Cisco Security Architecture
Sourcefire Seminar Series 2014 North American Roadshow
2 © 2014 Cisco and/or its affiliates. All rights reserved.
The Silver Bullet Does Not Exist…
“Self Defending Network”
“It matches the pattern”
“No false positives, no false negatives.”
Application Control
FW/VPN
IDS / IPS UTM
NAC
AV PKI
“Block or Allow”
“Fix the Firewall”
“No key, no access”
Sandboxing
“Detect the Unknown”
The New Security Model: Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Across: Network, Endpoint, Mobile, Virtual, Cloud
Point in Time -> Continuous
Sourcefire’s Security Solutions
Collective Security Intelligence
Management Center: appliances | virtual
Next-Generation Firewall, Next-Generation Intrusion Prevention, Advanced Malware Protection: appliances | virtual
Contextual Awareness: hosts | virtual | mobile
Covering the Entire Attack Continuum
Visibility and Context
Firewall
NGFW
NAC + Identity Services
VPN
UTM
NGIPS
Web Security
Email Security
Advanced Malware Protection
Network Behavior Analysis
Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Sourcefire NGIPS and NGFW
Leadership: The Path “Up and Right”
Sourcefire has been a leader in the Gartner Magic Quadrant for IPS since 2006.
As of December 2013. Source: Gartner (December 2013)
2012 NSS Labs IPS SVM
NSS Labs Security Value Map (SVM) for Breach Detection Systems (chart: Security Effectiveness vs. TCO per Protected-Mbps)
FirePOWER™ Innovations
• LCD Display: quick and easy headless configuration
• Device Stacking: scale monitoring capacity through stacking
• Connectivity Choice: change and add connectivity inline with network requirements
• Hardware Acceleration: for best-in-class throughput, security, rack size/Mbps, and price/Mbps
• Lights Out Management: minimal operational impact
• SSD: solid state drive for increased reliability
• Configurable Bypass (fail-open) or Fail Closed Interfaces: chosen per deployment, whether IDS, IPS or firewall
IPS Performance and Scalability: Platforms and Places in the Network
Places in the network: SOHO, Branch Office, Campus, Internet Edge, Data Center

Platform                      Throughput
FirePOWER 7000 Series         50 Mbps – 250 Mbps
FirePOWER 7100 Series         500 Mbps – 1 Gbps
FirePOWER 7120/7125/8120      1 Gbps – 2 Gbps
FirePOWER 8100/8200           2 Gbps – 10 Gbps
FirePOWER 8300 Series         15 Gbps – 60 Gbps
Collective Security Intelligence
Inputs to the Sourcefire VRT® (Vulnerability Research Team):
• Sourcefire AEGIS™ Program
• Private and public threat feeds
• Sandnets
• FireAMP™ community
• Honeypots
• Advanced Microsoft and industry disclosures
• SPARK Program
• Snort and ClamAV open source communities
• File samples (>380,000 per day)
VRT processing: sandboxing, machine learning, big data infrastructure
Outputs: IPS rules, malware protection, reputation feeds, vulnerability database updates
Protecting Your Network: 2013 Output
• 2 SEU/SRU and 1 VDB update per week
• 380,000 samples per day
• >300,000 sandbox convictions per month
• 4,310 new IPS rules
• 100% same-day protection for Microsoft vulnerabilities
• 99.4% vulnerability coverage per NSS Labs IPS group test*
* Source: NSS Labs Data Center IPS Comparative Analysis, 2014
Robust Partner Ecosystem: Combined API Framework
BEFORE: Policy and Control
DURING: Identification and Block
AFTER: Analysis and Remediation
Infrastructure & Mobility
Partner categories: NAC, Vulnerability Management, Custom Detection, Full Packet Capture, Incident Response, SIEM, Visualization, Network Access, Taps
FireSIGHT™ Visibility: Contextual Awareness = Information Superiority

Category                   Examples                      FireSIGHT  Typical IPS  Typical NGFW
Threats                    Attacks, Anomalies            ✔          ✔            ✔
Users                      AD, LDAP, POP3                ✔          ✗            ✔
Web Applications           Facebook Chat, Ebay           ✔          ✗            ✔
Application Protocols      HTTP, SMTP, SSH               ✔          ✗            ✔
File Transfers             PDF, Office, EXE, JAR         ✔          ✗            ✔
Malware                    Conficker, Flame              ✔          ✗            ✗
Command & Control Servers  C&C Security Intelligence     ✔          ✗            ✗
Client Applications        Firefox, IE6, BitTorrent      ✔          ✗            ✗
Network Servers            Apache 2.3.1, IIS4            ✔          ✗            ✗
Operating Systems          Windows, Linux                ✔          ✗            ✗
Routers & Switches         Cisco, Nortel, Wireless       ✔          ✗            ✗
Mobile Devices             iPhone, Android, Jail         ✔          ✗            ✗
Printers                   HP, Xerox, Canon              ✔          ✗            ✗
VoIP Phones                Avaya, Polycom                ✔          ✗            ✗
Virtual Machines           VMware, Xen, RHEV             ✔          ✗            ✗
FireSIGHT Demo
Save Money and Improve Security
• IT Insight: spot rogue hosts, anomalies, policy violations, and more
• Impact Assessment: threat correlation reduces actionable events by up to 99%
• Automated Tuning: adjust IPS policies automatically based on network change
• User Identification: associate users with security and compliance events
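Impact assessment and automated tuning are two uses of the same idea: correlate each intrusion event, and each rule's metadata, with the network map that passive discovery builds (hosts, operating systems, listening services, mapped vulnerabilities). An event against a host that does not exist, or against an OS the exploit cannot touch, is noise; an event against a host already mapped to the CVE the rule detects is the one to work first. The Python below is an added example written for this page, not Sourcefire or Cisco code. The impact levels follow the FireSIGHT convention (1 vulnerable, 2 potentially vulnerable, 3 currently not vulnerable, 4 unknown target); the hosts, rules and events are constructed. CVE-2008-4250 is the real MS08-067 SMB flaw that Conficker exploited; "CVE-0000-EXAMPLE" is a placeholder identifier.

```python
"""Impact assessment and automated tuning from a host inventory.

Added example for this page, not Sourcefire/Cisco code. Impact levels follow
the FireSIGHT convention: 1 = vulnerable, 2 = potentially vulnerable,
3 = currently not vulnerable, 4 = unknown target. Hosts, rules and events
below are constructed; CVE-2008-4250 is MS08-067 (the SMB flaw Conficker
used), "CVE-0000-EXAMPLE" is a placeholder identifier.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """Metadata an IPS rule carries: service and OS it targets, CVEs it covers."""
    sid: int
    service: str
    target_os: frozenset
    cves: frozenset = frozenset()


@dataclass
class Host:
    """What passive discovery learns about one host."""
    ip: str
    os: str
    services: dict                            # listening port -> service name
    cves: set = field(default_factory=set)    # vulnerabilities mapped to the host


@dataclass(frozen=True)
class IpsEvent:
    sid: int
    dst_ip: str
    dst_port: int


RULES = {r.sid: r for r in [
    Rule(1, "smb", frozenset({"Windows"}), frozenset({"CVE-2008-4250"})),
    Rule(2, "http", frozenset({"Linux", "Windows"}), frozenset({"CVE-0000-EXAMPLE"})),
    Rule(3, "ssh", frozenset({"Linux"})),
    Rule(4, "ftp", frozenset({"Linux"})),
]}

# Constructed network map: three hosts, one of them mapped to a known CVE.
INVENTORY = {
    "10.0.0.10": Host("10.0.0.10", "Windows", {80: "http", 445: "smb"}, {"CVE-2008-4250"}),
    "10.0.0.20": Host("10.0.0.20", "Linux", {22: "ssh", 80: "http"}),
    "10.0.0.30": Host("10.0.0.30", "Linux", {443: "https"}),
}

# Constructed raw IPS events, with the impact level each should receive.
EVENTS = [
    IpsEvent(1, "10.0.0.10", 445),  # Windows host, SMB, known vulnerable   -> 1
    IpsEvent(2, "10.0.0.20", 80),   # Linux web server, CVE not confirmed   -> 2
    IpsEvent(1, "10.0.0.30", 445),  # Linux host hit by a Windows-only rule -> 3
    IpsEvent(2, "10.0.0.99", 80),   # host never seen on the network        -> 4
    IpsEvent(3, "10.0.0.20", 22),   # SSH is running on the target          -> 2
    IpsEvent(3, "10.0.0.30", 22),   # right OS, but no SSH on that host     -> 3
]


def impact(event, rules=RULES, inventory=INVENTORY):
    """Correlate one intrusion event with the host it targeted."""
    rule = rules[event.sid]
    host = inventory.get(event.dst_ip)
    if host is None:
        return 4, "target not in the network map"
    if host.cves & rule.cves:
        return 1, "host is vulnerable to what this rule detects"
    if host.os not in rule.target_os:
        return 3, "host OS is not affected by this attack"
    if host.services.get(event.dst_port) == rule.service:
        return 2, "target service is running, vulnerability not confirmed"
    return 3, "target service is not running on that port"


def triage(events, max_level=2, **kw):
    """Events an analyst should look at: impact level at or below max_level."""
    return [e for e in events if impact(e, **kw)[0] <= max_level]


def reduction(events, **kw):
    """Fraction of raw events removed from the analyst queue by correlation."""
    return 1 - len(triage(events, **kw)) / len(events)


def recommended_sids(rules, inventory=INVENTORY):
    """Automated tuning: keep a rule only if some host matches its OS and service.

    Rerun whenever discovery changes the map, so rules that no longer apply
    are disabled and newly relevant ones enabled without hand-editing policy.
    """
    keep = set()
    for rule in rules:
        if any(host.os in rule.target_os and rule.service in host.services.values()
               for host in inventory.values()):
            keep.add(rule.sid)
    return keep


if __name__ == "__main__":
    for e in EVENTS:
        level, why = impact(e)
        print(f"sid {e.sid} -> {e.dst_ip}:{e.dst_port}  impact {level}: {why}")
    print(f"analyst queue reduced by {reduction(EVENTS):.0%}")
    print("rules worth enabling:", sorted(recommended_sids(RULES.values())))
```

With this constructed map only half the events drop out; the "up to 99%" on the slide depends on how completely the map covers the monitored segments, which is also the check to make before trusting the impact flags: a host missing from discovery shows up as impact 4, not as safe.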
FireSIGHT™ Operational Savings
Scenario: one of the world’s 3 largest credit reporting agencies (20,000 nodes, 7,500 employees); generic work rate $75/hour
Source: SANS "Calculating TCO on Intrusion Prevention Technology" whitepaper, December 2013
Customer Testimonial: Nathan Romine, Western Union
Policy Demo
Benefits of Application Control
• Social: security and DLP
• Mobile: enforce BYOD policy
• Bandwidth: recover lost bandwidth
• Security: reduce attack surface
Application Control is Cool!
AMP: Advanced Malware Protection
In Spite of Layers of Defense
• Malware is getting through control-based defenses
• Malware prevention is NOT 100%
• Breach
• Existing tools are labor intensive and require expertise
Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Point in Time -> Continuous
APT / Advanced Malware: a tool for financial gain
• Uses formal development techniques
• Sandbox aware
• Quality assurance to evade detection
• 24/7 tech support available
• Has become a math problem: endpoint AV signatures ~20 million; total KNOWN malware samples ~100 M; AV efficacy rate ~50%
When Malware Strikes, You Have Questions
Where did it come from?
Who else is infected?
What is it doing?
How do I stop it?
Visibility and Control
AMP Everywhere
• AMP for Networks
• AMP for Endpoints
• ESA (Email)
• WSA (Web)
• CWS (Web)
AMP for FirePOWER and FireAMP Demo
When Malware Strikes, Have Answers
Where did it come from?
Who else is infected?
What is it doing?
How do I stop it?
Answered by: Device Trajectory, File Trajectory, File Analysis, Automated Remediation
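What makes those answers possible after the fact is that AMP records every file it sees, keyed by hash, together with the disposition known at that moment; when the cloud later changes its verdict, the stored sightings are replayed instead of re-scanning anything. The Python below is an added example written for this page, not AMP or Cisco code: it keeps a file trajectory (sightings per SHA-256), a device trajectory (everything one host touched) and raises a retrospective report the first time a hash turns malicious. Hostnames, timestamps, channels and file bytes are constructed.

```python
"""File and device trajectory for retrospective detection.

Added example for this page, not AMP/Cisco code. Every transfer is recorded
by SHA-256 with the disposition known at that moment; when a disposition
later flips to malicious, the stored sightings answer where it came from,
who else has it, and what to remediate. All data below is constructed.
"""
import hashlib
from collections import defaultdict


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Trajectory:
    def __init__(self):
        # sha256 -> list of (timestamp, source, destination, channel)
        self.sightings = defaultdict(list)
        # sha256 -> "unknown" | "clean" | "malicious"
        self.disposition = {}

    def observe(self, ts, src, dst, data, channel):
        """Record one transfer; the hash is looked up now and remembered forever."""
        h = sha256(data)
        self.sightings[h].append((ts, src, dst, channel))
        self.disposition.setdefault(h, "unknown")
        return h

    def update_disposition(self, h, new):
        """Cloud verdict changed. Returns a retrospective report only when a
        hash becomes malicious for the first time; every other change is silent."""
        old = self.disposition.get(h, "unknown")
        self.disposition[h] = new
        if new == "malicious" and old != "malicious":
            return self.file_trajectory(h)
        return None

    def file_trajectory(self, h):
        """Answer the four questions from stored sightings, oldest first."""
        seen = sorted(self.sightings[h])           # ISO timestamps sort as text
        return {
            "sha256": h,
            "first_seen": seen[0][0],
            "entry_point": seen[0][1],                                 # where did it come from?
            "infected_hosts": sorted({dst for _, _, dst, _ in seen}),  # who else is infected / what to remediate
            "path": [(src, dst) for _, src, dst, _ in seen],           # how it moved
        }

    def device_trajectory(self, host):
        """Everything a host sent or received, with each file's current disposition."""
        rows = []
        for h, events in self.sightings.items():
            for ts, src, dst, channel in events:
                if host in (src, dst):
                    rows.append((ts, h[:12], src, dst, channel, self.disposition[h]))
        return sorted(rows)


# Constructed file contents; the first is not real malware, just bytes to hash.
SAMPLE_BAD = b"MZ\x90\x00 constructed sample, not real malware"
SAMPLE_GOOD = b"%PDF-1.4 constructed benign document"


def build_scenario():
    """Constructed history: one attachment spreads over SMB across three hosts."""
    t = Trajectory()
    h_bad = t.observe("2014-03-01T09:00Z", "esa-gw", "ws-01", SAMPLE_BAD, "email attachment")
    h_good = t.observe("2014-03-01T09:05Z", "wsa-gw", "ws-01", SAMPLE_GOOD, "web download")
    t.observe("2014-03-01T11:30Z", "ws-01", "ws-02", SAMPLE_BAD, "smb copy")
    t.observe("2014-03-02T08:15Z", "ws-02", "ws-07", SAMPLE_BAD, "smb copy")
    return t, h_bad, h_good


if __name__ == "__main__":
    t, h_bad, h_good = build_scenario()
    # Nothing fired at transfer time: both files were "unknown" when seen.
    report = t.update_disposition(h_bad, "malicious")   # verdict arrives a day later
    print("retrospective alert:", report)
    print("device trajectory for ws-01:", t.device_trajectory("ws-01"))
```

Two things the slide's questions rely on are visible here: the report is only as complete as the sightings, so a transfer channel nobody instruments (a USB stick, an uninspected VPN) leaves a gap in the path, and a second "malicious" verdict for the same hash must not re-alert, otherwise every feed refresh pages the on-call again.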
Right in the Middle Of…
Better Together
Visibility
FirePower FireAMP Intelligence Spark
Sensors 20
100 Detections
30 Exploit Kits
595K Lookups
293K New files
6450 Detections
33M Lookups
10K Detections
28M Network lookups
3K Network Blocks
600K Files
100K Sandbox
60K IPS
100K Detections
Retrospective Intelligence
Sourcefire Vulnerability Research
ESA/WSA CWS
93B Messages
4.5B Blocks
20K New Files
80M Web Blocks
16B Web Requests
1M Blocks
20K New Files
Sourcefire+Cisco Vulnerability Research
Cisco Security Architecture (diagram)
Places in the network: SMB / Branch, Campus, Data Center (physical and virtual), Internet, Remote Devices
Components shown: ASA, ISR and ISR-G2 Integrated Services, IPS, Web, ISE, AD, Wireless, Switch, Router, Content Policy, CSM, ASAv on the hypervisor, ASAv in the fabric (SDN), Cloud Security Gateway for remote-device access, Global Threat Intelligence
Comprehensive Security Portfolio
IPS & NGIPS
• Cisco IPS 4300 Series
• Cisco ASA 5500-X Series integrated IPS
• FirePOWER NGIPS
• FirePOWER NGIPS w/ Application Control
• FirePOWER Virtual NGIPS
Web Security
• Cisco Web Security Appliance (WSA)
• Cisco Virtual Web Security Appliance (vWSA)
• Cisco Cloud Web Security
Firewall & NGFW
• Cisco ASA 5500-X Series
• Cisco ASA 5500-X w/ NGFW license
• Cisco ASA 5585-X w/ NGFW blade
• FirePOWER NGFW
Advanced Malware Protection
• FireAMP
• FireAMP Mobile
• FireAMP Virtual
• AMP for FirePOWER license
• Dedicated AMP FirePOWER appliance
NAC + Identity Services
• Cisco Identity Services Engine (ISE)
• Cisco Access Control Server (ACS)
Email Security
• Cisco Email Security Appliance (ESA)
• Cisco Virtual Email Security Appliance (vESA)
• Cisco Cloud Email
UTM
• Meraki MX
VPN
• Cisco AnyConnect VPN
ASA 5500-X Advantages
• Up to 4X faster than legacy ASA
• Integrated security acceleration hardware
• NG Services: Application control (AVC), Web security (WSE), Sourcefire (NGIPS - FireSIGHT)
• Technology Migration Program (TMP): 10% off ASA-X firewalls, 15% off NGFW services

Model        FW Throughput
ASA 5512-X   1 Gbps
ASA 5515-X   1.2 Gbps
ASA 5525-X   2 Gbps
ASA 5545-X   3 Gbps
ASA 5555-X   4 Gbps

Cisco ASA 5585-X Firewall for Data Centers (market-leading DC firewall)
• World’s fastest firewall solution: up to 640 Gbps clustered
• 16-chassis clustering can be managed as a single device and across multiple data centers
• Purpose-built data center security supports traditional, SDN, and ACI data center environments
Cisco Unified Threat Intelligence: Real-Time Protection for Network / Security Devices
Global Threat Operations: actionable intelligence from vendor, industry and agency alliances, managed honeypots and mantraps
Challenge:
• Multiple, non-integrated intelligence sources
• Limited intelligence footprint
• Slow, inconsistent threat updates
• No consistency between security solutions
Solution:
• Largest unified threat database
• Global intelligence from millions of devices, billions of websites and emails per day
• Threat updates every 3-5 minutes
• Unified intelligence (Cisco + Sourcefire): ASA, IPS, CWS, ESA, WSA, ISE
Embedding Security in the Infrastructure: Comprehensive Visibility and Scalable Enforcement
Local and Global Threat Intelligence; Integrated and Centralized Policy
The NETWORK sees all traffic, routes all requests, sources all data, controls all flows, handles all devices, touches all users, shapes all streams.
Visibility and Enforcement capabilities: Behavioral Analysis, Encryption, Identity Awareness, Device Visibility, Policy Enforcement, Access Control, Threat Defense
Risk Reports
• Samples
• Eval output
• Executive focus