PIW Cisco SASE and Secure Access Update
CSA Update
Partner Interactive Webinar
Patrick Charretour – Octavian Preda
EMEA NX Solution Engineer – SASE, Routing and SD-WAN
GTM lead
March 26th, 2024
Agenda
• Extended Security
• Technology Partnership
• Demonstration
[Slide: Cisco security portfolio overview]
Next Gen Firewall | Talos Threat Intelligence | Detection and Response | Catalyst SD-WAN
Secure the Network | Secure the Email | Secure the Data | Secure the Applications
• On-box Next Generation Firewall (NGFW): Application firewall, Intrusion Prevention System (IPS), Advanced Malware Protection, URL Filtering, Live Signature Updates, Segmentation, TLS Decryption, DNS-layer security, Sandboxing
• Security Visibility & Monitoring: Unified Logging
• Fabric Security: Dynamic Core Allocation
• Seamless Cloud Security (SSE)
• 3rd Party Integration Ecosystem: Unified Client | EDR | Cloud Managed, Cisco ISE Integration
• Certification and Compliance: ISO 27001, 27017, 27018, 27701; C5; FedRAMP; FIPS 140-2
** In progress
[Slide: Cloud Security]
• Cisco on Cisco Integration (SSE): Security Heatmap | Alarms | Security Events | Real-Time Updates; Unified SASE | Automation | Comprehensive Security
• SSE Technology Alliance: 3rd Party SSE Integration | Integrated SASE
[Slide: Fabric Security]
Cisco SASE = Secure SD-WAN + SSE (Cisco Secure Access, CSA ☺)
• Encrypted Control Plane
• Encrypted Data Plane (tunnels between sites)
• Security Keys: HW-based device authentication (SUDI); enhanced security with pairwise keys
[Slide: Centralized Security, single on-premise security stack]
Branch offices, HQ and roaming/mobile users connect over MPLS VPN; destinations are Internet, Private Cloud, IaaS (MS Azure, Google Cloud, AWS) and SaaS (Webex, MS Teams)
Traffic (diagram labels): Internet 20%; Internal 20%; Internet 80%
Problems:
• Costs
• Performance
• # Tools/vendors
• Integrations
• Maintenance
Partner Managed Exchange
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
The Future Model
[Slide: Decentralized model]
• Supports applications hosted in the cloud (Internet, Private Cloud, IaaS: MS Azure, Google Cloud, AWS; SaaS: Webex, MS Teams)
• Offers to users the same off-network experience (Cloud Edge)
• Networks no longer connect branches to data centre – they securely connect users to apps (SD-WAN, DIA/DCA, Extended Secure Perimeter, TLS)
Converging Needs: SASE = Connect It + Secure It
[Slide: Secure Access]
• Public applications: Breakout (unmonitored internet and trusted SaaS)
• Private applications: Client-Based Access
• Managed endpoint; on-premise users, devices & things; DC/POP/SD-WAN Branch; Internet/SaaS
• Unified Dashboard, Unified Security
• Identity based controls; Flexible ingress/egress
Converging Needs: SASE / Core SSE
• Single Vendor, Integrated Platform: Unified Offer, converges networking and security into a single offer and a unified dashboard
• Dual Vendor, Integrated: Integrated Approach, bringing better value from vendor consolidation and integrations between network and security tools
• Multi Vendor, Disaggregated: Bespoke
[Slide: Secure Access editions]
• Umbrella SIG: DNS plus:
• Secure Access Full SSE Edition: Everything in SIG, plus ZTNA (client-based & clientless) with App Connectors, FWaaS, ZTA Relay (MASQUE & QUIC)
[Slide: SSE components and vendor consolidation]
SaaS apps | Core private apps | Longtail/non-standard apps
CASB | SWG | RBI | ZTNA | Sandbox | DLP | Multiple Console
65% of enterprises plan on consolidating vendors
• Licenses/hardware
• Policy management
• Client management
• Reporting
• Elevated staffing levels for better risk posture
“Th o ho t s n th p o t, the admin’s intent is kept at the forefront, while the complexity of the underlying engines is hidden to ensure a simplified, user-friendly experience.”
http://magnetic.cisco.com
SDWAN Manager Magnetic Adoption Example
We see more and automate more, so you can block more and respond faster to threats.
