The Network as a Sensor, Cisco and Lancope
Se está descargando tu SlideShare.
×
Eche un vistazo a continuación
Recomendado
Más Contenido Relacionado
Presentaciones para usted (20)
Similares a TechWiseTV Workshop: OpenDNS and AnyConnect (20)
Más de Robb Boyd (20)
Más reciente (20)
TechWiseTV Workshop: OpenDNS and AnyConnect
- 1. OpenDNS and AnyConnect Adam Winn, Product Manager Aug 30th, 2016
- 2. DNS-Layer Network Security Delivered from the Cloud OpenDNS Umbrella Overview
- 3. Desktops Business Apps Critical Infrastructure
- 4. Desktops Business Apps Critical Infrastructure Critical Infrastructure (Amazon, Rackspace, Windows Azure, etc.) Business Apps (Salesforce, Marketo, DocuSign, etc.) Roaming Laptops Remote Users
- 5. The NGFW Improves Perimeter Security But Relies on the VPN to Protect Roaming Users Last 20 years of security outside the perimeter: VPN on REMOTE ACCESS
- 6. But Not Every Connection Goes Thru the VPN Creating a Blind Spot for the NGFW VPN off* *or split tunnel Not all traffic —over all ports, all the time— is backhauled
- 7. By 2018, Gartner estimates: 25% of corporate data traffic will bypass perimeter security.
- 8. The Way Your Employees Work has Changed 82%of workers admit to not always using VPN Your network extends beyond the perimeter, and your security must, too. 49%of the workforce is mobile and under defended Security may never stop 100% of the threats, but it must work 100% of the time.
- 9. INTERNET MALWARE C2/BOTNETS PHISHING AV AV AV AV ROUTER/UTM AV AV ROUTER/UTM SANDBOX PROXY NGFW NETFLOW AV AV AV AV MID LAYER LAST LAYER MID LAYER LAST LAYER MID LAYER FIRST LAYER Where Do You Enforce Security? Perimeter Perimeter Perimeter Endpoint Endpoint CHALLENGES Too Many Alerts via Appliances & AV Wait Until Payloads Reaches Target Too Much Time to Deploy Everywhere BENEFITS Alerts Reduced 2-10x; Improves Your SIEM Traffic & Payloads Never Reach Target Provision Globally in UNDER 30 MINUTES
- 10. Predict Threats Before They Happen Real-time, diverse data reveals internet activity patterns, which we learn from to identify attacker infrastructure How We Do It Security Efficacy and Performance DNS xyz.com 1.2.3.4 Blocks malicious domain requests and IP responses as DNS queries are resolved No Extra Agents or User Actions Integrated into Cisco AnyConnect for Windows and Mac, and there’s nothing new for end-users to do
- 11. Requests Per Day 80B Countries 160 Daily Active Users 65M Customers 12K Our Perspective Diverse Set of Data
- 12. Statistical Models • Identifies other domains looked up in rapid succession of a given domain • Correlations uncover other domains related to an attack “C-Rank” Model (co-occurrences) • Detect domain names that spoof brand and tech terms in real-time “NLP-Rank” Model (Natural Language Processing) • Live DGA • SecureRank Many More Models • Geo-Diversity • Geo-Distance Earliest & Most Accurate Predictions & Classifications • Detect domains with sudden spikes in traffic • Finds domains involved in active attacks “SP-Rank” Model (Spike Rank) • Analyzes how servers are hosted to detect future malicious domains • Identifies steps that precede malicious activity Predictive IP Space Monitoring 1M+ Live Events Per Second FULLY AUTOMATED
- 13. No One Combines Better Performance & Effectiveness #1 Fastest & Most Reliable DNS w/ 65M+ Users 3M+ Daily New Domain Names Discovered 60K+ Daily Malicious Destinations Identified 7M+ Total Malicious Destinations Enforced
- 14. OpenDNS and AnyConnect Working Together To Simplify Security
- 15. • OpenDNS Umbrella: Cloud-delivered, predictive network security service for DNS and IP activity. • Cisco Umbrella Roaming: Limited version of OpenDNS Umbrella. For off-network/off-VPN protection. Sold alongside AnyConnect, ASA and NGFW. Cisco-branded. Key Definitions
