
Cisco Identity Services Engine and ASA Next-Generation Firewall Services
June 2013

Hermann Demian
Product Sales Specialist
hdemian@cisco.com

© 2012 Cisco and/or its affiliates. All rights reserved.


Agenda
• Security Challenge
• Security Intelligence Operations (SIO)
• Cisco ASA 5500 Series
• Cisco Identity Services Engine (ISE)
Countermeasures are less effective
• 1,071,291 web sites compromised
• 4 pieces of new malware per second
Hits to Top Web Properties (chart)
• Online video: 36%
• Search engines: 22%
• Social networks: 20%
• Advertisements: 13%
• Search engines vs. counterfeit software sites: 27x more likely to deliver malicious content
• Online advertisements vs. pornography sites: 182x more likely to deliver malicious content
• Online shopping vs. counterfeit software sites: 21x more likely to deliver malicious content
Disconnect with corporate IT
• 40% say that company policy forbids using company-owned devices for personal activities.
• 71% do not obey those policies (almost 3 out of 4).
• 50% of IT professionals believe: "our employees obey the policies on personal use".
China: 1 in 5 students say that becoming a hacker is a life goal.

Source: Cisco Annual Security Report, http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html
Security Intelligence Operations (SIO)
A Proactive Protection Against New Threats (diagram)
Global threat telemetry -> Cisco SensorBase -> Threat Operations Center -> advanced algorithms -> protection pushed to all Cisco customers.
Sensors are shown at a bank branch in Chicago, an ad agency HQ in London and an ISP datacenter in Moscow:
• 8:00 GMT: a sensor detects new malware
• 8:03 GMT: a sensor detects hacker probing
• 8:07 GMT: a sensor detects a new botnet
• 8:10 GMT: all Cisco customers protected
Higher threat coverage, greater accuracy, proactive protection.
Unmatched Cloud-Based Global Threat Intelligence
• 24x7x365 operations
• $100M+ spent in dynamic research and development
• 600+ engineers, technicians and researchers
• 40+ languages
• 80+ Ph.D.s, CCIEs, CISSPs, MSCEs
• 1.6M global sensors
• 35% of worldwide email traffic seen
• 3 to 5 minute updates
• 200+ parameters tracked
• 75TB of data received per day
• 13B web requests
• 5,500+ IPS signatures produced
• 70+ publications produced
• 150M+ deployed endpoints
• 8M+ rules per day
(diagram: Cisco SIO gains visibility from information sent by IPS, networks, endpoints, ESA, ASA and WSA, and exercises control through actions pushed to email, devices, web, ScanSafe, IPS and AnyConnect)
Cisco ASA 5500 Series
Cisco ASA (diagram: blades, ASA appliances, virtual appliances, PRSM)
• World's most widely deployed firewall
• Installed base of over 1 million ASAs globally
• More than 15 years of market-proven firewall capabilities
• Single code base for all deployments
• All managed in the same way with the same tools
End of Sale Announced 18 March, 2013

Milestone                                   Date
End-of-Life Announcement Date               March 18, 2013
End-of-Sale Date                            September 16, 2013
Last Ship Date (HW)                         December 15, 2013
End of Service Contract Renewal Date (HW)   December 12, 2017
Last Date of Support                        September 30, 2018
Comprehensive Solutions from SOHO to the Data Center (chart: performance and scalability across SOHO, Branch Office, Internet Edge, Campus and Data Center)

Model                  Throughput   Connections/s
ASA 5585-X SSP-60      40 Gbps      350K
ASA 5585-X SSP-40      20 Gbps      200K
ASA 5585-X SSP-20      10 Gbps      125K
ASA 5585-X SSP-10      4 Gbps       50K
ASA Service Module     16 Gbps      300K
ASA 5555-X (new)       4 Gbps       50K
ASA 5545-X (new)       3 Gbps       30K
ASA 5525-X (new)       2 Gbps       20K
ASA 5515-X (new)       1.2 Gbps     15K
ASA 5512-X (new)       1 Gbps       10K
ASA 5550               1.2 Gbps     36K
ASA 5540               650 Mbps     25K
ASA 5520               450 Mbps     12K
ASA 5510 / 5510+       300 Mbps     9K
ASA 5505               150 Mbps     4K

The chart labels the 5585-X and 5500-X models as multi-service (firewall/VPN and IPS) and the ASA 5505 through 5550 as firewall/VPN only.
Selling the comprehensive security solution
• Stateful inspection and next-generation security
• Multiple security services without sacrificing performance
(diagram of services on the ASA: Botnet Traffic Filter, Intrusion Prevention (IPS), ASA CX Context-Aware Security, Cloud Web Security, Secure Remote Access)
IPS and Reputation Filtering in Action
(diagram: Cisco Security Intelligence Operations with worldwide visibility; Cisco ASA 5500-X IPS Service and Cisco IPS 4300 with local connectivity to the Internet; reputation filter)

Step 1: The SensorBase network within the Cisco SIO gathers telemetry data from other sensors across the world.
Step 2: The Cisco 5500-X IPS Service gets the updated reputation filter list; this influences policy decisions (deny or drop attacker, etc.).
Step 3: Alerts go out to the security teams for prevention, mitigation, and remediation.
Cloud Web Security (diagram: Cisco ASA at headquarters and at the branch office, employees, VPN, Internet)
• Fast deployment
• Complete malware protection
• Roaming/remote user protection
• Number of CWS users depends on the size of the ASA
• Needs a separate license
Cloud Web Security datacenters

Current datacenters: Bangalore, Chicago, Copenhagen, Dallas, Frankfurt, Hong Kong, London, Miami, New York Metro, Paris, San Jose, Singapore, Sydney, Tokyo, Zurich

Planned datacenters: Brazil, Canada (East and West), Dubai, Mexico, South Africa
Cisco ASA Software Release 9.0 includes integration with Cisco Cloud Web Security (formerly ScanSafe)

Web Filtering (block unwanted content):
• Web usage controls
• Application visibility
• Bi-directional control

Web Security (block malware and viruses):
• Anti-malware protection
• Web content analysis
• Script emulation

Centralized reporting; secure mobility.
Example shown on the slide: facebook-secure-login.com
Cisco Cloud Security Service (diagram: AnyConnect Secure Mobility Client; Internet-bound web communications are sent to the Cisco Cloud Security Service, internal communications are handled separately)
AnyConnect licensing (diagram)
• Essentials license: basic remote access connectivity, at minimum cost
• Premium license (instead of Essentials): posture assessment and clientless remote access
• Mobile add-on license, for either Essentials or Premium, at minimum cost
• Advanced Endpoint Assessment: add-on to the Premium license
• Dedicated license, or shared license: premium licenses shared by multiple ASAs
• Flex license: good for emergencies, time based
Botnet Traffic Filter
• Provides detection and automatic blocking of call-home and command/control traffic between bots and the bot master
• Scans all traffic, all ports, and all protocols
• Detects infected clients by tracking rogue "phone-home" traffic
• Time-based only, licensed per year, per appliance
• Example: with a 52-week Botnet Traffic Filter license installed on each of two units, the combined running license allows a total duration of 104 weeks
• Required version: 8.2(1)+ (detection), 8.2(2)+ (blocking)
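The reputation lookup behind Step 2 of the IPS slide earlier and the phone-home tracking of the Botnet Traffic Filter above, as an added example; this is not Cisco code and does not reproduce how the ASA implements either feature. A feed of listed domains and networks stands in for the SIO reputation list, a DNS snooper maps destination IPs back to the names clients resolved, and the filter either alerts (detection mode) or drops (blocking mode). The feed entries, the 203.0.113.0/24 network, the allowlist and the traffic records are constructed for illustration.

```python
"""Reputation-list filtering over a batch of outbound connections.
Added example: not Cisco code and not how the ASA implements its IPS
reputation filter or Botnet Traffic Filter. The feed entries, the
203.0.113.0/24 network and the traffic records are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed reputation feed; a real appliance refreshes it from the vendor's service.
BLOCKLIST_DOMAINS = {"c2.example-bad.net": "botnet",
                     "example-evil.org": "malware"}     # parent entry covers subdomains
BLOCKLIST_NETS = [ip_network("203.0.113.0/24")]          # TEST-NET-3, constructed
ALLOWLIST_DOMAINS = {"updates.example.com"}               # local override for false positives

@dataclass(frozen=True)
class Connection:
    src: str       # inside host
    dst: str       # destination IP
    dport: int
    proto: str

class DnsSnooper:
    """Remember A-record answers so that a later connection to an IP can be
    attributed to the hostname the client actually resolved."""
    def __init__(self) -> None:
        self._names: Dict[str, Set[str]] = {}

    def observe(self, name: str, ip: str) -> None:
        self._names.setdefault(ip, set()).add(name.lower().rstrip("."))

    def names_for(self, ip: str) -> Set[str]:
        return self._names.get(ip, set())

def feed_category(name: str) -> Optional[str]:
    """Walk up the labels so 'a.b.example-evil.org' matches 'example-evil.org'."""
    labels = name.split(".")
    for i in range(len(labels) - 1):
        category = BLOCKLIST_DOMAINS.get(".".join(labels[i:]))
        if category:
            return category
    return None

class ReputationFilter:
    def __init__(self, snooper: DnsSnooper, blocking: bool) -> None:
        self.snooper = snooper
        self.blocking = blocking                     # False = detection only (alert, never drop)
        self.infected: Dict[str, List[str]] = {}     # inside host -> reasons it was flagged

    def classify(self, conn: Connection) -> Tuple[str, str]:
        names = self.snooper.names_for(conn.dst)
        if names & ALLOWLIST_DOMAINS:
            return "allow", "allowlisted"
        verdict = "drop" if self.blocking else "alert"
        for name in sorted(names):
            category = feed_category(name)
            if category:
                return verdict, f"{category}:{name}"
        if any(ip_address(conn.dst) in net for net in BLOCKLIST_NETS):
            return verdict, f"blocklisted-net:{conn.dst}"
        return "allow", "no-match"

    def process(self, conns: List[Connection]) -> List[Tuple[Connection, str, str]]:
        results = []
        for conn in conns:
            action, reason = self.classify(conn)
            if action != "allow":
                # Any contact with a listed destination marks the inside host as infected.
                self.infected.setdefault(conn.src, []).append(reason)
            results.append((conn, action, reason))
        return results

def run_sample(blocking: bool = True) -> Tuple[ReputationFilter, List[Tuple[Connection, str, str]]]:
    """Constructed traffic: two inside hosts, one of which resolves a C2 name."""
    snoop = DnsSnooper()
    snoop.observe("www.example.net", "198.51.100.10")
    snoop.observe("beacon.c2.example-bad.net", "192.0.2.45")
    snoop.observe("updates.example.com", "203.0.113.7")      # allowlist wins over the bad network
    conns = [Connection("10.0.0.5", "198.51.100.10", 443, "tcp"),
             Connection("10.0.0.9", "192.0.2.45", 8080, "tcp"),
             Connection("10.0.0.9", "203.0.113.200", 53, "udp"),   # no DNS name, IP match only
             Connection("10.0.0.5", "203.0.113.7", 443, "tcp")]
    flt = ReputationFilter(snoop, blocking)
    return flt, flt.process(conns)

if __name__ == "__main__":
    flt, results = run_sample()
    for conn, action, reason in results:
        print(f"{conn.src} -> {conn.dst}:{conn.dport}/{conn.proto}: {action} ({reason})")
    print("infected inside hosts:", sorted(flt.infected))
```

Running with blocking=False gives the same classifications but alerts instead of drops, which is the practical way to roll such a feed out: watch which inside hosts land in `infected` and how often the allowlist has to override the feed before turning blocking on. Note that the host talking to 203.0.113.200 is flagged on the bare IP alone, since nothing in the DNS snooper explains that destination.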

ASA CX Context-Aware Security, shipping since July 2012 (diagram of the stack)
• PRSM: centralized reporting and management
• AVC subscription: Application Visibility & Control software
• WSE (Web Security Essentials) subscription: web reputation and URL filtering (Cisco SIO)
• NGFWS (next-generation firewall services) software
• ASA: industry's most widely deployed stateful inspection firewall and remote access solution
What: visit http://asacx-cisco.com
• Broad classification of all traffic: 1,000+ apps
• MicroApp Engine, deep classification of targeted traffic: 75,000+ MicroApps
• App Behavior: control user interaction with the application
Cisco Identity Services Engine (ISE)
Current Methods Simply Don't Scale
• What devices are on your network now?
• Can you implement policy across network boundaries?
• Do you have consistent enforcement across your network?
• How do you secure mobile data, applications, devices, and users?
• Are you always compliant?
Access Control Solution: the separate products ISE consolidates (diagram)
• Authentication, Authorization, Accounting
• Device posturing: NAC Manager and NAC Server
• Device profiling: NAC Profiler and NAC Collector (standalone appliance or licensed as a module on NAC Server)
• Guest lifecycle management: NAC Guest Server
All of these functions are combined in the Identity Services Engine.
All-in-One Enterprise Policy Control
Security policy attributes: Who, What, Where, When, How
Identity and context feed Cisco ISE, which turns them into business-relevant policies across wired, wireless and VPN access.
Covers the virtual machine client, IP device, guest, employee, and remote user.
Replaces AAA and RADIUS, NAC, guest management, and device identity servers.
Authentication and Authorization on the Cisco Catalyst Switch
Identity differentiators:
• Monitor Mode
• Flexible Authentication Sequence
• IP Telephony Support
• Support for Virtual Desktop Environments
Endpoint types: authorized users, tablets, IP phones, network devices, guests
Authentication features: IEEE 802.1X, MAC Authentication Bypass (MAB) with profiling, Web Authentication
Consistent identity features supported on all Catalyst switch models
Device Profiling, for wired and wireless networks (diagram)
A printer and a personal iPad connect through an access point; ISE collects CDP, LLDP, DHCP and MAC attributes and applies the printer policy (place on VLAN X) or the iPad policy (restricted access).
The solution: efficient device classification leveraging the infrastructure.
Deployment scenario with Cisco Device Sensors:
• Collection: the switch collects device-related data and sends a report to ISE
• Classification: ISE classifies the device, collects flow information and provides a device usage report
• Authorization: ISE executes policy based on user and device
Posture Assessment (diagram: a wired, wireless or VPN user whose device is non-compliant gets temporary limited network access until remediation is complete)
Sample employee policy:
• Microsoft patches updated
• McAfee AV installed, running, and current
• Corporate asset checks
• Enterprise application running
Challenge:
• Understanding the health of the device
• Varying level of control over devices
• Cost of remediation
Value:
• Temporal (web-based) or persistent agent
• Automatic remediation
• Differentiated policy enforcement based on role
Guest Access (diagram: guests on wireless or wired access, guest policy with web authentication, Internet-only access)
• Provision: guest accounts via the sponsor portal
• Manage: sponsor privileges, guest accounts and policies, guest portal
• Notify: guests of account details by print, email, or SMS
• Report: on all aspects of guest accounts
Unified Access: identity, profiling and posture in one flow (diagram: HQ wireless LAN controller, 2:38 p.m.)
1. Identity: IEEE 802.1X EAP user authentication
2. Profiling to identify the device (ISE profiling sources: HTTP, NetFlow, SNMP, DNS, RADIUS, DHCP)
3. Posture of the device
4. Policy decision: a company asset gets corporate resources, a personal asset gets Internet only (VLAN 10 / VLAN 20)
5. Enforce policy in the network
6. Full or partial access granted
Cisco Secure Network Servers: SNS-3415-K9 and SNS-3495-K9
Based on the Cisco UCS C220 server, but designed for:
• Cisco Identity Services Engine (ISE)
• Network Admission Control (NAC)
• Access Control Server (ACS)
No CD/DVD drive (boot from USB stick or CIMC). Also available for VMware.
The New Way: Best Practice Today
ISE, device access control:
• Device profiling
• BYOD on-boarding
• Device access control
MDM (Mobile Device Management), mobile device security control:
• Device compliance
• Mobile application management
• Securing data at rest
Combined:
• Forces on-boarding to MDM for personal devices used for work
• Registers but restricts access for personal devices not managed by MDM
• Quarantines non-compliant devices based on MDM policy
MDM cannot 'see' non-registered devices to enforce device security, but the network can.
ISE and MDM integration
• MDM device registration via ISE: non-registered clients are redirected to the MDM registration page
• Restricted access: non-compliant clients are given restricted access based on policy
• Endpoint MDM agent: compliance, device application control
• Device action from ISE: device stolen -> wipe data on client

Identity Services Engine for Centralized Control
• Gartner 2013 NAC Magic Quadrant
• 1st system-wide policy management solution
• Deep network integration
• System-wide policy control from one screen
• Unified network access control
• Award-winning product: 2012 Cisco Pioneer Award
• Turnkey BYOD solution
• Over 400 trained and trusted ATP partners
• Over 1,000 wins in year 1
Scenario: Trusted WiFi
• Authenticate user
• Fingerprint device
• Apply corporate config
• Enterprise apps
• Automatic policies

Apply defined policy profiles based on:
• Device type
• User
• Location
• Application

Trusted WiFi, access: FULL (applications shown: Electronic Medical Records, Mobile TelePresence, Email, Instant Messenger)

"Is Mr. Allen's lab work ready yet?"
"Not yet but I will let you know the moment it arrives"

Untrusted WiFi, access: Limited
• ISE information: http://www.cisco.com/go/ise
• Cisco TrustSec (SGA and certified solutions): www.cisco.com/go/trustsec
• Application notes and how-to guides: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
• Design Zone, BYOD reference design: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns743/ns1050/own_device.html#~overview
Thank you.

"Security is a process, not a product"


Andrew S. Tanenbaum