• 2.1M+ malware samples processed daily
• 200+ new vulnerabilities discovered yearly
• 400B security events observed daily
• 625B web requests resolved daily
• Backed by robust expert team of full-time researchers and data scientists
• Machine learning and automation intelligence
[Slide: Access methods per app type]
Apps: Internet / Direct apps, SaaS apps, Core private apps, Longtail/non-standard apps
Access methods: ZTNA (?), VPN, Cisco Secure Access
Endpoints: Managed endpoint, Unmanaged
Cisco Secure Client VPN (AnyConnect VPN)
→ Authentication & Posture @ Connect time
→ DTLS Tunnel
→ Carry Internet & Private Traffic (All ports & protocols)
→ SAML, (+) Cert, & (+) Multi-Cert Authentication
Cisco Secure Client ZTNA Module
→ Authentication & Posture per session
→ QUIC tunnel (MASQUE proxy)
→ Carry Private Traffic (All ports & protocols)
→ SAML Auth + Auto re-new
Clientless ZTNA (Browser, Unmanaged Endpoint)
→ Accessible from any browser that supports SAML/Cookies
→ Request based posture (geolocation, browser version, OS)
→ Web Apps Only
→ More Details
How to connect Users to CSA
Cisco New Secure Client
• QUIC:
  • A fast, secure web transport protocol over UDP
  • Provides its own layer of security, packet loss detection, data recovery, and congestion control
  • HTTP/3 is based on QUIC
• MASQUE:
  • A proxy that routes multiple apps over one QUIC connection
  • Efficient, with little overhead
Google has found that 75% of requests are faster over QUIC
30% fewer interrupts over QUIC for YouTube users
‘Just works’ ZTNA for Apple devices
How to connect from Secure Access to Internet Traffic
[Diagram: Users (unmanaged) → Secure Access (MFA support, device posture and health, services, L3/4/7 router firewall w/ IPS; optional) → Public resource or Private Cloud via connector or backhaul VPN (SD-WAN)]
End to End Workflow Client based Access
[Diagram: Secure Client → QUIC secure tunnel → Secure ZTA Proxy → Auth (MFA support, device posture and health, services, L3/4/7 router firewall; optional) → Private applications in Public/Private Cloud via IPSec backhaul or App connector; DC/Colo/Branch]
1. Connect and Map destination to resource (steps 2, 3, 4 on diagram)
• App1.demo.com: ZTNA Proxy over QUIC, all ports and protocols
• app2.demo.com: App Connector Tunnel, ZTNA QUIC redirect (December availability)
• app3.demo.com: DC/Colo/Branch
Benefits
• Improved end-user experience
• Performance benefits QUIC & MASQUE
• No routing/network modification on client
• Improved Security step up auth
• Per App tunnels
• App specific access
• Always on access
• Cloud bypass for sensitive apps (future)
[Diagram: client based access with IPSec: App1.demo.com and App2.demo.com reached via ZTNA Proxy over QUIC (all ports and protocols) and IPSec to DC/Colo/Branch or Public/Private Cloud; Auth with MFA support, device posture and health, services, L3/4/7 router firewall; optional]
[Slide: Internet/SaaS workflow]
Users: Dana (IT), Genie (Sales); SD-WAN Branch site with/without embedded sec (IPSEC), Backhaul VPN, VPN Public Applications
Cisco Secure Access: Auth (MFA support, device posture and health, services, L3/4/7 router firewall; optional), redirect
Security Policy (SecOps Admin): NG Firewall with malware protection, URL filtering, SWIG, CASB, DLP, RBI; sensitive data
Destinations (Internet/SaaS): Office 365, Google, WebEx, Youtube
Capabilities (Cisco Source → Traffic → Destination)
• App performance: Isolate app issues from network issues
• Path visualization: Pinpoint issues down to a service provider, location and interface
• WAN health: Internet is your new WAN. Monitor its performance
• Internet and BGP route monitoring: Ensure Internet routing issues don't affect your users
• Remote worker experience: Business apps must be available when employees work from home
Diagram callouts: Is it the transit ISP? Is it the ISP? Is it the WiFi?
CISCO SASE / CLOUD SECURITY
• Umbrella: DNS security, Secure web gateway, Cloud access security broker (CASB)
• Duo: Adaptive MFA, Device posture and health, Behavior analytics, Continuous verification
• Internet, Public / private apps, Secure TLS
SoC Dashboard (Splunk)
Cisco Catalyst SD-WAN fabric → Logs, Events, Alert Data → Splunk Data Processing → Indexing, Data Lake, Visualization Dashboard
• Holistic view of all security events
• Real time updates
• Top Threats & Policy Hits
• Drill down to flow level
Threat Management / Flow Analysis:
• Global map view
• Top applications accessed
• Top network talkers
App URL: https://splunkbase.splunk.com/app/6657
App Add-on: https://splunkbase.splunk.com/app/6656
HSL Add-on: https://splunkbase.splunk.com/app/6872
Microsoft Sentinel – SD-WAN Security Analytics
Asset Protection
1 Integration Differentiators