Cisco Identity Services Engine and ASA Next-Generation Firewall Services
Hermann Demian
Product Sales Specialist
hdemian@cisco.com
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Countermeasures are less effective
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
36% Online video
22% Search engines
20% Social networks
13% Advertisements
Search Engines vs. Counterfeit Software
40% say that company policy forbids using company-owned devices for personal activities.
China
http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html
Security Challenge
Security Intelligence Operations (SIO)
Cisco ASA 5500 Series
Cisco Identity Services Engine (ISE)
A Proactive Protection Against New Threats
Global Threat Telemetry
Sensor locations: Bank Branch in Chicago, Ad Agency HQ in London, ISP Datacenter in Moscow
8:00 GMT Sensor Detects New Malware
8:03 GMT Sensor Detects Hacker Probing
8:07 GMT Sensor Detects New Botnet
Higher Threat Coverage, Greater Accuracy, Proactive Protection
Unmatched Cloud-Based Global Threat Intelligence
24x7x365 OPERATIONS
$100M+ SPENT IN DYNAMIC RESEARCH AND DEVELOPMENT
600+ ENGINEERS, TECHNICIANS AND RESEARCHERS
40+ LANGUAGES
80+ PH.D.S, CCIE, CISSP, MSCE
Cisco SIO
WWW
Actions
WWW
Information
IPS Networks Endpoints ESA ASA WSA
Visibility Control
150M+ DEPLOYED ENDPOINTS
8M+ RULES PER DAY
Blades
End of Sale Announced 18 March, 2013
Milestone: Date
End-of-Life Announcement Date: March 18, 2013
End-of-Sale Date: Sep 16, 2013
Last Ship Date (HW): December 15, 2013
End of Service Contract Renewal Date (HW): December 12, 2017
Last Date of Support: September 30, 2018
ASA 5585-X SSP-60
(40 Gbps, 350K cps)
Comprehensive Solutions from SOHO to the Data Center
ASA 5585-X SSP-40
(20 Gbps, 200K cps)
Multi-Service
Performance and Scalability
Selling the comprehensive security solution
Stateful inspection and next-generation security
Intrusion Prevention (IPS)
Secure Remote Access
Cloud Web Security
Aware Security
IPS and Reputation Filtering in Action
1 2 Internet
Local Connectivity
Internet
Cisco ASA 5500-X
Cisco ASA 5500-X
IPS Service Filter
Worldwide Visibility
Cisco IPS 4300
3
Cloud Web Security
Fast deployment
Complete malware protection
Roaming/remote user protection
Number of CWS users depends on size of ASA
Needs a separate license
Diagram labels: Internet, Cisco ASA, Employees, VPN
Current Datacenters: Bangalore, Chicago, Copenhagen, Dallas, Frankfurt, Hong Kong, London, Miami, New York Metro, Paris, San Jose, Singapore, Sydney, Tokyo, Zurich
Planned Datacenters: Brazil, Canada (E), (W), Dubai, Mexico, South Africa
Cisco ASA Software Release 9.0 includes integration with Cisco Cloud
Web Security (formerly ScanSafe)
Centralized Reporting
Secure Mobility
facebook-secure-login.com
Cisco Cloud Security
Service
Internal
communications
AnyConnect Secure
Mobility Client
SHARED LICENSE
ESSENTIALS LICENSE
PREMIUM LICENSE
At minimum cost
OR Posture Assessment
Basic Remote Access
and Clientless for
Connectivity
Remote Access
FLEX LICENSE
Good for Emergencies & Time Based.
Provides detection and automatic blocking of call-home &
command/control traffic between bots and the bot master
Scans all traffic, all ports, and all protocols
You have a 52-week Botnet Traffic Filter license installed on two units.
The combined running license allows a total duration of 104 weeks
Required Version: 8.2(1)+ (Detection), 8.2(2)+ (Blocking)
Shipping since Jul 2012
Application Visibility & Control
Web Reputation (Cisco SIO)
URL Filtering
Software
access solution
WHAT
Visit http://asacx-cisco.com
Broad… … classification of all traffic: 1,000+ apps
MicroApp Engine: deep classification of targeted traffic, 75,000+ MicroApps
App Behavior: control user interaction with the application
Current Methods Simply Don’t Scale
Authentication, Authorization, Accounting
Access Control Solution
Device Posturing
Guest Lifecycle Management
NAC Guest Server
All-in-One Enterprise Policy Control
Identity
Context
Cisco® ISE
Business-Relevant Policies
Flexible Authentication Sequence
IP Telephony Support
Authentication Features
POLICY
Access Point
Wired, Wireless, VPN User
Non-Compliant: Temporary Limited Network Access Until Remediation Is Complete
Internet
Guests: Wireless or Wired Access, Internet-Only Access
[Diagram labels: Company Asset, Personal Asset, HQ, 2:38 p.m., Wireless LAN Controller, VLAN 10, VLAN 20, DNS, RADIUS, DHCP, Corporate Resources, Internet Only, Unified Access Management. Steps shown: Profiling to Identify Device; Posture of the Device; Policy Decision; Enforce Policy in the Network; Full or Partial Access Granted.]
Also available for
VMware
ISE MDM
Device Access Control Mobile Devices Security Control
• MDM device registration via ISE
o Non-registered clients redirected to MDM registration page
• Restricted access
o Non-compliant clients will be given restricted access based on policy
• Endpoint MDM agent
o Compliance
o Device application control
• Device Action from ISE
o Device stolen -> wipe data on client
Identity Services Engine for Centralized Control
Gartner 2013 NAC MQ
Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 52
Trusted WiFi
Authenticate User
Fingerprint Device
Apply Corporate Config
Enterprise Apps
Automatic Policies
Trusted WiFi
Access: FULL
No Yes
Untrusted WiFi
Access: Limited
ISE Information:
http://www.cisco.com/go/ise
Cisco TrustSec (SGA and certified solutions):
www.cisco.com/go/trustsec
Application Notes and How-To Guides:
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
Design Zone—BYOD Reference Design:
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns743/ns1050/own_device.html#~overview
Thank you.