- 16. • Umbrella Roaming Client (URC): A lightweight, standalone agent that tags and directs an endpoint’s DNS requests to Umbrella. Comes with OpenDNS Umbrella* and Cisco Umbrella Roaming. For Windows and OS X. • Umbrella Roaming module for AnyConnect: A new AnyConnect 4.3 module that performs the same functions as the standalone URC. Comes with OpenDNS Umbrella* and Cisco Umbrella Roaming. For Windows and OS X. Key Definitions * OpenDNS Umbrella Professional, Insights, Platform, and MSP
- 17. • On-premises users are protected by stacks of security products • Remote workers must use VPN to get the same level of protection Umbrella Roaming: The Challenge Under-protected off-network users VPN on SANDBOX PROXY NGFW NETFLOW
- 18. • But VPN utilization is decreasing • 82% of workers admit to not always using VPN when remote Umbrella Roaming: The Challenge Under-protected off-network users SANDBOX PROXY NGFW NETFLOW VPN off
- 19. Cisco Umbrella Roaming VPN on VPN off ODNS active SANDBOX PROXY NGFW NETFLOW Umbrella Malware Phishing Sites C2 Callbacks Block Cloud-Delivered Security Service for Cisco NGFW Protection when off the VPN no additional agent required* Visibility and enforcement at the cloud-edge via DNS Block requests to malicious domains and IPs Predictive intelligence uncover current and emergent threats * When used with the AnyConnect Umbrella module
- 20. Security or System Admin’s Machine Building Installation Package Download Profile for AnyConnect Module dashboard2.opendns.com* Download AC Push- or Pull-Deploy Image software.cisco.com 4.3 *Currently at dashboard2.opendns.com, but will switch to dashboard.umbrella.com in November One-Time Process
- 21. Uploading Installation Package 4.3 Create/Edit VPN Policy to Include Umbrella Module “PUSH” OPTION Upload AC 4.3 and All Files to Endpoint Software Distribution “PULL” OPTION Upload AC 4.3 and All Files to ASA or ISE
- 22. Optional Automatic Updates Eliminates On-Going Maintenance for AnyConnect AnyConnect update on cisco.com Umbrella service Umbrella module enabled in AnyConnect Umbrella service regularly checks for new AnyConnect versions, which includes all modules, not just “Roaming Security” Umbrella module regularly checks for updates, and automatically installs new version without admin or user intervention
- 23. Easy Upgrade Experience: Demo
- 24. AnyConnect Module: How We Enforce Security at the DNS Layer
- 25. Built-in OS Components .NET API Windows Registry WMI Configuration Any Running App Cisco AnyConnect Roaming Module CISCO NGFWCISCO UMBRELLA STEP 2a domains resolved by OpenDNS when outside VPN and not local or STEP 2b domains resolved by your DNS server when VPN tunneled or if local LOCAL DNS SERVER Any Running App Cisco AnyConnect Roaming Security CISCO UMBRELLA Any Running App LOCAL DNS SERVER Cisco AnyConnect Roaming Module CISCO UMBRELLA DNS Forwarded to Umbrella or Local DNS Server encrypted EDNS request w/device ID forwards the identical DNS request enforces security policy based on threat intel & device ID response from your DNS server returns IP to requested domain or block page DNS requests to internal domains START HERE! DNS requests to Internet domains START HERE! STEP 1 watch for new networks, exempted domains & VPN status device ID device ID device ID LOCAL DHCP SERVER Internal, split tunnel, & search domain lists for customer AnyConnect Driver AnyConnect Driver AnyConnect Driver
- 26. Powerful Security With No Complexity or Latency: Demo
- 27. Simple for Both Security & Sysadmin Teams 1 Enable roaming in minutes 2 Global security by default 3 Instant visibility into threats 4 Detailed logs for incident response
