites? Do you want to block on the reputation of a specific site, based on the possibility of that site being compromised?
Combining all of these controls within a single, easy-to-understand policy definition process provides a superior defense-in-depth layer of security.
Speaker Notes Format
Why is this slide covered? This is a critical value that addresses a significant pain point for our customers. Encrypted traffic creates a blind spot for our customers. This blind spot can exist for good reasons, because the stream should not be investigated; maybe it's an employee's banking information or HR data. BUT – what about the malicious traffic now also hiding in the encrypted flows? We must provide the ability to intelligently choose what to decrypt and analyze and, more importantly, not severely impact the performance of the solution.
What are the 2 or 3 specific points we must get across on this slide? We provide industry-leading performance and control capabilities around how we handle encrypted traffic. We can do this in software and in purpose-built hardware. We also provide very detailed logging information around these sessions.
Is this a competitive positive for Cisco?
Encryption can be used for good: we secure our banking information, and we like to see that lock on the website when we do our online shopping. But it is also used for the questionable and, in many cases, by criminal actors. With today's networks becoming more and more blind to the ever-increasing percentage of encrypted traffic, we can no longer take it for granted. Your firewall must be able to understand what is going on. This is usually done by decrypting the flow as a man in the middle. We then scan the traffic and apply our access policy rules. For the allowed/good traffic, the firewall then needs to re-encrypt the traffic and send it on its way. This, when done in software only, imposes a significant inspection tax. Your firewall slows down. You end up tuning or turning off engines in your firewall in order to maintain performance. Many times you are forced to buy a much larger firewall just to support this inspection.
Not with Cisco's NGFW architecture. Embedded in our hardware, we have architected TLS decrypt and encrypt with HW assistance. This greatly reduces the performance impact of understanding what is flowing over those encrypted conversations. With over 80% of your traffic being encrypted, you also require a method to enforce what type of encryption is used for the traffic you want to allow. FTD can enforce the version of TLS as well as the cipher strength. We can allow or block based on whether the certificate is self-signed, and on which cipher suites are allowed or not allowed.
The combination of these controls allows our customers to enforce policies around which types of encryption are used as well as what is allowed to pass. We provide detailed and extensive tracking and logging of the TLS sessions themselves.
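As an added illustration of the version and cipher enforcement described above (example code written for these notes, not from the deck or from Cisco's FTD code), the Python below parses the legacy version and the offered cipher suites out of a TLS ClientHello record and applies a constructed policy: require TLS 1.2 or newer, and block flows that could only ever negotiate a weak suite. The minimum version, the weak-suite set and the sample record are assumptions built here.

```python
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
MIN_VERSION = 0x0303  # constructed policy: require TLS 1.2 or newer
# Suites the constructed policy treats as weak: NULL, export, RC4, 3DES, anonymous DH.
WEAK_SUITES = {0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0006, 0x000A, 0x0018, 0x001B}

def build_client_hello(version, suites):
    """Construct a minimal TLS record carrying a ClientHello (test input only, no extensions)."""
    body = struct.pack(">H", version) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"  # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # record type 22

def parse_client_hello(record):
    """Return (legacy client version, [offered cipher suites]); raise ValueError if malformed."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    if rec_len != 4 + hs_len or len(record) < 5 + rec_len or hs_len < 37:
        raise ValueError("truncated or inconsistent record lengths")
    body = record[9:9 + hs_len]
    version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32              # skip client random
    pos += 1 + body[pos]      # skip session id
    if pos + 2 > len(body):
        raise ValueError("session id overruns the message")
    n = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    if n == 0 or n % 2 or pos + n > len(body):
        raise ValueError("bad cipher_suites length")
    return version, [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]

def evaluate(record):
    """Allow or block a flow from its ClientHello under the constructed policy, with a reason."""
    version, suites = parse_client_hello(record)
    # TLS 1.3 clients still send legacy_version 0x0303 (the real version rides in the
    # supported_versions extension, not parsed here), so they pass the minimum-version check.
    if version < MIN_VERSION:
        return "block", f"client offers {TLS_VERSIONS.get(version, hex(version))}, below TLS 1.2"
    weak = [hex(s) for s in suites if s in WEAK_SUITES]
    if len(weak) == len(suites):
        return "block", "only weak cipher suites offered: " + ", ".join(weak)
    return "allow", f"acceptable suite offered; weak suites to log: {weak or 'none'}"

if __name__ == "__main__":
    print(evaluate(build_client_hello(0x0303, [0xC02F, 0x002F, 0x000A])))  # constructed sample flow
```

A production decrypt policy would also act on the ServerHello (the negotiated suite) and on the server certificate, which this pre-check does not see.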
Speaker Notes Format
Why is this slide covered? While this may not be a significant differentiator for an NGFW, it is required for many deployments. We support the majority of the VPN architectures.
What are the 2 or 3 specific points we must get across on this slide?
Is this a competitive positive for Cisco?
Speaker’s Notes:
In many cases your firewall is also the termination point for your VPN connections. These connections can be site-to-site or end-user VPN tunnels. FTD has inherited much of its VPN technology from our long history with ASA. We have added enhanced configuration and reporting tools to make deployment easier. These VPN architectures can be defined as point-to-point, hub-and-spoke or full mesh. We provide an easy-to-understand graphical representation of these deployments to reduce the potential for errors and decrease the time needed to set up, enforce and troubleshoot VPN configurations.
Speaker Notes Format
Why is this slide covered? To review with the customer that we have many ways to manage our environment. See if the customer has a requirement or desire for on-prem or cloud-based management. Explain that we offer flexible choice and that, over time, the choice of consumption model will broaden (CDO on 4100 and 9300 coming in 6.5, etc.).
What are the 2 or 3 specific points we must get across on this slide? Cisco provides in-depth management solutions across the consumption models. These models can be chosen either by where customers want to manage their devices OR by which group is managing the devices (Security or Network).
Is this a competitive positive for Cisco?
Choosing the correct manager for your next-generation firewall is an important step in designing your deployment. It really comes down to your core use cases and requirements when you are choosing the right manager for your deployment. Cisco provides several options to its customers, ranging from on-box, to on-prem, to cloud-based management. We will dive deeper into each of these in the following slides. The on-box manager for Firepower Threat Defense (FTD), the graphical, intuitive Firepower Device Manager, is free with the FTD device but limits you to managing devices individually. Firepower Device Manager (FDM) enables easy on-box reporting, policy and configuration management of common tasks.
Centralized management is available in two consumption models: on-premise and cloud. Let's take a look at on-prem first. The Firepower Management Center (FMC) provides comprehensive security administration and automation of multiple devices. Customers can leverage FMC to centrally manage stateful services, configurations and policies, and the Firepower firewall features, in a single image. In the cloud, we have the Cisco Defense Orchestrator (CDO), which enables centralized cloud-based policy orchestration and reporting for multiple sites and multiple security products (ASA, FTD, Meraki, with more being added over time) from a single cloud-based interface.
As we step toward achieving a larger GOAL:
You can already get a glimpse of it with FDM, our local FTD manager, which is supported on low- and mid-range platforms today, with a modern UX and workflows that are optimized for the commercial use case.
And one of the key benefits is that it is made to co-exist with our cloud manager, CDO.
The network operations teams need a solution that can:
Manage Policy Changes Across Many Devices Consistently and Easily: Critical to maintaining your security posture, but time consuming and prone to human error when done across MANY devices. Simple, efficient and effective policy management is critical.
Your Business Is Not Static: As your business evolves you need a solution that will scale to meet its needs! Adding devices needs to be easier and consistent. Ongoing, holistic management across devices is critical! Running the most optimal, secure environment is required!
We Must Be Ahead of the Threats: Updating a platform's firmware or policy cannot take days when our company is at risk. It MUST happen quickly!
And lastly, Do More With Less: On top of the increased workload, you are often expected to meet growing demands with a team that just isn't getting any bigger.
Overall, this means you need an integrated security solution that is not only effective, but also simpler and more consistent to manage. You need a systematic way to improve your security posture and provide robust security policy management across all of your locations.
In addition, CDO will soon add AWS, Umbrella SIG, Meraki MX and Cisco Secure SD-WAN to its capability set. Write and set policy once, eliminating the chance of human error and bringing consistency to your security posture across the entire hybrid network.
Speaker - FYI
Where are CDO Data Centers?
AWS – US West (Oregon)
AWS – US East (Virginia)
AWS – EU Central (Frankfurt)
Can I sell CDO if out of region?
YES! CDO transactions are low overhead and we have clients all over the world with services out of the US or EMEAR.
ASA (available) - Shared objects, Shared policies, Device management, CLI automation
FTD (June 2019) - Layer 3, 4 and 7, IPS and malware, Objects, policies, Device management
Meraki (June 2019) - Layer 3 rules, NAT, shared objects with ASA and FTD
AWS (August 2019) - Security groups orchestration, VPN topology
SD-WAN (Dec 2019) - Policy management, VPN management
CDO is an open platform leveraging APIs, making it easy for us to extend CDO to additional platforms.
Note: Meraki support available August 2019
FTD 6.5 is expected in Fall 2019
Cisco.com/go/cdo
Find details about pricing and demos on Salesconnect
Free CDO with new hardware sales as part of our “Ignite the Firewall” partner program
Slide 21-23: Should clean up, but I can take the lead on this one. I’ll probably incorporate into one or two slides.