Security Before, During and After - CLLE 2014 (Local Edition)

A New Paradigm for Information Security

Tim Ryan, Security Consulting Engineer, Public Sector East
Don Prince, Security Consulting Engineer, Public Sector East

Upload: cisco-public-sector

Post on 17-Jan-2015

TRANSCRIPT

Page 1: Security before during and after clle 2014

Local Edition

A New Paradigm for Information Security

Tim Ryan, Security Consulting Engineer, Public Sector East

Don Prince, Security Consulting Engineer, Public Sector East

Page 2: Security before during and after clle 2014

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public – Local Edition

Agenda

• Threat Continuum – Before, During & After

• Building an Enterprise Access Control System with ISE

• ASA Features and Futures

• Web Security Review

• Q&A


Page 3: Security before during and after clle 2014

Local Edition

Before, During and After Threat Mitigation


Page 4: Security before during and after clle 2014

Verizon Data Breach Report Statistics

From OVER 850 BREACHES LAST YEAR - 2012

• 98% STEMMED FROM EXTERNAL AGENTS

• 81% UTILIZED SOME FORM OF HACKING

• 69% INCORPORATED MALWARE

• 96% OF ATTACKS NOT HIGHLY DIFFICULT

Malware Detection Methods

• 49% External Party – LE, Fraud Detection Org., Customer, etc.

• 28% Self Detection, Passive – Employee, Slow Network, etc.

• 16% Self Detection, Active – Security Devices

How can you increase this number?

Page 5: Security before during and after clle 2014

FBI - 2013 Threat Information - By The Numbers

From a recent presentation given to Cisco by an FBI field agent

63% of victims were notified by an external entity

77% of intrusions used publicly available malware

Valid credentials were used in 100% of cases

229 = median number of days that the attackers were present on the network before detection

40% of victims were attacked again after the initial remediation

Details on the SSL Heartbleed Vulnerability: http://www.cisco.com/security

If you knew you were going to be compromised, would you do security differently?

Page 6: Security before during and after clle 2014

CryptoLocker Ransomware

Report all CryptoLocker complaints to the FBI via: www.ic3.gov

• Typically delivered via an email attachment or a URL link to a software download

• Once installed, it encrypts files on the victim's computer using AES; the private key is controlled and kept by the bad guys

• It will also encrypt files on network shares accessible by the victim

• A message popup tells the user to deposit money via MoneyPak or Bitcoin or the files will be locked forever

• EASY to Prevent – DON'T CLICK !!

• Hard to recover unless you have good backup data

Page 7: Security before during and after clle 2014

[Figure: Attack Continuum – BEFORE: Control, Enforce, Harden; DURING: Detect, Block, Defend; AFTER: Scope, Contain, Remediate; spanning Network, Endpoint, Mobile, Virtual and Cloud; Point in time and Continuous]

What Device Types, Users & Applications should be on the Network?

BEFORE THE ATTACK: You need to know what's on your network to be able to defend it – devices / OS / services / applications / users (FireSight)

Access Controls, Enforce Policy, Manage Applications and overall access to assets.

Access Controls reduce the attack surface, but there will still be holes that the bad guys will find. ATTACKERS DO NOT DISCRIMINATE. They will find any gap in defenses and exploit it to achieve their objective.

The Next Generation Security Model

Page 8: Security before during and after clle 2014

[Figure: Attack Continuum]

DURING THE ATTACK: Must have the highest-efficacy threat detection mechanisms possible. Detection methods MUST be multi-dimensional and correlated. Once we detect attacks, NGIPS can block them and dynamically defend the environment.

The Next Generation Security Model

Page 9: Security before during and after clle 2014

[Figure: Attack Continuum]

AFTER THE ATTACK: Cross-device information sharing – evolving. Invariably some attacks will be successful, and customers need to be able to determine the scope of the damage, contain the event, remediate, and bring operations back to normal. Also need to address a broad range of attack vectors, with solutions that operate everywhere the threat can manifest itself – on the network, endpoint, mobile devices, virtual environments, including cloud.

The Next Generation Security Model

Page 10: Security before during and after clle 2014

Mapping Technologies to the Model

[Figure: Attack Continuum – BEFORE: Control, Enforce, Harden; DURING: Detect, Block, Defend; AFTER: Scope, Contain, Remediate]

Visibility and Context

Technologies mapped across the continuum: Firewall, App Control, Identity Services + NAC, VPN, Vuln Mgmt, Next Gen IPS, Web/Email, Anti-Malware, Malware Tracking & Remediation, Netflow, Forensics, Log Mgmt, SIEM

Page 11: Security before during and after clle 2014

Cisco SIO – Security Intelligence Operations, and Sourcefire VRT – Vulnerability Research Team

World's Largest Cloud-Based Threat Intel & Defense

[Figure: SIO pushes signatures and web categories to the Email Gateway, ASA-CX Firewall (App Visibility, Web Security), Web Security Appliances, Cloud Web Security and Intrusion Prevention (IPS, Sourcefire VRT); Visibility is gathered from WWW, Email, Web, Devices and Networks; Control is applied back to them]


1.6M global sensors

75TB of live data feeds are received per day

150M+ deployed endpoints

35% of worldwide email traffic

13B web requests

Dynamically Updated Security Solutions

5,500+ IPS signatures produced

8M+ rules per day

200+ parameters tracked

70+ publications produced

40+ languages

600+ engineers, technicians and researchers

$100M+ spent in dynamic research and development

80+ Ph.D.s, CCIE, CISSP, MCSE

24x7x365 operations

Zero-day detection: 3-5 minute database updates

Reputation-based Malware Protection

www.ironport.com/toc

www.cisco.com/security

Page 12: Security before during and after clle 2014

Collective Security Intelligence

Page 13: Security before during and after clle 2014

Local Edition

Building an Enterprise Access Control Architecture with ISE


BEFORE DURING AFTER

Page 14: Security before during and after clle 2014

Cisco Secure Access Architecture & TrustSec

Identity and Context-Centric Security

[Figure: a Centralized Policy Engine takes Identity (WHO, WHAT, WHEN, WHERE, HOW) and Security Policy Attributes from Users and Devices, applies Business-Relevant Policies, and drives Dynamic Policy & Enforcement: Application Controls, Monitoring and Reporting, Security Policy Enforcement]

Page 15: Security before during and after clle 2014

Identity Services Engine – Policy Server Designed for Secure Access

[Figure: ACS, Profiler, Guest Server, NAC Manager and NAC Server converge into the Identity Services Engine]

• Centralized Policy

• RADIUS Server

• Secure Group Access

• Posture Assessment

• Guest Access Services

• Device Profiling

• Monitoring

• Troubleshooting

• Reporting

• Device Registration

• Supplicant and Cert Provisioning

• Mobile Device Management

• Certificate Authority*

• Identity Resource*

• MDM Lite*

* Coming Soon

Page 16: Security before during and after clle 2014

Local Edition

Authentication, Authorization, and Accounting

“Who” is Connecting, Access Rights Assigned, and Logging It

Page 17: Security before during and after clle 2014

ISE is a Standards-Based AAA Server

Access Control System Must Support All Connection Methods

Supports Cisco and 3rd-party solutions via standard RADIUS, 802.1X, EAP, and VPN protocols

[Figure: Wired and Wireless access (802.1X = EAP over LAN, WebAuth & MAC Bypass) and VPN (SSL / IPsec) all reach the ISE Policy Server over RADIUS; Cisco Prime is also shown]

Page 18: Security before during and after clle 2014

Separation of Authentication and Authorization

[Figure: a Policy Set Condition selects a Policy Group; each group holds separate Authentication and Authorization rules]

Page 19: Security before during and after clle 2014

Authentication Rules – Obtaining & Validating Credentials

Authentication Options: RADIUS – 802.1X / MAB / WebAuth

RADIUS Attributes: Service-Type, NAS IP, Username, SSID, …

EAP Types: EAP-FAST, EAP-TLS, PEAP, EAP-MD5, Host lookup, …

Identity Source: Internal / Certificate, Active Directory, LDAPv3, RADIUS, Identity Sequence

Page 20: Security before during and after clle 2014

Authorization Rules

RADIUS – 802.1X / MAB / WebAuth

Return standard IETF RADIUS / 3rd-party Vendor Specific Attributes (VSAs):

• ACLs (Filter-ID)

• VLANs (Tunnel-Private-Group-ID)

• Session-Timeout

• IP (Framed-IP-Address)

• Vendor-Specific including Cisco, Aruba, Juniper, etc.

Page 21: Security before during and after clle 2014

ISE Authorization Policy Definition – Customized

Conditions: Device Type, Location, User, Posture, Time, Access Method, Custom

Page 22: Security before during and after clle 2014

What About That 3rd “A” in “AAA”?

Accounting - Reporting

Page 23: Security before during and after clle 2014

Detailed Visibility into System Operations

Page 24: Security before during and after clle 2014

ISE Session Log – Session Tracking & Searching

Disconnect a device; search by user / device

Page 25: Security before during and after clle 2014

Local Edition

Profiling – “What” is Connecting to My Network?


Page 26: Security before during and after clle 2014

Profiling

[Figure: PCs and non-PCs (UPS, Phone, Printer, AP) connecting to the network – How?]

• What ISE Profiling is:

– Dynamic classification of every device that connects to the network, using the infrastructure.

– Provides the context of “What” is connected, independent of user identity, for use in access policy decisions.

• What Profiling is NOT:

– An authentication mechanism.

– An exact science for device classification.

Page 27: Security before during and after clle 2014

Profiling Policy Overview

Profile Policies Use a Combination of Conditions to Identify Devices

Profile Library example (iPad):

Is the MAC Address from Apple?

DHCP:host-name CONTAINS iPad

IP:User-Agent CONTAINS iPad

→ “I am fairly certain this device is an iPad” → Assign this MAC Address to ID Group “iPad”

Probe data sources: CDP/LLDP/DHCP/mDNS/MSI/H323/RADIUS; HTTP/DHCP/RADIUS

Future: Sourcefire feed, passive OS/App fingerprinting
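The iPad profile above, worked as a small certainty-scoring profiler. This is an added example, not the deck's or ISE's own code: the condition weights, the minimum certainty, the vendor OUI table and the endpoint attribute sets are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed vendor OUI table for the example (illustrative prefixes only).
OUI_VENDOR = {"00:1C:B3": "Apple", "3C:07:54": "Apple", "00:50:56": "VMware"}


@dataclass
class Condition:
    name: str
    check: Callable[[Dict[str, str]], bool]
    certainty: int      # points this condition contributes (constructed weights)


@dataclass
class Profile:
    name: str
    min_certainty: int  # constructed threshold the total must reach
    conditions: List[Condition] = field(default_factory=list)


def oui_of(mac: str) -> str:
    return mac.upper()[:8]


def attr_contains(attr: str, needle: str) -> Callable[[Dict[str, str]], bool]:
    """Build an 'ATTRIBUTE CONTAINS value' condition like the ones on the slide."""
    return lambda ep: needle.lower() in ep.get(attr, "").lower()


# The iPad profile from the slide: Apple OUI, DHCP:host-name CONTAINS iPad,
# IP:User-Agent CONTAINS iPad. Weights are assumptions for the example.
IPAD = Profile("iPad", min_certainty=30, conditions=[
    Condition("MAC OUI is Apple",
              lambda ep: OUI_VENDOR.get(oui_of(ep["MAC"])) == "Apple", 10),
    Condition("DHCP:host-name CONTAINS iPad", attr_contains("DHCP:host-name", "iPad"), 10),
    Condition("IP:User-Agent CONTAINS iPad", attr_contains("IP:User-Agent", "iPad"), 20),
])


def score(profile: Profile, endpoint: Dict[str, str]) -> Tuple[int, List[str]]:
    """Total certainty for one profile plus the names of the matched conditions."""
    matched = [c for c in profile.conditions if c.check(endpoint)]
    return sum(c.certainty for c in matched), [c.name for c in matched]


def classify(endpoint: Dict[str, str], profiles: List[Profile]) -> str:
    """Highest-scoring profile that reaches its minimum certainty, else 'Unknown'.
    The answer is context about WHAT the device looks like, never proof of WHO
    is using it (slide 26: profiling is not an authentication mechanism)."""
    best_name, best_score = "Unknown", 0
    for p in profiles:
        total, _ = score(p, endpoint)
        if total >= p.min_certainty and total > best_score:
            best_name, best_score = p.name, total
    return best_name


# Constructed endpoint attribute sets, as the DHCP/HTTP/RADIUS probes would collect them.
SAMPLE_ENDPOINTS = {
    "full-ipad":   {"MAC": "3c:07:54:aa:bb:01", "DHCP:host-name": "Sarahs-iPad",
                    "IP:User-Agent": "Mozilla/5.0 (iPad; CPU OS 7_1 like Mac OS X)"},
    # HTTP probe never saw this device, so only 20 points: below the threshold.
    "apple-no-ua": {"MAC": "3c:07:54:aa:bb:02", "DHCP:host-name": "iPad"},
    "mac-laptop":  {"MAC": "00:1c:b3:aa:bb:03", "DHCP:host-name": "MacBook-Pro",
                    "IP:User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9)"},
    # Non-Apple OUI but iPad-looking DHCP and HTTP data still reaches 30 points:
    # "not an exact science", which is why the result feeds policy context only.
    "vm-claims-ipad": {"MAC": "00:50:56:aa:bb:04", "DHCP:host-name": "iPad",
                       "IP:User-Agent": "iPad"},
}


def profile_samples() -> Dict[str, str]:
    return {name: classify(ep, [IPAD]) for name, ep in SAMPLE_ENDPOINTS.items()}
```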

Page 28: Security before during and after clle 2014

How Is the Profile Library Kept Current With the Latest Devices?

• Dynamic Feed Service

– Live update service for new profiles and OUI files

– Cisco and Cisco partners contribute to the service

– Opt-in model: new profiles automatically downloaded from Cisco.com and applied to the live system.

Page 29: Security before during and after clle 2014

Local Edition

Web Authentication

Page 30: Security before during and after clle 2014

Network Access for Guests and Employees

• Unifying network access for guest users and employees

On wireless: using multiple SSIDs – a Corporate SSID and an open SSID for Guest

On wired: no notion of SSID – a unified port needs to use different authentication methods on a single port

[Figure: one SWITCHPORT serving an Employee Desktop, a Printer, a Guest/Contractor and an IP Phone; wireless with SSID Corp and SSID Guest]

► Enter Flex Auth

Page 31: Security before during and after clle 2014

Flex Auth For Wired Ports

Converging Multiple Authentication Methods on a Single Wired Port

802.1X → (timeout/failure) → MAB → (timeout/failure) → WebAuth

Interface Config:

interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 !
 authentication event fail action next-method
 authentication order dot1x mab
 authentication priority dot1x mab

Page 32: Security before during and after clle 2014

Building the Architecture in Phases

Wired Deployment Models – Access-Prevention Technology

– A Monitor Mode is necessary

– Must have ways to implement and see who will succeed and who will fail

Determine why, and then remediate before taking 802.1X into a stronger enforcement mode.

Solution = Phased Approach to Deployment:

– Monitor Mode (Low Security – Connectivity over Security)

– Low-Impact Mode (Medium Security – Balanced Security)

-or-

– Closed Mode (High Security – Security over Connectivity)

Page 33: Security before during and after clle 2014

Monitor Mode – A Process, Not Just a Command

Interface Config:

interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator

• Enables 802.1X authentication on the switch, but even a failed authentication will gain access

• Allows network admins to see who would have failed, and fix it, before causing a Denial of Service

AuthC = Authentication, AuthZ = Authorization

Page 34: Security before during and after clle 2014

Low-Impact Mode – If Authentication Is Valid, Then Specific Access!

• Limited access prior to authentication

• AuthC success = role-specific access

• dVLAN assignment / dACLs

• Secure Group Access

• Still allows pre-AuthC access for thin clients, WoL & PXE boot devices, etc.

Interface Config:

interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 ip access-group default-ACL in

Page 35: Security before during and after clle 2014

Closed Mode – No Access Prior to Login, Then Specific Access!

• Default 802.1X behavior

• No access at all prior to AuthC

• Still use all AuthZ enforcement types: dACL, dVLAN, SGA

• Must take thin clients, WoL, PXE devices, etc. into consideration

Interface Config:

interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
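The three interface configs differ only in `authentication open` and the ingress ACL, which makes the deployment phase of every port auditable from the running-config. The following is an added example (not from the deck): it parses a constructed IOS-style config excerpt, classifies each port as Monitor, Low-Impact or Closed by those rules, and lists the ports still behind a target phase of the rollout.

```python
import re
from typing import Dict, List

# Ordered phases from the slides: a port should move to the right over time.
PHASES = ["No 802.1X/MAB", "Monitor", "Low-Impact", "Closed"]

# Constructed running-config excerpt: one port per mode plus an untouched uplink.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 ip access-group default-ACL in
!
interface GigabitEthernet1/0/3
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/48
 description uplink - no authentication configured
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' block to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # '!' or a global command ends the block
    return blocks


def port_mode(lines: List[str]) -> str:
    """Classify one port by the three interface configs on the slides."""
    enforcing = "authentication port-control auto" in lines and \
                ("dot1x pae authenticator" in lines or "mab" in lines)
    if not enforcing:
        return "No 802.1X/MAB"
    pre_auth_open = "authentication open" in lines
    has_ingress_acl = any(re.fullmatch(r"ip access-group \S+ in", l) for l in lines)
    if pre_auth_open and has_ingress_acl:
        return "Low-Impact"        # open, but pre-AuthC traffic limited by the default ACL
    if pre_auth_open:
        return "Monitor"           # open with no ACL: a failed AuthC still gets full access
    return "Closed"                # no 'authentication open': nothing before AuthC


def audit(config: str) -> Dict[str, str]:
    return {name: port_mode(lines) for name, lines in parse_interfaces(config).items()}


def ports_behind(config: str, target: str) -> List[str]:
    """Ports that have not yet reached the target phase (trunks/uplinks are
    reported too; filter them out in a real audit)."""
    want = PHASES.index(target)
    return sorted(n for n, m in audit(config).items() if PHASES.index(m) < want)
```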

Page 36: Security before during and after clle 2014

Condition is to match RADIUS attribute Service-Type = 10 (Call-Check) AND [NAS-Port-Type = 15 (Ethernet) OR NAS-Port-Type = 19 (Wireless IEEE 802.11)]

By default, use the Internal Endpoints DB as the ID Source; the MAC address is authenticated if it is found in the DB.

If the MAC address lookup fails, reject the request and send an Access-Reject (the default).

If the MAC address lookup returns no result and ‘If user not found’ is set to ‘Continue’, carry on with the process and move to authorization.

ISE Central Web Auth (CWA) uses URL redirection

• MAB requests from a failed-auth user or a timed-out user can still be processed to return a specific authorization result (VLAN, dACL, URL-Redirect, and SGT)

• By default, the ‘If user not found’ value is set to ‘Reject’

Page 37: Security before during and after clle 2014


URL Redirection

ISE uses URL Redirection for:

Central Web Auth

Client Software Provisioning

Posture Discovery / Assessment

Device Registration WebAuth

BYOD On-Boarding

Certificate Provisioning

Supplicant Configuration

Mobile Device Management

External Web Pages

Page 38: Security before during and after clle 2014

Local Edition

Integrated Guest Services and Lifecycle Management


Page 39: Security before during and after clle 2014

Components of a Full Guest Lifecycle Solution

Authenticate/Authorize: the guest via a guest portal on ISE

Provisioning: guest accounts via the sponsor portal

Notify: guests of account details by print, email, or SMS

Manage: sponsor privileges, guest accounts and policies, guest portal

Report: on all aspects of guest accounts

Page 40: Security before during and after clle 2014

Guest Self-Service

For Your Reference

Page 41: Security before during and after clle 2014

Sponsor Portal – Create Guest Accounts

For Your Reference

Customizable fields

• Define if mandatory (*) or optional

• Can add up to 5 other custom attributes with custom labels

Guest roles and time profiles

• Pre-defined by admin

Language templates

• Customizable guest notifications by language and general preferences

Page 42: Security before during and after clle 2014

ISE – Multiple Guest Portals

• Several portals may be needed to support different groups/users based on:

– Location / country

– Type of device: WLC, switches

– Local language support

• ISE can hold several portals

• Multiple portals can be used simultaneously for authentication

Page 43: Security before during and after clle 2014

Guest Deployment and Path Isolation

• Isolation at access layer (port, SSID)

• Layer 2 path isolation:

CAPWAP & VLANs for wireless

L2 VLANs for wired

• Layer 3 path isolation:

VRF (Virtual Routing and Forwarding) to Firewall guest interface

Various tunnel methods: GRE, VPN, MPLS

[Figure: Corporate Access Layer (Corporate and Guest VLANs, WLC with CAPWAP) → L3 Switches with VRF (Global, Employee VRF, Guest VRF) → Cisco ASA Firewall (Inside, DMZ, Guest DMZ, Outside) → Corporate Intranet / Internet]

Page 44: Security before during and after clle 2014

ISE 1.2: Guest Access with Anchor Controller

PSN has a dedicated Guest Portal interface (GE1) connected to the DMZ:

interface Gigabit Ethernet 0
 ip address 10.1.1.10 255.255.255.0
!
interface Gigabit Ethernet 1
 ip address 192.168.1.10 255.255.255.0
!
ip host 192.168.1.10 guest.abc.com

If GE1 is the first CWA-enabled interface, then the URL redirect is sent to guest.abc.com:8443:

url-redirect=https://guest.abc.com:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa

The client needs to resolve guest.abc.com to 192.168.1.10 via a local or Internet (public) DNS server.

[Figure: ISE Policy Services Node with GE 0 on the Corporate LAN (10.x.x.x) and GE 1, the PSN dedicated guest interface, on the DMZ (192.168.x.x); Cisco Wireless LAN Controller tunnelled to a Wireless LAN Anchor Controller in the DMZ; Public DNS Server on the Internet]
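The MAB authentication rule from slide 36 and the CWA URL-Redirect result from slide 44, modelled together in Python. This is an added example, not the deck's or ISE's code: the endpoint database, session IDs and RADIUS requests are constructed; the attribute numbers follow RFC 2865 (Service-Type 10 = Call-Check, NAS-Port-Type 15 = Ethernet, 19 = Wireless-IEEE-802.11) and the redirect URL follows the format on slide 44.

```python
from urllib.parse import urlencode

# Constructed Internal Endpoints DB (MAC -> endpoint identity group).
INTERNAL_ENDPOINTS = {"00:11:22:33:44:55": "Printers", "aa:bb:cc:dd:ee:01": "iPad"}

GUEST_PORTAL_HOST = "guest.abc.com"   # 'ip host 192.168.1.10 guest.abc.com' on the PSN (slide 44)
GUEST_PORTAL_PORT = 8443


def is_mab_request(req):
    """Slide 36 condition: Service-Type = 10 (Call-Check) AND NAS-Port-Type in {15, 19}."""
    return req.get("Service-Type") == 10 and req.get("NAS-Port-Type") in (15, 19)


def cwa_redirect(session_id):
    """URL-Redirect value in the format shown on slide 44."""
    query = urlencode({"sessionId": session_id, "action": "cwa"})
    return f"url-redirect=https://{GUEST_PORTAL_HOST}:{GUEST_PORTAL_PORT}/guestportal/gateway?{query}"


def authenticate_mab(req, if_user_not_found="Reject"):
    """Returns (outcome, endpoint group). Outcome: 'Access-Accept', 'Access-Reject',
    'Continue' (unknown MAC, proceed to authorization) or 'NoMatch' (not a MAB request)."""
    if not is_mab_request(req):
        return "NoMatch", None
    group = INTERNAL_ENDPOINTS.get(req["Calling-Station-Id"].lower())
    if group is not None:
        return "Access-Accept", group
    if if_user_not_found == "Continue":
        return "Continue", None
    return "Access-Reject", None      # ISE default: an unknown MAC gets nothing


def authorize(req, if_user_not_found="Reject"):
    """Authorization result (RADIUS attributes) for a MAB request, or None on reject."""
    outcome, group = authenticate_mab(req, if_user_not_found)
    if outcome == "Access-Accept":
        # Known endpoint: VLAN named after its identity group (constructed naming).
        return {"Tunnel-Private-Group-ID": group.upper()}
    if outcome == "Continue":
        # Unknown endpoint on a CWA-enabled interface: confine it with a redirect
        # ACL and send the browser to the guest portal. Without that ACL,
        # 'Continue' would simply let every unknown MAC onto the network.
        return {"url-redirect": cwa_redirect(req["session_id"]),
                "url-redirect-acl": "CWA-REDIRECT-ACL"}
    return None


# Constructed requests; session_id stands in for the NAD's audit-session-id.
PRINTER_WIRED = {"Service-Type": 10, "NAS-Port-Type": 15,
                 "Calling-Station-Id": "00:11:22:33:44:55", "session_id": "0A0A0A0A00000001000011AA"}
UNKNOWN_WIFI = {"Service-Type": 10, "NAS-Port-Type": 19,
                "Calling-Station-Id": "de:ad:be:ef:00:01", "session_id": "0A0A0A0A0000000200002BBB"}
DOT1X_WIRED = {"Service-Type": 2, "NAS-Port-Type": 15,    # Framed: handled by the 802.1X rule
               "Calling-Station-Id": "aa:bb:cc:dd:ee:01", "session_id": "0A0A0A0A0000000300003CCC"}
```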

Page 45: Security before during and after clle 2014

Guest Tracking Leverages Network Logging

Log interesting activity from the guest user and forward it to ISE for correlation:

Guest IP accessed http://www.google.com

Guest IP accessed http://facebook.com

Guest IP triggered network AV alert

Guest IP triggered Infected endpoint event

Guest IP …

[Figure: ISE Policy Server receiving these events from the VPN and network devices]

Page 46: Security before during and after clle 2014

Guest Activity Tracking Integrates Network Logs

Create a Service Policy in the ASA to inspect HTTP traffic for the guest subnet; ISE shows the accessed URLs in reports.

Page 47: Security before during and after clle 2014

Local Edition

BYOD Extending Network Access to Personal Devices


Page 48: Security before during and after clle 2014

Onboarding Personal Devices – Registration, Certificate and Supplicant Provisioning

Self-Service Model (MyDevices Portal): Device Onboarding → Certificate Provisioning → Supplicant Provisioning, for iOS, Android, Windows and Mac OS

Provisions device certificates:

‒ Based on Employee-ID & Device-ID.

Provisions native supplicants:

‒ Windows: XP, Vista, 7 & 8

‒ Mac: OS X 10.6, 10.7, 10.8, 10.9

‒ iOS: 4, 5, 6, 7

‒ Android: 2.2 and above

‒ 802.1X + EAP-TLS, PEAP & EAP-FAST

Employee Self-Service Portal:

‒ Lost devices are blacklisted

‒ Self-service model reduces IT burden

Single and dual SSID onboarding.

Page 49: Security before during and after clle 2014

Single Versus Dual SSID Provisioning

• Single SSID

– Start with 802.1X on one SSID using PEAP

– End on the same SSID with 802.1X using EAP-TLS

• Dual SSID (most common method)

– Start with CWA on one SSID

– End on a different SSID with 802.1X using PEAP or EAP-TLS

[Figure: Dual SSID – SSID = BYOD-Open (MAB / CWA) → SSID = BYOD-Closed (802.1X), with the WLAN profile pushed: SSID = BYOD-Closed, PEAP or EAP-TLS (Certificate = MyCert). Single SSID – SSID = BYOD-Closed (802.1X), with the WLAN profile pushed: SSID = BYOD-Closed, EAP-TLS, Certificate = MyCert]

Page 50: Security before during and after clle 2014

Local Edition

Mobile Device Management (MDM)

Extending “Posture” Assessment and Remediation to Mobile Devices

BEFORE DURING AFTER

Page 51: Security before during and after clle 2014

ISE Integration with 3rd-Party MDM Vendors

MDM device registration via ISE

– Non-registered clients redirected to the MDM registration page

Restricted access

– Non-compliant clients will be given restricted access based on policy

Endpoint MDM agent

– Compliance

– Device applications check

Device action from ISE

– Device stolen -> wipe data on client

[Figure: partner MDM vendor logos with their minimum supported versions]

Page 52: Security before during and after clle 2014

MDM Compliance Checking

• Compliance based on:

– Macro level: general Compliant or !Compliant status

OR

– Micro level: disk encryption enabled, PIN lock enabled, jailbroken status

• MDM attributes available for policy conditions

• “Passive Reassessment”: bulk recheck against the MDM server using a configurable timer.

– If the result of the periodic recheck shows that a connected device is no longer compliant, ISE sends a CoA to terminate the session.

Compliance and Attribute Retrieval via API

Page 53: Security before during and after clle 2014

MDM Enrollment and Compliance – User Experience Upon MDM URL Redirect

MDM Enrollment – authorization condition: MDM:DeviceRegistrationStatus EQUALS UnRegistered

MDM Compliance – authorization condition: MDM:DeviceCompliantStatus EQUALS NonCompliant
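The two authorization conditions above plus the passive-reassessment recheck from the previous slide, modelled in Python as an added example (not ISE's or the deck's code). The MDM API answers and the session table are constructed; MDM:DeviceRegistrationStatus and MDM:DeviceCompliantStatus are the attribute names shown on the slides, while the three micro-level attribute names are assumed to follow the same pattern.

```python
from typing import Dict, List, Tuple

REG, COMPLIANT = "MDM:DeviceRegistrationStatus", "MDM:DeviceCompliantStatus"
# Assumed names for the micro-level attributes (not taken from the slides).
DISK_ENC, PIN_LOCK, JAILBROKEN = "MDM:DiskEncryptionStatus", "MDM:PinLockStatus", "MDM:JailBrokenStatus"

# Constructed stand-in for the MDM vendor's API (slide 52: retrieval via API).
MDM_API = {
    "aa:bb:cc:00:00:01": {REG: "Registered", COMPLIANT: "Compliant",
                          DISK_ENC: "On", PIN_LOCK: "On", JAILBROKEN: "No"},
    # Vendor's overall verdict says Compliant, but disk encryption is off.
    "aa:bb:cc:00:00:02": {REG: "Registered", COMPLIANT: "Compliant",
                          DISK_ENC: "Off", PIN_LOCK: "On", JAILBROKEN: "No"},
    "aa:bb:cc:00:00:03": {REG: "Registered", COMPLIANT: "NonCompliant",
                          DISK_ENC: "On", PIN_LOCK: "Off", JAILBROKEN: "Yes"},
}


def mdm_lookup(mac: str) -> Dict[str, str]:
    """Unknown to the MDM means the device has never enrolled (or has un-enrolled)."""
    return MDM_API.get(mac, {REG: "UnRegistered"})


def macro_compliant(attrs: Dict[str, str]) -> bool:
    """Macro level: trust the MDM's overall verdict."""
    return attrs.get(COMPLIANT) == "Compliant"


def micro_compliant(attrs: Dict[str, str]) -> bool:
    """Micro level: ISE's own policy on the individual attributes."""
    return (attrs.get(DISK_ENC) == "On" and attrs.get(PIN_LOCK) == "On"
            and attrs.get(JAILBROKEN) == "No")


def authorize_mdm(attrs: Dict[str, str], level: str = "macro") -> str:
    """Authorization rules in slide order: UnRegistered -> enrollment redirect,
    NonCompliant -> restricted access, otherwise full access."""
    if attrs.get(REG) == "UnRegistered":
        return "REDIRECT-MDM-ENROLLMENT"
    ok = macro_compliant(attrs) if level == "macro" else micro_compliant(attrs)
    return "PERMIT-ACCESS" if ok else "RESTRICTED-ACCESS"


def passive_reassessment(sessions: Dict[str, Tuple[str, str]], level: str = "macro") -> List[str]:
    """Bulk recheck on the configurable timer: returns the session IDs that get a
    CoA terminate because the device no longer earns the access it was granted."""
    coa = []
    for session_id, (mac, granted) in sessions.items():
        if authorize_mdm(mdm_lookup(mac), level) != granted:
            coa.append(session_id)
    return coa


# Constructed active sessions: session id -> (MAC, result granted at connect time).
SESSIONS = {"s1": ("aa:bb:cc:00:00:01", "PERMIT-ACCESS"),
            "s2": ("aa:bb:cc:00:00:02", "PERMIT-ACCESS"),
            "s3": ("aa:bb:cc:00:00:03", "PERMIT-ACCESS"),   # compliant when it connected
            "s4": ("aa:bb:cc:00:00:99", "PERMIT-ACCESS")}   # since un-enrolled from the MDM
```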

Page 54: Security before during and after clle 2014

Reporting – Mobile Device Management Report

Page 55: Security before during and after clle 2014

Local Edition

TrustSec and Pervasive Policy Enforcement

Page 56: Security before during and after clle 2014

TrustSec Authorization and Enforcement

dACL or Named ACL

• Less disruptive to the endpoint (no IP address change required)

• Improved user experience

• Increased ACL management

VLANs

• Does not require switch port ACL management

• Preferred choice for path isolation

• Requires VLAN proliferation and IP refresh – optional VRF

Security Group Access – SXP, SGT (Security Group Tag), SGACL, SGFW

• Simplifies ACL management

• Uniformly enforces policy independent of topology

• Fine-grained access control

[Figure: Guest on VLAN 4 and Remediation on VLAN 3; Employees and Contractors carrying Security Group Tags; an Employee dACL of "permit ip any"]

Page 57: Security before during and after clle 2014

TrustSec Enabled Network Segmentation – Campus and Branch Segmentation

Business drivers include: PCI for financial data, HIPAA medical data, medical device separation within a VLAN, access control with Secure Group Access

• Rules defined by business function & roles

• 80%+ reduction over manual rules

• Simple to add/remove rules enterprise-wide

• Topology-independent

• Scalable

• One policy for wired or wireless

Page 58: Security before during and after clle 2014

Secure Group Access Simplifies Security Enforcement – User-Access Control to DC

Business drivers include: Employee vs Guest, BYOD vs managed device

Secure Group Tag Enforcement Access List: ASA, Nexus or Catalyst switch access lists with SGTs

Page 59: Security before during and after clle 2014

Local Edition

What’s Coming Next?


Next Slides contain some Forward Looking Features…..All standard Legal Disclaimers apply here……. It’s all about the information…………….blah, blah, blah, blah

BEFORE DURING AFTER

Page 60: Security before during and after clle 2014

ISE 1.3 Key Features (1 of 2)

Feature – Description

1. Multiple AD Forest support – Ability to connect to multiple Active Directory domains for authentication and authorization

2. TrustSec – Improved scale of IP-SGT mapping; SG-ACL policy refresh for non-CoA-capable platforms; allow TrustSec configurations to be exported / imported

3. ERS – Guest and network device support; bulk operation support

4. Serviceability – Multiple features to ease administration and troubleshooting of an ISE system

5. Network Access – Miscellaneous network access features

6. MDM (Limited Availability) – Lite native MDM support in ISE leveraging the AnyConnect client

7. Guest – Rewrite of guest functionality and enhancements

8. Profiler – Endpoint purge functionality and other enhancements

Page 61: Security before during and after clle 2014

ISE 1.3 Key Features (2 of 2)

Feature – Description

9. pxGrid – APIs to facilitate sharing of network information with external applications; new persona for pxGrid services; integration of WMI interface for session tracking

10. CA Services – Built-in Certificate Authority for BYOD and MDM solutions

11. Infrastructure – Ability to run ISE services as non-root; upgrade, database and other enhancements

12. Licensing – Introduction of intermediate and premium licenses; consumption to be based on daily max, not real time

13. Admin WebApp – Miscellaneous features including IE11 support

14. CP/Posture – OS X provisioning / non-Java client

15. Unified Agent – AnyConnect / posture combined agent support (HoneyBadger)

Page 62: Security before during and after clle 2014

Native MDM with ISE & AnyConnect – ISE 1.3

Setup: set Wi-Fi settings; push VPN settings; configure email & calendar; push and install certs (ISE built-in CA – 1.3)

Configuration: set the PIN lock; enforce encryption on device; detect jailbroken device; restrict camera usage; apps management from Apple App Store / Google Play

Management: geo-query location; lock & unlock; un-enroll from MDM; wipe data on device

Page 63: Security before during and after clle 2014

ASA Firewall – Recent Innovations

• ASA Clustering with EtherChannel LB

• Cisco® Cloud Web Security integration

• Next-generation encryption

• IPv6 support enhancements

• Multi-context – Routing & S2S VPN

• EtherChannel – with VSS & vPC support

• Mix Transparent & Routed Modes

• ISE control of VPN via CoA – Sept 2014

• VMware versions coming – Later in 2014

• Sourcefire Feature Integration – 2014 & Beyond

[Figure: ASA cluster members joined by a Cluster Control Link and attached via Multi-Switch EtherChannel]

Page 64: Security before during and after clle 2014

Virtual ASA – May 2014 – ver 9.2

Security for the Virtual World

• VMware Hypervisor (vSwitch & dvSwitch)

• Non-vPATH enablement

• Term-based licensing (vCPU, not socket)

• SDN management for both ASA and ASAv

• 10 interfaces (VMware limitation)

• 200 VLAN sub-interfaces

• 1000 VXLANs – SDN/ACI support

• 1-2 Gbps performance

• Hyper-V coming late 2014

[Figure: UCS / Virtual Access / Storage – data security (authentication & access control), port security (authentication, QoS features), Virtual Firewall (real-time monitoring, firewall rules), Virtual IPS, Remote VPN to ASAv]

Page 65: Security before during and after clle 2014

A Commitment to Our Customers

• Choices to bring Next Generation Security into your environment:

(1) FirePower NGS on ASA*

(2) NGFW/NGIPS services within FirePower NGS

(3) Centralized Management: system-level management, threat-level management, Manager of Managers (MoM)

• Integration with Network Security Services: Identity / Access Control / ISE & TrustSec

• Strongest Data Center Capabilities

Gartner MQ Leaders in (NG)IPS, SSL VPN, VPN, Identity/NAC, Web Security, Email Security, Data Center

Leader in Data Center Security (Infonetics 2013)

*Refers to the Cisco Sourcefire NGS platform – Sourcefire running on ASA

Page 66: Security before during and after clle 2014


Cisco Web Security Options

Sourcefire (Physical or Virtual)

• Inline: Next Gen IPS – Multi-port GE/10GE/40GE

• Anti-Malware – Network & Agent based

• Web filtering

• Application control across all ports

• VRT – Threat Protection

• Defense Center – Threat Detection Correlation view

• Internet B/W from 50 Mbps – 60 Gbps – High Performance Platform

Meraki

• Inline – Next Gen firewall plus Web filtering

• Anti-Virus, IPS (Snort)

• Cloud Managed

• Application control across all ports

• Traffic Shaping

• Simple Configuration & Monitoring

• CIPA – SafeSearch, YouTube for EDU

• Internet B/W less than 1 Gbps

Cloud Web Security (aka ScanSafe)

• Transparent Re-direct – Network Connector or Device Agent (Win, Mac)

• Port 80/443

• Anti-Malware from Sourcefire

• Granular Filtering using Cisco Web Usage Control

• Web security for mobile users without the need for VPN

• Multiple Malware Scanners for Threat Protection

• Dynamic Web Categorization

• CIPA – SafeSearch, YouTube for EDU – per policy

• Internet B/W – no limit

IronPort (Web Security Appliance)

• Transparent Re-direct via WCCP or Browser Proxy

• Port 80/443

• Anti-Malware from Sourcefire

• DLP for Web

• Granular Filtering using Cisco Web Usage Control

• Central Logging or Splunk

• Video/Audio bandwidth throttling

• SIO – IP Reputation Filtering & Threat Protection

• Dynamic Web Categorization

• CIPA – SafeSearch, YouTube for EDU – global

• Internet B/W – Depends on # of WSAs & Requests / Sec.

• In ASA-CX – Limited B/W

Page 67: Security before during and after clle 2014


Complete Your Online Session Evaluation

• Give us your feedback and you could win fabulous prizes. Winners announced daily.

• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online


Page 68: Security before during and after clle 2014


Register for CiscoLive! – San Francisco


CiscoLive! – San Francisco

May 18 – 22, 2014

www.ciscolive.com/us

Page 69: Security before during and after clle 2014

Local Edition

Page 70: Security before during and after clle 2014


Links

• Secure Access, TrustSec, and ISE on Cisco.com

– http://www.cisco.com/go/security

– http://www.cisco.com/go/ise

– http://www.cisco.com/go/isepartner

• TrustSec and ISE Deployment Guides:

– http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

• YouTube: Fundamentals of TrustSec:

– http://www.youtube.com/ciscocin#p/c/0/MJJ93N-3Iew

Page 71: Security before during and after clle 2014

Anatomy of a Modern Threat

Diagram zones: PUBLIC NETWORK (Internet and Cloud Apps); PERIMETER; CAMPUS; ENTERPRISE; DATA CENTER

• Infection entry point occurs outside of the enterprise

• Advanced cyber threat bypasses perimeter defense

• Threat spreads and attempts to exfiltrate valuable data

Page 72: Security before during and after clle 2014


A Systems Approach – Switch/Controller is the Enforcement Point

Page 73: Security before during and after clle 2014


MDM Integration – Registration and Compliance

Diagram labels (device attributes checked): ISE Registered; MDM Registered; PIN Locked; Jail Broken; Encryption

For Your Reference

Page 74: Security before during and after clle 2014


MDM Integration

• User / Administrator can issue remote actions on the device through the MDM server (Example: remote wiping the device)

– My Devices Portal (User Interface)

– ISE Endpoints Directory (Admin Interface)

Remediation Options (Admin Interface and User Interface)

• Edit

• Reinstate

• Lost?

• Delete

• Full Wipe

• Corporate Wipe

• PIN Lock
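As an added example (not from the slides or Cisco), the following policy function applies the registration and compliance checks listed on the MDM Integration slides in the order they are shown: ISE registration, MDM enrollment, then the posture attributes the MDM reports. The attribute names, action labels and sample devices are assumptions.

```python
# Added example (not Cisco code): ISE-style access decision for a BYOD
# device from the registration and posture attributes an MDM reports.
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    REDIRECT_BYOD_PORTAL = "redirect to BYOD onboarding portal"
    REDIRECT_MDM_ENROLL = "redirect to MDM enrollment"
    QUARANTINE = "quarantine: jail-broken device"
    REMEDIATE = "limited access until remediated"
    PERMIT = "permit corporate access"


@dataclass(frozen=True)
class Device:  # assumed attribute names; field order is positional below
    ise_registered: bool
    mdm_registered: bool
    pin_locked: bool
    encrypted: bool
    jailbroken: bool


def authorize(dev: Device) -> tuple[Action, list[str]]:
    """Return the access decision and the list of checks that failed."""
    if not dev.ise_registered:
        return Action.REDIRECT_BYOD_PORTAL, ["not registered with ISE"]
    if not dev.mdm_registered:
        return Action.REDIRECT_MDM_ENROLL, ["not enrolled in MDM"]
    # A jail-broken device cannot be trusted to report its own posture,
    # so it is quarantined rather than offered self-remediation.
    if dev.jailbroken:
        return Action.QUARANTINE, ["jail-broken"]
    failed = []
    if not dev.pin_locked:
        failed.append("PIN lock not enforced")
    if not dev.encrypted:
        failed.append("device encryption disabled")
    return (Action.REMEDIATE, failed) if failed else (Action.PERMIT, [])


# Constructed sample endpoints, one per outcome (ISE, MDM, PIN, enc, JB).
SAMPLE = {
    "unknown": Device(False, False, False, False, False),
    "no-mdm": Device(True, False, True, True, False),
    "jailbroken": Device(True, True, True, True, True),
    "no-pin-no-enc": Device(True, True, False, False, False),
    "compliant": Device(True, True, True, True, False),
}

if __name__ == "__main__":
    for label, dev in SAMPLE.items():
        action, why = authorize(dev)
        print(f"{label:14} -> {action.value} {why}")
```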