Building a Security Architecture
![Page 1: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/1.jpg)
Jamey Heary
Cisco Distinguished Systems Engineer, CCIE 7680
May 2016
Building a True Security Architecture One Capability at a Time
![Page 2: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/2.jpg)
Agenda
Current State of Security
Cisco Security
Security as an Architecture: Stories
Summary
![Page 3: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/3.jpg)
State of Security
![Page 4: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/4.jpg)
Cyberwar is Raging!!
![Page 5: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/5.jpg)
Why is the Security Industry Approach Failing?
• It is not a fair fight to begin with
• People, Process and Technology Issues
• Hacking People, Malicious Insiders
Security Technology Issues
• Siloed point products. Nothing works together!
• Bolt-on security, whack-a-mole strategy
• We are designing in complexity on purpose!
• Hyper-focused on prevention, which leaves detection, scoping and incident response anemic
• Lack of real network and security visibility
![Page 6: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/6.jpg)
Architecture Fail
Working together Fail
Bolt-on Fail
![Page 7: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/7.jpg)
Cisco Security
Cisco Security Homepage Cisco.com/go/security
![Page 8: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/8.jpg)
Cisco Security is Rockin it!
Best Security Company, 2016
Cisco’s Security Everywhere …“that’s pretty brilliant”
“Cisco’s strength in its Security business shows it is not an ‘old’ tech company”
“Network security architects … need to adopt new products and/or services that will enable the network to be an integral part of a strategy that focuses on detecting and responding to security incidents.”
“Vendors Like Palo Alto, FireEye Are Selling Legacy Technology”
“Cisco is making all the right moves… software-focused, cloud-friendly portfolio with double-digit growth in Security and acquisitions like OpenDNS”
CIO Survey: 1st in Customer Preference
![Page 9: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/9.jpg)
Cisco Security Execution and Investment
Timeline 2013–2016 (figure; milestones as labelled on the slide, in no particular order):
• Sourcefire acquired; ThreatGRID acquired; Active Threat Analytics
• Black Hat 2014: Talos; Integrated Threat Defense vision; AMP Everywhere w/ Threat Grid; Incident Response Service
• Cisco ASA w/ FirePOWER Services; Cisco ASA w/ FirePOWER Services for mid-size and branch environments; ACI + FirePOWER Services; RSAC: AMP Everywhere, OpenAppID
• Global Security Sales Organization; Security and Trust Organization; Security Everywhere; Security Everywhere extended
• Portcullis acquired; OpenDNS acquired; OpenDNS / Threat Grid integrated; Lancope acquired; Neohapsis acquired; Cognitive acquired
• Firepower NGFW and Security Advisory Service for Segmentation unveiled
Invested ~$5B in the last 36 months!
![Page 10: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/10.jpg)
A Track Record of Best-of-Breed Security Effectiveness: Best of Breed Efficacy in NSS Labs Testing Year after Year
Chart (2010–2015, security effectiveness on an 82–100% scale): Cisco NGFW, NGIPS and BDS (Cisco AMP) plotted against the NGFW and NGIPS test averages.
![Page 11: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/11.jpg)
Magic Quadrant Ranking
NGIPS “Leader” since 2006
Email Security “Leader” since 2005
Network Access Control (NAC) “Leader” since 2011
Web Security “Leader” 3 of past 4 years
Network Performance Monitoring and Diagnostics “Leader” (Lancope)
Enterprise Network Firewalls / UTM “Challenger”
SSLVPN (no longer updated) “Leader”
![Page 12: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/12.jpg)
Comprehensive Best-of-Breed Security Capabilities
Diagram: Network Fabric, Threat Intelligence and Analytics underpinning NGFW/NGIPS, Advanced Threat and Analytics, Policy and Access, Web and DNS, Email, and Endpoint.
Capabilities Working Together
Simple | Open | Automated | Effective
![Page 13: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/13.jpg)
The Cisco Advantage
Best of Breed Portfolio
Architectural Approach
Only Cisco can build a true E2E security architecture
![Page 14: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/14.jpg)
Without an Architecture it is a mess of complexity!
What makes an Architecture an Architecture?
Just Three things IMHO
1. Capabilities/Solutions (Ideally best of breed)
2. That work well together
3. Effectively
![Page 15: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/15.jpg)
Cisco is building the Industry’s first Threat-Centric Security Architecture
INNOVATION
![Page 16: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/16.jpg)
SAFE Simplifies Security: Method Overview
1. Identify your goals
2. Break down your network into manageable pieces
3. Criteria for success of the business (requirements in each PIN/domain)
4. Categorize your Risks, Threats and Policies
5. Build the Security Solution
   A. Capabilities Phase
   B. Architecture Phase
   C. Low-level Design Phase
Format: Whiteboard, Diagrams and/or Presentation
![Page 17: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/17.jpg)
Security Capabilities Design – Branch Example
Diagram (branch): a wireless manager web browsing and a wired clerk processing a credit card transaction connect through the Wireless Controller, Switch and Next-Generation Firewall/Router to the WAN, the Data Center and the Cloud.
Capabilities placed on the endpoints and access layer: Host-based Security, Wireless Intrusion Prevention, Posture Assessment, Access Control + TrustSec, Flow Analytics, L2/L3 Network.
Capabilities placed on the branch edge: Web Security Services, Firewall, Next-Gen Intrusion Prevention System, Anti-Malware, Flow Analytics, AVC (Application Visibility Control), Threat Intelligence, VPN.
• Use Best Practices to identify applicable security capabilities
• No Products and No Devices in this phase; that comes next
• Identify security capabilities that best mitigate threats, risks and policy
![Page 18: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/18.jpg)
Cisco Platform-Based Security Architecture: Hardware Agnostic, Integrated and 3rd Party Friendly
Layers (top to bottom):
• Management: Common Security Policy and Management; Orchestration; Security Management APIs; Cisco APIC APIs; Platform APIs; Cloud Intelligence APIs
• Security Services and Applications: Cisco Security Applications and Third-Party Security Applications, connected over APIs
• Security Services Platform (Physical Appliance, Virtual, Cloud): Access Control; Context Awareness; Content Inspection; Application Visibility; Threat Prevention
• Infrastructure Element Layer: Device API (OpenFlow, OpenStack, REST, YANG); Cisco Networking Operating Systems (Enterprise, Data Center, Service Provider, Cloud); Route–Switch–Compute; ASIC Data Plane; Software Data Plane
![Page 19: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/19.jpg)
Cisco Integrated Threat Defense Architecture: Stuff simply works together
Diagram layers:
• Services layer (Integrated Management): Web, Access, NGIPS, Adv. Malware, WAF, SaaS Visibility, Anti-Virus, FPC, NAC, DLP, DDoS
• Analytics layer (Global & Local Threat Intelligence): Raw Data (Cisco + 3rd Party), Threat Research, Analytics Engines
• Enforcement layer (Partnerships, Cisco Portfolio): FW/NGFW; Network Platforms (Router / Switches / Server); Security Platforms; Cloud Platform (OpenDNS, Email, CWS, Stealthwatch, Defense Orchestrator); Endpoint Platform (AnyConnect, AMP, Umbrella)
Telemetry flows up and Intelligence flows down between the layers; Policy Automation, APIs and Controller Integration tie them together.
![Page 20: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/20.jpg)
Cisco® Collective Security Intelligence: Pervasive across Portfolio
Diagram: Control and Visibility across Web, Endpoints, Devices and Networks, delivered through Cisco AnyConnect®, FirePower, Cisco CWS, Cisco WSA, Cisco ASA, Cisco ESA and IPS; Information flows in from the portfolio, Actions flow back out.
Difference between a paperweight and a NGFW?
Best-of-Breed Global Threat Intelligence Cloud
24x7x365 operations
40+ languages
More than US$100 million spent on dynamic research and development
www.talosintel.com
Threat Intel
![Page 21: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/21.jpg)
See the Unseen: Unprecedented Intel Breadth & Depth
Cisco Security Intelligence – Global Visibility, Global Footprint
Daily Security Intelligence: 120TB Security Intelligence; 3-5 min Updates; 75,000 FireAMP Updates; 6,000 New ClamAV Sigs
Daily Threats Blocked: 19.7B Threats Blocked; 4.5B Daily Email Blocks
Deployed Security Devices: 1.6M Deployed Devices; 150M Deployed Endpoints; 14M Deployed Access Gateways
Daily Malware Sandbox Reports: 1.1M Sandbox Reports
Traffic seen: 93B Daily Email Messages; 5B Daily Email Connections; 13B Web Requests; 1,000 Applications; 150,000 Micro-applications; 35% Enterprise
![Page 22: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/22.jpg)
Cisco Talos Research
Finding Bad Guys, one 0-day at a time
![Page 23: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/23.jpg)
Prevention: Says easy, Does hard
Criminals only have to find one vuln; Be prepared
Attack Continuum
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Shared Context & Security Intelligence
![Page 24: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/24.jpg)
The power of a Cisco Security Architecture
A collection of stories
![Page 25: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/25.jpg)
Story 1: Ransomware
Diagram: Alice, the contractor, clicks a link or malvertising → malicious code launches → ransomware payload → malicious infrastructure.
![Page 26: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/26.jpg)
How Cisco Protects Customers (OpenDNS, Next-Gen Firewall, AMP, Lancope)
OpenDNS blocks the DNS request
NGFW blocks the connection/file
Web Security w/AMP blocks the file
AMP for Endpoint blocks the file & communication back to home
OpenDNS blocks the request
NGFW blocks the connection
Lancope detects the activity
![Page 27: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/27.jpg)
OR
Diagram: Bob downloads a malicious email attachment → ransomware payload.
![Page 28: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/28.jpg)
OR (OpenDNS, Email Security, AMP, Lancope)
Email Security w/AMP blocks the file
AMP for Endpoint blocks the file & communication back to home
![Page 29: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/29.jpg)
Cisco TrustSec: Building block of a true security architecture
• TrustSec is a context-based TAG firewall/access control solution
• Cisco ISE is the central policy engine for TrustSec
• Classification of systems/users based on context (user role, device, location, posture, threat, access method…)
• The context-based classification propagates using SGT tags
• SGT used by firewalls, Stealthwatch, routers and switches to make intelligent forwarding or blocking decisions in the DC
Diagram: Users/Device (classified by ISE against the Directory, e.g. SGT:5) → Switch → Router → DC NGFW → DC Switch → HR Servers and Fin Servers in the DC (tagged SGT = 4 and SGT = 10 in the figure); the SGT is transported along the path and enforced in the DC.
![Page 30: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/30.jpg)
Architecture: Network & Security working together
Diagram: Endpoints (Corp Asset) reach Business Data (App / Storage) on the Corp Network through the Access Switch, WLAN Controller or VPN Remote Access and the Firewall; ISE is the Policy Server.
Context collected by ISE:
• Device Type: Apple Mac
• User: Mary
• AD Group: Employee
• Asset Registration: Yes
• Posture: Compliant
• Physical Location: Lobby
• Policy Mapping SGT: Employee
Firewall Rules:

| Source IP | Source SGT | Destination IP | Destination SGT | Service | Action |
|---|---|---|---|---|---|
| Any | Employee | Any | Biz Server | HTTPS | Allow |
| Any | Suspicious | Any | Biz Server | Any | Deny |

• Differentiated Network Access based on Context
• Security Group Tag is added to every packet from host
• Massive Firewall rule simplification
• Policy Enforcement regardless of IP address/vlan
• Accelerated service provisioning
• Consistent policy assignment regardless of access method
![Page 31: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/31.jpg)
Architecture: Rapid Threat Containment
Diagram: the Compromised Endpoint 10.10.10.10 (aa:bb:cc:dd:ee:ff) is attached through the Access Switch or WLAN Controller to the Corp Network, behind the NGFW from Business Data (App / Storage); ISE is the Policy Server.
NGFW / Stealthwatch Event: Malware
Source IP: 10.10.10.10/32
Response: Quarantine
Context after the event:
• OS Type: Windows 8
• User: Mary
• AD Group: Employee
• Asset Registration: Yes
• Posture: Non-Compliant
• Physical Location: Lobby
• MAC Address: aa:bb:cc:dd:ee:ff
• Policy Mapping SGT: Suspicious
PXGRID: EPS Quarantine: 10.10.10.10
Quarantine is based on MAC Address, preventing the compromised device from accessing from other locations / access methods.
Firewall Rules:

| Source IP | Source SGT | Destination IP | Destination SGT | Service | Action |
|---|---|---|---|---|---|
| Any | Employee | Any | Biz Server | HTTPS | Allow |
| Any | Suspicious | Any | Biz Server | Any | Deny |
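An added Python model of the TrustSec flow on the two slides above (context classification into an SGT, tag-keyed firewall rules, and MAC-based quarantine triggered by a Stealthwatch event). This is illustrative code written for this page, not Cisco's software or the ISE/pxGrid API; the Session fields, the "Guest" fallback tag, the implicit deny at the end of the rule base and the "Key: Value" event line format are assumptions.

```python
from dataclasses import dataclass

# Firewall rules as on the slide: source SGT, destination SGT, service, action.
# The IP columns are "Any" on the slide, so policy is keyed purely by tag.
RULES = [
    ("Employee",   "Biz Server", "HTTPS", "Allow"),
    ("Suspicious", "Biz Server", "Any",   "Deny"),
]
DEFAULT_ACTION = "Deny"  # assumption: implicit deny when no rule matches


@dataclass
class Session:
    ip: str
    mac: str
    user: str
    ad_group: str
    registered: bool
    posture: str      # "Compliant" or "Non-Compliant"
    location: str


class PolicyServer:
    """Toy stand-in for ISE: maps session context to an SGT, tracks quarantine by MAC."""

    def __init__(self):
        self.sessions = {}          # ip -> Session
        self.quarantined_macs = set()

    def login(self, s: Session) -> str:
        self.sessions[s.ip] = s
        return self.sgt_for(s)

    def sgt_for(self, s: Session) -> str:
        # Quarantine is keyed on the MAC address, so the same device re-connecting
        # from another location or access method still receives the Suspicious tag.
        if s.mac in self.quarantined_macs or s.posture != "Compliant":
            return "Suspicious"
        if s.ad_group == "Employee" and s.registered:
            return "Employee"
        return "Guest"  # assumed fallback tag, not on the slide

    def eps_quarantine(self, ip: str) -> str:
        """pxGrid-style EPS quarantine request for an IP; returns the MAC put in quarantine."""
        s = self.sessions[ip]
        self.quarantined_macs.add(s.mac)
        s.posture = "Non-Compliant"
        return s.mac


def match(rule_field: str, value: str) -> bool:
    return rule_field == "Any" or rule_field == value


def firewall_action(src_sgt: str, dst_sgt: str, service: str) -> str:
    """First-match evaluation of the tag-based rule base."""
    for r_src, r_dst, r_svc, action in RULES:
        if match(r_src, src_sgt) and match(r_dst, dst_sgt) and match(r_svc, service):
            return action
    return DEFAULT_ACTION


def parse_event(text: str) -> dict:
    """Parse a constructed 'Key: Value; Key: Value' event line (format is an assumption)."""
    out = {}
    for part in text.split(";"):
        key, _, value = part.partition(":")
        out[key.strip()] = value.strip()
    return out


def containment_walkthrough():
    """Replays the slide: Mary is allowed, a malware event quarantines her device by MAC."""
    ise = PolicyServer()
    mary = Session("10.10.10.10", "aa:bb:cc:dd:ee:ff", "Mary", "Employee", True, "Compliant", "Lobby")
    sgt_before = ise.login(mary)
    action_before = firewall_action(sgt_before, "Biz Server", "HTTPS")

    # Constructed Stealthwatch-style event using the values shown on the slide.
    event = parse_event("Event: Malware; Source IP: 10.10.10.10/32; Response: Quarantine")
    if event["Response"] == "Quarantine":
        ise.eps_quarantine(event["Source IP"].split("/")[0])
    sgt_after = ise.sgt_for(mary)
    action_after = firewall_action(sgt_after, "Biz Server", "HTTPS")

    # Same device comes back over VPN with a new IP and a clean posture: still quarantined by MAC.
    mary_vpn = Session("192.0.2.50", "aa:bb:cc:dd:ee:ff", "Mary", "Employee", True, "Compliant", "Remote")
    sgt_vpn = ise.login(mary_vpn)
    return sgt_before, action_before, sgt_after, action_after, sgt_vpn
```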
![Page 32: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/32.jpg)
Story 2: Security Automation – Dynamic Segmentation
![Page 33: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/33.jpg)
Enabling Network-Wide Identity & Context Sharing: Cisco Platform Exchange Grid – pxGrid
INFRASTRUCTURE FOR A ROBUST SECURITY ECOSYSTEM
• Single framework – develop once, instead of to multiple APIs
• Control what & where context is shared among platforms
• Bi-directional – share and consume context at the same time
• Extremely Scalable
• Integrating with Cisco SDN for broad network control functions
Diagram: pxGrid Context Sharing, a single pub/sub open framework, real-time & secure, with AD as one of the sources.
![Page 34: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/34.jpg)
Story 3: Security Automation – Rapid Threat Containment
Diagram: Bob connects over VPN through the NGFW.
![Page 35: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/35.jpg)
Cisco NGFW cutting-edge Automation: Not your grandma’s NGFW
• Context Rich: creates a host profile internally, from ISE pxGrid and from 3rd party host scan data
• Impact Assessment: threat correlation reduces actionable events by up to 99%
• Automated Tuning: adjusts IPS policies automatically based on traffic profile
• App Identification you can trust: OpenAppID
![Page 36: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/36.jpg)
Demo
![Page 37: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/37.jpg)
Story 4: Security Retrospection – Scope, contain, remediate
• Breaches will happen. Be Prepared.
Scenario
• Zero-day Malware gets through and infects Bob’s wireless PC and then spreads to a single server in the DC he has access to
• AMP sees the unknown file and sends it to the sandbox
• Malware tries to spread from Bob and the server.
![Page 38: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/38.jpg)
Cisco Security Architecture: AMP Everywhere, Integrated
Diagram: threats arriving from www.website.com are handled by NGFW/Meraki, AMP Appliance, WSA/CWS, ESA and AMP Endpoint, with the Admin managing the whole; files are sent to the File Sandbox and verdicts are applied as Allow, Warn, Block or Partial Block, including after the fact (File Retrospection).
Capabilities shown: Web Filtering and Reputation; Security Intelligence; File Type Blocking; Application Visibility & Control; Indicators of Compromise; Traffic Intelligence; File Reputation; Cognitive Threat Analytics; File Retrospection; Roaming User; Reporting; Log Extraction; Management.
![Page 39: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/39.jpg)
A New Layer of Breach Protection: the industry’s first recursive DNS security solution
Threat Prevention: DNS is common to almost all threats
Protects On & Off Network: not limited to devices forwarding traffic through on-premise appliances
Partner & Custom Integrations: block based on malware analysis (Threat Grid, FireEye, etc.)
Block by Domains for All Ports: no added latency
Incredibly easy to POV/Deploy: 30 min deploy time
UMBRELLA & Investigate
DNS Protection and Intel
![Page 40: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/40.jpg)
The Cisco Security Architecture Goes to Work
• The automated software-defined segmentation shown earlier drastically limits the attack surface available to the malware to spread
• OpenDNS prevents the C&C connection
• Stealthwatch (flow behavior analytics) alerts on C&C and host lock violation
![Page 41: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/41.jpg)
Network as a Sensor – Host Lock Violation and Suspect Data Loss (Host Lock Violation - CTD)
Diagram: Stores (Wireless POS, Wireless AP, C3850 Unified Access, ISR G2 Routers, POS Terminals) connect over a Private WAN (trusted) to the Data Center (ISR G2 Routers, ASA Firewall, the hacked POS Server, StealthWatch FlowCollector, StealthWatch Management Console, Cisco ISE), which connects through an ASA Firewall and the Internet to the Credit Card Processor (Credit Card Processing over HTTPS). POS terminals receive updates from the POS Server over HTTPS; the hacked server performs Command and Collect with a Compromised Server on the Public Internet.
![Page 42: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/42.jpg)
• Stealthwatch uses pxGrid to have ISE change the SGT to compromised
• Hosts are now in quarantine and ISE posture assessment can start self-patching
• Within <5 mins AMP returns a malicious verdict on the file. All AMP devices are now alerting and dropping the file. AMP on the endpoint will kill the process and shut down the malware on infected hosts
• All domains discovered by AMP Threat Grid are passed to OpenDNS for blocking, providing an umbrella of threat coverage
• Both AMP and Stealthwatch can be used to investigate and scope the breach
The Cisco Security Architecture Goes to Work
![Page 43: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/43.jpg)
When Malware Strikes, Have Answers - AMP
• Where did it come from? Device Trajectory
• Who else is infected? File Trajectory
• What is it doing? File Analysis
• How do I stop it? Automated Remediation
![Page 44: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/44.jpg)
Near Future: Threat Centric NAC: ISE 2.1*
Endpoints based on Incidents and Indicators
![Page 45: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/45.jpg)
ISE Threat Centric NAC
Network as a Sensor and Enforcer, and Integrated Threat Defense
![Page 46: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/46.jpg)
Story 5: Cisco ACI Security
![Page 47: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/47.jpg)
Solving the inline problem elegantly – Service graphs & chaining
Diagram: traffic between EPG “Internet” and EPG “Web” is steered by a Service Graph defined in Contracts through NGIPS/NGFW with Advanced Malware Protection. The Application Policy Infrastructure Controller (APIC) handles basic configuration and health; the FireSIGHT Management Center handles policy and events (Alerts, Network Visibility, Policy Management, Analytics, Remediation) and feeds Intelligent Remediation back to the fabric.
![Page 48: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/48.jpg)
ASA and Firepower Insertion into ACI
Diagram (VRF1 pod1net): Web host / Web EPG, App host / App EPG and DB host / DB EPG inside the fabric; an Outside host on the Outside Network reaches the fabric through the Outside Router (L3out3) and an NGFW Cluster at the Fabric Perimeter.
Insertion modes shown:
• ASA5525 Cluster: Routed L3 FW Context, dynamic routing to vPC, GoTo
• ASA virtual (ASAv): Routed L3 FW Context, GoTo
• Firepower 7010: Inline NGIPS, GoThrough
ASA DP 1.2.3.4, Firepower DP 1.0.1
![Page 49: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/49.jpg)
So much more I’d like to tell you, so many more use cases
Reach out to your Cisco account team
![Page 50: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/50.jpg)
In Summary
![Page 51: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/51.jpg)
Simple, Effective, Integrated & Open Security
Cisco Security: Leapfrogging the Market
![Page 52: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/52.jpg)
Our Approach is Unique
![Page 53: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/53.jpg)
Strategy is for amateurs.
![Page 54: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/54.jpg)
Execution is for professionals.
![Page 55: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/55.jpg)
![Page 56: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/56.jpg)
Appendix
![Page 57: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/57.jpg)
Cisco’s Comprehensive Best-of-Breed Security Portfolio
Diagram: Threat Intelligence and Analytics underpinning NGFW/NGIPS, Advanced Threat, Policy and Access, Web, Email and Endpoint.
Open | Simple | Integrated | Automated
Building Blocks Working Together as an Architecture
![Page 58: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/58.jpg)
Working Together to Create a True Security Architecture
Diagram: Cisco FTD, ASA w/ FP, Cisco Web & Email Security and Cisco NGIPS share Common Identity, Policy and Context Sharing; Malware Prevention / Sandboxing (Cisco AMP Client, AMP); Context-aware Segmentation and Network Integration (OpenDNS, TrustSec, ISE, pxGrid, NaaS, NaaE); Context Visibility; Remediation.
Cisco: Pervasive & Integrated Across the Portfolio
![Page 59: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/59.jpg)
Pervasive & Integrated Across Cisco
Across the whole Attack Continuum
• Visibility-Driven: Network-Integrated, Broad Sensor Base, Context sharing and Automation
• Threat-Focused: Continuous Advanced Threat Protection, Cloud-Based Security Intelligence
• Integrated: Leading products working together as a system; Built for Scale, Consistent Control, Management
Attack Continuum
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
![Page 60: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/60.jpg)
How to Build a Security Architecture: SAFE Simplifies Security, Method Overview
1. Identify your goals
2. Break down your network into manageable pieces
3. Criteria for success of the business (requirements in each PIN/domain)
4. Categorize your Risks, Threats and Policies
5. Build and model the Security Architecture
A. Capabilities Phase
B. Architecture Phase
C. Low-level Design Phase
Format: Whiteboard, Diagrams and/or Presentation
![Page 61: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/61.jpg)
Reference Architectures
![Page 62: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/62.jpg)
ISE 2.1 Feature List
Guest and SSO Enhancements
Microsoft Intune & SCCM Integration
ACS to ISE Migration Features
Smart Licensing
Third party NAD Support
EasyConnect
Streamlined Visibility
Context directory
Customizable Dashboard
Expanded Profiling Capabilities
Threat Centric NAC
TrustSec Workflow Enhancements
TrustSec / ACI Policy Plane Integration
New Posture Compliance Check
![Page 63: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/63.jpg)
Cisco Meraki
![Page 64: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/64.jpg)
Cisco Meraki: Cloud-managed Networks
• Meraki MS: Ethernet Switches
• Meraki SM: Mobile Device Management
• Meraki MR: Wireless LAN
• Meraki MX: Security Appliances
![Page 65: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/65.jpg)
Meraki MX Security Appliances
6 models scaling from small branch to campus / datacenter
Complete networking and security in a single appliance
Feature highlights: Zero-touch site to site VPN; WAN optimization; NG firewall; Content filtering; WAN link-bonding; Intrusion Prevention
Future support for:
• AMP
• IPFIX
![Page 66: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/66.jpg)
Systems Manager Mobile Device Management
Device Management controls iOS, Android, Mac, and Windows devices
Cloud-based - no on-site appliances or software, works with any vendor’s network
Free for up to 100 seats
Feature highlights: Centralized app deployment; Device security; Rapid provisioning; Backpack™ file sharing; Asset management
Future support: AMP, IPFIX
![Page 67: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/67.jpg)
Simplify: Segmenting traffic with SGT – Security Domain Level classifications
Diagram: “Yellow” Retail (stores, WAN, 3rd-party supplier) and “Blue” Retail (stores, WAN, 3rd-party supplier) reach the Data Centre, which hosts Shared Apps and Retail Apps, through a Core Network (Transit). SGACLs are enforced at each router.
• “Yellow” Retail Router: TAG everything “Yellow”; allow “Yellow” & “Purple”
• “Blue” Retail Router: TAG everything “Blue”; allow “Blue” & “Purple”
• DC Router: tag “Yellow” apps “Yellow”, tag “Shared” apps “Purple”; allow yellow to yellow, allow blue and yellow to purple
![Page 68: Building a Security Architecture](https://reader034.fdocuments.us/reader034/viewer/2022051404/587154de1a28ab8e5b8b4edb/html5/thumbnails/68.jpg)
Cisco Security Solution Partners: Combined Program – Over 60+ Partners
Combined API Framework and Integration Points
• BEFORE: Policy and Control
• DURING: Identification and Block
• AFTER: Analysis and Remediation
Partner categories: Infrastructure & Mobility; Remediation; Vulnerability Management; SIEM; Visualization; Network Access Taps; Custom Detection; Incident Response; Full Packet Capture; IAM/SSO