- 28. Where Does Umbrella Fit With CWS? INTERNET ON NETWORK ALL OTHER TRAFFIC WEB TRAFFIC EMAIL TRAFFIC INTERNET ALL OTHER TRAFFIC WEB TRAFFIC EMAIL TRAFFIC OFF NETWORK ASA/FirePOWER DPI/block by IP, URL, packet, or file ESA/CES blocks by sender, content, or file WSA/CWS proxy/block by URL, content, or file ESA/CES blocks by sender, content, or file CWS proxy/block by URL, content, or file Umbrella resolve/block by domain, IP, or URL Umbrella resolve/block by domain, IP, or URL AMP FOR ENDPOINT check/block hash AMP FOR ENDPOINT check/block hash
- 29. • What version of the AnyConnect Client does this work on? o Minimum 4.3 MR1 (4.3.01095) for Windows and Mac • Is there a minimum ASA version required? o Not for the Umbrella Roaming module • Do I have to change the configuration on my ASA? o Not for pre-deploy. The ASA won’t override manual installations and profiles for Umbrella module. • Does it require a separate license? o The Roaming Security module is included with AnyConnect Plus or Apex subscriptions. Devices without AnyConnect can use the Umbrella Roaming Client (standalone) that is included with most Umbrella subscriptions. In either case, an Umbrella subscription is still required. • Is it available for iOS, Android or Chromebook? o While on-network, these devices can be protected with network-level policies (Umbrella Professional and above). There are no off-network agents for these platforms at this time. FAQ
- 30. • IP Layer Enforcement* • Active Directory integration for policies and reporting* • Change Root CA from OpenDNS to Cisco** • And much more… AnyConnect Umbrella Module: Roadmap * OpenDNS Umbrella Insights, Platform, and MSP ** Most relevant to OpenDNS Umbrella Insights and above
- 31. Thank you for watching.
- 32. Appendix
- 33. Umbrella Roaming: Order of Operations Umbrella service AnyConnect Umbrella module 1. Probe to determine network state 2. Tell AnyConnect to pass DNS queries 3. (If non-local domain) Creates EDNS0* packet, embeds unique device id 4. (and if port 443 is open) Encrypt data w/DNScurve** 5. Gives packet to AnyConnect, to forward to OpenDNS’s anycast IP address for DNS resolution root com. domain.com . Authoritative Nameservers *https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS **https://dnscurve.org/ Umbrella service 1. (if encrypted) decrypts DNS query 2. Checks domain and hostname for policy 3. (if not blocked or globally cached) resolves IP 4. Checks IP against intel 5. (if domain & IP safe) returns destination IP or (if domain or IP bad) returns block page IP Umbrella module in AnyConnect
- 34. AnyConnect Module: States of Operation PROTECTED BY UMBRELLA Protected by Umbrella Non-local domain requests forwarded to 208.67.222.222 over 53/UDP Protected & Encrypted Non-local domain requests forwarded to 208.67.222.222 over 443/UDP Protected… …by Umbrella Network* …by Umbrella VA* Probes Umbrella service; unlikely state as its for different Umbrella packages Configuring Probing after network state change Unprotected - Can’t Connect - Missing Profile - Service Unavailable Disabled - Full-Tunnel VPN Active - Trusted Network Detected* NOT PROTECTED BY UMBRELLA ADDITIONAL STATES SHOWN IN PORTAL Offline Service unable to sync with module for a certain time period (e.g. computer not turned on) Uninstalled End-user or admin properly removed module * For other Umbrella packages, IP-Layer Enforcement may be provided by the module even in these states
- 35. 2016 Cisco Annuual Security ReportWEBNON-WEB 15%of C2 bypasses Web ports 80 & 443 DNSIP IP 91%of C2 can be blocked at the DNS layer Why Add Security at the DNS Layer? Lancope Research 68%of orgs don’t monitor recursive DNS
